Philip James, Partner, and Carolyn Butler, Solicitor at Pitmans LLP examine some of the legal issues you should consider when moving to cloud computing and selecting a vendor.
1. Know the Flight Plan (negotiation and contract)
Carefully review the terms on which you are intending to contract with your cloud provider. Is the contract open to negotiation or are you expected to contract on the cloud provider’s standard terms? If the former, consider your specific requirements, and ensure your contract:
- Adequately reflects your requirements in unambiguous language in a layout that’s easy to follow (in other words, don’t bury your specifications across numerous schedules).
- Clearly delineates the roles and responsibilities of both the cloud provider and your organisation.
- Has quantifiable metrics or KPIs to verify the performance of your cloud provider.
If the latter, review the terms carefully to ensure, firstly, that they are fair and that there are no unpleasant surprises lurking and, secondly, that they cover everything you need them to. If not, seek to vary the standard terms with your cloud provider accordingly.
Look at the extent of the remedies available under the contract. The contract will probably contain limitations of liability, so if you are intending to outsource critical internal infrastructure, check whether those limitations adequately reflect the allocation of liability to your cloud provider.
- What limitation should apply?
- Are there risks for which liability should or should not be excluded? E.g. does the supplier exclude liability for loss of data? (This is not much good if you are outsourcing your CRM database!)
In some cases, damages for breach of contract may not be a sufficient remedy if things go wrong, and you may wish to set out alternative, more appropriate remedies under the contract. Other key issues to look out for in your contract are explored in more detail below. In all cases, always seek specific legal advice if you are unsure about the effect of any element of your contract.
Before negotiating a contract with a cloud provider, the European Network and Information Security Agency’s Information Assurance Framework for Cloud Computing, which sets out questions that an organisation should ask a cloud provider, is essential reading.
2. First Class, Business Class or Economy Class? (service levels)
Service levels need to be agreed upfront, and should be expressed in the service-level agreement in terms that are both clear and measurable, including maximum periods of downtime, the relative importance to the business of different elements of the service and processes for remedying defaults. While many businesses look to cloud providers as part of their business continuity strategy, it is also necessary to consider what would happen if the cloud provider’s operations become disrupted. How does your cloud provider manage its response to incidents such as natural disasters or security breaches to ensure disruption is kept to a minimum?
Before you sign up, ask your cloud provider about any extra costs and charges, work out which of these are relevant to your business and budget accordingly. You should also ensure your future as well as your present needs are taken into account: find out how quickly and by how much your cloud provider can scale up the services it provides, and, if you plan to expand your business abroad, whether your provider has the capabilities to meet your needs in other jurisdictions.
It is important that the ramifications of failing to meet the agreed service levels are clearly set out (often a service credits mechanism is used) and that the parties agree a process of escalating remedies in the event that problems supplementary to the agreed remedial mechanisms arise. The resolution of disputes can be a costly and time-consuming exercise, and it is in the interests of both parties to have workable and effective escalation processes in place to ensure problems are worked out amicably, the business relationship is preserved and any disruption is kept to a minimum.
3. Security Checkpoints (security and data protection)
It is essential to verify with your cloud provider what responsibilities for security lie within the remit of your organisation and which are their responsibility.
While your cloud provider may be unable to give you precise details about the security measures it has in place (since a detailed disclosure of the systems in use could impair their integrity), a high-level description of those measures should be given, for example, the extent to which data encryption is used, whether anomaly detection systems are applied, the protocols in place to deal with the theft of user credentials and the physical security used to protect the locations where data is stored. Your cloud provider should also be able to tell you whether it meets any of the existing web standards and give you details of the security features on offer for users, such as user authentication and authorisation/administration controls. Find out whether your cloud provider offers any guarantees that customer resources are fully isolated from one another, and to what degree data, metadata or other traces of use by your organisation are erased before machines are reallocated. You should request sufficient information to allow you to make a sensible judgement about the adequacy of the security measures offered by your cloud provider, and about whether additional measures are required and need to be agreed in your contract.
Further, find out whether your cloud provider intends to outsource or subcontract any of the operations that it is contracted to supply to you and, if so, who those third parties are, where they are based, what procedures are used to verify and monitor the quality of the services they provide, and the security controls in place to protect your data. For instance, it is not much use having contractual protections in your agreement with your provider if the ‘subbie’ to whom the service is sub-contracted is not subject to the same terms agreed with your supplier (you may also not have conducted due diligence in respect of that subbie).
4. Final Destination (location)
Just as importantly, find out where your cloud provider will physically hold your data. Your data should be stored in a jurisdiction where an acceptable level of protection is mandated by law. Data protection standards vary from one jurisdiction to another and, although efforts are being made to harmonise the requirements across the EU as a whole, outside of the EU they may be non-existent. Nevertheless, if you are a business based in the UK, and the data in question is being processed in the context of that business, the full extent of the UK rules will most likely apply.
Further, if you are intending to store personal data in the cloud, such as HR records, take note that the transfer of personal data to a country or territory outside of the EEA is prohibited, unless equivalent protection in that country or territory is assured (and in this respect, if it is to be stored outside the EEA, seek specific legal advice on this issue as there are a number of compliance requirements which may need to be dealt with). Where this is concerned, it is always easier from a data privacy compliance perspective to engage a supplier whose data centre is located in the UK or Europe than enter into an arrangement with a supplier whose servers are in the US or China (or worse still, in a virtual data centre i.e. you don’t know where it is stored!).
Note also that, where HR data is concerned, it is also likely to contain sensitive personal data. As such, there are a number of more stringent restrictions as to how this type of data may be processed, and specific consents may need to be obtained from the data subjects (i.e. the persons to whom such personal data relates). Ideally, find a cloud provider based in your jurisdiction that can provide assurances that data (and at the bare minimum, personal data) will not be transferred outside of the EEA.
It is important to ensure your contract with your cloud provider clearly states the choice of territorial jurisdiction (that is, the country in which any dispute in relation to the contract will be heard) and the choice of law that the courts will apply in determining any dispute. Ideally, this should be a jurisdiction in which your organisation operates. If a dispute arises, and the choice of law and jurisdiction has not been specified, under EU law a defendant may be sued where they live, or where the contractual obligation was performed. The applicable law, however, will be the law with the closest connection to your contract. It is easy to see how this can create problems in a cloud computing environment where there are cloud providers all over the globe eager for your business, and where your data could potentially be stored anywhere in the world, so explicitly state in the contract what’s intended.
5. Take a Moment to Find the Nearest Exit (transitioning)
Although it may feel like a remote prospect, before you enter into a cloud contract it is necessary to anticipate how you intend to exit those arrangements. Care should be taken to ensure the portability of your data, including your metadata. Review your contract to determine what events could trigger a right to terminate the agreement by either you or your cloud provider. Ask what procedures are in place to export your data (in an orderly fashion) if you change cloud providers or in the event that the agreement is terminated. Find out whether those procedures are regularly tested to ensure that they work.
Also, if there is a specific format in which you expect to receive your ported data, you should try to specify that (to the extent that is possible) in your contract with your supplier. Please note: there may be additional costs associated with ensuring your data is in a format which is compatible with your systems. The ownership of intellectual property (IP) can be a particularly contentious issue in the cloud environment. Examine the IP provisions in the agreement with your cloud provider to determine how data ownership is dealt with, and whether those provisions are acceptable to you. IP is a technical area of law; therefore, if in doubt, always seek specific legal advice to ensure you are adequately protected.
Once you have moved your data, you will no doubt be seeking assurances from your cloud provider that all traces of your data will be deleted as soon as possible. So, before you commit to a particular cloud provider, find out whether this is a realistic prospect: it may take a number of weeks for your data to be deleted if it is stored in more than one place (for example, if it is copied onto back-up tapes), and it may be impossible to destroy your data completely if your cloud provider allows you to share disk space with other customers. If that’s not good enough, give your cloud provider the opportunity to put satisfactory processes in place for you.
NOTE: This note has been prepared to provide general guidance on the benefits as well as some of the risks associated with cloud computing. As such, it should not be relied on. Always seek specific legal advice in relation to the specific circumstances in question.