More and more businesses are looking to use cloud computing to access a broad range of computer software and services. At its most basic level, 'cloud computing' is defined as the delivery of information technology as a service over the Internet. Cloud computing offers companies substantial cost savings and greater flexibility; but despite these obvious benefits, it also presents significant risks, particularly in relation to the security of data stored in the cloud. It is therefore important that a business considering the use of cloud computing takes appropriate steps to mitigate the dangers, both legal and commercial. A company can quickly become dependent on the ability to access the cloud and may be paralysed in the event of service interruptions.
While a number of issues should be considered in a cloud computing contract (eg, performance monitoring, interoperability and transitional arrangements), this update focuses on a contract term that often does not receive the consideration it deserves, normally to the detriment of a cloud computing customer: the force majeure clause.
Despite the recent surge in popularity of cloud computing, the cloud market is still relatively young. This is reflected in cloud service providers' standard contract terms, which are often non-negotiable and generally weighted heavily in favour of the service provider.
A report on a recent survey by the Cloud Industry Forum into the terms used in cloud computing contracts found that only 52% of companies using cloud service providers negotiated their contracts, and that even among large companies this rose only to 60%. The report attributes this to the prevalence of 'click-through' contracts that are designed for high-volume, low-cost commoditised services.
While many small and medium-sized companies may have no choice but to agree to service providers' standard terms and conditions, businesses should seek to negotiate key terms where possible in order to ensure that they are not agreeing a contract that exposes them to unacceptable commercial and contractual risk.
A force majeure clause excuses a party for a failure to perform its obligations under a contract following the occurrence of certain events. The term 'force majeure' itself has no recognised meaning in English law, so the contractual definition is key. A force majeure provision either will refer to a finite list of specified events (eg, war, acts of God or flooding) or will more usually be expressed as excusing performance failures resulting from events that are beyond the control, or reasonable control, of the affected party. This second formulation is normally followed by an illustrative (but non-exhaustive) list of the type of event that the clause is intended to cover.
As previously mentioned, force majeure provisions of a cloud computing contract are often disregarded as 'standard boilerplate' and not given the consideration that they deserve. While the inclusion of force majeure clauses in commercial contacts is often uncontroversial, the cloud computing arena is one in which the force majeure clause may significantly improve the risk profile of the cloud service provider at the expense of the customer.
It is worth remembering that the cloud is not always dependable and failures at data centres are frequent and often well publicised. Outages can cause a great deal of disruption and businesses can incur significant costs as a result. Even the largest, highest-profile (and best-financed) public clouds are not immune from downtime, as demonstrated by the widely publicised Leap Day outage in March this year. The recent devastation to the East Coast of the United States caused by Hurricane Sandy further underlines the very real possibility of power failures.
Cloud users that do not carefully consider the wording of a service provider's standard force majeure clause risk being left without a remedy if the cloud service provider goes offline for "reasons beyond its reasonable control".
When considering force majeure clauses in cloud computing contracts, it is advisable to take certain precautionary measures:
- Ensure that the list of force majeure events includes nothing that is (or should be) within the reasonable control of the cloud service provider. For example, it is often worth clarifying whether any labour dispute or non-performance by suppliers or subcontractors would fall under the definition of 'force majeure'.
- Consider whether a power failure should excuse performance or whether the customer should expect the supplier to have back-up arrangements in place in case of a power cut.
- Ensure that the supplier maintains appropriate disaster recovery and business continuity arrangements. Attach a copy of these arrangements to the agreement for cloud services or include a provision to make them available on request.
- Ensure that the cloud supplier implements those business continuity arrangements before being entitled to rely on force majeure to excuse performance failures.
- Identify critical data and documents and have a contingency plan in place to ensure that a duplicate copy is available during any cloud service interruption.
- Consider purchasing business interruption insurance so that the company is protected if a disaster affects the cloud service provider's data centre.
As always, care taken upfront will go a long way to ensure that a party obtains its intended benefit from a contract. If a business finds that cloud service providers are unwilling to address its reasonable concerns, it may be that the risks still outweigh the benefits and an alternative non-cloud solution may be preferable.
For further information on this topic please contact Peter Lumley-Savile or Sanjay Pritam at RPC by telephone (+44 20 3060 6000), fax (+44 20 3060 7000) or email (firstname.lastname@example.org or email@example.com)
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.