I believe that we can all agree that numerous benefits may be realized by moving to cloud computing. Benefits include the ability to meet business demands quickly, increase efficiency, eliminate need for capital expenditure (since services are typically pay as you go), improve cash flow and enable faster project startup. All of these benefits can be measured objectively to demonstrate real value to the organization.
What many organizations might not realize is that cloud computing is much more than buying IT hardware or software. Cloud computing is a shift away from buying IT as a capital expenditure to buying IT as a service, which requires organizations to rethink the way they contract for IT in order to address elements unique to cloud computing environments.
Cloud contract strategy is still immature. Many cloud vendors have gotten away with skirting buyers’ IT and procurement personnel and selling directly to business buyers, who often have limited ideas about technology sourcing or contract requirements. Although there are certainly technical considerations and changes involved with cloud services, the more substantive issues lie in the business and contracting models applied to the cloud. Planning with the necessary agency stakeholders such as CIOs, general counsel, privacy officers, records managers, CISOs and others is critical to ensure that the organization and the information assets are being protected and the organization is not being subject to undue risks or expenses.
We have seen real situations that in a number of our clients have encountered where legal counsel representatives are reviewing contracts without adequate knowledge and understanding of cloud technology and associated risks. One recent example will demonstrate how the old school approach used by a client’s legal counsel to review a cloud contract involving a totally new technology environment did not work. The client was contracting for the use of a new application in a cloud environment. Legal counsel would not approve the contract until the cloud provider amended the contract to include an escrow account for the source code to the application. The cloud provider was more than happy to provide an escrow account for an additional charge of several thousand dollars a year, for which the client was happy to pay. In fact, the cloud provider had played on the ignorance of the client’s legal counsel to charge them the extra fee for an escrow account that was not valid--since an organization using an application in a cloud environment is only paying for the use of the application and does not own an actual software license. If the cloud provider of the application went out of business, the client would have no rights to the source code since the client doesn’t own a software license. Inappropriate business practices by the cloud provider? I would totally agree! The cloud provider saw a way to take advantage of a naïve client to obtain additional revenue and the client was naïve in looking at the cloud environment in as traditional software delivery model.
Cloud computing is an entirely different animal to deal with from a contractual perspective. Cloud computing is about engaging a service through a provider and the provider is entrusted to manage critical assets and services. The engagement must be conducted with transparency and visibility. Contracts need to spell out issues, such as:
- Data Privacy - Different data is subject to different requirements under various statutes governing the privacy and confidentiality of specific types of information. Whatever those requirements may be, the privacy and confidentiality of customer data must be protected. Any such requirements or desires should be set forth expressly in the contract, or they may not be enforceable.
- Data Storage - Some contracts expressly reserve the right to store customer data in any country in which the service provider conducts business. Some contracts don’t address the issue, but the provider may follow similar practices on the (generally legitimate) theory that what is not expressly prohibited is thereby permitted. While dispersed geographical storage is beneficial from a data protection and backup perspective, it can raise export control (EAR/ITAR) and legal issues in the context of the data.
These are only a few of the contractual considerations that need to be considered when entering into a contact the client conducts a cloud provider. Legal counsel must gain a technical understanding of the new cloud environment and become familiar with the risks associated with the environment to ensure that contracts do not unwittingly favor the cloud provider and place the risk and burden on the organization using the cloud.
If you would like additional information on critical cloud contractual considerations, please contact Eric Wright at (412) 697-5328 for advice on cloud contracts and associated risks.
© 2013 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.