Cloud Vendor Policy

Purpose

This policy defines the requirements for cloud vendor service providers who contract with the College.  This policy is considered an addendum to vendor contracts.

Scope

Any cloud vendor service provider that will be connecting to the College network or interacting with College information sources.

Audience

This policy applies to all faculty, staff, and students of F&M.  

Policy Maintenance

The College Information Technology Committee periodically reviews and revises this policy based upon emerging best practices.

Definitions
“Cloud vendor service providers” or “vendor” are service providers with which the College contracts for information services.  This definition includes any subcontractors or subservicers working for the vendor.  They are also referred to as third-party vendors or contractors.

“Personal information” refers to any nonpublic and/or proprietary information in any form concerning any community member that is submitted under this addendum or which vendor becomes aware of throughout the agreement period.  The College classifies this type of information as “sensitive” per the Data Classification Policy.

“Nonpublic personal information” is any personally identifiable financial information.  This definition is taken from the FTC Privacy Rule regardless of whether community members seek or obtain any financial product or service.  The College classifies this type of information as “confidential” per the Data Classification Policy.

“Community” members include current or former or prospective faculty, staff, students, volunteers, trustees, or representatives of the College or its affiliates.

Policy Statement

Vendor shall provide adequate safeguards for the protection of the confidentiality, integrity, and availability of such information.  To the extent applicable under the agreement, those safeguards shall conform to the current requirements in:

  • Family Educational Rights and Privacy Act (FERPA)

  • Gramm-Leach-Bliley Act (GLBA)

  • Regulations issued by the Federal Trade Commission (FTC) including, but not limited to, the Red Flags Rule and The Safeguards Rule

  • General Data Protection Regulation (GDPR)

  • Fair and Accurate Credit Transactions Act (FACTA)

  • Americans with Disabilities Act (ADA)

  • Federal banking regulatory agencies

  • And other regulations that may pertain to this contract or service


Personal Information Confidentiality and Nondisclosure

  1. Personal information shall be considered property of the College.  

  2. Vendor shall hold all personal information in the strictest confidence and in accordance with applicable laws and regulations as well as College policies, procedures, standards, and guidelines.

  3. Vendor shall obtain no proprietary rights (directly or indirectly) in or to the personal information.  

  4. Vendor shall not disclose the personal information to any third party without prior written consent unless (i) required to perform vendor’s obligations under the agreement or (ii) required by law in which event vendor shall promptly notify the College of such request or requirement.  

  5. Vendor shall use such personal information only in connection with the furtherance of the business relationship between the parties, and vendor shall make no further use, in whole or in part, of any such personal information.

  6. Vendor further agrees to disclose the personal information only to its employees and contractors whose services are required in furtherance of the objectives of the business relationship between the parties, and to require each of its employees and contractors to comply with the terms of this agreement, prior to the disclosure to such employees and contractors.

  7. Upon the expiration or termination of this agreement, for any reason, vendor shall promptly return to the College all personal information, or upon direction from the College, securely destroy all personal information immediately.

Vendor Safeguards Statement

  1. Vendor has submitted a cloud vendor assessment that defines the steps vendor shall take to protect personal information and related data.  This can be the Franklin & Marshall custom cloud vendor assessment tool or the Educause higher education cloud vendor assessment tool (HECVAT).

  2. Vendor shall revise and re-submit an updated cloud vendor assessment when significant changes in business operations or service delivery have occurred.

  3. Any contract involving vendor access to, creation of, or maintenance of Protected Health Information (PHI) must include a Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).

  4. Any contract involving vendor provided credit card services must require that the contractor provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirement of the Payment Card Industry Data Security Standard (PCI DSS) in the provisioning of the services.

  5. The College may annually (or more frequently as circumstances require in the College’s judgment) conduct a review of vendor’s compliance with the agreement.


Vendor Agreements, Acknowledgments, Representations and Warranties

Vendor agrees, acknowledges, represents and warrants as follows:

  1. The agreement permits vendor access to personal information.

  2. Vendor shall hold the personal information in strict confidence and access it only for the explicit business purpose of the agreement.

  3. Vendor stipulates to allowing the entry of injunctive relief without the posting of bond in order to prevent or remedy breach of the confidentiality obligations of the agreement.

  4. Vendor stipulates that any violation of these requirements shall constitute a material breach of the agreement and entitles the University to immediately terminate the agreement without penalty to the University.

  5. Vendor shall maintain controls to ensure that any subservicer or subcontractor used by vendor is also subject to the terms of this agreement.

  6. These requirements shall survive any termination of the agreement.


Vendor Data Protection Agreements and Acknowledgments

  1. Vendor shall ensure compliance with the confidentiality and security conditions of the agreement.

  2. Vendor shall protect the personal information it accesses in accordance with its cloud vendor assessment submission.

  3. Vendor shall notify the College of any security breach or unauthorized access of College personal information as soon as practical, but not later than 48 hours, after discovery.  Notifications shall be directed to Information Technology Services at the College and the contact person indicated in the agreement.

  4. Vendor agrees that it will not notify any affected individuals of a security breach or unauthorized access without first consulting with and obtaining consent from the College.

  5. Vendor shall take immediate steps to remedy any security breach or unauthorized access at vendor’s expense.

  6. Vendor shall be responsible for actual costs incurred by the College in responding to and mitigating damages caused by any security breach or unauthorized access, including notification, credit monitoring, or other remediation.

--------

Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer

Last Reviewed: 21 December 2018