By Stephen Rawson
One of the most significant (and accelerating) technology trends in public education is the use of cloud-based products and services for the enhancement of educational programs. A 2013 study by Fordham Law School revealed that 95 percent of school districts use some form of cloud-based services. And while many school districts considering such opportunities would love to have a lawyer who can explain to them the difference between software-as-a-service and platform-as-a-service, uptime and downtime, and 128-bit and 256-bit encryption, what they are really looking for is someone who can answer the following two questions: Can we legally use this service, and are there any problems with the contract terms proposed by the provider? Generally speaking, the answers are yes and yes. But helping the client understand and fix the issues regarding the second yes is critical to maintaining the accuracy of the first.
Most lawyers don’t have the time to learn the technical details of cloud-based products and services. With that in mind, what follows is a brief exploration of the most common pitfalls in cloud computing contracts, and how to address each. As a general rule, smaller companies are more willing to be flexible with their terms than larger companies over whom you have little bargaining power. But at minimum, recognizing the issues below will allow you to present your client with an informed choice about any given opportunity presented by a cloud service provider.
Who Owns/Controls the Data?
To mitigate these issues, include terms in the proposed contract rider clarifying that the school district retains ownership over all data provided to the vendor and prohibiting any use of the data for purposes other than providing the service itself. It is especially important that your agreement prohibit commercial and marketing uses of student data. If you can, secure a term guaranteeing that your data will be stored in the United States. Many cloud server systems are housed elsewhere around the world—if the district’s data is being stored in Siberia, you may have difficulty enforcing ownership rights when you need to retrieve the data or when the data is misused.
Protecting Student Confidentiality
Chances are that any cloud-based service that will be of actual use to your district will require the disclosure of some student data protected by FERPA. The district has an obligation under federal law to protect the confidentiality of education records disclosed to the cloud provider. The best way to protect the district is to incorporate language into the contract rider that addresses the requirements of 34 C.F.R. § 99.31(a)(1)(i)(B). Specifically, the contract should name the provider as a “school official” for the purposes of the agreement, state that the provider will not use or maintain the records except as directed by the district, and acknowledge that the provider is bound by the provisions of FERPA, including those regarding redisclosure of education records. Most cloud providers that work with school districts will not balk at these basic terms – if one does, you should question whether that provider is equipped to meet the district’s needs.
Locking In the Terms
This is perhaps the most important area of all, and it’s the one where companies will be least likely to make firm promises. Many online Terms will disclaim any guarantee, warranty, or even responsibility for the security of your data, though they will preface such a statement with a flowery declaration about how they value their customers’ privacy and data confidentiality and how they are committed to working toward the most secure network possible. You can and should demand better. Add language requiring that the company use at least “industry standard” security measures, and requiring that they protect your data no less rigorously than their own confidential data. If you can obtain some type of auditing right, do so.
You can be sure that online Terms and Conditions will have enormously unfair liability terms. Your district will be expected to indemnify the company for anything under the sun, including misconduct by students using the service from home. Terms also often include releases of all legal claims, including those that don’t yet exist. You may even encounter a statement that your “sole and exclusive remedy” under the agreement is to stop using the service. You may meet significant resistance to changing these terms, but your district will be in a much better legal position if you can at least remove the indemnification provisions, especially for conduct of third parties like students, and if you can avoid releasing future claims. Avoid arbitration clauses as well.
You will also want to plan for security breaches. Your contract rider should allocate liability for lost, stolen or destroyed data. But if you can’t get that strong a term in place, at least push for notice rights. If there is a breach of security related to student data, the district needs to know. Insist on notice within 24-48 hours, including an explanation of the scope of the breach, which students’ data may have been compromised, and the company’s plans to recover the data and prevent future breaches.
Planning for the End
Your district has legal obligations related to access to student records in a timely fashion, so it cannot end up in a situation where data is unavailable for a long period of time or lost entirely. Your contract rider should include provisions that define how the district’s relationship with the provider will end: termination notice periods, what format the data must be returned to the district in (avoid proprietary data formats!), how long the vendor must maintain the data and when the data must be destroyed, etc. It may take six months or more for your district to transition to a new cloud provider—the district will need consistent access to its data during the transition period.
Beyond the Contract
As with any area of contract review, there are many more details that could be negotiated in any given cloud computing agreement. The points above are merely an overview of some of the major issues that can help your district avoid unexpected disappointment or even legal liability. Even if you cannot convince particular providers to negotiate on these issues, you can at least present your districts with a clear understanding of the risks they may be taking with any particular provider. Every time some other district’s data is sold in a bankruptcy proceeding or lost in the snows of Siberia, they will thank you.
[PTAC Requirements and Best Practices (February 2014), PTAC Transparency Best Practices (July 2014), PTAC Model Terms of Service (January 2015)]
Steve Rawson is an associate attorney in the Education Section at Tharrington Smith LLP. This article was originally published in the November 2015 issue of Education Law, the Newsletter of the Education Law Section of the North Carolina Bar Association.