Cloud computing has revolutionized the way we store data. Now, with an Internet
connection, you can send data to a third-party vendor – across the street or
across an ocean – who will store the data for you in "the cloud,"
charging you only for the space you need and use. On most occasions, resorting
to cloud computing is an attempt to eliminate the need to buy additional
hardware, avoid the ongoing chore of keeping your software up-to-date, make
data available to your staff from any remote location, or possibly eliminate
the expense of an internal IT staff.
However, while there may be some financial benefits, there are several legal and
practical issues to consider before you choose cloud computing, and more than a
few "must haves" in your cloud computing contract.
Data Security – It’s Not As Bad As You May Think
The first issue that concerns many businesses is data security. Many feel that
putting their data on the Internet is a breach waiting to happen. It is likely,
however, that a responsible cloud vendor offers better protection than your
company provides. A reputable vendor should have its own IT security staff,
should constantly monitor for intrusions and attempted breaches, and will
continually upgrade its hardware, software, and firewalls.
The only way to assess whether a vendor’s data security is adequate is to first
evaluate how confidential and valuable your information to be stored really is.
Some information (medical records, payroll records, etc.) is extremely
sensitive; the menu at last year’s holiday party is less so. The level of
assurance should be appropriate for the type of data you are placing in the
cloud.
Ask for a copy of the vendor’s Statement on Standards for Attestation Engagements
(SSAE) 16 audit, and ask that the contract require the vendor to deliver it
each year. For a cloud host, this is an auditor’s report of the vendor’s
description of its "system" and security measures, along with a
written assertion by management of its compliance with that system. It is not a
perfect description of the system, and management does not specifically
identify its failings, but it is often the best information available.
Viability and Reputation
Choosing a cloud vendor is choosing a partner: The success of your business depends on
how your vendor performs. Perform credit and reference checks, especially if
the data you store in the cloud is critically important for your business. If
the cloud host is financially troubled, its creditors could seize the building
or the servers on which your data is located. Ask for a representation in the
contract that the vendor owns, not leases, the equipment on which your data
will be stored, and that no creditor of the vendor has the right to seize that
equipment.
Data Availability
The cloud vendor cannot guarantee 100% availability of your data or software. In
this regard, computing in the cloud truly is the same as maintaining your own
office system. Ask that your contract include Service Level Agreements (SLAs)
regarding the environment, data availability, and announcements of scheduled
maintenance. SLAs are the most common method of measuring availability and
holding the vendor accountable – but SLAs themselves will not provide useful remedies.
They are best used to measure the vendor’s performance against its own
promises, and they also reveal the quality the vendor expects from itself. If
the SLAs establish a low threshold, the vendor may not be as concerned as you
are with maintaining higher standards.
Whether the SLAs are set high or low, the vendor will not absorb the liability for
losses and damages if your business loses data. You should ask that your
contract give you the right to terminate the agreement if the SLAs are breached
repeatedly. Another means of confirming availability is to carefully examine
and make sure you understand the vendor’s use of back-ups, and their disaster
recovery and business continuation policies. You also should maintain your own
back-up and disaster recovery systems: NEVER put your only copy of the information
or software in the cloud.
Confidentiality and Intellectual Property
As important as it is to protect your data from outside intrusions, it is equally
important to prohibit the cloud vendor from using or disclosing your data and
other confidential information and intellectual property. Any agreement that
transfers data or software off-site must clearly protect the confidential and
intellectual property rights of both parties. Ask for a provision assuring that
if the vendor is served with any subpoena, warrant, national security letter,
or similar process, it will provide you with immediate notice and will withhold
compliance until the last date permitted by law – which then allows you to seek
protection from an appropriate court.
Software Licenses
Many software vendors grant licenses that are restricted to a specific machine that
you register upon initial installation. The same holds true if you purchase
multiple licenses or "seats" that are maintained on the company’s
server. Surprisingly, some enterprise software vendors charge an additional fee
and require agreements from the cloud host if the software is to be moved to or
housed in the cloud. Before placing your operating software in the cloud, make
sure to review your software licenses, or ask your software sales
representatives whether the licenses permit operating in the cloud.
Location/Governing Law
Unlike most agreements, a cloud agreement may be subject to the laws of multiple
jurisdictions simultaneously, as many states and the European Union have
announced that their laws apply to the data of their residents regardless of
where in the world the data is stored. To complicate matters, some cloud
vendors cannot or will not tell you where your data is stored. This is typically
explained as an additional security measure, but most vendors want the
flexibility to move a client’s data with no restrictions. If your type of
business is required by law or regulation to have the ability to audit the
physical security of the servers that house your data, you need to ask for a
representation of the location of their servers and an agreement that you may
have physical access to their premises. Depending on your business, you may
also need to ask for a provision that forbids the vendor from moving the data,
or at least forbids it from moving your data or software across jurisdictional
borders.
Whose Cloud Is It?
If you are entering the cloud as part of a package sale by a software vendor (or
another reseller of data storage), the actual cloud host (the owner of the
hardware and the premises where the hardware is located), may be a third
company. So you must ask for a representation that requires your direct
provider to impose the obligations listed here on its subcontractors. The third
party must be checked as closely as the software vendor, including credit
reports and the SSAE 16 audit report.
Insurance and Business Interruption Insurance: A Final Note
Entering into a business agreement with a cloud vendor poses risk. You are relying on
the vendor to stay in business and keep the data secure and available. If the
vendor fails in these tasks, your next calls will be to your lawyer and your
insurance carrier. Before you have to make those calls, review your company’s
insurance policy to see whether you are covered if your data is lost or its
security breached. You can purchase a specialized cybersecurity policy which
would supplement a standard business insurance policy.
While cloud computing is here and will only grow more common in the future, companies
must be appropriately diligent in ensuring that where and how their data is stored
and maintained is appropriate. Before
entering into an agreement with a cloud computing vendor, you should carefully
vet the potential vendor, review all relevant data security regulations, and
make sure your contract(s) maximize your protection.
For assistance with cloud or other technology contracts, or any other corporate law needs, please contact John F. Bradley, the author of this alert and a partner in the firm’s Data Privacy and Security and Corporate Practice Groups, or Robert P. Maloney, Chair of Prince Lobel’s Corporate Practice Group. You can reach John at 617 456 8076 or jbradley@princelobel.com, or Bob at 617 456 8008 or rmaloney@princelobel.com.