Tuesday, June 12, 2012

Cloud Contracts – Data Protection

On the LinkedIn contracts group that I moderate (Contracts Questions and Answers) someone asked about liability for customer data in a cloud hosting agreement.

A customer has several primary concerns about their data. One is their own potential damages if the data were disclosed. A second is what their potential liability to third parties would be for information entrusted to the purchaser of the cloud service, e.g. Personal Data or Confidential Information. A third is where the data will be held, as laws protecting the data are very different around the world.

The difficulty the cloud host has is that they don't know, and won't try to identify, the nature of the data being hosted. A similar type of problem exists when computer disk drives are returned as defective. There, the disk manufacturer disclaims any liability for the data on the disk and requires that the disk come to them erased, and the first step in their process is to further erase the disk. Unfortunately, a cloud hosting business can't do that.

I think that:
1) The host service needs to make the customer responsible for identifying the type of data involved, as that could require hosting it on different servers with different levels of security. While you are simply holding it, customers will consider you responsible for managing its security.
2) You need to make it clear where it will be held so customers can determine whether they will accept the risks associated with having data stored in those locations. The simple fact is that not all locations provide the same protection.

When it comes to the liability of the cloud host, I would argue that there is an established precedent in a similar activity: escrow agent services. There the Custodian is liable only for willful failure to comply with the terms of the agreement, or for negligence, misconduct or fraud in the performance of its duties. This would require that the agreement describe how the cloud data will be managed and protected. Then, as long as you don't willfully fail to comply with those commitments, are not negligent, and have not committed fraud or misconduct, you wouldn't be liable for the data. Where the cloud host could still be potentially liable is if you made specific service level commitments for the hosting activity and failed to meet them.

I read a good article called Five Secrets your cloud provider won't tell you about multi-tenancy. The URL is:

Using Deductibles or Thresholds In Contracts

In negotiations of terms that have a cost or liability impact, the party that is being asked to assume the cost, risk or liability may resist having those start at the first indication of a problem. Contracts are not black or white; there are a lot of shades of grey in between. Nothing has to be all or none. Things that make sense for one period may not need to remain intact for the duration of the contract. Deductibles or thresholds are tools that can be used to trigger actions to apply the rights of the party to change. Here are a few examples:

With insurance and indemnity, a party may want you to provide a waiver of subrogation rights so that you or your insurance company cannot make a claim against them for their negligence. You could use a deductible or threshold to modify the waiver of subrogation commitment. For example, “the waiver of subrogation shall apply only for claims that are less than One Million Dollars. If the claim exceeds that amount, the waiver of subrogation no longer applies.”

In negotiation of epidemic defect liability, where you want to recover more of your costs than just having the item repaired or replaced under warranty, you may need to agree upon a threshold that must be met before the defects are considered “epidemic”. The threshold could be a percentage of the total quantity, a minimum quantity amount, or a mix of both percentage and quantity, such as 2% and a minimum of a hundred units, so that both thresholds must be met. When you negotiate a threshold, you are creating a deductible to the other party’s liability.

A band-width currency provision may be used for payments made to a supplier in a foreign currency. Band-width provisions have both upper and lower thresholds. As long as the exchange rate stays between the lower and upper threshold, the price remains the same.

If you make a commitment to purchase a specific quantity, you could have a deductible or threshold provide relief from that commitment. For example, if you placed orders for quantities and the supplier could not deliver, and you needed to purchase your needs from another supplier, your language in the commitment could have those quantities be counted toward meeting that commitment.

In negotiations when you are at an impasse, unless you absolutely can’t change and are prepared to walk away from the deal, always think about whether you can use a deductible or threshold. As a Rolling Stones lyric once said “you can’t always get what you want, but if you try sometimes you might find you get what you need.” Many times less is better than nothing.