Drafting Contracts for the Cloud
by Rob Scott
As more companies adopt cloud computing services, corporate and outside counsel are being asked to review cloud agreements. The unique business, legal and regulatory risks associated with cloud computing arise from the fact that customer data is stored and processed by the cloud vendor. This article highlights these risks and describes recommended methods for risk balancing between the parties.
Data Risk: Data security is a primary concern for parties to cloud computing agreements. Each party endeavors to place data security risk on the other. In our experience the risk is best balanced by putting data security liability on the vendor, then transferring that risk to a professional liability carrier. By structuring the limitations of liability, indemnity and insurance provisions properly, both sides can reduce the risks associated with data security and privacy.
Service Interruption: The next significant business risk is the access and availability of the service and the impact to the business if the service is unavailable for any reason. Access and availability commitments are typically contained in a Service Level Agreement (SLA) that is part of many cloud computing contracts. The best SLAs contain custom service metrics narrowly tailored to the customer’s business requirements.
Often the cloud solution consists of two or more third-party platforms, so customers should ensure that the SLA addresses subcontractor liability for third-party service failures. The SLA should also define service failure remedies and action plans for resolution of service interruptions.
Termination of the Agreement: Because the data is controlled by the cloud vendor, cloud computing agreements should contain an effect-of-termination clause that sets out a process for returning customer-owned data to the customer post-engagement. It should also specify the circumstances under which the provider can withhold services or preclude the customer from accessing the service.
Intellectual Property Ownership: In cloud contracts, data provided by the customer is generally understood to be owned by the customer. It is not necessarily obvious, however, who owns intellectual property that is not customer data. For instance, it is common for a vendor to customize its service offering to meet a customer requirement. The agreement should specify whether additional code written by the vendor to customize its solution for a customer is the property of the vendor or considered a “work for hire” owned by the customer. If the vendor will own the customizations, the customer may ask for exclusive use of the customizations throughout the term of the agreement.
Litigation and Discovery: The customer must have access to its data in the event of litigation. Cloud agreements should define policies for data retention and procedures for discovery production that provide the customer with significant control. In addition, data retention in the cloud should match the customer’s internal retention policies.
Compliance with industry and regulatory requirements is one of the most vexing issues facing a customer contemplating cloud services. From HIPAA/HITECH to PCI, FTC Red Flags Rules to state security and privacy statutes, many companies are required to comply with one or more data privacy and security regulations. In many cases, the cloud vendor is subject to the same data security regulatory requirements as its customers.
Whether and to what extent a vendor or customer is a covered entity under privacy and data security regulation is something both parties must evaluate separately. Much to the chagrin of cloud vendors, attempts to specifically reject responsibility for compliance with applicable regulatory requirements are prohibited by some of the more recent privacy and security statutes. Where a regulation is particularly important to the customer or vendor, contract language should track the applicable statutory language. In other cases, a provision requiring both parties to comply with applicable laws and regulations related to the services may be sufficient.
The two important steps to take before entering into any cloud computing agreement are to identify the risks described above, determine your client’s comfort level with respect to each, and begin the discussion of risk balancing early in the negotiation. Lengthy, unsuccessful negotiations can be avoided if each side is clear about its “deal-breakers” with respect to these risks upfront.
Rob Scott, the managing partner of Scott & Scott, LLP, handles intellectual property and technology matters. He can be reached at email@example.com.