Francoise Gilbert

The characteristics of cloud computing — on-demand self-service, elasticity, metered service or ubiquitous access — make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.

Consistent with this model, which benefits from uniformity and standardization, many cloud services agreements are presented in the form of a click-wrap agreement, where no negotiation is possible, and the customer clicks on an “I agree” button to express consent to the terms. The apparent ease of entry into these contracts makes the process seem as easy or inconsequential as purchasing a song from iTunes.

However, the fact that in most cases the purchaser of cloud services is pushed to interact with vendors through websites and generic form agreements does not adequately reflect the unique complexity and importance of cloud service contracts. Cloud computing relationships are extremely complex and fragile. They involve relinquishing control over, and custody of, a company’s vital data, documents and applications to one or more service providers whom company executives may never have met, and which may be hidden or difficult to identify in the fog created by the so-called cloud. Cloud contracts therefore raise numerous complex technical, business and other issues that could create significant exposure to financial disasters, embarrassment and other problems if not attended to with sufficient precautions.

Cloud computing legal issues, in particular, abound. These issues include: ensuring access, availability and performance; customization and integration with existing technologies; cost and pricing; compliance with regulatory requirements; ability to terminate and move to another service provider or take data in-house; and much more. The security measures used to protect the data entrusted to the vendor are crucial. It is also important to define how liability for the loss of data will be allocated, and to address the extent to which the customer will be able to access or retrieve the data in case of termination.

Do not be fooled by appearances; be careful when stepping into the cloud. In part one of this two-part article, we’ll review preliminary legal considerations for cloud computing and the due diligence required before choosing a cloud service provider. Part two covers critical steps for developing, maintaining and terminating a cloud service provider contract.

Think before you click

First, do not rush into a cloud service agreement. Cloud providers have made it very easy to purchase their services on the Internet. It is almost as easy to purchase a book from Amazon as it is to purchase a subscription to Amazon’s EC2 services. Wait! Do not click on the “I agree” button until you understand what you are getting, and more importantly, what you are not getting. Just because the service appears so easily available from the vendor’s website does not mean it is the right service for you, or that the terms of the offering are fair and balanced.

Ensure there are no cloud computing legal obstacles

Are you sure that using the cloud for the type of data and the types of services that you envision is legal? Companies are the custodians of the personal and other data entrusted to them. These data are frequently protected by laws, regulations or contracts that prohibit, restrict or limit the disclosure or transfer of the data to a third party. For example, health information protected under HIPAA cannot be transferred to a third party or “business associate” without imposing specific obligations on that business associate. Some U.S. state laws require that Social Security numbers, drivers’ license numbers, financial information, and other similar information be encrypted before being transferred to a third party. Other laws require entering into a written agreement with the service provider, with specific terms.

If your data originate in one of the 40-plus countries that have adopted comprehensive data protection laws, it is likely that the data may not be taken out of their country of origin and transferred abroad unless specific contracts are signed or other specified arrangements are made, because the recipient country will probably not provide adequate protection for the privacy rights of the individuals to whom the data pertain.

Perhaps your company has signed a confidentiality agreement or a data-transfer agreement with a third party from which it received sensitive data, such as personal information or trade secrets. In this case, this agreement probably prohibits you from transferring the data to a third party without the prior permission of the data owner. Thus, moving the data to a cloud without the prior permission of the data owner would breach this agreement.

Remember: Before exploring the cloud services offering, determine whether your business model and the contracts that bind your company allow for the use of these services, and under which conditions.

Due diligence questions

Once you are confident that a particular application or database may be moved to the cloud without breaching any laws or existing contracts, you must investigate the vendor. Just because a service is attractive or works well for the company next door does not mean that it is right for you.

Organizations should conduct thorough due diligence on a proposed cloud service provider in order to determine whether the services offered correspond to their needs. Myriad questions need to be asked and their answers carefully analyzed; for example:

  • What services will be provided?
  • Will the service allow the company to fulfill its computing and access needs?
  • What are the vendor’s technical capabilities?
  • What are its financial capabilities? What is the likelihood that it will remain in business for the next few years?
  • What service levels will be offered? Is there any possibility of downtime?
  • How secure are its operations? What security measures are used?
  • Is the cloud vendor equipped to handle business interruption and disaster?
  • What support will be provided?
  • What will happen if there is a security incident?

Different methods may be used to conduct due diligence. For example, you could speak with existing clients, send questionnaires and review the answers, review audit reports, and survey comments from current customers on listservs and other forums on the Internet.

Remember that this due diligence is necessary to understand and evaluate the entity to which you will entrust important company information. It’s a well-known “best practice” and required by several laws. Skipping this important step would expose the company and its management to potential claims of negligence and breach of duty of care.

This article was first published by TechTarget (registration required) in February 2011.