Posted: Friday, 25 January 2013 @ 10:33
Cloud computing has been around for some time, but it is now becoming more widely used. Many businesses not already using cloud services are considering doing so for at least part of their IT needs.
The selection of a cloud service to use will depend on a range of factors – cost, risk, technical, commercial, practical and legal issues. Businesses vary in their response to cloud computing depending upon how they perceive the benefits and risks. Although this article concentrates on legal issues, these factors are often closely linked.
What is meant by ‘cloud computing’
There is no hard and fast definition of what is meant by cloud computing; usage varies across the sector. A broad general definition offered by the Information Commissioner’s Office (ICO) in its ‘Guidance on the use of cloud computing’ is “access to computing resources, on demand, via a network.” The ICO goes on to elaborate on each component of this definition.
Cloud computing is a service and the service is generally categorised into three types: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
The US National Institute of Standards and Technology identified some common features:
- On-demand – accessible as required by the customer
- Network access – accessible when and where required
- Resource pooling – the supplier, or ‘cloud provider’, facilitates cost savings by serving a number of customers and so produces economies of scale
- Rapid elasticity – the system can respond quickly to business demands of the customer
- Measured service – the customer pays for what it uses, so can reduce its outlay
Most cloud services tend to be standard offerings on the cloud provider’s standard terms, generally with little room for negotiation, except perhaps for the largest customers. The cloud service will be a key, if not crucial, part of the operation and success of the business. It is therefore most important to carry out proper checks before committing to a particular cloud service contract. This step, often referred to as due diligence, should cover all the main areas likely to be of concern to a customer including:
- understanding the service to be provided and being satisfied that it meets the needs of the business
- the costs involved
- the standards to which the service will be operated
- the support available and whether this will meet the needs of the business
- physical and technical security measures in place
- the accessibility and transferability of the data stored and processed using the system
- compliance with data protection and any other applicable industry-specific governance e.g. in financial services
The first of these is something which will need to be assessed by each individual business and should include a check on the minimum requirements the customer’s IT system is expected to meet for successful use of the cloud service, in case any hardware upgrades will be needed. Some of the other points are discussed in more detail below.
The cost of the service is likely to be one of the key drivers in the decision about transferring to a cloud service. Cloud services are usually priced on two main models:
Periodic charges – a standard fee per month/quarter/year for the service calculated on the basis of the number of users and commonly with a limit on the amount of data. This gives certainty provided the standard service does not require too many add-ons which may be less favourably priced.
Usage-based charges – the fee will vary according to the use made of the service, so is more flexible provided that the customer has accurately assessed its likely requirements and keeps usage under control e.g. of data storage capacity.
In either case, the customer needs to understand what may give rise to additional costs and the level of those costs e.g. for maintenance and support. It is usually preferable to agree those costs at the outset rather than waiting until the additional service is needed, so that the cost is a known quantity. It is also the area around which a cloud provider may be more open to negotiations.
The cloud computing market is still developing and is competitive: new cloud providers are entering and existing providers need to keep their prices under review. This can be to a customer’s advantage, but as with any contract the detail is important. A favourable initial price will not seem so attractive if subsequent increases are significant.
In a longer term contract, check if there is a cap on the cloud provider’s ability to increase prices over the term either by a fixed percentage or by reference to a price increase index which might be inflation-linked. If the contract is only for a short initial term the price might well be fixed for that term, but check if there is a right to renew on terms which do not involve a significant jump in the price. Although there would be the option of moving to a new provider, that is not always a practical solution for a customer.
After price, security is one of the main concerns often expressed by customers considering going over to a cloud service. There are various aspects to security which need to be considered:
- physical security of any premises used by the cloud provider – are the premises constantly secure with only authorised staff allowed access?
- technical security – is the type of cloud offering suitable for the data storage and processing needs of the business in terms of whether it is public or multi-tenanted? Encryption may resolve concerns, or businesses with particularly sensitive data may want to look at a private cloud solution, although either of these solutions would affect cost benefits.
- staff – what type of vetting and checks are carried out by the cloud provider on any staff involved in the delivery of the service?
Disaster recovery and business continuity
A customer’s concerns about the ability of a cloud provider to respond in the event of some major impact on the service should be addressed primarily as part of the preliminary due diligence checks. If either the customer’s business or the cloud provider suffers fire, theft, terrorist attack, flood, natural disaster or other significant disruption, it is important for the customer to know that the cloud provider has robust data storage and recovery procedures in place to protect the data. These should include regular backups and testing to ensure adequate restoration in the event of loss or corruption of the data.
Quality of the service received and standards of performance will be of ongoing importance to the customer’s business throughout the contract term. The way this can be addressed in the contract is by having agreed service levels and a system of service credits if the cloud provider’s performance falls short of the agreed levels and/or a bonus system for achievement above target if that would be of interest to both customer and cloud provider.
The starting point will be a description of the service in the contract which is suitably comprehensive. The service levels should cover the areas of performance which are important for the customer’s business - matters such as the availability of the service and response times. The customer’s requirement as regards availability will depend on whether its business operates 24/7 or during normal business hours. Response times will apply to the system itself and other aspects such as resolution of calls to the helpdesk or other requests for support.
The standard terms and conditions of many cloud providers will not deal with such issues as service standards or offer service levels and service credits, so these are items which will need to be raised and negotiated by the customer.
Use of software, content and other intellectual property
A vital part of the cloud service for the customer will be the right to use software applications. Even though this use will be as part of the online service, the customer will still need an appropriate licence to do so in order that it is not infringing the rights of the copyright owner. The owner may be the cloud provider or some third party. Where the cloud provider is not the owner, then as part of the cloud service arrangements the cloud provider should have the right to sublicense use to the customer or arrange for the customer to be licensed directly by the owner.
The cloud provider will usually seek to exclude liability for content stored using its cloud service and reserve a right to remove data from its server in order to be able to comply with EU obligations. The customer should require advance notification of this to be given and look for an indemnity for any loss to its business for any unreasonable action.
Data protection is a large subject in its own right and a detailed analysis is beyond the scope of this article. Cloud service customers need to be aware that they will retain obligations under the data protection legislation for ensuring that data they transfer using the cloud service are secure and not transferred in breach of that legislation. To a large extent a customer will be dependent upon the cloud service provider to ensure that it can meet these obligations, so preliminary due diligence and contractual safeguards backed up by ongoing checks will all be important. The EU recognises that the current data protection law does not fit well with cloud computing and is working on new legislation, but that is a possible future development and does not remove the need to comply with the current rules.
Termination and exit
The cloud computing contract should cover what is to happen when the contract ends. Whatever the reason, there should be provision as to what will happen to the customer’s data, particularly if its present cloud provider becomes insolvent. Without adequate provisions in place the customer could find itself locked into an unsatisfactory arrangement and in great difficulty if the provider fails. This is one reason why the preliminary checks as to security and business continuity are vital.
The way forward
Cloud computing is a developing area and becoming much more widely used and accepted by business users. As is often the case with technological change, legal considerations have not always kept pace. There are likely to be legal developments affecting this area, so it is a case of watching out for those developments as and when they are introduced. In the meantime be aware of the relevant issues, carry out proper preliminary checks, weigh up the potential benefits, risks and legal obligations and make sure that whatever is finally agreed in relation to the cloud service provision is recorded in a written contract.
Blog by Sue Mann
Sue is an experienced commercial solicitor based in Birmingham from where she helps businesses all over the country advising on, drafting, and reviewing business contracts and commercial agreements.
This blog is not intended to constitute legal advice, nor is it intended to be a complete and authoritative statement of the law, and what we say might be out of date by the time you read it. You should always seek legal advice to confirm whether or how any information in this article applies to your particular situation.