FW moderates a discussion on negotiating cloud contracts between Mark Lundin, a partner at KPMG, John C. Eustice, a member at Miller & Chevalier Chartered, and David W. Tollen, author of The Tech Contracts Handbook.
FW: Broadly speaking, how would you characterise recent trends and developments in the cloud computing arena? In your opinion, how far does the cloud computing market enhance the effectiveness and efficiency of modern business processes?
Lundin: Cloud computing has gained widespread acceptance as a preferred computing approach because cloud providers are innovating at an unprecedented rate, and delivering solutions that address business challenges in ways that allow rapid deployment. Traditional enterprise software companies have shifted to a cloud first model to align with their customers who have a diminishing appetite for traditional on-premise software solutions. Companies want to take advantage of new features and functionality that cloud providers roll out on an ongoing basis, as opposed to having to wait for a periodic upgrade cycle. Core capabilities including on-demand self-service, broad network access and rapid elasticity that define cloud computing and enable companies to meet business needs in a way that traditional approaches cannot easily support. Adopting a cloud-based platform for application development and integration enables companies to more rapidly develop, deploy and enhance business applications. Cloud platform solutions allow companies to rapidly build and integrate applications in a way that wasn’t possible several years ago. Increasingly companies are also adopting a hybrid cloud strategy – establishing hosted or on-premise private clouds for certain operations where more direct control is desired and using public cloud solutions for other operations where it is beneficial.
Eustice: Quite simply, cloud computing allows organisations to increase their capacity for storing and moving electronic information while decreasing IT costs. Cloud computing is fast becoming the standard for storage of electronic data and communication in business due to these potent dual benefits, with multiple companies jumping into the market with new products. One interesting and enduring trend in cloud computing is the diversity of offerings from its providers. Some offer software as a service, some offer their platform as a service, and some offer infrastructure as a service. Companies can also shop among private clouds, public clouds and hybrid clouds. The cloud computing market is evolving into a space where companies can find a custom solution for almost any data storage problem.
Tollen: Software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and other cloud models offer a flexible, scalable way to use information technology. Companies of all sizes can take advantage of best-of-breed software and systems, without putting together massively expensive IT departments, data centres, or other tech resources. A corner store, in other words, can keep its data in an electronic vault as secure as IBM’s, or run payroll systems on par with a Fortune 500 firm. And a mega-corporation can offload much of its IT management on a tech vendor and focus on shoes or insurance or building a better mousetrap. Plus, none of these companies has to commit long-term to any particular technology. As the IT environment changes, customers can switch services or vendors much more easily than they could put aside traditional legacy systems. However, these advantages do come with some serious liabilities.
FW: To what extent do existing regulations and national contract laws impact on the cloud computing market? What strategies can companies employ to help them navigate their regulatory requirements?
Eustice: Generally, laws and regulations lag behind technology because the former advance far slower than the latter. In some areas, however, governments are exerting significant effort to catch up and regulate certain categories of sensitive data that companies are placing in the cloud. For example, the US is in the process of issuing new regulations in the export controls area to define when technology is ‘exported’. If a company places regulated data in the cloud, the new regulations require that the data be encrypted ‘end-to-end’. This requirement places an additional security requirement on companies doing business in this space. The best way for companies to navigate these requirements is to be aware of them before they enter into contracts for cloud services, and to make sure that those contracts take the regulations into consideration with respect to the sensitive categories of data that will be stored in the cloud.
Tollen: Both customers and vendors need to know which privacy laws govern their operations. They should recognise that foreign laws may govern them if they hold foreign consumers’ data. They should also recognise that different rules apply to different types of data, particularly in the US, where federal law imposes an alphabet soup of statutes and state laws vary widely. Finally, they should know that failure to comply with their own privacy policies can lead to trouble with government agencies, customers and consumers. In terms of putting together contracts, cloud services customers should make sure their vendors agree to comply with whatever privacy laws and policies apply. Vendors, on the other hand, should consider adding ‘excluded data’ clauses. These terms tell the customer not to upload certain data to the vendor’s systems – usually data subject to particularly strict regulation. Excluded data clauses also put the customer on notice that the vendor can’t protect that data as required by law.
Lundin: Industry regulations have a significant impact on companies, particularly to the extent they are deploying cloud solutions to process and store regulated information. Local requirements are increasingly important to companies that are deploying cloud solutions on a global basis. Companies do not want regulatory concerns to constrain their use of these solutions when they make business sense. Ensuring that the company addresses the relevant requirements requires a collaborative effort with the cloud provider. It is important to work with cloud providers and advisers who understand the global regulatory environment, the particular cloud solution, how cloud provider and customer responsibilities are distributed, and what additional measures may be required to ensure compliance with any given requirement. In some cases, this may require system modifications, a certain configuration or additional steps performed by the company.
FW: What terms of cloud computing agreements trigger the most negotiations? Why?
Tollen: In our experience, indemnity triggers the most negotiation. In an indemnity clause, one party promises to defend the other against lawsuits and pay any related settlements or judgments. Most cloud services agreements have intellectual property indemnities, and they’re often hotly negotiated. Parties struggle over issues like whether the vendor has to indemnify claims about technology built to the customer’s specifications, and whether the indemnity should cover combinations of vendor and third party technology. A relatively new indemnity appears in some cloud services contracts too. Customers want vendors to defend cases about data breaches. Vendors, on the other hand, fear they’d have to defend cases triggered by the customer’s errors, or just fear the expense, so they resist. And some vendors actually demand the opposite: the customer indemnifies the vendor against data breach cases. They argue that customers can put any data on vendor cloud-hosted computers, and the price for that open door is an indemnity from the customer covering suits about the data.
Lundin: While each contract is unique, there tends to be agreement on a lot of terms early-on in the agreement life cycle as part of the vendor evaluation process. However, in our experience there are three areas that trigger the most negotiations at the final contracting stage: limitation of liability, breach notification and use of third-party service providers. For example, in the limitation of liability area, the cloud service providers typically restrict it to the amount of service fees in scope, however that might not be sufficient for cloud user organisations given the potential for huge liabilities on them if there is breach of confidential information.
Eustice: Not surprisingly, cloud computing service providers are not eager to accept liability for any consequential damages. Accordingly, limitations of liability provisions are often rigorously negotiated. If a company is placing highly sensitive or regulated data into the cloud, that company may need to push for carve-outs to a limitation of liability provision allowing for the potential recovery of certain types of damages. For example, breaches relating to data security and confidentiality may result in the risk of third-party litigation. Another provision that usually requires robust discussion is the termination clause. Given the decreasing cost and increasing capability of cloud services, customers want to be able to terminate as painlessly as possible. Providers, meanwhile, want to lock customers in for a long term with little ability to terminate for convenience. This tension can sometimes be diffused by working in the potential for upgrades in service and renegotiation of price.
FW: How are cloud computing contracts different form the more traditional software licences? What new subject-matter should contract negotiators learn?
Tollen: Deals for vendor-hosted cloud services differ from software licences in two key ways. First, the vendor hosts and runs the technology, instead of providing software to run on the customer’s computers. Second, the customer’s data sits on the vendor’s computers. The first difference leads to the most fundamental change in legal terms – cloud services contracts don’t need a copyright licence, at least not for the vendor’s main offering. The customer won’t be copying the vendor’s software, so it just needs a subscription to access it remotely. Vendor hosting also leads to stricter and more detailed support obligations, in most cases. The second difference leads to a host of new terms. The most important are data management and security clauses, disaster recovery (DR) terms, SaaS escrows, and expanded insurance and reporting requirements. In some cases, data hosting also leads to data breach indemnities.
Lundin: The key difference remains that the contract service provider (CSP) would typically have some or full control over your data depending on the nature of the cloud service. Contract negotiators need to have an understanding of the elevated risks involved with cloud computing since they are no longer limited to buying licences without having to factor in data protection and availability. It is a shift in mindset. We have seen clients continue to work with software vendors that have recently added SaaS cloud solutions without fully updating the contract to account for the emerging risks.
Eustice: Instead of contracting for the use of a piece of software, cloud users are contracting for a service that usually includes software as a mere piece of the overall product. Cloud computing necessarily involves resource pooling, through which the cloud provider serves multiple customers by assigning and reassigning resources according to customer demand. For this reason, cloud computing contracts need to include more information than one would expect in a standard software licence contract, including where the customer’s data will be stored, who will have access to the data, how the data will be protected, and what other kinds of customers and data will be stored along with your data. Negotiators need to develop a full understanding of the laws and regulations governing their client’s data before discussing contracts to place that data in the cloud.
FW: With the rise of cloud computing, IT vendors manage their customers’ data and computer systems at a level never seen before. How should customers protect themselves from the risks of vendor mistakes and failures?
Tollen: There are six steps customers should consider. First, include a broad data management and security clause in your contract. These address technical requirements for protecting data, management of data – including ‘e-discovery’ during litigation – and handling of data breaches. Often they also call for third party audits of vendor systems. Second, request an indemnity for data breaches, but don’t be too surprised if your vendor refuses. Third, add disaster recovery terms to your contract, addressing vendor obligations to keep systems and data safe from hurricanes, terrorist attacks, and so on. Fourth, for smaller vendors, request financial and technical reporting terms. This a chance to look at the vendor’s books once in a while, to get advanced warning of financial troubles that might threaten data protection. Fifth, ask vendors to buy insurance, including useful but often elusive cyber liability insurance. Finally, consider a non-contractual remedy – a hybrid cloud, where vendors host some systems but you, the customer, run the really sensitive software and data on your own computers.
Eustice: Every contract for cloud services includes a provision regarding the cloud provider’s policies for intrusion detection, reporting and security audits. Customers, particularly those placing sensitive, confidential, or regulated data in the cloud, need to ensure that the cloud provider communicates with them during every step of the data oversight process. Customers also need to confirm that the cloud provider regularly updates its security and encryption methods. More than that, however, customers need to be comfortable with their point of contact at the cloud provider to foster trust in any dialogue that follows a mistake by the provider. Creating a list of incidents, clearly set forth in the contract, that require high-level contact between the provider and customer can go a long way toward creating a good working relationship.
Lundin: While cloud computing provides a number of compelling benefits, managing and securing a cloud infrastructure is a very complex undertaking that requires very specialised and in-demand skills. In many cases, it makes a lot of sense for a company to leverage the deep technical expertise of a reputable cloud service provider rather than trying to build comparable capabilities in house. As is the case with any important outsourcing relationship, it is important that the company performs proper due diligence to ensure the cloud solution meets the company’s expectations and requirements, to assess contractual protections, and to implement a monitoring process to ensure that the cloud provider continues to meet its responsibilities. In particular, it is advisable for the company to obtain annual SOC2 SM Type 2 audit reports from the cloud provider which includes an auditor’s opinion on the design and operating effectiveness of the cloud provider’s controls to meet a predefined set of criteria for security and optionally areas such as availability and confidentiality.
FW: In terms of the privacy and security of cloud computing, what steps should organisations be taking to address the risk of hacking attacks, theft and misuse of data?
Lundin: It is recommended that a company establish a governance structure over its use of cloud providers to ensure a consistent approach is applied to evaluating cloud providers, assessing their security posture and monitoring their use. This also enables a company to track what types of information is handled by each provider. A company should ensure that its cloud providers have controls commensurate with the types of data they are storing. Privacy and security are a shared responsibility between the cloud provider and company. It is important that the company clearly understands the system architecture and how the cloud provider secures its infrastructure, proactively addresses new threats, prevents successful attacks and handles incidents. The company also needs to understand and fulfil its security and privacy responsibilities, which may vary depending on the type of cloud service. With an IaaS solution, for example, the company will have very broad responsibilities for managing its systems, such as managing the full set of systems running on the IaaS. In contrast, with a SaaS solution, the company will typically have a narrower set of responsibilities, such as managing user access and certain system configurations.
Eustice: The most important action that companies should take to reduce their security risk is to impose and enforce significant standards for password security. Most hacking attacks are accomplished by stealing or even guessing passwords. Setting standards for passwords and insisting that employees – as well as contractors and subcontractors – who have access to data change their passwords often go a long way towards closing the security ‘front door’. Another, related action that companies should take is to reduce the number of people who have access to the data. General access should only be available to employees, contractors and subcontractors who require it. Cutting down on the number of entry points necessarily reduces risk. Finally, while cloud providers generally encrypt data, they often use different encryption levels for data at rest versus data in transit. Organisations should ask their provider to use industry-standard encryption for their cloud data at all times.
Tollen: Make data security a priority for any employee, vendor or other contractor that touches private information or other sensitive data. And hire a data security consultant to perform an internal security audit. Ideally, your consultant is an independent expert who doesn’t sell software or implementation services - or anything else, if possible – other than data security auditing services. In other words, the best consultant is truly neutral, with no incentive to twist your audit results to fit his or her products or services. Of course, a comprehensive audit can be expensive, but weigh the price against the cost of a breach, or of several. Finally, implement the recommendations coming out of the audit – as many as you can.
FW: As the scope and understanding of cloud computing technology increases, how should a safe and fair cloud contract be defined and designed, so that it meets the needs of all parties?
Eustice: Given the level of customisation available in the cloud computing market, it’s exceedingly difficult to suggest a standard contract. However, the structure of a cloud computing contract should always have as its goal complete clarity of the service being provided and the data being stored. Misunderstandings or ambiguous definitions impacting these two issues can cause complete chaos if anything goes awry during the life of the contract. Another concept that should be worked into every cloud computing contract is shared risk. Neither party should accept all of the risks relating to data security and technological advances.
Tollen: The next step is for the IT industry to get a better grasp of cloud computing legal issues and come together on some relatively standard contract terms. Older IT contracts – software licences, tech services agreements, and so on – vary a lot, but certain clauses have been relatively standard for decades. Limits of liability, NDAs and end-user software licences have become pretty consistent, so no one has to spend a lot of time negotiating their details. Even IP indemnities have pretty standard terms, despite battles around the edges. The same will probably happen for data management and security clauses, data breach indemnities, and even SaaS escrows. There’s no standard-setting body, but broad agreement will probably come out of another decade’s tug-of-war between vendors and customers, and that will save everyone time and legal fees.
Lundin: As with contracting in any emerging area, it will come with experience and real-life examples. The pressures of customers’ expectations of security, confidentiality and availability, as well as the regulatory environment, continue to be high. On the other hand, service providers need to be able to balance that with the commercial risks it can take on while offering these innovative services. CSPs will have to continue raising the bar on their internal processes and controls to a point that their common denominator meets requirements of industries and regulations in their target customer base. This should allow them to meet the needs of all parties in their target customer base.
FW: What advice would you give to companies on negotiating a cloud contract? Are there any common pitfalls or oversights?
Lundin: Inherent to the concept of cloud is resource pooling, and having that allows CSPs to have economies of scale and pass the cost benefits along to customers. For cloud customers, it is important to keep in mind that cloud services were designed for customers around the globe as opposed to custom solutions. The leading CSPs tend to be diligent about meeting the most common business and regulatory requirements; however some challenges remain. Some of these roadblocks can seem insurmountable at first, but if parties remain committed to finding a solution, hurdles can be overcome. For example, in some situations, it might mean implementing more detective and monitoring-type controls, rather than preventive controls.
Tollen: First, pay attention to technical specifications, even if you’re a technically challenged businessperson or lawyer. Specifications often appear in an attachment, like an SLA or requirements exhibit, but they form the heart of a cloud computing contract. They say what the system will and won’t do. Yet contract negotiators often leave specifications to junior IT staffers. For the customer, that could mean the contract doesn’t promise necessary business functions. The vendor, on the other hand, might find it has promised too much. And, yes, you can read specifications, even if you’re not tech-savvy. Second, don’t use an NDA for data security. NDAs protect trade secrets – business plans, financial records, source code, secret recipes – not private information. And NDAs focus on information in human hands, not data on computers. Use a real data management and security clause.
Eustice: Every customer seeking to contract for cloud computing services should come to the table with a list of questions for the potential provider to answer before pen is put to paper. These questions should cover four categories: data security, data location, data oversight and data control. More importantly, these questions should be designed to reveal to the provider the customer’s primary concerns in placing its data in the cloud. The most common pitfall for customers is the failure to develop a full game plan going into negotiations, which often leads to the acceptance of a cloud provider’s boilerplate contract provisions. Remember that a cloud provider will not understand why your business and your data is unique or different unless you explain it to them. Taking the time to do so can create a more collaborative tone in the negotiating process.
Mark Lundin is a partner at KPMG who has spent the past 15 years helping emerging technology companies to establish strong IT governance, risk and control (GRC) processes and to effectively address complex requirements for third party assurance. His clients include leading global cloud providers, security service providers, IT infrastructure providers and enterprises with complex IT environments. He leads a national Cloud and Security Assurance team and drives KPMG’s involvement in multiple international standardisation organisations. He can be contacted on +1 (408) 367 7696 or by email: email@example.com.
John C. Eustice is a member of law firm Miller & Chevalier Chartered in Washington, DC, and has developed experience in data privacy and data security issues, including issues relating to cloud computing services and cross-border transfers of electronic data. Mr Eustice advises clients on data privacy compliance and information technology contracts. He can be contacted on +1 (202) 626 1492 or by email: firstname.lastname@example.org.
David W. Tollen represents both buyers and sellers in cloud computing, software licensing and other technology transactions. He’s the author of the American Bar Association’s bestselling manual on information technology agreements: The Tech Contracts Handbook (American Bar Assn. Publishing, IP Section 2010). He’s also the founder of Sycamore Legal, P.C. in San Francisco. Finally, Mr Tollen provides in-house and public trainings on drafting and negotiating technology contracts – for contract managers, salespeople and other businesspeople, as well as for lawyers. Mr Tollen has degrees from Harvard Law School, Cambridge University and U.C. Berkeley. He can be contacted on +1 (415) 278 0950 or by email: email@example.com.
© Financier Worldwide