Know the key legal and security risks in a cloud-computing contract

Make sure you know how to get your data back when the contract ends

Enterprises that store data with cloud providers may no longer have physical control over it, but they're still on the hook legally for its protection and security.

Knowing what goes into a SaaS contract -- and the risks associated with what's not included -- can mean the difference between a costly lawsuit and a successful partnership, according to technology attorney Milton Petersen.

Petersen, a partner in the information technology practice group at the law firm of Hunter, Maclean, Exley & Dunn in Savannah, GA, spoke at the recent Storage Networking World event.

The two most important words to look for in a vendor contract are "vendor shall," Petersen said. Words such as "we'll strive to," "our goals," "targets" and "objectives" should raise red flags for users, as they offer no concrete guarantees and give the vendor legal wiggle room.

Cloud computing contracts also tend to be more commoditized today, compared with big outsourcing deals that once involved heavy negotiations carried out over days.

"It used to be that a customer could negotiate a lot of protections in," Petersen said. "To some extent ... [now], you have to take contract terms they're offering."

Questions to ask

Users should be aware of a cloud provider's implementation process -- how your company's data will be ingested into their cloud infrastructure. Things to consider include whether there will be a lot of work converting your data into their format, or whether they're simply starting with fresh data at the point the contract is signed. Will the data be encrypted? If not, are there data breach notification laws in the state or country where it will be stored?

Most states now have such laws, Petersen said.

It's also better if you have time to check out a vendor and see how the technology works and whether it does what it's supposed to, Petersen said.

Among the more important nuances of a cloud contract is how your company will end the pact and transition data out of the cloud, either back into a private data center or to a new cloud provider.

If your data is no longer in a format your company natively uses, you'll want to be sure it's in some type of industry standard format that will make it easy to convert or use.

"Make sure you're not held hostage where they charge you an exorbitant fee for getting your data back," Petersen said. "Also, look for some kind of cooperation and assistance from the vendor in getting your data out. [And] make sure there's an agreement around what they can or cannot destroy."

It's particularly important to know whether a vendor plans to destroy data after a certain time, particularly if that data has the potential to be used in litigation with a client and might be placed into a legal hold status.

Limiting risk

Because you're giving over control of corporate data to a vendor, it's important to define basic communications processes. Ensure there's some well-defined process around notifying you when a vendor makes changes to their infrastructure that may affect your data. And request that there be periodic, structured meetings scheduled with the vendor between executive-level employees so that you can head off any surprises.

Also, make sure there is a formal dispute escalation or resolution process where you and your vendor can talk about problems before you have to "resort to a legal resolution," Petersen said. A lack of specifics really benefits the vendor in those cases, he added.

"Look for phrases like, 'the vendor shall provide the services in a timely, professional manner in accordance with industry standards,'" Petersen said.

Problem response and resolution should also be hammered out in the contract, ensuring there's some commitment to respond to a problem in a specified period of time; it need only be an affirmation that they know about a problem and are working on it.

Problem resolutions can be more difficult as every issue may take more or less time to resolve, but again, it's important that they agree to keep you updated on what's being done.

Being able to monitor service levels and application uptime is also key to understanding service provider performance.

Some vendors offer automated monitoring and reports for their customers rather than reports on request. And if your site goes down due to a SaaS outage, make sure you know how the vendor will reimburse you for any loss of business. That reimbursement often comes in the form of credits that can be used toward the cost of the contract. But don't expect credits to cover your entire loss due to site downtime.

"You'll almost always see a cap on direct damages ... as well as the exclusion of indirect damages," Petersen said.

More importantly, if there's an ongoing issue, ensure there's clear contract language that allows your company to bail out of a deal and reclaim data. Typically, there will be some early termination fee associated with leaving a contract early; companies should know what it is.

"You need termination rights for chronic or recurring failures," Petersen said. "The real remedy is to be able to bail out of the deal and find another service provider."

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.


Lucas Mearian

Computerworld (US)