The Cloud and the Law: An Interpretation of Key Contract Clauses for late adopters like the Healthcare Sector

stg-cmriadmin18

stg-cmriadmin18

The impact of cloud computing is visible across industries, including late adopter verticals such as the Healthcare sector. Cloud services span a range of functionalities and encompass different levels of service, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Given all the promise and benefits ascribed to cloud technologies, it is not surprising that most technology managers are eager to sign-up on service contracts to gain a competitive edge to be one of the first users employing the cloud. It is this excitement that leads to trouble.

For a healthy business relationship, general wisdom mandates that it is prudent to enter into a written agreement that outlines relevant terms, obligations and responsibilities of each of the parties. When we consider cloud, the same principles apply here. There are essential terms and provisions in the cloud service agreements that warrant clear attention.

When contemplating moving to the cloud, customers should understand the criticality of the software, the unique issues associated with cloud computing, and the availability and price of various alternatives. It may make sense for customers to accept loosely defined contract terms for non-core business tools or services involving routine, non-sensitive data. For mission critical systems on the cloud involving regulated personal data or sensitive business intelligence, it is prudent to do a critical due diligence on clauses in the contract.

Some of the key provisions that an IT head must pay attention to in a contract are discussed below:

1. Choice of Law and Jurisdiction: One of the prime attractions for using cloud computing lies in the premise that data can be accessed from anywhere, irrespective of where the data is stored. While it is exciting for information to be stored and accessed from anywhere, it leads to legal uncertainty over jurisdiction and choice of law. For instance, the data sent or received by an organization or individual using a cloud computing service could be physically located in the U.S. or any other country in the world.

When entering into cloud computing agreements, pay attention to the choice of law and jurisdiction and ensure that you choose a law to govern the agreement and a jurisdiction where your business is currently based.

2. Understanding of terms: The agreement should provide a clear description of the cloud service, including the type of services and functionalities. The agreement should also provide for whether and how the terms will evolve during the life of the contract.

Quite often, the contract grants vendors the freedom to amend the terms. This flexibility may be used to allow vendors to update contracts due to technological developments and/or regulatory requirements. Such a flexibility does away with the need for multiple amending agreements.

Ensure that prior consent in the agreement is taken from you prior to changes in terms and service.

3. Business Continuity: To ensure ongoing access, especially for mission critical applications, customers should check with their cloud vendor to ensure they understand what hardware, operating system, and other software is needed and how much it costs.

Customers should insist on knowing the name and content of the service, and the type of service such as SaaS, PaaS, IaaS and the business purpose of the Service. In case of an IaaS service, the vendor should specify the price for CPU time, network bandwidth and storage capacity. The vendor should specify OS and its version, database vendor and version, IDE tool version in case of a PaaS service. In case the service provided is SaaS, the vendor should specify how this service integrates with other services provide by cloud vendor, or with services outside of the cloud vendor platform.

Look at the fine print and verify the information provided prior to signing a cloud agreement. This will enable better planning for the future, including when making appropriate transition plans.

4. Security and Privacy: Concerns have been repeatedly raised over the ability of law enforcement bodies to access sensitive corporate and personal information stored in cloud computing solutions. With privacy laws varying substantially from country to country, and even state to state in a large developed country such as the United States, the potential lack of control over the physical locations of storage and processing creates serious data protection and privacy concerns. To highlight the risk, in some jurisdictions, law enforcement could obtain access to the information stored without the affected party ever knowing. Companies should take note that the concerns over security and privacy are not limited to law enforcement. If a cloud service provider does not indicate where the relevant data is being stored, then arguably the customer is not in a position to know which privacy scheme (or schemes) apply. For example, if the cloud provider transfers personal data to a server located in Argentina, Belgium or Canada, the data will be subject to the local laws of those countries. And, the data protection laws of these countries contain very specific provisions, limiting how personal data may be transferred out of that country.

A company considering a cloud computing arrangement will need to know what steps the cloud vendor takes to ensure that a customer�s data is not inadvertently disclosed to another customer who may be sharing the same resources.

5. Intellectual Property Licensing and Contractual Issues: It is important to understand the ownership of the IPR employed in the cloud service. In those cases, where the cloud vendor is the owner, a license to use such software is provided as part of the service. In case a third party owns the cloud software, the cloud provider should have the right to sublicense and provide the software to you as part of the cloud service. This will ensure that you are not in breach of any third party�s intellectual property rights in the software.

It is absolutely essential for you to understand the precise scope of the licenses granted to each other’s intellectual property. Understanding the scope of the license granted or received would help in making au informed decision on the pros and cons of selecting a cloud service.

6. Indemnification: Indemnification provision is the part of an agreement that provides for one party to bear the monetary costs, either directly or by reimbursement, for losses incurred by a second party.

For instance, a cloud vendor may agree to indemnify its client if the technology used to provide the services infringes or misappropriates a third party’s intellectual property rights. Similarly, the client might agree to indemnify the cloud vendor for actions committed by the client and resulting in the vendor facing a third party’s claim.

Do look for the indemnification clause in the contract. While this is a beneficial clause for customers and ideally should be present, it may be missing from the contract. If anything goes wrong with cloud services, the indemnity clause provides the customer with an opportunity to sue the cloud vendor.

7. Termination: It is important to understand the events and the ground that can lead to the termination of the agreement. Knowing the date of termination of contract is not enough. It is prudent to anticipate what will happen upon termination of the contract. Will the data be secure? What will happen to the data? How can the data be retrieved? Will the service provider take steps to protect data during the transition period?

A clear understanding of the procedure is needed for a customer to be able to transfer data back to company control or to another service provider. Customers should check on what format the data will be in, what hardware will be needed to run it if they decide to move it back their inhouse facility. If data is stored as part of a SaaS application, it may be important that the data can be retrieved in a vendor neutral format so that it can be imported to an application provided by a new third party service provider.

8. Penalty: The contract may provide for penalty clauses that would specify fines or other measures that the vendor must pay if a particular condition(s) is/are not met. For instance, the vendor may specify one month of free cloud services upon signing-up, and up to three months of free service in case the vendor fails to provide 99% uptime for a cloud service over the course of a year. One major downside with penalty clauses is that the cloud vendor may not have substantial assets to support services, or maybe in the brink of filing bankruptcy.

Prior to signing up, it is prudent to check on the penalty clause. In addition, a due diligence on the financial health of the service vendor is crucial.

Conclusion

Cloud computing is already changing the way organizations and individuals interact with their information. Cloud services have the potential to transform a company’s information technology architecture and create significant cost savings, when used in an appropriate environment. When entering into a cloud computing arrangement, the agreement should be fully reviewed and discussed in detail with the company’s legal counsel. When discussing and deciding on a cloud vendor over another, a major consideration should go to the clauses in the contract. One of the biggest errors that a potential customer can make is to assume that the contract provided by a cloud vendor provides adequate customer protection or presuming that there is no room for negotiations.