Cloud computing is growing increasingly prevalent, and IT leaders are rapidly learning the ins and outs of negotiating with cloud providers. From determining and enforcing service-level agreements, to planning disaster-recovery scenarios, cloud opens a raft of new challenges. One of the more difficult areas for IT leaders to come to terms with is the legal implications of cloud computing. What if sensitive customer data are stolen from your cloud provider? Who foots the bill if aliens abscond with your provider's servers? Who is liable when the lawsuits start flying?
I sat down with Marcus Lee, an attorney at Moore & Van Allen who specializes in IT law. Marcus has recently worked with several large companies to negotiate their contracts with cloud providers, and I asked him what advice he is giving his clients on dealing with some of the legal aspects of cloud computing.

Data security and ownership
One of the critical concerns of cloud computing is data security. While you may think you "own" the data that your provider uses and gathers on your behalf, detailing the ownership of data in the contract with your service provider is critical. Lee suggests that "Data encryption; a right to audit security procedures and data centers; a requirement to be notified immediately of any security breach; and a requirement to allow an outside auditor to assess controls and procedures for storing, handling and transmitting data" should all be detailed in the contract. He also suggests that ownership of data not be left to assumptions. "The contract should clearly state that all data is owned by the client, and contain a provision that at the termination of the contract, the provider should agree to deliver a copy of client data, and permanently destroy all copies of the data in its possession."

Protecting yourself
We have all seen the dreaded "limitation on liability" clause in everything from amusement parks to complex vendor contracts, and working in the cloud is no exception. The first draft of a contract is always in the favor of the drafting party, and Lee notes that cloud vendor contracts are no exception, especially around limitation on liability clauses. The provider "typically includes a provision that limits its liability to a fixed amount, often based on fees paid to the provider," says Lee. If you are served with a high-dollar lawsuit related to a customer data breach, or suffer damages to your business when the provider has a technical problem, a cap of that size is unlikely to cover the damages even if the breach or outage was a result of the cloud provider's negligence.

The "green men from Mars" clause
Force majeure clauses (sometimes called "Acts of God" clauses) cover unforeseen circumstances that would prevent the cloud provider from delivering on its promised services (often services for which you have paid in advance). These could range from the relatively mundane, like a key communications link being severed by a wanton backhoe, to all manner of natural disasters, terrorist incidents, and, yes, even little green men from Mars shutting down your provider. While you cannot expect your cloud provider to stay up and running through every unforeseen disaster scenario, Lee encourages clients to protect themselves from paying for a service they cannot use.
"A contract should only allow a force majeure clause to apply if the provider is in compliance with its backup obligations," says Lee, "and the client should receive a credit for each day of interruption, and be allowed to terminate the contract should the force majeure event last more than an agreed-upon time." In short, your cloud provider should not be able to claim force majeure if that "state of the art backup data center" is really someone's dorm-room closet and cannot handle the demand if the primary data center fails due to an earthquake.
While cloud can be cost effective and let you focus on more important activities or provide your organization with unique capabilities, it is obviously not without risk. On what seems like a regular basis, we hear about providers "losing" a batch of backup tapes with sensitive customer information or a security breach resulting in a similar loss. Lee recommends several protections, including provisions that "indemnify, defend and hold harmless" the company engaging the cloud provider should the company be sued as a result of the provider's negligence.
In addition to legal concerns, many players in the cloud space are relatively new and untried, and some are bound to fail as the market matures. For a particularly risky provider, or in a situation where you cannot easily recreate the data held by your cloud vendor, Lee recommends your data be escrowed with a third party and that contractual provisions require the vendor to return your data and destroy any copies before turning off the lights and skipping town.
Just as with any other critical vendor, be it an implementation partner or the supplier of a critical component for a new product, old-fashioned due diligence can save you many legal and technical headaches. When asked what single factor could prevent many of the legal hurdles to cloud computing, Lee notes: "Even if you have a great contract with the cloud provider with all the right protections, it is still very important for the company to do a thorough due diligence on the cloud provider to be sure it is adequately secured and has appropriate backup capabilities."
Patrick Gray is the founder and president of Prevoyance Group and author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. Prevoyance Group provides strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at email@example.com, and you can follow his blog at www.itbswatch.com.
Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent over a decade providing strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at firstname.lastname@example.org, and you can follow his blog at www.itbswatch.com. All opinions are his and may not represent those of his employer.