Archive for March, 2011

Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing in the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In part 1 of this article we discussed the preliminary planning and due diligence involved with choosing a cloud service provider.

In this part 2, we review critical steps for developing, maintaining and terminating cloud computing contracts.

Read and negotiate the contract

Once you have chosen one or several cloud vendors or cloud offerings, the next step is to enter into a written contract for these services. The contract is intended to accurately describe the agreement and understanding of the parties. It should address the major issues that are critical for the survival of your business.

Depending on the nature of the services, the volume of data, and the leverage of the company, the contract may be in the form of a click-wrap agreement, which is not negotiated, or the parties may negotiate a more complex written document that is tailored to the specific situation.

If only a click-wrap agreement is available, the contract is likely to be one-sided in the favor of the service provider and to lack most of the warranties and protections that a purchaser of the service would wish to receive. In this case, you should balance the risks from foregoing negotiations and protections against the actual benefits, financial savings and ease of use promised by the cloud service provider.

If you have the ability to negotiate the cloud computing contracts, you may be able to add or modify provisions that address your company’s needs while defining the obligations of the parties both during the term of the contract and upon termination. Detailed, comprehensive provisions tailored to the unique risks of operating in a cloud environment should be negotiated.

For example, it is important to know where the data will be stored or processed, because the fact that the data are held on a server in a particular state or country is likely to subject the data to the jurisdiction of the country where the server is located. You may want to look for guarantees with respect to the scope of the services, the prices, the support offered and the downtime. You should also seek commitment from the cloud vendor that it will protect your data with adequate security measures. You may also need to ensure that the vendor will inform you promptly if a security incident has affected the data that you placed in its custody. As the custodian of your employees’ or customers’ personal information, you may have an obligation under U.S. state law or foreign laws to inform them of loss or compromise of their data.

Cloud computing contracts termination

Numerous events may lead to the termination of cloud computing contracts and relationships. The contract may expire at the end of its term and not be renewed. It may be terminated for default or material breach, financial difficulties or bankruptcy. Each such event raises the issue of access to, and ownership of assets; organizations must plan to ensure they will be able to retrieve their data.

Keep in mind that your data will be the most at risk upon termination of the contract. The cloud vendor has no incentive to be nice to a customer that is leaving. Worse, the cloud vendor may be experiencing financial difficulty, which significantly increases the risk of loss and vulnerability of the data. Provide for the proper — and secure — winding down of the relationship in order to ensure business continuity and to limit the risk of loss or alteration of the data.

Plan for termination of the contract before signing it. Ensure that the service agreement lays out whether and how the data will be returned to your company or destroyed, the cost associated with this return, and the procedures to be used in the event of termination.

The volume of data to be returned might require planning and proper logistics. The data might have been commingled with other customers’ data to save space or for technical reasons. This entanglement might make it difficult, time consuming, expensive or perhaps impossible to disentangle the data.

The cloud environment may create unique risks or enhanced exposure. The technology used — i.e., a distributed computing environment — may make it difficult to locate the data. The amount of data may be so large that practical difficulties in collecting the data are very likely. Further, the parties are likely to be located in different jurisdictions, each with a different legal regime, which will increase the uncertainty and complexity.

Continuous monitoring

Throughout the life of the relationship, keep monitoring the activities of the vendor to ensure the performance of the contract according to its terms. To the extent possible, monitor, test and evaluate the services provided in order to verify that the required service levels are reached, the promised privacy and security measures are being used, and the agreed upon processes and policies are being followed.

Keep in mind also that further revisions to the contract might be necessary from time to time. They may be required by external or internal changes. For example, the cloud service provider may have to change its security practices and procedures in order to address new security threats. It may have developed new products or applications that are better suited to your company’s needs. Both the cloud service provider and the customer may need to adapt to new compliance requirements if new laws are passed or regulations are enacted during the term of the contract.

Talk to your lawyer early

In most cases, entrusting your company’s data to a third party will be an important decision. Get help from experienced professionals. Do not wait until the last minute to speak with your lawyer. The more you procrastinate, the more you expose your company to errors and failure. It’s like starting a game with part of the team missing, and waiting until the last 10 minutes to bring in the remainder of the players. It may work occasionally, if you are lucky, but most of the time, playing with an incomplete team will cause you to fail or take unnecessary risks. Your attorney will help you navigate the maze of multilayered cloud computing contracts, decipher obscure, complex, cloud agreements, identify what is missing, and see through puffing and other empty promises.

This article was first published by TechTarget (registration required) in February 2011.

The characteristics of cloud computing — on-demand self-service, elasticity, metered service or ubiquitous access — make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; Just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.

Consistent with this model, which benefits from uniformity and standardization, many cloud services agreements are presented in the form of a click-wrap agreement, where no negotiation is possible, and the customer clicks on an “I agree” button to express consent to the terms. The apparent ease of entry into these contracts makes the process seem as easy or inconsequential as purchasing a song from iTunes.

However, the fact that in most cases the purchaser of cloud services is pushed to interact with vendors through websites and generic form agreements does not adequately reflect the unique complexity and importance of cloud service contracts. Cloud computing relationships are extremely complex and fragile. They involve relinquishing control over, and custody of, a company’s vital data, documents and applications to one or more service providers with whom company executives may not have ever met, and which may be hidden or difficult to identify in the fog created by the so-called cloud. Cloud contracts, however, raise numerous complex technical, business and other issues that could create significant exposure to financial disasters, embarrassment and other problems if not attended to with sufficient precautions.

Cloud computing legal issues, in particular, abound. These issues include: ensuring access, availability and performance; customization and integration with existing technologies; cost and pricing; compliance with regulatory requirements; ability to terminate and move to another service provider or take data in-house; and much more. The security measures used to protect the data entrusted to the vendor are crucial. It is also important to define how liability for the loss of data will be allocated; or to address the extent to which the customer will be able to have access to the data or retrieve the data in case of termination.

Do not be fooled by the appearances; be careful when stepping in the cloud. In part one of this two-part article, we’ll review cloud computing preliminary legal considerations and the due diligence required before choosing a cloud service provider. Part two covers critical steps for developing, maintaining and terminating a cloud service provider contract.

Think before you click

First, do not rush into a cloud service agreement. Cloud providers have made it very easy to purchase their services on the Internet. It is almost as easy to purchase a book from Amazon as it is to purchase a subscription to Amazon’s EC2 services. Wait! Do not click on the “I agree” button until you understand what you are getting, and more importantly, what you are not getting. Just because the service appears so easily available from the vendor’s website does not mean it is the right service for you, or that the terms of the offering are fair and balanced.

Ensure there are no cloud computing legal obstacles

Are you sure that using cloud for the type of data and the types of services that you envision is legal? Companies are the custodians of the personal and other data entrusted to them. These data are frequently protected by laws, regulations or contracts that prohibit, restrict or limit the disclosure or transfer of the data to a third party. For example, health information protected under HIPAA cannot be transferred to a third party or “business associate” without imposing specific obligations to that business associate. Some U.S. state laws require that Social Security numbers, drivers’ license numbers, financial information, and other similar information be encrypted before being transferred to a third party. Other laws require entering into a written agreement with the service provider, with specific terms.

If your data originate in one of the 40-plus countries that have adopted comprehensive data protection laws, it’s likely that the data may not be taken out of its country of origin and transferred abroad because the recipient country is probably not going to provide the adequate protection for the privacy rights of the individual to whom the data pertains unless specific contracts are signed or other specified arrangements are made.

Perhaps your company has signed a confidentiality agreement or a data-transfer agreement with a third party from which it received sensitive data, such as personal information or trade secrets. In this case, this agreement probably prohibits you from transferring the data to a third party without the prior permission of the data owner. Thus, moving the data to a cloud without the prior permission of the data owner would breach this agreement.

Remember: Before exploring the cloud services offering, determine whether your business model and the contracts that bind your company allow for the use of these services, and under which conditions.

Due diligence questions

Once you are confident that a particular application or database may be moved to the cloud without breaching any laws or existing contracts, you must investigate the vendor. Just because a service is attractive or works well for the company next door, does not mean that it is right for you.
Organizations should conduct a thorough due diligence of a proposed cloud service provider in order to determine whether the services offered correspond to its needs. Myriad questions need to be asked and their answers carefully analyzed; for example:

• What services will be provided?
• Will the service allow the company to fulfill its computing and access needs?
• What are the vendor’s technical capabilities?
• What are its financial capabilities? What is the likelihood that it will remain in business for the next few years?
• What service levels will be offered? Is there any possibility of downtime?
• How secure are its operations? What security measures are used?
• Is the cloud vendor equipped to handle business interruption and disaster?
• What support will be provided?
• What will happen if there is a security incident?

Different methods may be used to conduct a due diligence. For example, you could speak with existing clients, send questionnaires and review the answers, review audit reports, and survey comments from current customers on listservs and other forums on the Internet.

Remember that this due diligence is necessary to understand and evaluate the entity to which you will entrust important company information. It’s a well-known “best practice” and required by several laws. Skipping this important step would expose the company and its management to potential claims of negligence and breach of duty of care.

For part 2 of this article click here.

This article was first published by TechTarget (registration required) in February 2011.