Vendor data centers located in a foreign country are a big potential problem because no opportunity exists to inspect the foreign location and the location of the data may determine the jurisdiction and the law governing it. There is no global privacy law or standard and thus protections vary widely. Moreover, vendor help-desk personnel accessing your data could be located in a foreign country with limited security and privacy laws. Consider requiring the vendor's data center be located and the services be performed in the United States, and that no data be made available to those located outside the United States. If you cannot obtain these warranties, find another vendor or at least consider very carefully the data you send to that cloud.
Data format, insurance and fee escalators are three key issues to address in minimizing your cloud risk. Avoid the hidden costs of being locked in to the vendor's solution because of its proprietary file format. The agreement should require that, at termination, the vendor has to return your data both in the vendor's data format and in a platform-agnostic format, and thereafter destroy all of the customer's information on vendor's servers, all upon expiration or termination of the agreement. Also related to data formats is the issue of deduplication and if your vendor uses it. Deduplication removes redundant data from your files to save storage space in the vendor's network. This process may remove metadata from the file which can result in many issues in the event of litigation. Companies have found themselves subject to sanctions in litigation because metadata is missing from data relevant to the litigation. Accordingly, you need to consider requiring the vendor to keep a full copy of the data, with all metadata, or you need to retain full copies.
Also, don't overlook your ability to help self-insure against risks associated with a cloud agreement. While the vendor should have technology errors & omissions insurance, consider getting a cyber-liability policy for your business. Cyber-liability insurance can protect you against unauthorized access to a computer system, theft or destruction of data, hacker attacks, denial of service attacks and malicious code or violations of privacy regulations. To avoid sticker shock from escalating prices, you should attempt to lock in any recurring fees for a period of time (one to three years) and thereafter an escalator based on CPI or other third-party index should apply.
If you are considering moving some business functions into the cloud, keep in mind the difference between the cloud and traditional software and protect your business accordingly.
Christopher C. Cain is a partner with the law firm of Foley & Lardner LLP, practicing in the firm's Information Technology & Outsourcing and Transactional & Securities practices. He routinely counsels clients on the legal, technical and transactional issues arising in technology transactions.
