May 24, 2012

Navigating the Cloud: Minefields in the Uncharted Territory of Cloud Computing

In the traditional software licensing model, a vendor provides a copy of software code to the customer, who installs it on their own servers and purchases maintenance and support for that software from the vendor. In contrast, cloud computing is a different licensing model that may broadly encompass the provision of software, infrastructure, data storage, access and other online resources over a network. However, the term is most commonly used to refer to a licensing model in which a customer has the ability to access online resources on demand from a third-party cloud provider over the Internet. The substantive difference from the traditional model is that the cloud provider may itself serve only as a "general contractor" that obtains one or more of these online resources from multiple other subcontracted service providers.

The cloud model is becoming increasingly popular as companies look for robust, cost-effective technology solutions that can be quickly and easily implemented. It may be particularly advantageous for early-stage or mid-market companies that do not have the resources to implement onsite, enterprise-class solutions. By effectively outsourcing software hosting, maintenance and support to a cloud provider, these companies may be able to obtain reliable, scalable, economical and highly available software solutions that would otherwise be out of reach.

Customers typically pay a subscription or service fee to the cloud provider for providing Internet-based access to software, services or data, as well as for the maintenance and support needed to keep the cloud solution available to users and current with the state of the art in the IT industry. Because the cloud is a hybrid solution combining software and service, the terms and conditions governing the customer-provider relationship are typically a blend of the legal and commercial terms found in both license agreements and technology services agreements. These complex agreements must be crafted carefully in order to mitigate the risks inherent in such contractual relationships.

Stay Secure

Utilizing the cloud often requires you to disclose confidential or proprietary information to the cloud provider for storage or processing. The recent, well-publicized data security breach at Epsilon Data Management, a leading provider of e-mail marketing services, illustrates the risks of such disclosure. In April 2011, Epsilon announced that its database had been breached by an unknown third party, allowing unauthorized access to the e-mail addresses of its clients' customers. Companies that had outsourced e-mail marketing to Epsilon—including JP Morgan Chase, TiVo, Capital One, Best Buy, Target and Walgreens—had to take measures to address the breach, including notifying their affected customers as required by various state breach notification laws.

The unauthorized disclosure, loss or destruction of personally identifiable information or other sensitive data can have severe consequences, including the significant costs of recovering data and notifying affected individuals of the breach. Before signing up to provide any information to a cloud provider, you should conduct due diligence to make sure both the provider and its subcontractors are capable of safeguarding the information, and should also work with an experienced attorney to put appropriate contractual provisions in place.

Get It in Writing

There are a variety of contractual protections that can be used to manage data privacy and security risks, and to stipulate the responses required if a breach occurs. These measures are important not only as a good business practice, but also to comply with applicable federal and state laws, including HIPAA, the HITECH Act, the Gramm-Leach-Bliley Act, the Red Flags Rule and evolving state privacy laws.

At a minimum, a contract that involves the transfer of sensitive data to a cloud provider should require the provider to comply with all applicable laws, as well as any standards that you have set for your service providers. For example, a retailer will likely require its third-party providers who process cardholder data to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), even though it is currently a legal requirement only in Minnesota, Nevada, Washington and Massachusetts.

Cloud contracts should also require that the provider maintain appropriate protections against the loss or destruction of data. For example, there might be a general requirement to maintain the safeguards discussed above, and, more specifically, that the provider use firewalls, password protection and the like. Contractual protections can also require a cloud provider to develop and maintain procedures to back up data, and to reconstruct data that is destroyed, lost or corrupted.

Another critical issue to address contractually is which party will bear the costs of remedying a data breach, including the costly process of notifying customers. Unless the issue is addressed clearly in the agreement, it may be difficult to recover those costs from the provider.

Monitor Compliance with Audits

Periodic audits are one way to monitor whether a cloud provider has appropriately implemented the required safeguards to protect your data. A common approach is to contractually require a provider to undergo an annual, independent audit of its data security controls for each facility where your company's data is stored. The provider should also be required to take appropriate measures to resolve in a timely fashion any issues identified in such an audit report. In today's data-driven world, you should be skeptical of a provider that does not—or is unwilling to—perform regular audits of its data centers.

Insure Yourself

Insurance is another way to manage your cloud-related privacy and data security risks. While customers should be appropriately insured, cloud providers should be required to maintain insurance naming the customer as an additional insured, covering both of the following:

  • The customer's losses from a data security breach (such as notification and credit-monitoring costs, costs to change account numbers, lost business income, and data restoration expenses)
  • Payments to third parties that are required as a result of a breach (such as costs and liabilities arising out of lawsuits brought by customers, employees, banks, retailers and other third parties whose data was compromised, as well as actions or investigations brought by regulatory agencies)

Availability and Performance

In moving to a cloud solution, you virtually hand over control of your technology functions to the provider, including availability of the solution. While assigning responsibility to a third-party provider can allow you to reduce costs and improve availability and reliability, there are also risks. If the cloud provider experiences a problem—either with its own software and systems or those of a third-party service provider on which it relies—your business could be affected. For example, Amazon.com recently experienced a major failure of its cloud platform, disabling a variety of websites and service providers that relied on it to provide their cloud infrastructure.

Performance issues should also be addressed with the cloud provider in the agreement, including an availability service level describing when the cloud services will be available for use. While limited exclusions for scheduled and emergency maintenance are often reasonable, broader exclusions may undermine the availability commitment. In addition, you should ask the cloud provider to commit contractually to any other performance standards that your company requires, such as minimum transaction processing speeds and support response times.

Equally important are the remedies available if the provider fails to make the cloud services available as agreed. Credits against fees, termination rights and/or other rights triggered by a provider's failure to meet its service levels may be appropriate to give customers a meaningful remedy and to incentivize the provider to deliver the agreed-upon level of performance.

Cloud agreements typically seek to limit a customer's legal remedies to recovering a credit against fees in a specified amount when the provider fails to meet its service levels. This limited-credit remedy is typically a point of negotiation in a contract for cloud services, and you should very carefully consider whether the credit offered takes into account the amount of damages you could incur as a result of a performance failure, depending on the severity of the failure.

Termination and Suspension

When you hand over your data and entrust your information to a cloud provider, you risk putting your company's most valuable asset—its data—at the mercy of the provider in the event of a dispute. If the provider pulls the plug on the services or refuses to allow you access to your data, you may not be able to run your business. Some important protections to incorporate into your agreement include the following:

  • Appropriate termination rights;
  • Cure periods to allow you to cure a breach before services are terminated; and
  • Rights to access and retrieve your data at any time during and after the term of the agreement.

Providers often request broad rights to suspend a customer's access to the cloud solution, without terminating the agreement, in the event of non-payment or other breaches of the agreement by the customer. These types of suspension rights can be dangerous, allowing the provider to cut off access to the cloud product without giving you the ability to transition to a new solution. From a customer's perspective, there are a number of ways to address suspension rights, including:

  • Replacing them with termination rights;
  • Limiting them with cure periods and exclusions; and
  • Providing for uncapped provider liability in the event that the provider suspends access to the cloud product and the suspension is later determined to have been unjustified.

At a minimum, in the event of a difference of opinion with the provider, you should be able to continue to run your business while the dispute is being resolved, and obtain the assistance you need to move to another provider if necessary.

© 2012 Much Shelist, P.C.

About the Author

James M. Kunick, Principal and Chair of the firm's Intellectual Property & Technology practice group, has nearly two decades of experience representing regional and multinational clients in a broad range of intellectual property, information technology and corporate transactions. Jim's experience includes technology transactions and licensing, outsourcing, media transactions, franchising and corporate matters.
