Cloud Computing: A Practical Framework
Volume 25 • Number 4 • April 2013 Intellectual Property & Technology Law Journal 19
This is the second part of a two-part article that provides a framework for risk management and mitigation in cloud engagements. Part I, published in last month’s issue, explored definitions of cloud computing and began the discussion of a number of specific recommendations for managing cloud computing risk. Part II of the article concludes that discussion.
Specific Recommendations for Managing Cloud Computing Risk
Data—Security, Redundancy, Ownership and Use Rights, and Conversion
Ensuring customer ownership of its data and addressing the provider’s use of such customer data and the security and confidentiality of customer data are very important in a cloud computing agreement. The provider should offer detail regarding, and agree to reasonable provisions addressing, its competency, policies, and procedures related to:
i. protection against security vulnerabilities,
ii. data backups,
iii. the use of customer data, and
iv. data conversion.
Data Security. The need for data security is obvious. A cloud computing provider may possess a customer’s most sensitive data, including data that may be subject to state and federal regulations (e.g., personally identifiable financial and healthcare information). A 2010 study¹ revealed that 60 percent of organizations (including 259 organizations within the Fortune 1000 (F1000) and midsize (MSEs) market throughout North America) are either already using or intending within the next two years to use cloud computing infrastructure services, and the largest area of concern is security and how to deal with sensitive data. Loss or unauthorized disclosure of such data is a significant concern, because the customer is ultimately accountable for complying with security and privacy laws, regardless of where the data is stored, and data breaches have proven to be costly events for an organization. A 2009 study² examined the costs incurred by 45 organizations after experiencing a data breach, and revealed an average total cost for a data breach of $6.75 million, ranging from $750,000 for the least expensive to almost $31 million for the most expensive data breach event, with data breaches costing an average of $204 per compromised record.
Customers should be aware that unique data security issues arise in a cloud computing environment. For example, in an ASP environment, a single physical server may be dedicated to the customer for hosting the application and storing the customer’s data. However, in a cloud computing environment, technologies and approaches used to facilitate scalability, such as virtualization and multi-tenancy, may result in customer data being stored on a physical server that also stores data of the provider’s other customers, which may increase the risk of unauthorized disclosure. Companies are recognizing the unique security and privacy risks related to a cloud computing service delivery model, and calling on the government for legislation to enhance and strengthen security and privacy protections.³
James R. Kalyvas, a partner with Foley & Lardner LLP, is chair of its Information Technology & Outsourcing Practice. Michael R. Overly, a partner with the firm, is a member of its Information Technology & Outsourcing and Privacy, Security & Information Management Practices. Matthew A. Karlyn, a partner with the firm, is a member of its Information Technology & Outsourcing Practice. The authors can be reached at jkalyvas@foley.com, moverly@foley.com, and mkarlyn@foley.com, respectively.
Cloud Computing: A Practical Framework for Managing Cloud Computing Risk—Part II
By James R. Kalyvas, Michael R. Overly, and Matthew A. Karlyn
To address data security issues, customers should conduct due diligence regarding the security practices of a provider and include specific contractual protections relating to information security. Part of a customer’s due diligence should include identifying the location of the data center where the data will be physically stored and who may have access to the data. If the data center is located in a foreign country, then the customer should be concerned, as it may not have an opportunity to inspect the foreign location to ensure it complies with the customer’s information security requirements. Even if the data center is located in the United States, help desk personnel accessing the data could be located in a foreign country with limited or different security and privacy laws. In addition, the location of the data and the ability of data to be widely distributed across different jurisdictions present complex issues of which law is applicable in a given transaction. At this time, there is very little guidance from courts on these conflict of law issues. For example, if personally identifiable information is located in Europe, then European law may govern that information regardless of what is provided for in the contract. Also, a vendor may have multiple data centers, each located in a different state in the United States, with each state having its own law regarding data privacy and security. Therefore, to minimize potential issues, the customer should consider adding a restriction against offshore work and data flow to foreign countries, including a requirement that the data center (including the hosted software, infrastructure, and data) be located and the services be performed in the United States, and that no data be made available to those located outside the United States.
In addition, the customer should identify who will be operating the data center. If the provider is not operating the data center itself (e.g., the provider is the owner of the software and will be providing support, but is using a third-party data center to host the software), then the provider should be required to (i) ensure that the third-party host complies with the terms of the agreement (including the data security requirements), (ii) accept responsibility for all acts of the third-party host, and (iii) be jointly and severally liable with the third-party host for any breach by the third-party host of the agreement. Also, the customer should consider entering into a separate confidentiality and non-disclosure agreement with the third-party host for the protection of the customer’s data. If the provider ever desires to change the host, the provider should be required to provide the customer with advance notice, and the customer should be given time to conduct due diligence with regard to the security of the proposed host and the right to reject any proposed host.
Providers should be required to provide specific details in the agreement regarding baseline security measures, security incident management, and hardware, software, and security policies. These details need to be reviewed by someone competent in data security—either someone within the customer’s organization, a data security attorney, or a third-party consultant. The provider’s policies should address security risks particular to cloud computing, and services being delivered over the Internet and accessible through a Web browser (e.g., security risk relating to Adobe Flash, which allows hackers to upload malicious Flash objects and launch attacks on users). Some providers will not distribute copies of their security policies but will allow customers to come to the provider’s site and inspect them. Such policy inspection should be done if the customer information at issue is very sensitive or mission critical. A customer should compare the provider’s policies to its own, and in fact, many customers demand the provider match the customer’s policies. The customer should also consider verifying the provider’s capabilities via a physical visit or SAS 70 audit (IT internal controls audit) conducted by a third party, or both. It is becoming far more expected that providers regularly demonstrate to their customers that their security controls remain intact and robust.
Consider the following sample of a typical data security provision:
a. In General. Provider will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Customer Information (1) that are at least equal to industry standards for such types of locations, (2) that are in accordance with reasonable Customer security requirements, and (3) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access of Customer Information and all other data owned by Customer and accessible by Provider under this Agreement.
b. Storage of Customer Information. All Customer Information must be stored in a physically and logically secure environment that protects it from unauthorized access, modification, theft, misuse, and destruction. In addition to the general standards set forth above, Provider will maintain an adequate level of physical security controls over its facility. Further, Provider will maintain an adequate level of data security controls. See Exhibit A for detailed information on Provider’s security policies and protections.
c. Security Audits. During the Term, Customer or its third party designee may, but is not obligated to, perform audits of the Provider environment, including unannounced penetration and security tests, as it relates to the receipt, maintenance, use, or retention of Customer Information. Any of Customer’s regulators shall have the same right upon request. Provider agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes.
Also, it is critical to require the provider to notify the customer in the event the provider is required by law, lawful order of a court (e.g., request for production of documents), or governmental authority to disclose the customer’s data (unless the notification is specifically precluded by such law, lawful order, or government authority). The provider should be required to provide the customer with written notice of the request sufficiently in advance of the date specified for production of the records so that the customer can act to protect its data (e.g., by seeking a protective order from the court). In addition, the provider should be obligated to use reasonable efforts not to release the data pending the outcome of any measures taken by the customer to contest, otherwise oppose, or seek to limit disclosure by the provider.
Lastly, the cloud computing agreement should require that if a breach of security or confidentiality occurs, and it requires notification to the customer’s customers or employees under any privacy law, then the customer should have sole control over the timing, content, and method of such notification. The agreement should also provide that if the provider is culpable for the breach, then the provider must reimburse the customer for its reasonable out-of-pocket costs in providing the notification.
Data Redundancy. Because the customer relies on the provider as the custodian of its data, the customer should demand the cloud computing agreement contain explicit provisions regarding (i) the provider’s duty to back up customer data and the frequency of that backup, and (ii) the customer’s ongoing access to such data or the delivery of such data to the customer on a regular basis. A good place to start is for the customer to compare the provider’s backup policies to its own and make sure they are at least as stringent.
Below is a sample data redundancy provision:
Provider will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.
Data Ownership and Use Rights. Detailed provisions should be added to clarify that the customer owns all data stored by the provider for the customer. In the event that the provider stops providing services and a customer requests the return of its data, there should be no separate dispute as to ownership of the data that resides on the provider’s servers.
Because the provider will have access to, and will be storing, the customer’s sensitive information, the agreement should contain specific language (i) regarding the provider’s obligations to maintain the confidentiality of such information and (ii) placing appropriate limitations on the provider’s use of such customer information (i.e., confirming that the provider has no right to use such information except in connection with its performance under the cloud computing agreement).
Many cloud computing providers want to analyze and use the customer data that resides on their servers for their own commercial benefit, in particular, the data customers create as they use the services. For example, the provider may wish to use a customer’s data, aggregated along with other customers’ data, to provide data analysis to industry groups or marketers. The provider may limit its use to de-identified customer data. These uses are very similar to what businesses and individuals have been dealing with while surfing the Internet as “cookies” follow where a user goes and what a user does.
However, the customer data in the cloud is proprietary and confidential to the customer and its business. The customer should consider such use of any of its data very carefully and, if the agreement does not mention these types of uses, then the customer should ask the provider for detailed information on data use and add a provider representation about which uses, if any, are permitted. Most customers should conclude that the provider should not have any right to use the customer’s data, whether in raw form, aggregated, or de-identified, beyond what is strictly necessary to provide the services. An example where commercial use might be acceptable is where the provider provides a service that directly depends on the ancillary use of such data, such as aggregating customer data to provide data trending and analysis to the customer and similarly situated customers within an industry.
Another area of concern is the practice by some cloud computing providers called de-duplication, which removes redundant data from customer files to save storage space in the provider’s network. If a customer uploads a file to the provider’s network and then later retrieves that file, while it may not appear the content of the file has been altered, the de-duplication process may have removed “metadata” from the file (i.e., data about the file, such as who created it, when it was created or last modified, etc.). The removal of this “hidden” information can result in many issues in the event of litigation. For example, if the customer has agreed to produce metadata in response to an electronic discovery (or e-discovery) request and later finds the data is missing or has been altered, the customer may find itself subject to sanctions in the litigation. In addition, metadata (such as dates and comments) may be useful as evidence at trial, and the customer may not be able to rely on such evidence if it is removed or altered by the cloud computing provider. Further, the file itself may not be admissible as evidence, as the removal of the metadata may bring into question the authenticity of the electronic document in its entirety. The customer should discuss these issues with the provider, and ensure its cloud computing agreement does not contain terms and conditions allowing removal of metadata from files stored in the provider’s network.
Data Conversion. Data conversion, both at the onset and termination of the cloud computing agreement, must be addressed to avoid hidden costs and being “locked in” to the provider’s solution. Going into the relationship, the customer should confirm that its data can be directly imported into the provider’s services or that any data conversion needed will be done at the provider’s cost or at the customer’s cost (with the customer’s agreement). A customer should consider conducting a test run of the provider’s mapping scheme to see how easy or complicated it will be (likewise, when checking the provider’s references, a customer should ask about data migration experiences). Lastly, the customer does not want to be trapped into staying with the provider because of data format issues. To that point, the agreement should include explicit obligations on the part of the provider to return the customer’s data, both in the provider’s data format and in a platform-agnostic format, and thereafter destroy all of the customer’s information on the provider’s servers, all upon expiration or termination of the agreement.
A sample data conversion provision is provided below:
At Customer’s request, Provider will provide a copy of Customer Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in the form in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider’s or its agents’ or subcontractors’ possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer’s request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.
Insurance
The customer should always address insurance issues in cloud computing situations, both as to the customer’s own insurance policies and the provider’s insurance. Most data privacy and security laws will hold the customer liable for a security breach whether it was the customer’s fault or the provider’s fault. Thus, the customer should help self-insure against IT risks, including data and privacy issues, by obtaining a cyber-liability policy.
Cyber-liability insurance can protect the customer against a wide range of losses. Most cyber insurance policies will cover damages arising from unauthorized access to a computer system, theft or destruction of data, hacker attacks, denial of service attacks, and malicious code. Some policies also cover privacy risks like security breaches of personal information, may apply to violations of state and federal privacy regulations, and may provide reimbursement for the resulting legal and public relations expenses.
Requiring the provider to carry certain types of insurance enhances the likelihood that the provider can meet its obligations and provides direct protection for the customer. The primary forms of liability insurance that a provider should be required to carry are: (a) Technology Errors and Omissions Liability Insurance and (b) Commercial Blanket Bond, including Electronic & Computer Crime or Unauthorized Computer Access Insurance. These types of insurance will cover damages the customer or others may suffer as a result of the provider’s professional negligence and intentional acts by others (provider’s employees, hackers, etc.). It is critical that the customer require the provider to have these specific policies and not just a general liability policy. Many commercial general liability policies contain a professional services exclusion that precludes coverage for liability arising from IT services, as well as other exclusions and limitations that make them largely inapplicable to IT-related risks. The customer should also consider requiring the provider to list the customer as an additional insured on its policies and to allow the customer to go directly against the provider’s insurance company in the event of a claim.
Indemnification
The provider should agree to defend, indemnify, and hold harmless the customer and its affiliates and agents from any claim where the provider breaches its obligations in regards to the confidentiality and security of the customer’s data. Any intentional breach should be fully indemnified, meaning that the customer will have no “out of pocket” costs or expenses related to recovery of the data and compliance with any applicable notice provisions or other obligations required by data privacy laws. In the event the data breach is not intentional, the provider may require a cap on its potential liability exposure, which may be reasonable depending on the type of customer data in question.
The provider should also agree to defend, indemnify, and hold harmless the customer and its affiliates and agents from any claim that the services infringe the intellectual property rights of any third party. This means that the customer will have no “out of pocket” costs or expenses if some third party claims infringement. Providers often try to limit the intellectual property indemnification only to infringement of copyrights. That is not acceptable, as many infringement actions arise out of patent or trade secret rights. The indemnity should extend to infringement claims of any “patent, copyright, trade secret, or other proprietary rights of a third party.” In addition, customers should avoid any restriction to patents “issued as of the Effective Date” of the agreement. Providers usually also limit the indemnification to “United States” intellectual property rights, and that is generally acceptable, but the customer should consider whether its use of the services will occur overseas.
Intellectual Property
The customer needs to understand the impact of intellectual property rights on its business. In the event the provider will be performing significant implementation services in connection with the cloud computing services, the intellectual property ownership structure proposed by a provider may not effectively address the customer’s business needs. If the provider’s intellectual property is incorporated into work product delivered to the customer, then such provider intellectual property may be embedded in the customer’s business processes as a result. This could encumber the customer’s business by creating uncertainty about the customer’s rights to such processes on which the business depends. Therefore, the customer should obtain ownership of any “work product” and a very broad license to use any provider intellectual property incorporated into any work product, so that it is able to remain in sole control of the direction of its business and each of its underlying processes.
Even in the case where significant implementation services are not being provided, and the customer is merely providing direction as to configurable screens that will be used by the customer, the customer should realize the potential impact on its business. As a provider may benefit from such ideas provided by the customer, the customer should consider adding a restriction against the provider using those same ideas in services being delivered from the provider to any of the customer’s competitors.
Limitation of Liability
The provider’s limitation of liability is very important in a cloud computing engagement because virtually all aspects of data security are controlled by the provider. Thus, the provider should not be allowed to use a limitation of liability clause to unduly limit its exposure. Instead, a fair limitation of liability clause must balance the provider’s concern about unlimited damages with the customer’s right to have reasonable recourse in the event of a data breach or other incident.
A provider’s limitation of liability clause usually (a) limits any liability of the provider to the customer to the amount of fees paid under the agreement or a portion of the agreement (e.g., fees paid for the portion of the services at issue), and (b) excludes incidental, consequential (e.g., lost revenues), exemplary, punitive, and other indirect damages. While a customer may not be able to eliminate the limitation of liability in its entirety, the customer should ask for the following concessions:
• The limitation of liability should apply to both parties. The customer should be entitled to the same protections from damages that the provider is seeking;
• The following should be excluded from all limitations of liability and damages: (a) breach of the confidentiality and security provision by either party; (b) the parties’ respective third party indemnity obligations; (c) either party’s infringement of the other party’s intellectual property rights; and (d) breach of the advertising/publicity provision (see section below titled “Publicity”); and
• The overall liability cap (usually limited to fees paid) should be increased to some multiple of all fees paid (e.g., two to four times the total fees paid or the fees paid in the 12 months prior to the claim arising). The customer should keep in mind that the overall liability cap should not apply to the exclusions in the bullet point above.
Implementation
In the event significant implementation services are being provided (e.g., extensive software or hardware installation, configuration, or customization services), the definition of “Services” in a cloud computing agreement should be broadly worded to capture all of the services being provided. For example:
“‘Services’ shall mean Provider’s provision of software and infrastructure services described in Exhibit __ (Software and Infrastructure Services) and implementation services described in Exhibit __ (Implementation Services), and any other products, deliverables, and services to be provided by Provider to Customer (a) described in a Statement of Work, (b) identified in this Agreement, or (c) otherwise necessary to comply with this Agreement, whether or not specifically set forth in (a) or (b).”
A broad definition of “Services” such as the one above is recommended, as it is useful in limiting provider claims of “out of scope” activity and requests for additional money.
In addition, the customer must fully understand its requirements and the capabilities of the services being provided to determine if any additional features or functionality are needed. Any additional work required to support such features or functionality should be discussed and identified up front, as typically a cloud computing offering may have more limited configuration and customization options (e.g., a multi-tenant application) in order for the provider to more efficiently manage the services and provide a more scalable solution. Any additional work agreed upon to support such features or functionality should be included in the description of services.
Fees
Typically, a cloud computing service will be offered on a “pay-as-you-go” or “pay-per-use” cost structure (e.g., per virtual machine each hour, per gigabyte of storage each month, per active user each month). Accordingly, the agreement should provide for the ability to both add and remove resources, with a corresponding upward and downward adjustment of the service fees. The best time for the customer to negotiate rates for incremental and decremental use is before signing the agreement. Customers should attempt to lock in any recurring fees for a period of time (one to three years), and thereafter an escalator based on CPI or other third-party index should apply.
In addition, the customer should identify all potential revenue streams and make sure that the identified fees are inclusive of all such revenue streams. For example, the provider may attempt to charge additional fees for additional storage after a certain amount of data, or additional fees for software updates. The customer should ensure that these are included as part of the negotiated fees.
Term
Because the software and infrastructure are being provided as a service, like any service, the customer should be able to terminate the agreement at any time without penalty upon reasonable notice (14 to 30 days). The provider may request a minimum commitment period from the customer to recoup the provider’s “investment” in securing the customer as a customer (e.g., sales expenses and related costs). If the customer agrees to this, then the committed term should be no more than one year and the provider should provide evidence of its up-front costs to justify such a requirement.
Warranties
There are several warranties that are typically included in a cloud computing agreement. The following is a list of warranties that the customer should seek to obtain:
• The services will materially conform to the specifications and, to the extent not inconsistent with the specifications, provider’s documentation;
• All services will be provided in a professional, competent, and timely manner by appropriately qualified provider personnel in accordance with the agreement and consistent with provider’s best practices;
• The provider will provide adequate training, as needed, to customer on the use of the services;
• The services will comply with all federal, state, and local laws, rules, and regulations;
• The customer’s data and information will not be shared with or disclosed in any manner to any third party by provider without first obtaining the express written consent of customer;
• The services will not infringe the intellectual property rights of any third party;
• The services will be free from viruses and other destructive programs;
• There is no pending or threatened litigation involving provider that may impair or interfere with the customer’s right to use the services; and
• The provider has sufficient authority to enter into the agreement and grant the rights provided in the agreement to the customer.
Publicity
The customer’s reputation and good will are substantial and important assets. This reputation and good will are often symbolized and recognized through the customer’s name and other trademarks. Accordingly, every agreement should contain a provision relating to any announcements and publicity in connection with the transaction. The provider should be prohibited from making any media releases or other public announcements relating to the agreement, or otherwise using the customer’s name and trademarks, without the customer’s prior written consent.
Assignment
The customer should be able to assign its rights under the agreement to its affiliates and other entities which may become a successor or affiliate due to a reorganization, consolidation, divestiture, or the like. Any concerns the provider may have about an assignment can be addressed by the requirement that the assignee will accept all of the customer’s obligations under the agreement. Similarly, the customer should also obtain assurance that any provider assignee will agree to be bound by all of the terms and conditions of the agreement, including without limitation, service level obligations.
Exclusivity
More and more providers are seeking exclusivity in their cloud computing contracts. To obtain the best pricing, providers are asking customers to contractually commit to an exclusive engagement in which the customers may not seek similar services from another provider. The challenge of these types of arrangements is that if the contract does not provide excellent service levels and other protections, the customer could find itself bound to an agreement with a poorly performing provider which it cannot terminate and which prohibits the customer from seeking supplemental services from an alternate provider.
There are three primary areas to consider in entering into an exclusive arrangement:
• Is the provider offering strong service levels? To commit to an exclusive agreement, the customer must have confidence the cloud services will be available when needed and achieve all other performance requirements. Those service levels must be very clearly defined and not be qualified with dozens of vague exceptions, and there must be realistic credits to ensure the provider has sufficient incentive to achieve required performance levels and a customer termination right for continuing or substantial service level failures.
• Are there appropriate exceptions to exclusivity? There are situations that may arise in which the cloud provider cannot perform as required under the agreement, but would not be in breach. For example, the provider may be subject to a force majeure event or other circumstance that temporarily relieves the provider of its performance obligations (e.g., a period in which the provider is operating under its business continuity and disaster recovery procedures). The problem is that the customer may still need to conduct its business during the pendency of the event. In such cases, the customer should be relieved of its exclusivity obligations to the extent necessary to obtain temporary services from an alternate provider. Depending on the type of services at issue, if the event continues for more than a few days, the customer should have the right to terminate and permanently transition to an alternate provider.
• Does the agreement permit transition in anticipation of a termination? Every cloud agreement will have a defined duration or term (e.g., an initial term of two years, with certain renewal terms). As that term comes to an end, the customer may want to explore a relationship with an alternate provider. To ensure a smooth transition, the customer will likely need the right to enter into an agreement with the alternate provider well before the existing agreement expires. The exclusivity provision must be drafted to include the right for the customer to enter into an agreement with an alternate provider in anticipation of expiration.
Exclusive engagements can provide the customer with potentially substantial pricing advantages. Nevertheless, any time a customer enters into an exclusive relationship, it is increasing the difficulty of making a change based on performance or pricing or other changes in circumstance, and the advantages of such agreements must be carefully weighed against the overall risk of the contract.
Pre-Agreement Provider Due Diligence
The customer should consider performing pre-agreement due diligence on the provider. In many instances, the due diligence may be the customer’s strongest protection in entering into a cloud engagement. This is particularly so when the cloud contract is presented as largely non-negotiable. In those cases, the customer’s only protection is to thoroughly vet the provider prior to entering into the contract.
Diligence can take many forms: site visits, product demonstrations, discussions with vendor personnel, reference site visits, discussions at user groups, industry groups, etc. In addition, diligence can be more formal. This generally takes the form of a customer developing a diligence questionnaire for the provider to complete.
By crafting and using a provider questionnaire, the customer can, at the outset, get a good idea of the extent to which the provider can meet the customer’s expectations and, where gaps exist, eliminate them or negotiate through them. Examples of the items to cover in such a due diligence questionnaire include the provider’s financial condition, insurance, existing service levels, capacity, physical and logical security, disaster recovery, business continuity, redundancy, and ability to comply with applicable regulations. The questionnaire should include language that makes clear the customer will be relying on the responses in making its decision to enter into a contract with the provider.
Where possible, the completed questionnaire should be attached to the cloud contract as an exhibit. In addition, the contract should require the parties to meet on a periodic basis to discuss updates to the questionnaire responses.
Post-Execution Ongoing Provider Assessment
Lastly, it is recommended that the customer and provider agree to implementation of a regular program of evaluating the provider’s performance, under which the provider would be required to supply the requisite information to assess the services, notify the customer of any changes with regard to the provider, and provide any recommendations to improve the services. This information could then be used by the customer to perform ongoing risk assessments, and determine whether to continue the provider relationship.
If possible, post-execution assessments should be coupled with express audit rights under the cloud contract.
Negotiations
If the customer has substantial leverage when negotiating a cloud computing agreement, then the customer should seek to obtain the protections described above. However, in circumstances where the customer does not have such leverage, providers may be resistant to such protections and any modification of their form contract provisions. Therefore, it may not be realistic to expect that the customer can obtain all of the protections listed above.
The customer must then evaluate the business risks, including whether the services support a critical business function, involve sensitive customer information, or are customer facing. If the customer is not able to obtain the level of protection needed in the most significant areas of risk, then the customer should consider walking away from the transaction. If walking away is not an acceptable option, then the customer needs to focus on risk mitigation. For example, if the provider refuses to modify its uptime service level, arguing that it cannot separately administer such a service level for different customers, then the customer should negotiate improved remedies and exit rights for a failure of such service level. In this type of situation, where a customer is unable to obtain the appropriate contractual protections and chooses to proceed, the post-execution ongoing assessment of the provider relationship described above becomes even more important.
Conclusion
As businesses are rushing to the cloud to lower costs and achieve service flexibility, there has been a growing recognition of the substantial risks that come with a cloud computing solution. Unlike traditional software licenses and hardware purchase agreements, but similar to hosting and application service provider agreements, the customer needs to focus less on configuration, implementation, and acceptance and more on service availability, performance, and the security and control of the customer’s data. By keeping these areas in mind, along with the other risk factors and recommendations identified in this article, customers can more effectively manage and substantially reduce the risks presented by cloud computing relationships.
Notes
1. TheInfoPro’s 2010 Information Security Study Reveals Budget Changes, Cloud Concerns, Potential M&A Targets, TheInfoPro (Feb. 23, 2010), at http://www.theinfopro.com/2010/02/tippr-022310/#.
2. 2009 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC (Jan. 2010), available at http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf.
3. See, e.g., Building Confidence in the Cloud: A Proposal for Industry and Government Action to Advance Cloud Computing, Microsoft Corporation (Jan. 2010), available at http://www.microsoft.com/presspass/presskits/cloudpolicy/.
Copyright of Intellectual Property & Technology Law Journal is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.