Re: Legal Compliance and Marketscore and Higher Ed

[James H Moore <jhmfa () RIT EDU>]

Thanks Tracy for your clear answer directly addressing the liability and
compliance issues.

I just really want to know what is needed to do the right thing.  I guess I
am looking for validation for my "shoot from the hip" response, which
largely reflects the efforts described on the SECURITY list, but goes a
little beyond the technical, too.

1) Have a test for individual users, wheather in anti-spyware, or a
web-based test which simply detects where traffic came from.

2) Have some alarms or blocks on the marketscore addresses for redirection.

3) Communicate to university leadership and legal counsel that we have seen
a problem of size x, and we are concerned with the potential for compromise
of personal and regulated data.

4) Make an announcement of marketscore, and its potential impact to the
general population

5) As quickly as possible create a standard on web-redirection.

... What have I missed?  How have others presented this to their university
leadership?

Jim

> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tracy Mitrano
> Sent: Friday, January 07, 2005 5:49 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Legal Compliance and Marketscore and Higher Ed
>
> >  Does it improve our liability and compliance picture, if someone
> > still exposes the university through carelessness.
> >
> > Jim
>
> Short answer, no, unless the *contract* was found to be
> unconscionable..
>
> Let's play with the scenario:  Employee acts as agent for
> institution, makes contract with MarketScore...if it were to
> be found by a court (or in the case of FERPA, an
> administrative proceeding) that they acted outside the scope
> of their employment they might also lose institutional
> indemnity, perhaps their job (especially if warned or
> prohibited by policy to engage in relationship) and could
> conceivably be personally liable for damages in the event of
> a disclosure, say, of medical or financial records (along
> with MarketScore, incidentally, since they promise in the
> contract to protect the personal information).
>
> The institution may or may not be liable, depending on how
> the "respondent superior" (vicarious liability in employment
> law) plays out at trial, but with deep pockets and precedent
> in favor of finding for institutional liability except in the
> most egregious "ultra vires" cases I sure would not be
> cavalier on that account either.
>
> Tracy
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Attachment: smime.p7s
Description: