This tip is a part of the SearchCloudSecurity.com mini learning guide series, Cloud computing legal issues: Developing cloud computing contracts.
Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing into the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.
In this tip, we review critical steps for developing, maintaining and terminating cloud computing contracts.
Read and negotiate the contract
Once you have chosen one or several cloud vendors or cloud offerings, the next step is to enter into a written contract for these services. The contract is intended to accurately describe the agreement and understanding of the parties. It should address the major issues that are critical for the survival of your business.
Depending on the nature of the services, the volume of data, and the leverage of the company, the contract may be in the form of a click-wrap agreement, which is not negotiated, or the parties may negotiate a more complex written document that is tailored to the specific situation.
If only a click-wrap agreement is available, the contract is likely to be one-sided in favor of the service provider and to lack most of the warranties and protections that a purchaser of the service would wish to receive. In this case, you should balance the risks of forgoing negotiations and protections against the actual benefits, financial savings and ease of use promised by the cloud service provider.
If you have the ability to negotiate the cloud computing contracts, you may be able to add or modify provisions that address your company’s needs while defining the obligations of the parties both during the term of the contract and upon termination. Detailed, comprehensive provisions tailored to the unique risks of operating in a cloud environment should be negotiated.
For example, it is important to know where the data will be stored or processed, because the fact that the data is held on a server in a particular state or country is likely to subject the data to the jurisdiction of the country where the server is located. You may want to look for guarantees with respect to the scope of the services, the prices, the support offered and the downtime. You should also seek commitment from the cloud vendor that it will protect your data with adequate security measures. You may also need to ensure the vendor will inform you promptly if a security incident has affected the data that you placed in its custody. As the custodian of your employees’ or customers’ personal information, you may have an obligation under U.S. state law to inform them of loss or compromise of their data.
Cloud computing contracts and termination
Numerous events may lead to the termination of cloud computing contracts and relationships. The contract may expire at the end of its term and not be renewed. It may be terminated for default or material breach, financial difficulties or bankruptcy. Each such event raises the issue of access to, and ownership of, assets; organizations must plan to ensure they will be able to retrieve their data.
Keep in mind that your data will be the most at risk upon termination of the contract. The cloud vendor has no incentive to be nice to a customer that is leaving. Worse, the cloud vendor may be experiencing financial difficulty, which significantly increases the risk of loss and vulnerability of the data. Provide for the proper -- and secure -- winding down of the relationship in order to ensure business continuity and to limit the risk of loss or alteration of the data.
Plan for termination of the contract before signing it. Ensure the service agreement lays out whether and how the data will be returned to your company or destroyed, the cost associated with this return, and the procedures to be used in the event of termination.
The volume of data to be returned might require planning and proper logistics. The data might have been commingled with other customers’ data to save space or for technical reasons. This entanglement might make it difficult, time consuming, expensive or perhaps impossible to disentangle the data.
The cloud environment may create unique risks or enhanced exposure. The technology used -- i.e., a distributed computing environment -- may make it difficult to locate the data. The amount of data may be so large that practical difficulties in collecting the data are very likely. Further, the parties are likely to be located in different jurisdictions, each with a different legal regime, which will increase the uncertainty and complexity.
Throughout the life of the relationship, keep monitoring the activities of the vendor to ensure the contract is performed according to its terms. To the extent possible, monitor, test and evaluate the services provided in order to verify that the required service levels are reached, the promised privacy and security measures are being used, and the agreed-upon processes and policies are being followed.
Keep in mind also that further revisions to the contract might be necessary from time to time. They may be required by external or internal changes. For example, the cloud service provider may have to change its security practices and procedures in order to address new security threats. It may have developed new products or applications that are better suited to your company’s needs. Both the cloud service provider and the customer may need to adapt to new compliance requirements if new laws are passed or regulations are enacted during the term of the contract.
Talk to your lawyer early
In most cases, entrusting your company’s data to a third party will be an important decision. Get help from experienced professionals. Do not wait until the last minute to speak with your lawyer. The more you procrastinate, the more you expose your company to errors and failure. It’s like starting a game with part of the team missing, and waiting until the last 10 minutes to bring in the remainder of the players. It may work occasionally, if you are lucky, but most of the time, playing with an incomplete team will cause you to fail or take unnecessary risks. Your attorney will help you navigate the maze of multilayered cloud computing contracts, decipher obscure, complex, cloud agreements, identify what is missing, and see through puffing and other empty promises.
About the author:
Francoise Gilbert is the managing director of the IT Law Group, and serves as the general counsel of the Cloud Security Alliance. She focuses on information privacy and security and data governance. She has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of Information Privacy and Security. US News has ranked the IT Law Group as one of the top law firms in the Information Technology Law area. Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyses the data protection laws of 60-plus countries on all continents. She serves on the board of directors of the International Technology Law Association, and on the Technical Board of Advisors of the ALI-ABA.