Image

Be Bright about Cloud Computing

Dec. 7, 2011
Getting benefits from offloading IT responsibilities requires you to understand what you may be giving up.

Fifty years ago, a technologist remarked, “If computers of the kind I have advocated become the computers of the future, then computing may someday be organized as a public utility just as the telephone system is a public utility.”

With all the hype that has surrounded the launch of cloud computing in the past several years, it is amazing to think that some of its fundamental concepts are so old. At its core, the premise of cloud computing is this: it is no longer necessary for individuals and businesses to maintain private, closed IT systems to meet their computing needs.

Instead, cloud computing promises to meet those needs through on-demand access to a shared pool of computing resources that can be provisioned with minimal management by the consumer and minimal interaction between the consumer and provider.

If a technology can meet the promise of being as dependable and inexpensive as utility services, legal concerns will most certainly be diminished. Contrast 1) the last time you felt your software vendor overcharged you or underperformed with 2) the last time you had a contractual dispute with your electric company or switched natural gas providers.

Keep in mind, cloud computing providers are not public utilities. They are private entities and the legal rights and protections of the customers of such entities are governed almost entirely by the contracts that the customers negotiate and agree to. There is no public service commission or similar body charged with regulating cloud providers. So, before you simply sign the “standard” contract or hit the “I accept” button to a “click wrap” agreement that you most likely never actually read, it’s worthwhile to consider the laws and legal principles that govern such contracts.

Service, Not a License

Even though cloud offerings have been around for a few years, the transactional model and contracts governing that model are still a bit unfamiliar. Many IT professionals and lawyers are familiar with contracts for the purchase or lease of hardware and for the licensing of software. Hardware contracts are, fundamentally, contracts that transfer ownership or rental rights in real property from one party to another.

A software license is a grant of rights to the buyer of the intellectual property rights (copyrights mostly) of the software vendor. But when a cloud offering is purchased, the vendor does not (except perhaps for some client software) leave behind a copy of any software that is installed on the buyer’s IT system. So, what rights does the buyer receive? Simply, the buyer is purchasing a service and has the right to receive the service in exchange for payment.

Typically, a cloud service agreement grants the buyer the right to “access and use” the “Service” in accordance with the terms and conditions of the agreement. When the service agreement expires, the buyer generally has no rights to use any of the vendor’s software. Table 1 provides a comparison of a software license with a cloud service agreement with respect the following provisions: grant of rights, installation, pricing, maintenance and support, escrow, service level agreements (SLAs), and data management and security.

Do I Still Own “My Data”?

The sea change from conventional IT to cloud offerings is the loss or reduction of control of data and content (collectively “data”). If you keep your data and software on local drives (with remote backups in roughly the same geographic area) the location of your data is known. In a cloud offering your data leaves your local system and is placed in the possession of the provider.

Where in the cloud that data is stored may or may not be known. The data may even leave its country of origin. Depending on what data is being transferred, knowing the specific location or jurisdiction of its residence may not matter.2 What most customers assume though is that the transfer of possession of the data does not result in a loss of ownership of that data. Generally, this is true. However, provisions regarding the rights of vendors to use and disclose data provided to them by customers vary widely.

In some cases, buyers may be surprised about the broad scope of rights that vendors grant themselves in contracts to use and distribute data provided to the vendors by their customers. In extreme cases, customers may actually lose rights in their data. So, reading the “fine print” matters here.

Data Security, Privacy and Maintenance

The loss of location control of a customer’s data is also accompanied by a loss or reduction of access control of the data. After all, your data is sitting on someone else’s server. Who is ensuring that only authorized persons access the remotely stored data?

While an assumption could be made that the responsibility of controlling access to the data falls on the vendor, cloud services contracts commonly limit the vendor’s legal obligations to maintain data securely. Thus, all buyers of cloud offerings need to either find a provider that offers an acceptable level of security or negotiate security provisions appropriate for the type of data being provided to the vendor. And, of course, “get it in writing.” In some circumstances, security concerns may rule out using a cloud offering.

Data privacy laws vary widely from country to country. In the U.S. there are some federal laws that relate to financial information and medical information. There are numerous state laws as well, particularly related to notification of security breaches. The subject of privacy is too large to adequately address in this article, but cloud computing creates another layer to consider when attempting to comply with privacy laws.

For example, a breach of security at a cloud provider holding data belonging to customers of a service buyer could trigger a breach notification requirement on the part of the buyer. So, it is critical that the impact of transitioning from an in-house system to a cloud offering with respect to privacy issues be considered and appropriate provisions be negotiated with the provider; for example, an obligation of the provider to report security breaches to the buyer.

Data maintenance is a related subject and covers the maintenance of the data while the services contract is in effect and after its termination. Data maintenance helps reduce risk against such events as a storage failure that erases data. Appropriate contract provisions related to data back up must be considered. In addition, a contractual provision for obtaining the buyer’s data back from the provider after termination should be included in nearly all cloud computing contracts.

Dude, Where’s My Warranty?

In the author’s opinion, particularly in comparison to other industries (for example, the automotive industry), the warranties provided by most technology companies are slim. Buyers won’t see a “five year or 50 billion mouse clicks” warranty touted in the “model 2012 releases.”

When looking at warranties for cloud offerings, buyers will find similarly pared down warranties. However, in some cases vendors have moved to “as is” provisions, meaning the services are provided with no warranties at all. Such disclaimers are tolerable for individuals spending $9.95 a month, but when vendors charge fees of tens of thousands of dollars per year or per month, disclaimers of all warranties are unacceptable.

Again, reading the fine print is required and negotiation may be needed to obtain a warranty that matches the expenditure being made.

Final Thoughts

While the paradigm is different, protecting yourself when purchasing a cloud offering requires exhibiting the same vigilance as one would use in other commercial transactions. Read the contract, understand what it means, and negotiate its provisions to obtain the best possible outcome.

Derek Stettner is a partner in the Intellectual Property Practice Group at Michael Best & Friedrich LLP. He can be reached at (414) 225-4947, or by e-mail at [email protected].