Tips for Contracting Cloud ServicesWhat Organizations Need to Consider Choosing a Vendor
Cloud services contracts often provide little to no wiggle room for organizations. In planning to use cloud computing services, what steps do organizations need to take before signing any contract? IT security lawyer FranÃ§oise Gilbert offers some key strategies.
Gilbert, a founder and managing director of the IT Law Group, says most cloud providers offer their services with no room for customization, except for their bigger customers. Knowing this, organizations need to approach service agreements cautiously.
To begin, organizations need to figure out if they can enter a cloud contract legally. This means if a U.S. healthcare organization, for example, wants to enter into a contract with a cloud provider, they need to abide by the regulatory requirements of HIPAA, which might suspend them from doing that, Gilbert says.
Next, organizations need to complete due diligence of the service they want. "How good is it? What kind of reputation does it have? Is it reliable," Gilbert says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
Once an organization chooses a cloud provider that's right for them, they need to read the contract and understand it thoroughly. "You have to remember that in most situations, this contract is not going to be negotiable," Gilbert says. "Read this contract and understand it."
Organizations need to be on the look-out for other issues as well, such as liability. "What happens if there's a problem," Gilbert says. "What will the company do?" For example, organizations should look to whether the cloud provider has a warranty on the data it's storing, and if it's lost, if they reimburse the organizations or not. "You should understand the consequences," she explains.
In the interview, Gilbert also discusses:
- Common mistakes user organizations make when entering into a cloud computing contract;
- Data ownership of information placed on a cloud provider's server;
- Essential steps user organizations should take when contracting for cloud services;
- Contractual clauses that should be in contracts to protect the user organization.
Gilbert specializes in information technology, Internet, IT security and privacy law, and counts a number of Fortune 500 and other global companies as her clients. She has taught technology and data protection law in the Graduate School of Health Information Science at the University of Illinois in Chicago since 1992, and has been a frequent guest speaker at John Marshall Law School in Chicago and at the Silicon Valley Center for Entrepreneurship at San Jose State University in California. Gilbert, who serves on the board of the International Technology Law Association, speaks worldwide to industry and legal groups on privacy, security, risk management, outsourcing, information technology and e-business law.
Gilbert has earned law degrees in Chicago and Paris, and earned undergraduate and graduate degrees in mathematics, engineering and education from the University of Paris and University of Montpellier, both in France. She also is an accredited as Certified Information Privacy Professional.
ERIC CHABROW: Many managers that approach cloud computing are aware of its technical and financial benefits, but often don't think of its legal ramifications. Why is such an approach risky?
GILBERT: It's risky because the contracts that we see for cloud services are most of the time very much one-sided. If you don't pay attention to the contract that you sign, or the one you click on the web, you will find yourself in a situation that's not really what you thought it was going to be. This contract can be terminated at any time. The terms can change any time. The price can change at any time. That's not really what the typical company expects when buying services.
CHABROW: One of the things that struck me - that you said - was that they just click on an agreement. So this is the same kind of agreement that seems to some users as though they're going to use Adobe Acrobat?
GILBERT: Yes, people are used to clicking on anything when they go on the web because they're in a hurry and they want to download this or that, and so there's a user agreement, and they're so eager to get the next app or the next game, that they click on that agreement. They do the same thing, unfortunately, when they're buying very serious, very significant cloud computing services for their company, and they click on the user agreement or the customer agreement or the terms and conditions - you name it - without often paying attention to the terms of the agreement.
CHABROW: That's one mistake that people make. What are some of the other common mistakes that organizations make, from a legal perspective, as they pursue cloud computing contracts with service providers?
GILBERT: The first mistake is that some people use cloud computing when they should not. They ignore the laws to which they are subject. For example, when you're a regulative company, you cannot just go into a contract without any process. As an example, the healthcare industry uses a service provider, and the service provider is often deemed a business associate. And there are rules. You cannot just enter a contract with a business associate by clicking on a document ... without any reference to these restrictions. Business associate agreements have a number of clauses and they have provisions that are dictated by Heath and Human Services. You have to have these provisions. If you go on Amazon and you click on the Amazon contract, there will not be any provisions to meet these requirements.
I've heard companies in particular in the healthcare field that are using cloud services and I question [if] they thought about the fact that this is regulated and you have to have a business associate agreement. And it applies in other circumstances.
I used the example of a regulated entity, but take just a simple company. Under California law, there's a requirement that if you're going to use a service provider connection with the processing of certain types of information, such as Social Security numbers, record information, health information, you have to have a specific written contract with that service provider that has specific security measure requirements.
CHABROW: Service providers that provide a contract online, are they reluctant to deal otherwise, or if they're contacted, they're more than willing to start negotiating terms?
GILBERT: It depends, because one thing that's very important to understand in the cloud computing business model is that it's big business. It's like reaching from the flower shop around the corner and going to the big store. They have a different business model. The business model is to treat the customer in a very generic way. They will use the economy of size to use the fact that they have a "zillion" servers and they put everybody in there. Their business model is different. It's not that they're bad people who don't want to be nice to their customers; it's just that it does not fit in the business model.
For example, I store videos that I do for my work - training videos - with a service provider, and the cost is about $2 a month. What did you expect to get for $2 a month? You can't expect to get very significant security. It's a give and take, and you have to understand that if you pay such a small amount to store your data, you cannot be buying the services of Fort Knox, for example.
CHABROW: Is there a problem at all about who owns the data, and is that discussed in these contracts?
GILBERT: It's not discussed in these contracts very much. The service providers request to have access to the data and to be able to use the data in connection with the provisional services. They usually don't claim ownership of the data. Frankly, I think they don't really care, unless there are specific entities that would like to mine the data for advertising purposes. It depends on the type of hosting that you have. If you are a business and you're hosting your e-mail with Microsoft or with Google, this is one situation. If you're an individual and you're hosting your videos with YouTube, it's a different situation, because on one end, you pay, and on the other one it's free. So those service providers, those cloud providers who provide services for free, tend to want to have an ownership of the data. Look at, for example, what Facebook is doing. In this case, there may be questions about who owns the data and who wants to take ownership of the data. In the business world, it's less of an issue.
Essential Steps in Contracting Cloud Services
CHABROW: What are some of the essential steps an organization should take when planning to use cloud computing services from a legal perspective?
GILBERT: The first thing to do would be to figure out if they can legally do that, and if there are any legal requirements that suspend them from doing that. I gave you earlier the example of the HIPAA regulated entities; definitely they should take a look at what they're doing because there are restrictions. It's not just for the regulated entities; there may be circumstances where the company has made representation, so it has agreed in the contract to do certain things such as not to use service providers. They can't do that if they made this commitment not to use a service provider. That's the first thing to do. Do your own due diligence and figure out whether you can do what you want to do.
The second one would be to do due diligence of that service that you want. How good is it? What kind of reputation does it have? Is it reliable? For example, we've seen a number of outages with companies. If you have ... data that are very sensitive, that are very important to you, you may decide not to use the cloud now, because you may be concerned about outages. On the other end, if you use cloud just for basic storage purposes, then maybe that's okay. If there's an outage and you lose data for a day, it may not be important to you. Look at what other companies offer and whether that fits with your own business model.
Then, once you have identified the right company for you, the next thing is to read the contract and understand them. You have to remember that in most situations, this contract is not going to be negotiable. There are cases where the contracts are negotiated, when it's a big deal and it's a large enough deal that the cloud provider is willing to open up. But in most circumstances, the contract will not be negotiated. It will be whatever you find on the web. Read this contract and understand it.
For example, in looking at a few contracts in preparation for this interview, if you take an Amazon AWS [Amazon Web Services] customer agreement, the current version, this contract may change and continue at any time. This is very important because if your data and the service changes, what do you do? There are provisions that are very important. One day you pay $2. The following week, it's $20, and you have to accept the fact that the price can change and you only have 30 days to move your data and find a place to host your data. So that's something to think about.
And there are other issues. For example: liability. What happens if there's a problem? What will the company do? For example, the Google Apps contract - in that contract, the liability of the company is limited to 12 months worth of fees that you have paid. It's very typical and I have seen that many times in other circumstances with other contracts. But going back to my example - my $2 storing of my videos - if Google loses my videos, 12 x 2 = $24. That's all I can expect. If all of my videos are gone, I'll get $24. Can I live with that or not? It depends on the situations; it depends on what you want to do with your data. But you should understand the consequences. If you look at the Amazon contract, there's no warranty at all. The services are provided as-is. In this case, if they lost my videos, I would get $0, not even $24.
CHABROW: This would include if they're hacked in some form?
GILBERT: Hack, or a computer that crashes and just loses the data. These things happen. Technology is wonderful but it's not totally magic. Sometimes there are some things being lost.
CHABROW: Are there any kinds of contractual clauses that an organization could ask the provider to have in the contract?
GILBERT: Oh, many of them. That depends on the negotiation power, how much bargaining power the company has. But definitely, I would be concerned about the pricing. For example, a change in price may be something that would be important. Or making sure that, if there is a change in price, that there's a cap that they can change the price up to a certain amount. That's a better provision. In terms of warranty, you would want to ask that service provider for a warranty of its services that will provide the services in accordance to the description that it set for itself. For example, if you look at the Google contract - I know I said that Amazon doesn't make any warranties - Google does make a warranty. They warrant that they will provide the services in accordance with their own software service level agreement. These are things that should be in a contract.
CHABROW: It sounds like, unless you're in an organization of some size, and I'm not quite sure what that size would be, you may not have very many options. Basically, you take what's provided in the contract and you have to do your risk management assessment to see if it's worth doing.
GILBERT: Yes, exactly, and there's nothing wrong with that. It's just that it's a different world, it's a different offering and there's a price for everything. Remember, if you don't use the cloud, your storage, your service, your apps, your applications, all of that will very likely cost you more. So there's a financial savings, but there's no miracle. The savings comes to the detriment of something else.