Educause Security Discussion mailing list archives

Re: Cloud vendor contracts starting to say they own the data you put in their cloud


From: Ben Marsden <bmarsden () SMITH EDU>
Date: Fri, 21 Sep 2018 15:19:37 -0400

.... yup, and lawyers not understanding IT...

On Fri, Sep 21, 2018 at 3:14 PM Frank Barton <bartonf () husson edu> wrote:

it comes down to Lawyers doing what lawyers do...

On Fri, Sep 21, 2018 at 3:06 PM Nathaniel Hall <
educause-lists () nathanielhall com> wrote:

I never said it was the right way to do it- just that I'd heard it before.

--
Nathaniel Hall, GSEC GPPA GCIA GCIH GCFA PCNSE
On 9/21/2018 1:53 PM, Nick Lewis wrote:
You can do that with a narrow license to the data limited to the
operation of the service. If they need to move the data for the operation
of the service, then they could.

Thanks,

Nick

On 9/21/18, 2:26 PM, "The EDUCAUSE Security Community Group Listserv
on behalf of Nathaniel Hall" <SECURITY () LISTSERV EDUCAUSE EDU on behalf
of educause-lists () NATHANIELHALL COM> wrote:

I've heard it said before that the reason for these "we own data"
clauses is so they can duplicate data between multiple locations
without your permission, encrypt such data with their own keys, etc.

-
Nathaniel Hall, GSEC GPPA GCIA GCIH GCFA PCNSE
On 9/21/2018 12:42 PM, Nick Lewis wrote:
We’ve seen them as well and include contract language in the NET+
contracts around campuses owning the data. How metadata is handled is
less clear and I would count anonymized/de-identified data in the same
group where the provider might get a license to use it for the operation
of the service, improving the service, etc. If the data can be
re-identified (why is a separate question) makes it customer data again.
The feedback aspect is less clear as universities' lawyers have expressed
concerns about if they own the intellectual property of the comment,
campuses express the desire to own the feedback to improve
interoperability, etc. Usually the cloud provider is granted a limited
license to use the feedback.



Thanks,



Nick





Nick Lewis, MS, MA, CISSP

Program Manager, Internet2 Cloud Services - Security and Identity

Internet2

nlewis () internet2 edu







*From: *The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Sue McGlashan
<sue.mcglashan () UTORONTO CA>
*Reply-To: *The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Friday, September 21, 2018 at 12:46 PM
*To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>

*Subject: *Re: [SECURITY] Cloud vendor contracts starting to say they
own the data you put in their cloud



+1 to Alex.





--

*Sue McGlashan *
Phone 416-946-3260


October is Cyber Security Awareness Month, learn more:
securitymatters.utoronto.ca <https://securitymatters.utoronto.ca/> |
@uoftcyberaware <https://twitter.com/uoftcyberaware> |
@uoftcyberaware <https://www.instagram.com/uoftcyberaware/> |
uoftcyberaware <https://www.facebook.com/uoftcyberaware>







*From: *The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Alex Lindstrom
<aglind () UDEL EDU>
*Reply-To: *The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Friday, September 21, 2018 at 12:43 PM
*To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>

*Subject: *Re: [SECURITY] Cloud vendor contracts starting to say they
own the data you put in their cloud



In the same vein as Jason, I've seen vendors propose a few things:

 1. You own your data, but we can use anonymized copies.
 2. We own your feedback, suggestions, and data about your use of the
    service.

I haven't yet seen a vendor propose to own all customer-provided data.
Typically, the two above points are blended such that the customer owns
their actual data, but the vendor can aggregate it for service
management purposes.



To Grace's comment: yes, and we often do if it's not already there.
(Usually, the vendor's standard agreement acknowledges that the customer
retains all rights to, title to, and interest in their data.) We also
include clauses that limit the vendor's use of the data to only the
purposes necessary to provide the services.


-----

Alex Lindstrom

IT Security Analyst II

UD IT Security


(302) 831-4823
https://www.udel.edu/security/ <https://www1.udel.edu/security/>

https://sites.udel.edu/threat/





On Fri, Sep 21, 2018 at 12:28 PM Jason Edelstein <jasone () uchicago edu
<mailto:jasone () uchicago edu>> wrote:

    We see two variants:

    1. We don't own your actual data, but we reserve the right to make
    anonymized copies of your data and use them for anything we want,
    including marketing, etc.

    2. We own your stuff, thanks for uploading.

    We've usually struck clauses of the second type or simply refused to
    sign that contract, where possible. I actually haven't seen one of
    the second type in a while.

    For clauses of the first kind, we've had some success modifying
    contracts to restrict this to only allowing anonymized data for
    support or delivery of the contracted goods and services, but many
    companies complain that they don't have a way to opt us out of their
    Big Data.

    In that case, I've been pondering simply saying that any release of
    data, anonymized or not, that ends up being identifiable information
    is considered a breach. Some have bought that, others have not.

    Jason Edelstein

    IT Risk and Compliance Program Manager

    University of Chicago, IT Services

    desk: 773 834 3457

    security.uchicago.edu <http://security.uchicago.edu> / 773 702 CERT

    On 9/21/2018 11:10 AM, Grace Lynn Faustino wrote:

        Can Universities add the ownership of data clause to the
        contract terms?



        ~ Grace L. Faustino



        Public Key

        7C4F 3117 131E A4AC 3B07 45FC 57E3 1235 59BE DFB4 6075 2ED2 A9DB
        C847 CBD8



        /“Learning is not attained by chance, it must be sought for with
        ardor and diligence” ~Abigail Adams/









        *From: *The EDUCAUSE Security Community Group Listserv
        <SECURITY () LISTSERV EDUCAUSE EDU>
        <mailto:SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Sue Rivera
        <srivera () CSUB EDU> <mailto:srivera () CSUB EDU>
        *Reply-To: *The EDUCAUSE Security Community Group Listserv
        <SECURITY () LISTSERV EDUCAUSE EDU>
        <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
        *Date: *Friday, September 21, 2018 at 10:07 AM
        *To: *"SECURITY () LISTSERV EDUCAUSE EDU"
        <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
        <SECURITY () LISTSERV EDUCAUSE EDU>
        <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
        *Subject: *Re: [SECURITY] Cloud vendor contracts starting to say
        they own the data you put in their cloud



        I ran into that recently as well.



        Have a breach free day!



        Thank you,

        Sue Rivera

        Information Security Analyst, Lead

        Information Technology Services

        California State University, Bakersfield



        *From:* The EDUCAUSE Security Community Group Listserv
        [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *randy
        *Sent:* Friday, September 21, 2018 9:03 AM
        *To:* SECURITY () LISTSERV EDUCAUSE EDU
        <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
        *Subject:* [SECURITY] Cloud vendor contracts starting to say
        they own the data you put in their cloud



        The subject line  says it all.



        We're starting to see clauses in vendor cloud contracts where
        they are stating that they will own any data that we store in
        their cloud. Basically this sounds like cloud vendors are
        starting to adopt the social media sites' approach of "gimme,
        gimme, gimme, it's mine".  Needless to say, this is disturbing
        in so many ways.



        Has anyone else run into this?



        -Randy Marchany

        VA Tech IT Security Office and Lab.







--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University



-- 
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you
click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!
