Re: Policy - Employees using personal storage

["Giacobe, Nick" <nxg13 () PSU EDU>]

My university has no such policy directly.  There are some indirect policies related to software license agreements.

We have a difficult-to-enforce requirement that says that employees do not have the authority to bind the university to 
a contract with an external organization. Only authorized persons have the ability to do that.  That includes 
click-through agreements for things like online services, software, etc.  It is extremely difficult for the university 
to monitor and police such agreements.

However, as a faculty member who teaches in security and risk, and in cybersecurity, I am cognizant that my 
organization will likely pin it all on me if I violate something like FERPA using such “free” or low cost, personal 
account and services.

How would it happen? Let’s say that, as a faculty member, I sign up for Google’s free email service.  The click-through 
agreement says that I

“give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative 
works (such as those resulting from translations, adaptations or other changes we make so that your content works 
better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The 
rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and 
to develop new ones. This license continues even if you stop using our Services (for example, for a business listing 
you have added to Google Maps).”  https://policies.google.com/terms?gl=US&hl=en

So, let’s say I do that. I sign up for Gmail, and Google “Publicly” displays and performs emails or google drive 
content to someone else in the world (because I gave them license to do that)…. And that content included the grades of 
my students.  As an employee of the university, I have no authority to bind the university to such agreements.  So if I 
did it… I did it personally.

Who is responsible for the FERPA violation?

Me. Personally…. And my institution will probably hang me out to dry.

---
Nicklaus A. Giacobe, Ph.D.
Director of Undergraduate Programs and Assistant Teaching Professor
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
E333 Westgate Building
University Park, PA 16802

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Keenan Martinez
Sent: Friday, July 19, 2019 5:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Policy - Employees using personal storage

Good day,

Can members advise how they treat with employees who use their personal online storage (Gmail, Hotmail, Dropbox, etc) 
to store company files instead of company assigned storage? Is there a policy there would guide the restricted use?

Thanks in advance.

Regards,



Keenan Martinez
Manager -  Information Technology & METS
The Arthur Lok Jack Global School of Business
1, Max Richards Drive, Uriah Butler Highway North West, Mt. Hope. Trinidad & Tobago (UTC -4 hours)
Mt. Hope, Trinidad, W.I.
Tel : (868) 645-6700 ext: 333| (868) 498-0764 | Email : k.martinez () lokjackgsb edu tt|<mailto:k.martinez () 
lokjackgsb edu tt|> 
www.lokjackgsb.edu.tt<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.lokjackgsb.edu.tt%2F&data=02%7C01%7Cnxg13%40psu.edu%7Cd2ebeff5e61a4650b50408d70c414bc7%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C636991346956547033&sdata=h2SdecS7Z13cBbFmt8mX0ifnbDIr1OfWw2wzHNtBgCQ%3D&reserved=0>

[signature_1247171682]


Empowering UWI-ALJGSB to thrive in a digital world

_____________________________________________________________________ Please note that this message and any attachments 
may contain confidential and proprietary material and information and are intended only for the use of the intended 
recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, 
dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received 
this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, 
whether electronic or printed. Thank you.