Educause Security Discussion mailing list archives

3rd Party Spam Services & Data Confidentiality


From: Doug Sandford <dsandfor () SEEBECK UA EDU>
Date: Wed, 7 Jun 2006 09:31:13 -0500

We have a department on campus that, via an MX record, is having all
their e-mail sent through a third party spam checking service. In the
absence of an institutional spam appliance or anything similar, we
understand their reasoning. Don't we all.
My concern is the integrity and confidentiality of institutional data
(FERPA related for example) that passes into the hands of these
services and what they may do with it or who may have access to it.
What if a piece of mail is quarantined for some reason and it does in
fact contain sensitive data? Does the institution have liability for
the confidentiality of that data now that it is on the vendor's
server?
It's my initial reactive position that, since we forward the mail to
an internal institutional address initially, that the department
arranging for the services is responsible for contractual assurances
with the vendor. This issue raised its ugly head just yesterday so
I'm doing some homework before approaching the powers that be with
possible solutions.
Any thoughts or success stories are welcome. Lurking vendors please
be aware my phone rings constantly already. ;)

Thanks in advance...
Doug Sandford
Information Security Officer
University of Alabama
Seebeck Computer Center
doug () ua edu

This email is intended only for the person to whom it is
addressed.  Any review or other use of this information by
persons or entities other than the intended recipient or any
retransmission without the consent of the sender is prohibited.
