Nine Hot-Button Legal Issues in Cloud Contracts

Transcript of Nine Hot-Button Legal Issues in Cloud Contracts (23 slides)

7/29/2019 Nine Hot-Button Legal Issues in Cloud Contracts

Michael L. Whitener
Lead Counsel, Technology and Communications
Clearspire Law Co., PLLC

NINE HOT-BUTTON LEGAL ISSUES IN CLOUD CONTRACTS

2012 Clearspire Law Co., PLLC
Presentation at SaaS University
Boston, MA
October 25, 2012

The Backdrop

Cloud Phobia

NEPHOPHOBIA: Fear of clouds. Symptoms typically include extreme anxiety, dread and anything associated with panic such as shortness of breath, rapid breathing, irregular heartbeat, sweating, excessive sweating, nausea, dry mouth, nausea, inability to articulate words or sentences, dry mouth and shaking.

CEO of US$40B Tech Company

"Cloud computing is a security nightmare and it can't be handled in traditional ways."

John Chambers
CEO, Cisco Systems
Leading US Computer Expert

"Cloud computing sounds so sweet and wonderful and safe . . . we should just call it swamp computing."

Ronald Rivest
MIT Computer Science Professor

The Darth Vader of EU Data Protection

"Using cloud computing to process personal data raises legal and technical questions that have yet to be adequately addressed."

"The core principle of the cloud . . . cannot meet the demands of modern data privacy."

"US companies cannot achieve the data privacy level required under EU standards simply by self-certifying to the Safe Harbor list."

Thilo Weichert
Data Protection Commissioner
State of Schleswig-Holstein, Germany

Two Core Cloud Fear Factors

TRUST: Will the cloud service provider keep data secure? Can data be retrieved (or destroyed) when the relationship ends?

COMPLIANCE: Will the cloud service provider comply with all applicable legal and regulatory requirements?


US: Key Legal Principles

Sector-by-sector rather than comprehensive approach to data privacy

Result: alphabet soup of data-specific laws
• HIPAA/HITECH Act: health data
• GLB Act: financial data
• FERPA: student data
• COPPA: children's data

Nearly every state has data breach laws

EU: Key Legal Principles

EU Data Protection Directive aimed at permitting the free flow of data among EU nations

Transfers of personal data outside the EU permitted only to jurisdictions with adequate data protection laws (few nations qualify)

Exceptions:
• Safe Harbor (US only)
• Model Contractual Clauses
• Binding Corporate Rules

The Combatants

Gartner's IaaS Magic Quadrant

The Hot-Button Legal Issues

1. Data Security

Typical CSP Position: CSP will take "reasonable" security measures.

Possible Customer Pushback:
• Satisfy customer security policies
• Commit to written security specifications
• Obtain security certifications or meet security audit standards
• Provide customer audit rights
• Have security breach policy

PITFALL: "Fort Knox" guarantees of absolute data security

2. Notification of Data Security Breach

Typical CSP Position: Not addressed.

Possible Customer Pushback:
• Require CSP to promptly notify customer of any data security issues
• Prohibit CSP from notifying customer end users of security breach
• CSP to pay all costs incurred by customer to provide notice of any security breach

PITFALL: Contractual commitments regarding giving notice of data security breaches that conflict with compliance obligations under applicable data privacy laws

3. Data Privacy

Typical CSP Position: Customer agrees that CSP may process customer personal information as required to provide the services, including transfers to third parties and between countries.

Possible Customer Pushback:
• Require commitment of compliance with all applicable data privacy laws (and liability for failure to do so)
• No use of customer data except as explicitly authorized, including for analytical purposes
• No transfer of customer data overseas

PITFALL: Failure to require customer to obtain end user consents to the processing of personal information in connection with the agreement and to indemnify service provider against any liability for failure to do so

4. Limitation of Liability

Typical CSP Position: No liability for indirect/consequential damages; overall liability limited to fees paid or credit allowances.

Possible Customer Pushback:
• Limitation as multiple of fees paid by customer during a specified period (most commonly, the previous 12 months)
• Carve-outs from limitation:
  • Breach of confidentiality, data security obligations
  • IP infringement
  • Indemnity obligations

PITFALL: Carve-out from limitation for data security breaches, perhaps indirectly via confidentiality clause

5. Warranties

Typical CSP Position: No express or implied warranties; service provided "as is".

Possible Customer Pushback:
• Make explicit warranties re service/software performance, non-infringement, data security
• No sharing or disclosure of customer data without customer's prior written consent
• No suspension or disruption of service, even if customer is alleged to have breached the agreement by nonpayment or otherwise

PITFALL: Failure to explicitly exclude any warranty that the services will be adequate, useful or error-free, or that data will be kept secure and not lost/damaged

6. Indemnities

Typical CSP Position: Customer must indemnify CSP for certain third-party claims (e.g., customer data violates legal/regulatory requirement).

Possible Customer Pushback:
• Indemnify customer for claims relating to:
  • CSP's breach of its confidentiality and security obligations re customer data
  • IP infringement
• No limitation on indemnity liability

PITFALL: No requirement that customer indemnify CSP for third-party claims relating to failure to meet security obligations, violation of AUP, violation of end user agreements

7. Uptime Service Levels

Typical CSP Position: Uptime commitments or targets, subject to exclusions (e.g., scheduled maintenance).

Possible Customer Pushback:
• Require higher uptime commitment, even 100%
• Require prior written notice of scheduled downtime
• Define unavailability to include performance degradation (e.g., slow access to data)
• Require CSP to proactively monitor uptime performance and provide reports

PITFALL: Insufficiently broad exclusions from the uptime commitment (e.g., emergency maintenance, outages caused by hackers or viruses)

8. Remedies for Service Level Failure

Typical CSP Position: Service Availability Credit as a percentage of the monthly fee, perhaps with a cap.

Possible Customer Pushback:
• No percentage limitation on Service Availability Credit
• Credits are not exclusive remedy
• Failure to meet uptime targets as material breach
• Response and resolution time commitments, and credits for failure to meet these commitments

PITFALL: Fuzzy definition of "credit": is it a rebate, a discount, or an extension of the service period?

9. Disaster Recovery/Business Continuity

Typical CSP Position: Not specifically addressed, except customer is often made responsible for data storage and backup.

Possible Customer Pushback:
• Provide regularly scheduled backup of customer data
• Have written disaster recovery and business continuity plan for customer review
• Provide assistance with customer migration to another service provider
• Return data to customer in specified format

PITFALL: Open-ended obligation to migrate customer to another service provider and provide data conversion/transition services at own expense

Prepared by:

Michael L. Whitener
Lead Counsel, Technology & Communications
Clearspire Law Co., PLLC
Email: [email protected]
1747 Pennsylvania Avenue, NW
Washington, D.C. 20006
Office: 202-595-9376
Mobile: 202-257-2402
www.clearspire.com