Published Autumn 2011
As many of you will know, cloud computing is an up-and-coming alternative method of providing access to IT infrastructure and services to clients.
Cloud computing involves the supplier or “cloud provider”, offering IT facilities through the Internet or the “cloud” infrastructure. Such facilities and infrastructure normally includes the provision of remote platforms and/or user/sector specific applications, storage and/or online support services.
If you are considering providing your software, infrastructure or platforms to your clients via the cloud, you should consider our top ten legal issues concerning cloud computing before you proceed on this basis.
Top Ten Legal issues concerning the Cloud
- Minimum requirements
The selling point of the cloud is that it offers flexible IT resources usually on a pay-as-you-use basis with clients only paying for the capacity and services they require as and when they need them. That said, you should consider whether you will require a minimum monthly payment for the provision of your cloud services from clients and/or whether any under-use or over-use will be credited or debited from future invoices on a month-by-month basis.
- Flexible IT resources
Another main advantage with the cloud in the current economic climate is that the IT resources your clients’ businesses require can be increased or decreased immediately according to their business needs, without clients having to predict their future IT requirements months in advance. However, you
should consider how much notice you require if your client wishes to change its requirements and to what extent you should be contractually obliged to meet their new requirements taking into account your processing and storage capacity. You also need to ensure your agreement with your client contains adequate provisions to vary fees and/or services.
- Liability for service failure
Theoretically the cloud should be a robust service but no IT service is ever 100% free from the possibility of there being downtime or service availability issues and the IT infrastructure in the cloud is no exception. Downtime may have a significant impact on your clients’ businesses and the cloud provider could be exposed to significant losses. Therefore cloud providers should consider including a variety of exclusions of liability, in particular in relation to liability to clients disruption to business and loss of profits.
- Service level agreements
Careful consideration needs to be given as to whether you are prepared to offer minimum service levels of up-time and whether any credits will be given if service levels are not met. Although the client may have redress against the cloud provider in such circumstances, i.e. reductions in monthly payments, it should be borne in mind that this may not be adequate or appropriate in light of a client’s business requirement. Do customers need to use the service 24/7 or just in working hours? It is also worth considering whether service levels can be agreed at all, as any amount of downtime may be business critical to your clients. Typically, scheduled downtime perhaps at certain “off peak” times of day is excluded from any service level obligation.
- Clients’ liability
It is common for cloud providers to require IP and data integrity warranties and indemnities from clients on the basis that clients’ data uploaded to the cloud should not breach a third party’s intellectual property or data protection rights. Clients should also be under a strict obligation to keep passwords secure and take steps to avoid any unauthorised access to the cloud.
- Data Protection
The very nature of the cloud raises questions regarding data protection and security. You should consider whether the cloud services being offered involve the transfer and storing of data outside the UK. Any such transferring, processing and storing of personal data must comply with the Data Protection Act 1998, particularly if data is to be transferred to or stored in a country outside the European Economic Area. If data is stored in a different jurisdiction, it may be subject to local laws which can in certain circumstances allow such data to be accessed for reasons of national security.
- Control of Data
Inherent in the use of the cloud is that an element of control over data passes to the cloud provider. Clients may require detailed provisions placing strict limitations on the cloud provider regarding use of and access to such data. Ownership of all data should remain with the client. You need to consider what is to happen to the data if a client wishes to terminate your services and go to an alternative cloud provider. Data should be returned immediately but in reality there may be a delay if, for example, the new provider’s systems are not compatible with yours. Who is to pay for any additional work that may be required to make such data/services compatible? What is to happen if a solution cannot be found and will you provide a run-on service in the interim?
- Delay and Third Party Comms
The benefit of cloud computing and remote access from any computer to services or data may also be its burden as it relies on good communication links and problems with connectivity or networks can cause delays. Therefore, easy access to services and/or data is not always guaranteed due to failures outside the cloud provider’s reasonable control. Such matters should be excluded from the cloud provider’s responsibility so that the cloud provider does not accept liability for such delays and any resulting losses suffered by the client.
If your cloud service relates to your proprietary software, the ownership of such software is important. Where the cloud provider is the owner, then the client will be granted a licence to use such software as part of the cloud service. The scope and restrictions placed in such licences are very important as they will often in themselves define the business model by which a cloud service is deployed. If the software is owned by a third party, then you must ensure you have the right to sublicense and provide the software to the client as part of the cloud services.
- A green service
Cloud computing may enhance a business’s corporate social responsibility as it is seen as environmentally friendly. Cloud computing is a modern development, as are the systems used to provide the services and therefore, through the use of the cloud, a business could reduce its carbon footprint.
Cloud computing is a relatively new concept and is likely to take some time to evolve and develop standard practices. Therefore, if you are considering providing cloud computing services, it is important to have a detailed contract in place with your clients that takes into account the practicalities and realities of providing cloud services.