Technology: Contracting for cloud services, a roadmap for cloud users
Businesses with market leverage have been able to negotiate some changes in standard terms of service for cloud services in four key areas.
December 20, 2013 at 03:00 AM
9 minute read
The original version of this story was published on Law.com
Despite all the hype surrounding cloud computing, the business cloud services market is still relatively immature — with many cloud service providers (CSPs) using a commoditized approach for delivering high-volume, low-cost, standardized services offered to a large group of users. As a consequence, not all CSPs will negotiate their terms of service. However, as is the case with most contracts, businesses with market leverage have been able to negotiate some changes in standard terms of service. Some of the most frequently negotiated areas of cloud services agreements include:
- Limitations on liability
- Availability of the cloud services
- Security, privacy and regulatory
- Termination of services and exit
Limitations on liability
Limitations on liability, particularly for outages, data breaches and data loss, has been a concern for cloud users. Many standard cloud contracts provide the CSP with broad limitations of liability. When these provisions are negotiated, the losses are often limited to specific defined “direct” losses and are typically capped with limits tied to a percentage of the total amounts paid by the user over a stated period (such 100 percent of the total amount paid for services over the past 12 months). To the extent that a cloud user is able to negotiate the limitation of liability, it should consider whether the cap amount is appropriate based on the scope of the cloud user's risks and also seek to exclude breaches of confidentiality and breaches of representations and warranties from the cap and ensure that any service level credits or payments (discussed below) do not count toward the cap.
Availability of data and services
Availability of the cloud services is another important area of consideration in cloud contracting. Service level agreements (SLAs) vary among cloud providers and uniform standards have not yet been developed, making it difficult for cloud users to compare different services. It is important for cloud users to determine the functionality and performance requirements they need from cloud services before beginning their cloud services procurement process. Once these have been determined, the cloud user can compare them to what the CSP is offering. Be sure that the cloud services agreement states how availability of the services is measured (i.e., every 5 minutes, 15 minutes or on the hour, etc.). Note that most CSPs offer service credits as a remedy for a breach of service levels and even these credits may be limited to circumstances where the lack of availability was within the CSP's control.
Ensuring the confidentiality, integrity and availability of cloud data and applications is essential. While many cloud users focus on the liability resulting from data security breaches, it is also important to address the responsibility for data loss and corruption and include monetary compensation for data loss and recovery costs. Make sure that the cloud services agreement addresses the CSP's business continuity and disaster recovery obligations.
In negotiating the SLA, cloud users should consider how the CSP handles peak spikes and the risk that additional users can adversely impact the availability of the cloud services. Cloud users should also seek a commitment on response times, bandwidth, error correction/resolution, user support and technology upgrades. Downtime is a real risk in using cloud services, as recent network outages by Amazon, Skype, and Google Gmail illustrate. Many cloud users impacted by these outages were unable to properly function as a consequence, and some data was permanently lost. Maintenance also impacts availability of cloud services so be sure to carefully address in the SLA how this is scheduled and place the responsibility for documenting down time on the CSP and not the cloud user.
Information security, privacy and regulatory considerations
Each cloud user has different security, privacy and regulatory obligations that must be considered when contracting for cloud services. For example, cloud users should be aware that, depending on the cloud service, the cloud user's data may be co-located with third-party data. This multi-tenancy may create the risk for the cloud user's data may be accessed by third-parties which could result in the waiver of certain privacy protections as well as expose the cloud user to liability for violation of privacy regulations.
Make sure the agreement is clear about who owns the information placed into the cloud and that the agreement restricts the CSP's use, sale, rental, transfer, distribution, or other disclosure of the information solely and exclusively for the purposes of providing the cloud services.
The cloud services agreement should address the collection, access, use, storage, disposal and disclosure of personal information and whether those procedures comply with the federal and state privacy and data protection laws applicable to the cloud user's business. At a minimum, the CSP's information security safeguards should include: (i) limiting access to the cloud user's information to authorized employees of the CSP; (ii) securing the CSP's business facilities, data centers, physical files, servers and other computing equipment (including mobile devices and other equipment with information storage capability); (iii) implementing network, device application, database and platform security; (iv) securing information transmission, storage and disposal; and (v) implementing authentication and access controls within media, applications, operating systems and equipment.
Be sure to address the geographic location of the data centers used by the CSP. If the data is sensitive or if there are regulatory concerns, the cloud user should contractually require the data to be stored solely in the United States. Cloud users should understand how data can be located and retrieved, such as for e-discovery purposes, and address location and retrieval of data in the cloud services agreement.
The cloud services agreement should also address what constitutes a security breach and establish procedures which require the CSP to provide cloud user with the name and contact information for an employee of CSP who shall serve as cloud user's primary security contact and be available to assist cloud user 24 hours per day, seven days per week in resolving obligations associated with a security breach; and notify the cloud user of a security breach as soon as practicable, but no later than 24 hours (or such shorter period of time as may be required by a particular business' regulatory obligations) after the CSP becomes aware of the security breach; and making available all relevant records, logs, and other materials required to comply with applicable law, regulation, industry standards or as otherwise specified by the cloud user. The allocation of financial and other responsibility for remedying a security breach should be addressed in the cloud services agreement. Ideally, the CSP should be obligated to immediately remedy, at CSP's expense, any security breach caused by the CSP. However, this is often a subject of negotiation between the CSP and cloud user.
Oversight of security compliance
Cloud users should include a provision that the CSP will provide or allow the cloud user to conduct an annual audit of the information technology and information security controls for all facilities used in supplying the cloud services, including obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on the recognized industry best practices. The cloud services agreement should require the CSP to provide to the cloud user, upon its written request, certain specified reports such as the CSP's latest Payment Card Industry (PCI) Compliance Report, SOC 2 or SOC 3 reports and any other reports such as the CSP's ISO/ICE 27001 certification. A process for the CSP to address any exceptions noted on the SOC or other audit reports should also be included in the cloud services agreement.
Termination of services; exit
Make sure that the cloud services agreement specifies that CSP cannot terminate the cloud service without first providing the cloud user with notice and consent. Cloud users need to be sure that the cloud services agreement provides for the immediate return of the cloud user's data in a pre-agreed format and a requirement that the CSP assist the cloud user in its transition to a new vendor. The cloud services agreement should also require the CSP to make available to the cloud user a complete and secure (i.e., encrypted and appropriated authenticated) download file of the cloud user's data in a cloud user-specified format along with attachments in their native format. The CSP should be required to be available throughout a specified period to assist with the migration of the cloud user's data to another cloud service.
Note that even if the cloud services agreement provides such advance notice of termination, cloud users need to be prepared for the possibility that the cloud service may suddenly terminate with little or no notice and have a back-up plan if the service is terminated unexpectedly. For example, in January 2012, the U.S. Justice Department shut down a one of the world's most popular providers of remote data storage and seized its domain name and approximately 1,000 of its servers. After the government shut down the site, users could not access their data, did not know where it was physically located and did not know who had access to the data. More recently, another well-known provider of back-up cloud services announced it will no longer offer its cloud service designed to make it easy for small businesses and remote branch offices to back up their data. This CSP provided its cloud users with little notice of the service ending and the cloud users will have to migrate their own data to any alternative service since the CSP is not offering any data migration services in connection with the cancellation of the service.
Conclusion
Cloud service contracts are continuing to evolve as CSPs receive more requests and pressure from cloud users to address important privacy and security issues — so ask the CSP for any necessary modifications. With cloud contract terms often spread among several documents (i.e., the Terms of Service, Service Level Agreement, Acceptable Use Policy, Privacy Policy and Intellectual Property Notices), it is important to review, negotiate and coordinate the terms of each of these documents before entering into a cloud services agreement. The high risk of lock-in and increased dependency and reliance upon the CSP due to the decreased portability to, or interoperability with, other solutions make is essential to ensure that the terms of the cloud services agreement meet the legal and business requirements for your company.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Policy Wonks' Obsession: What Will Tuesday's Election Mean for FTC Firebrand Khan?
6 minute read
The FTC's Rebecca Slaughter Wants Fair Competition, and a Good Night's Sleep
New Merger-Review Process Could Doom Some Deals, Add Headaches, Subjectivity to Others
7 minute readTrending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 3Preparing Your Law Firm for 2025: Smart Ways to Embrace AI & Other Technologies
- 4Meet the Lawyers on Kamala Harris' Transition Team
- 5Trump Files $10B Suit Against CBS in Amarillo Federal Court
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
