Cloud computing and SaaS arrangements are growing increasingly commonplace, and the benefits of getting IT out of the infrastructure business are obvious. While the technology is rapidly maturing and moving from novelty to commodity, negotiating contracts with cloud vendors can be a challenge.
What if sensitive customer data are stolen from your cloud provider? Who foots the bill if aliens (or government actors) abscond with your provider's servers? Who is liable when the lawsuits start flying?
I sat down with Marcus Lee, an attorney at Moore & Van Allen, who specializes in IT law. Lee has recently worked with several large companies to negotiate their contracts with cloud providers, and I asked him what advice he is giving his clients on dealing with some of the legal aspects of cloud computing.
Data security and ownership
One of the critical concerns of cloud computing is data security, especially with the recent focus on data theft. While you may think you "own" the data that your provider uses and gathers on your behalf, detailing the ownership of data in the contract with your service provider is critical.
Lee suggests that "Data encryption; a right to audit security procedures and data centers; a requirement to be notified immediately of any security breach; and a requirement to allow an outside auditor to assess controls and procedures for storing, handling, and transmitting data" should all be detailed in the contract.
He also suggests that ownership of data not be left to assumptions. "The contract should clearly state that all data are owned by the client and contain a provision that, at the termination of the contract, the provider should agree to deliver a copy of client data and permanently destroy all copies of the data in its possession."
We have all seen the dreaded "limitation on liability" clause in everything from amusement parks to complex vendor contracts, and working in the cloud is no exception. The first iteration of a contract is always in favor of the drafting party, and Lee notes that cloud vendor contracts are no exception, especially around limitation on liability clauses.
The provider "typically includes a provision that limits its liability to a fixed amount, often based on fees paid to the provider," says Lee. If you are served with a high-dollar lawsuit related to a customer data breach, or suffer damages to your business when the provider has a technical problem, this is unlikely to cover the damages if the breach or outage was a result of the cloud provider's negligence. With SaaS fees falling to commodity prices, a liability based only on fees paid to the provider can leave your company overly exposed.
The "green men from Mars" clause
Force majeure clauses (sometimes called "Acts of God") are unforeseen circumstances that would prevent the cloud provider from delivering on their promised services, oftentimes services for which you have paid in advance.
These scenarios could range from the relatively mundane-such as a key communications link being severed by a wanton backhoe-to all manner of natural disasters, terrorist incidents, and yes, even little green men from Mars shutting down your provider.
While you cannot expect your cloud provider to stay up and running through every unforeseen disaster scenario, Lee encourages clients to protect themselves from paying for a service they cannot use.
"A contract should only allow a force majeure clause to apply if the provider is in compliance with its backup obligations," says Lee, "and the client should receive a credit for each day of interruption, and be allowed to terminate the contract should the force majeure event last more than an agreed-upon time."
In short, your cloud provider should not be able to claim force majeure if that "state-of-the-art backup data center" is really a closet in a strip mall and cannot handle the demand if the primary data center fails due to an earthquake.
Similarly, ensure you understand how your provider will handle your data in the event of a government subpoena or other action. When you control the data you may have time to get your legal "ducks in a row" should a government action take place, whereas your cloud provider may simply turn over anything and everything related to your business without a prior agreement in place.
When bad things happen to good companies
While cloud can be cost effective and allow for innovative new capabilities, it is obviously not without risk. On what seems like a regular basis, we hear about providers "losing" a batch of backup tapes with sensitive customer information, or a security breach resulting in a similar loss.
Lee recommends several protections, including provisions that "indemnify, defend, and hold harmless" the company engaging the cloud provider should the company be sued as a result of the provider's negligence.
In addition to legal concerns, many players in the cloud space are relatively new and untried, and some are bound to fail as the market matures. For a particularly risky provider, or in a situation where you cannot easily recreate the data held by your cloud vendor, Lee recommends your data be escrowed with a third party, and that contractual provisions require the vendor to return your data and destroy any copies before turning off the lights and skipping town.
Just as with any other critical vendor, be it an implementation partner or the supplier of a critical component for a new product, old-fashioned due diligence can save you many legal and technical headaches.
When asked what single factor could prevent many of the legal hurdles to cloud computing, Lee notes: "Even if you have a great contract with the cloud provider with all the right protections, it is still very important for the company to do a thorough due diligence on the cloud provider to be sure it is adequately secured and has appropriate backup capabilities."
Patrick Gray works for a global Fortune 500 consulting and IT services company, and is the author of Breakthrough IT: Supercharging Organizational Value through Technology, as well as the companion e-book The Breakthrough CIO's Companion. Patrick has spent over a decade providing strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at firstname.lastname@example.org and you can follow his blog at www.itbswatch.com. All opinions are Patrick's alone, and may not represent those of his employer.