The notion of software applications or data hosted on 3rd party internet servers has been around for years. Anyone heard of Hotmail or Gmail? However in the last year or so, “cloud computing” has really gained major traction in corporate boardrooms and now are becoming the catalyst for most IT transformation projects with CFOs eyeing the cost reductions. You would be hard pressed to find a tech lawyer who hasn’t had to review at least one cloud service provider contract in the last 12 months.
The hard part for non-IT corporate counsel is the minefield of technical jargon that will be thrown around in the business discussions – SaaS, IaaS, private cloud, public cloud, hybrid cloud, CDN, elastic computing, etc. Somewhat ironically, I’ve been asked quite a few times (even by emerging technology companies who offer outsourcing services?!) what the legal dangers are with cloud computing.
At a fundamental level, the majority of the legal issues surrounding cloud computing implementations are no different to traditional data center or business process outsourcing arrangements. There is certainly no shortage of law firms and legal commentators who have written on the subject. Just do a Google search. It really is horses for courses though – the key objectives for customers should be performing proper due diligence and assessing whether the actual commercial benefits of the cloud computing model being proposed outweighs the loss of corporate in-house control.
The data sovereignty issue (e.g. US Patriot Act overreach) is a somewhat overblown fear which the large multinational vendors are well versed at dealing with (customers should insist on at least notification if not control of disclosure in these hypothetical situations). Sometimes there may be sensitivity to keep the hosted data onshore but quite often network latency concerns have more practical influence on the location decision than the fear of potential foreign subpoenas. Regulated industries are definitely required to adhere to a much more structured compliance approach to cloud projects which inevitably leads to lots of negotiation discussions about contractual warranties and indemnities with the cloud services provider.
Corporate cloud computing can range from small non-core applications, moving board papers into an online portal, migrating to an online document management system to full blown mega-IT projects involving migrating all enterprise data onto 3rd party infrastructure. A lot of the key issues (and any additional cost impact) to look out for remain the same:
- What data is being stored and processed externally? Is it sensitive or regulated information? Is the right cloud model being used? If its a private cloud – is it truly private dedicated infrastructure?
- If so, what type of security or encryption is needed?
- Is the vendor aligned to the customer’s relevant data retention, e-discovery and disaster recovery practices?
- What happens if the vendor’s infrastructure is compromised or there is a security hack or breach? Will the customer be notified?
- What jurisdiction or data protection compliance regime is going to apply or be used? EU data processor or data controller? Use SCCs? US-EU Safe Harbor?
- What are the customer’s access rights to hosted data? Any restrictions or hooks?
- How is the transition/service provider exit going to be managed?
- Can the pricing throttle down as well as up?
- Are the service availability guarantees appropriate for the business processes that will be supported by the cloud services (as opposed to comparing them to the service fees)? How is availability measured and what are the exclusions?
- On what grounds can the services tap be turned off?
- Will any audits need to be conducted. If yes, how and when?
If you’re a customer, unless you are negotiating a large enterprise cloud outsourcing deal or have the commercial clout or are just plain lucky, the contract paper will be using the vendor’s terms. If it’s a commodity cloud service using standard terms of service, its highly likely there will be a unilateral right by the supplier to revise the T&Cs (just like website terms of use) that you may need to come to terms with. It is usually the smaller cloud service provider terms of service that are going to cause in-house counsel/risk managers the most angst with low liability caps and/or minimal service remedies. In reality, you may need to be realistic about your demands for data compliance, liability or service level agreements relative to the nature of what is being outsourced and the charges. The hallmark of the more mature cloud providers though are their packaged technical and compliance responses to the big ticket risk questions. Alternatively, you can always look at other vendors or revisit whether a cloud solution is actually the appropriate model.
If you’re a supplier (or on-supplying commercial services that rely on back-end third party cloud providers) be prepared to demonstrate your security, infrastructure, service level capabilities and accept vendor liability risk allocation (or get commercial risk insurance coverage) that the more mature clients are going to demand in a competitive cloud market.
Cloud Computing potentially offers businesses a lot of productivity and cost benefits. Like any outsourcing arrangement, there are risks – so the key is making sure appropriate risk management and mitigation measures are in place both contractually, in the implementation itself and during the life of the commercial relationship.
Image: By 百楽兎
