Cloud computing has become an increasingly popular option for businesses to cheaply and efficiently manage their data systems. Businesses interested in utilizing these services should be cautious, however, when entering into agreements to use these services. Just like with any corporate transaction, the contracts and agreements for cloud services must be drafted effectively so as to mitigate business risks to the greatest extent possible.
In Part I of our cloud-computing blog series we addressed privacy and security concerns for business engaged in cloud computing. Part II of the series examined jurisdictional issues and subscriber data ownership issues that may arise in cloud-computing agreements.
Now in our third and final installment of this blog series we will address how subscribers should structure the termination of a cloud computing agreement to ensure “ to the greatest extent possible “ that their data are safely returned and/or disposed by the cloud service provider. We will also address some miscellaneous issues that may arise with respect to the transfer or termination of ownership by the cloud provider.
At the end of a transaction or upon the termination or expiry of an agreement, in traditional corporate contract settings, there are usually standard provisions calling for the return of data by the party that was using the data, or the destruction of that data and a certification to that effect. In a cloud computing arrangement, however, the parties to the corporate contract are not is possession of that data “ the cloud service provider is.
Many would argue that the contract party cannot be held responsible, therefore, for the return or destruction of the data. Nothing could be further from the truth.
Upon the conclusion of a cloud computing agreement, a procedure should be in place for the cloud-computing service provider to return all data to their subscriber, or to destroy the data and certify as to its destruction. Most businesses seeking a cloud service provider likely already have internal policies and procedures in place for retaining, backing up, and disposing of data. It is crucial that subscribers inquire into their prospective cloud-service provider’s data retention and destruction policies to ensure that the policies of the subscriber can be adhered to in their cloud provider’s environment.
For example, the cloud service agreement can call for the service provider to return all data to the subscriber or, upon the request of the subscriber, destroy all data and certify as to its destruction. Then, in the corporate contract, appropriate language can be added to allow for the cloud service provider to return or destroy the data. A sample agreement provision might read:
Upon the expiration or termination of this Agreement, the Receiving Company immediately shall delete or order the deletion of all proprietary data and information from any on-demand computer network access storage location (i.e., cloud computing service) and provide the Providing Company with (a) written notice, certified by an appropriate officer of the Receiving Company, of such actions, and (b) written certification(s) from such on-demand computer network access storage location service provider(s) that the deletion has taken place.
Contract provisions of this type will help ensure that your data is not left floating in the Cloud at the end of an agreement or transaction.
Along the lines of termination, use of a cloud service provider raises additional questions. What happens if the cloud service provider changes? Situations such as the sale of the cloud service, sale of the cloud company, merger, or government seizure can all have tremendous effects on the subscriber’s serviced data Comingling of personal information, jurisdictional issues, and sharing of a subscriber’s business data could all prospectively result from these situations.
Awareness and prior planning are key features to mitigating these business risks. Subscribers need discuss these issues with their prospective cloud service provider prior to entering into an agreement. In many situations, specific clauses can be drafted into the cloud service agreement to allow for the safe return or destruction of a subscriber’s data before any change in the dominion or control over that data can take place.
At a minimum, to protect their data from ending up in the hands of unforeseen third parties, subscribers should require their cloud service provider inform them of any situation in which their data may be accessed by, or transferred to, an unrelated third party. While similarly worded “assignment” clauses are ubiquitous in business contracts, our recent review of several cloud service agreements found these clauses to be altogether lacking. To protect your valuable data, subscribers must reserve the right to terminate the cloud service agreement for cause “ and demand return or destruction of the data “ in events such as these.
3. Additional Issues
There are many other ways in which operating in the cloud computing environment must be considering by all businesses. While far from exhaustive, some of the most critical areas to consider are:
Segregation of Subscriber Data. In your local, server-based systems, confidential data, proprietary data, and sensitive financial data (to name a few), can be segregated from other business data and protected appropriately. Very often businesses certify to customers and business partners that their data will receive this special treatment. Is your cloud service provider also guaranteeing this segregation and an appropriate level of safeguarding?
Authentication of Data. Does your cloud service provider have the technical processes and control procedures in place to guarantee that your data will not be (inadvertently or otherwise) changed over time? Think of the ramification to your business if credit approvals, account receivable limits, or termination dates on contracts were changed while in the cloud.
Responding to Litigation. In the world of e-discovery in litigation, being able to preserve subscriber data and provide copies of that data in a timely and complete fashion are critical. Can your cloud service provider respond to your needs in the event of litigation. Moreover, what if the service provider itself is the target of litigation. Is your data safe from unwarranted disclosure or disclosure without prior notice to the subscriber?
It goes without saying that the contractual nuances arising in the cloud computing environment could easily fill several volumes. Our goal in this blog series is to educate business as to how operating in the Cloud requires you to rethink even the most fundamental aspects of the business agreements you currently use.
Cloud computing can provide significant business advantages in efficiency and cost savings. In the age of transparency it will be key for businesses to maintain sensitive intellectual property, customer, and confidential data in such as way as to ensure that they preserve their competitive advantage and avoid any issues regarding unauthorized use of data. As such, businesses must carefully negotiate and draft not only their cloud service agreements, but all of their commercial contracts and agreements to insulate themselves from liability and protect their invaluable data.