5 Reasons Why Cloud Contracts Should Scare You

5 Reasons Why Cloud Contracts Should Scare You

5 Reasons Why Cloud Contracts Should Scare You

Marketing Hype ≠ Cloud Contract. Accepting the terms and conditions on a cloud provider’s website can be dangerous, and often the user doesn’t have the option of negotiation. And face it, nobody reads those click thru agreements anyway (except lawyers). So, what do they say and why should they scare you?  Here are my top 5 typical terms:

  • We Don’t Do Security.

Confidential or sensitive data should not be transmitted over the Internet or stored on computers connected to the Internet,” warns a cloud contract. Perhaps this is sage advice, but how many computers aren’t connected to the Internet? And where is your financial, health, tax, personal and proprietary data? In a closet behind your old shoes?

Cloud services contracts also directly state that the provider is not responsible for any type of security breach or disclosure of data. The contract may acknowledge that the customer’s data is confidential, yet still disclaim liability for disclosure. Good bye trade secrets.

Even when the company provides security services, boasting on their home page that they will “Make your business secure and HIPAA and PCI compliant,” they don’t do security. Here is another typical clause:

Company is not responsible and has no liability for any data that you post to the Service or send over the Service.

THE ALL CAPS DISCLAIMERS AND LIMITATIONS OF LIABILITY GO ON FOR PAGES. In meticulous detail, the agreements clarify that the provider is not liable for any unauthorized access to their servers, errors, inaccuracies of content, and much, much more. I’ve even seen companies who advertise their HIPAA compliance capabilities that have contract terms requiring the user to warrant that they will NOT put personal health information on their service.  Feeling warm and fuzzy yet? Let’s continue.

  • What Do You Get?

You may spend a lot of time researching the way the cloud service works and how it will meet your needs. But don’t look for any of that description in the contract. Much of the time, the description of the “Services” reads something like this:

“CloudCo.net provides the CloudCo.net service (the “Service”) through the CloudCo.net website.

That’s it. The “Service” could be cat photos or finance services. But that shouldn’t worry you because the contract also states that they can change the “Service” and how they deliver it at any time, so what does it matter what the “Service” means today? You might draw a certain amount of comfort from the concept that the market will keep a provider from doing anything too stupid, but the provider’s plans and yours may not converge.

  • The SLA Scam

Our commitment is to maintain availability of the network 99.99% percent of the time.” Sounds good, eh? I challenge you to keep reading the rest of the paragraph after being dazzled by that 99.99% (or 100%!) in the first line. Then, do the math. If you aren’t owed a credit until the service has been out for a full hour each month, the promised uptime percentage is really in the neighborhood of 99.8%, not 99.99% or 100%. Then, check the measurement scope. Is the SLA specific to your service or only applicable to the network or data center as a whole or to outages experienced by multiple customers? And remember this is just an up/down measurement. Quality doesn’t count.

Ten-twelve years ago data centers competed with each other to deliver 99.999% (called “five nines”) reliability. No more. It was impossible – even with all the exclusions to calculations that providers always give themselves. The exclusions are numerous and unlimited, including things like “maintenance activities” and “equipment and service failures on systems we don’t own.”  So, the provider can shut down the system for maintenance at any time for any length of time (maybe because it’s about to fail?) and still meet the SLA.

Second news flash, many SaaS vendors don’t own the infrastructure they use. They use third party data centers and hosting providers. Even data centers can lease equipment and use other third party providers. So that exclusion for “equipment and systems we don’t own” eliminates a huge chunk of the delivery services.

The reality is that SLAs are not always offered, although they are the only warranty-like term ever tendered. And your remedy for failure is a tiny credit off your bill, but only if you request it in writing during a specific (short) time period.

  • So if you don’t like it, just move on, right?

A common myth is that cloud services are über flexible. If you don’t like them, cancel and move on. The truth is that many require a lot of time and money to implement, may tie you into proprietary data structures and formats that are not easily transferable when you’re ready to leave, AND HAVE EARLY CANCELLATION PENALTIES.

Most people are surprised when I tell them that unless the contract contains a right to terminate for failure to deliver the service, you cannot. Your legal recourse in that situation is to sue the provider for breach of contract, not stop payment. Even if the vendor fails on its SLAs every single month, they haven’t breached the contract and that doesn’t give you a right to terminate or hold them responsible for the pain that’s caused you. Say thank you for that credit of 1% off your bill and keep paying.

On the flip side, most cloud contracts also say the provider can terminate the whole service at any time at their option. The assumption is that they would give notice and terminate everyone else too. But that’s rarely stated and really isn’t helpful anyway. If you’re terminated, you’re terminated. That could leave you in a serious bind. The contract may also state that they will delete all information related to your account 30 days after termination. But when your access has been terminated it may be impossible to get back (without a fight). Or, you may only get back partial data or data in an unusable format.

Oh, and they can change the terms of the agreement unilaterally at any time too, so even if the contract has friendly data return terms or notice periods before termination, those can disappear.

  • Lost Data, Backup, Disasters and Such

Many customers move their data to the cloud because they think they can stop managing anything related to that data and process. Yet, cloud contracts always disclaim liability for lost data, state it’s the customer’s obligation to back up anything stored on their site, and say that they don’t have to perform if they experience a disaster such as a power failure, fire, flood, etc.

The lack of backup can take a bite from the savings a customer is hoping to get from moving to the cloud. But, it’s just common sense to have a backup solution that is unconnected to the cloud provider. What if the provider goes bankrupt and closes its doors, or the data center loses its lease or the building is foreclosed? What if they lose your data?  It happened to 40% of the companies in a recent Symantec survey. And what’s worse is that two thirds of those companies’ data recovery options failed. Would you ever pass an audit of a disaster recovery plan that says your failover is on the server to the left of the one with the production system? Don’t expect too much of a cloud provider.

What if the provider has a disaster (or a roof leak?) and the servers are toast? Data centers boast about their redundant power supplies, divergent internet connectivity, robust physical security systems and facilities which are built to withstand wild weather, fires and floods. Yet their contracts still include a “force majeure” clause which gives them a pass for all the things they brag they’ve protected themselves against. True that no one can be expected to continue performing when there is a real catastrophe, but why do cloud providers expect a pass for power failures or cable cuts?  Those may be the result of a natural disaster or act of war, but the mundane construction errors shouldn’t shut them down.

The lessons are: you need to be prepared for the cloud provider to simply disappear and to lose your data. It happens.

The cloud is a wonderful tool, but it’s still in the Wild West. I hope I’ve convinced you to at least read (if not consult a lawyer about) your terms of service before putting any thing in the cloud that:

  • You need to access frequently

  • You don’t want the world to see

  • Is subject to privacy laws

  • Is mission critical to your business

  • You’d hate to lose.

By Cindy Wolf,

cindy_wolf

 

Cindy Wolf is a Colorado lawyer with more than 25 years experience representing large and small domestic and multinational companies. Her expertise is in helping companies enter the cloud safely, either as providers or users. She also practices in the areas of corporate law and commercial contracting, with an emphasis on international issues. She can be reached at: cindy@cindywolf.com.

(*This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.)

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

3 Responses to 5 Reasons Why Cloud Contracts Should Scare You

  1. One would ask then… should you ever use the cloud at all?  Based on the above… unless you have some names of providers that don’t have all the legal jargon… there would be no cloud company you would recommend using.

  2. Hey Cindy Wolf, I really appreciated for this blog, but why cloud contracts scare on Security. Because mostly cloud sites are indicates the term security in their service. I just fed up on this point. Can you send me some good and best resources regarding Cloud Security.

  3. The key to working with cloud providers for mission critical or sensitive data processing is to do your own security assessment – or hire a cyber security company to do it for you if you don’t have the internal resources. http://www.Denvercybersecurity.com and http://www.coalfire.com are two of them. Second, negotiate with the provider. Some will negotiate if you ask. But you have to know what to ask for. If they have various third party certifications regarding their security and privacy management practices, that helps, but make sure you actually review that SAE-16 SOC 1 and 2 and have the right to do your own assessments.

Comic
Investing In The Future With The Introduction of Sage Cloud

Investing In The Future With The Introduction of Sage Cloud

CHICAGO, IL–(Marketwired – Jul 26, 2016) – Sage, a market leader in cloud accounting software, announced today at Sage Summit 2016 its strong commitment to future technologies, with a focus on new and existing partnerships that power business growth. Revealed during CEO Stephen Kelly’s keynote address, which opened the world’s largest gathering of entrepreneurs and…

2016 Tour de France: Racing With Big Data

2016 Tour de France: Racing With Big Data

2016 Tour de France The 2016 Tour de France has just concluded, with Chris Froome (SKY) taking his third overall win. Not the kind of event we often focus on here at CloudTweaks, but Dimension Data has put its analytics technology to use tracking the journeys of each rider across all 21 stages, and their…

Ransomware: A Digital Pandemic – Is There A Cure?

Ransomware: A Digital Pandemic – Is There A Cure?

The Rise Of Ransomware You can imagine the scene: you’ve just completed that business plan and a set of accounts. Finally, it’s done and saved, ready for a final read through and to be sent out to your contact list. And right when you’re ready to click “Send”, the next thing you see on the…

Martech In A Content Crazed World

Martech In A Content Crazed World

Content Crazed World Everywhere you look there are pop-up ads and offers, at times it can feel like overload. What used to be a few online ads on websites has now grown into a wild world of offers that consume your every device. These advancements in marketing technology can not only be overwhelming to the…

Hubgets – Advanced Collaboration, Enriched Communication

Hubgets – Advanced Collaboration, Enriched Communication

Advanced Collaboration Tool Sponsored series provided in collaboration with Hubgets Collaboration tools have advanced leaps and bounds with the advent of cloud technology, and the services available are only getting better. Promising features such as sophisticated group communication, productive management of tasks and meetings, and the ultimate dream, working remotely from some gorgeous island destination, innovative collaboration…

Are CEO’s Missing Out On Big Data’s Big Picture?

Are CEO’s Missing Out On Big Data’s Big Picture?

Big Data’s Big Picture Big data allows marketing and production strategists to see where their efforts are succeeding and where they need some work. With big data analytics, every move you make for your company can be backed by data and analytics. While every business venture involves some level of risk, with big data, that risk…

Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure Enough Out-of-the-box?

Out-of-the-box Cloud Solutions Although people may argue that data is not safe in the Cloud because using cloud infrastructure requires trusting another party to look after mission critical data, cloud services actually are more secure than legacy systems. In fact, a recent study on the state of cloud security in the enterprise market revealed that…

Digital Transformation: Not Just For Large Enterprises Anymore

Digital Transformation: Not Just For Large Enterprises Anymore

Digital Transformation Digital transformation is the acceleration of business activities, processes, and operational models to fully embrace the changes and opportunities of digital technologies. The concept is not new; we’ve been talking about it in one way or another for decades: paperless office, BYOD, user experience, consumerization of IT – all of these were stepping…

Multi-Cloud Integration Has Arrived

Multi-Cloud Integration Has Arrived

Multi-Cloud Integration Speed, flexibility, and innovation require multiple cloud services As businesses seek new paths to innovation, racing to market with new features and products, cloud services continue to grow in popularity. According to Gartner, 88% of total compute will be cloud-based by 2020, leaving just 12% on premise. Flexibility remains a key consideration, and…

Ending The Great Enterprise Disconnect

Ending The Great Enterprise Disconnect

Five Requirements for Supporting a Connected Workforce It used to be that enterprises dictated how workers spent their day: stuck in a cubicle, tied to an enterprise-mandated computer, an enterprise-mandated desk phone with mysterious buttons, and perhaps an enterprise-mandated mobile phone if they traveled. All that is history. Today, a modern workforce is dictating how…

Cost of the Cloud: Is It Really Worth It?

Cost of the Cloud: Is It Really Worth It?

Cost of the Cloud Cloud computing is more than just another storage tier. Imagine if you’re able to scale up 10x just to handle seasonal volumes or rely on a true disaster-recovery solution without upfront capital. Although the pay-as-you-go pricing model of cloud computing makes it a noticeable expense, it’s the only solution for many…

The Storytelling Machine: Big Content and Big Data

The Storytelling Machine: Big Content and Big Data

Bridging The Gap Between Big Content and Big Data Advances in cloud computing, along with the big data movement, have transformed the business IT landscape. Leveraging the cloud, companies are now afforded on demand capacity and mobile accessibility to their business-critical systems and information. At the same time, the amount of structured and unstructured data…

Using Big Data To Analyze Venture Capitalists’ Ability To Recognize Potential

Using Big Data To Analyze Venture Capitalists’ Ability To Recognize Potential

Big Data To Analyze Using Big Data to Analyze Venture Capitalists’ Ability To Recognize Potential For those who are regularly involved with SMEs, venture capital, and company valuations, it is common knowledge that start-ups that exit for more than $1 billion dollars are extremely rare – often termed ‘unicorn’ companies. Despite their rarity, it should…

The Future of M2M Technology & Opportunities

The Future of M2M Technology & Opportunities

The Future Of The Emerging M2M Here at CloudTweaks, most of our coverage is centered around the growing number of exciting and interconnected emerging markets. Wearable, IoT, M2M, Mobile and Cloud computing to name a few. Over the past couple of weeks we’ve talked about Machine to Machine (M2M) such as the differences between IoT and…

Business Analytics Vs Data Science

Business Analytics Vs Data Science

Big Data Continues To Grow Big Data continues to be a much discussed topic of interest and for good reason.  According to a recent report from International Data Corporation (IDC), “worldwide revenues for big data and business analytics will grow from nearly $122 billion in 2015 to more than $187 billion in 2019, an increase…

The Business of Security: Avoiding Risks

The Business of Security: Avoiding Risks

The Business of Security Security is one of those IT concerns that aren’t problematic until disaster strikes. It might be tomorrow, it could be next week or next year. The fact is that poor security leaves businesses wide open for data loss and theft. News outlets just skim the surface, but hackers cost business up…