In the past few weeks we have explored how cloud computing procurement can go wrong and how an adjusted approach to the same situation can result in a beneficial outcome.
However, we ended last week’s post with a disclaimer — there are a number of pitfalls that you must be wary of when entering into a cloud computing contract. Even experienced strategic commissioners can easily find themselves tripped up by somewhat unique cloud computing contract terms.
Because the cloud is still in its infancy, there is very little in the way of cloud case law to reveal whether or not the Courts will reject these contract terms as unreasonable. When combined with a provider’s (unsurprising) unwillingness to concede any express term that is in its favour, you have a recipe for poorly balanced contracts.
With the above in mind, I want to reveal a number of potentially damaging terms that you may find in cloud computing contracts.
Responsibility and Liability in Cloud Computing Contracts
But before I get onto that, I first want to outline the key differences between “old world” strategic commissioning contracts and “new world” clickwrap contracts.
Whilst the British legal system can provide help in protecting buyers from onerous contract terms, cloud computing is a brave new world. If you’re not too careful, you can be staring down the barrel of complete responsibility and liability in service delivery.
In the table below are twelve key contract points (or “risk items”) and the differentiation between “traditional” strategic commissioning contracts and cloud contracts:
[table id=1 /]
In reality, you can ensure that a lot of these terms are turned in your favour by following the advice offered in the previous two posts in this series. The key is to be extremely wary of clickwrap contracts and aware of what the provider may try to enforce.
5 Common Cloud Contract Terms to Look Out For
Now let’s move on to some specific contract terms that you will find in many cloud computing contracts. Over a three-year period from 2009, Queen Mary, University of London conducted the Cloud Legal Project (CLP) in an attempt to unearth common cloud provider terms. Their findings were rather alarming.
1. Data Confidentiality and Integrity
Improved physical and data security is a key driver for moving to the cloud, but in many cloud contracts, responsibility for data confidentiality and integrity is expressly placed upon the customer.
The impact of this is potentially devastating — the contract expressly negates provider responsibility, and as the buyer, you cannot contract out of your legal, statutory and industry compliance obligations.
2. Data Storage Restrictions
Customers often hold sensitive or personal data subject to data protection legislation. Public sector bodies are particularly exposed to data protection and freedom of information obligations, including where in the world the data resides.
In spite of this, many cloud contracts do not specify any restrictions on data location. And even when the option is provided, there is usually no warranty. Given the nature of virtual machines, files can be easily moved around the world. Not only does the customer have no real idea of where data is being stored, it remains liable for any discovered data protection non-compliance.
None of the 31 contracts that were studied as part of the CLP offered a refund of charges as a remedy for negligence or failure. The best compensation on offer was either service credits or one month’s charges.
The impact of this should be plain. RBS’ problems in the summer demonstrate how organisations can suffer severe financial and reputational loss when their IT fails them, but many cloud contracts major on limited liability.
4. Changes to the Terms
Many cloud contracts can be varied unilaterally by the service provider simply posting new terms on their website, with the onus being on the customer to keep abreast of changes. This is completely contrary to traditional strategic commissioning contracts, in which terms would generally remain in place for the lifetime of the agreement, unless they were varied by mutual agreement.
The effect that this could have on you is of course completely dependent upon the nature of any changes made to the contract terms, but this kind of exposure should be considered unacceptable.
5. Dispute Resolution
Around half of the contracts studied were governed by US law and gave the provider their home court as the exclusive jurisdiction to hear any disputes. If the worst does happen, fighting an action overseas can quickly become expensive in terms of expended money and time, not to mention the potential effect on the business.
Furthermore, aspects of UK law that assist the customer, such as being able to imply terms into an unfair contract or the ability to challenge unfair express contract terms, may not apply.
Unique Challenges in a New World
Cloud computing is likely to become more and more popular in the future — the potential benefits are huge. That is of course why so many organisations are moving to the cloud. However, one must step very carefully and ensure that exposure to risk and liability is always kept at bearable levels.
If you would like to understand more about cloud computing procurement, download our free white paper: How to Successfully Contract for Cloud Services.