This tip is a part of the SearchCloudSecurity.com mini learning guide series, Cloud computing legal issues: Developing cloud computing contracts.
April and May have provided numerous examples of significant service interruptions at major providers. In April, Amazon AWS service was down for 12 to 30 hours, affecting many companies that rely on Amazon services, including Foursquare, Hootsuite, Quora and Reddit. In April, and again in May, the Sony PlayStation service was interrupted, being the victim of a massive hack attack. Most recently, there were outages with Microsoft’s Business Productivity Online Services, and Google’s Blogger service.
When a cloud service goes down, users lose access to their data; they may also be deprived from the processing capabilities that are provided as part of the cloud offering. In turn, they may be unable to provide services to their own customers, and be exposed to significant liability for failure to provide these services. When is a cloud user compensated for the loss of service, and to what extent? Let’s examine some cloud computing contracts and their provisions for cloud outages.
Free cloud computing contracts
If a service provided at no cost goes down, is interrupted or is not available for any reason, usually users do not receive any compensation for the loss of availability, loss of data or other loss. The business rationale is if the service is provided for no fee, there is no financial loss for the user.
Service providers will disclaim their liability in their “Terms of Service,” or “Terms and Conditions.” This is usually achieved through Disclaimer of Warranty and Limitation of Liability provisions. Some contracts also include a limitation of damage provision.
The Disclaimer of Warranty states that the company makes no warranty with respect to the service, including, no warranty that the service will be available, or will not lose the data.
For example, many entities -- including businesses -- have come to rely on YouTube to publish information in video format. The YouTube service is provided free of charge, and is funded through the advertising revenues that are generated from displaying ads related to the content being viewed.
The YouTube Terms of Service Disclaimer of Warranty provision (section 9) states:
YOU AGREE THAT YOUR USE OF THE SERVICES SHALL BE AT YOUR SOLE RISK. …. YOUTUBE …. DISCLAIM [S] ALL WARRANTIES, EXPRESS OR IMPLIED, IN CONNECTION WITH THE SERVICES …. YOUTUBE …. ASSUMES NO LIABILITY OR RESPONSIBILITY FOR …. (IV) ANY INTERRUPTION OR CESSATION OF TRANSMISSION TO OR FROM OUR SERVICES, (IV) ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE WHICH MAY BE TRANSMITTED TO OR THROUGH OUR SERVICES BY ANY THIRD PARTY ….
Limitation of Liability provisions are intended to limit the scope of liability in terms of the nature of the liability, such as liability for direct or consequential damages, or liability for negligence. Limitation of Damages provisions limit the dollar amount for any liability, and state the maximum amount of damages for which the provider might be responsible. For example, the YouTube Terms of Service Limitation of Liability provision (section 10) states in part:
IN NO EVENT SHALL YOUTUBE …. BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL ….. DAMAGES …. RESULTING FROM …. (IV) ANY INTERRUPTION OR CESSATION OF TRANSMISSION TO OR FROM OUR SERVICES, (IV) ANY BUGS, VIRUSES, TROJAN HORSES, OR THE LIKE, WHICH MAY BE TRANSMITTED TO OR THROUGH OUR SERVICES BY ANY THIRD PARTY ….
In other words, whether you have uploaded a clip of last Sunday’s picnic, or the installation instructions for a sophisticated piece of equipment that your business sells, YouTube will not compensate you if its network goes down or is attacked. There will be no compensation for loss of service or for loss or corruption of the data. And no compensation for the loss of business if your customers return their purchases because they could not access the installation instructions and were unable to install the products they purchased from you.
Thus, while using a free service is financially attractive, this is true only to the extent that the service operates without problems. If there is any loss of connection, processing capability or data -- there may be significant consequences for the users of these services. The service provider will not compensate for any of these losses. As the saying goes, “There is no such thing as a free lunch.”
Paid cloud computing contracts
In order to find out what terms a cloud service provider offers to address a service interruption, you should look at the contract for these services, which may be found in several documents. First, look at the Services Agreement. This is usually the main agreement that defines the terms and conditions for access to the service. There, you may find a provision that describes the cloud provider’s commitment to provide continuous -- or almost continuous -- service.
For example, the Salesforce.com Master Services Agreement describes the company’s commitment to provide services 24 hours a day (see Section 4.1), except for planned downtime and a number of specific circumstances out of the company’s control, such as denial-of-service attacks. The company also makes a commitment to protect the security, confidentiality and integrity of the user’s data (see Section 4.2).
Some companies supplement their general terms and conditions with a separate Service Level Agreement (SLA) For example, in addition to its service agreement, Rackspace Cloud Terms of Service, Rackspace uses several SLAs.. The Rackspace Cloud Servers SLA provides:
We guaranty our data center network will be available 100% of the time in any given monthly billing period, excluding scheduled maintenance.
The document defines “scheduled maintenance” as “maintenance that is announced at least ten business days in advance, and that does not exceed sixty minutes in any calendar month.” There is no explanation of what happens if “scheduled maintenance” needs to take more than sixty minutes in a calendar month. Since this does not fit under the definition of “scheduled maintenance,” what is it?
The basic result is the same in both contract structures (i.e., single services agreement or services agreement combined with an SLA). If the service were interrupted, one or several of these clauses -- in the Services Agreement or in the SLA -- would be the basis for defining the bargain between the two parties.
Some contracts are very specific about the way the cloud provider will compensate the client for the damages resulting from a service interruption. For example, the Rackspace Cloud Servers SLA provides:
If we fail to meet a guaranty stated above, you will be eligible for a credit. Credits will be calculated as a percentage of the fees for the Cloud Servers™ adversely affected by the failure for the current monthly billing period during which the failure occurred (to be applied at the end of the billing cycle), as follows:
Network: Five percent (5%) of the fees for each 30 minutes of network downtime, up to 100% of the fees. …
…. This Service Level Guaranty is your sole and exclusive remedy for Cloud Servers™ unavailability.
Note that the compensation will only be for the loss of service, and will amount only to a percentage of your monthly service fee. There is no compensation for the loss of data, business, reputation or other loss. These terms are consistent with what is generally offered in the industry.
Tips for navigating cloud contract clauses
Before entering into a contract for cloud computing or similar services, review carefully its clauses. They will be essential if the service is interrupted, and the user looks for compensation for the harm or losses resulting from the interruption.
Read slowly and carefully. Most of these clauses provide some compensation for the unavailability of the services, typically as a percentage of the monthly fee, but not much else.
Ensure the method of calculation is clearly defined. For example, what constitutes “downtime”? How is the duration of service interruption computed? Do intermittent failures count as “downtime”? For example, if the service is up for one minute, down for one minute, and again, up and down for one minute at a time, is the interruption computed as the total of the periods when the system is down? Or is it the entire time when the service is so unreliable that processing is stalled or interrupted?
And, there are more complex questions. For example, is a cloud outage caused by a hacking circumstance out of the control of the service provider, and should therefore result in no liability? Or was the hacking possible due to gross negligence, and failure to install commonly known safeguards?
You should also understand that, unless there has been a negotiated contract with clear and specific commitments, there will be no compensation for the loss of data or the loss of business. The cloud provider is furnishing only a specific service, such as hosting and computing. It has no way to know whether the data in its custody are critical company secrets or sensitive personal data. In addition, the cloud services are usually not priced to address the nature of the data being hosted or processed. If the agreement pertains to a certain volume of data, all that counts is just that: the volume of data stored or processed. There is no room for distinguishing between “regular data” and “highly sensitive data.”
Thus, if your data matter to your business, are critical to your operations or are the lifeline to your activities, make sure you understand the risks of cloud computing. Consider redundant systems, local storage and other technical or physical means to ensure business continuity, even when the cloud is out of service.
There is no perfect, infallible cloud service. Interruptions and downtime are bound to happen, whether they are caused by a natural event (e.g., an equipment break-down) or by a man-made one (e.g., a breach of security or a denial-of-service attack). Users and cloud service providers need to be clear on what happens when there is an interruption in the service. Any uncertainty in the terms for compensating the customer for service interruptions and downtime will only cause problems when such cloud outages occur. Clarity will save time, money and aggravation to both parties if these terms are adequately defined in the contract for these services.
About the author:
Francoise Gilbert is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She focuses on information privacy and security, cloud computing, and data governance. She has been named one of the country’s top privacy advisors in a recent industry survey and has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. .Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyzes the data protection laws of 60-plus countries on all continents. She serves on the Technical Board of Advisors of the ALI-ABA and co-chairs the PLI Privacy & Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.