Cloud Services Contracts: What CIOs Need to Know

By Kevin C. Taylor

A recent lightning storm in Virginia knocked out part of Amazon’s cloud service, but not all customers suffered equally. Many organizations, among them Fox Entertainment, Unilever and Spotify, nearly 200 government agencies and several hundred small start-ups, keep their data and systems on Amazon’s cloud. Those customers whose data may have been mirrored or duplicated across multiple sites rode out the storm without an outage. Others, including Web sites such as Netflix, Pinterest and Instagram, were unavailable for hours.

The damage to those brands is hard to calculate, but estimates run into the millions of dollars. We may not know what is in their cloud service contracts, but take a lesson from the less fortunate and be certain what is in yours. How can you best protect your organization if disaster strikes, or if other issues arise with your cloud-service provider?


1. Do Your Pre-Contract Due Diligence

As always, due diligence on your cloud service provider is critical. You need to confirm that the provider will meet your organization’s cost, quality-of-service, regulatory compliance and risk management requirements. Your due-diligence review of a cloud-service provider should cover, at a minimum:

Data classification: How sensitive is the data your organization will place in the cloud? Is it confidential? Critical? Public? What controls should be in place to make sure each class is properly protected? Does the cloud service provider appropriately encrypt, both in transit and at rest, or otherwise protect non-public personal information (NPPI), material non-public information or other data whose disclosure could harm your organization or its customers? And who holds the encryption keys: you, or the provider?

Data segmentation: Will your organization’s data share resources with data from other cloud clients? Will it be transmitted over the same networks and stored or processed on servers that other clients also use? If so, what controls does the service provider have (logical isolation, access controls, audit logging) to ensure the integrity and confidentiality of your organization’s data in a shared environment? Where will your organization’s most sensitive data be kept?

Recoverability: How often are backups taken, and therefore how much data could be lost (the recovery point objective)? How does recovery work after a blackout or a technology failure, and how long does restoration take (the recovery time objective)? How will the cloud service provider respond to a disaster and keep service running, and how quickly? Do your organization’s own disaster recovery and business continuity plans account for the risks of outsourcing to the cloud, for the service provider’s disaster recovery and business continuity plans, and for the availability of the communications links your organization depends on to reach the cloud?


2. Define "Act of God" Narrowly

An event of force majeure (an "Act of God": a circumstance beyond the provider’s control, from an earthquake to a riot) can excuse a vendor from its commitments, including its service-level agreements, or SLAs. Make sure your organization negotiates a narrow definition of force majeure in its cloud service contract, so that ordinary operational failures cannot be dressed up as one.

There should also be a right to terminate the agreement if the force majeure event goes on for too long. Understand the cloud service provider’s backup procedures, how the provider’s cloud is structured (for instance, whether a data center sits directly on an earthquake-prone fault) and the service provider’s disaster recovery plan. What is more, you should be able to move readily to another cloud-service provider if needed, which means agreeing in advance on how you will get your data back and in what format.

3. Know What You Should Know

As regulations already require of financial institutions, you must understand where your organization’s cloud-stored data will be kept, how it will be kept, who can look at it, how you can get it back if needed, and how quickly it will be restored after a disaster. You must be able to answer these questions before entering into a cloud services transaction for your organization.


Cloud service providers are learning that they must disclose more if they want to win larger, more sophisticated customers. Even outside the financial-services industry, a large public company that handles large amounts of data, especially sensitive data, takes on significant risk, financial and otherwise, by not asking and answering the questions posed here.

Kevin C. Taylor, a Schnader Harrison partner, has over 19 years’ corporate counsel and trial experience in outsourcing, technology, financial services and other matters. Taylor has represented GE Capital, Societe General, Citibank and many other enterprises.