Cloud computing, for example providing software as a service over the Internet or over an intranet, is the fastest growing means by which technology companies offer their products today. It offers myriad advantages, including the ability to rapidly increase capacity or add capability without investing in new infrastructure, training new personnel or licensing new software. Users have access to the latest hardware and software, and organizations no longer need to operate and maintain servers and infrastructure around the clock. Cloud computing is often touted as "cheaper" and easier, particularly in the case of public clouds, which are run by third-party cloud providers that manage nearly every detail of the operation.
However, all is not perfect in the world of the cloud. Cloud computing comes with significant legal and business risks. The following article canvasses a few, but by no means all, of those risks.
Prospective cloud customers should be sure that their cloud agreement states that the customer explicitly owns its data, including in the event of termination, bankruptcy or similar developments. Even so, a customer that owns its data does not necessarily control it, at least in a public cloud. Once a customer uploads data to the cloud, the cloud provider assumes a fair amount of control over it, and the security measures the customer would normally take to protect its own sensitive data are not necessarily guaranteed by the cloud provider's service level agreement.
Minimal Representations and Warranties/Limitation of Liability
Generally speaking, representations and warranties in cloud agreements are scarce and attempt to distance the cloud provider from any assurance of quality. Cloud agreements are famous for being "as is" agreements and often rely on service credits to deal with performance concerns. Very often the agreement does not warrant that the cloud provider's services will function as described, or that the services will be uninterrupted or error free (shortcomings that could result in loss of data or worse). Additionally, the limitation of liability clauses typically exempt the cloud provider from all kinds of damages (direct, indirect, incidental, special and consequential), and recoverable losses may be capped at the amount the customer actually paid for the services, which will not adequately compensate a customer in the event of a data breach or the loss of a key proprietary trade secret.
Indemnities
Indemnities in cloud agreements are usually fairly broad and almost always favour the cloud provider. It is not unusual to see them extend to the cloud provider's affiliates, licensors and business partners, and to each of their respective employees, officers, directors and representatives. The customer is often asked to indemnify all of these parties for a wide range of claims, including claims arising out of the customer's use of the services in violation of applicable law, claims arising from user-generated content or other content uploaded by the customer or its employees, any violation of the cloud provider's terms of service, and any third-party intellectual property infringement caused by the customer's data.
Service Level Agreements
Cloud providers tend to set out service level agreements in documents separate from the master agreement, committing to a certain level of availability at all times, e.g., 99 per cent uptime. Service credits, if available, are typically calculated as a percentage of the fees the customer has paid and are returned to the customer in the event of a service interruption. However, many cloud providers routinely exempt large portions of their service from such calculations, whether for scheduled maintenance, emergency maintenance or Internet interruptions, so in practice they rarely end up compensating customers for failures. Service credits are also usually capped at a maximum amount per month or per day. Every service level agreement should spell out what happens when data is lost because of a service interruption, but many cloud agreements do not. In fact, in some agreements an inability to retrieve data caused by an inability to access the service does not constitute a failure under the service level agreement at all. Additionally, many service level agreements exclude any guarantee of uptime or of access to data once the customer's right to use the service has been suspended or terminated, so customer data can essentially be held "hostage."
Loss of Data
For the most part, the customer owns the data that it uploads into the cloud, but some cloud computing agreements are less clear on ownership rights. A prospective customer must ask whether, on termination of the agreement, its data will be deleted, retained by the cloud provider (locking the customer in), or returned to the customer in a non-proprietary form. Many providers refuse to return data unless all fees have been paid and the account is up to date, so what happens in the event of a fee dispute? Some cloud providers delete customer data upon termination of an account or when an account goes unpaid. Customers should negotiate that a dispute over fees will never result in their data being withheld or deleted; suspending the customer's use of the service is a better alternative.
Privacy
Perhaps the most problematic aspect of cloud computing agreements is privacy. For example, under Canada's federal privacy law, a company that collects personal information and stores it in the United States must disclose that fact to its customers. The customer also remains legally responsible for ensuring that its clients' personal information is adequately protected by the cloud provider through technological, organizational and physical safeguards; depending on the sensitivity of the information, this may also require access controls, encryption and similar measures. Customers need to understand that they are not off the hook for data that is outsourced: they have a legal obligation to use contractual or other means to ensure that the cloud provider, as the third-party data processor, provides a comparable level of protection while it processes the information. The difficulty is that many cloud providers are not very open about their data protection measures and policies. Customers should therefore negotiate a term into their cloud agreements requiring the cloud provider to comply with the terms and conditions of Canadian privacy law where applicable.
Additionally, Alberta's Personal Information Protection Act (PIPA) was amended in 2010 to require organizations to notify individuals before transferring their personal information to a service provider outside Canada, to notify individuals when the organization will be transferring their personal information outside Canada, and to describe this outsourcing practice in the organization's policies and procedures. Alberta's PIPA also requires organizations in Alberta to notify the Privacy Commissioner if personal information under the organization's control (including data held by its third-party contractors) is lost, or is accessed or disclosed without authorization. Failure to notify the Commissioner of a breach that may pose a real risk of significant harm to individuals is an offence, so customers must build corresponding notification requirements into their contracts with cloud providers so that the provider reports such incidents to them promptly.
Many of the above risks can be addressed through adequate negotiation and amendment of the cloud provider's standard terms. Prospective customers should review their cloud computing agreements carefully before signing them, focusing on the areas of greatest concern to their particular organization. For example, customers should ensure that they can preserve and retrieve their data regardless of the cause of termination or expiry of the agreement. Customers should also find out as much as possible about the cloud provider's reputation, security measures and infrastructure. Before entering into a cloud agreement, prospective cloud customers should evaluate whether the cloud is right for them at all, as not all data is a good candidate for cloud computing. Mission-critical applications and highly sensitive data may simply be inappropriate for a public cloud, in which case a private cloud may be more suitable. Weigh the benefits and risks carefully!