Data Security Clauses

Data Security is very important to WSU. Several federal and state laws as well as WSU policies require that information about individuals be carefully protected. When contracting with a party wherein there will be any exchange of security sensitive information or where the other party may have access to security sensitive information, the following clauses should be used. The second clause applies where student information is transmitted or accessable by the other party.  The third clause applies where credit card information is transmitted or accessable by the other party. The fourth clause should be applied whenever we allow a third party to retain any of our data.

1) Basic Confidentiality

    The University may disclose, or Contractor may learn of and/or develop, certain confidential information (“Information”) owned by the University in the course of the performance of the services with the University or through use of the University’s facilities or resources.

    The Information shall include all information of any type, financial, commercial, and/or technical, whether or not marked or otherwise identified as confidential, relating in any way to the University or its faculty, staff or students.

Contractor will maintain the Information in strictest confidence and shall not disclose or publish any part of the Information. Contractor shall use the Information solely for the purpose of doing Contractor work for the University and performing Contractor duties to the University. Contractor shall not use the Information for Contractor’s own benefit or the benefit of third parties or disclose the Information to or for third parties.

Contractor shall take all reasonable precautions in handling the Information, shall limit disclosures to a strict need-to-know basis, even within the University, and shall comply with all security measures adopted by the University for the Information.

Contractor will not make or cause or permit to be made any copies, recordings, films, tapes, disks, diskettes, or summaries (collectively, “Copies”) of all or any part of the Information in any media except such as are necessary to or used in Contractor work or the performance of Contractor duties. No copies, material or other equipment will be removed from the University’s designated worksite locations Premises without the University’s prior written approval; if Contractor work is done elsewhere, no copies will be removed from the Premises where the work is performed without the University’s prior written approval. Upon completion of the services or, if earlier, termination of Contractor relationship with the University, Contractor will deliver to the University (retaining no copies in any medium) all originals and copies.

Contractor will indemnify and hold harmless the University and its clients against third party claims of noncompliance with Contractor confidentiality obligations to others.

Immediately upon becoming aware of any unauthorized access or disclosure of such information, Contractor will notify the University, investigate the breach and fully cooperate to remedy the situation.  Contractor will comply with and will fully cooperate to assist the University to comply with data security laws and security breach notification laws.

 

Contractor agrees that at no time will any information provided by the University to Contractor be stored on any server or in any location outside the United States.

2) FERPA

The parties acknowledge that students’ education records are protected by the Family Educational Rights and Privacy Act (FERPA), and that Contractor will be considered a "School Official" (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.  Student education records will only be used for the purposes of carrying out this agreement.  Student permission must be obtained before releasing specific data to anyone other than University and Contractor employees who have a legitimate educational purpose. 

3) Compliance with Payment Card Industry Data Security Standard and Cardholder Information Security Program

    Contractor represents and warrants that all of its Network Components, Applications, Servers, and Subcontractors (if any) comply with the Payment Card Industry Data Security Standard (“PCIDSS”) and with Visa’s Cardholder Information Security Program (“CISP”). For purposes of this Agreement, “Network Components” shall include, but are not limited to, Contractor’s firewalls, switches, routers, wireless access points, network appliances, and other security appliances; “Applications” shall include, but are not limited to, all purchased and custom external (web) applications. “Servers” shall include, but are not limited to, all of Contractor’s web, database, authentication, DNS, mail, proxy, and NTP servers. “Subcontractors” means all parties with which Contractor contracts, directly or indirectly, in order to perform its obligations under the Agreement.

Contractor further represents and warrants on behalf of itself and each of its Subcontractors (if any) that (i) it shall be responsible for the security of all Cardholder Data in its possession; (ii) it shall use Cardholder Data only for assisting cardholders in completing a transaction, supporting a loyalty card program, providing fraud control services, or for other uses specifically required by law; (iii) it has a business continuity program which conforms to PCIDSS to protect Cardholder Data in the event of a major disruption in its operations or in the event of any other disaster or system failure which may occur to Contractor’s operations; (iv) it shall continue to safeguard Cardholder Data in the event this Agreement terminates or expires; and (iiv) it shall ensure that a representative or agent of the payment card industry and a representative or agent of the University shall be provided with full cooperation and access to conduct a thorough security review of Contractor’s operations, systems, records, procedures, rules, and practices in the event of a security intrusion in order to validate Contractor’s compliance with PCIDSS. For purposes of this Agreement, “Cardholder Data” shall mean any personally identifiable data associated with a cardholder, including, by way of example and without limitation, a cardholder’s account number, expiration date, name, address, social security number, or telephone number.

4) Response to Legal Orders, Demands or Requests for Data

 

a.         Except as otherwise expressly prohibited by law, Contractor will:

(i)         immediately notify University of any subpoenas, warrants, or other legal orders, demands or requests received by Contract seeking University data;

(ii)        consult with University regarding its response;

(iii)       cooperate with reasonable requests in connection with efforts by Contractor to intervene and quash or modify the legal order, demand or request; and

(iv)       upon request, provide University with a copy of its response. 

           

b.         If University receives a subpoena, warrant, or other legal order, demand or request seeking University data maintained by Contractor, University will promptly provide a copy to Contractor.  Contractor will promptly supply University with copies of data required for University to respond, and will cooperate with University's reasonable requests in connection with its response.

c.         This section will survive the cancellation of the agreement for the thirty (30) days after cancellation described above, unless prohibited by legal order.