Last year, a global food manufacturing and distribution company set out to move its HR talent management processes to a software-as-a-service provider. But as attorneys for the food company reviewed the proposed contract, they found some potentially serious legal land mines.
For starters, the SaaS provider had operations in the U.S., Europe and Canada. "Europe and Canada are two jurisdictions that heavily regulate [the use of] personal information. Since this was an HR system, there would be a lot of personal information," recalls Rebecca Eisner, an attorney specializing in outsourcing who represented the food company.
The provider also wanted the flexibility to move the company's information to data centers anywhere in the world, and that would subject the company to the laws of whatever country the data passed through or landed in.
As Masur puts it: "You have data moving all over the world to wherever [the cloud provider] has capacity. It's not just the provider, but a whole web of subproviders and subcontractors and platforms. Where exactly is it at any moment in time? How many countries is it hitting and thereby [subject to] the laws of those countries? Even if you have a contract in place with the provider, can you really be sure they have flow-down clauses that apply the contract terms to this web of subcontractors?"
Customers need to insist that the subcontractors be identified and that contract terms apply -- or "flow down" -- to them, Masur says. The good news is that some major cloud providers will offer U.S.-only public clouds, as well as assurances that the relevant terms of the contract have been applied to subcontractors.
At Schumacher Group, a Lafayette, La.-based healthcare company, about 80% to 90% of IT processes are hosted in the cloud through 12 different service providers.
Cloud users should also know that the location of the provider or its servers could determine where a lawsuit would be brought if a problem arose. "You may find yourself defending an action in another state or another country, depending on where your provider is located," Dinkel says.
Schumacher Group's cloud contracts require that data be stored at centers inside the U.S. "It doesn't make sense for them to store our data overseas," Menefee says.
3. Search Warrants
Big cloud providers are aware of the need for prompt action on e-discovery requests, and they're often able to track and retrieve data quickly by maintaining the original metadata attached to the records.
Lawyers say cloud contracts should require vendors to maintain metadata for easy retrieval and compel them to meet deadlines for producing electronic documents when requested.