5 Reasons Why Cloud Contracts Should Scare You

5 Reasons Why Cloud Contracts Should Scare You

5 Reasons Why Cloud Contracts Should Scare You

Marketing Hype ≠ Cloud Contract. Accepting the terms and conditions on a cloud provider’s website can be dangerous, and often the user doesn’t have the option of negotiation. And face it, nobody reads those click thru agreements anyway (except lawyers). So, what do they say and why should they scare you?  Here are my top 5 typical terms:

  • We Don’t Do Security.

Confidential or sensitive data should not be transmitted over the Internet or stored on computers connected to the Internet,” warns a cloud contract. Perhaps this is sage advice, but how many computers aren’t connected to the Internet? And where is your financial, health, tax, personal and proprietary data? In a closet behind your old shoes?

Cloud services contracts also directly state that the provider is not responsible for any type of security breach or disclosure of data. The contract may acknowledge that the customer’s data is confidential, yet still disclaim liability for disclosure. Good bye trade secrets.

Even when the company provides security services, boasting on their home page that they will “Make your business secure and HIPAA and PCI compliant,” they don’t do security. Here is another typical clause:

Company is not responsible and has no liability for any data that you post to the Service or send over the Service.

THE ALL CAPS DISCLAIMERS AND LIMITATIONS OF LIABILITY GO ON FOR PAGES. In meticulous detail, the agreements clarify that the provider is not liable for any unauthorized access to their servers, errors, inaccuracies of content, and much, much more. I’ve even seen companies who advertise their HIPAA compliance capabilities that have contract terms requiring the user to warrant that they will NOT put personal health information on their service.  Feeling warm and fuzzy yet? Let’s continue.

  • What Do You Get?

You may spend a lot of time researching the way the cloud service works and how it will meet your needs. But don’t look for any of that description in the contract. Much of the time, the description of the “Services” reads something like this:

“CloudCo.net provides the CloudCo.net service (the “Service”) through the CloudCo.net website.

That’s it. The “Service” could be cat photos or finance services. But that shouldn’t worry you because the contract also states that they can change the “Service” and how they deliver it at any time, so what does it matter what the “Service” means today? You might draw a certain amount of comfort from the concept that the market will keep a provider from doing anything too stupid, but the provider’s plans and yours may not converge.

  • The SLA Scam

Our commitment is to maintain availability of the network 99.99% percent of the time.” Sounds good, eh? I challenge you to keep reading the rest of the paragraph after being dazzled by that 99.99% (or 100%!) in the first line. Then, do the math. If you aren’t owed a credit until the service has been out for a full hour each month, the promised uptime percentage is really in the neighborhood of 99.8%, not 99.99% or 100%. Then, check the measurement scope. Is the SLA specific to your service or only applicable to the network or data center as a whole or to outages experienced by multiple customers? And remember this is just an up/down measurement. Quality doesn’t count.

Ten-twelve years ago data centers competed with each other to deliver 99.999% (called “five nines”) reliability. No more. It was impossible – even with all the exclusions to calculations that providers always give themselves. The exclusions are numerous and unlimited, including things like “maintenance activities” and “equipment and service failures on systems we don’t own.”  So, the provider can shut down the system for maintenance at any time for any length of time (maybe because it’s about to fail?) and still meet the SLA.

Second news flash, many SaaS vendors don’t own the infrastructure they use. They use third party data centers and hosting providers. Even data centers can lease equipment and use other third party providers. So that exclusion for “equipment and systems we don’t own” eliminates a huge chunk of the delivery services.

The reality is that SLAs are not always offered, although they are the only warranty-like term ever tendered. And your remedy for failure is a tiny credit off your bill, but only if you request it in writing during a specific (short) time period.

  • So if you don’t like it, just move on, right?

A common myth is that cloud services are über flexible. If you don’t like them, cancel and move on. The truth is that many require a lot of time and money to implement, may tie you into proprietary data structures and formats that are not easily transferable when you’re ready to leave, AND HAVE EARLY CANCELLATION PENALTIES.

Most people are surprised when I tell them that unless the contract contains a right to terminate for failure to deliver the service, you cannot. Your legal recourse in that situation is to sue the provider for breach of contract, not stop payment. Even if the vendor fails on its SLAs every single month, they haven’t breached the contract and that doesn’t give you a right to terminate or hold them responsible for the pain that’s caused you. Say thank you for that credit of 1% off your bill and keep paying.

On the flip side, most cloud contracts also say the provider can terminate the whole service at any time at their option. The assumption is that they would give notice and terminate everyone else too. But that’s rarely stated and really isn’t helpful anyway. If you’re terminated, you’re terminated. That could leave you in a serious bind. The contract may also state that they will delete all information related to your account 30 days after termination. But when your access has been terminated it may be impossible to get back (without a fight). Or, you may only get back partial data or data in an unusable format.

Oh, and they can change the terms of the agreement unilaterally at any time too, so even if the contract has friendly data return terms or notice periods before termination, those can disappear.

  • Lost Data, Backup, Disasters and Such

Many customers move their data to the cloud because they think they can stop managing anything related to that data and process. Yet, cloud contracts always disclaim liability for lost data, state it’s the customer’s obligation to back up anything stored on their site, and say that they don’t have to perform if they experience a disaster such as a power failure, fire, flood, etc.

The lack of backup can take a bite from the savings a customer is hoping to get from moving to the cloud. But, it’s just common sense to have a backup solution that is unconnected to the cloud provider. What if the provider goes bankrupt and closes its doors, or the data center loses its lease or the building is foreclosed? What if they lose your data?  It happened to 40% of the companies in a recent Symantec survey. And what’s worse is that two thirds of those companies’ data recovery options failed. Would you ever pass an audit of a disaster recovery plan that says your failover is on the server to the left of the one with the production system? Don’t expect too much of a cloud provider.

What if the provider has a disaster (or a roof leak?) and the servers are toast? Data centers boast about their redundant power supplies, divergent internet connectivity, robust physical security systems and facilities which are built to withstand wild weather, fires and floods. Yet their contracts still include a “force majeure” clause which gives them a pass for all the things they brag they’ve protected themselves against. True that no one can be expected to continue performing when there is a real catastrophe, but why do cloud providers expect a pass for power failures or cable cuts?  Those may be the result of a natural disaster or act of war, but the mundane construction errors shouldn’t shut them down.

The lessons are: you need to be prepared for the cloud provider to simply disappear and to lose your data. It happens.

The cloud is a wonderful tool, but it’s still in the Wild West. I hope I’ve convinced you to at least read (if not consult a lawyer about) your terms of service before putting any thing in the cloud that:

  • You need to access frequently

  • You don’t want the world to see

  • Is subject to privacy laws

  • Is mission critical to your business

  • You’d hate to lose.

By Cindy Wolf,

cindy_wolf

 

Cindy Wolf is a Colorado lawyer with more than 25 years experience representing large and small domestic and multinational companies. Her expertise is in helping companies enter the cloud safely, either as providers or users. She also practices in the areas of corporate law and commercial contracting, with an emphasis on international issues. She can be reached at: cindy@cindywolf.com.

(*This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.)

Follow Us!

CloudTweaks

Established in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information. Most of the excellent CloudTweaks articles are provided by our own paid writers, with a small percentage provided by guest authors from around the globe, including CEOs, CIOs, Technology bloggers and Cloud enthusiasts. Our goal is to continue to build a growing community offering the best in-depth articles, interviews, event listings, whitepapers, infographics and much more...
Follow Us!

3 Responses to 5 Reasons Why Cloud Contracts Should Scare You

  1. One would ask then… should you ever use the cloud at all?  Based on the above… unless you have some names of providers that don’t have all the legal jargon… there would be no cloud company you would recommend using.

  2. Hey Cindy Wolf, I really appreciated for this blog, but why cloud contracts scare on Security. Because mostly cloud sites are indicates the term security in their service. I just fed up on this point. Can you send me some good and best resources regarding Cloud Security.

  3. The key to working with cloud providers for mission critical or sensitive data processing is to do your own security assessment – or hire a cyber security company to do it for you if you don’t have the internal resources. http://www.Denvercybersecurity.com and http://www.coalfire.com are two of them. Second, negotiate with the provider. Some will negotiate if you ask. But you have to know what to ask for. If they have various third party certifications regarding their security and privacy management practices, that helps, but make sure you actually review that SAE-16 SOC 1 and 2 and have the right to do your own assessments.

Comics

At CloudTweaks, we're plugged into the cloud, the internet of things and all that the web has to offer. From wearable technology, to mobile computing, cloud computing and big data, CloudTweaks is your source for updates and news on the most innovative technology.

Popular

Top Viral Impact

2014 Future Of Cloud Computing Survey Results

2014 Future Of Cloud Computing Survey Results

Engine Yard Joins North Bridge Venture Partners, Gigaom Research and Industry Collaborators to Unveil 2014 Future of Cloud Computing Survey Results SAN FRANCISCO, CA–(Marketwired – Jun 25, 2014) – Engine Yard, the leading cloud application management platform, today announced its role as a collaborator in releasing the results of the fourth annual Future of Cloud Computing Survey,…

Cloud Infographic: The Education Of Tomorrow

Cloud Infographic: The Education Of Tomorrow

Cloud Infographic: The Education Of Tomorrow  Online Education is a very exciting topic for many as it opens up many new doors and opportunities. We’ve touched on areas such as Massive Open Online Sources (MOOC) which provides tremendous levels of cloud based interconnectivity. We’ve taken a look into higher education,  the increased demand for online courses as well as…

Cloud Computing Offers Key Benefits For Small, Medium Businesses

Cloud Computing Offers Key Benefits For Small, Medium Businesses

A growing number of small and medium businesses in the United States rely on as a means of deploying mission-critical software products. Prior to the advent of cloud-based products — software solutions delivered over the Internet – companies were often forced to invest in servers and other products to run software and store data. The…

Monetization of the Internet of Things – Q&A With Brendan O’Brien

Monetization of the Internet of Things – Q&A With Brendan O’Brien

Q&A With Brendan O’Brien, Co-Founder of Aria Systems (Part 1) Monetization of the internet of things (IoT) is one of the most exciting and challenging issues facing the industry today, so we spoke with Brendan O’Brien to learn more. Brendan is the Co-Founder of Aria Systems, who are one of the leading innovators in recurring…

Featured Sponsors

Salesforce Service Cloud: Air Traffic Control For Your Customer

Salesforce Service Cloud: Air Traffic Control For Your Customer

Salesforce Service Cloud One of the greatest benefits of the increasingly reliable and ubiquitous state of cloud technology is the removal of business silos and the consolidation of information flow, both in-house and on the road. This is of particular importance to the many different types of professionals whose work involves customer relationship management (CRM).…

Sponsors

Cloud ERP Starter’s Guide: When QuickBooks Is Not Enough

Cloud ERP Starter’s Guide: When QuickBooks Is Not Enough

Cloud ERP Starter’s Guide: When QuickBooks Is Not Enough You’ve been running your small business on QuickBooks, or a product like it, to automate your accounting function and produce basic financial reports. So, what’s wrong? Things just don’t seem to be working well. It takes too long to get a “picture” of how your business…

Placement Opportunities - Find Out!

Established in 2009, CloudTweaks is recognized as one of the leading influencers in cloud computing, big data and internet of things (IoT) information. Our goal is to continue to build our growing information portal, by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

You can help continue to support our community by social sharing, sponsoring, partnering or contributing to this great educational resource.

Contact

CloudTweaks Media
Phone: 1 (212) 763-0021

Join Our Newsletter