I have a bold proposal: to make standard in all vendor contracts regarding the transmission and storage of institutional information that the vendor will comply with applicable privacy and technical security regulations in existing federal privacy laws.
OMG?!? Not, IMHO. The regulations are not that exacting. About privacy, it would mean no inappropriate disclosure ... which should be the case whether it is personally identifiable education, financial or medical records or anything else for that matter. (The other aspects of those regulations regarding notice, for example, could contractually be understood to be assigned to the institution.) About technical security, it boils down to having intrusion detection and the administrative and technical means by which to address a compromise and expeditiously staunch a breach of data using basic industry technical security standards. What vendor worth a contract does not have already have industry administrative, logical and physical security standards in place? Finally, while encryption has been an uphill slog for the failure to create user-friendly practices, it is becoming fairly regular practice now, even for common users of information technology resources. It covers a lot of potential sins, and liability. So long as it is included in the technical measures, which should be clear in the contract, both parties can exhale. Left to debate is who pays (the insurance) for a data breach notification. Ultimately, that one seems simple to resolve by circumstances: whoever had the breach. Poof! Much of the privacy and security provisions in vendor "cloud" contracts are now settled.
If it is so easy, you ask, why has negotiation on these points been so difficult? I have three reasons. The first is a sense that vendors simply do not believe, perhaps do not want to believe, that they really, really do have the responsibility to protect information that they maintain on behalf of our institutions. Fact is: They do. If they want our business, it is time for us to make that point clear. Consequently, no wiggle language, which is what voracious litigation lawyers feast on. Starve a litigator today! Say it plainly: I, vendor, accept responsibility that [state your institutional or organizational name] has for the the disclosure privacy provisions and the security requirements in FERPA, GLBA and HIPAA. While it is true that in contract negotiations both parties seek to avoid accepting responsibility, I submit that this is one responsibility that cloud vendors of institutional information must accept.
Second, in our model contracts we made the mistake of trying to define the law in privacy and security provisions instead of simply referring to law. That was an old problem in copyright policies of which we should have taken note. Simply say: x institution complies with federal and state copyright laws. Same here. If X institution has to comply with FERPA, so does the vendor that holds the institution's education records. And so on ... so with our first steps in this contractual area, we fell for the old ruse of rewriting existing law. Time to admit the mistake and move on.
Third, and finally, we must help the vendor to recognize that most of what they fear is fear itself. Contract lawyers associated with Internet companies have heard of these laws, but are not knowledgeable about them. That lack of knowledge makes them fearful, understandably so: no lawyer should ever agree to accept responsibility on behalf of their client if they don't understand what that responsibility entails. A little education could go a long way. If they recognize, first, that we cannot reasonably contract with them without these provisions, and second, that in all likelihood they already are prepared to meet the relevant privacy and security provisions in these laws, their anxiety level might go way down. Indeed, the light bulb will go off over the head: Cool! I can make these promises, no sweat, and then I will be all the more attractive -- and competitive -- in the higher education market!
Correct me if I am wrong, but I think we have an easy win-win here. Who first among our vendors is willing to give it a try?