A Hacker or Your Cloud Provider. Who Presents the Greatest Risk to Your Data?
It’s your worst nightmare. All of your most important and sensitive data, the thing your business values most, the thing your company cannot operate without, the thing your regulators require you to protect, has been taken hostage. Your business grinds to a halt. Your customers and business partners are livid. Your regulators are demanding an explanation as to how something like this could happen.
Ransomware? Insidious hacking attack? No, it’s your cloud services provider. That business partner you relied upon has turned out to be a greater threat than any hacker.
It starts in the most mundane way. You have a dispute with your cloud provider over the amount of an invoice or your cloud provider simply decides it wants to renegotiate the contract terms and manufactures a reason to take action. But, how can a cloud provider take your data hostage?
To answer that question, we must look back to a very popular contract provision found in technology contracts from 20-30 years ago. Some called it a “self-help” clause. Others called it “leverage.” The language looked innocuous. Likely it was buried in the contract fine print. It said something about the vendor being able to suspend performance or, in the event of termination, a right to withhold your data until all fees are paid and, potentially, all disputes resolved. The language cropped up in old data center and service bureau engagements.
That language from years past fell out of favor and was seldom seen in more recent times. That is, until the advent of cloud services when a resurgence in broad suspension rights has become the norm in almost all contracts. Worse yet, once thought long dead, the right to withhold customer data is also seeing a reappearance in some cloud agreements.
Let’s look at each of these rights one at a time.
Broad Vendor Rights to Suspend Access
The right to suspend performance. This right gives the vendor, frequently without prior notice, the ability to simply cut off your access to their cloud services.
That’s right. You could be in the midst of processing quarter-end invoices and find you are no longer able to access the cloud service on which that processing depends. Consider, further, that you are a healthcare provider and you have a patient sitting in your ER with an emergent condition. You need to treat her immediately. The physician goes to a terminal and finds the online electronic health record system inaccessible.
Impossible? Unfortunately, not. A growing number of online health record systems agreements include the right for the provider to suspend access.
The language is frequently incredibly broad, permitting the cloud provider to suspend performance and access to their service for a wide range of largely undefined circumstances. Some examples:
- Any set of circumstances that could pose a risk to the vendor’s systems
- Any set of circumstances that could create potential liability for the vendor
- The customer’s violation of the vendor’s acceptable use policy, which is essentially a lengthy listing of extremely vague and undefined circumstances under which the customer may be held in breach of contract and the vendor may suspend performance
- The Customer has breached any obligation under the agreement
- Customer’s failure to pay any amount due the vendor, regardless of how small that amount may be or, even, if it is the subject of a good faith dispute
Almost every cloud provider includes some or all of the foregoing suspension rights in their form agreement.
What’s a customer to do? First, narrow these provisions to the extent possible. Second, make sure any suspension right is tied to an objective standard, not merely the vendor’s discretion. Avoid references to the vendor’s “sole discretion” and require any action to be “reasonable.” Third, require at least some form of prior notice and opportunity to cure the issue. Finally, require the vendor to immediately reinstate the service as soon as the issue is resolved. Depending on the criticality of the service, other limitations may be appropriate, but the foregoing provide at least baseline protection.
In fairness to vendors, this right of suspension is based in part on a reasonable concern that the vendor must be able to protect itself from customer actions that could truly damage its systems or present material risk. In comparison, the right to hold data hostage is not based on any reasonable concern of the vendor – other than the ability to gain undue leverage over its customer in the event of a dispute.
Vendor Rights to Hold Your Data Hostage
As noted above, the language permitting a vendor to hold your data hostage is frequently non-obvious. It is generally hidden in other, lengthy provisions in the contract and framed in seemingly innocuous terms. At its heart, however, the language qualifies the customer’s right to obtain copies of its data, typically on termination of the agreement, until various criteria are fulfilled.
The most common example is “On payment of all relevant fees, Customer may download a copy of its data from the Services.” The underlined words afford the vendor the means to refuse the customer access to its data if even a penny of fees is unpaid – even if that penny is the subject of a good faith dispute.
Every customer should insist on having the unqualified right to obtain copies of its data at any time during the term of the cloud agreement and for a period (e.g., thirty days) after termination. If there is a dispute as to fees, that dispute should not turn on the vendor holding the customer’s data hostage. Rather, failure to pay constitutes a breach of the contract for which the vendor can take action and recover damages. The only reason to retain the right to withhold data is to gain leverage over (some would say extort) the customer. It is not a reasonable contract practice and should be rejected.
When entering into your next cloud agreement, look carefully for the suspension and hostage rights described above. Work to narrow and limit the suspension right and to excise the hostage right in its entirety from the agreement.