Due Diligence in a Cloud Environment

by Pillsbury Global Sourcing Practice

[author: Tania L. Williams]

Tania Williams highlights some of the key areas that customers should consider as part of their cloud computing due diligence exercise

Corporate customers rarely undertake a traditional outsourcing initiative lightly. They will invariably complete considerable due diligence when deciding which parts of their business to outsource, choosing a supplier and structuring and negotiating the resulting arrangements. Has this changed with the advent of cloud computing?

By virtue of the nature of cloud services, the customer's data, processing facilities and software reside outside the physical control of the customer. The supplier may subcontract infrastructure, security, access, physical computing resources, software and maintenance to third parties with whom the customer has no contractual privity. The supplier and the third-party subcontractors may be in different countries from the customer and from each other, giving rise to jurisdictional and enforcement complexities.

Moreover, the starting point for cloud contracts is primarily the suppliers' standard terms, which tend to be supplier-centric and drafted for standard services on shared infrastructure. The reality is that, from the customer's perspective, a cloud services agreement is unlikely to provide as much in the way of contractual protection as a traditional, heavily negotiated outsourcing agreement.

For these reasons, thorough pre-contract due diligence is vital before entering the cloud. I highlight below some of the key areas that the customer should consider.

Security

The supplier may be hesitant to provide details of its logical and physical security regimes for fear that disclosure may compromise security. However, for the customer, understanding the steps the supplier and its subcontractors take to maintain security is a vital part of due diligence. 

If the supplier is certified as compliant with a recognised standard (e.g. ISO 27001 or COBIT), verify the compliance certificate and its validity. With ISO 27001 certification, the customer should also review the Statement of Applicability to understand which information security controls the supplier has actually implemented.

In the absence of third-party certifications, assess the supplier's security governance processes and capabilities for sufficiency, maturity, and alignment with the customer's own security requirements and processes. The security controls should be demonstrably risk-based. The security regime should also be tested by the supplier on a regular basis (e.g. third-party audits and penetration testing), and the supplier should provide evidence of remedial actions for the findings. Check for resource allocation, such as budget and manpower, to sustain the testing and compliance processes.

If a key obligation on the supplier is compliance with the supplier's own security policies, establish whether the supplier may change such policies unilaterally and whether it has an obligation to notify the customer of changes in advance.

The supplier must be required to ensure continuous physical security at its premises. Consider how access into and within the data centres is managed. Is the data centre located in a safe area? Has it been subject to natural disasters or civil unrest?

The supplier should also ensure that only personnel who have been security vetted have access to the service infrastructure.

Data

The customer must review the supplier's data access and retention practices to determine whether they are consistent with the customer's policies. If not, the customer may need to revise its policies to correct any shortfall and implement workarounds.

Supplier and third party access to data

Consider how the supplier will access data, and the circumstances in which access is made available to third parties.

Many suppliers have the technical capability to access customer data, and include contractual rights to access customer data for maintenance, servicing, support or security purposes. Is this appropriate for the sensitivity of the customer data?

Suppliers' standard terms often give suppliers the right to disclose customer data on court order or request by relevant authorities. Wherever possible, subject to any laws to the contrary, require the supplier to seek the customer's consent prior to disclosure.

Where access to data occurs through supplier breach or failure, what recourse does the customer have? Many cloud contracts exclude liability for hacking, so review liability and exclusion clauses carefully.

Data preservation, recovery and deletion

The customer may require the supplier to retain data for the purposes of regulation, litigation or other business reasons, or to retain data after contract termination whilst the customer arranges for migration of the services. What retention periods are offered by the supplier? Furthermore, can the customer retrieve data in a usable format?

Ensure that data retention periods are not circumvented by supplier termination triggers, such as non-payment by the customer of the charges or any other breach by the customer.

Will the supplier delete customer data when required? Deletion after termination may be particularly important to the customer where personal data is involved, including data held by any sub-processors.

Data location

Concerns regarding the locations in which data are stored may be triggered by many factors. In addition to the security aspects, the customer must consider how its compliance obligations differ depending on the location of customer data. For example, data protection legislation applicable in the customer's local jurisdiction will be relevant, as will the laws of those jurisdictions in which the customer's data may reside or be made available. Under the US Stored Communications Act, disclosure of information pursuant to criminal subpoena and other law enforcement action is possible in respect of data stored in the US. In addition, requests under the Patriot Act or other similar national security legislation could be made of the supplier without any notice to the data owner. And export control laws may restrict transfer of certain information or software to particular countries.

Data loss or corruption

Confirm that back-ups are made at regular intervals by the supplier and that these are tested at reasonably regular intervals to check the integrity of the data.

The customer should check that data loss and corruption caused by the supplier will amount to a breach of contract; suppliers invariably seek to exclude such provisions. If the supplier is unable to restore data from the back-ups then, from the customer's perspective, the financial limitations on liability need to be sufficiently high to cover the costs of re-inputting data manually. Such costs should be explicitly mentioned as direct losses and recoverable by the customer.

Service Descriptions and Service Levels

Service levels are an area of concern for the customer, but the customer is unlikely to be able to negotiate improvements to the supplier's standard terms unless it has significant leverage. When comparing various suppliers' service offerings and service levels, consider the following:

· What is the service availability (and point of measurement)? Do the service levels apply to the complete service or to components only?

· How does the load on the supplier's infrastructure from other users affect the customer's application performance? Are there possible latency issues or network and bandwidth dependencies?

· How well does the service handle peak spikes?

· Are there any usage limits? What rights does the supplier have if usage limits are exceeded (and what is the impact on the customer's business if those rights are exercised)?

· What is the window for planned maintenance downtime? How much notice is given to the customer ahead of downtime?

· Are patches to software automatically pushed to the customer? Or does the customer have the right to opt out of updates?

· Is there any minimum customer-side infrastructure specification required for the service levels to be met?

· What are the service response times for failure?

· What are the remedies for service level failures? Are service credits available? And if so, are they the sole and exclusive remedy for the customer, or is the customer able to pursue other relief?

· Does the supplier notify the customer of service level failures, or is the customer expected to monitor the service levels and notify the supplier of any breach?

· If the supplier has the right to amend service levels without the customer's consent, is the customer notified of version changes?

Business Continuity

A comprehensive cloud-computing offering will have alternative infrastructure available at a remote location from which the services can be provided in the event of force majeure or other events affecting service provision.

What events will trigger a move to the disaster recovery site? How long does the move take? And how does the customer get access to the data?

Encryption Regulation

Encryption devices or methods will be subject to export controls by many countries, including within the EU. However, of particular note are the US export authorisation and licensing requirements. The export of encryption software from the US needs to be carefully monitored to ensure that the relevant rules are complied with, as the sanctions for infringements can be considerable.

Data Protection Regulation

Where the cloud computing service involves some processing of personal data, the service will need to meet the requirements of the EU Data Protection Directive (as implemented in local member states) if the customer is established, or the data is processed, in an EU member state.

The Directive requires that appropriate technical and organisational measures are taken to protect personal data. Where a third party (a data processor) is appointed to process data, the data controller must select a supplier who can offer appropriate guarantees of security, document the arrangements in a written contract and take reasonable measures to ensure compliance.

In most member states, data controllers or processors may determine for themselves what constitute appropriate technical and organisational measures. However, some countries have prescriptive requirements for security set out in their legislation with which the customer would need to comply.

The Directive also prohibits the transfer of personal data to non-EEA countries that do not offer adequate protection. There are a limited number of exceptions to this rule, including the transfer of personal data to approved countries, transfers governed by the US – EU Safe Harbor programme and the use of approved data export agreements (known as the standard contractual clauses) to govern the data transfer.

Although several potential work-arounds exist to enable the customer to utilise cloud services without breaching data protection laws, there are no quick fixes to the issue of protecting personal data, and complying with the relevant legislation will invariably come at a cost.

The Customer

The financial services sector is a good example of the customer being required by legislation to undertake certain levels of due diligence. The EU Markets in Financial Instruments Directive was implemented in the UK primarily through amendments to the Financial Services Authority Handbook of rules and guidance. If a financial services customer outsources critical functions, it must take reasonable steps to avoid undue operational risk, and must not materially impair the quality of its internal control or the FSA's ability to monitor the customer's compliance with the regulatory regime. FSA-authorised firms must exercise due skill, care and diligence when entering into, managing or terminating any outsourcing arrangements. This would include conducting appropriate due diligence of a supplier's financial stability and expertise.

In the US, the Sarbanes-Oxley Act also aims to increase transparency within the investment industry; however, its focus is on reforming internal control processes and the manner in which these are audited.

The Supplier

Performing due diligence on the supplier's viability is more difficult if the supplier is new to the market than with an established supplier. The customer should understand the supplier's financial stability, and where the supplier contracting entity fits within the supplier's corporate structure. Does the customer have visibility of the potential subcontractors and third parties who support the supplier's cloud services, and their respective viability? What contingency plans does the supplier have in place?

Exit

The customer should minimise exit and transfer risk, including by requiring the supplier to place a copy of the source code and object code of relevant software with an escrow agent, ensuring that its data is backed up elsewhere and ensuring that it understands how its data will be returned. Even if open data transfer standards can be agreed, it is usually still a sizeable and risky task to transfer large data sets, so a methodical, safe plan must be put in place.

Contracting on Supplier Standard Terms

As mentioned, suppliers look to contract on their standard terms. In the UK, standard terms (particularly exclusions or limits of liability) are subject to the Unfair Contract Terms Act 1977, and therefore must be reasonable. Despite this, the customer should ensure that the supplier contract addresses the concerns already raised, and also offers the following protections:

· where the services allow the customer access to or the use of software, to the extent that the supplier does not own the intellectual property rights in the software, it will need to arrange for the right to sublicense the software to the customer in all jurisdictions in which the customer operates;

· IPR indemnities for the customer's benefit against claims by third parties that use of the services by the customer infringes that third party's IPR; the IPR indemnity needs to be sufficiently broad to protect the customer in all jurisdictions in which the software will be used or the services accessed;

· an obligation on the supplier to notify the customer of any intended deletion or move of data or material, and an indemnity for any loss suffered as a result of material being unnecessarily deleted or moved;

· confidentiality provisions which include customer data within the definition of 'confidential information', and which provide adequate caps on liability and limited exclusions to ensure that the supplier is required to compensate the customer for breaches of confidentiality;

· the customer's consent required for any assignment of the contract (at the very least, the customer must be notified of any assignment prior to it occurring);

· the customer to have termination rights on a change of control of the supplier;

· the customer to have audit rights to ensure compliance with the agreement and any other certifications or standards; at the very least, require the supplier to provide a SOC 2 report on a regular basis;

· the supplier to notify the customer of any security breaches;

· the customer's liability should be capped, with certain liabilities excluded (e.g. indirect or consequential loss);

· the supplier's right to suspend or terminate the services to be limited, and exercisable only subject to prior notice to the customer.

Conclusions – Moving to and Managing the Cloud

The cloud offers significant advantages to business through the speed and flexibility of development and delivery of IT, the ability to contain costs, and scalability. These expected rewards must be weighed up against the potential legal, reputational and operational risks of cloud computing. Another factor for the customer to consider is the cost (and risk) of putting in place mitigation strategies to circumvent deficiencies in the cloud service offering or the associated contract terms.

Contractual due diligence should not be limited to the period leading up to contract signature. Changes to the customer's business or to the services provided should also trigger reviews of existing contracts to ensure that the protections and risk profile the customer sought remain unchanged.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Global Sourcing Practice | Attorney Advertising
