Cloud Service Contracts: What CIOs Need to Know
Cloud outages can be damaging to your brand and to your bottom line. How can you best protect your organization if disaster strikes or other issues arise concerning your cloud-service provider? Know what's in your contract.
By Kevin C. Taylor
A recent lightning storm in Virginia caused Amazon Web Services' cloud service to go down, however, not all customers suffered equally. Some, such as Fox Entertainment, Unilever and Spotify, as well as nearly 200 government agencies and several hundred small start-ups, store their digital data with Amazon's computer-based service. These customers, that may have had their data mirrored or duplicated on multiple sites, avoided outages. But other business, Web sites like Netflix, Pinterest and Instagram, were unavailable for hours.
The damage to those brands is hard to calculate, yet estimates could reach millions of dollars. While we may not know what's in their cloud service contracts, take a lesson from the less fortune and be certain what's in yours. How can you best protect your organization if disaster strikes or other issues arise concerning your cloud-service provider?
1. Do Your Pre-Contract Due Diligence
As always, doing due diligence on your cloud service provider is critical. You need to ensure that the provider will meet your organization's cost, quality-of-service, regulatory compliance and risk management requirements. Your cloud-service provider due-diligence review should include, at a minimum:
Data classification: How sensitive is the data your organization will place in the cloud? Is it confidential? Critical? Public? What controls should be in place to make sure it is properly protected? Does the cloud service provider appropriately encrypt or otherwise protect non-public personal information (NPPI), material non-public information or other data whose disclosure could harm your organization or its customers?
Data segmentation: Will your organization's data share resources with data from other cloud clients? Will your data be transmitted over the same networks and stored or processed on servers that are also used by other clients? If so, what controls does the service provider have to ensure the integrity and confidentiality of your organization's data? Where will your organization's most sensitive data be kept?
Recoverability: How often are back-ups done? How does data recovery work when there is a blackout or technology shuts down? How will the cloud service provider respond to disasters and ensure continued service? And how quickly? Do your organization's disaster recovery and business continuity plans include appropriate consideration of the risks of cloud service outsourcing, the service provider's disaster recovery and business continuity plans, and the availability of essential communications links within the cloud?
2. Define "Act of God" Narrowly
An event of force majeure (an "Act of God," circumstance beyond control-from an earthquake to a riot) can allow a vendor to get out of commitments, including service-level agreements, or SLAs. Make sure that in its cloud service contract your organization negotiates a narrow definition of force majeure.
Also, there should be a right to terminate the agreement if the force majeure event goes on for too long. Understand the cloud service provider's back-up procedures, how the provider's cloud is structured (for instance, to make sure a data center is not located directly on an earthquake-prone fault), and the service provider's disaster recovery plan. What's more, you should be able to readily transfer to another cloud-service provider, if needed.
3. Know What You Should Know
As regulations already require financial institutions to do, you must understand where your organization's cloud service-stored data will be kept, how it will be kept, who can look at it, how you can get it back if needed, how quickly it will be restored if there is a disaster. You must be able to answer these questions before entering into a cloud services transaction for your organization.
Cloud service providers are learning that they must give more information if they want to acquire larger, more sophisticated customers. Even outside the financial-services industry, for large public companies that handle large amounts of data, especially sensitive data, there would be significant risks, financial and otherwise, in not asking and answering the questions posed here.
Kevin C. Taylor, a Schnader Harrison partner, has over 19 years' corporate counsel and trial experience concerning outsourcing, technology, financial services and other matters. Taylor is a legal representative for GE Capital, Societe General, Citibank and many more enterprises.
This article was originally published on 09-19-2012