Uncovering the legal issues behind cloud computing

Chris Edwards, Legal Consultant with DLA Piper looks at some of the legal issues around cloud computing

Tags: Cloud computingDLA Piper Middle EastUnited Arab Emirates
  • E-Mail
By  Chris Edwards Published  September 4, 2009

Following Web 2.0, open source software and social networking, cloud computing appears to have taken the mantle as the latest hot technology topic. Yet, cloud computing is not new and has been adopted by millions of people in recent years. Facebook, Gmail, and MySpace are but a few examples of the wide ranging appeal and growth in consumer use of cloud computing services. However, for a number of reasons adoption in the corporate world has been less enthusiastic.

This article briefly explains the scope of cloud computing and highlights key legal risks and issues which business customers should take into account when considering purchasing cloud computing services.

The Cloud

The term ‘cloud' is essentially a metaphor for the internet and is derived from the cloud symbol often used to depict networks in technical diagrams. Cloud computing refers specifically to the new wave of IT services and resources - infrastructure, platforms and software - which can be provided to customers via the internet, rather than by on-site installations of IT hardware and software.

The increasing prominence of cloud computing has sprung from technological developments that have enabled widespread access to large bandwidth, server farms able to store huge amounts of information in highly secure data centres and IT rationalisation, allowing suppliers to provide services to multiple users from a single server.

Benefits & Risks

In the wake of the economic downturn, companies and commentators alike have focused on technology as the silver bullet to reduce the impact of falling sales, revenues and profit margins. Cloud computing potentially provides CIOs with the following benefits:

  • • Financial savings - reduction in extensive IT CAPEX and OPEX (purchase of servers, company data centres and the maintenance of the same);

• ‘Pay for what you use' arrangements - companies only pay for bandwidth and server space which they use;

    • • Shared costs - as services are often provided from a single data center costs such as security, lighting and power can be shared between customers; and

  • • Efficiency - updates and upgrades to a company's IT environment can be implemented by a cloud computing provider remotely.

Yet, such benefits need to be considered in light of the risks/issues involved in cloud computing. Security, performance, service availability, available contractual remedies and supplier stability should all feature highly on a customer's checklist when assessing a potential cloud computing supplier.

Legal Issues

From a legal perspective, the supplier community has naturally sought to impose standard form contracts around the provision of cloud computing services. ‘As-is' warranties (i.e. services/goods provided as they are without any promise of being suitable or attaining a certain level of performance) and service levels, if provided, backed by weak standards of obligation are often the norm. Examples of cloud computing services contracts we have recently reviewed uncovered the following positions that certain customer's may find difficult to accept:

  • • Customer unable to decrease the number of users during a subscription term;
  • remedies for breach of a limited warranty for the services to comply materially with a user guide restricted to termination and refund of pre-paid unused fees;
  • • Supplier to delete all customer data after 30 days after termination, unless a request for such data is made within such time period by the customer; and
  • • Provision of minimal obligations around security of a customer's data. (e.g. supplier will maintain appropriate... safeguards for protection... of customer's data).

Customers who wish to procure business critical cloud computing services will need to challenge the default supplier positions present in many standard-form contracts. In turn, suppliers will need to appreciate customers' need to obtain both technical and legal assurances - especially where the customer is to procure critical services.  In such a scenario, only a fully negotiated contract can provide both parties with a satisfactory allocation of risk.

Listed below are some of the key issues that customers should focus on when negotiating contracts with suppliers for the provision of cloud computing services.

Data Security & Regulation

Where customer data is to be transferred and held on a supplier's server, customers should ensure the supplier is contractually obliged to protect such data to levels which accord with its own internal policies.
In addition, it is critical for customers to consider their position under local law. For example, companies operating in Europe are under strict obligations to ensure that processing outside the EU of personal data that they collect is done in a manner whereby adequate protection can be assured. The supplier, who may be located outside a customer's territory, will increasingly need to be aware of a customer's specific corporate and legal obligations.

Performance

A key issue for customers will be the continual availability of the services. For example, a company might experience significant business interruption and lost revenues if it is unable to access its payroll or CRM databases via the cloud. Therefore, suppliers should be questioned on the policies and procedures they have in place in order to ensure their business continuity and service availability. The following represents a sample of issues customers may wish to raise with suppliers:
What is the historical availability data for the services provided to date?
Is the supplier able to provide information around scheduled downtime of the services?
Will services be supported by bespoke back-up / disaster recovery plans?
Will the customer be able to practically switch seamlessly to an alternative supplier, if required?
Customers must be comfortable with a supplier's arrangements to deal a day-to-day operational issues as well as with a worst-case scenario (eg. a ‘force majeure' event). In addition, depending on the criticality of the services, customers may wish to inject concepts often seen in traditional IT commercial contracts such as benchmarking, change of control and service level regimes coupled with service credits.

Exit

Customers should stress-test how any cloud computing contract deals with exit scenarios. The critical issue is what happens to any company data which is located in the supplier's data centers. The following are common questions often asked of suppliers:
How long will it take for the supplier to deliver up data?
Will the customer receive its data back in the same form in which it was provided?
What obligations (if any) does the supplier have to assist the customer in transferring data to a new supplier?
An exit plan may be required which clearly sets out the obligations on each party in the event their relationship is brought to an end.

Supplier stability

As with all major service agreements that a customer enters into, due diligence of a service provider is a crucial risk mitigation step. Careful due diligence in this area may perhaps uncover scenarios that the customer may wish to address within a negotiated contract (eg. supplier over-reliance on a financially troubled sub-contractor; involvement in litigation proceedings or an ongoing third party IP infringement claim).

Conclusion

Cloud computing represents a huge acceleration away from the current delivery methods for IT services. As the market for such services matures the risk profiles agreed in cloud computing services contracts are likely to become more balanced and increasingly reflect the customer's appetite for risk.
Customers should seek out appropriate legal advice when faced with the uniformity and seemingly non-negotiable aspects of a supplier's standard form contract. In the current climate, where the business customer community is largely sceptical of the cloud model's security credentials, it may be possible for a customer to extract favourable positions from a supplier eager to prove the benefits of its particular service offering.

Chris Edwards is a Legal Consultant at DLA Piper Middle East LLP.

2480 days ago
Aryasindhu Sahu

Thanks dear,
I got a lot of information about cloud computing from your site and many of my doubts were cleared after reading the post.

..arya " http://aryasindhu.blogspot.com "

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code