Educause Security Discussion mailing list archives
Legal Compliance and Marketscore and Higher Ed
From: James H Moore <jhmfa () RIT EDU>
Date: Fri, 7 Jan 2005 14:53:19 -0500
Joel, Theresa and Mike seem to touch on my concerns. My concerns are legal compliance and liability, which line up with the outrage over Marketscore slipping beneath the radar of users. My understanding is this:

1) Marketscore buries in their EULA the language that asks the user to authorize them to redirect web traffic, including encrypted web traffic, through their servers.

2) They also ask for the ability to update software on the user's computer.

3) They redirect "internet traffic" through their web proxies, and if the page is available from the proxy, they provide it, thereby giving the appearance of accelerated web access (their claim - the reason that people agree). The definition of "Internet" is key here. Their software has no idea where it is located, and what is internet and intranet. According to Joel, from what he has observed, they make an assumption: if it is in the 255 addresses closest to you, that is intranet; everything else is Internet.

4) Most universities have administrative servers on separate subnets, so they are not in the 255 closest to anyone. For us, this means that the web server for Student Educational Records and Student Accounts is "Internet" as far as almost all on-campus connections are concerned.

5) We have legal requirements to control access to Student Record data (FERPA), Customer data / Financial Aid data (GLB), and Protected Health Information (HIPAA). And as Theresa mentions, for HIPAA, there is no agreement as HIPAA requires. When we outsource information where we are required to control access, we have contract terms that communicate the restrictions to our outsource partner. We would be fools from a liability point of view not to do that.

6) Our end users have an agreement with Marketscore, and they have no agreement with the university.
The speculation is about the liability picture if we make against policy the use of any redirection off of campus with whom the university does not have a protective contract (and we can list them), and we have the right communication vehicle to make people aware, and we put the appropriate blocks in place. Does it improve our liability and compliance picture if someone still exposes the university through carelessness?

Jim
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Friday, January 07, 2005 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Marketscore and Higher Ed

Just for the record, I contacted the GC office at Ernst & Young when we first started looking into Marketscore. They have certified that the connection between the client computer and the Marketscore servers meets the requirements for their WebTrust logo. They had no official comment on what the MarketScore company was doing, since that was not what they were asked to check on. They basically certified that when you "sign up" for the MarketScore service, your data is safe.

Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Friday, January 07, 2005 10:29 AM -0600 Theresa Semmens <theresa.semmens () NDSU NODAK EDU> wrote:

Mike, are you going to request a formal written statement from Marketscore that states it is doing everything in your best interests to protect the university data you are responsible for? While it may look like they are meeting industry standards in privacy protection, I am not comfortable with any public, sensitive, intellectual, confidential university data traveling through any third party server for which I have no specific formal written guarantee stating that it is doing everything within all federal laws and regulations to protect the information it gleans. HIPAA requires a Business Associate Agreement. Are you going to request one from them? I know I'm reaching a bit far here, but I think it's important to make such a point.
Theresa Semmens
IT Security Officer
North Dakota State University
IACC 210C
Ph: 701-231-5870
E-mail: theresa.semmens () ndsu nodak edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
Sent: Friday, January 07, 2005 10:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Marketscore and Higher Ed

I did a little investigation (well, web surfing) of Marketscore's claimed privacy policy, which proved to be interesting. On their home page is a WebTrust icon. Following the hyperlink is a report from the WebTrust organization that says Marketscore has met the requirements of their 'WebTrust Online Privacy' assurance service as determined by Ernst & Young. The WebTrust main website http://www.webtrust.org/overview.htm lists four assurance services that they provide: WebTrust Online Privacy, WebTrust Consumer Protection, WebTrust, and WebTrust for Certification Authorities. The latter one turns out to be the main trust requirement that Microsoft specifies for any organization applying to have their root CA cert installed in their products http://www.microsoft.com/technet/security/news/rootcert.mspx#EFAA . I am not familiar with the details of obtaining these approvals or how they compare to each other since I'm not an accountant. But I am beginning to feel assured that Marketscore is meeting a recognized industry standard in privacy protection.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
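Points 3 and 4 of Jim's message describe the classification rule Joel observed: anything in the "255 addresses closest to you" is treated as intranet and everything else as Internet, so campus servers on a different subnet get proxied as if they were off campus. The Python below is an added illustration of that failure mode for administrators assessing their own exposure; it is not code from the thread or from Marketscore. It reads "closest 255 addresses" as the client's own /24 (an assumption), and the campus address plan, hostnames and client address are constructed from RFC 5737 documentation ranges.

```python
"""Contrast a 'client /24 = intranet' heuristic with classification against the
organisation's real address ranges.  Added example; all addresses are
constructed from RFC 5737 documentation ranges and belong to no real network."""
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed campus address plan (assumption, not from the thread):
# client workstations sit in 198.51.100.0/24; administrative servers sit
# in a separate subnet, 203.0.113.0/24, as point 4 of the message describes.
CAMPUS_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed destinations a campus client might contact.
DESTINATIONS = {
    "student-records.example.edu": "203.0.113.10",   # FERPA data, other campus subnet
    "student-accounts.example.edu": "203.0.113.11",  # GLB data, other campus subnet
    "www.cs.example.edu": "198.51.100.80",           # same subnet as the client
    "www.example.com": "192.0.2.5",                  # genuinely off campus
}


def naive_is_intranet(client_ip: str, dest_ip: str) -> bool:
    """The heuristic described in the thread: only the client's own /24
    (the '255 addresses closest to you') counts as intranet."""
    client_net = ip_network(f"{client_ip}/24", strict=False)
    return ip_address(dest_ip) in client_net


def campus_is_intranet(dest_ip: str, ranges: Iterable = CAMPUS_RANGES) -> bool:
    """Classify against the organisation's actual address ranges instead."""
    addr = ip_address(dest_ip)
    return any(addr in net for net in ranges)


def misrouted_internal_hosts(client_ip: str, destinations: dict = DESTINATIONS) -> list:
    """Return hostnames that the naive rule would label 'Internet' (and so
    hand to a third-party proxy) even though they are campus systems."""
    return sorted(
        host for host, ip in destinations.items()
        if campus_is_intranet(ip) and not naive_is_intranet(client_ip, ip)
    )


def classification_table(client_ip: str, destinations: dict = DESTINATIONS) -> dict:
    """Side-by-side verdict of both rules for every destination."""
    return {
        host: {"naive": naive_is_intranet(client_ip, ip),
               "campus": campus_is_intranet(ip)}
        for host, ip in destinations.items()
    }


if __name__ == "__main__":
    client = "198.51.100.23"  # constructed: a lab workstation
    for host, verdict in classification_table(client).items():
        print(f"{host:30} naive={verdict['naive']!s:5} campus={verdict['campus']}")
    print("Campus systems the naive rule would proxy:",
          misrouted_internal_hosts(client))
```

Run from a workstation address, the naive rule keeps the departmental web server local but sends both records servers through the proxy; run from an address on the administrative subnet it does the reverse, so the set of misclassified systems depends on where the client sits, not on where the data lives. The same `CAMPUS_RANGES` list is what a campus would want its own blocks or proxy exceptions to be built from.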
Attachment: smime.p7s
Current thread:
- Legal Compliance and Marketscore and Higher Ed James H Moore (Jan 07)
- <Possible follow-ups>
- Re: Legal Compliance and Marketscore and Higher Ed Tracy Mitrano (Jan 07)
- Re: Legal Compliance and Marketscore and Higher Ed James H Moore (Jan 10)