We all know that “cloud computing” is one of the most tired and overused phrases in the technology industry, and it has been for years. Everyone has gone “to the cloud” now, right? Not so fast. When it comes to cloud-based enterprise email, the market has lagged somewhat behind.
A Gartner report published on February 1, 2016, found that “[t]he cloud email market is still in the early stages of adoption with 13 percent of identified publicly listed companies globally using one of the two main cloud email vendors.” Those two leading cloud email vendors are: (a) Microsoft, which offers Microsoft Office 365 and has an 8.5% adoption rate among global companies; and (b) Google, which offers Google Apps for Work and has a 4.7% adoption rate among global companies. There are other providers in this space, including Amazon Web Services and Rackspace, which also provide cloud email solutions.
Gartner’s view is that cloud email adoption is “growing rapidly,” which means many business executives will soon be faced with a decision whether to have their organizations join the burgeoning cloud email ranks.
The perceived benefits are pretty well documented. But what about the risks? How risky can email possibly be? Decision makers should understand that migrating an email system to the cloud is a strategic transaction. After all, a company’s email is the intravenous system that connects all components within an organization as well as to the outside world. If something goes wrong, then the ripple effects could be devastating.
Because of the strategic nature of such a deal and the inherent risks in relinquishing control over the processing and storage of all email, a company’s decision makers should be aware of certain key issues when negotiating a cloud email transaction. These key issues include but are not limited to:
- Contracting strategy
- Data protection
- Catastrophic outages and data loss
- Provider suspension and termination rights
- Post-termination assistance by the provider and continued use by the customer
A common corollary to the above statement is: “Not only do we not entertain changes to our documentation, but as our solution changes, we will need to be able to make changes to the documentation in our discretion and without notice.” This view will make any lawyer uneasy—if the documents can change at any time at the provider’s discretion, then this calls into question whether the transaction is even binding on the provider. At the same time, a customer may agree with the provider that certain documentation may require updating as the technical solution evolves and improves over time. One compromise approach is to permit certain types of changes but require that such changes only be made if they do not materially degrade the functionality of the service or the customer’s rights under the contract.
Catastrophic Outages and Data Loss
One key area to vet with the cloud email provider is the provider’s commitment to service performance. Does the provider offer service levels (e.g., availability of the system) and service credits in the event the provider fails to meet such service levels? If so, does the contract permit the customer to seek damages for catastrophic failure in addition to or in lieu of the receipt of service level credits? This last question is important because providers so often only offer such minimal service credits that a customer would not come close to being made whole for the damages it would incur resulting from a catastrophic email outage. While service credits are not designed to serve as liquidated damages, if service credits are the customer’s sole and exclusive remedy, then the customer would have no other recourse.
Related to the question of whether a customer can seek damages for a catastrophic email outage, the customer should inquire about the provider’s committed recovery point objective (RPO) in order to evaluate the risk of potential data loss that may occur in the event of such outage. Even a few minutes of lost email data could materially disrupt an enterprise that depends so critically on functioning email to run its business. While a provider’s RPO commitment is often not subject to negotiation, a customer should be aware of this data point in order to make an informed decision about whether the risk is acceptable before entering into the transaction.
A cloud email customer should also perform its due diligence on a wide range of data protection issues related to the provider’s solution. Where will the customer’s data be processed and stored? Will subcontractors have the right to access the data? If so, who are these subcontractors? Will customer’s data be isolated in its own tenant or does the solution call for a shared tenant? Will the customer’s data be comingled with other customer data? Does the provider have in place a comprehensive system of safeguards designed to protect the customer data that meet or exceed industry standards? Does the provider conduct vulnerability and penetration testing? Does the provider have relevant SSAE 16 audits conducted at its datacenters? These are all questions a company should ask when performing its due diligence with a cloud email provider. Furthermore, these are all issues that should be discussed, negotiated, and incorporated into the underlying agreement between the parties.
Provider Suspension and Termination Rights
Another key issue that often gives cloud email customers great concern is a provider’s position that it has broad rights to suspend and/or terminate the service on an enterprise-wide basis. The provider might argue that if there is a security breach or other unlawful activity (e.g., virus dissemination, spamming, etc.) emanating from a user, then the provider should have the ability to shut down that user to eliminate the activity and mitigate ongoing harm. That argument is certainly reasonable, but problem is the provider’s form contract language will often overreach and permit the provider to suspend and/or terminate the customer’s entire enterprise for almost any reason.
Therefore, the customer should ensure that any suspension rights are sufficiently tailored in the contract. Key negotiation points include: i) ensuring that the suspension “trigger” is sufficiently limited to activity that is justified; ii) limiting the suspension right to the most minimal number of offending users and restricting the provider from suspending the customer’s entire enterprise; and iii) only permitting the suspension for the minimal amount of time required in order to halt the offending activity and mitigate the ongoing harm. These negotiation points are critical because without these limitations, the provider could shut down the customer’s entire email system (even if for potentially legitimate reasons), which in turn would result in a disruption of all business operations.
Post-Termination Assistance by the Provider and Continued Use by the Customer
Customers often fail to focus on their rights following termination or expiration of a contract with a service provider, but in a cloud email relationship especially, these rights are critical. At a bare minimum, the customer should have a right to continue “steady state” use of the service upon termination and expiration because there simply cannot be a period of time during which the enterprise fails to have fully functioning email. (The risks are similar to broad, enterprise wide suspension rights.)
In addition to receiving the service as-is, the customer will need to consider how it will migrate its email solution to the next service provider. Does the customer require migration assistance from the incumbent provider? Can the customer hire a third party to provide this migration assistance? Will the customer have ready access to its own data in a format that is useful? Will the incumbent provider attempt to charge the customer a fee for such data access? The above questions implicate both operational and commercial risk, and the customer should make sure the contract addresses these points before entering into the relationship.
For an organization that has elected to process and store email on-premises, email is often merely considered to be just another software product (albeit critical to operations). Therefore, moving an enterprise’s email solution to the cloud should be considered a strategic outsourced service. A challenge is that most cloud email providers still tend to negotiate their contracts as though they are providing on-premises software products, using a “take it or leave it” negotiation approach. Until the market experiences a drastic shift in mindset, this approach will be difficult to break. But customers still have room to negotiate—and they should—especially when it comes to certain key operational and commercial risk issues arising from the cloud email solution that could have a dramatic impact on the customer’s business operations.