Tania Williams highlights some of the key areas that customers should consider as part of their cloud computing due diligence exercise
Corporate customers rarely undertake a traditional outsourcing initiative lightly. They will invariably complete considerable due diligence when deciding which parts of their business to outsource, choosing a supplier and structuring and negotiating the resulting arrangements. Has this changed with the advent of cloud computing?
By virtue of the nature of cloud services, the customer's data, processing facilities and software reside outside the physical control of the customer. The supplier may subcontract infrastructure, security, access, physical computing resources, software and maintenance to third parties - with whom the customer has no contractual privity. The supplier and the third-party subcontractors may be in different countries to the customer and each other, giving rise to jurisdictional and enforcement complexities.
Moreover, the starting point for cloud contracts is primarily the suppliers' standard terms, which tend to be supplier-centric and drafted for standard services on shared infrastructure. The reality is that, from the customer's perspective, a cloud services agreement is unlikely to provide as much in the way of contractual protection as a traditional, heavily negotiated outsourcing agreement.
For these reasons, thorough pre-contract due diligence is vital before entering the cloud. I highlight below some of the key areas that the customer should consider.
The supplier may be hesitant to provide details of its logical and physical security regimes for fear that disclosure may compromise security. However, for the customer, understanding the steps the supplier and its subcontractors take to maintain security is a vital part of due diligence.
If the supplier is certified as compliant to a normative standard (e.g. ISO 27 001 or COBIT), verify the compliance certificate and its validity. With ISO 27 001 certification, the customer should also view the Statement of Applicability to understand the supplier's information security controls.
In the absence of third-party certifications, assess the supplier's security governance processes and capabilities for sufficiency, maturity, and alignment with the customer's own security requirements and processes. The security controls should be demonstrably risk-based. The security regime should also be tested by the supplier on a regular basis (eg third-party audits and penetration testing), and the supplier should provide evidence of remedial actions for the findings. Check for resource allocation such as budget and manpower to sustain the testing and compliance processes.
If a key obligation on the supplier is compliance with the supplier's own security policies, establish whether the supplier may change such policies and whether they have an obligation to notify the customer of changes in advance.
The supplier must be required to ensure continuous physical security at its premises. Consider how access into and within the data centres is managed. Is the data centre located in a safe area? Has it been subject to natural disasters or civil unrest?
The supplier should also ensure that only personnel who have been security vetted have access to the service infrastructure.
The customer must review the supplier's data access and retention practices to determine whether they are consistent with the customer's policies. If not, the customer may need to revise its policies to correct any shortfall and implement workarounds.
Supplier and third party access to data
Consider how the supplier will access data, and the circumstances in which access is made available to third parties.
Many suppliers have the technical capability to access customer data, and include contractual rights to access customer data for maintenance, servicing, support or security purposes. Is this appropriate for the sensitivity of the customer data?
Suppliers' standard terms often give suppliers the right to disclose customer data on court order or request by relevant authorities. Wherever possible, subject to any laws to the contrary, require the supplier to seek the customer's consent prior to disclosure.
Where access to data occurs through supplier breach or failure, what recourse does the customer have? Many cloud contracts exclude liability for hacking, so review liability and exclusion clauses carefully.
Data preservation, recovery and deletion
The customer may require the supplier to retain data for the purposes of regulation, litigation or other business reasons, or to retain data after contract termination whilst the customer arranges for migration of the services. What retention periods are offered by the supplier? Furthermore, can the customer retrieve data in a usable format?
Ensure that data retention periods are not circumvented by supplier termination triggers, such as non-payment by the customer of the charges or any other breach by the customer.
Will the supplier delete customer data when required? Deletion after termination may be particularly important to the customer with personal data, including data held by any sub-processors.
Concerns regarding the locations in which data are stored may be triggered by many factors. In addition to the security aspects, the customer must consider the way in which compliance with legislation differs depending on the location of customer data. For example, data protection legislation applicable in the customer's local jurisdiction will be relevant as will those laws in those jurisdictions in which the customer's data may reside or be made available. Under the US Stored Communications Act, disclosure of information pursuant to criminal subpoena and other law enforcement action is possible in respect of data stored in the US. In addition, requests under the Patriot Act or other similar national security legislation could be made of the supplier without any notice to the data owner. And export control laws may restrict transfer of certain information or software to particular countries.
Data loss or corruption
Confirm that back-ups are made at regular intervals by the supplier and that these are tested at reasonably regular intervals to check the integrity of the data.
The customer should check that data loss and corruption caused by the supplier will amount to a breach of contract; these provisions are invariably excluded by suppliers. If the supplier is unable to restore data from the back-ups then, from the customer's perspective, the financial imitations on liability need to be sufficiently high to cover the costs of re-inputting data manually. Such costs should be explicitly mentioned as direct losses and recoverable by the customer.
Service Descriptions and Service Levels
Service levels are an area of concern for the customer but they are unlikely to be able to negotiate improvements to the supplier's standard terms unless the customer has significant leverage. When comparing various suppliers' service offerings and service levels, consider the following:
· What is the service availability (and point of measurement)? Do the service levels apply to the complete service or components only?
· How does the load on the supplier's infrastructure from other users affect the customer's application performance? Are there possible latency issues or network and bandwidth dependencies?
· How well does the service handle peak spikes?
· Are there any usage limits? What rights does the supplier have if usage limits are exceeded (and what is the impact on the customer's business if those rights are exercised)?
· What is the window for planned maintenance downtime? How much notice is given to the customer ahead of downtime?
· Are patches to software automatically pushed to the customer? Or does the customer have the right to opt out of updates?
· Is there any minimum customer-side infrastructure specification required for the service levels to be met?
· What are the service response times for failure?
· What are the remedies for service level failures? Are service credits available? And if so, are they the sole and exclusive remedy for the customer, or is the customer able to pursue other relief?
· Does the supplier notify the customer of service level failures, or is the customer expected to monitor the service levels and notify the supplier of any breach?
· If the supplier has the right to amend service levels without the customer's consent, is the customer notified of version changes?
A comprehensive cloud-computing offering will have alternative infrastructures available at a remote location from which the services can be provided in the event of force majeure or other events affecting service provision.
What events will trigger a move to the disaster recovery site? How long does the move take? And how does the customer get access to the data?
Encryption devices or methods will be subject to export controls by many countries, including within the EU. However, of particular note are the US export authorisation and licensing requirements. The export of encryption software from the US needs to be carefully monitored to ensure that the relevant rules are complied with, as the sanctions for infringements can be considerable.
Data Protection Regulation
Where the cloud computing service involves some processing of personal data, the service will need to meet the requirements of the EU Data Protection Directive (as implemented in local member states) if the customer is established or the data is processed in an EU member state.
The Directive requires that appropriate technical and organisational measures are taken to protect personal data. Where a third party (a data processor) is appointed to process data, the data controller must select a supplier who can offer appropriate guarantees of security, document the arrangements in a written contract and take reasonable measures to ensure compliance.
In most member states, data controllers or processors may determine themselves what constitute appropriate technical and organisational measures. However, some countries have prescriptive requirements for security set out in their legislation with which the customer would need to comply.
The Directive also prohibits the transfer of personal data to non-EEA countries that do not offer adequate protection. There are a limited number of exceptions to this rule, including the transfer of personal data to approved countries, transfers governed by the US – EU Safe Harbor programme and the use of approved data export agreements (known as the standard contractual clauses) to govern the data transfer.
Despite having several potential work-arounds to enable the customer to utilise cloud services without breaching data protection laws, there are no quick fixes to the issue of protecting personal data, and complying with the relevant legislation will invariably come at a cost.
The financial services sector is a good example of the customer being required by legislation to undertake certain levels of due diligence. The EU Markets in Financial Instruments Directive was implemented in the UK primarily through amendments to the Financial Services Authority Handbook of rules and guidance. If a financial services customer outsources critical functions, it must take reasonable steps to avoid undue operational risk, and must not impair materially the quality of its internal control and the FSA's ability to monitor the customer's compliance with the regulatory regime. FSA-authorised firms must exercise due skill, care and diligence when entering into, managing or terminating any outsourcing arrangements. This would include conducting appropriate due diligence of a supplier's financial stability and expertise.
In the US, the Sarbanes-Oxley Act also aims to increase transparency within the investment industry; however, its focus is on reforming internal control processes and the manner in which these are audited.
Performing due diligence on the supplier's viability if it is new to the market is more difficult than with an established supplier. The customer should understand the supplier's financial stability, and where the supplier contracting entity fits within the supplier's corporate structure. Does the customer have visibility as to the potential subcontractors and third parties who support the supplier's cloud services, and their respective viability? What contingency plans does the supplier have in place?
The customer should minimise exit and transfer risk, including by requiring the supplier to place a copy of the source code and object code of relevant software with an escrow agent, ensuring that its data is backed up elsewhere and ensuring that it understands how its data will be returned. Even if open data transfer standards can be agreed, it is usually still a sizeable and risky task to transfer large data sets, so a methodical, safe plan must be put in place.
Contracting on Supplier Standard Terms
As mentioned, suppliers look to contract on their standard terms. In the UK, standard terms (particularly exclusions or limits of liability) are subject to the Unfair Contract Terms Act 1977, and therefore must be reasonable. Despite this, the customer should ensure that the supplier contract addresses the concerns already raised, and also offers the following protections:
· where the services allow the customer access to or the use of software, to the extent that the supplier does not own the intellectual property rights in the software, it will need to arrange for the right to sublicense the software to the customer in all jurisdictions in which the customer operates;
· IPR indemnities for the customer's benefit for claims by third parties that use of the services by the customer infringes that third party's IPR - the IPR indemnity needs to be sufficiently broad to protect the customer in all jurisdictions in which the software will be used or services accessed;
· an obligation on the supplier to notify the customer of any intended deletion or move of data or material, and an indemnity for any loss suffered as a result of material being unnecessarily deleted or moved;
· confidentiality provisions which include customer data within the definition of 'confidential information', and which provide adequate caps on liability and limited exclusions to ensure that the supplier is required to compensate the customer for breaches of confidentiality;
· the customer's consent required for any assignment of the contract (at the very least , the customer must be notified of any assignment prior to it occurring);
· the customer to have termination rights for change of control of supplier;
· the customer to have audit rights to ensure compliance with the agreement and any other certifications or standards - at the very least, require the supplier to provide a SOC 2 report on a regular basis;
· the supplier to notify the customer of any security breaches;
· the customer's liability should be capped, with certain liabilities excluded (eg indirect or consequential loss);
· the supplier's right to suspend or terminate the services limited, and are exercisable subject to prior notice to the customer.
Conclusions – Moving to and Managing the Cloud
The cloud offers significant advantages to business through the speed and flexibility of development and delivery of IT, the ability to contain costs, and scalability. These expected rewards must be weighed up against the potential legal, reputational and operational risks of cloud computing. Another factor for the customer to consider is the cost (and risk) of putting in place mitigation strategies to circumvent deficiencies in the cloud service offering or the associated contract terms.
Contractual due diligence should not be limited to the period leading up to contract signature. Changes to the customer's business or the services provided should also trigger reviews of existing contracts to ensure that the protections and risk profile the customer sought remains unchanged.