Know the key legal and security risks in a cloud-computing contract

Make sure you know how to get your data back when the contract ends

Enterprises that store data with cloud providers may no longer have physical control over it, but they're still on the hook legally for its protection and security.

Knowing what goes into a SaaS contract -- and the risks associated with what's not included -- can mean the difference between a costly lawsuit and a successful partnership, according to technology attorney Milton Petersen.

Petersen, a partner in the information technology practice group at the law firm of Hunter, Maclean, Exley & Dunn in Savannah, GA, spoke at the recent Storage Networking World event.

The two most important words to look for in a vendor contract are "vendor shall," Petersen said. Words such as "we'll strive to," "our goals," "targets" and "objectives" should raise red flags for users, as they offer no concrete guarantees and give the vendor legal wiggle room.

Cloud computing contracts also tend to be more commoditized today, compared with big outsourcing deals that once involved heavy negotiations carried out over days.

"It used to be that a customer could negotiate a lot of protections in," Petersen said. "To some extent ... [now], you have to take contract terms they're offering."

Questions to ask

Users should be aware of a cloud provider's implementation process -- how your company's data will be ingested into their cloud infrastructure. Things to consider include whether there will be a lot of work converting your data into their format, or whether they're simply starting with fresh data at the point the contract is signed. Will the data be encrypted? If not, are there data breach notification laws in the state or country where it will be stored?

Most states now have such laws, Petersen said.

It's also better if you have time to check out a vendor and see how the technology works and whether it does what it's supposed to, Petersen said.

Among the more important nuances of a cloud contract is how your company will end the pact and transition data out of the cloud, either back into a private data center or to a new cloud provider.

If your data is no longer in a format your company natively uses, you'll want to be sure it's in some type of industry standard format that will make it easy to convert or use.

"Make sure you're not held hostage where they charge you an exorbitant fee for getting your data back," Petersen said. "Also, look for some kind of cooperation and assistance from the vendor in getting your data out. [And] make sure there's an agreement around what they can or cannot destroy."

It's particularly important to know whether a vendor plans to destroy data after a certain time, especially if that data could be used in litigation with a client and might be placed under a legal hold.

Limiting risk

Because you're handing control of corporate data to a vendor, it's important to define basic communications processes. Ensure there's a well-defined process for notifying you when a vendor makes changes to its infrastructure that may affect your data. And request periodic, structured meetings between executive-level employees on both sides so that you can head off any surprises.

Also, make sure there is a formal dispute escalation or resolution process where you and your vendor can talk about problems before you have to "resort to a legal resolution," Petersen said. A lack of specifics really benefits the vendor in those cases, he added.

"Look for phrases like, 'the vendor shall provide the services in a timely, professional manner in accordance with industry standards,'" Petersen said.

Problem response and resolution should also be hammered out in the contract, ensuring there's some commitment to respond to a problem in a specified period of time; it need only be an affirmation that they know about a problem and are working on it.

Problem resolutions can be more difficult as every issue may take more or less time to resolve, but again, it's important that they agree to keep you updated on what's being done.

Being able to monitor service levels and application uptime is also key to understanding service provider performance.

Some vendors offer automated monitoring and reports for their customers rather than reports on request. And if your site goes down due to a SaaS outage, make sure you know how the vendor will reimburse you for any loss of business. That reimbursement often comes in the form of credits that can be used toward the cost of the contract. But don't expect credits to cover your entire loss due to site downtime.

"You'll almost always see a cap on direct damages ... as well as the exclusion of indirect damages," Petersen said.

More importantly, if there's an ongoing issue, ensure there's clear contract language that allows your company to bail out of the deal and reclaim its data. Typically there will be an early termination fee for leaving a contract early; companies should know what it is.

"You need termination rights for chronic or recurring failures," Petersen said. "The real remedy is to be able to bail out of the deal and find another service provider."

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.
