By Michael Brown 1

Whenever we address the lack of security in the context of cloud-based file sharing, most people tend to think of healthcare, finance, retail or some other data-sensitive industry. By and large, these industries understand the importance of security; they know the risks and what they should be doing in order to protect private information. Schools, on the other hand, not so much.

TheJournal.com summed up a recent Fordham University study on the use of cloud computing within the public school system – and the results came back with lots of red ink. Writes Dian Schaffhauser:

“Schools are fairly clueless regarding the impact of their decisions on student privacy in adopting cloud services, according to a new study by Fordham Law School's Center on Law and Information Policy (CLIP). A report put together by six members of Fordham's School of Law stated that cloud Services are "poorly understood, non-transparent, and weakly governed" in the school districts where they've been adopted. Only a quarter of districts inform parents when cloud services are put in use, and a fifth of districts fail to have policies in place for the use of online services. Also, many have gaps in their contract documentation, including missing privacy policies. And no districts specifically prohibit the sale and marketing of children's information.”

Ouch. Now I know that schools systems probably aren’t the sweet spot for most MSPs. Nevertheless, this story provides some important lessons for clients of any industry with regard to:

User agreements: Can you imagine deploying a cloud solution for a client and only providing documentation for one or two people? Sounds crazy, but that is what’s happening in the public school system. Of those agreements that do exist, most are riddled with questionable policies. Keeping clients in the dark on the terms of their service doesn’t benefit anyone – not the client, not the MSP and certainly not the students. 

Data ownership: When the cloud is being leveraged, it’s critical for the client to understand who actually owns the data and what responsibilities come with said ownership. Joel Reidenberg, a professor at Fordham Law School and the founding director of CLIP (Center on Law and Information Policy), noted that vendors  aren't generally subject to federal privacy laws and have put schools in a "precarious position" with regard to how children's data is handled. "We believe there are critical actions that school districts and vendors must take to address the serious deficiencies in privacy protection,” he said.

Compliance: If a cloud solution isn’t compliance with the rules and regulations needed by the client, then what’s the point of installing it? Most of the time, this applies for companies that must comply with HIPAA, but the public school system has an entirely different set of regulations – none of which seem to be satisfied by current cloud solutions. The article states that “Most cloud service contracts don't mention anything about parental notice, consent, or access to student information, even though those are specifically regulated by FERPA, PPRA and COPPA. The researchers found that some services even require parents to activate accounts and in doing so consent to privacy policies that may contradict those in the district's agreement with the vendor.”

It looks like public schools were absent the day they taught cloud computing. MSPs would be wise to learn from their mistakes.