Martin Kratz is trying really hard not to be a party pooper.
It’s mid-morning at the Brookstreet Hotel just outside Ottawa, where a group of service providers, consultants, and other experts have gathered for a conference called “CloudLaunch.” They are discussing the promise of cloud computing in Canada and how widespread adoption could be accelerated. There has already been a considerable level of hype and optimism, and it’s not even 11 a.m. yet. That’s when Kratz, head of the intellectual property group at Bennett Jones LLP in Toronto, takes the stage to patiently explain why so many organizations are increasingly wary about the risks involved in cloud computing contracts, and why the companies that provide such services are going to have to make some major changes in the way they operate.
“When you have relationships, you’re going to have divorces,” Kratz says bluntly when he talks about the need for an effective exit strategy before an agreement is signed. “Right now many organizations are still in the ‘romance’ phase.”
That’s putting it mildly. Whether it is seen as a cost-saving maneuver, a productivity booster, or a means of maximizing IT resources, cloud computing has become the approach advocated by all kinds of technology vendors, primarily through what are called software-as-a-service or infrastructure-as-a-service offerings. Suppliers once satisfied with selling software that resides on a customer’s servers are now using every marketing trick at their disposal to encourage them to move to a subscription-based model whereby applications or other technologies are hosted in their own data centres and provided on an as-needed basis. To a certain extent, they are making headway. In a recent webinar hosted by Stamford, Ct.-based technology market research firm Gartner Inc., research director Ed Anderson predicted that, within the next two years, 57 per cent of organizations across North America will consider moving applications to a cloud computing model.
“We rarely have a conversation these days with either an IT service provider or an end-user organization who is not having a discussion about cloud,” he said.
The only problem is, according to even the most ardent cloud proponents, in-house counsel is often left out of those conversations until it’s too late. Important information about what data will now reside with a provider — and where that provider is located — is left with IT or other parts of the business who set up agreements on their own, according to Kratz. Risks are not properly evaluated, and sometimes the implications for IT security are not properly understood. Contract terms are often non-negotiable, with limited warranties that exclude provisions for data loss, data corruption, or loss of service. And even when corporate counsel are brought into the loop, they’re not always prepared to offer the best advice.
“I think the challenge for in-house counsel is that they are rarely specialists. You’ll have one GC who is very experienced but not necessarily in the specifics of something like cloud computing,” says Edward Fan, a lawyer with Torys LLP who gave a presentation to in-house lawyers on the cloud in September. “Without an awareness of what the major issues are, or being part of specific conversations, there can be things that get lost in translation.”
Charles McCarragher can sympathize. As senior counsel at TD Bank Group, he focuses exclusively on technology law, and he acknowledges that in most small or mid-market firms, in-house lawyers wear many hats. However, some things about service level agreements and audit requirements around cloud computing are reasonably standard.
“It’s a commercial contract. To the extent you’re familiar with those traditional areas of law, it will be familiar to you. It’s not that new in this context,” he says. “It’s more about what are you asking the vendors to do in relation to the uptime of their systems, the break-fix they’ll do, and so on. Those are things that are not necessarily intuitive unless you’ve done them before. It takes some knowledge of the industry.”
Depending on how you define it, McCarragher says, TD Bank has been using cloud computing services for a long time. This would include situations where vendors would host or manage an application on the bank’s behalf. In some cases data storage is done remotely, either by sites managed by TD’s IT department or by the vendor. Often the latter have been dedicated environments, meaning they are run only for TD, with TD’s data. This segregation or isolation of client data is usually the best way of mitigating many of the risks, as opposed to being part of what cloud providers call a “multi-tenant” environment where data from several different organizations are running in the same servers or data centre.
In an ideal scenario, McCarragher says organizations should ensure their cloud computing contract stipulates they retain 100 per cent ownership of the data being hosted or managed by a provider. If that’s not possible, corporate counsel should ensure the right use restrictions are in place. Secondary use of data is just one example. “You could find yourself in a scenario where your vendor is taking your data and using it to gather business intelligence for certain markets,” he points out. “It’s not necessarily illegal, and they may not be doing it in a bad way, but there’s a risk of identification.”
Then there’s the question of where the data might be headed. Frank Giblon, in-house counsel at a construction industry software firm called CMIC Global, said firms sometimes aren’t aware when they sign a cloud services agreement with one provider that they’re actually doing business with a cloud collective of sorts.
“A lot of that stuff from outsourcing carries over and is a starting point, but you have to take it further and look at downstream providers. Where is the data? Is it in India? What have the outsourcers or cloud providers outsourced themselves? Do you really know where the data is, and does that matter? You have to validate that it’s secure, that it meets the various standards and requirements of whatever your industry is.”
The old world of IT outsourcing had sub-contractors too, Fan notes, but the difference here is that companies can now be locked into multi-party delivery from multiple jurisdictions. “You used to ask where the outsourced vendor was located. Now you ask where their server farms are,” he says.
This is an important point because agreements need to specify whether or not, for example, a sub-contractor in the U.S. or another country is allowed to replicate client data, even for backup purposes, and when and how that backup data might be used or destroyed.
“It has happened and sometimes it is kind of scary,” Fan admits. “If you sign yourself up to a service where they’re allowed to replicate and store backups, you don’t always have a right to ask your vendor to delete all that off of their service. The card you’re left with is if you want to renew. It becomes a business negotiation. There’s no legal solution at that point.”
Some CIOs and other business executives have worried about data being hosted in the U.S. that might fall under the Patriot Act, but according to Kratz, there are many other agreements between law enforcement agencies in Canada and the States that would be more likely used as a means of accessing information about citizens here. There are also no clauses under Canada’s Personal Information Protection and Electronic Documents Act or various provincial privacy laws that would prevent companies from hiring a foreign-based cloud provider to host their applications or data. As long the provider can prove it keeps the data secure and allows for audits, the main point is to make sure agreements only allow information to be used for the right and intended purpose, and for notification rules to be in place if something bad happens.
“It’s important to ensure you have the permissions to come in and inspect (data centres) as part of audits,” he says.
Up until now, when most software or computer resources were hosted “on-premise,” the organization assumed the risks of using the technology. In a cloud environment, the provider is supposed to assume that risk, but even the providers are still learning. Softchoice Corp. is one of Canada’s largest resellers of applications, and recently launched its own set of cloud services. Its CIO, Kevin Wright, says the company has been using SaaS internally as well, and like many of his peers and in-house lawyers, he isn’t always told when business units decide to try out the cloud. “From a legal perspective, though, what I’m more worried about are the contractual issues in terms of what we need to do for our customers,” he says.
Once questions around data portability and usage are nailed down, in-house counsel may also need to revisit the financial assumptions that drove the business case around cloud computing in the first place. McCarragher says many organizations remain motivated to move to the cloud as a way of easing the financial burden associated with IT. “The traditional software model was, you take a one-time perpetual licence fee, you get access to the code and on an annual basis you would pay 18 to 22 per cent for maintenance fees,” he says. “The (cloud) pricing model is very different, and attractive to the business unit, because it gives them the ability to spend less up front.”
Giblon, however, says those expectations need to be managed over the lifespan of a contract. “It isn’t necessarily cheaper in the long run, but you can avoid large capital outlays,” he says. Fan agrees, suggesting the average savings are “not nearly as high as advertised.”
No matter the issue, though, cloud computing agreements will be a lot easier to manage if and when corporate counsel are consulted earlier in the process. There’s not much even the best lawyers can do if they’re caught by surprise. “It really depends on having an open communication with your CIO, with your IT department, with your strategic sourcing people,” Glibon says. “It needs to be a situation where you are part of the team that’s doing the upfront analysis, as opposed to trying to play catch-up.”
In the meantime, lawyers are getting educated about the cloud both formally and almost unconsciously in some ways. “It’s all around, and not in our corporate lives but in our personal lives, like Gmail,” says Giblon, referring to Google’s e-mail service which is hosted online. “People are starting to get more familiar with the concept and a little more clued in.”
Even if everyday people are using cloud services en masse, however, McCarragher says it may be up to corporate counsel to occasionally point out the essential differences in adopting SaaS or IaaS in an enterprise environment.
“As a consumer, you really don’t know where your data is, other than it’s somewhere in the cloud,” he says. “How they distribute their data is up to them.”
For businesses, it should be up to the lawyer.
5 Cloud ‘gotchas’ every in-house lawyer should know
Don’t overlook a ‘deadbeat’ clause: Some agreements may not specify it, but cloud providers must be prohibited from deleting data for non-payment, delayed payment, or other contractual hiccups.
Get the right SLA guarantees: Often cloud service level agreements distance themselves from quality of service issues. If the service is available, for example, but performs poorly, clients might not be compensated. If they are, it might simply be a credit for additional cloud services, and in some cases there might be a cap on such credits or the liability to which providers are willing to compensate their clients.
Signed, sealed, or deleted? When companies want to change cloud service providers, how will data from the first provider be handed over? Will it be returned back to the customer in the same format in which it was given, or should it be in a different format? Does the agreement ensure that what is handed over and returned is the only copy, and that data does not remain in any form on the previous provider’s servers?
Beware of unscheduled maintenance: It happens, and it could mean service interruptions, lost data, or worse. If your firm is depending on the cloud to run a business, there needs to be proper notification before anything gets turned off, even for repairs.
Don’t be a customer for life: Understand clearly what happens at the end of year one in a cloud service contract. Is renewal automatic, and if so, can the renewal occur with an escalated price? What other terms might change or be amended following the renewal? Define these parameters before the agreement begins.