Cloud Computing: The Contractual Relationship with a Cloud Service Provider

In our most recent post on cloud computing, we looked at common legal concerns in cloud transactions. Today, we’re expanding on the topic with this post on researching and establishing a contractual relationship with a cloud service provider.

The primary risk of cloud computing is the threat of an operational disruption caused by elements entirely outside of a customer’s control. When companies depend on the cloud for core-business communications or processes, any service interruption can negatively impact business. A company’s cloud-stored data could be irretrievably lost, for example, or a cloud vendor could fail to protect trade secrets or the personally identifiable consumer information the company collects.

A company can limit the risk of operational disruption by carefully evaluating the cloud computing relationship before negotiating with a service provider, with a close eye on the following issues:

Service levels: Know the service provider’s minimum level of “uptime”—the amount of time the system is working and available—and the consequences for failing to deliver this level.

Security: Clarify how the service provider will secure company data in transit and company data at rest. Many service providers encrypt data in transit but do not encrypt data at rest. Where the underlying service processes or hosts personal information, regulatory issues are increasingly complicated.

Incident response: Understand how the service provider will assess, respond to, and repair a security breach or service failure, including the company’s role in the incident response process.

Use limitations: The company’s current relationships with suppliers, employees, and clients may limit or otherwise affect its ability to outsource data storage processing to the cloud. Companies should also clarify what the service provider can do with data in its possession.

Auditing, reporting, and recourse: Understand whether the contract with the provider addresses each of the above considerations individually, or if the company intends to rely upon the provider’s terms of service.

Data de-coupling and transfer: Make sure the company’s data is at least partially “de-coupled” from the cloud service and that a clear process exists for changing service providers.

Risk Mitigation Planning: The company should integrate into its business continuity plan a scenario addressing full or partial failure of the cloud service.

Insurance: Make sure the company insurance covers business losses and liability to third parties stemming from a full or partial failure of the cloud service.

Cloud computing services contracts increasingly reflect the growing importance enterprises place on data storage, transfer, and processing – capabilities that cloud computing simultaneously makes available to a company and which may in turn be removed from the enterprise’s direct control. A company that cannot access its computing resources cannot function. Where a cloud computing provider assumes control of a company’s computing resources, it’s critical to ensure that the underlying contract reflects the importance of those resources (and availability) to the operation of the company. But, at the same time, it may be imprudent to rely solely on the contract itself to provide recourse in the event the underlying services are lost or unavailable.

In our next post, we’ll look at additional concerns related to government regulation of data stored on the cloud.

= required field