Still, moving to the cloud is not without risk, some but not all of which may be avoidable. For example, a 2012 study published in the Stanford Technology Law Review found that 50 percent of IT managers did not know their organizations were using the cloud, and a similar percentage did not bother to read or attempt to negotiate their cloud services agreements3. Obviously, the risks associated with not reading a contract are avoidable. But, what about those presented when a cloud provider goes out of business, e.g. termination of service, loss of access to data, etc.?4 Short of investing in the cloud provider, there is not much that can be done to keep it operating. So, what else can a user do to protect itself? Though none is a silver bullet and virtually all may increase the cost of going to the cloud, below are 10 steps to reduce risk from a cloud provider’s business failure.5
1 Conduct diligence before selecting a provider. Check to be sure the provider is well established, with sufficient financial and technical resources, and a record for compliance with applicable privacy and data protection laws as well as its own contract terms. Pay particular attention to the provider’s agreements with its suppliers. If the cloud provider licenses software or equipment from a third party critical to your service, confirm that it can continue to use these resources if either the provider or a supplier closes its business.
2 Read the cloud agreement. While it may not be possible to change the terms, there is no substitute for being informed of the terms of service.
3 Make sure the cloud agreement contains language acknowledging your ownership of (and right to access and control) the data being processed/stored by the cloud provider at each step of the cloud provider’s service. Remember, a bankruptcy estate covers the cloud debtor’s property; not yours. So, if you have taken steps to clearly identify ownership/control of the data, you are more likely to get access to it quickly and avoid the possibility that it may end up in the hands of a third party you didn’t choose as a business partner.
4 Require the cloud provider to provide periodic backups of all data and an escrow for critical software applications. At a minimum, require a list of the various programs used to process, store and access the data. In the interim, download and make copies of the data.
5 Develop a migration plan in the event you need to change providers and include provisions in your cloud agreement for transition assistance (financial and technical).
6 Confirm the provider’s policies on the treatment of personally identifiable information that may be included in your data. Once a provider seeks protection, it may attempt to sell access to this information. If it has a policy against doing so, you have a better chance of protecting this information from sale.
7 If the cloud provider is providing a license to software or other intellectual property, take steps to confirm the contract so that you can continue to access your data and the licensed software. This can buy time necessary to find a replacement provider.
8 Include provisions for termination upon bankruptcy and anti-assignment in the cloud agreement. These may not be enforced in a bankruptcy proceeding, but they can provide leverage and protection pre-filing.
9 Monitor performance and be prepared to act quickly if it appears the provider is troubled. And, once the provider files for protection, consolidate as much of your data as possible elsewhere and find a new provider.6
10 Investigate the arrangements between the cloud provider and its suppliers. Often, the obligations mismatch such that there is no back-to-back commitment regarding service, data protection, etc. This should be a red-flag.
The cloud has many advantages. But, it has risks too. And being forewarned is forearmed.
Scott Warner is an attorney with Greg Duff and Company and recently spoke at the Hospitality Upgrade Executive Vendor Summit in March.
(Footnotes)
1 See, http://netmetix.wordpress.com/2011/11/09/top-10-cloud-computing-statistics/
2 See http://www.forbes.com/sites/reuvencohen/2013/04/16/the-cloud-hits-the-mainstream-more-than-half-of-u-s-businesses-now-use-cloud-computing/?ss=cloud-computing
3 W. Kuan Hon, Negotiating Cloud Contracts: Looking at Clouds From Both Sides Now, 16 Stan. Tech. L. Rev. 79 (2012).
4 Similar, though different issues arise when a cloud provider’s services fail to meet contractual requirements. For an interesting discussion of this topic and Glaxosmithkline LLC v Discovery Works Legal, Inc., No. 650210/2013 (N.Y. Sup. Ct., filed Jan. 22, 2013), see Kevin F. Brady, When the Cloud Turns Dark: A Tale of Data Held Hostage?, BNA Privacy Law Watch (March 2013).
5 The nature and degree of risk varies depending on various factors, including the type of cloud service provided (IaaS vs SaaS vs PaaS, etc.), whether the cloud provider seeks liquidation or re-organization, etc. By far the greatest risk is the loss of access to data during the proceeding (or forever). This risk may be mitigated in the future as there are legislative efforts underway to give users a right to recover data from a bankrupt cloud provider.
6 There are limits to what a user is permitted to do when a cloud provider seeks protection under the bankruptcy laws. For example, filing a petition for bankruptcy protection triggers an automatic stay under Section 362(a) of the Bankruptcy Code which generally prohibits third parties from taking action to obtain possession of or exercise control over any of the debtor’s property. For a discussion of bankruptcy and the cloud, see David S. Caplan, Bringing the Cloud Down to Earth, Disclosure Statement Vol. 31, No. 3 May 2010.
©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.