Recently, more and more people have started saving documents to something called “the cloud.” But do you know that you could be commiting a FERPA violation or putting your patent rights at risk by using this technology at work?

Welcome to The Whistle’s crash course on the cloud, courtesy of Jimmy Lummis, information security policy and compliance manager in the Office of Information Technology (OIT). Read on to find out what you need to know about this technology — especially when it comes to using it for work.

Q: So what is “the cloud?”  
A: This term is a new buzzword for the Internet. Cloud services are software, storage, or servers that are run by a third party and are made available to customers via the Internet.

Q: When would I use it?
A: The most common way of using the cloud is for software on the Internet. For example, these services might include email services such as Gmail or Hotmail, or document-sharing services such as DropBox and Google Docs.

Q: If I’m a faculty member and am storing class information (about students) using cloud technology such as Dropbox or Google, are there FERPA concerns?
A: Yes, there are. Georgia Tech hasn’t entered into a contract with Dropbox or Google Docs. This means we have not negotiated the right to retain sole license over our data that is stored on or that crosses over their systems. So the provider retains full rights to all data stored on their systems, per end user license agreements (EULA). This means that storing FERPA data on their systems is a privacy violation.

Q: Are there any concerns about storing research?
A: Storing research with a cloud service provider under an EULA will, at a minimum, mean the researcher could lose patent rights. It could also represent much larger issues for Tech if the research is sponsored, and we lose patent rights for some other organization that is paying us to do the research. This is especially true for classified research, such as Department of Defense-sponsored research.

Q: What are a few things to remember when using cloud technology?

• Institute work should only take place using approved cloud service providers with whom we have an official agreement (e.g., Buzzmart or LastPass). For example, Dropbox is insecure and not approved for use at Tech. If you have a specific need for a cloud service, make sure you follow the official procurement process (contact Procurement at www.procurement.gatech.edu/contactus) and include Legal Affairs and OIT. We are familiar with the legal and contractual issues that need to be resolved when contracting a cloud service provider.
• Category three data, which includes information such as class rosters, Social Security numbers, and classified research, should not be posted to the cloud, unless the service provider has been specifically approved for use with this type of data.
• When it comes to personal use, avoid using cloud services from companies that are new and could potentially go out of business. If they do, you lose your data.

Q: Why doesn’t Georgia Tech develop its own cloud technology?
A: Tech-specific cloud resources are currently under development. For more information on the risks of cloud technology and how they can be resolved, contact Lummis.