Considerations for Companies Contemplating Cloud Computing
As cloud computing service providers continue to expand their services from simple data storage to software services hosted on their servers, companies considering cloud computing services should become familiar with both the legal and operational issues inherent in outsourcing IT functions to third parties. Cloud computing is the wave of the future, and entering into an agreement with a cloud computing service provider can provide users with substantial savings by reducing the need to (i) continually invest in expensive hardware, and (ii) employ a staff of in-house IT professionals. Nevertheless, notwithstanding the cost savings, potential users should be fully aware of the risks presented by cloud computing.
Start Up Costs
The user usually will be expected to provide the hardware and software necessary to access the provider’s services. Therefore, the prospective user first should obtain information from the provider regarding what types of hardware and software are required to use the provider’s services effectively. If new hardware and/or software is required to use the cloud services, the cost of the service may be significantly higher than it seems initially. Consequently, providers should confirm in writing that the user’s existing hardware and software are adequate, or if not, exactly what upgrades are required to meet the cloud provider’s requirements.
If the cloud provider is expected to store the user’s data, there can be substantial work involved in putting the information in the form required by the provider. The user can incur substantial and unexpected costs in both man-hours of work and other conversion costs just to transfer data from the user’s systems to the provider’s servers, so the parties’ agreement should clearly delineate the user’s obligations in transferring its information successfully to the provider’s servers.
Security can be an issue if any of the user’s data includes protected personal information (such as employee social security numbers or health-related records ) or the user’s own confidential data and trade secrets. Normally, the provider endeavors to limit its liability to the greatest extent possible, including its indemnification obligations in the event of a security breach. On the other hand, user companies usually have very stringent obligations under state privacy laws, such as the Maryland Personal Information Protection Act, which can be extremely expensive in the event of a computer security breach.
Where will the user’s data be stored? The data may be stored by third parties, whose security, financial stability and reliability are unknown. The user must inquire whether the provider subcontracts storage services to third parties, whose servers may not be housed within the United States. If a potential user is not comfortable with how or where its data will be stored and handled, then it may be better to investigate another alternative before entering into a long-term commitment.
Dispute Resolution and Exit Strategy
What mechanism is provided for resolving disputes? If a dispute develops, the user never wants to be left in a position where the provider can terminate its services, leaving the user without a means to operate. Similarly, if the provider experiences a system-wide failure, the user may encounter problems operating without cloud computing services, and have a great deal of difficulty in quickly replacing those services. It is common in standard cloud computing agreements for the provider to disclaim all warranties that its services will be uninterrupted or error free. While there may be certain guarantees that the promised services will be available 99% of the time or better, the offered remedy in the event of a failure that causes substantial downtime may only be a credit against the charges rendered by the provider. The provider’s agreement usually will state that it is not responsible for damages suffered by the user arising from its system failures.
In the event of a termination, or at the expiration of the user’s cloud services agreement, the user should have an exit strategy in place for extracting its data and moving it to another cloud computing provider or its own computers. Some agreements provide that at the termination of the agreement, the provider will provide the user’s data back to the user in “comma separated value (CSV) format,” which may be difficult to put in usable form. The user must assure that the format of the data that will be returned is both complete and in a form that can be easily used by a substitute provider or its own computers.
Some cloud computing providers may be unwilling to negotiate any terms of their standard agreements, particularly the liability disclaimers. However, it is important to review the agreement fully in order to understand and clarify the parties’ respective obligations and protect the user’s rights to the greatest extent possible.
Ted Goldstock is a business attorney at Lerch, Early & Brewer in Bethesda, Maryland who frequently drafts and reviews service provider contracts, including IT outsourcing agreements. For more information about cloud computing agreements, contact Ted at (301) 347-1274 or email@example.com.