Educause Security Discussion mailing list archives
Re: Legal Compliance and Marketscore and Higher Ed
From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 10 Jan 2005 14:50:28 -0500
Thanks Tracy for your clear answer directly addressing the liability and compliance issues. I just really want to know what is needed to do the right thing.

I guess I am looking for validation for my "shoot from the hip" response, which largely reflects the efforts described on the SECURITY list, but goes a little beyond the technical, too.

1) Have a test for individual users, whether in anti-spyware, or a web-based test which simply detects where traffic came from.
2) Have some alarms or blocks on the Marketscore addresses for redirection.
3) Communicate to university leadership and legal counsel that we have seen a problem of size x, and we are concerned with the potential for compromise of personal and regulated data.
4) Make an announcement of Marketscore, and its potential impact to the general population.
5) As quickly as possible create a standard on web-redirection.
...

What have I missed? How have others presented this to their university leadership?

Jim
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tracy Mitrano
Sent: Friday, January 07, 2005 5:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Legal Compliance and Marketscore and Higher Ed

Does it improve our liability and compliance picture, if someone still exposes the university through carelessness?
Jim

Short answer, no, unless the *contract* was found to be unconscionable.

Let's play with the scenario: Employee acts as agent for institution, makes contract with MarketScore...if it were to be found by a court (or in the case of FERPA, an administrative proceeding) that they acted outside the scope of their employment they might also lose institutional indemnity, perhaps their job (especially if warned or prohibited by policy to engage in relationship) and could conceivably be personally liable for damages in the event of a disclosure, say, of medical or financial records (along with MarketScore, incidentally, since they promise in the contract to protect the personal information).

The institution may or may not be liable, depending on how the "respondeat superior" (vicarious liability in employment law) plays out at trial, but with deep pockets and precedent in favor of finding for institutional liability except in the most egregious "ultra vires" cases I sure would not be cavalier on that account either.

Tracy

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Legal Compliance and Marketscore and Higher Ed James H Moore (Jan 07)
- <Possible follow-ups>
- Re: Legal Compliance and Marketscore and Higher Ed Tracy Mitrano (Jan 07)
- Re: Legal Compliance and Marketscore and Higher Ed James H Moore (Jan 10)