References to Third Party Compliance with Applicable Federal, State, and Local Laws and Regulatory Requirements


Why is this Important:
Institutions of higher education may have additional obligations regarding the use of data under federal, state, and local laws. Generally speaking, an institution cannot discharge those obligations by contracting with a third party to perform functions that use regulated data; the obligations remain with the institution. Clauses that instruct contracting third parties on the applicable regulatory requirements help protect the institution in the event of an unauthorized disclosure or breach.

Reference:
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)
Appendix 2 NIST Sp. Pub. 800-53, Rev. 2; Control SA-9 (External Information System Services)

Overview:
Clauses include instructions to the contracting parties about compliance with regulatory requirements that the originating institution must comply with regarding the underlying data.

Criticality: Category 1 and Category 2.

Sample RFP Language:

  • Not Applicable. Theme best addressed with contract clauses.

Sample Contract Clauses:

  1. [Vendor] and/or its agents or employees agree to comply with all laws, statutes, regulations, rulings, or enactments of any governmental authority. [Vendor] shall obtain (at its own expense) from third parties, including state and local governments, all licenses and permissions necessary for the performance of the work.
  2. [Vendor]'s product must be compliant with any federal, state, and local privacy laws or regulations applicable to the Institution, including but not limited to: the Family Educational Rights and Privacy Act (FERPA) (Pub. L. No. 93-380 (1974), codified at 20 U.S.C. § 1232g); the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, § 264 (1996), codified at 42 U.S.C. § 1320d; Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. § 160 (2002), 45 C.F.R. § 164 subpts. A, E (2002)); and the Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102 (1999), privacy protections codified at 15 U.S.C. § 6801 et seq.).
  3. Vendor contracts must require that vendors comply with all applicable Institution rules associated with this policy, practice standards, and agreements, and must address all federal and state laws to which the Institution must adhere, so that the Institution remains in compliance with such laws.
  4. [Vendor] warrants and represents that it shall, at all times, comply with FERPA, GLBA and other applicable federal and state statutes. [Vendor] also warrants that, in the event of a security breach (within its control) covered under sections [insert state law code sections pertaining to security breach if applicable], [Vendor] shall bear all responsibility and expense for complying with the disclosure and notification requirements of the statute.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
