5 Reasons Why Cloud Contracts Should Scare You
Marketing Hype ≠ Cloud Contract. Accepting the terms and conditions on a cloud provider’s website can be dangerous, and often the user doesn't have the option of negotiation. And face it, nobody reads those click thru agreements anyway (except lawyers). So, what do they say and why should they scare you? Here are my top 5 typical terms:
We Don’t Do Security.
“Confidential or sensitive data should not be transmitted over the Internet or stored on computers connected to the Internet,” warns a cloud contract. Perhaps this is sage advice, but how many computers aren't connected to the Internet? And where is your financial, health, tax, personal and proprietary data? In a closet behind your old shoes?
Cloud services contracts also directly state that the provider is not responsible for any type of security breach or disclosure of data. The contract may acknowledge that the customer’s data is confidential, yet still disclaim liability for disclosure. Good bye trade secrets.
Even when the company provides security services, boasting on their home page that they will “Make your business secure and HIPAA and PCI compliant,” they don’t do security. Here is another typical clause:
“Company is not responsible and has no liability for any data that you post to the Service or send over the Service.”
THE ALL CAPS DISCLAIMERS AND LIMITATIONS OF LIABILITY GO ON FOR PAGES. In meticulous detail, the agreements clarify that the provider is not liable for any unauthorized access to their servers, errors, inaccuracies of content, and much, much more. I've even seen companies who advertise their HIPAA compliance capabilities that have contract terms requiring the user to warrant that they will NOT put personal health information on their service. Feeling warm and fuzzy yet? Let’s continue.
What Do You Get?
You may spend a lot of time researching the way the cloud service works and how it will meet your needs. But don’t look for any of that description in the contract. Much of the time, the description of the “Services” reads something like this:
“CloudCo.net provides the CloudCo.net service (the “Service”) through the CloudCo.net website.
That’s it. The “Service” could be cat photos or finance services. But that shouldn't worry you because the contract also states that they can change the “Service” and how they deliver it at any time, so what does it matter what the “Service” means today? You might draw a certain amount of comfort from the concept that the market will keep a provider from doing anything too stupid, but the provider’s plans and yours may not converge.
The SLA Scam
“Our commitment is to maintain availability of the network 99.99% percent of the time.” Sounds good, eh? I challenge you to keep reading the rest of the paragraph after being dazzled by that 99.99% (or 100%!) in the first line. Then, do the math. If you aren't owed a credit until the service has been out for a full hour each month, the promised uptime percentage is really in the neighborhood of 99.8%, not 99.99% or 100%. Then, check the measurement scope. Is the SLA specific to your service or only applicable to the network or data center as a whole or to outages experienced by multiple customers? And remember this is just an up/down measurement. Quality doesn't count.
Ten-twelve years ago data centers competed with each other to deliver 99.999% (called “five nines”) reliability. No more. It was impossible – even with all the exclusions to calculations that providers always give themselves. The exclusions are numerous and unlimited, including things like “maintenance activities” and “equipment and service failures on systems we don’t own.” So, the provider can shut down the system for maintenance at any time for any length of time (maybe because it’s about to fail?) and still meet the SLA.
Second news flash, many SaaS vendors don’t own the infrastructure they use. They use third party data centers and hosting providers. Even data centers can lease equipment and use other third party providers. So that exclusion for “equipment and systems we don’t own” eliminates a huge chunk of the delivery services.
The reality is that SLAs are not always offered, although they are the only warranty-like term ever tendered. And your remedy for failure is a tiny credit off your bill, but only if you request it in writing during a specific (short) time period.
So if you don’t like it, just move on, right?
A common myth is that cloud services are über flexible. If you don’t like them, cancel and move on. The truth is that many require a lot of time and money to implement, may tie you into proprietary data structures and formats that are not easily transferable when you’re ready to leave, AND HAVE EARLY CANCELLATION PENALTIES.
Most people are surprised when I tell them that unless the contract contains a right to terminate for failure to deliver the service, you cannot. Your legal recourse in that situation is to sue the provider for breach of contract, not stop payment. Even if the vendor fails on its SLAs every single month, they haven’t breached the contract and that doesn't give you a right to terminate or hold them responsible for the pain that’s caused you. Say thank you for that credit of 1% off your bill and keep paying.
On the flip side, most cloud contracts also say the provider can terminate the whole service at any time at their option. The assumption is that they would give notice and terminate everyone else too. But that’s rarely stated and really isn't helpful anyway. If you’re terminated, you’re terminated. That could leave you in a serious bind. The contract may also state that they will delete all information related to your account 30 days after termination. But when your access has been terminated it may be impossible to get back (without a fight). Or, you may only get back partial data or data in an unusable format.
Oh, and they can change the terms of the agreement unilaterally at any time too, so even if the contract has friendly data return terms or notice periods before termination, those can disappear.
Lost Data, Backup, Disasters and Such
Many customers move their data to the cloud because they think they can stop managing anything related to that data and process. Yet, cloud contracts always disclaim liability for lost data, state it’s the customer’s obligation to back up anything stored on their site, and say that they don’t have to perform if they experience a disaster such as a power failure, fire, flood, etc.
The lack of backup can take a bite from the savings a customer is hoping to get from moving to the cloud. But, it’s just common sense to have a backup solution that is unconnected to the cloud provider. What if the provider goes bankrupt and closes its doors, or the data center loses its lease or the building is foreclosed? What if they lose your data? It happened to 40% of the companies in a recent Symantec survey. And what’s worse is that two thirds of those companies’ data recovery options failed. Would you ever pass an audit of a disaster recovery plan that says your failover is on the server to the left of the one with the production system? Don’t expect too much of a cloud provider.
What if the provider has a disaster (or a roof leak?) and the servers are toast? Data centers boast about their redundant power supplies, divergent internet connectivity, robust physical security systems and facilities which are built to withstand wild weather, fires and floods. Yet their contracts still include a “force majeure” clause which gives them a pass for all the things they brag they’ve protected themselves against. True that no one can be expected to continue performing when there is a real catastrophe, but why do cloud providers expect a pass for power failures or cable cuts? Those may be the result of a natural disaster or act of war, but the mundane construction errors shouldn't shut them down.
The lessons are: you need to be prepared for the cloud provider to simply disappear and to lose your data. It happens.
The cloud is a wonderful tool, but it’s still in the Wild West. I hope I've convinced you to at least read (if not consult a lawyer about) your terms of service before putting any thing in the cloud that:
You need to access frequently
You don’t want the world to see
Is subject to privacy laws
Is mission critical to your business
You’d hate to lose.
By Cindy Wolf,
Cindy Wolf is a Colorado lawyer with more than 25 years experience representing large and small domestic and multinational companies. Her expertise is in helping companies enter the cloud safely, either as providers or users. She also practices in the areas of corporate law and commercial contracting, with an emphasis on international issues. She can be reached at: email@example.com.
(*This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.)