
What should you watch out for in click-through cloud contracts? What are the most contentious issues in cloud negotiations?


Academic year: 2021


Negotiating Cloud Computing Contracts

Professor Christopher Millard

IAPP Academy

San Jose, 12 October 2012

Key questions we will tackle today…

•  Why is cloud computing such a hot topic?
•  What should you watch out for in ‘click-through’ cloud contracts?
•  When can you negotiate cloud deals?
•  What are the most contentious issues in cloud negotiations?
•  Whose laws apply if you have a cloud dispute?
•  Is privacy compliance a serious obstacle?
•  Can you control where your data are stored in clouds?
•  What practical steps can you take to manage cloud-related risks?
•  And finally… “What’s the forecast?”

What is ‘cloud computing’?

•  Basically… scalable IT resources on demand, delivered via the Internet
•  Prominent examples include:
   •  Amazon Web Services
   •  Gmail and GoogleApps
   •  IBM Smart Business + CloudBurst (previously Blue Cloud)
   •  Microsoft Hotmail + Office 365 + Windows Azure
   •  Salesforce.com
   •  AND… Facebook, Apple, PayPal and other cloud app platforms

Why is cloud computing such a hot topic?

•  Remote computing has come of age thanks to high-bandwidth / low-cost connectivity, development of large server farms and enabling techniques such as virtualisation and sharding
•  Cloud is attractive in the current economic climate as a means of:
   •  achieving rapid outsourcing efficiencies
   •  reducing costs / converting capex to opex
   •  simplifying hardware and software maintenance
   •  smoothing fluctuations in demand levels
   •  delivering public sector services more efficiently, see eg. in the US, Apps.gov

Cloud architectures and risk diversification

Cloud stacks and hidden layers (simplified!)

[Diagram: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) architectures, each drawn as layers stacked on cloud infrastructure, with the layers hidden beneath the service a customer sees (eg. SaaS on PaaS on IaaS). From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt]

What is likely to be in an ‘off the shelf’ cloud contract?

•  Many cloud service providers use ‘click-wrap’ terms of business
•  Such terms of business may state, for example, that:
   •  the service provider has minimal, or even no, liability for loss or damage caused by failure of the cloud computing service
   •  the service may be modified or be discontinued without cause, without notice and without liability to users
   •  subcontracting may be unrestricted
   •  customers may have limited / no ability to recover data following termination of service

“Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services”, Bradshaw, Millard & Walden (2010)

•  We reviewed 31 sets of standard T&C (defined broadly)
•  20 main categories of clause were identified
•  Each set of T&C was then mapped against these categories
•  Hypothesis = that where significant variations exist between terms of service, differences would correlate significantly to:
   •  Type of service and target market
   •  Commercial and technological legacy (if any) of the provider
•  Key findings include:
   •  T&C for particular services can be predicted to a significant extent
   •  Few contracts deal adequately with complexity of cloud arrangements
   •  Many provisions appear to be inappropriate / unenforceable / illegal

Extensive disclaimers are common, eg.

THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE AND OUR AFFILIATES AND LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED.

Q. Will that be good enough?

A. It depends what you are going to use the service for (and how)

What about disclosure of your data to third parties?

Would you feel more comfortable signing up to this…

“The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.”

… or this?

“You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.”


Whose laws apply if you have a cloud dispute?

Choice of law specified by cloud provider… | Number*
US State: California (most common), Massachusetts (Akamai), Washington (Amazon), Utah (Decho), Texas (The Planet) | 15
English law, probably because service provider based there | 4
English law, for customers in Europe / EMEA | 4
Other EU jurisdictions (for European customers): eg. Ireland (Apple), Luxembourg (some Microsoft services) | 2
Scottish law (Flexiant) | 1
The customer’s local law | 2
No choice of law expressed or implied, or ambiguous choice (eg. “UK Law” for g.ho.st) | 3

* Number in each category is out of 31 contracts analysed by QMUL Cloud Legal Project: http://www.cloudlegal.ccls.qmul.ac.uk/

When can you negotiate cloud deals?

•  Although not generally advertised, major cloud vendors often go off piste if a deal merits it in terms of value or strategic importance
•  One-off contracts are usually confidential but some public sector contracts have been published, eg CSC / Google / City of LA
•  The QMUL Cloud Legal Project recently conducted detailed, off-the-record, interviews with cloud suppliers (including integrators), customers and advisors
•  We also made various Freedom of Information requests
•  From an analysis of the research data, six issues emerged as

“Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now” – Hon, Millard & Walden (2012)

Top 6 issues in negotiated cloud deals:

1.  Exclusion / limitation of liability, esp. data integrity + disaster recovery
2.  Service levels, including availability
3.  Security and privacy, esp. EU data protection compliance
4.  Lock-in and exit, including term, termination and return of data
5.  Providers’ ability to change service features unilaterally
6.  IPRs, esp. re apps developed / deployed on IaaS / PaaS + ownership of bug fixes / enhancements / etc

A detailed report on the research is available here:

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2055199

Liability

•  Standard = broad exclusion / limitation of provider's liability
•  Difficult to negotiate - even for very large users
•  May be deal breaker, but sometimes liability negotiated…
   •  For defined types of losses, with caps (eg. 100%, 125%, 150% fees)
   •  Liability for breach of confidentiality / privacy / data protection
   •  Data integrity / backups
•  Integrators may be more willing to accept liability

Service Level Agreements

•  Commercial / pricing-related but often high anyway
•  Lack of standards to measure / compare
•  For mission-critical / real-time applications users may insist on higher availability, more notice, etc
•  Remedies for breach of SLAs
   •  Usually restricted to service credits
   •  Monetary rebates sometimes available
   •  More negotiable than service levels

Security and privacy

•  Key security concerns:
   •  Who is responsible for security and to what standard?
   •  Pre-contract pen testing (ongoing is rare)
   •  Audit - including roles of providers and third parties
   •  Security breaches – monitoring / informing users / termination events
•  Most negotiated privacy and data protection terms:
   •  Data location
   •  Confidentiality / access / disclosure
   •  Data processor agreements
   •  Role of sub-providers – identities and locations / control over appointment and operations may matter

Inside the location matrix: understanding EU restrictions

     Cloud customer   Cloud provider   Data centre
 1   EEA              EEA              EEA
 2   EEA              EEA              Non-EEA
 3   EEA              Non-EEA          EEA
 4   EEA              Non-EEA          Non-EEA
 5   Non-EEA          EEA              EEA
 6   Non-EEA          EEA              Non-EEA
 7   Non-EEA          Non-EEA          EEA
 8   Non-EEA          Non-EEA          Non-EEA
 9   EEA              Anywhere         Multiple
10   Non-EEA          Anywhere         Multiple

Lock-in and exit

•  Initial minimum term
   •  3 years typical
   •  Automatic renewal / roll-over common (but negotiable)
   •  Basic services may be on demand / monthly rolling
•  Exit strategy – termination on notice, insolvency etc
•  Data retention (during term and post-termination)
•  Data deletion (how / when / privacy compliance implications)
•  Dependence on proprietary service, data / metadata formats

Unilateral service changes / termination

•  Enterprise-oriented providers more likely to restrict
•  SaaS commodity services
   •  May be no choice
   •  User concerns are mainly notice + termination rights
   •  Changes to privacy policies are common
•  IaaS / PaaS
   •  Users may have to update application code
   •  For core services consider consent / longer notice

Intellectual property rights

•  Clarification may be sought re:
   •  Ownership / licensing of user or integrator-developed IaaS / PaaS applications (including post-termination)
   •  Customisations, user-contributed improvements
   •  Whether cloud service pricing includes application licences
•  Third party applications – licences?
   •  Included with service, or user’s own licence if ‘portable’ (logging VM numbers / locations may be problematic)

Managing data protection and security risks

•  Despite common concerns, cloud processes may be safer than DIY, not just for SMEs and individuals but also large corporates and governments
•  Applying data protection rules can be complex, so consider…
   •  What is regulated as ‘personal data’ in a particular cloud arrangement?
   •  Who is responsible (providers / their suppliers / customers / their customers)?
   •  Which national law(s) will regulate personal data in a cloud?
   •  Where can you transfer cloud data to?
•  EU 2012 proposal for a General Data Protection Regulation might:
   •  Reduce scope for keeping anonymised data out of regulatory scope
   •  Increase compliance obligations for both ‘data controllers’ and ‘data processors’
   •  Fail to establish a promised ‘one stop shop’ for compliance
   •  Maintain cumbersome restrictions on international data transfers

Strategic questions for prospective cloud customers

•  Is cloud use managed adequately now (eg. procurement bypass)?
•  What roles should IS / procurement / legal / risk / etc play?
•  What functions should we migrate and to which provider(s)?
•  Is it worth negotiating terms (yet), even for a pilot / trial?
•  Can a better deal be obtained indirectly, eg. from an integrator (pricing / service levels / liability / other terms)?
•  Will insurance be available with adequate coverage?
•  Are there any regulatory implications (eg. financial services / DP)?
•  Do contracts with our customers affect use of cloud services?

Due diligence checklist for cloud customers

•  Is the infrastructure multi-layered and, if so, in what way?
•  Where will our data be processed (inc. storage / replication)?
•  Who controls the critical infrastructure (and from where)?
•  How easily can third parties get access to our data?
•  What happens if the cloud provider / their provider goes bust?
•  How easily could we move our data to another cloud service (or back to our own systems) and how long would it take?
•  How confident are we that we could regain control of our data without leaving behind copies and / or key metadata?
•  Is the contract OK (inc. TOS, T&C, SLA, Privacy Policy, AUP, etc)?

Forecast: cloudy and changeable… but bright!

•  Putting data / processes into clouds may save money and facilitate risk management - it may also have unintended consequences
•  Physical location can be highly significant in virtual environments
•  Sophistication and flexibility of cloud providers is highly variable
•  Risks of compelled disclosure and other disruptions are real
•  Regulators will take a while to get comfortable with clouds
•  Adoption of cloud services looks set for continued rapid growth
•  Cloud contracts are likely to evolve rapidly in response to competitive

Any questions…

Thanks for listening!

For background papers please visit: http://www.cloudlegal.ccls.qmul.ac.uk/
