This article has been written by Lalit Chhatria.

Introduction

Cloud computing means accessing a provider’s software and infrastructure directly, and it also means storing the customer’s data with that provider. Cloud computing arrangements are therefore somewhat similar to conventional software licensing agreements, but they have more in common with hosting or application service provider (ASP) agreements. As a result, the most important problems and issues that arise in hosting and ASP arrangements apply equally to cloud computing arrangements.

Key issues to consider when drafting and negotiating cloud computing agreements include:

  • Service availability
  • Service levels
  • Data: security, redundancy, ownership and use rights, and conversion
  • Insurance
  • Indemnification
  • Intellectual property
  • Limitation of liability
  • Implementation
  • Fees
  • Term
  • Warranties
  • Publicity and use of the customer’s trademarks
  • Assignment
  • Post-execution ongoing provider evaluation
  • Final risk assessment

Let us look at each of these aspects in detail.

Service availability

A customer must be able to keep running its business and must have access to its data at all times. To address the various risks relating to service availability, the customer must ensure that it has the right contractual safeguards.

If the provider stops providing services, the customer will have no or restricted access to those services (which may support a vital business function) and, even more significantly, no access to its data stored on the provider’s systems. Service can stop for reasons such as:

  • a server outage,
  • the failure of a telecommunications link,
  • a natural disaster that damages the provider’s data centre,
  • a fee dispute, or the provider withdrawing the services, or
  • the provider winding up its business because of financial difficulties.

The contractual safeguards should therefore preserve the customer’s access to its data, and its ability to retrieve that data, in each of these situations.

Service levels

Reasonable service levels, sufficient to ensure that the services are delivered in a way that meets the customer’s needs, should be set out in the agreement. Effective remedies should also be available so that the provider is motivated to perform in compliance with the agreed service levels.

Establishing appropriate service levels for the availability and responsiveness of the services is one of the most important aspects of drafting and negotiating a cloud computing agreement. Because the software and infrastructure are hosted by the provider and are outside the customer’s control, service levels serve two key functions:

  1. They ensure that the customer can rely on the services in its business and has reasonable remedies if the provider fails to meet the agreed service levels.
  2. They set agreed metrics that support the provider’s continuous quality assurance process and provide incentives for the provider to resolve problems diligently.

The most common service level issues that the customer should address are:

  • Uptime
  • Response time
  • Concurrent users
  • Issue response time and resolution time
  • Return of data
  • Remedies


Uptime service level

The provider must maintain a secure environment in which the services are available to the customer, if not 24/7, then at least during the customer’s regular business hours. The provider should then commit that the services will have an uptime, or availability, of a stated percentage, measured over an agreed period (typically each month) during those hours. The agreement should also define what counts as downtime, whether scheduled maintenance windows are excluded, and who measures availability and how; a percentage on its own means little without those terms.

Response time

The response time service level is closely linked to, and frequently combined with, the uptime service level. It sets maximum latencies and response times for the customer’s use of the services. A service that does not respond to its users in a timely manner is effectively unavailable.

Concurrent users

If the customer requires the services to serve multiple simultaneous users, as is normally the case, the agreement should include a service level that specifically defines that requirement. The customer should estimate, and then measure, the total number of users it expects to be using the service at any given time.

Issue response time and resolution time

The agreement must oblige the provider to address service quality problems in a timely manner. Providers often offer only a response time commitment, meaning the period from when a problem is reported to when the provider acknowledges it and starts working on a fix. The customer should also require a resolution time commitment, so that a problem that has been acknowledged but not fixed still counts as a service level failure.

Return of data

For services that support a vital business function or involve confidential customer data, the customer may also add a service level that measures the interval between the customer’s request for its data and the provider’s return of that data.

Remedies

Remedies for failure to meet a service level usually start as credits against the next period’s fees. Repeated or severe failures should escalate to further remedies, including a right to terminate the agreement.
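As an added example, not taken from the original article or its references, the following Python code shows how an uptime service level of the kind described above can actually be measured and tied to a credit remedy. Availability is computed over a monthly measurement period restricted to agreed business hours, scheduled maintenance windows are excluded, concurrent incidents are merged so they are not double-counted, and the result is mapped to a credit tier. The business hours, the credit tiers and the June 2024 incident log are all constructed assumptions for illustration, not terms from any real agreement.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed contract parameters for this example (not from any real agreement).
BUSINESS_OPEN = time(9, 0)
BUSINESS_CLOSE = time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday; weekends fall outside the covered hours
# (availability floor in %, service credit as % of the period's fees), highest tier first
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25)]
CREDIT_BELOW_LOWEST_TIER = 50


@dataclass
class Outage:
    start: datetime
    end: datetime
    scheduled: bool = False  # agreed maintenance windows do not count against uptime


def _overlap(a_start, a_end, b_start, b_end):
    """Length of the intersection of two intervals, zero if they are disjoint."""
    latest_start = max(a_start, b_start)
    earliest_end = min(a_end, b_end)
    return max(timedelta(0), earliest_end - latest_start)


def _merge(intervals):
    """Merge overlapping (start, end) pairs so concurrent incidents are not double-counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def covered_windows(period_start, period_end):
    """Yield the business-hours window of every workday inside the measurement period."""
    day = period_start.date()
    while day <= period_end.date():
        if day.weekday() in WORKDAYS:
            yield datetime.combine(day, BUSINESS_OPEN), datetime.combine(day, BUSINESS_CLOSE)
        day += timedelta(days=1)


def availability_percent(outages, period_start, period_end):
    """Availability over the period, counting only unscheduled downtime inside covered hours."""
    unscheduled = _merge([(o.start, o.end) for o in outages if not o.scheduled])
    covered = timedelta(0)
    down = timedelta(0)
    for w_start, w_end in covered_windows(period_start, period_end):
        # Clip each window to the measurement period, then clip each outage to the window.
        w_start, w_end = max(w_start, period_start), min(w_end, period_end)
        if w_end <= w_start:
            continue
        covered += w_end - w_start
        for o_start, o_end in unscheduled:
            down += _overlap(w_start, w_end, o_start, o_end)
    if covered == timedelta(0):
        raise ValueError("no covered hours inside the measurement period")
    return 100.0 * ((covered - down) / covered)


def service_credit_percent(availability):
    """Map a measured availability to the credit tier agreed in the contract."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_BELOW_LOWEST_TIER


# Constructed incident log for June 2024 (June 3, 2024 is a Monday).
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 6, 4, 17, 0), datetime(2024, 6, 4, 19, 0), scheduled=True),  # maintenance: excluded
    Outage(datetime(2024, 6, 5, 10, 0), datetime(2024, 6, 5, 11, 30)),                  # 90 covered minutes
    Outage(datetime(2024, 6, 6, 8, 30), datetime(2024, 6, 6, 9, 15)),                   # only 15 min after 09:00 count
    Outage(datetime(2024, 6, 8, 2, 0), datetime(2024, 6, 8, 6, 0)),                     # Saturday: outside covered hours
]
PERIOD_START = datetime(2024, 6, 1)
PERIOD_END = datetime(2024, 7, 1)


def sample_report():
    """Return (availability %, credit %) for the constructed June 2024 incident log."""
    avail = availability_percent(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)
    return avail, service_credit_percent(avail)


if __name__ == "__main__":
    avail, credit = sample_report()
    print(f"availability {avail:.3f}% -> service credit {credit}% of the period's fees")
```

The inputs to this calculation (which hours are covered, whether maintenance is excluded, how incidents are recorded, and which credit applies at which threshold) are exactly the terms the customer needs to pin down in the agreement; a provider that controls all of them can report a high availability figure for a period in which the customer saw a serious outage. With the constructed log above, 105 minutes of unscheduled downtime fall inside the 180 covered hours, giving roughly 99.03% availability and a 10% credit.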

Data – Security, Redundancy, Ownership and Use Rights, and Conversion

In a cloud computing arrangement, maintaining the customer’s control over its data, addressing the provider’s use of that data, and safeguarding the security and confidentiality of that data are all critical. The provider should disclose its capabilities and its policies and procedures relating to, and agree to reasonable provisions covering:

  • protection against security vulnerabilities,
  • data backups,
  • use of customer data, and
  • data conversion.

Insurance

In cloud computing arrangements, the customer should also address insurance, both with respect to its own policies and the provider’s. Most data protection and security regulations hold the customer responsible for a security breach whether the fault was the customer’s or the provider’s. By obtaining a cyber-liability policy, the customer can therefore insure itself against IT risks, including those related to data and privacy.

Cyber-liability insurance can protect the customer from a wide variety of losses. Many cyber insurance policies cover damage, data theft or loss, hacker attacks, denial of service attacks, and malicious code resulting from unauthorised access to a computer system. Some policies also cover privacy risks such as breaches of confidentiality of personal information and violations of state and federal privacy laws, and may reimburse the subsequent legal and public relations expenses.

Requiring the provider to carry these forms of insurance increases the likelihood that the provider will be able to satisfy its obligations and gives the customer direct protection. The primary types of liability insurance that a provider should be required to carry are:

  • technology errors and omissions liability insurance, and
  • a commercial blanket bond, providing protection against cyber and computer fraud or unauthorised access to computers.

These forms of insurance cover losses that the customer or others may incur as a result of the provider’s professional negligence or the malicious actions of others (the provider’s employees, hackers, etc.).

The customer should require the provider to carry these specific kinds of policies, not just a general liability policy. Many commercial general liability policies contain a professional services exclusion that precludes coverage for liability arising from IT services, as well as other exclusions and restrictions that make them essentially inapplicable to IT risks. The customer may also consider asking the provider to name the customer as an additional insured on its policies; this allows the customer to claim directly against the provider’s insurer in the event of a loss.

Indemnification

The provider should agree to defend, indemnify and hold harmless the customer and its affiliates and agents from any claim arising from the provider’s breach of its confidentiality and data protection obligations. Any deliberate breach should be fully indemnified, protecting the customer from out-of-pocket costs and expenses related to data recovery and to compliance with any applicable notification requirements or other obligations imposed by data privacy laws. Where the data breach is not wilful, the provider may ask for a cap on its exposure, which may be reasonable depending on the type of customer data involved.

The provider should also agree to defend, indemnify and hold harmless the customer and its affiliates and agents against any claim that the services infringe a third party’s intellectual property rights. This protects the customer from out-of-pocket costs and expenses if a third party alleges infringement.

Providers often try to limit the intellectual property indemnity to copyright infringement. That is not appropriate, since many infringement claims arise under patent or trade secret rights. The indemnity should cover infringement claims against any “patent, copyright, trade secret, trademark, or any other exclusive rights of a third party.” Customers should also resist any limitation to patents “issued as of the Effective Date” of the agreement. Providers also frequently restrict the indemnity to United States intellectual property rights, which may be acceptable if the customer does not use the services outside the United States; the customer should therefore determine whether its use of the services will extend overseas.

Intellectual Property

The customer must consider the effect of intellectual property rights on its business. Where the provider supplies substantial implementation services (e.g. comprehensive software or hardware installation, setup, or customisation services) in connection with the cloud computing services, the ownership arrangement proposed by the provider often does not adequately meet the customer’s business needs. If the provider’s intellectual property is incorporated into the work product supplied to the customer, that intellectual property may become embedded in the customer’s business processes. This can expose the customer’s business to uncertainty about its rights in the very processes the company depends on. The customer should therefore obtain ownership of any work product and a broad licence to use any provider intellectual property incorporated in that work product, so that it keeps full control of the direction of its business and of the processes underlying it.

Even where substantial implementation services are not provided and the customer merely gives feedback on configurable screens that it can then use, the customer should recognise the potential effect on its business. Since the provider may benefit from ideas supplied by the customer, the customer could consider adding a restriction on the provider’s use of those ideas in services supplied to any competitor of the customer.

Limitation of Liability

The provider’s limitation of liability in a cloud computing engagement is very significant, because the provider controls nearly all aspects of data protection. The provider should therefore not be permitted to use the limitation of liability clause to unduly limit its exposure. A reasonable limitation of liability clause must balance the provider’s concern about unlimited damages against the customer’s need for adequate remedies in the event of a data breach or other incident.

A provider’s limitation of liability provision generally (1) restricts any liability to the customer to the amount of fees paid under the agreement or a part of the agreement (e.g. the fees paid for the part of the service in question) and (2) excludes incidental, consequential (e.g. lost revenue), exemplary, punitive, and other indirect damages. Although a customer may not be able to remove the limitation of liability entirely, the following concessions should be requested:

  • The limitation of liability should be mutual. The customer should be entitled to the same damages exclusions that the provider is seeking.
  • The following should be excluded from all limitations on liability and damages: (1) breach by either party of the confidentiality and data protection provisions, (2) claims covered by the provider’s indemnities, (3) the parties’ respective indemnification obligations for third party claims, (4) infringement by either party of the other party’s intellectual property rights, and (5) breach of the publicity provision.
  • The overall liability cap (usually limited to fees paid) should be raised to a multiple of the fees paid (e.g. two or four times the total fees paid, or the fees paid in the 12 months before the claim arises). The customer should bear in mind that this overall cap should not apply to the exclusions listed above.

Implementation

Where substantial implementation services are provided, the definition of ‘services’ in a cloud computing agreement should be broadly worded to capture all of the services provided. For instance:

‘Services’ means the provision by the Provider of the software and infrastructure services described in Exhibit A (Software and Infrastructure Services), the implementation services described in Exhibit B (Implementation Services), and any other goods, deliverables and services to be provided by the Provider to the Customer (i) as described in a Statement of Work or (ii) as described in this Agreement.

A broad definition of services limits the provider’s ability to claim that work is ‘out of scope’ and to demand additional fees.

In addition, the customer must fully understand its own requirements and the capabilities of the services being offered, in order to decide whether any additional features or functionality are necessary. Any additional work needed to enable such features or functionality should be discussed and defined up front, because a cloud computing platform usually offers more limited configuration and customisation options (e.g. a multi-tenant application) so that the provider can manage the services more efficiently and offer a more scalable solution. The definition of services should include any additional work agreed upon to support particular features or functionality.

Fees

A cloud computing service is usually offered on a ‘pay-as-you-go’ or ‘pay-for-use’ pricing structure (e.g. per hour for a virtual machine, per gigabyte of storage per month, or per active user per month). The agreement should allow the customer to both add and remove services, with a corresponding upward or downward adjustment of the fees. Before signing, the customer should negotiate rates for increased and decreased usage, and should try to lock in recurring fees for a period of time (one to three years); thereafter an escalator based on the consumer price index (CPI) or another third party index can be used.

In addition, the customer should identify all potential charges and ensure that the agreed fees cover all of them. For instance, the provider might try to charge additional fees for storage beyond a certain amount of data, or for software updates. The customer should ensure that these are included in the agreed fees.

Term

Because the software and infrastructure are delivered as a service, the customer should, as with any service, be allowed to terminate the arrangement at any time without penalty on reasonable notice (14 to 30 days). The provider may ask for a minimum commitment period to recover its ‘investment’ in acquiring the customer (i.e. sales and related costs). If the customer agrees, the commitment period should not exceed one year, and the provider should substantiate its up-front costs to justify such a provision.

Warranties

Beyond the provider commitments discussed above, there are other protections that are usually included in a cloud computing agreement.

The provider should represent and warrant that:

  • The services will substantially conform to the specifications and, to the extent not inconsistent with the specifications, the provider’s documentation.
  • All services will be performed in a professional, workmanlike and timely manner by adequately trained provider personnel, in accordance with the agreement and the provider’s best practices.
  • The provider will provide the customer with appropriate training on the use of the services, if required.
  • The services will comply with all applicable federal, state and local laws, rules and regulations.
  • The provider will not share or disclose the customer’s data and information in any way to any third party without first obtaining the customer’s express written consent.
  • The services will not infringe any third party’s intellectual property rights, and will be free of viruses and other disruptive code.
  • No litigation involving the provider is pending or threatened that may impede or interfere with the customer’s right to use the services.
  • The provider has full power and authority to enter into the agreement and to grant the customer the rights granted in the agreement.

Publicity and Use of the Customer’s Trademarks

The customer’s reputation and goodwill are substantial and valuable assets, and they are symbolised and recognised through the customer’s name and other trademarks. Every agreement should therefore include a clause covering announcements and advertising in connection with the transaction. Without the customer’s prior written consent, the provider should be prohibited from issuing press releases or making other public statements about the agreement, or otherwise using the customer’s name and trademarks.

Assignment

The customer should be able to assign its rights under the agreement to its affiliates and to other organisations which, through reorganisation, restructuring, divestiture or the like, become its successors or affiliates. To address any concerns the provider has about such an assignment, the customer may require any assignee to assume all of the customer’s obligations under the agreement. Likewise, the customer should ensure that any assignee of the provider agrees to be bound by all the terms and conditions of the agreement, including, without limitation, the service level obligations.

Post-Execution Ongoing Provider Evaluation

The customer and the provider should agree to implement a routine performance review programme, under which the provider is expected to supply the information needed to review the services, notify the customer of any changes to the system, and make any recommendations for improving the service. The customer can then use this information to conduct ongoing risk assessments and decide whether to continue the relationship with the provider.

Final Risk Assessment

When negotiating a cloud computing agreement, a customer with considerable leverage should attempt to obtain the safeguards described above. Where the customer lacks such leverage, however, providers may resist these safeguards and any alteration of their standard contract terms. The customer should therefore not assume that it will obtain any of the safeguards described above.

The customer must then assess the business risks, including whether the services serve a vital business function, involve confidential customer data, or are customer-facing. If the customer cannot obtain the necessary level of protection in the most critical areas of risk, it should consider walking away from the transaction. If walking away is not a realistic option, the customer should concentrate on risk reduction. For example, if the provider refuses to adjust its uptime service level, claiming that it cannot manage different service levels for different customers, the customer can negotiate enhanced remedies and termination rights for a failure to meet that service level. In such a case, where a customer cannot obtain the necessary contractual safeguards and decides to proceed, the ongoing review of the provider relationship described above becomes even more important after execution.

Conclusion

Many organisations, including those in highly regulated sectors such as financial services, are now using cloud services, in some cases hosting their most confidential information there. Cloud computing has become an increasingly attractive option for companies because it exploits economies of scale, commoditised resources, regional delivery and open source software to reduce costs. The question is no longer whether an organisation will move to the cloud, but whether, when it does, it will have the processes in place to balance the risks and rewards of cloud computing effectively.

Cloud computing is not without considerable risk, particularly at a time when organisations of almost every kind are subject to an ever-expanding set of state and federal data protection and privacy regulations, record retention requirements and other transparency standards. This is reflected in one key area of cloud computing that has not yet resonated with enterprises: cloud-based security services (e.g. user access and provisioning, two-factor authentication services, etc.). A recent semi-annual survey of information security professionals at large and medium-sized companies in North America asked respondents whether they would consider using cloud-based security services; fewer than 15% answered that they definitely would.

Although cloud computing risks mainly revolve around the confidentiality, integrity and availability of data, they extend to other key relationship issues: provider transparency, cost control, international data transfers and due diligence. Industry initiatives have been launched to address cloud computing concerns, such as the CloudAudit Working Group, which works to give cloud computing providers a common interface for automating the audit, assertion, assessment and assurance of their cloud computing environments and for allowing authorised customers to access that data. Moreover, since the rights a customer can negotiate with a provider are limited in many cases, industry insiders, privacy advocates and others are calling for legislation and regulation of the cloud computing sector. Even if such safeguards arrive, they lie in the future and are unlikely to address the broad range of risks that cloud computing poses today.

