Regulatory Language in Vendor Contracts Revisited

Call a lawyer today!  That is more or less why I have come to D.C. for the NACUA conference on compliance for the last couple of days. I wanted to hone in on what, precisely, the legal language would be in a vendor contract to address the need that higher education has to protect its institutional information and take advantage of selective cloud providers of transmission and storage services. Madelyn Wessel, among others, has been doing heavenly work in this area and has nailed it.  Before I quote it for public consumption, allow me to point out an important distinction: it is not (as I suggested earlier) that our institutions want the vendor to "comply" with the laws because that would involve so many other factors that are irrelevant to the vendor contract, but that vendors must be "in compliance with and enable the institution to be compliant with the relevant requirements of all laws and regulations."  That is why it is so important to work with institutional counsel.  Just that slight turn of phrase might make all the difference in closing a successful deal.

 

In the previous post I said that the contest is on, and the first big Internet company vendor that can provide us with these assurance wins!  That thought remains.  If we push into contracts without these assurances, we then have to direct stewards and custodians of vast swaths of institution information NOT to use the service, for example student and employee data, financial and (a great deal of ) research information (certainly anything that includes human subjects).  For all intents and purposes, that renders the service unusable for most administrative and much research information.  Restricting usability means the service will shrink to a small productivity tool, soon to be dwarfed by the vendor who steps up, gets the point, and makes their service viable for broad extensive use.  Moreover, compliance with these rules is increasingly becoming industry standard practice.  For that reason alone, vendors should be quick to adopt it.  Not having to quibble over every detail such as whether they do intrusion detection or background checks on employees should be a bonus.  We need not micromanage their network, data and security program, and won't if we have to if assurances grounded in law and regulation become standard contract language for cloud services.  Win-Win!

 

Okay, here is chapter and verse of the sample language:  

 

a. Vendor will comply with all applicable laws and industry standards in performing services under this Agreement.  Vendor personnel visiting or using remotely the institution's facilities will comply with all applicable institutional-level policies regarding access to, use of, and conduct within such facilities.  Each institution will provide copies of such policies to Vendor upon request.  

 

b. Vendor warrants that the service it will provide to the institution is fully compliant with and will enable the institution to be compliant with relevant requirements of all laws, regulation and guidance applicable to the institution and Vendor including but not limited to: the Family Education Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Financial Modernization Act (GLB), Payment Card Industry Data Security Standards (PCI-DSS), Americans with Disabilities Act (ADA) and Federal Export Administration Regulations.