Home

Overview

Program

Schedule

Committee

Registration

Contributors

Tucson

Hotel

Travel Information

It’s Past Midnight: Do you know where your data are?

Mary Pickering, Georgetown University

In Spring of 2006 Georgetown joined the inauspicious ranks of those who have had their information security breached; as a result the university was faced with the potential loss of protected information about recipients of Medicare. The incident cost the university close to $300,000 and took nearly 200 staff hours to manage the response: determining the extent of the data loss, identifying individuals affected, preparing and delivering disclosure letters and responding to public and media inquiries about the situation.

Due to this incident and in light of the growing number of states with strict disclosure laws, Georgetown University decided to implement a review stage for all contracts involving information technology. No contract involving information technology can be executed without the express and documented approval of University Information Services. As contracts have been submitted from all around the university and for amounts from the minor to the mind-blowing, it has become obvious how few people know how to prepare a good contract and how few contracts truly protect our data.

The new process has been challenging, both for the university community to accept and for the central IT organization to implement. To support the process and to lessen the impact on staff, we’ve developed supporting documents, presentations, templates and boilerplate language for common actions. This presentation will outline the contract review process and provide some tips for universities seeking to protect their data at the contractual level.