Cloud Services Contracts: What CIOs Need to Know
A lightning storm in Virginia caused Amazon's cloud services to go down; however,
not all customers suffered equally. Some, such as Fox Entertainment, Unilever
and Spotify, as well as nearly 200 government agencies and several hundred
small start-ups, store their digital data with Amazon's computer-based service.
Customers that may have had their data mirrored or duplicated on multiple
sites avoided outages. But other businesses, including Web sites like Netflix, Pinterest
and Instagram, were unavailable for hours.
The damage to those brands is hard to calculate, yet estimates could reach millions of dollars. While we may not know what's in their cloud service contracts, take a lesson from the less fortunate and be certain what's in yours. How can you best protect your organization if disaster strikes or other issues arise concerning your cloud-service provider?
1. Do Your Pre-Contract Due Diligence
As always, doing due diligence on your cloud service provider is critical.
You need to ensure that the provider will meet your organization's cost,
quality-of-service, regulatory compliance and risk management requirements. Your
cloud-service provider due-diligence review should include, at a minimum:
Data classification: How sensitive is the data your
organization will place in the cloud? Is it confidential? Critical? Public? What
controls should be in place to make sure it is properly protected? Does the
cloud service provider appropriately encrypt or otherwise protect non-public
personal information (NPPI), material non-public information or other data
whose disclosure could harm your organization or its customers?
Data segmentation: Will your organization's data
share resources with data from other cloud clients? Will your data be
transmitted over the same networks and stored or processed on servers that are
also used by other clients? If so, what controls does the service provider have
to ensure the integrity and confidentiality of your organization's data? Where
will your organization's most sensitive data be kept?
Recoverability: How often are back-ups done? How does data recovery work when there is a blackout or technology shuts down? How will the cloud service provider respond to disasters and ensure continued service? And how quickly? Do your organization's disaster recovery and business continuity plans include appropriate consideration of the risks of cloud service outsourcing, the service provider's disaster recovery and business continuity plans, and the availability of essential communications links within the cloud?
2. Define "Act of God"
An event of force majeure (an "Act of God," a circumstance beyond
control, from an earthquake to a riot) can allow a vendor to get out of
commitments, including service-level agreements, or SLAs. Make sure that
in its cloud service contract your organization negotiates a narrow definition
of force majeure.
Also, there should be a right to terminate the agreement if the force majeure event goes on for too long. Understand the cloud service provider's back-up procedures, how the provider's cloud is structured (for instance, to make sure a data center is not located directly on an earthquake-prone fault), and the service provider's disaster recovery plan. What's more, you should be able to readily transfer to another cloud-service provider, if needed.
3. Know What You Should
As regulations already require financial institutions to do, you must understand where your organization's cloud service-stored data will be kept, how it will be kept, who can look at it, how you can get it back if needed, and how quickly it will be restored if there is a disaster. You must be able to answer these questions before entering into a cloud services transaction for your organization.
Cloud service providers are learning that they must give more information if they
want to acquire larger, more sophisticated customers. Even outside the
financial-services industry, for large public companies that handle large
amounts of data, especially sensitive data, there would be significant risks, financial
and otherwise, in not asking and answering the questions posed here.
Kevin C. Taylor, a Schnader Harrison partner, has over 19 years' corporate counsel and trial experience concerning outsourcing, technology, financial services and other matters. Taylor is a legal representative for GE Capital, Societe Generale, Citibank and many more enterprises.