Excerpt From Effective Cloud Negotiations—Tips and Best Practices
By Ted Claypoole* with research assistance by Taylor Ey**
III. Prioritize Needs
After all the stakeholders have spoken, the lawyer for a cloud customer should build a list of the client’s priorities. What are the must-have items? Are there any deal-breaker issues that would cause the client to walk away from the deal despite the effort sunk into negotiations? How much risk is the cloud customer willing to accept, and would a change in the vendor’s price affect the client’s risk tolerance? The lawyer can rank the client’s priorities into tiers, so that some terms may be traded for advantages in more important terms for the client.
What data and business processes will the client be placing in the cloud if the contract is executed? Are these processes vital to the client’s day-to-day operations? How long could the client’s business survive without the data and processes being managed under this cloud agreement? A month? A week? A day? By raising these practical matters, a lawyer can fight past a cloud customer’s short-term thinking and identify its true priorities. If the client’s business could only last a day without the information managed under this cloud agreement, then contingency planning and immediately accessible backup are priorities to be attained, even at great cost.
Is the data managed under the cloud contract sensitive enough that the client is concerned that a competitor may buy the cloud provider to receive a competitive advantage? If so, then the cloud provider should be willing to terminate the agreement without harm to the cloud customer if the cloud provider is purchased or controlled by any company on the customer’s shortlist of competitors. In addition, all cloud contracts should contain restrictions on what the cloud provider can do with the information that it hosts and manages, so that even upon the acquisition of the cloud provider by a competitor of the cloud customer, the cloud customer could sue if its data was used in any manner contrary to the contract.
Unless and until its lawyer asks the right questions and maps the client’s priorities, the cloud customer is not prepared to begin negotiations. The exercise of finding and listing the most important client priorities helps both the client and its lawyer expend their efforts in the right places, push for a better deal, and ultimately feel happier with the deal when the contract is executed.
. . . .
- Focus on the Real Security Risks
For nearly every small- to medium-sized client company, placing data with AWS, Microsoft Azure, or IBM Cloud provides much better protection from hacking attacks than the client’s own data center, which may consist of three servers in a basement. The big cloud providers spend many millions of dollars on data security each year, hire many of the best information protection professionals available, and work closely with governments across the world to anticipate and counter threats large and small. Most companies cannot come close to achieving this level of protection using on-premises storage. So, contrary to what many lawyers and their clients believe, wresting real data security promises from the large providers may not be difficult and extra-contractual language on levels of data security may not be substantially more protective of client information sent into these clouds. Fighting for every inch in this space can be a waste of everyone’s time.
Conversely, a cloud customer may devote insufficient attention to other problems that may arise when important business data leaves the customer’s hands, such as the risk that a cloud service provider may cease business or the risk that the cloud provider holds the customer’s data hostage at the end of a contract term. The cloud provider’s fiscal health is a more important issue than many customers believe. For decades, the adage “Nobody was ever fired for buying IBM” has assumed that the solidity and dominance of the larger technology organizations will serve as a protection against any sort of failure. And while the current solid financial status of a Google, Amazon, Microsoft, or IBM may be a foundation not worth questioning, many cloud providers do not boast such robust balance sheets. In addition, technology companies may merge or be acquired, moving a cloud customer’s business into an entirely different structure. Lawyers for cloud customers should at least raise the issue of business security because a failure of the cloud provider could shut down a cloud customer’s business.
More likely to cause trouble would be the end-of-term requirements built into a cloud contract. The cloud customer’s lawyer should insist not only on the safe return of the customer’s cloud-resident data, but that the data is returned in a short time frame, in a format usable by the cloud customer, and all at a reasonable cost. Remember that, generally speaking, when the cloud customer terminates a cloud agreement, the customer is not only repudiating the services of the cloud provider but is likely planning to patronize one of the provider’s rivals. Therefore, at the end of a cloud contract, the provider has no natural reason to accommodate the wishes of a terminating customer, and experience has demonstrated that many such providers chafe at requests for accommodation. The primary time in the relationship when a cloud provider wants to meet the customer’s wishes as much as possible is prior to initial commitment before the provider is holding the customer’s crown jewels on its servers. So a good attorney for a cloud customer will force the cloud provider to address the cloud customer’s termination needs in the initial contract. Otherwise, the cloud customer is left to the questionable mercies of the jilted provider upon termination for recovery of its important business data.
In addition, some cloud customers may perceive a security risk from the possibility of a government gaining access to the cloud customer’s data without notice. Clearly, this risk is unlikely to occur if the customer holds such sensitive data itself. However, when the data passes to a third party, then the data may be vulnerable to access, review, and analysis by a government actor that serves a “silent subpoena” on the cloud provider, forbidding the provider to give notice to its customer. This risk may not be negotiated away in many circumstances, so if the customer holds or creates data that it needs to shield from a government where the customer is resident, the customer may want to avoid placing that particular data in the cloud. Some cloud providers have tried a “passive solution” to address an order to allow government access to a cloud customer’s data without providing notice to the cloud customer. These companies keep a banner up on their websites that states that the provider has not been served with such an access notice and gag order. When served with such a notice, the company plans to remove the website banner, and any customer who checks can assume that the government has served a gag-ordered access request. While not perfect, and possibly not legal, this strategy can give the cloud customer some comfort.
In short, a narrow focus on hacking defenses misses the point of cloud risks to customer data. Several data risks exist in the cloud agreement, and the lawyer should be attuned to all of them.
* Partner, Womble Bond Dickinson
** Associate, Womble Bond Dickinson