Legal Compliance and Marketscore and Higher Ed

[James H Moore <jhmfa () RIT EDU>]

Joel, and Theresa and Mike seem to touch on my concerns.  My concerns are
legal compliance and liability, which line up with the outrage over
Marketscore slipping beneath the radar of users.

My understanding is this:

1) Marketscore buries in their EULA the language that asks the user to
authorize them to redirect web traffic, including encrypted web traffic
through their servers.

2) They also ask for the ability to update software on the users computer

3) They redirect "internet traffic" through their web proxies, and if the
page is available from the proxy, they provide it, thereby giving the
appearance of accelerated web access (their claim - the reason that people
agree.  The definition of "Internet" is key here.  Their software as no idea
where is located, and what is internet and intranet.  According to Joel,
from what he has observed, they make an assumption.  If it is in the 255
addresses closest to you, that is intranet, everything else is Internet.

4) Most universities have administrative servers on separate subnets, so
they are not in the 255 closest to anyone. For us: This means that the web
server for Student Educational Records, and Student Accounts is "Internet"
as far as almost all on-campus connections are concerned.

5) We have legal requirements to control access to Student Record data
(FERPA), Customer data / Financial Aid data (GLB), and Protected Health
Information (HIPAA).  And as Theresa mentions, for HIPAA, there is no
agreement as HIPAA requires.  When we outsource information where we are
required to control access, we have contract terms that communicates the
restrictions to our outsource partner.  We would be fools from a liability
point of view not to do that.

6) Our end users have an agreement with marketscore, and they have no
agreement with the university.

The speculation is about the liability picture if we make against policy the
use of any redirection off of campus, with whom the university does not have
a protective contract (and we can list them).  And we have the right
communication vehicle to make people aware.  And we put the appropriate
blocks in place.  Does it improve our liability and compliance picture, if
someone still exposes the university through carelessness.

Jim


> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
> Sent: Friday, January 07, 2005 11:42 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Marketscore and Higher Ed
>
> Just for the record, I contacted the GC office at Ernst &
> Young when we first started looking into Marketscore.  They
> have certified that the connection between the client
> computer and the Marketscore servers meet the requirements
> for their WebTrust logo.  They had no official comment on
> what the MarketScore company was doing, since that was not
> what they were asked to check on.  They basically certified
> that when you "sign up" for the MarketScore service, your
> data is safe.
>
> Joel Rosenblatt
>
> Joel Rosenblatt, Senior Security Officer & Windows
> Specialist, AcIS Columbia University, 612 W 115th Street, NY,
> NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
>
>
> --On Friday, January 07, 2005 10:29 AM -0600 Theresa Semmens
> <theresa.semmens () NDSU NODAK EDU> wrote:
>
> > Mike, are you going to request a formal written statement from
> > Marketscore that states it is doing everything in your best
> interests
> > to protect the university data you are responsible for?
> >
> > While it may look like they are meeting industry standards
> in privacy
> > protection, I am not comfortable with any public, sensitive,
> > intellectual, confidential university data traveling
> through any third
> > party server for which I have no specific formal written guarantee
> > stating that it is doing everything within all federal laws and
> > regulations to protect the information it gleans.
> >
> > HIPAA requires a Business Associate Agreement.  Are you going to
> > request one from them? I know I'm reaching a bit far here,
> but I think
> > it's important to make such a point.
> >
> > Theresa Semmens
> > IT Security Officer
> > North Dakota State University
> > IACC 210C
> > Ph: 701-231-5870
> > E-mail: theresa.semmens () ndsu nodak edu
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
> > Sent: Friday, January 07, 2005 10:15 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Marketscore and Higher Ed
> >
> > I did a little investigation (well, web surfing) of Marketscore's
> > claimed privacy policy which proved to be interesting.
> >
> > On their home page is a WebTrust icon. Following the hyperlink is a
> > report from the WebTrust organization that says Marketscore has met
> > the requirements of their 'WebTrust Online Privacy'
> assurance service
> > as determined by Ernst & Young. The WebTrust main website
> > http://www.webtrust.org/overview.htm lists four assurance services
> > that they
> > provide: WebTrust Online Privacy, WebTrust Consumer Protection,
> > WebTrust, and WebTrust for Certification Authorities.
> >
> > The latter one turns out to be the main trust requirement that
> > Microsoft specifies for any organization applying to have
> their root
> > CA cert installed in their products
> > http://www.microsoft.com/technet/security/news/rootcert.mspx#EFAA .
> >
> > I am not familiar with the details of obtaining these
> approvals or how
> > they compare to each other since I'm not an accountant. But I am
> > beginning to feel assured that the Marketscore is meeting a
> recognized
> > industry standard in privacy protection.
> >
> > Mike
> >
> >
> > Mike Wiseman
> > Manager - Computer Security Administration Computing and Networking
> > Services University of Toronto
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> http://www.educause.edu/groups/.
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>
>
> Joel Rosenblatt, Senior Security Officer & Windows
> Specialist, AcIS Columbia University, 612 W 115th Street, NY,
> NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Attachment: smime.p7s
Description: