Educause Security Discussion mailing list archives

Re: Outsourcing Student Email - Security Concerns?


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Fri, 27 May 2011 01:29:07 -0400

There are also a number of policy and legal concerns with outsourcing email.

For instance, if email contains data on a research project not covered under a basic research exemption to export 
control and the email server is outside the US or hosted on certain kinds of equipment, the act of storing or sending 
the email "across campus" could be a weapons export violation.

Does the email provider indemnify you against all FERPA and HIPAA penalties and costs if they disclose protected 
information on students and/or staff?  

When faced with a subpoena or open records act request (similar to the ones in Wisconsin and Michigan recently), what 
charges will be incurred to pull out all the archived mail and search it?  What control will you at the university have 
over disclosure of materials that might be privileged when the email isn't in your actual possession to begin with?

Actually, is storage of official email by faculty and staff offsite in this manner in keeping with state sunshine/open 
records laws if you are a state university?

Is email with design information and data stored on a third party's system sufficient to violate an NDA or invalidate a 
future patent claim because the information is no longer under your direct control?

In the event of a legal issue, will personnel from the service provider be willing to testify under oath to chain of 
custody for data used in forensics?  Will they even help in the forensics?  And what will they charge for that?  This 
could be as complex as an in-depth NSF IG investigation for fraud over several years, or investigating online stalking, 
or as simple as determining which of several students actually plagiarized a paper last year, but in each case it means 
pulling some backups and doing examination.  Much different than doing it in-house.

5 years from now, after your own infrastructure has withered, what happens when the mail provider you have selected 
decides to impose very major price increases — and a hefty charge if you want to transfer all your existing archives 
and accounts off their system?  How can you know that they won't change their business model and pricing later when you 
have no affordable alternative?


Those are only a few of the problems I posed to our campus committee when they were thinking about moving to an outside 
email provider.  After considering the questions and getting advice on the answers, we're keeping all our email on 
campus.

Cost of common operations is what drives most organizations to outsource.  Security is usually the issue that causes 
some initial concern.  But it is the unusual and rare instances of other events that often cause the biggest problems 
because of lack of resources and control.

I'd suggest you consult with your campus legal and contracts folk, audit, risk, and similar offices, and think through 
some of the possible scenarios (such as the above) that might happen (or have happened) on your campus and could 
involve email.  Get their opinions as to what the consequences and issues might be.  It's more than viruses and 
people's files being stolen.  Your state laws and institutional profile may mean you are not at risk to move the email 
offsite to a 3rd party.  Or, it could mean you could create some very sticky situations down the road.
