Below is a list of the top ten issues that warrant particular attention in outsourced vendor contract negotiations.
Contract should require the entity to maintain all of the legal, technical, and procedural requirements of all public privacy laws, including but not limited to the Privacy Act of 1974; the Family Educational Rights and Privacy Act of 1974, as amended; the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act of 2003; the Health Insurance Portability and Accountability Act of 1996, as amended; the Gramm-Leach-Bliley Act of 1999; and the Payment Card Industry Data Security Standards, most recently updated as of 2010.
To date no federal law requires notification in the event of a breach of personally identifiable information. A majority of state laws do, and interpretations about how and in what ways they apply to other states differ among legal theorists. This uneven and ever-changing landscape makes clear and consistent contractual language difficult to impose. Be that as it may, institutions may decide either to impose those rules found in their home state or to require the entity to adhere to the state with the most rigorous standards of notification and protection. A third approach may be for the institution and the entity to create their own standards for the management of breaches that would include provisions about who reports the matter to whom, the test for a breach and the technical criteria used to do the assessment, and finally which party has responsibility for notifications and follow-up, such as credit reporting arrangements. Indeed, such efforts, if done collaboratively among institutions and smartly with the vendor, could in fact lead to adoption by the federal government at such time as it will almost inevitably pass legislation.
Allegedly "free" services require the institution to ask the question of "what is in it for the vendor?" For many web vendors, their business model revolves primarily around advertising; marketing plays a supporting role. In order to achieve that goal in a highly competitive environment, vendors must take advantage of the information under their control, for example, user web search terms and the content of stored information in mail or other file folders. Data mining, aggregation, and sale for targeted marketing are a very significant portion of their revenue. It is therefore imperative that an institution representing its users examine its own culture, law, and traditions in the area of information privacy and be prepared to make clear claims regarding what is and is not acceptable behavior on the part of the vendor.
For example, the current standard Google student mail contracts reveal nothing about what Google does with web search terms. It clearly states that the stored mail will be mined, but anonymized, and that not until the student graduates will it feature advertisements on the site. Some institutions may want to bear down on these issues, at a minimum requiring that if Google does mine search terms, it do so mechanistically and with anonymizing features. Moreover, most institutions would want assurances up front that no personally identifiable information will ever be aggregated for advertising and marketing purposes while the user still uses the account as a student. For faculty and staff mail services, the institution might want to make that assurance a permanent feature of the agreement. Finally, opt-in and opt-out services might also be offered, for example, on user search terms. The institution would contract explicitly on this point to be sure not only that options exist, but also that clear user education and training materials include information about all of these features and about how a user may optimize the privacy of their communications. Specific points to clarify might include: information about any anonymization techniques that the entity uses to separate information from user identity; whether the entity captures search terms and/or queries; whether the entity does or does not associate those terms and queries with individual users; what the entity does with that information and how it manages its security; whether it sells the information; how long it maintains records of individuals' searches; what other uses it makes of that information; and that the entity promises to permanently purge that information as of a specified date.
The institution should, before entering into contract negotiations, do a cost-benefit analysis of how and in what ways to manage e-discovery concerns for which it maintains liability. For example, no liability may attach to student mail, but most certainly the institution must consider the e-discovery implications of sourcing faculty and student mail, as well as materials sourced in course management systems or data centers. Entities such as Google offer services, such as Postini, which the institution should consider as a part of its analysis in the context of its entire sourcing portfolio, together with whatever in-house technical, policy, and procedural approaches the institution may already have in place and in which it may have made significant investments (for example, inventory materials, appropriate offices designated to engage with affected parties, technologies such as backup systems prepared to make non-deleting continuous backups, and the necessary policy materials used to educate and inform affected parties).
Entity should be willing to warrant that it actually owns the technologies and business processes foundational to its operations and to indemnify the institution against any potential patent infringement action that should come about as a result of its technologies or business processes.
Entity should make explicit in the contract exactly what other terms of the agreement are included by incorporation via links, URLs, or any other documents associated with the contract. Moreover, the entity should promise not to alter any of its material terms in those incorporated documents and to serve notice on the institution and/or its users in the event of any non-material change.
The United States has specific export control laws which the institution and/or its users may be in violation of if the entity stores (and possibly even if it transmits) certain kinds of encryption software not allowed outside of the U.S. In the event that the vendor/entity has data and/or routing centers outside of the United States, the institution must either restrict such users from those services, or contract with the entity to promise that such data is neither stored nor transmitted outside of the United States.
The institution should insist upon clear language from the entity about how much lead time each party requires before implementation of the agreement and what, if any, penalty exists for failure of a timely implementation.
The parties should make clear for what specific reasons either party can suspend or terminate the agreement (taking into account a reasonable time period for the institution to either rebuild its services or to shift to another vendor) as well as how, in what ways, and in what time frames the institution will have access to its information, stored or continuing to be transmitted, before, during, and after the suspension or termination period. In the case of institutional information, the contract should be crystal clear about what happens to the information after termination of the contract; one could hardly imagine a case where the rule would not require the entity to instantiate that information for the institution and to destroy its copies.
The institution should outline the specific circumstances whereby it demands and expects information from the entity or vendor, for example, in instances of a concern for the health or safety of a student, to check on that student's use of e-mail services and possibly even the content of his or her e-mail messages. The institution should review its existing or desired practices in this area (death of a student, health or safety emergency of the individual, health or safety emergency of the institution or other people) and establish a process by which affirmations may be offered as to the circumstances and promises for prompt response, especially in urgent emergency circumstances, per an agreed-upon procedure. In the case of faculty and staff mail, again the institution should first review its own policies and procedures for access or disclosure of such information (content as well as system and network logs) and attempt to incorporate such access rules and procedures in the context of the relationship between the vendor and the institution. Additionally, the contract should incorporate the ability to review the procedures for effectiveness and efficiency according to technological, social, or other changed practices.
Most likely, vendors or entities do not provide a warranty of anything! This area of the contract can be a "throw away": that is, a meaningless term stating that the entity makes no warranty (which, in the case of negligence, will not absolve its liability). Indemnification is the other side of the coin. It is not reasonable to list out every possibility of what a vendor might attempt to indemnify itself against in a contract. The institution should nonetheless scrutinize this section carefully to see whether the entity is using the section as a "get-out-of-court-free card" or similar kind of provision, or whether the entity has narrowly tailored the section to indemnify itself against actions that are in fact not its responsibility.
By contract, vendors commonly choose their own jurisdiction. The preferred position is to eliminate this provision from the contract altogether and rely on existing jurisdiction law in the event of a suit. In most cases that means that if the vendor brings a suit against the institution, default rules of civil procedure require the vendor to bring it in the institution's location, which usually, although not always, is the preferred posture.