云计算法律与政策问题Legal__Policy_Issues .pptVIP

Legal and Policy Issues in Cloud Computing Beth Hodsdon Madelyn Wessel UVA Office of General Counsel * EXPORTING UNIVERSITY DATA AND INFORMATION TO THE CLOUD IS RISKY UNLESS… You first evaluate the data/information to determine whether it is appropriate to place outside the University The vendor or site where it will go is going to protect and secure it appropriately Any license you will sign is legal (a license IS a contract) There are no inappropriate data mining or IP rights provisions that go against law or policy You’ll be able to get the data back when you need it You’re not violating other important rules or responsibilities in the process * RULE # 1 - Do not go it alone Consult with Procurement Services, Medical Center Procurement, ITC-Information Security, Policy and Records Office, Health System Computing Services, and/or General Counsel * Evaluate your data #1 Is it HIPAA-controlled patients’ protected health information (“PHI”)? Is it FERPA-regulated student educational records? Is it subject to export control regulations? Is it ‘sensitive data” controlled by other federal or state legal requirements, e.g. SSN’s, or confidential financial data (credit card#’s)? * EVALUATE YOUR DATA #2 Is the data subject to Virginia public records requirements that require data to be available to the institution, not placed outside of the University’s control? (Safer to assume it is until determined otherwise.) Is it data that must be preserved under institutional control due to grants or research compliance requirements? For example, new NSF grants must have a data management plan that binds both the researcher and the University. * VENDOR/SITE SECURITY AND SAFETY Vendors will not provide detailed information about their technology and information security standards unless forced to through a rigorous procurement process. Online sites will entice with general language, but you don’t really know how your data will be kept, and whether it will be secure. Some da