Lawyer Up

Lawyers identify the six biggest legal issues facing IT today, and how CIOs can avoid a run-in with the law.

Putting a CIO and a lawyer together in the same room may give you the start of a pretty decent joke, but it could also save your institution millions of dollars in legal fees. While the IT chief understands the systems that fall under the purview of compliance, the attorney is the go-to pessimist for identifying the "gotcha" elements when it comes to the law. Working together, they are equipped to anticipate--and resolve--legal worries before they mushroom into headaches. CT talked with legal experts to identify the six biggest legal issues that your institution's dynamic duo should be addressing together.

1. Digital Defamation
When a student publishes a derogatory post about other people, particularly a statement that could damage their reputation and cause injury, that's cyberbullying. Even if the post doesn't break a state criminal law, the poster may still face a lawsuit for libel or violation of state privacy laws.

So what should a school do about an entire website devoted to gossip and rumor? That was the dilemma facing university administrators nationwide when the JuicyCampus site became wildly popular as a destination for anonymous college posters. Before the site closed down in February 2009, a few IT administrators decided to ban access to it on their college networks.

But that's the wrong approach, says Joseph Storch, associate counsel in the Office of General Counsel for the State University of New York. "We've advised consistently that the answer to cyberbullying and digital defamation is not to block access to websites."

The reasons are many. For one, it's a slippery slope. "It's easy to agree to block JuicyCampus or [similar sites]," continues Storch. "But what about when someone is defamatory on Facebook? It's one thing to block access to a gossip site and another to block access to Facebook."

For another, the school has to remember that it operates within its own bounds. "Institutions don't go out and patrol the outside world," Storch notes. "As an institution, we have limited jurisdiction and it doesn't include significant control over external private parties. Here the issue is digital, but the same rules apply."

Finally, even if a site is blocked via the school network, most students can find ways to access it anyway. "Students can just go to their smartphones and pull up the same content," Storch points out. "So what are we gaining by blocking access?"

While Storch advises against blocking sites, he stresses that colleges are by no means powerless. "In addition to responding to reports of cyberbullying through the judicial code and, in some cases, the Title IX officer, the approach we recommend is to start at the beginning and do what colleges do best: education," he explains. "Working with orientation or student affairs, IT folks can educate students and model good behavior. Educate them during orientation or during some other residence life program: 'Things you say on the internet have real consequences.'"

2. Intellectual Property
With increasing numbers of faculty and students developing apps on campus, the question of intellectual property (IP) rights has moved front and center. Depending on law and policy, deciding what a campus can do with the output of instructors is commonly the purview of the faculty-governance entity, such as the faculty senate. What schools can do with products or content developed by students, however, is often less formalized.

"Your institution's policies can govern the relationship with students regarding IP rights in the content they create," advises Storch. When placing that content online, however, "you should ask the student's permission." All it takes, he says, is a short agreement that "includes language that licenses the student's intellectual property rights in a nonexclusive license to the institution so [the school] can put it up on the web."

The likelihood that a student would object, let alone sue, is small, but attorneys are trained to ponder potential consequences. "You never know when your unassuming junior student in music turns out to be the next Adele or Lady Gaga," notes Storch. "All of a sudden, her music is worth quite a bit of money, you've got some of her songs up on your website, and her people are contacting you to take it down."

The same is true with student-developed programs that might be of value on campus. A school representative should approach the developer before it's distributed on any school sites and say, "We really like what you did. We want to use it. However, it's your IP. We would be happy to give you credit, or throw you a few bucks, or work something out. Let's sign an agreement memorializing that." The point is to give the person the opportunity to say yes or no, which is their right.

3. Illegal Downloading
If you thought peer-to-peer downloading was so last decade, think again. Several sections of the Higher Education Opportunity Act signed into law in 2008 deal with unauthorized file sharing on campus networks. Schools have two responsibilities under this law:

  • To develop, implement, and regularly review written plans to combat unauthorized distribution of copyrighted material by users of the institution's network
  • To inform and educate their communities about the appropriate use of copyrighted material

To comply with these federal mandates, SUNY's Storch insists that IT and the judicial side of the house need to team up: "When a student is accused, either because the campus receives a DMCA [Digital Millennium Copyright Act] notice, or it otherwise comes to the attention of the campus, IT can do the initial fact-finding: Is this accurate? Who does this IP address match to on our campus? Is it a student or a faculty member? Then the actual judicial work can be done by the judicial or conduct office." Ultimately, he insists, the best way to approach the issue "is with a partnership." (For more information on dealing with illegal downloading on campus, read "Catching Illegal Downloaders")

For higher ed institutions, the legal ramifications of copyright infringement could become far greater depending on the ultimate outcome of legislation under consideration in Congress. In January, the bills--known as PIPA (the Protect IP Act) and SOPA (Stop Online Piracy Act)-- were shelved after vocal opposition from sites such as Google and Wikipedia, which claimed that they would muzzle free speech on the internet.

4. Data-Privacy Compliance
According to the National Conference of State Legislatures, data-breach notification laws are on the books in 46 states. These laws are layered on top of other federal regulations, such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). And that may be just the beginning. "I actually think that the regulatory and compliance hurdles will only increase moving forward," says Heidi Wachs, director of IT policy and privacy officer for Georgetown University (DC).

When Wachs does a presentation on campus about data privacy, however, she doesn't dwell on what the various laws require. "We focus on our strong good behavioral practices that, if followed, will protect the privacy and the integrity of the data," she says.

Experience has taught her what's important. In January 2008, just a few months after she joined the IT division at Georgetown, an external computer hard drive was stolen from an administrative office. The institution had to inform about 38,000 students, staff, and faculty that identifiable personal information, including Social Security numbers, had been stored on the hard drive. Trained as a lawyer, Wachs was quickly pulled into the realm of data-privacy compliance, and spent the next several years wading through the mop-up work related to that breach.

This included the development of remediation plans to address the extensive use of Social Security numbers on campus. It wasn't a simple matter of declaring them off-limits and doing a massive find-and-delete operation on computer systems. Campuses aren't like corporations, with a centralized IT structure that can be scoured. "Universities are far more distributed than that," Wachs says. "Professors buy their own laptops; business departments sometimes run their own servers."

Plus, universities are employers. "You have to collect Social Security numbers, because that's how any employer that conducts payroll communicates with the IRS," notes Wachs. Furthermore, students and their parents have to provide SSNs for financial-aid applications. "We have to have Social Security numbers."

As a result, education has been crucial. In the aftermath of the breach, the approach has been to focus on changing "little by little" the business processes and systems used on campus. "We have to go in and make sure the security is really good, and access is limited only to those who actually need it," Wachs explains.

Today, Wachs is often called upon to offer advice whenever university departments shop for services or are asked to share data with internal groups. In the benefits area, for example, the university has pressed vendors on why they need to use SSNs as the primary identifier for customers. In fact, during the period immediately following the breach, the institution stopped working with some vendors over the issue.

Now when a SSN field is required as part of the work, Georgetown looks for a way to mask it, so that anybody accessing the files can't easily view it. Also, vendors are required to fill out a form verifying that they require the SSNs for a legal purpose. And, says Wachs, "it has to be signed by either their privacy officer or [legal] counsel."

Sometimes it's an internal source asking for access to sensitive data. In such cases, the first step is to examine the business process and find out why the internal source doesn't have access already--and what prompted the request in the first place. If a decision is made to share the data, the focus then shifts to ensuring the transfer happens securely. At different points, both phases require input from IT and Legal.

5. Cloud Computing
Once you get past the technical and financial aspects of implementing a cloud solution, you need to sign a contract with the service provider. If you're relying on the vendor to supply that contract, though, it's time to get your legal people involved. "Form contracts are written in favor of the party that wrote them, not in favor of the other party, which is us," proclaims Steve McDonald, a member of the General Counsel Department at Rhode Island School of Design. "So you have to work through it and make sure it's actually the deal you want."

As an example, McDonald recalls a contract negotiation that involved the off-site processing and storage of data. The vendor's form contract stated that the vendor had no liability in the event of a data breach. "I said, 'Wait a minute. This is your system. The data is on your system. You're processing it. You're supposed to be protecting it. We have nothing to do with any of that and no ability to affect it, but you're saying it's our problem?'" relates McDonald. "They said, 'Oh, yeah. Our insurance company said that's a black hole liability, and we can't take it on.'"

Discussions continued until both parties came up with something that worked, "partly through negotiation and partly through deciding how we would use the system," he explains.

A lawyer's job, says McDonald, is to make sure the contract reflects what the school wants or gets as close to that ideal as possible. "A contract isn't really a legal document," he explains. "Rather, it's a business document that is enforceable by law. Its main job is to express the business deal, which isn't the lawyer's call. The problem is that people tend to view contracts as these dense legalistic traps. They don't want to read them or think them through, because they feel like, 'We have this deal.'"

For anyone who views contracts in this way, McDonald trots out one of his favorite Yogi Berra quotes: "You've got to be very careful if you don't know where you're going, because you might not get there." As he notes, "If the salesman promised a whole bunch of things that aren't in the contract, those promises aren't part of the contract and probably aren't enforceable."

Much like the outsourcing contracts of a decade ago, today's cloud contracts must address a host of issues, including:

  • FERPA and other privacy concerns
  • Data security
  • E-discovery
  • Export controls
  • Control of data in the event of service cancellation
  • Indemnification
  • Location of jurisdiction

"There are certainly advantages to cloud computing," notes McDonald, "but you shouldn't just assume that the cloud is instantly solving all your problems and you have nothing to worry about."

That's where a good lawyer comes in--not to tell you what should be in the contract, but to help you think through what you need and make sure the contract provides it. As McDonald noted in a recent Educause presentation (no doubt after studying the copyright surrounding BASF's old ads): "Lawyers don't make your decisions. Lawyers help make your decisions better."

Legal Eagle in the Cloud
In an online CT exclusive, Steve McDonald, a lawyer for Rhode Island School of Design, discusses the legal issues to consider before signing any cloud computing contract.

6. Distributed Antenna Systems
Seldom are CIOs involved in deals where a vendor wants to pay the institution. But setting up a distributed antenna system (DAS) is one of them.

A DAS is an array of small, low-powered antennas that effectively form one large virtual antenna to provide wireless service within an area or structure. "Whereas a typical cell site covers something measured in acres or square miles, with these you get coverage in a much smaller area, which significantly increases the density of the throughput you can get," says J.G. Harrington, an attorney with DowLohnes. "That's a big advantage for the wireless providers."

The companies involved may be well-known cell providers, or they may be "neutral" providers that install a DAS on a campus and then find carriers to use their setup. Campuses are particularly attractive for DAS installations because they're filled with people "who live on their mobile devices," notes Harrington. "Finding a way to improve their coverage and improve the amount of throughput they can get in the area is pretty important to a carrier."

But negotiating the right DAS deal for your school poses potential legal challenges, warns Harrington. For example, older schools might need to adhere to historic-preservation issues under federal law that governs placement of antennas. There are likely to be local zoning rules, too, as well as regulations governing emissions of radio frequency (RF) waves. As if that weren't enough, providers will also be expected to comply with requirements pertaining to e911, which will affect how the DAS is deployed.

One other issue that is easy to overlook: Campuses may have research operations that could be affected by emissions. "If you don't account for that possibility, you could find yourself creating trouble for researchers on campus," Harrington points out.

For public institutions, there is yet more to consider, especially when it comes to state procurement requirements. "The last thing you want is to set up a bidding process where the amount of money you get is the only factor and then you lose coverage as a consequence," warns Harrington. Schools also need to protect themselves from vendors that want to restrict access: If the new system doesn't accommodate students and faculty who use other carriers, administrators are likely to get an earful.

At the same time, few colleges will want a contract with more than one vendor. Although each wireless provider operates on its own frequencies, notes Harrington, in certain situations their RF streams could conflict with one other or the total amount of radiation could exceed legal limits.

Harrington urges schools to avoid a situation where they find themselves "mediating conflicts between two providers that both say they have the right to be there and the other one doesn't. Those conflicts are always messy. Everyone wants to blame the other party."

Whatever they do, administrators should make sure that the contract addresses all their issues, because they're probably going to have to live with it for a long time--DAS contracts are frequently five or 10 years long, with renewal options on top of that. "There's a certain inertia that you get in these contexts," explains Harrington. "Once you have somebody there, that somebody will probably stay around for a long time."

Featured