As we discussed in our last installment about “the Cloud,”[1] cloud computing is a computer networking model that gives users on-demand access to shared software applications and data storage. The Cloud offers businesses a flexible, low cost alternative to hardware-heavy IT infrastructure traditionally needed to operate a technology system. For example, by storing your data off-site, you may be able to drastically reduce the size of your server room, realizing cost savings in HVAC expenses and in physical hardware and upgrades, while also reducing your company’s carbon-footprint. Further, off-site storage offers more rapid disaster recovery, allowing your business to get back up and running in a matter of hours or days rather than weeks or months. The Cloud also takes the guess work out of determining what your IT needs will be in the future – as your business grows (or contracts) you can adjust your Cloud needs accordingly and with relative ease and low cost.
Nevertheless, an important consideration before leaping head-first into a cloud services agreement is negotiating the finer points of the contract. This article sets forth some of the more important contractual provisions you’ll want to be aware of, namely:
1. Liability for Stolen Data
Your company is entrusting the cloud provider with the safety and security of its valuable information. As we reported recently, data security breaches are becoming common and adversely affect more than just the company whose system was compromised. Indeed, the recent Epsilon data breach shows that stored data remains highly vulnerable to cybercriminals. Data involving your clients’ personal information is particularly appealing for hackers. An invasive hacking event that results in the theft of customer data could have a disastrous effect on the company’s goodwill, while also requiring the company to comply with potentially expensive state and federal data breach notification laws, expose the company to civil lawsuit, and perhaps cause the company’s eventual demise. Despite these dire consequences, many cloud providers limit their liability for stolen data. Experienced counsel should be hired to assist your company in negotiating an indemnification clause for losses that are caused by the cloud provider’s negligence or the wrongdoing of its employees.
2. Release of Data
Cloud providers are allowed to release your company’s stored data pursuant to a government order. While it may be impossible to prevent such disclosure, your company can demand a contract term that requires the cloud provider to promptly notify your company when someone seeks access to your company’s stored data.
3. Physical Back-up
We all know that technology may, at times, fail. Whether it is a natural disaster, sabotage, or simple negligence, cloud providers’ data systems are not fail-safe, and alternatives are needed in case your cloud provider’s system crashes. Thus, it is important that your company negotiates a contract term that requires physical copies of your stored data to be maintained. These physical copies could take the form of paper, tape, or disc backup, and may be maintained at a third-party warehouse or on your company’s site.
4. Modification of Content
Cloud providers may also modify data that your company stores in their cloud, which could negatively affect your company’s ability to switch to another cloud provider at a later date. It is therefore necessary to negotiate contract terms to ensure that your company’s data remains in a form that is accessible to you.
There are many other considerations that may be relevant to your business[i]particular use of the Cloud including insurance coverage, international restrictions on cross-border data transfers, employment issues, etc. Simply signing a boilerplate cloud services agreement without first negotiating the small print could have disastrous consequences for your company. Hiring experienced counsel to negotiate the terms of your Cloud contract is therefore advisable.
Fernando M. Pinguelo, a Partner at Norris, McLaughlin & Marcus, P.A. and co‐Chair of the Response to Electronic Discovery & Information Group at the firm, is a trial lawyer who devotes his practice to complex business lawsuits with an emphasis on how technology impacts them. Mr. Pinguelo founded and contributes to the ABA Journal Award‐winning blog, eLessons Learned– Where Law, Technology, & Human Error Collide (www.eLLblog.com). To learn more about Mr. Pinguelo, visit www.NYLocalLaw.com or email him at info@NYLocalLaw.com.
Bradford W. Muller, an Associate with Norris McLaughlin & Marcus, P.A., and a member of the Litigation and Internet Law groups, has been published in scholarly journals on numerous topics, including cloud computing, real estate, and appellate practice. He, along with Mr. Pinguelo, spoke at a symposium on their article titled “Virtual Crimes ‐Real Damages: Challenges Posed By Cybercrimes in the U.S. and Efforts to Combat Cybercriminals,” at the University of Virginia School of Law, in conjunction with “A Primer on Cybercrimes In The United States and Efforts to Combat Cybercriminals ‐50 State and Federal Cyber Law and Proposed Legislation Survey,” University of Virginia School of Law’s Virginia Journal of Law and Technology. Download a complimentary copy by clicking SSRN
[1] Fernando M. Pinguelo and Bradford W. Muller, Avoid the Rainy Day: Survey of U.S. Cloud Computing Caselaw, 2011 B.C. Intell. Prop. & Tech. F. 011101, available at SSRN.