One area of the Cloud space that has not been well covered to date is the contracts around services.
I have been raising the profile of contracts and organisations' legal teams since a presentation I did earlier this year on Cloud adoption. My premise was that many organisations are focused on educating the technical staff or IT teams within their business, yet there is a great need to skill up the legal and finance teams too. As organisations look to adopt (or deliver) Cloud services, their legal and finance teams are going to be reviewing contracts and models that might be very new to them. Smart companies are going to prepare these groups alongside their IT staff.
Hence I was really pleased to see that Brett Winterford, editor at ITNews, put together an event discussing Cloud computing contracts.
Some background on the event.
- The room was full, standing room only, so there is certainly a need within the market for information on contracts.
- The event was sponsored by VMware, but it was in no way a VMware sales pitch which was great.
- The main presentation was by Mark Vincent, Technology and Intellectual Property Law Partner at Truman Hoyle Lawyers.
- Mark presented a white paper titled "Cloud Computing Contracts - White Paper - A Survey of Terms and Conditions". The paper reviewed 25 Cloud contracts to understand what's on offer in the market. Okay, you might think these things are a dry read, but it's really very interesting if you deal with this stuff day to day!
Now to some details on this great white paper and my thoughts on it.
The survey covered providers of SaaS, PaaS and IaaS which are focused on the corporate rather than the consumer space. The issues covered in the review were:
- choice of law jurisdiction and dispute resolution
- variation in terms
- privacy laws and transborder data flows
- security and backup
- service level agreements
- transition out arrangements
- warranties and liability limitations, and
- multiple parties in the cloud stack
An item that stood out the most to me as I read was the repeated reference throughout the document to the benefits of larger providers. For a 21-page paper (with only 17 of those pages being content) there are 7 different references to large providers.
- In relation to contracts overall "For the small to medium enterprise ("SME") procuring any entry-level cloud service, the opportunity to negotiate may, in some cases, be more limited. Choice of vendor requires not just an assessment of contractual terms but requires a relationship of trust and confidence, which larger providers with global scope will frequently demonstrate."
- In relation to variations in terms "Contracting on terms that can be amended without notice involves an element of trust on the part of the customer that the provider will not change its terms in a way that is detrimental to the customer. This underlines the importance of selecting a vendor with an established reputation which it is unlikely to put at risk by a capricious use of the discretion."
- In relation to Security, Encryption and Backup, "A key concern for a business considering cloud services is the security and integrity of its data. The concern is equally held by service providers who recognise that the future lies in the cloud and with it, their reputation." ... "While the customer can control some aspects of security and data integrity, such as maintaining independent back-ups and using data encryption, many aspects of data security in a cloud based environment are out of the customer's control (or even knowledge). This includes the physical security of the data centre, virus protection, protecting against external attacks and maintaining security of data as it is transferred between data centres. Again, this underlines the importance of choosing a reputable service provider with strong data protection policies and procedures." ... "In this area, the importance of choosing a vendor which shares a customer's reputational risk may be one of the most important aspects of vendor choice. The assessment of impact on the vendor of a security breach should form part of the commercial assessment involved in procuring cloud offerings."
- In relation to Consequential Loss, "The contract will not act as insurance against all loss and many providers will be keen to avoid the reputational damage caused by a failed service. When assessing this issue, it is important to consider the differing impacts of outages for major global providers as opposed to small start-up companies providing cloud offerings."
- Last, the final sentence in the conclusion "this focus highlights the importance of confidence in the cloud and demonstrates the benefits that engaging a trusted provider who is at the forefront of development of best practices in the area and whose reputation both relies on and supports the principles of data protection and security, can bring."
Wow, when you put all of those together it's a strong message.
Some other interesting points
- More than half the companies surveyed had their choice of law based outside of Australia; ten gave an Australian state as the choice of law and venue. According to Mark's comments, based on his experience, this is not an exercise you want to start in a US-based court. I suppose the message here is to look for an appropriate choice of law where your organisation has a legal presence to execute on.
- In the variations on terms there is a propensity to use T&Cs which are updated on a website and which the customer must review as required. This was one of those comments around trusted providers, who either have good experience with this (or maybe a bad experience with the ACCC and are hence now better) or have a reputation that they need to keep through good behaviour.
- Transborder data flows, the sending of data across country boundaries, received a lot of discussion. The takeaway here was that it can be really hard to get clarity on where your data might be, and that you must have a good understanding of your requirements under the "National Privacy Principles under the Privacy Act". There is some good information about "an Exposure Draft of the Australian Privacy Principles ("APPs") that are proposed to replace the current NPPs. Under that exposure draft, APP 8 and a proposed new Section 20 of the Act will regulate cross-border disclosures of personal information". So if you are going to place any personal information into the Cloud, best be prepared to know where all of your data is located, including back-ups.
- Not surprisingly, there is a reference to the APRA statement, mentioning that "Accordingly cloud based services may need to be subject to the same rigour as any other outsourcing arrangement and risk management frameworks as outlined in applicable APRA Prudential Standards and Prudential Practice Guides."
- There are some comments in the presentation around the challenges of security, such as "Cloud service providers can assist customers to perform the appropriate risk assessments by being open about the security regimes they have in place to protect data stored within their cloud service and by contractually committing to specified levels of security. The risk assessment should fairly compare the arrangements that are currently in place to secure data on existing IT systems with the protection proposed by the cloud vendor. Often cloud vendors will be in a position to offer very sophisticated approaches to security beyond the capability of many individual businesses."
- The review of SLAs was interesting. An example was given of a contract that stated "... [We] guarantee one hundred percent (100%) uptime ..." and then went on to consider only outages with a duration over 30 minutes for credits, so any shorter outage attracts no credit at all. Another area of interest is where providers "make representations about their security and service they provide, either on their web-sites, or during negotiations for the provision of the services, such as: [...] your critical information is safe and secure [...] [The services are] designed to provide you with a secure and reliable platform for your data." but then exclude these representations from the terms of the agreement that is ultimately entered into!
- Transition out is discussed as an area where many of the contracts lack clarity and where there are big differences in what is provided. This is most important for SaaS consumption, so that "the data can be retrieved in a vendor neutral format so that it can be imported to an application provided by a new third party software provider". It was interesting to "Note that virtually all contracts surveyed allowed the vendor to terminate the agreement immediately for cause in at least some circumstances. Of these only 1 specifically gave the customer the right to retrieve its data in those circumstances." Another good pointer is "that of the vendors whose terms and conditions were surveyed very few provided for destruction of customer data after the contract has ended. It may be important for some customers to have certainty as to the destruction of their data when a contract ends."
Some good elements to ponder there. I recommend you read it yourself. You can access the paper here.
As the paper states in the conclusion "As the cloud evolves we can expect to see a corresponding evolution in the terms and conditions applying to the delivery and use of cloud services". This is certainly true. The paper does a good job of starting the discussion around a topic that to date has been very quiet but needs to be occurring more in our industry.
Rodos
P.S. As usual this is all my personal view. I do just happen to work for a company that provides Cloud services; they were not one of the providers whose contract was reviewed.