United States: Five Practice Pointers: Risk Allocation In Enterprise Cloud Service Agreements

Outsourcing information technology functions to the cloud entails risk for both companies and cloud service providers, especially when sensitive data is stored in the cloud. Sensitive data carries business risk and may be subject to a host of legal and regulatory requirements. Cloud service agreements, which typically use the cloud service provider's forms, do not by default align enterprise risks with provider obligations.

Risk allocation may shift based on a variety of factors, including the cloud service model (Software as a Service, Platform as a Service, or Infrastructure as a Service), deployment model (public, private, hybrid, or community cloud), and the data being hosted. The degree to which a cloud transaction can be negotiated likewise varies, so companies should involve legal counsel early in the procurement process to help tailor their agreement to fit the organization's risk profile. At a minimum, such tailoring includes clearly documenting the cloud service provider's responsibilities (particularly those related to both data privacy/security and allocations of liability), and providing for meaningful remedies in the event of a breach of contract.

As part of our year-end review series, below we provide five practice pointers regarding provider responsibility in enterprise cloud service agreements. Cloud service providers should (1) furnish evidence of data security standards and promise compliance with applicable laws, (2) indemnify enterprise customers against major risks, (3) accept higher limitations of liability for major risks where the provider is at fault, (4) carry adequate insurance, and (5) acknowledge customer ownership of data and limit use of that data to contractually stipulated purposes.

  1. Representations and Warranties

Boilerplate cloud service agreements may not obligate cloud service providers to maintain robust data security procedures and practices. While a lower level of security may be acceptable for an entry-level service (such as Software as a Service deployed through a public cloud) when sensitive data is not involved, higher levels of security should be required when sensitive data is at issue. Stakeholders should carefully review the cloud service provider's data security standards to ensure alignment with the risk tied to the data. The information security team should measure the provider's standards against the company's internal standards, and business stakeholders and legal counsel should assess whether the provider's standards meet applicable business and legal requirements.

Many cloud service agreements contain provisions obligating the provider to implement "reasonable security measures," but this standard is vague and can be difficult to enforce. Similarly, many cloud service agreements reference third-party information security certifications such as ISO 27001 (a set of requirements for an information security management system). Third-party data security certifications merely serve as a starting point for a thorough review of the provider's data security practices. Companies should request copies of the cloud service provider's internal data security policies, which could be provided subject to a non-disclosure agreement.

Audit provisions grant companies the right to monitor the provider's security practices. Companies may find it difficult to obtain first-party audit rights (such as site visits and penetration testing) given the shared environment of the cloud implementation. For example, allowing penetration testing by one customer may constitute a breach with respect to other customers. Further, the cost of auditing, even when permitted, may be prohibitive. Regardless of whether first-party audit rights are available, companies should require their providers to verify operational integrity via third-party audit results, such as SOC 2 Type II reports (which evaluate a service provider's information systems based on principles such as security, confidentiality, and privacy).

Several key warranty provisions should be sought in addition to a general warranty of adherence to industry best practices. For one, cloud service providers should warrant that they will comply with all laws and regulations applicable to them. Consider expressly naming any laws of particular relevance in the agreement.

Cloud service providers also should warrant that their technology does not infringe the intellectual property (IP) rights of any third parties. A provider's cloud technology may involve a complex interplay between systems and network appliances, proprietary technology, licensed third-party software and open source software. As the architect of the service, the provider should bear the responsibility for establishing their IP rights and for protecting their enterprise customers against any potential infringement claims.

Finally, cloud service providers should warrant that they will provide notice of material confidentiality and security breaches to companies. Companies may have a duty to notify affected individuals of such breaches if required by state breach notification laws or other applicable privacy laws. Regardless of the cloud service provider's culpability for a breach, providers often detect breaches first. As such, they should inform companies of breaches upon actual knowledge or reasonable suspicion of a breach.

  2. Indemnification

At a minimum, cloud service providers should provide indemnification against gross negligence or willful misconduct by the provider's employees and subcontractors. More generally, providers should provide indemnification against provider errors that give rise to high remedial costs.

Breaches of confidentiality and security can be expensive. Although some breaches may be attributable to the provider's failure to comply with contractual requirements or applicable laws, other breaches might not rise to this level. Draft the indemnity provisions based on the level of responsibility attributable to the cloud service provider. Companies can seek a higher cap for costs and expenses of a breach attributable to provider fault, and a lower cap for other breaches.

Consider the difference between first-party and third-party costs when the provider is at fault for the breach. When a breach occurs, companies incur significant first-party costs for providing notice to affected individuals, as well as from credit monitoring services, call center staffing, forensic investigation, legal counsel, and reputation management. Accordingly, the agreement should contemplate coverage of first-party costs (especially for notice and credit monitoring) and third-party claims when the provider is at fault. Reserve the right both to control the distribution of all required notice and to choose a reasonable provider of credit monitoring services.

Cloud service providers also should indemnify companies against IP infringement claims and remedial costs arising from violations of law. While a provider's boilerplate language may only provide protection against claims of copyright infringement, IP indemnity provisions should cover all potential IP claims. Patent infringement suits are particularly expensive, and increasingly frequent in the cloud context. Likewise, companies should not bear the costs of remedying any violations of the law caused by the provider. Both parties should accept financial responsibility for compliance with all applicable laws and regulations.

  3. Limitation of Liability

The baseline limitation of liability cap typically reflects some multiplier of fees or a fixed dollar amount. Cloud service provider liability for fraud, gross negligence, and willful misconduct usually is not capped. Consider a carve-out approach to address breaches of confidentiality and security, IP infringement, and violations of law. Be careful to ensure that no other provisions in the agreement limit the amount recoverable under the carve-out. The agreement can specify a higher cap if the breach is attributable to the conduct of the provider and a lower cap for other breaches, but this approach demands a clearly defined set of provider obligations concerning data security and confidentiality.

Recently, some cloud service providers have hesitated to reimburse the costs for notice and credit monitoring services to a company's customers following a data breach attributable to the acts or omissions of the service provider. The providers considered these costs to be included in direct damages. Ensuring that the responsibility for these costs is clearly defined in the agreement can help avoid complications in the event of a security breach.

Where cloud service providers bear responsibility for IP infringement, they should in turn bear the costs for resolving infringement claims. Depending on the limitation of liability cap for IP infringement claims, the customer may want to retain control of any lawsuits.

  4. Insurance

If a cloud service provider does not maintain sufficient liquidity, appropriate insurance coverage improves the likelihood that the customer will be reimbursed for costs associated with a qualifying event.

Commercial general liability policies typically do not cover costs associated with technology-related errors. Accordingly, cloud service providers should carry a commercial blanket bond to cover any grossly negligent acts or willful misconduct by the provider's employees, and coverage for technical errors and omissions also should be sought. In terms of coverage amounts, risk management teams can identify threshold dollar figure requirements for each type of coverage.

Where appropriate, the company may request to be named as an additional insured on the cloud service provider's policies, allowing the company to pursue reimbursement directly from the provider's insurance carrier. Additionally, companies may seek a waiver of subrogation to prevent subsequent lawsuits initiated by insurers to recover costs from the party deemed to be at fault. In some cases, the willingness of a provider to meet such insurance requirements may be conditioned upon the company carrying similar coverage.

In addition, companies should consider obtaining cyber risk insurance to protect against losses associated with data security breaches, theft of personal information, data loss or destruction, and denial-of-service attacks. Cyber insurance policies offer a range of coverage, so companies should carefully weigh coverage needs against anticipated risk.

  5. Data Ownership and Use

Ownership and data usage rights should be clearly defined in the cloud service agreement. Cloud service agreements frequently include provisions granting the provider a license to use the customer's data for analytics and service improvement purposes. The agreement should distinguish between using company data or metadata in an application that allows the company to evaluate cloud service performance and using such data in other applications or for other purposes.

Cloud service providers also frequently indicate that they will aggregate and/or de-identify customer data. Companies should determine the specific method(s) of de-identification or anonymization utilized by the provider. Note that data sharing by providers with third parties (such as analytics companies and advertisers) may risk violating a company's confidentiality obligations, so carefully evaluate the implications of granting any permissions to the provider in this respect. Consider allowing the provider to use company data only for purposes absolutely necessary to the provision of the service, while prohibiting all other uses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
