Educause Security Discussion mailing list archives
Re: Outsourcing Student Email - Security Concerns?
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Fri, 27 May 2011 01:29:07 -0400
There are also a number of policy and legal concerns with outsourcing email. For instance, if email contains data on a research project not covered under a basic research exemption to export control and the email server is outside the US or hosted on certain kinds of equipment, the act of storing or sending the email "across campus" could be a weapons export violation.

Does the email provider indemnify you against all FERPA and HIPAA penalties and costs if they disclose protected information on students and/or staff?

When faced with a subpoena or open records act request (similar to the ones in Wisconsin and Michigan recently), what charges will be incurred to pull out all the archived mail and search it? What control will you at the university have over disclosure of materials that might be privileged when the email isn't in your actual possession to begin with? Actually, is storage of official email by faculty and staff offsite in this manner in keeping with state sunshine/open records laws if you are a state university?

Is email with design information and data stored on a third party's system sufficient to violate an NDA or invalidate a future patent claim because the information is no longer under your direct control?

In the event of a legal issue, will personnel from the service provider be willing to testify under oath to chain of custody for data used in forensics? Will they even help in the forensics? And what will they charge for that? This could be as complex as an in-depth NSF IG investigation for fraud over several years, or investigating online stalking, or as simple as determining which of several students actually plagiarized a paper last year, but in each case it means pulling some backups and doing examination. Much different than doing it in-house.

5 years from now, after your own infrastructure has withered, what happens when the mail provider you have selected decides to impose very major price increases — and a hefty charge if you want to transfer all your existing archives and accounts off their system? How can you know that they won't change their business model and pricing later when you have no affordable alternative?

Those are only a few of the problems I posed to our campus committee when they were thinking about moving to an outside email provider. After considering the questions and getting advice on the answers, we're keeping all our email on campus.

Cost of common operations is what drives most organizations to outsource. Security is usually the issue that causes some initial concern. But it is the unusual and rare instances of other events that often cause the biggest problems because of lack of resources and control.

I'd suggest you consult with your campus legal and contracts folk, audit, risk, and similar offices, and think through some of the possible scenarios (such as the above) that might happen (or have happened) on your campus and could involve email. Get their opinions as to what the consequences and issues might be. It's more than viruses and people's files being stolen.

Your state laws and institutional profile may mean you are not at risk to move the email offsite to a 3rd party. Or, it could mean you could create some very sticky situations down the road.