The use of cloud service providers has become increasingly common for many businesses, with a significant rise in usage since COVID-19 and the proliferation of employees working remotely. Use of these platforms ensures that data is safely and regularly backed up, and that your team has access to the most current information and documents, no matter where they are located.
Using cloud storage does, however, require businesses to consider factors such as privacy, security, data ownership and use rights, insurance, intellectual property, liability, and service availability and service levels.
This article will discuss cloud computing generally, and briefly discuss a few of the key risks and important considerations when negotiating and entering into cloud service agreements and other technology contracts.
What is Cloud Computing?
“Cloud computing” simply refers to data and programs being stored on servers located remotely and accessed through the Internet, instead of on an individual computer’s hard drive. It allows individuals to access information and applications from their personal computers, but also from other devices from various locations worldwide.
Most people are already using cloud software or remote data storage facilities if they have a cell phone. Common cloud programs include iCloud, Google Drive, or Dropbox as well as other industry-specific practice management software.
Cloud computing is an attractive and efficient tool used by organizations all over the world as it offers several distinct advantages to businesses and customers, such as cost savings, increased productivity, accessibility, speed and efficiency, and performance.
Types of Cloud Computing
Generally, Cloud computing is divided into three broad service categories: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
Risks of Cloud Computing
Cloud computing is not without risks.
Security has always been a significant concern. If the data stored with the cloud service provider is not encrypted, others may have access to it. Further, cloud providers are often servicing multiple customers simultaneously. Despite extensive security measures, this may raise the scale of exposure to possible breaches, both accidental and deliberate. Servers may also fall victim to internal bugs and power outages that cause the services to crash. Such service outages can cause significant disruption to a business’ operations. These are only a few examples of the inherent risks that come with the use of cloud computing.
Key Contractual Considerations
Businesses should be mindful that if they collect personal information from an individual, they remain accountable for how the information is processed, even when it is outsourced. A business looking to use a third-party cloud service should therefore ensure that the cloud service agreements entered into will allow it to comply with its obligations under privacy legislation. Comparatively, privacy legislation in Canada is more stringent than U.S. privacy laws. Thus, Canadian Users will want to ensure data is stored in Canadian data centers versus in the U.S. to avoid being inadvertently offside Canadian privacy laws. Additionally, often there are other strategic needs or other contractual and professional obligations that the User will be subject to, and it will be important that the third-party cloud service can meet those requirements.
Typically, cloud service providers present standard form contracts that do not leave much room for negotiation for their customers. The following are some of the key contractual considerations that businesses should turn their minds to:
Service Availability and Service Levels: Businesses will want to be able to always access their information and data. However, it is inevitable that there will be some kind of outage, failure, or breach which may result in limited or no access to the provider’s services and/or the business’ data stored on the provider’s systems.
The service level agreements (“SLA”) negotiated between businesses and the service provider should outline minimum service level commitments to ensure that service availability and responsiveness are aligned with the business’ expectations. An SLA should also address the remedies, such as service credits, available to the business when the provider fails to meet the agreed upon service levels.
Some of the most common service level issues that should be addressed include uptime, simultaneous visitors, and issue identification, updates, and response and resolution times.
SLAs are especially important in the event of complete inoperability of critical business functions which can expose the business to liabilities as a result of delays in providing services to its customers.
Moreover, businesses will want ample notice if the provider shuts down or elects to discontinue some or all its services as well as clear timelines for data retention following expiration or termination of an SLA.
Data Security and Privacy: Data security and privacy are a major concern where there is highly sensitive information, and where strict data protection regulations exist, such as in Canada. Businesses should be mindful of ensuring ownership of its data, addressing the provider’s use and access to such data, location of storage of the data and safeguarding the security and confidentiality of that data. It is important to have reasonable provisions within an agreement that contemplate the provider’s policies and procedures relating to data backups, and protection against vulnerabilities. The degree of cloud security should align with the data’s sensitivity levels. If a breach of security or confidentiality occurs, an agreement should stipulate what the notification requirements are, how and when that breach may be remedied and potential indemnification obligations of the provider if the business is sued in the event of a breach and where the provider is at fault.
Intellectual Property: It is crucial to understand the impacts of intellectual property on your business when engaging with a service provider. Where products are customized, uncertainty may arise in relation to ownership of the intellectual property incorporated into the resulting work product depending on the degree of integration between a business’ intellectual property and that of the service provider. A business should consider obtaining ownership of all intellectual property that becomes incorporated with its own, as well as a broad license to use any of the provider’s intellectual property so as to retain direction and control of its business.
Additionally, agreements may be silent on who owns the rights to applications developed or deployed by businesses, or who owns the rights to proprietary information, webpage configurations, service improvements arising from a business user’s suggestions, or bug fixes. These issues may need to be negotiated with the cloud service provider where the business actively contributes to development of products or services.
Termination: Given that data is effectively controlled by the service provider, such control may create difficulties upon expiration or termination of the cloud service agreement. For example, unless the contract provides for the return of customer data upon termination or expiration, some providers may refuse to return or delete information. Another factor to consider is the migration of data to a new provider if such a transfer occurs. Agreements should clearly address timelines, additional costs, and the provider’s involvement in data transfer, such as the provider making available an application for data transfer. It is therefore critical for businesses to consider their ownership and control of data throughout the term of the agreement, including upon expiration or termination.
As outlined above, there are several considerations in a business’ decision to move, or not to move, their information to any specific cloud service provider. If you have questions or need assistance in reviewing and negotiating a cloud service agreement, please contact our Corporate Commercial Law team for assistance.