Once you near that tipping point, if you have not already, start shopping. Not all cloud providers are created equal. Look for a cloud vendor that specializes in handling the type of data you will be sending them. If the cloud provider specializes in handling data for hospitals, they are probably not for you. The privacy and security rules that apply to medical records are different from the Payment Card Industry Data Security Standard (PCI DSS) requirements that matter to hoteliers.
While there are several other factors to be considered when selecting a cloud provider, let's jump ahead to the point where you have selected a cloud vendor, and it is time to agree on a written contract for services.
The normal course of events is that the vendor presents you with a contract. They expect you to sign it before they start providing services. Ask yourself: who prepared the contract? The cloud vendor's lawyer prepared it. Who paid the lawyer? The answer to this is also the cloud vendor. It stands to reason that the lawyer is protecting the vendor's interests, not yours. Don't just sign whatever paper is put in front of you. Not that the cloud vendor or its lawyers are not fair-minded, but you can bet that in most cases the agreement will favor the vendor.
Will the cloud vendor agree to change the agreement? It may depend on how badly they want your business. If the terms are one-sided and the vendor refuses to make any changes, you may need to walk away and find a new cloud provider. If the cloud vendor wants your business and is willing to make some changes, there are several provisions you should make sure are included.
Your biggest concern is that your data will be lost or stolen through the cloud. Believe it or not, some cloud vendor agreements do not even address what will happen if a security breach occurs. They don't even state what a data breach is, so if a data breach occurs everyone points fingers at each other and runs around like chickens with their heads cut off. The agreement should state how a security breach will be handled, including what will be done, and who has responsibility for which tasks.
When you store or receive electronic data, depending on the type of data, you might have to meet certain security standards. For example, if you receive credit card information, you have to comply with PCI DSS requirements, but does the cloud provider? No, not unless you make them. Make sure that the agreement requires the cloud vendor to meet and comply with any data security and privacy requirements with which you must comply. This includes the laws of any country in which you receive or obtain data that is going to the cloud.
If data is lost, who pays? Everyone will look at you. Your guests will look at you because they gave their information to you. If a government compliance agency is involved, they will look at you. You received the data, you are responsible for keeping it secure. Sometimes the loss of data is no one's fault. Hackers get through despite all the appropriate security measures in place.
New scenario: what if the security breach was the fault of the cloud vendor? If data is lost through the cloud because the vendor failed to have the proper security in place, the vendor will be in violation of your agreement. A little provision called an indemnity clause in the agreement can really help save your bacon. An indemnity clause will require the cloud vendor to indemnify, or reimburse, you for losses caused by their negligence.
Oftentimes the initial agreement proposal only calls for you to indemnify the cloud provider if you cause them to suffer any damages, but not the other way around. Make sure the indemnity provision goes both ways. After all, turnabout is fair play.
Subcontractors
When is your cloud provider not really your cloud provider? When your cloud provider subcontracts out the services they are providing to you, you don't know anything about the subcontractor. You have not performed any due diligence on them, and they do not have any contractual obligations to you. It is not a comfortable feeling to know that the data for which you are responsible is in the hands of an unknown party. Protect against this scenario by inserting a provision in the agreement that prohibits the cloud vendor from using subcontractors, or at least requires that you be advised of the use and identity of any subcontractors. If you don't like the subcontractor, you should be able to get out of the agreement without penalty.
Do you know where your data is? It may not be where you think it is.
The cloud vendor's office might be in the same town as you, but the servers that house your data could be in another town, another state or even another country. The data is subject to the laws in the jurisdiction in which it is located. If the cloud vendor has servers in the United Kingdom, you could be subject to the security and privacy laws of the U.K., without even knowing it.
You can prevent this situation by using the agreement to require that the vendor keep your data on servers in a particular location or jurisdiction. While you are at it, don't let the cloud vendor commingle your data with the data of their other customers. Use the agreement to require the vendor to keep your data segregated from their own data and the data of others.
Lastly, nothing gives you peace of mind like a good, hefty insurance policy. In this case, not your insurance, but the cloud vendor's insurance. The agreement should require the vendor to maintain a certain level of insurance. Push to have your property named as an additional insured on the policy. This way, if something happens and the cloud vendor cannot cover the fallout, you might get some protection under the policy.
Cloud vendor agreements are far from boilerplate. It is worth taking the time to make sure certain provisions are included to make the agreement work to your benefit.
Richard Sheinis is a partner in the data security and privacy group at Hall Booth Smith, PC in Atlanta. He is a certified international privacy professional (CIPP-US), and can be reached at (404) 954-6954 or rsheinis@hallboothsmith.com. Follow him on Twitter: @SheinisCyberLaw.
©2013 Hospitality Upgrade