Basic Understanding Can Clear Fog Around "Cloud Computing" Agreements | submitted by Christopher C. Cain

As businesses increasingly consider online software to address specific business needs, a basic understanding of how so-called "cloud computing" agreements differ from traditional software licensing agreements can go a long way toward helping a business strike the best deal possible.

Simply defined, cloud computing refers to the practice of accessing a vendor’s software and infrastructure remotely, which oftentimes leads to a business storing its data with that vendor. Effective cloud computing can allow a business to reduce or free up existing internal resources that would otherwise be used to maintain, support and store software and data, thereby creating cost efficiencies.

It’s an emerging trend among chief information officers. A recent Gartner survey indicates cloud computing is a top priority for CIOs this year as businesses look to transition more business functions from on-premise hardware and software to hosted solutions. The survey also leads Gartner to predict that cloud computing will lead to roughly 20 percent of businesses ridding themselves of all physical IT assets by 2012.

In a traditional software licensing engagement, the vendor installs the software in the client’s environment. The client has the ability to have the software configured to meet its particular business needs and retains control over its data. In a cloud computing environment, the software and the client’s data are hosted by the vendor, typically in a shared environment (i.e., many clients per vendor server), and the software configuration is much more homogeneous across all clients.

Accordingly, the client’s top priorities shift from configuration, implementation and acceptance to service levels (availability, responsiveness and remedies) and data (security, redundancy and use). However, like a traditional software licensing agreement, provisions such as insurance, indemnity, loss limitations and warranties remain important as well.

The following are some key points that CIOs and other executives should be aware of when entering into a cloud computing agreement.

Service Levels

One of the most critical aspects in drafting and negotiating a cloud computing agreement is establishing appropriate service levels in relation to the availability and responsiveness of the software. Because the software is hosted by the vendor, outside the control of the client, service levels serve two main purposes.

First, service levels assure the client that it can rely on the software in its business and provide appropriate remedies if the vendor fails to meet the agreed service levels. Second, service levels act as benchmarks that facilitate the vendor’s continuous quality improvement process and provide incentives that encourage the vendor to be diligent in addressing issues.

The most common service level issues that a client should address are uptime (reliable availability of the software), response time for service needs, and problem resolution. The vendor needs to provide a stable environment where the software is available to the client at least during the client’s "normal" business hours, if not 24/7. The uptime service level addresses this issue by having the vendor agree that the software will have an uptime of a certain percentage, during certain hours, measured over an agreed-upon period.

Closely related to and, in fact, often intertwined with the uptime service level is the response time service level. This service level sets forth maximum latencies and response times that a client should encounter when using the software. Remote software that fails to provide timely responses to its users is effectively unavailable.

Finally, the vendor’s obligation to resolve issues in a timely manner needs to be included in any cloud computing agreement. Vendors often include only a response time measurement, meaning the time period from when the problem is reported to when the vendor begins working to address the issue. These obligations typically fall short of what is necessary. The service level should instead include both an escalation matrix (defining both levels of severity and estimated response times for each) and specific vendor obligations to address the problem or provide an acceptable workaround.

Data Security

The vendor’s use of client data and the security and confidentiality of that client data are very important in a cloud computing agreement. The vendor should provide detail regarding, and agree to reasonable provisions addressing, its competency, policies and procedures related to: protection against security vulnerabilities, disaster recovery and business continuity, data backups, and the use of, and return of, client data.

The need for data security is obvious. While it might seem that cloud computing vendors would want their agreements to include detail about their data security, they too often do not. Accordingly, clients should demand that vendors provide specific details in the agreement about data security, covering hardware, software, security policies and regular security audits. These details need to be reviewed by someone competent in data security, whether someone within the client’s organization, a data security attorney or a third-party consultant.

Insurance

The client should always address insurance issues in cloud computing situations, both as to the client’s own insurance policies and the vendor’s insurance. Most data privacy and security laws will hold the client liable for a security breach whether it was the client’s fault or the vendor’s fault. Thus, the client should help self-insure against IT risks, including data and privacy issues, by obtaining a cyber-liability policy, and the client should ensure that the vendor has technology errors & omissions insurance.

Indemnification

The vendor should agree to defend and indemnify the client from any claim where the vendor breaches its obligations with regard to the confidentiality and security of the client’s data. Any intentional breach should be fully indemnified, meaning that the client will have no "out of pocket" costs or expenses related to recovery of the data and compliance with any applicable notice provisions or other obligations required by data privacy laws. The client, not the vendor, should control any notices to its customers necessitated by a breach.

Limitation of Liability

The vendor’s limitation of liability provision is very important in a cloud computing engagement because virtually all aspects of data security are controlled by the vendor. Thus, the vendor should not be allowed to use a limitation of liability clause to unduly limit its exposure. Instead, a fair limitation of liability clause must balance the vendor’s concern about unlimited damages with the client’s right to have reasonable recourse in the event of a data breach or other incident.

These are several key points, but not the only ones, to consider when pursuing a cloud computing service and the vendor’s agreement terms. Matters such as termination agreements, warranties, and use of client trademarks should also be considered to ensure a fair contract for both sides.

In conclusion, cloud computing agreements, like traditional software license agreements, should be negotiated with the client’s needs in mind, as vendor forms invariably are one-sided. Unlike traditional software licenses, however, the client needs to focus less on configuration of the application and more on its availability and the security of its data.

Christopher C. Cain is a partner with Foley & Lardner LLP. Mr. Cain is a member of the firm’s Information Technology & Outsourcing Practice Group.
