Know the key legal and security risks in a cloud-computing contract

Make sure you know how to get your data back when the contract ends

ORLANDO -- Enterprises that store data with cloud providers may no longer have physical control over it, but they're still on the hook legally for its protection and security.

Knowing what goes into a SaaS contract -- and the risks associated with what's not included -- can mean the difference between a costly lawsuit and a successful partnership, according to technology attorney Milton Petersen.

Petersen, a partner in the information technology practice group at the law firm of Hunter, Maclean, Exley & Dunn in Savannah, GA, spoke at SNW here today.

The two most important words to look for in a vendor contract are "vendor shall," Petersen said. Words such as "we'll strive to," "our goals," "targets" and "objectives" should raise red flags for users, as they offer no concrete guarantees and give the vendor legal wiggle room.

Cloud computing contracts also tend to be more commoditized today, compared with big outsourcing deals that once involved heavy negotiations carried out over days.

"It used to be that a customer could negotiate a lot of protections in," Petersen said. "To some extent ... [now], you have to take contract terms they're offering."

Questions to ask

Users should be aware of a cloud provider's implementation process -- how your company's data will be ingested into their cloud infrastructure. Things to consider include whether there will be a lot of work converting your data into their format, or whether they're simply starting with fresh data at the point the contract is signed. Will the data be encrypted? If not, are there data breach notification laws in the state or country where it will be stored?

Most states now have such laws, Petersen said.

It's also better if you have time to check out a vendor and see how the technology works and whether it does what it's supposed to, Petersen said.

Among the more important nuances of a cloud contract is how your company will end the pact and transition data out of the cloud, either back into a private data center or to a new cloud provider.

If your data is no longer in a format your company natively uses, you'll want to be sure it's in some type of industry standard format that will make it easy to convert or use.

"Make sure you're not held hostage where they charge you an exorbitant fee for getting your data back," Petersen said. "Also, look for some kind of cooperation and assistance from the vendor in getting your data out. [And] make sure there's an agreement around what they can or cannot destroy."

It's particularly important to know whether a vendor plans to destroy data after a certain time, particularly if that data has the potential to be used in litigation with a client and might be placed into a legal hold status.

Limiting risk

Because you're handing control of corporate data to a vendor, it's important to define basic communications processes. Ensure there's a well-defined process for notifying you when a vendor makes changes to its infrastructure that may affect your data. And request that periodic, structured meetings be scheduled with the vendor between executive-level employees so that you can head off any surprises.

Also, make sure there is a formal dispute escalation or resolution process where you and your vendor can talk about problems before you have to "resort to a legal resolution," Petersen said. A lack of specifics really benefits the vendor in those cases, he added.

"Look for phrases like, 'the vendor shall provide the services in a timely, professional manner in accordance with industry standards,'" Petersen said.

Problem response and resolution should also be hammered out in the contract, ensuring there's some commitment to respond to a problem in a specified period of time; it need only be an affirmation that they know about a problem and are working on it.

Problem resolutions can be more difficult as every issue may take more or less time to resolve, but again, it's important that they agree to keep you updated on what's being done.

Being able to monitor service levels and application uptime is also key to understanding service provider performance.

Some vendors offer automated monitoring and reports for their customers rather than reports on request. And if your site goes down due to a SaaS outage, make sure you know how the vendor will reimburse you for any loss of business. That reimbursement often comes in the form of credits that can be used toward the cost of the contract. But don't expect credits to cover your entire loss due to site downtime.

"You'll almost always see a cap on direct damages ... as well as the exclusion of indirect damages," Petersen said.

More importantly, if there's an ongoing issue, ensure there's clear contract language that allows your company to bail out of the deal and reclaim its data. Typically, there will be some early termination fee associated with leaving a contract early; companies should know what it is.

"You need termination rights for chronic or recurring failures," Petersen said. "The real remedy is to be able to bail out of the deal and find another service provider."

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.
