In past issues of the JMBM Corporate Law Newsletter, we discussed some of the benefits and challenges of cloud computing. As discussed in those articles, while there are a number of advantages which make cloud computing attractive, there are also a number of business and strategic challenges of cloud computing which need to be considered. These benefits and concerns, while not unique to cloud computing, reflect the qualities of accessing software and data through the Internet. This article briefly reviews some of the legal considerations and resolutions that clients can use to address those challenges.
What is Cloud Computing?
To review, "cloud computing" commonly refers to delivering computing services – software, storage capacity or other products and services – over the Internet. We use these products and services regularly, including off-site data storage (such as Internet-based automatic file backup), online banking, Gmail, online search engines and online photo albums. Most of us use the cloud every day, by accessing search engines, social networks and email.
Cloud computing, however, is different. While most of these functions are for convenience, businesses using cloud computing may transfer essential functions from in-house operations to Internet-based services.
Benefits and Challenges of Cloud Computing
We’ve identified a number of the advantages of cloud computing, including cost savings, staffing benefits, scalability, mobility, information security and regulatory compliance. At the same time, we warn clients to consider a number of potential pitfalls, such as whether cloud computing is actually less expensive over time, whether the relationship will create the flexibility, especially as to expansion and reduction of services, that the user seeks, how cloud computing raises security concerns, the need to retain a technical edge as a key advantage of cloud computing, and the challenges of disaster recovery programs.
Addressing Key Business Concerns
In order to make the cloud computing relationship work – that is, in order to make sure that the customer actually obtains the promised benefits – clients should consider a few key guidelines.
Expert Assistance. Few companies have the in-house capability to evaluate effectively either their computing needs or the ability of a vendor to meet those needs. The added features of cloud computing, with Internet-based applications or services, remote maintenance and assistance and other factors, makes it even less likely that a typical firm possesses the ability to complete this evaluation. Based on our experience, companies that engage technical and legal consultants to guide them through the process of identifying needs, engaging vendors and evaluating compliance are much more likely to be satisfied with their experience. Companies that rely on vendors to perform these duties are “hiring the fox to guard the henhouse,” and their experiences are often unsatisfactory.
Due Diligence. Before entering into an agreement for cloud computing services, a customer should take the time to investigate the history and performance of the vendor. Has the vendor been involved in litigation, particularly litigation claiming breach of contract or failure to perform? Are there independent user groups or blogs that have identified shortcomings in the vendor and can provide real-life evaluations? How does the vendor compare to its competitors? All these are valid concerns which should be considered before making a final choice of vendor.
Operating Characteristics. Surprisingly, many cloud computing agreements fail to identify the functions that the customer believes it is buying. While a customer may have been provided with significant marketing materials and while the vendor’s website might extol the virtues of its products and services, the vendor’s agreement may not reference those claims and may, in fact, disclaim any warranty based on those materials. If the cloud computing vendor fails to provide the benefits the customer believed it was purchasing, the customer may not have meaningful recourse unless key functionalities are described and incorporated into the agreement. More importantly, identifying key functions in advance will help avoid expensive disputes altogether.
Service Availability. Because cloud computing services are provided over the Internet, and because cloud computing vendors provide services remotely, the customer and vendor must identify any anticipated disruptions in service, and who will be responsible for those interruptions. This is essential when a customer enters into an agreement for a cloud computing vendor to provide critical, sensitive services, and where disruption in those services could hamstring the customer’s operations, its relationship with its own customers, vendors and employees, or hinder compliance with obligations to lenders, investors and regulators.
Support. Similar to service availability, any agreement between a vendor of cloud computing services and a customer should identify how and when the vendor will provide support. The agreement should identify support levels – for example, what constitutes a minor problem, and what constitutes a major failure – and also identify the response times by the vendor.
Cessation of Services for Non-Payment. Most cloud computing agreements provide that if the customer does not pay invoices promptly, the vendor will have a number of remedies, including the ability to terminate service. Customers should consider the impact of the loss of critical computing functions where there may be a dispute over payment or a disagreement as to whether the vendor has provided the services promised. If at all possible, the likelihood of a termination of service should be eliminated.
Termination and Duties on Termination. As with any service agreement, the vendor’s right to terminate services should be reviewed very carefully and appropriately limited. Moreover, particular thought should be given to the duties of the vendor on termination. One key concern should be the ability of the customer to obtain the information held by the vendor in a format that the customer can use. Any agreement should identify with specificity the obligations of the vendor to deliver the customer’s information on termination, the format in which it will be delivered, and the continuing obligation of the vendor to assist the customer after termination in assuring the completeness, accuracy and availability of that information. As an adjunct, steps should be taken to assure that the vendor will not be able to use confidential or sensitive information following termination of the relationship.
Vendor Failure; Back-Up and Recovery Options. Company’s should consider the consequences of a business failure by a cloud computing vendor; as the past few years have demonstrated, even well-known and seemingly stable companies can fail. If a cloud computing vendor fails, its customers may lose access to key company information. Among the steps a company should take include requiring the vendor to demonstrate and maintain its back-up and recovery options, provide hard and electronic copies of the customer’s information to the customer on a regular basis, and give the customer access to software, typically through a source code escrow agreement, in the event of failure.
Improvements and Enhancements. One of the anticipated benefits of a cloud computing relationship is the availability of continually improved and enhanced software and services. The agreement between the vendor and customer should identify how these improvements and enhancements are implemented, the cost, if any, for the improvements, how customer requests for enhancements are treated, and related matters.
Security. As we discussed in earlier articles, identity and information thieves may find cloud computing services attractive targets. A cloud computing vendor should make clear representations as to its privacy and security policies and procedures, including compliance with applicable state and federal laws and regulations, as well as various industry standards. For example, a cloud computing provider that processes credit card transactions should be in full compliance with the Payment Card Industry’s Data Security Standards. The agreement between the vendor and customer should also allocate responsibility for addressing any breach involving the customer’s security. In most cases, the customer will want to control any communication with its customers, employees and other affected constituents, but will want the cloud computing vendor to be responsible for costs incurred because of a breach.
Accessing software, storage capacity and other products and services over the Internet bears the promise of achieving benefits key to many companies. At the same time, cloud computing customers need to understand what can stand in the way of those benefits. Jeffer Mangels Butler & Mitchell LLP regularly counsels clients on negotiating and implementing cloud computing and other technology agreements.