IT@Cornell


Information Management

For some years now information privacy and security professionals have felt as if they were crying in the wilderness. Information management has not been a strong suit for higher education where the feudal structures resulted in silos of data resistant to comprehensive fair information practices and consistent technical security requirements. State data breach notification laws brought some weight to the latter over the last decade, and only recently have some institutions, particularly those with medical centers, begun to think and act deeply about privacy as an equal component of information management.  

Depending on where your institution is on this learning curve, cloud computing is either going to make the situation much better or much worse. One thing is for sure, however: cloud computing necessitates comprehensive information management.  Without it, an institution exponentially raises its risk profile for inappropriate disclosure of information. If the last decade was about technical security challenges and data breaches—from lost or stolen laptops, unwitting posts of confidential data on the web, or willful penetrations of our network systems whether by adolescent vandals or foreign organized crime—this decade will be about institutional information floating around on the wings of applications synced with contracted services in the cloud.  

THE CURRENT ENVIRONMENT COMPARING INFORMATION MANAGEMENT TO CLOUD COMPUTING

The cat, as we know, is already out of the bag. Staff, students and faculty all use Gmail and Google Docs, many in institutions that have no contractual relationship with Google. By their very nature, these are cloud applications. When in use, the data is on a Google server that, even for enterprise customers, is not guaranteed to be anywhere particular in the world.  Without a contractual relationship, moreover, Google has stated clearly in their new combined privacy policy that the data is subject to mining.  Right off the bat, that is a problem for institutions whose bread and butter is education records, because mining is expressly prohibited by the Department of Education’s regulations for those records.

Mining is the technological process that collects and recombines data in a myriad of ways and for a variety of purposes. The more benign reasons are for maintenance and security of their own network systems and/or for the benefit of the user, for example, indexing and search functions that make the product more appealing to customers. Because the word “mining” has taken on a pejorative connotation for good reasons to be described below, it is important to distinguish the necessary and “good” purposes for which it is done from ones that have or could have a deleterious impact on individuals.

Intrusive mining purposes may be for the benefit of the company. Virtually all Internet companies mine data for their own marketing and sales purposes. Targeted customer advertising has become not only an accepted practice, but, we are told by companies, expected and desired by consumers. Beneath the surface of targeted advertising lie yet more manipulative uses of the information. Some companies collect and sell names and email addresses. This information often goes not only to other advertisers, but also to companies that collect and recombine information about individuals to create “profiles.” These profiles become even more profitable to other companies that use the information for everything from their own risk management purposes, for example, if they are in the banking and loan business, to still more targeted sales, especially for items with higher ticket prices such as cars, real estate, or securities.

“How can this be!” you say, “Aren’t there laws to protect us?”  The simple answer is “No.” The United States prides itself on a free-market approach, which in the information age translates into very weak regulatory counterbalance to powerful business interests. Privacy policy requirements for commercial web sites are a good example. There are no requirements except that the company has to have a policy and follow it. It does not take a law degree to recognize the leeway this rule offers. Companies that want to sell your information only have to say they are doing it, and they frequently do so in language that makes the actual intent and action difficult to decipher. But the real doozy is that a company can change the provisions at any time. The company has to follow the policy it has posted on any given day, that day. This loophole effectively invalidates the protections that a privacy policy implies.

What does this mean for higher education? First, when faculty, students and staff use these applications for institutional information, they subject it to a largely unregulated, aggressively avaricious market hungry for data in an information economy. Second, in many cases when that information involves education, financial and/or patient health care records, the institution may be out of compliance by exposing its information to mining or any other form of disclosure, technological or otherwise. Third, it behooves higher education to create environments regulated, therefore, by contract for the purposes of compliance and integrity. Finally, institutions must take information management seriously at the highest levels of decision making.  

That level begins with the Board of Trustees. Among information technology professionals, the stories of CIOs being dragged to Board of Trustee meetings and pilloried for data breaches are legion. It is time to turn the tables. Board members, the lion’s share of them corporate leaders, know well that information management (and privacy compliance in particular) is standard operating procedure in their companies. They may assume that it is the case for higher education, but, alas, it is not. Consequently, Board members should be asking about this issue proactively. With encouragement from the Board, CIOs and other institutional leaders will be well positioned to turn to staff who can establish comprehensive privacy compliance programs and make information management a permanent part of the institution’s culture. Building those programs—and the analysis inherent in them—properly puts the horse before the cart. Cloud computing ideally should not be pushing comprehensive information management. Rather, information management should be in place in order that strategic thinking about cloud computing can be done seamlessly.

The question then becomes “What difference will this shift make?” It provides higher education with the advantage going into cloud computing, both as institutional strategic direction and in specific vendor negotiations. Institutional strategic directions that prioritize issues such as contract language commensurate with appropriate use for educational or financial records, or that integrate a business associates agreement for HIPAA automatically, save the institution from headaches among its constituents now and potential liability later. Establishing those expectations with vendors early in negotiations is critical to an outcome that elevates colleges and universities in the enterprise cloud environment. In fact, increasingly these issues have become competition points among and between vendors, and, for once, higher education could not be more delighted to watch the competition. May the vendor who promises the greatest degree of information protection win!

CONCLUSION

Let’s go back to our initial premise about the cat being out of the bag. Methinks it not the right answer to say, then, to hell with it, let the cat go! Rather we should be calling Whiskers back home, gently as one does with a cat, or, as the metaphor goes in higher education, with the herding of many cats. Speaking of metaphors, what geography did your parents use when making the point about not following the crowd thoughtlessly? Because I grew up a tenth of a mile from the Erie Canal, that is what it was for me, and many a time I could see myself going to where the waters of the Genesee River and Canal meet in Genesee Valley Park and jumping off of one of the beautiful arched bridges there … not! The old adage about two wrongs not equaling a right comes to mind as well. The time is long overdue for higher education to take information management seriously. Among the many threats that our institutions face in this calamitous era of shrinking budgets, rising costs, and skyrocketing prices, for-profit competition, and criticisms from almost every sector of society, we cannot add problems from matters that are within our control. Information management is a challenge, to be sure, but we can do something about it. That something may never be perfect; compliance never is. But imperfection is no excuse for doing nothing. And either we do it for ourselves, or cloud computing will do it to us.