Too many companies merely accept click agreements for Cloud services without considering what they are committing to, but there are at least 3 terms that cause major problems including “Access to Data, Privacy, and Audits” as I explain in my May 2015 monthly column at eCommerce Times entitled “The Cloud’s Threatening Legal Storm.” Here are the details on those terms:

Contract Term No. 1: Limit Access to Data

The customer’s data must not be used by the cloud provider, and the cloud contract needs to specifically state that limitation. Similarly, the cloud provider must provide the customer a means to verify that the customer data has not been compromised, and that means the contract needs to include the right to audit (discussed below). For instance, make sure that the cloud provider does use the customer data for its own purposes for target marketing.

Contract Term No. 2: Privacy

Since there are so many different privacy laws around the world, it is critical that the cloud provider specifically specify in the cloud contract how the cloud provider will properly comply. For example, in the U.S., protection of patient records under HIPAA (Health Insurance Portability and Accountability Act) is mandatory, and any entity holding patient records must be sure that the cloud provider is HIPAA-compliant. Having cyberinsurance for possible HIPAA violations may not be enough to protect liability for failure to protect HIPAA data. Also, laws in the EU (1995 Data Directive), Canada, Japan, Australia, and many other places are significantly different than in the U.S., so the cloud provider must allow customers to understand where their data is stored, and be compliant with local requirements.

Contract Term No. 3: Customer Audits

Although audit rights may seem simple and reasonable, many cloud providers do not permit audits, or they create so many roadblocks that no meaningful audits can be conducted. It is critical that before agreeing to a cloud contract, the customer determine whether it has the right to audit — and if not, either negotiate that provision or select a different cloud provider.

Let me know what you think.