Despite what your Cloud provider may suggest, there’s room for you to negotiate – and plenty of reasons to do so.
Have you been thinking about moving some, maybe all, of your services or data to the Cloud? The push to get you to do just that is on, spurred by Amazon, Google and various other providers whose advertising is designed to convince us all that Cloud-based operations are an essential element of any sane 21st Century business.
They may be right – but what they often don’t tell you is that their Cloud Customers (i.e., possibly, you) can put themselves at substantial legal and business risk by signing on to the boilerplate, provider-friendly service agreement drafted by, and for the benefit of, the provider. Such agreements invariably include vendor-favoring provisions that can and should be modified through negotiation.
This is a matter of particular concern for broadcasters, telecommunications companies and other businesses operating in a regulated environment. Provider-friendly service provisions can, and often do, hinder – and possibly prevent – the Cloud Customer from complying with regulatory and other legal requirements to which they are subject. At a minimum, prospective Cloud Customers should conduct an initial review of all Cloud-related contract documents to identify and mitigate, to the extent practicable, such potential problems.
The following is intended to provide a cautionary glimpse of key issues and pitfalls businesses face when negotiating contracts for Cloud services.
Defining your particular cloud
The notion of “Cloud services” is not monolithic. To the contrary, a wide assortment of separate and distinct Cloud services are available: they may be individually provided or individually hosted and may entail the processing and/or storage and/or transport of data. Cloud providers generally rely on shared platforms and resource pooling, and offer measured service and various pricing models. These lead to the essential characteristics of Cloud services: on-demand availability and scalability through broad network access across multiple user devices.
Typical Cloud offerings include: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS). These may be deployed as a public Cloud, community Cloud, private Cloud, or hybrid Cloud. For purposes of our discussion here, we will focus on “public Cloud” service, i.e., arrangements through which a private organization sells generic Cloud services to a Customer and the general public. This differs from on-premises computing, data center, and so-called “private Cloud” offerings, where Cloud infrastructure is managed solely for the Customer by a third party on the Customer’s behalf.
Don’t let yourself be pushed into signing
Cloud providers often present prospective Cloud Customers with a “form contract” whose terms, according to the provider, cannot (with very limited exceptions) be modified. In law school, this is known as a “contract of adhesion”; you may think of it as a “Take it or leave it”/ “My way or the highway” type of offer. Don’t be browbeaten into accepting a deal that includes terms you cannot and should not live with. Raise objections, offer alternative language, and stick to your guns. A Cloud provider’s sales representative may try to ignore your requests for changes, or may simply delay any response ad infinitum in order to put time pressure on you to sign the provider’s preferred contract. Stand fast!
As a practical matter, it is not unusual for a vendor to have a fallback provision for the most draconian or Customer-unfavorable terms. So even if your bargaining power is relatively small, there is no reason not to push for better terms than the initial boilerplate offer entails.
And another tip for your general review of the initial terms offered by the Cloud provider: Do NOT accept terms that can be changed unilaterally by the vendor (by, e.g., simply posting the revised terms on its web site and incorporating them by reference into the executed contract long after the contract has been signed). Such terms normally enable the provider to change the deal in important ways without any prior consent by you.
Don’t forget your obligations under privacy and other data regulations
Many Customers, particularly regulated entities, are subject to data security obligations that are not delegable/assignable to the Cloud computing services provider (or anyone else, for that matter). As a prospective Cloud Customer, you must understand both the obligations to which you are subject and the unique data security risks inherent in the public Cloud environment.
Data security obligations arise from a range of sources, including, in particular, industry-specific federal regulations and state laws. These requirements relate to the security of the information and data of the regulated entity regardless of where the information and data are stored. So if the regulated entity opts for a Cloud environment for such storage, that entity remains subject to the security requirements. Such requirements can arise from, for example, HIPAA (Healthcare), GLBA (Consumer Financial Services), FTC Section 5 (Consumer Protection), FCC privacy rules and/or state laws addressing security and notification concerns, particularly when breaches occur that involve Social Security numbers, credit card information, bank account information, and other financial and related information. Laws related to personally identifiable information (“PII”) likewise apply both generally and specifically to each of these areas/industries.
And let’s face it: Data and information maintained in the Cloud are under constant threat. How? Consider the following factors:
- The “multitenant” nature of a shared computer server environment. Your data could be sharing a hardware and software universe with many other businesses. That increases risks of infection of your data through malware and viruses from other user applications.
- The limited knowledge of a Customer with regard to actual location of the server or “server farms” that store its data. If you don’t know where or how your data are being stored, you will have a hard time demonstrating that you have taken effective steps to ensure the data’s security.
- The Cloud Customer’s limited control over actions that can mitigate improper disclosures and/or damages in the event of breach or data compromise. Again, if you have no control over the disclosure of your data, you will not be in a position to take effective steps in the event that an improper disclosure occurs.
- The fact that Cloud service providers are “ideal targets” for hackers due to the volume of information located in a single “virtual environment.” In the 1920s and ’30s, renowned criminal Willie Sutton reportedly remarked that he robbed banks because “that’s where the money is”. In the current day and age, data may be more valuable than money in the hands of some malefactors, so those malefactors can be expected to aim for targets of maximum opportunity, which obviously include server farms maintained by Cloud providers.
As you consider these factors, you should also be prepared to get straight with your prospective Cloud provider about related considerations, like:
- Who owns what in the system/service/data resident in the Cloud? In other words, what are your intellectual property and data control rights? It is important that you NOT surrender any rights you will need to fulfill your legal and regulatory responsibilities and operate your business.
- How, when and for what purposes do you have access to your data? You may be faced with judicial or regulatory requests for e-discovery and the like – in which case you will need to be able to get to your data. Similarly, if you eventually opt to move your operations to a different provider, you will want to be able to move your data at your convenience, not your soon-to-be-former provider’s.
All of this means that Customers should be sure that any Cloud computing solutions they embrace will be compatible with the privacy and data security laws applicable to the industry in which they operate. And that, in turn, means that the Customer must, as a starting point, analyze (a) the specific type and nature of the PII and other potentially sensitive data it stores and (b) any regulatory requirements to which that storage is subject. Such analysis is essential before a Cloud computing contract can be entered into confidently.
Quality of service, liability and other considerations
A Cloud services arrangement normally stretches over an extended period of time. As we all know, things change – especially when it comes to digital technology. That being the case, it’s prudent to be clear how change is to be addressed over the course of the arrangement. For example, what happens if the vendor’s technology changes during your long-term contract? Will you have to conform, potentially at substantial expense to you? Are you locked in, or can you terminate your contract or require your vendor to continue to support your original system?
What about if the service quality deteriorates? What are your remedies? In this connection, it’s safe to say that detailed and enforceable Service Level Agreements (SLAs) are a must in any Cloud computing agreement.
Another consideration to bear in mind: what is your potential exposure if your data get hacked or subjected to inappropriate use? What are your third party indemnification requirements? What is the governing law for any breach? Most vendor-drafted Cloud contracts impose substantial liabilities on Customers for both their own and third party breaches. Cloud providers also typically require disputes to be heard in a forum friendly to the vendor – either through arbitration or in the courts of the vendor’s home jurisdiction.
To the maximum extent possible, one-sided terms in these (and other) regards that heavily favor the Cloud provider and equally heavily disfavor the Cloud Customer should be mitigated. Similarly, you should be clear on what remedies will be available to you if hacking, inappropriate use or other problems arise because of the provider’s fault. Not surprisingly, most Cloud vendors insert broad exculpatory clauses in their favor to limit their own liability while, again, requiring that disputes be heard in a forum that is inconvenient to the Customer. Asymmetric (i.e., hopelessly lop-sided) obligations in such clauses need to be negotiated, the goal being balanced reciprocal provisions.
When you’re ready to move to the Cloud …
Once you have done all your homework and have a solid sense of what you will need in a Cloud service agreement, let the negotiations begin! From our experience, such agreements can, through negotiation, be modified to include the following:
- Objective and enforceable – not merely aspirational – SLAs that clearly reflect the level of service quality to which the Cloud Customer will be contractually entitled.
- Data security requirements that are specifically defined and implemented in accordance with applicable industry regulations and legal requirements.
- Prohibitions preventing the provider from re-using and/or disclosing Customer data to third parties.
- Breach notification rules that go beyond what is required by applicable laws and regulations to allow lead time for the Customer to notify data subjects and regulatory authorities, and to formulate an action plan following a breach.
- Liability and indemnification provisions to mitigate Customer exposure and maximize remedies. Governing law and venue may also be negotiable depending upon the Customer’s bargaining power.
- Audit rights and other mechanisms (including software applications) to monitor the performance of the provider.
Finally, give yourself plenty of time to get all this done. We recommend that Customers engage with Cloud vendors sufficiently in advance of the Customer’s business deadlines to provide the lead time necessary to address the above issues. That, in turn, means that the preparatory work necessary to get up to speed for the negotiation must start even earlier.