
Negotiating Cloud Computing Contracts Christopher Millard

IAPP Academy 2012 1

Negotiating Cloud Computing Contracts

Professor Christopher Millard IAPP Academy San Jose, 12 October 2012

Key questions we will tackle today…

•  Why is cloud computing such a hot topic?

•  What should you watch out for in ‘click-through’ cloud contracts?

•  When can you negotiate cloud deals?

•  What are the most contentious issues in cloud negotiations?

•  Whose laws apply if you have a cloud dispute?

•  Is privacy compliance a serious obstacle?

•  Can you control where your data are stored in clouds?

•  What practical steps can you take to manage cloud-related risks?

•  And finally… “What’s the forecast?”


What is ‘cloud computing’?

•  Basically… scalable IT resources on demand, delivered via the Internet

•  Prominent examples include:

•  Amazon Web Services

•  Gmail and GoogleApps

•  IBM Smart Business + CloudBurst (previously Blue Cloud)

•  Microsoft Hotmail + Office 365 + Windows Azure

•  Salesforce.com

•  AND …Facebook, Apple, PayPal and other cloud app platforms

Why is cloud computing such a hot topic?

•  Remote computing has come of age thanks to high-bandwidth / low-cost connectivity, development of large server farms and enabling techniques such as virtualisation and sharding

•  Cloud is attractive in current economic climate as a means of:

•  achieving rapid outsourcing efficiencies

•  reducing costs / converting capex to opex

•  simplifying hardware and software maintenance

•  smoothing fluctuations in demand levels

•  delivering public sector services more efficiently, see eg.

•  In the US - Apps.gov

•  In the UK - G-Cloud


Cloud architectures and risk diversification

Cloud stacks and hidden layers (simplified!)

[Figure: three stacked diagrams headed "Infrastructure as a Service (IaaS) Architectures", "Platform as a Service (PaaS) Architectures" and "Software as a Service (SaaS) Architectures". Each shows the layers (Cloud Infrastructure, IaaS, PaaS, SaaS) that may sit, visibly or hidden, beneath the service the customer actually contracts for.]

From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt


What is likely to be in an ‘off the shelf’ cloud contract?

•  Many cloud service providers use ‘click-wrap’ terms of business

•  Such terms of business may state, for example, that:

•  the service provider has minimal, or even no, liability for loss or damage caused by failure of the cloud computing service

•  the service may be modified or be discontinued without cause, without notice and without liability to users

•  subcontracting may be unrestricted

•  customers may have limited / no ability to recover data following termination of service

“Contracts for clouds: comparison and analysis of the terms and conditions of cloud computing services”, Bradshaw, Millard & Walden (2010)

•  We reviewed 31 sets of standard T&C (defined broadly)

•  20 main categories of clause were identified

•  Each set of T&C was then mapped against these categories

•  Hypothesis = that where significant variations exist between terms of service, differences would correlate significantly to:

•  Type of service and target market

•  Commercial and technological legacy (if any) of the provider

•  Key findings include:

•  T&C for particular services can be predicted to a significant extent

•  Few contracts deal adequately with complexity of cloud arrangements

•  Many provisions appear to be inappropriate / unenforceable / illegal


Extensive disclaimers are common, eg.

“THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE AND OUR AFFILIATES AND LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED.”

Q. Will that be good enough?

A. It depends what you are going to use the service for (and how)

What about disclosure of your data to third parties?

Would you feel more comfortable signing up to this…

“The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.”

… or this?

“You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.”


Whose laws apply if you have a cloud dispute?

| Choice of law specified by cloud provider… | Number * |
|---|---|
| US State: California (most common), Massachusetts (Akamai), Washington (Amazon), Utah (Decho), Texas (The Planet) | 15 |
| English law, probably because service provider based there | 4 |
| English law, for customers in Europe / EMEA | 4 |
| Other EU jurisdictions (for European customers): eg. Ireland (Apple), Luxembourg (some Microsoft services) | 2 |
| Scottish law (Flexiant) | 1 |
| The customer’s local law | 2 |
| No choice of law expressed or implied, or ambiguous choice (eg. “UK Law” for g.ho.st) | 3 |

* Number in each category is out of 31 contracts analysed by QMUL Cloud Legal Project: http://www.cloudlegal.ccls.qmul.ac.uk/

When can you negotiate cloud deals?

•  Although not generally advertised, major cloud vendors often go off piste if a deal merits it in terms of value or strategic importance

•  One-off contracts are usually confidential but some public sector contracts have been published, eg CSC / Google / City of LA

•  The QMUL Cloud Legal Project recently conducted detailed, off-the-record, interviews with cloud suppliers (including integrators), customers and advisors

•  We also made various Freedom of Information requests

•  From an analysis of the research data, six issues emerged as subject to the heaviest negotiation or as deal breakers…


“Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now” – Hon, Millard & Walden (2012)

Top 6 issues in negotiated cloud deals:

1.  Exclusion / limitation of liability, esp. data integrity + disaster recovery

2.  Service levels, including availability

3.  Security and privacy, esp. EU data protection compliance

4.  Lock-in and exit, including term, termination and return of data

5.  Providers’ ability to change service features unilaterally

6.  IPRs, esp. re apps developed / deployed on IaaS / PaaS + ownership of bug fixes / enhancements / etc

A detailed report on the research is available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2055199

Liability

•  Standard = broad exclusion / limitation of provider's liability

•  Difficult to negotiate - even for very large users

•  May be deal breaker, but sometimes liability negotiated…

•  For defined types of losses, with caps (eg. 100%, 125%, 150% fees)

•  Liability for breach of confidentiality / privacy / data protection

•  Data integrity / backups

•  Integrators may be more willing to accept liability

•  Consider ‘self-help’ eg backup to own servers / another cloud


Service Level Agreements

•  Commercial / pricing-related but often high anyway

•  Lack of standards to measure / compare

•  For mission-critical / real-time applications users may insist on higher availability, more notice, etc

•  Remedies for breach of SLAs

•  Usually restricted to service credits

•  Monetary rebates sometimes available

•  More negotiable than service levels

Security and privacy

•  Key security concerns:

•  Who is responsible for security and to what standard?

•  Pre-contract pen testing (ongoing is rare)

•  Audit - including roles of providers and third parties

•  Security breaches – monitoring / informing users / termination events

•  Most negotiated privacy and data protection terms:

•  Data location

•  Confidentiality / access / disclosure

•  Data processor agreements

•  Role of sub-providers – identities and locations / control over appointment and operations may matter


Inside the location matrix: understanding EU restrictions

| Scenario | Cloud customer | Cloud provider | Data centre |
|---|---|---|---|
| 1 | EEA | EEA | EEA |
| 2 | EEA | EEA | Non-EEA |
| 3 | EEA | Non-EEA | EEA |
| 4 | EEA | Non-EEA | Non-EEA |
| 5 | Non-EEA | EEA | EEA |
| 6 | Non-EEA | EEA | Non-EEA |
| 7 | Non-EEA | Non-EEA | EEA |
| 8 | Non-EEA | Non-EEA | Non-EEA |
| 9 | EEA | Anywhere | Multiple |
| 10 | Non-EEA | Anywhere | Multiple |

Lock-in and exit

•  Initial minimum term

•  3 years typical

•  Automatic renewal / roll-over common (but negotiable)

•  Basic services may be on demand / monthly rolling

•  Exit strategy – termination on notice, insolvency etc

•  Data retention (during term and post-termination)

•  Data deletion (how / when / privacy compliance implications)

•  Dependence on proprietary service, data / metadata formats


Unilateral service changes / termination

•  Enterprise-oriented providers more likely to restrict

•  SaaS commodity services

•  May be no choice

•  User concerns are mainly notice + termination rights

•  Changes to privacy policies are common

•  IaaS / PaaS

•  Users may have to update application code

•  For core services consider consent / longer notice

Intellectual property rights

•  Clarification may be sought re:

•  Ownership / licensing of user or integrator-developed IaaS / PaaS applications (including post-termination)

•  Customisations, user-contributed improvements

•  Whether cloud service pricing includes application licences

•  Third party applications – licences?

•  Included with service, or user’s own licence if ‘portable’ (logging VM numbers / locations may be problematic)

•  Licensing basis, eg. annually in advance / rolling monthly per user


Managing data protection and security risks

•  Despite common concerns, cloud processes may be safer than DIY, not just for SMEs and individuals but also large corporates and governments

•  Applying data protection rules can be complex, so consider…

•  What is regulated as ‘personal data’ in a particular cloud arrangement?

•  Who is responsible (providers / their suppliers / customers / their customers)?

•  Which national law(s) will regulate personal data in a cloud?

•  Where can you transfer cloud data to?

•  EU 2012 proposal for a General Data Protection Regulation might:

•  Reduce scope for keeping anonymised data out of regulatory scope

•  Increase compliance obligations for both ‘data controllers’ and ‘data processors’

•  Fail to establish a promised ‘one stop shop’ for compliance

•  Maintain cumbersome restrictions on international data transfers

Strategic questions for prospective cloud customers

•  Is cloud use managed adequately now (eg. procurement bypass)?

•  What roles should IS / procurement / legal / risk / etc play?

•  What functions should we migrate and to which provider(s)?

•  Is it worth negotiating terms (yet), even for a pilot / trial?

•  Can a better deal be obtained indirectly, eg. from an integrator (pricing / service levels / liability / other terms)?

•  Will insurance be available with adequate coverage?

•  Are there any regulatory implications (eg. financial services / DP)?

•  Do contracts with our customers affect use of cloud services?


Due diligence checklist for cloud customers

•  Is the infrastructure multi-layered and, if so, in what way?

•  Where will our data be processed (inc. storage / replication)?

•  Who controls the critical infrastructure (and from where)?

•  How easily can third parties get access to our data?

•  What happens if the cloud provider / their provider goes bust?

•  How easily could we move our data to another cloud service (or back to our own systems) and how long would it take?

•  How confident are we that we could regain control of our data without leaving behind copies and / or key metadata?

•  Is the contract OK (inc. TOS, T&C, SLA, Privacy Policy, AUP, etc)?

Forecast: cloudy and changeable… but bright!

•  Putting data / processes into clouds may save money and facilitate risk management - it may also have unintended consequences

•  Physical location can be highly significant in virtual environments

•  Sophistication and flexibility of cloud providers is highly variable

•  Risks of compelled disclosure and other disruptions are real

•  Regulators will take a while to get comfortable with clouds

•  Adoption of cloud services looks set for continued rapid growth

•  Cloud contracts are likely to evolve rapidly in response to competitive positioning, customer demands and regulatory / judicial intervention


Any questions…

Thanks for listening! For background papers please visit: http://www.cloudlegal.ccls.qmul.ac.uk/