Negotiating Cloud Computing Contracts

Cloud computing continues to grow apace, with more businesses each year considering some form of a cloud solution. This is not to say that IT departments are abandoning traditional software solutions but they are picking and choosing business functions they are willing to push to the cloud. With one foot increasingly in the cloud and the other remaining in the business, IT personnel need to keep in mind the difference between a traditional software solution and a cloud offering. With those differences in mind, you can focus on the key aspects of the cloud computing agreement.

Cloud computing involves scalable and elastic IT-enabled capabilities delivered as a service.  The vendor hosts the software and data, often your data and other customers' data held in a shared environment. In contrast, traditional software licensing involves the delivery of a good, the software, installed locally in your environment. The software is usually highly configurable so it can meet particular business needs and you retain control over the data used by the software. So going from the ground to the cloud means your focus must shift from installing and configuring software to making sure the cloud service is available when needed and secure. Let's consider availability and security each in turn.

The cloud service needs to be available for use in your business, but you are relying on the vendor, not your own IT personnel, for that availability. Pay close attention therefore to the vendor's service levels, response times for issues and remedies for unavailability. Any reputable cloud vendor should have a very high uptime warranty, guaranteeing that the cloud service will have an uptime of a certain percentage, during certain hours, measured over an agreed upon period. Carefully consider the agreed upon measurement period (e.g., daily, monthly, quarterly), as vendors want longer measurement periods because they dilute the effects of a downtime. Then ensure the vendor provides latency warranties for untimely or delayed responses from a service is effectively unavailable. The agreement needs to include a matrix for estimated resolution times for reported problems based on severity of the issue. Finally, the vendor should provide adequate service credits as a remedy for excessive downtime. The remedy should start out as modest credits towards future services and scale to larger credits and if repeated failure occurs, you should have the right to terminate the agreement without penalty.

Data security is important to protect sensitive data, both the company's and your customers'. You are accountable for complying with security and privacy laws, regardless of whether you or a cloud vendor are holding the relevant data. And data breaches are expensive. A recent study Cost of a Data Breach, Ponemon Institute, LLC examined the costs of dealing with a data breach and revealed an average total cost of $6.75 million. At a minimum, if a breach of security or confidentiality requires notification to your customers under any privacy law, then you should have sole control over the timing, content and method of such notification.

The cloud agreement needs to have specific details regarding the vendor's security measures, security incident management, and hardware, software and security policies. These should all be reviewed by someone competent in data security. Compare such policies with your own. More customers of cloud vendors are demanding the vendor match the customer's policies and provide copies of annual SAS 70 audits.Vendor data centers located in a foreign country are a big potential problem because no opportunity exists to inspect the foreign location and the location of the data may determine the jurisdiction and the law governing it. There is no global privacy law or standard and thus protections vary widely. Moreover, vendor help-desk personnel accessing your data could be located in a foreign country with limited security and privacy laws. Consider requiring the vendor's data center be located and the services be performed in the United States, and that no data be made available to those located outside the United States. If you cannot obtain these warranties, find another vendor or at least consider very carefully the data you send to that cloud.

Data format, insurance and fee escalators are three key issues to address in minimizing your cloud risk. Avoid the hidden costs of being locked in to the vendor's solution because of its proprietary file format. The agreement should require that, at termination, the vendor has to return your data both in the vendor's data format and in a platform-agnostic format, and thereafter destroy all of the customer's information on vendor's servers, all upon expiration or termination of the agreement.  Also related to data formats is the issue of deduplication and if your vendor uses it. Deduplication removes redundant data from your files to save storage space in the vendor's network. This process may remove metadata from the file which can result in many issues in the event of litigation. Companies have found themselves subject to sanctions in litigation because metadata is missing from data relevant to the litigation. Accordingly, you need to consider requiring the vendor to keep a full copy of the data, with all metadata, or you need to retain full copies.

Also, don't overlook your ability to help self-insure against risks associated with a cloud agreement. While the vendor should have technology errors & omissions insurance, consider getting a cyber-liability policy for your business. Cyber-liability insurance can protect you against unauthorized access to a computer system, theft or destruction of data, hacker attacks, denial of service attacks and malicious code or violations of privacy regulations. To avoid sticker shock from escalating prices, you should attempt to lock in any recurring fees for a period of time (one to three years) and thereafter an escalator based on CPI or other third-party index should apply.

If you are considering moving some business functions into the cloud, keep in mind the difference between the cloud and traditional software and protect your business accordingly.

Christopher C. Cain is a partner with the law firm of Foley & Lardner LLP, practicing in the firm's Information Technology & Outsourcing and Transactional & Securities practices. He routinely counsels clients on the legal, technical and transactional issues arising in technology transactions.