Legal Risk at the 2016 Enterprise IT Summit

Legal Risk and Uncertainty

One of the topics discussed during a session focusing on cloud services contracts was the notion of legal risk — the risk that an institution faces due to a failure to comply with legal or regulatory obligations (e.g., the failure to comply with a federal, state, or local law or the failure to adhere to contract terms). In the contract world, legal risk can also mean failing to take the right measures to protect institutional assets. In the shift from technologies to services, one of the most important assets that an institution must protect is its data and the data entrusted to it from students, faculty, and staff. Thus, most institutions carefully scrutinize contracts with service providers to try to manage issues of data protection and legal risk.

Even though cloud contracts are scrutinized for data protection terms, conference attendees were reminded that cloud services bring to bear some potentially uncomfortable truths:

• We like to hold cloud service providers to the highest standard possible.
• Because we know and trust our own institutions and staff, we may not be holding ourselves as accountable for data protection as we hold cloud providers.
• Not all cloud contracts should get the same level of scrutiny, which should be based on the underlying application, what it will be used for, and the types of data it will collect.
• Sometimes we just aren't going to get good answers to the questions that we ask about data protection, and sometimes we won’t get the contractual protections we seek.

Parameters of Risk Inquiry

After a brief presentation discussing legal risk concepts, conference attendees were introduced to 11 different kinds of data protection statements that should be considered in cloud-based contracts. If these items are not included in cloud contracts, then their absence might raise legal risk questions for the institution. The items introduced were:

1. Auditing and Forensics: Verify that the vendor has a process in place to audit the services and provide those audit logs to the institution as needed for performance, incident handling, and forensics needs
2. Business Continuity and Disaster Recovery: Verify that the vendor has appropriate safeguards to ensure continued operations in the event of an outage or disaster
3. Data Backups: Verify that data backups are regularly made and verified to be accurate and usable
4. Data Segregation: Verify that your institutional data is kept separate from another entity's data
5. Encryption of Data at Rest: Verify that institutional data is encrypted
6. Institutional Data Availability: Verify the processes to ensure that critical institutional business and academic data (e.g., admissions, business operations, research, etc.) are available when needed
7. Institutional Service Availability: Verify the processes to ensure no institutional loss of access to IT systems and services for an unacceptable period of time
8. Operational Security: Verify that the vendor has enacted logical security safeguards to protect institutional data/services (such as single sign‐on support, configurable security groups)
9. Physical security: Verify that the vendor has appropriate co‐location, redundancy, security zones, two-factor authentication presence, camera surveillance, and least privilege
10. Security Compliance and Certifications: Verify that the vendor/service meets a security standard such as ISO, NIST, or an institutionally developed standard
11. Service Management: Verify that the vendor has a process for measuring and managing service performance and for managing service problems to ensure they are adequately resolved or for investigating causes to prevent recurrence

Conference participants were then asked to rank the above items in three ways:

• Which items cause you the greatest concern in terms of cloud contracts?
• Which items cause you the least concern in terms of cloud contracts?
• Which items cause you the greatest concern, but you are willing to accept an unsatisfactory answer in order to proceed with the contract?

Twenty nine conference participants shared their responses to the exercise. The top 3 items cited most frequently as the greatest concerns were:

1. Institutional data availability (19% of respondents)
2. Business continuity and disaster recovery (16% of respondents)
3. Institutional service availability (13% of respondents)

The top 3 items cited most frequently as the least concerns were:

1. Data segregation (22%)
2. Security compliance and certifications (18%)
3. Service management and physical security (TIE) (12% each)

The top 3 items cited most frequently as the greatest concerns/unsatisfactory answers were:

1. Service management and auditing (tie) (18%)
2. Forensics (tie) (18%)
3. Security compliance and certifications (15%)

Discussion among conference attendees highlighted that there are a number of data protection concerns in cloud contracts. Participants also noted that a "one-size-fits-all" approach to negotiating these protections via contracts is problematic because it fails to account for different types of vendors and services, and access to institutional data.

Next Steps

Creating a forward thinking cloud strategy in today’s higher education IT landscape is imperative. One element of such a strategy will be to consider notions of legal risk in contracts with cloud vendors and service providers. There are a number of resources available to institutions considering such issues:

• EDUCAUSE Enterprise IT Program, Effective Sourcing Strategies webpage
• HEISC Information Security Guide Data Protection Contractual Language Toolkit
• Cloud Security Alliance Cloud Controls Matrix

The 2017 EDUCAUSE Enterprise IT Summit will be held February 27–March 1, 2017, in Phoenix, Arizona.

---

Joanna Lyn Grama is director of cybersecurity and IT GRC programs for EDUCAUSE.