It would be difficult to miss the emergence of "cloud" as the current technology buzzword. Despite recent articles in the press highlighting how cloud computing will transform business, many lawyers remain cautious about the barriers and challenges associated with its implementation.
However, by looking more closely at what your organisation is trying to achieve, and by establishing a checklist for likely issues, those issues can be dealt with by in-house counsel sensibly and the advantages of cloud computing can be realised.
WHAT IS IT, AND WHY IS IT RELEVANT TO ME AND MY ORGANISATION?
If you use Hotmail or Twitter, buy from Amazon or on eBay, or use business applications such as Salesforce.com, you are already a cloud user.
Cloud computing is simply internet based computing (hence the cloud motif – the typical representation of the internet). The clever bit is that it is the ultimate "thin client," in that the user is able to use applications, handleand store data (all of which has been sent and received across the internet), which is stored in the most efficient and cost effective data centre locations.
Benefits of cloud computing to your organisation include:
- being low cost (pay as you go model, which avoids high initial investments and on-going upgrade fees);
- increased flexibility;
- support and maintenance, as required; and
- continuous improvement.
CONFUSION AS TO WHAT THE "CLOUD" REALLY IS?
To solve this:
- use the NIST definition http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
- be clear about what type of cloud you mean, Software as a Service ("SaaS"), for example, is very different from Infrastructure as a Service ("IaaS"); and
- appreciate the vendor's perspective (multi-tenanted, subscription based, utility service) and that cost savings are achieved through commoditisation at the supplier's end.
There is still a "service" and, consequently there are still rights, remedies, payments and an agreement to supply (although often not on a long-term basis) as well as an expected level of performance which you are paying for.
CONTRACTS PLAYING CATCH-UP
Some suppliers admit that they are still working out how to price virtualised and cloud offerings and this is reflected in the variety of divergent contractual terms on offer. Similarly, customers are unsure how to buy cloud offerings – is a standard outsourcing precedent the right starting place?
A number of providers are simply updating their previous ASP and SaaS terms, but often these feature service provision on an "as is" basis, limited data security provisions and limited remedies for breach of obligation.
This is fine for low value data and commoditised services in the SaaS space but this will not be sufficient for enterprise-grade system requirements. In such circumstances, customers will be concerned to avoid provisions that lock the customer into one provider, provide limited remedies if issues arise or feature limited data security obligations.
As in-house counsel you have an important role to play in negotiating a contract that works for your organisation (or drafting your sales terms if you are a cloud vendor). The only way to satisfy yourself that the cloud works for your organisation is to negotiate a suitable contract which clearly sets out your concerns and what happens if an issue arises.
A major concern for customers seems to surround data – personal information and the security of personal information. Potential users worry where their data will be located, whether it is split, what other data is held in the same place and whether there is a danger of crosscontamination (not to mention who owns the data).
Vendors, on the other hand, have plenty of evidence to say that the cloud is actually more secure than most traditional in-house systems.
NEGOTIATE A CONTRACT THAT WORKS – A SUGGESTED CHECKLIST
Practically, there are ways for customer-side in-house counsel to improve, or at least have some control over, the security offering. These can be worked into due diligence on the provider and the subsequent terms of the contract. These include:
- research on the hosting company and finding out which third parties that supplier works with to provide the services (and whether they can access the data);
- identifying in what jurisdiction(s) the data will be held and whether this complies with Australia's privacy laws;
- ensuring security vetting of staff;
- conducting an independent audit of the security measures currently in place (frequently throughout the contract term, not just pre-contract);
- determining whether it is possible to impose your organisation's security requirements (although this may be difficult where the supplier is serving several customers);
- confirming which third parties have access to the data;
- adding warranties regarding security;
- determining the physical security measures in place – i.e. how secure is the building against a break in? What access does the customer have the physical building? Is it going into a shared space or a dedicated area for it alone?;
- location of the premises for the data centre. It's important to be fully aware of such details in the event of, for example, a natural disaster. A recent flood in Italy destroyed several data centres;
- ensuring there is a policy for back-ups. Lost data is not secure data! Who does this, how and how often? In a DR/BC situation, what is the speed of response? Is the supplier over committing DR/BC by promising services to numerous customers?;
- confirming a step-in policy – the only time that DLA Piper has invoked step in for a client related to a data centre where the supplier had failed to make critical back ups;
- data protection – currently most SaaS providers use standard terms which should be reviewed for compliance with the security related requirements of the Privacy Act and sector specific (eg financial services organization requirements); and
- new legislation – rights to change the way the data is treated should new legislation or circumstances require).
Beware, however, that the cloud is a matrix: costs increase as customisation increases.