Educause Security Discussion mailing list archives

Re: Cloud vendor contracts starting to say they own the data you put in their cloud

From: Ben Marsden <bmarsden () SMITH EDU>
Date: Fri, 21 Sep 2018 12:43:28 -0400

I detect a policy gap I'll need to address:  something along the lines of "
If you work with institutional information [ie. all fac / staff +],  use of
any app or SaaS provider service that has a "we own all data you put in our
grasp" clause in their contract / terms of use  is prohibited."     We can
usually find these in contracts we sign institutionally, but one-off use of
such apps like Grammarly we'll be hard pressed to catch.

    +1 for developing & publishing a list or repository of apps and
services that include such language as part of their default terms of use.

-- Ben


On Fri, Sep 21, 2018 at 12:28 PM Jason Edelstein <jasone () uchicago edu>
wrote:

We see two variants:

1. We don't own your actual data, but we reserve the right to make
anonymized copies of your data and use them for anything we want, including
marketing, etc.

2. We own your stuff, thanks for uploading.

We've usually struck clauses of the second type or simply refused to sign
that contract, where possible. I actually haven't seen one of the second
type in a while.

For clauses of the first kind, we've had some success modifying contracts
to restrict this to only allowing anonymized data for support or delivery
of the contracted goods and services, but many copies complain that they
don't have a way to opt us out of their Big Data.

In that case, I've been pondering simply saying that any release of data,
anonymized or not, that ends up being identifiable information is
considered a breach. Some have bought that, others have not.

Jason Edelstein
IT Risk and Compliance Program Manager
University of Chicago, IT Services
desk: 773 834 3457security.uchicago.edu / 773 702 CERT

On 9/21/2018 11:10 AM, Grace Lynn Faustino wrote:

Can Universities add the ownership of data clause to the contract terms?



~ Grace L. Faustino



Public Key

7C4F 3117 131E A4AC 3B07 45FC 57E3 1235 59BE DFB4 6075 2ED2 A9DB C847 CBD8



*“Learning is not attained by chance, it must be sought for with ardor and
diligence” ~Abigail Adams*









*From: *The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE EDU> on
behalf of Sue Rivera <srivera () CSUB EDU> <srivera () CSUB EDU>
*Reply-To: *The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Friday, September 21, 2018 at 10:07 AM
*To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
<SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *Re: [SECURITY] Cloud vendor contracts starting to say they own
the data you put in their cloud



I ran into that recently as well.



Have a breach free day!



Thank you,

Sue Rivera

Information Security Analyst, Lead

Information Technology Services

California State University, Bakersfield



*From:* The EDUCAUSE Security Community Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *randy
*Sent:* Friday, September 21, 2018 9:03 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Cloud vendor contracts starting to say they own the
data you put in their cloud



The subject line  says it all.



We're starting to see clauses in vendor cloud contracts where they are
stating that they will own any data that we store in their cloud. Basically
this sounds like cloud vendors are starting to adopt the social media
sites' approach of "gimme, gimme, gimme, it's mine".  Needless to say, this
is disturbing in so many ways.



Has anyone else run into this?



-Randy Marchany

VA Tech IT Security Office and Lab.


-- 
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you
click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!

Current thread:

Re: Cloud vendor contracts starting to say they own the data you put in their cloud, (continued)
- - - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Zachary Yamada (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Jason Edelstein (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Alex Lindstrom (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Sue McGlashan (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Nick Lewis (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Nathaniel Hall (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Nick Lewis (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Nathaniel Hall (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Frank Barton (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Ben Marsden (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Ben Marsden (Sep 21)
    - Re: Cloud vendor contracts starting to say they own the data you put in their cloud Boyce-Werner, Rori (Sep 24)
- Re: Cloud vendor contracts starting to say they own the data you put in their cloud Carrie Shumaker (Sep 24)