United States: Key Considerations In Cloud Contracting

Keywords: cloud computing, data protection, compliance

The economics of cloud computing are compelling and cloud solutions offer customers the flexibility to rapidly provision and release computing elements. As a result, use of cloud services is clearly growing. However, buying cloud services is different from buying traditional outsourced services. Cloud providers are able to offer low cost, flexible solutions because they standardize their offerings for multiple customers. Accordingly, cloud providers are less likely than traditional outsource providers to adapt their solutions to the customer's needs or negotiate contract terms to meet the customer's requirements. The key to successful cloud computing is to find the right fit between the cloud solution and your business needs.

Approach to Cloud Services

You need to carefully select the cloud solution to meet your needs and manage the associated risks. The following are important steps in that process.

Know Your Requirements

You should start with an understanding of the attributes of the outsourced function. How critical are the outsourced services to your business? Is the data involved personal data or competitively sensitive? These attributes will drive important requirements for the cloud services.

Select the Right Cloud

You need to understand the cloud options available from your provider. Cloud solutions can be deployed in several distinct ways: private cloud, under which cloud elements are dedicated to the customer; public cloud, under which cloud elements are used for multiple customers; and hybrid solutions. Private clouds offer flexibility in terms of the solution and contract terms but come at a higher price; public clouds offer little flexibility but are available at a low cost; and hybrid clouds fall somewhere between private and public clouds in terms of cost and flexibility. A public cloud may work well where the outsourced service is not critical and the data is not sensitive, but a private cloud may be a better solution for critical services involving sensitive data.

Good Due Diligence is Essential

Given the limited ability of the provider to customize a cloud solution (in particular, in a public or hybrid environment), you must conduct thorough due diligence on the cloud solution to determine what gaps exist between your requirements and the provider's services and whether there are workarounds to fill the gaps. This should include an understanding of the provider's data flows, security standards and options available to address your compliance requirements, and the provider's change process.

Key Risks and Challenges

Criticality of the Outsourced Services. Below are some of the key risks and challenges in contracting for cloud services to be considered and managed.

Continuity of Services

Customers have more risk as to continuity of services in cloud transactions than in traditional outsourcing. For example, cloud providers demand suspension rights for non-compliance with rules of use. Customers can often negotiate some protections around such suspension rights, such as limiting the suspension to the minimal extent necessary to address the violation and prompt reinstatement of services upon cure of the violation.

Provider Rights to Change Terms

Cloud contracts typically incorporate by reference other provider terms and conditions, and the provider maintains flexibility to change those terms and conditions without the customer's approval. Some providers will agree to compromises in this area, such as a requirement that the changes not degrade the services or ease security requirements or that notice of changes be given, with a right for the customer to terminate if the changes that are unacceptable to the customer.

High Level Service Descriptions with Few Warranties

In public cloud contracts, services are often described at a high level with little detail, and providers are reluctant to give general performance warranties, which limits the customer's ability to bring claims for damages for deficient services. Providers may agree to include core features of the services and limited performance warranties.

Service Levels

Cloud contracts may contain few service levels, typically with no methodology for allocating at-risk amounts across service levels. Service level credits are relatively small, and providers often demand that service level credits constitute a customer's sole and exclusive remedies. If your company is considering using cloud services for critical functions, you should consider whether you need more protections than those offered by the provider. Providers of private clouds may agree to higher incentives and language permitting damages if another claim can be made under the agreement.

Data Privacy Compliance

As noted above, it is essential to consider the sensitivity of the data to be placed in the cloud. Cloud solutions are often designed to permit the provider to move data from location to location. However, movement of data is often at odds with the customer's need to comply with data privacy laws and policies. For example, privacy laws require safeguards around the collection, processing, storing and transferring of customer data and that customers know where there data is located. In selecting a cloud solution, you need to understand how the solution will handle the flow of data.

Standard Security Offerings

Providers have a standard cloud security protocol to offer customers and typically will not customize the security safeguards to a customer's particular needs. You need to understand whether those security protocols allow you to meet your obligations. Some providers may warrant that they will maintain certain certifications, such as ISO 27001, but you need to consider with which certification standards the provider complies.

Other Compliance Requirements

You need to consider compliance obligations beyond just data security. For example, will the provider be able to effect litigation holds on data in the cloud? You may be able to manage compliance risks by retaining the compliance obligations yourself as long as the solution provides the tools you need to meet those obligations.

You can successfully use cloud solutions if you make informed decisions about the solutions selected, understanding the needs of your business, the ability of the provider to meet those needs and the contractual terms that can be obtained.

This article was originally published by Inside Counsel.

Originally published on 9 October 2014

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2015. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.