Part of the charm of cloud computing for many corporate leaders is its seemingly simple setup: sign on the dotted line, flip a switch, and the service is up and running. But taking that first step too lightly can lead to complex and costly problems down the road for cloud buyers.
"Many customers look at these deals in the same light as signing up for Gmail," says Edward J. Hansen, partner at Baker & McKenzie. "In some respects it's unfair to expect CIOs and CFOs to fully understand the implications of the cloud. Many of the issues can be hyper-technical from a legal standpoint but can profoundly impact operations and integrity."
Cloud computing vendors are quick to point out that standardization is at the core of the value proposition for "as-a-service" offerings, right down to the service agreement itself. But that standard boilerplate cloud contract—an ostensibly innocuous one- or two-pager—has actually been carefully hammered out in the provider's favor, and potential customers would be wise to approach it with care. Behind that basic façade are often complex calculations the provider has made that could prove detrimental to the client, says Hansen. Some common hidden time bombs in standard cloud computing contracts include provisions that disclaim liability if confidential information is published, make access to data upon termination subject to the vendor's discretion, or require the customer to change its security policies to match the cloud provider's, points out Pamela T. Church, partner and head of the intellectual property group in the New York office of Baker & McKenzie.
"There is a lot of pressure for companies to quickly move to a cloud computing model to realize the cost savings, gain access to new technology, and achieve higher levels of service," adds Todd Fisher, partner in the outsourcing and commercial transactions practice of K&L Gates. "That pressure can cause some customers to focus on the upside, while not adequately accounting for the risk."
Just because the total value of a cloud computing contract may be lower than a typical outsourcing deal doesn't mean it requires less caution and scrutiny. "Too many times the business associates risk with dollar value," says Hansen. "That is not the correct analysis, and procedures should be put in place that assess risk in a more sophisticated manner."
Here are four legal traps to watch out for before signing on the dotted line for a cloud-based service.
1. Intellectual Property Exposure
Every company has valuable intellectual property and trade secrets. From a legal perspective, it's that company's duty, not its vendors', to protect those knowledge assets. "When moving trade secrets to the cloud, the customer must ensure the cloud provider has adequate protections in place to maintain the secrecy of the information," says Fisher. "The customer needs to fully understand the protections in place to protect its proprietary information, processes and services, and then make a determination as to whether it's an acceptable amount of risk to accept."
Don't settle for a provider's standard contract when there are IP issues at stake, says Fisher. "Intellectual property is the lifeblood of many companies, so it is important to understand exactly how the customer will use the cloud computing services and whether any intellectual property will be developed."
Potential cloud buyers should take care with the contract to make sure they retain ownership of all their own data, particularly IP-related information, and that the provider uses it only to deliver the service. An explicit provision preventing the vendor from misusing or disclosing customer IP is also a good idea.
In addition, new intellectual property can be created in the course of a cloud computing engagement and the customer may want to add provisions that give them ownership of assets created in the course of the deal. When a client hires a vendor to run a private cloud for them, for example, the vendor may create customizations and other intellectual property. Or a cloud provider may develop buyer-specific interfaces to access services. A customer may want to include a clause to retain ownership of such IP or preclude the vendor from using it with other customers, Fisher explains.
2. Bait and Switch Terms
It may go without saying to never sign a contract before reading it, but when it comes to cloud computing, many first-time customers sign on the dotted line based on what they've read about the offering or claims on the vendor's web site. Always read the contract in front of you, not the vendor web site, says Church. It's not uncommon for a vendor's advertising to contradict its actual agreements.
Equally troubling is any cloud contract that's as vague as the vendor's marketing collateral. Terms that merely require conformity to "industry standards" or performance that is "appropriate," "sufficient" or "best practice" are red flags. Cloud computing customers should define specific standards of performance such as results, service levels or tasks to be achieved.
3. Weak Disaster Recovery and Business Continuity Processes
There has been no shortage of high-profile cloud computing failures and service disruptions in recent years. Yet business continuity and disaster recovery continue to get short shrift in cloud computing agreements.
It's in a cloud provider's best interest to have robust disaster recovery and business continuity plans, but customers can't simply rest on vendor good intentions. Instead, cloud clients can contractually require cloud vendors to meet certain data backup and recovery requirements. They can even specify as a service level a recovery point objective (RPO)—the point in time to which the provider must recover data—and recovery time objective (RTO)—the speed with which the provider must restore the data, says Fisher.
When a service disruption or disaster occurs, many cloud computing clients are surprised to find their contracts silent on disaster recovery and business continuity and the cloud provider operating under a much less stringent RPO and RTO than expected, says Fisher.
4. Pin the Failure on the Customer
While it's critical to hold the cloud provider to certain performance standards in a cloud computing contract, it's also imperative to understand provisions that would hold the customer liable for poor performance or find it in breach of the contract. "When moving processes and services to the cloud, customers sometimes transfer certain software applications for the cloud provider to run or access," says Fisher. "The customer should make sure the customer's license agreement for those applications allows access or use by the cloud provider for the customer's benefit. Otherwise, the customer could be facing a breach of the license agreement and a subsequent infringement claim."
As with any services deal, the supplier may blame the customer when a disagreement arises. Cloud computing clients may wish to require the supplier to provide written notice to a specified individual within the client organization if the supplier asserts that the customer is failing to meet its obligations. Such a provision makes it easier to identify the true cause of performance problems and solve them before they get too costly or litigious.