Cloud-Based Outsourcing

By: James E. Meadows , Culhane Meadows PLLC.

Cloud computing is a subscription-based service that offers on-demand network access to a shared pool of configurable computer resources (e.g., networks, applications, servers, storage, etc.) that is usually hosted by the supplier and provided over the Internet. Such services can be rapidly provisioned and released with minimal transition services and management effort. Cloud services are outsourcing without a single dedicated data center. There are varying service models and deployment methods in cloud computing that provide a customer with different levels of control, flexibility, and management.

Cloud Computing Service Models

There are four primary service models in cloud-based outsourcing:

• Software as a Service (SaaS) provides software applications that are hosted by a supplier and made available to customers over the Internet.
• Platform as a Service (PaaS) provides an outsourced platform that is hosted by a supplier and allows customers to develop, test, and manage web applications.
• Infrastructure as a Service (IaaS) provides virtualized computer resources (e.g., servers, storage, and networking) on a pay-per-usage basis over the Internet.
• Desktop as a Service (DaaS) provides virtual desktops that are hosted by a supplier and accessible from anywhere via the Internet.

Cloud-based outsourcing is compelling for information services because it offers greater flexibility and economy. However, such solutions raise unique legal considerations including data privacy, security, and e-discovery issues. Suppliers are able to offer low cost, flexible solutions because they standardize their offerings for multiple customers. Consequently, suppliers are less likely than traditional outsourcing providers to adapt their solutions to the customer’s needs or negotiate contract terms to meet customer requirements.

Cloud Computing Deployment Models

Cloud deployment models represent a specific type of cloud environment distinguished primarily by ownership, size, and access. Each deployment model has varying degrees of data security, risk, and investment.

• Private cloud or on-premises cloud. The private cloud infrastructure provides a dedicated network and equipment that are operated solely for the customer’s business and are managed internally or externally. In a private cloud arrangement, the customer maintains all components of the associated technology, which includes any servers or software required to deploy cloud resources. Private clouds give customers a greater degree of flexibility and control over data security and storage but are also more expensive given the physical space, hardware, and environmental controls required.
• Public cloud. The public cloud is made available to the general public by a supplier who owns, operates, and hosts the cloud infrastructure and offers access to users over the Internet. Because users share the public cloud, this model offers the greatest flexibility (on demand scalability) and cost savings (pay as you go model). However, the public cloud has increased security risks as customers have no visibility or control over where the infrastructure is located, and it offers limited configuration and availability variance.
• Community cloud. The community cloud infrastructure is a multi-tenant cloud service model that is shared among several organizations and is governed, managed, and secured commonly by all the participating organizations or a thirdparty managed service supplier. Community clouds are a hybrid form of private clouds built and operated specifically for a group that shares common goals. With the community cloud, the costs of deployment and access are spread over fewer users than the public cloud, but there are more users than the private cloud.
• Hybrid cloud. The hybrid cloud is composed of two or more clouds (private, public, and/or community clouds) that remain separate but are bound together, offering the advantages of multiple deployment models. A hybrid cloud increases the flexibility of cloud computing as customers can leverage suppliers in either a full or partial manner. There are, however, increased potential risks with accessing multiple cloud platforms.

Selection Considerations

Because each cloud model offers varying degrees of flexibility, efficiency, data security, and cost savings, the customer must select the appropriate model to meet its needs and manage the associated risks. Key considerations include whether the outsourced service is business critical and the sensitivity of the outsourced data. For example, public clouds work better where the outsourced service is not critical to the customer’s business and the outsourced data is not sensitive. Customers should carefully evaluate each of the following in selecting the right cloud computing service, deployment model, and supplier:

• The supplier’s security standards
• The availability and reliability of the service
• Price (i.e., whether the service will provide cost savings and whether it provides flexible, usage-based pricing)
• Data privacy (For example, does the outsourced data include personal data or competitively-sensitive data such as trade secrets)
• Service level agreement performance objectives/guarantees
• Scalability (i.e., whether the service allows the customer to easily increase or decrease usage and resources to accommodate changing business needs)
• Continuity of the service (For example, can the supplier suspend the services for non-compliance? What is the supplier’s business interruption/disaster recovery procedure?)
• Loss of control
• Supplier’s reputation and long term viability (For example, if the supplier is a start-up, the customer should evaluate whether it is well-funded, whether it has a strong vertical industry position, and whether it is innovative/proactive in updating the technology and exploring new services)
• Data location/storage concerns
•  Regulatory issues (For example, is the service compatible with legal requirements imposed by the Gramm-Leach- Bliley Act, 15 U.S.C. § 6801 et seq., Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320det seq., or other applicable laws, and/or with industry requirements such as the Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/documents/PCI_ SSC_Getting_Started_with_PCI_DSS.pdf)?)
•  The supplier’s technology lock-in position (This is where the supplier implements a proprietary solution for the customer, making the customer dependent on the supplier’s technology; which, by definition, is not available from another or successor supplier, and is problematic with PaaS solutions and occurs where the platform has limited compatibility with other software, equipment, solutions and/or where the supplier restricts or limits migration (i.e., does not provide termination assistance services and/or does not provide or allow data to be extracted and migrated for continued use).)
• The ability to easily transition upon expiration/termination of the service

Due diligence is essential in the selection process. See Initial  Considerations in Cloud Computing Agreements (Due Diligence of the Cloud Provider.)

Key Legal Issues

There are a number of legal challenges and issues that arise in cloud-based outsourcing agreements that need to be carefully considered and managed in order to mitigate the risks inherent in such transactions.

Ownership/Use of Data

While the customer may assume it owns the data that the cloud service / supplier collects, uses, and processes on its behalf, the contract should detail ownership and data usage rights. Company data should be broadly defined to include all data or information provided by, or accessed or collected from or through, the company and its systems, and all data resulting from the processing, generation, or aggregation of such data or the performance of the services. The contract should also expressly limit the supplier’s right to use such data. For example, it should prohibit the supplier from using company data in aggregated, de-identified form for purposes outside of the contract and from disclosing or selling company data, even in aggregated form, to any third parties.

Data Security

The  security and protection of data is critical in cloud-based outsourcing agreements. The  contractual requirements will  vary based upon the nature and sensitivity of the data outsourced to the cloud solution. The  customer should consider including the following: confidentiality obligations that encompass company data even if such data is not confidential; data encryption requirements, applicable both in transit and in storage; a right to audit security procedures and data centers; immediate notification obligations for  any incidents that may compromise data and security breaches; and audit rights to assess controls and procedures for  storing, handling, and transmitting data. For  more information, see  Privacy and Data  Security in Outsourcing.

Data Storage

Data storage considerations impact privacy and security issues. For  example, if data is accessible from, processed, or stored outside the United States, the location of such services (e.g., China, India, Russia, etc.) may increase the risk of a security breach. Moreover, the location of the data also impacts compliance with data privacy and security laws such as the Gramm-Leach-Bliley Act,   15 U.S.C. § 6801 et seq., Health Insurance Portability and Accountability Act,   42  U.S.C. § 1320d et seq., and the EU Data Protection Directive, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=urise rv:OJ.L_.2016.119.01.0089.01.ENG&toc=OJ:L:2016:119:TOC. Thus, consider specifying limitations on the locations where data can be accessed and stored. For  example, data shall not be accessible from, transferred to, processed, or stored in any location outside the U.S.

Data Access and Portability

Data access and portability, both during the contract term and upon the expiration or termination of the contract, are problematic in cloud computing agreements. An example would be a technology lock-in position where the supplier stores the customer’s data in a proprietary format not available to, or offered by, other vendors, and then either refuses or charges a high rate to convert that data into a format that would be usable by a successor supplier. Thus, the customer should include obligations for the supplier to provide data in a specified format (to ensure it is usable) upon request at any time during the contract, regardless of whether a party is in default or breach under the agreement, and within a specified period of time upon the expiration or termination of the agreement for any reason. This will protect against customer data being held hostage by the supplier in exchange for an additional fee for access. The contract should also address how the supplier will handle customer data in the event of a government subpoena or other legal action.

Service Level Agreements (SLAs)

Most suppliers will contractually limit and restrict SLAs by referring to them as performance goals or objectives rather than contractual requirements. The customer should consider making the SLA a representation and warranty. It should also consider including specific remedies for service interruptions and outages. Such remedies should include credits, the right to conduct a yearly comprehensive review, the right to have a sit down meeting by the parties’ executives for repeated failures, and termination rights for cause if interruptions/outages are chronic or excessive. This last right should expressly excuse payment of any early termination fee and/or entitle the customer to a refund of any prepaid, unused fees. The customer should also ensure that credits are not specified as the sole and exclusive remedy for an outage, which would conflict with any SLA representations and warranties, as well as termination rights for cause. Finally, the customer should ensure that any exceptions to or carve-outs from the SLA are limited, as overbroad exclusions gut the SLA.

Service Interruptions / Business Continuity / Disaster Recovery

The contractual definition of a service interruption should be carefully reviewed, as well as the supplier’s obligations upon an interruption. For example, does a service interruption include a cyberattack or data breach? Does the agreement include a detailed business continuity and/or disaster recovery plan with specified backup procedures and data recovery mechanisms?

It is important to understand the parties’ obligations and responsibilities, including liability, in the event that the customer cannot gain access to its data due to an interruption. The contract should include the parties’ rights and obligations regarding notice of an interruption, mitigation efforts, suspension of payment provisions and/or interruption credits—with reference to SLAs as discussed above—and termination rights if the interruption cannot be cured after a specified period of time.

Warranties

Most suppliers will try to limit warranties, but the customer should carefully consider including warranties regarding conformity to service descriptions and specifications; performance/SLA; compliance with laws; compliance with security requirements and obligations; and the non-use of disabling codes, viruses, and cookies or other tracking technologies.

Wind-Down / Termination Assistance

The contract should include a provision permitting a wind- down period upon termination that allows the customer to continue using the service for a specified period of time, in order for the customer to transition to another provider. Alternatively, it could require the supplier to assist in such a transition to maintain business continuity. These types of provisions usually require the supplier to maintain a specified level of service for a predefined period of time. Such a provision may also require the supplier to assist with data migration. At the end of any wind-down or termination assistance period, the contract should detail the supplier’s obligations to destroy or erase, as applicable, all data from the service and its systems.

Force Majeure Events

Force majeure events should be defined as both beyond the reasonable control of the supplier, as well as unforeseeable and unavoidable. This is an important distinction because while some events might be beyond the supplier’s control, they are not unforeseeable or entirely unavoidable. One example of this is a cyberattack. The  provision should also specify that any force majeure events do not excuse the supplier’s business continuity / disaster recovery obligations. This is crucial to avoid a potential conflict of terms, because performance is generally excused for  force majeure events, but there are continuing obligations under business continuity and disaster recovery plans. It should also be specified that payment obligations are excused during a force majeure event, or for prepaid services, include the right to receive service credits for each day  of service interruption. Finally, the supplier should have a duty to mitigate damages, and the customer should have a right to terminate without liability if the force majeure event continues after a specified period of time. For  example, the customer should be excused from the obligation to pay any early termination fee and/or should have the right to a refund for  any prepaid, unused fees. For  more information, see Business Continuity and Contingency Planning in Outsourcing.

Limitation of Liability

Limitations on liability should be carefully considered and should exclude damages arising from certain obligations such as those arising from the supplier’s negligence, breach of its confidentiality / data security obligations, or failure to comply with applicable privacy and data security laws and regulations. The  contract should also expressly carve out the supplier’s indemnification obligations from any specified limitations on direct damages and exclude indirect damages.

Indemnification

The indemnification provision should expressly include the supplier’s obligation to indemnify, defend, and hold the customer harmless, as some jurisdictions do not include the duty to defend as inherent to the indemnification obligation. The supplier’s indemnification obligations should cover breach of the supplier’s obligations to protect and secure company data, failure to comply with laws, and third-party claims alleging that access to or use of the cloud service infringes any third-party rights. It should also be specified that the contractual limitations of liability do not apply to the supplier’s indemnification obligations.

Export Control

The parties’ responsibility to comply with export control regulations should be addressed in the contract as moving data to the cloud is deemed an export if such data is accessible from another jurisdiction.

Additional Terms and Conditions / Supplier’s Right to Change Terms

Depending on the cloud service and deployment model, the contract may incorporate by reference other supplier terms and conditions—specific policies, for example. Any applicable terms, conditions, and policies should be carefully reviewed so as to ensure that they do not conflict with negotiated provisions, such as remedies for SLA failures. This review should be done even if the agreement contains a provision stating that in the event of a conflict, the agreement’s terms will apply, since some courts have not effectively enforced such provisions. Furthermore, the supplier may have the flexibility to change its terms and conditions without the customer’s approval. Some suppliers will agree to a compromise in this area, such as a requirement that any changes do not degrade the service or weaken the security requirements, or that the supplier will notify the customer in writing of any changes and give the customer the right to terminate if any of the changes adversely affect the customer or the service.

James E. Meadows is a managing partner and chair of the outsourcing practice group at Culhane Meadows PLLC. Mr. Meadows is a nationally recognized leading Outsourcing lawyer focused on representing large corporate clients in a wide range of technology law matters.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Corporate Counsel > Outsourcing > Special Issues in Outsourcing > Practice Notes > Special Issues in Outsourcing

Related Content