legal & commercial, issues of a cloud service

Legal and Commercial Issues of a Cloud Service Alex Kirkhope / Dominic Higham 11 October 2011


Post on 28-Nov-2014


DESCRIPTION

DLA presentation to VMUG 5, 11th Oct 2011

TRANSCRIPT

Page 1: Legal & Commercial, Issues of a Cloud Service

Legal and Commercial Issues of a Cloud Service

Alex Kirkhope / Dominic Higham

11 October 2011

Page 2: Legal & Commercial, Issues of a Cloud Service

Introductions and themes

Service specification and service levels

Rights, liabilities and remedies

Standard terms

Data protection issues

Dispute readiness

11 October 2011Cloud Computing - BCS 2

Page 3: Legal & Commercial, Issues of a Cloud Service


Defining Cloud Computing

“a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

National Institute of Standards and Technology (NIST)

Software as a Service

Infrastructure as a Service

Platform as a Service

Page 4: Legal & Commercial, Issues of a Cloud Service


The business drivers

• cost effective

• scalable / dealing with spikes

• easy to install

• standard service offering

• integrated maintenance

• avoids supplier lock in (?)

Page 5: Legal & Commercial, Issues of a Cloud Service


Legal Issues

• Service specification and levels

• Contractual rights, remedies and liabilities

• Control over data

• Data privacy

Page 6: Legal & Commercial, Issues of a Cloud Service

Service specification / service levels

As with any outsourcing arrangements... be clear about what you are getting

• basic service features

• application features

• business continuity

• availability / response times / downtime

• helpdesk support

• charging structure: utility based? fixed fee?

• performance monitoring: recompense if 'below par'?


Page 7: Legal & Commercial, Issues of a Cloud Service

Rights, remedies and liabilities

Terms almost always 'non-negotiable'

• supplier unwilling to take on risk

• liability capped at very low levels and 'direct loss' tightly defined

• rare to see service credit regime

• service provided 'as is'

• if you don't like it simply walk away

As customer you will be expected to

• pay on time

• sign & indemnify the 'acceptable user policy'

• understand limited commitments around the service


Page 8: Legal & Commercial, Issues of a Cloud Service


Screen shots - GoogleApps

Page 9: Legal & Commercial, Issues of a Cloud Service

Standard –v- negotiated terms

Standard terms

• low liability limits

• reduced rights in case of data loss, downtime, etc.

• Typically, more keenly priced

• Customer loss –v- provider's business

Negotiated terms

• chance to gain better protection subject to bargaining position

11 October 2011Cloud Computing - BCS 9

Page 10: Legal & Commercial, Issues of a Cloud Service

Limitations of Liability - AWS

11. Limitations of Liability

WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH: (A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY OBLIGATIONS UNDER THE SLAS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A PORTION OF THE SERVICES FOR ANY REASON, INCLUDING AS A RESULT OF POWER OUTAGES, SYSTEM FAILURES OR OTHER INTERRUPTIONS; (B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (C) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR (D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, OUR AND OUR AFFILIATES’ AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS PRECEDING THE CLAIM.


Page 11: Legal & Commercial, Issues of a Cloud Service

Challenging the standard terms

What is the Unfair Contract Terms Act 1977?

UCTA - Guidelines for Application of Reasonableness Test include:

(a) the strength of the bargaining positions of the parties relative to each other, taking into account (among other things) alternative means by which the customer’s requirements could have been met;

(b) whether the customer … had an opportunity of entering into a similar contract with other persons, but without having a similar term;


Page 12: Legal & Commercial, Issues of a Cloud Service

Case law

St Albans v ICL

Watford Electronics v Sanderson, 2001

“Where experienced businessmen representing substantial companies of equal bargaining power negotiate an agreement, they may be taken to have had regard to the matters known to them. They should, in my view be taken to be the best judge of the commercial fairness of the agreement which they have made; including the fairness of each of the terms in that agreement. They should be taken to be the best judge on the question whether the terms of the agreement are reasonable. The court should not assume that either is likely to commit his company to an agreement which he thinks is unfair, or which he thinks includes unreasonable terms. Unless satisfied that one party has, in effect, taken unfair advantage of the other – or that a term is so unreasonable that it cannot properly have been understood or considered - the court should not interfere.”


Page 13: Legal & Commercial, Issues of a Cloud Service

Termination for breach/cause

More important in longer term arrangements

Termination for Cause by Either Party

Either party may terminate this Agreement for cause upon [30/10/7] days advance notice to the other party if there is any material default or breach of this Agreement by the other party, unless the defaulting party has cured the material default or breach within the ## day notice period.


Page 14: Legal & Commercial, Issues of a Cloud Service


Material Breach?

There is no commonly accepted definition of "material breach". Where a contract is expressed to be terminable for material breach and no definition is included the courts will look at all the surrounding circumstances. Key points include:

• the intention of the parties. Did they intend to give the non-breaching party the right to terminate?;

• the nature of the contract and the obligations involved;

• what the breach consists of and how it impacts on the innocent party;

• the circumstances in which the breach arises including any explanation given;

• was the breach accidental or intentional?; and

• the consequences for the breaching party if the breach is material. This is less important than the impact of the breach on the non-breaching party.

Contrast termination for repudiatory breach

What is the effect of this contractual position?

Page 15: Legal & Commercial, Issues of a Cloud Service

Data ownership

If you put data in the Cloud, understand:

• who may be able to access it: strength of confidentiality / security undertakings offered

• commitments provided on exit / transition: how easy would it be to transfer to another provider

• would you be prepared to put your crown jewels there?


Page 16: Legal & Commercial, Issues of a Cloud Service

Data privacy

Data Protection Act 1998

• if you put personal data in the cloud you have responsibility as a data controller…

• to be satisfied that adequate measures are in place to protect confidentiality and security of data against unauthorised loss, damage, destruction, etc

• to prevent the data from being processed outside Europe unless further legal protections are in place

• it is not good enough to simply rely on the 'good word' of a supplier

ICO (and FSA if you are FSA regulated) take a strict approach to enforcement

• Zurich fined £2.4m for failing to undertake adequate due diligence when allowing customer data to be outsourced to South Africa.


Page 17: Legal & Commercial, Issues of a Cloud Service

Data loss

Data loss remains high profile – NHS, HMRC, Deloitte, MoD, banks and financial institutions

Consequences

• fines

• criminal sanction

• undertakings

• reputation

• claims

• management time and money dealing with claims


Page 18: Legal & Commercial, Issues of a Cloud Service

ICO

What will the ICO look at?

• circumstances of breach

• the response to the loss

• steps to mitigate

• adequacy of procedures, standards, encryption

Steps to take:

• investigate, assess, contain

• inform regulators and/or public – deal with publicity

• prevent recurrence and remedy underlying issues

Personal Information Online Code of Practice

• pragmatic approach but will want to see risk analysis done.

Cloud and outsourcing are not the only source of data loss risk


Page 19: Legal & Commercial, Issues of a Cloud Service


Contract management and dispute readiness

material breach and repudiatory breach

dispute approach

• contract management – service of notices etc.

• discussions – open and without prejudice

• escalation procedures

• documents

• witnesses

business continuity - exit and transition and future provision of services

Page 20: Legal & Commercial, Issues of a Cloud Service


Conclusions

Cloud computing is growing rapidly

Attractive as a commercial / business proposition

There are risks: understand before proceeding

Go in 'eyes wide open'

Page 21: Legal & Commercial, Issues of a Cloud Service


Any questions or comments?
