Legal and Commercial Issues of a Cloud Service
Alex Kirkhope / Dominic Higham
11 October 2011
Introductions and themes
Service specification and service levels
Rights, liabilities and remedies
Standard terms
Data protection issues
Dispute readiness
11 October 2011Cloud Computing - BCS 2
Defining Cloud Computing
“a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
National Institute of Standards and Technology (NIST)
Software as a Service
Infrastructure as a Service
Platform as a Service
The business drivers
• cost effective
• scalable / dealing with spikes
• easy to install
• standard service offering
• integrated maintenance
• avoids supplier lock in (?)
Legal Issues
• Service specification and levels
• Contractual rights, remedies and liabilities
• Control over data
• Data privacy
Service specification / service levels
As with any outsourcing arrangement... be clear about what you are getting:
• basic service features
• application features
• business continuity
• availability / response times / downtime
• helpdesk support
• charging structure: utility based? fixed fee?
• performance monitoring: recompense if 'below par'?
Rights, remedies and liabilities
Terms almost always 'non-negotiable':
• supplier unwilling to take on risk
• liability capped at very low levels and 'direct loss' tightly defined
• rare to see service credit regime
• service provided 'as is'
• if you don't like it simply walk away
As customer you will be expected to:
• pay on time
• sign & indemnify the 'acceptable user policy'
• understand limited commitments around the service
Screen shots - GoogleApps
Standard –v- negotiated terms
Standard terms:
• low liability limits
• reduced rights in case of data loss, downtime, etc.
• typically, more keenly priced
• customer loss –v- provider's business
Negotiated terms:
• chance to gain better protection
• subject to bargaining position
Limitations of Liability - AWS
11. Limitations of Liability
WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH: (A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY OBLIGATIONS UNDER THE SLAS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A PORTION OF THE SERVICES FOR ANY REASON, INCLUDING AS A RESULT OF POWER OUTAGES, SYSTEM FAILURES OR OTHER INTERRUPTIONS; (B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (c) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR (D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, OUR AND OUR AFFILIATES’ AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS PRECEDING THE CLAIM.
Challenging the standard terms
What is the Unfair Contract Terms Act 1977?
UCTA - Guidelines for Application of Reasonableness Test include:
(a) the strength of the bargaining positions of the parties relative to each other, taking into account (among other things) alternative means by which the customer’s requirements could have been met;
(b) whether the customer … had an opportunity of entering into a similar contract with other persons, but without having a similar term;
Case law
St Albans v ICL
Watford Electronics v Sanderson, 2001:
“Where experienced businessmen representing substantial companies of equal bargaining power negotiate an agreement, they may be taken to have had regard to the matters known to them. They should, in my view be taken to be the best judge of the commercial fairness of the agreement which they have made; including the fairness of each of the terms in that agreement. They should be taken to be the best judge on the question whether the terms of the agreement are reasonable. The court should not assume that either is likely to commit his company to an agreement which he thinks is unfair, or which he thinks includes unreasonable terms. Unless satisfied that one party has, in effect, taken unfair advantage of the other – or that a term is so unreasonable that it cannot properly have been understood or considered - the court should not interfere.”
Termination for breach/cause
More important in longer-term arrangements
Termination for Cause by Either Party
Either party may terminate this Agreement for cause upon [30/10/7] days advance notice to the other party if there is any material default or breach of this Agreement by the other party, unless the defaulting party has cured the material default or breach within the ## day notice period.
Material Breach?
There is no commonly accepted definition of "material breach". Where a contract is expressed to be terminable for material breach and no definition is included the courts will look at all the surrounding circumstances. Key points include:
• the intention of the parties. Did they intend to give the non-breaching party the right to terminate?;
• the nature of the contract and the obligations involved;
• what the breach consists of and how it impacts on the innocent party;
• the circumstances in which the breach arises including any explanation given;
• was the breach accidental or intentional?; and
• the consequences for the breaching party if the breach is material. This is less important than the impact of the breach on the non-breaching party.
Contrast termination for repudiatory breach
What is the effect of this contractual position?
Data ownership
If you put data in the Cloud, understand:
• who may be able to access it: strength of confidentiality / security undertakings offered
• commitments provided on exit / transition: how easy would it be to transfer to another provider
• would you be prepared to put your crown jewels there?
Data privacy
Data Protection Act 1998: if you put personal data in the cloud you have responsibility as a data controller…
• to be satisfied that adequate measures are in place to protect confidentiality and security of data against unauthorised loss, damage, destruction, etc.
• to prevent the data from being processed outside Europe unless further legal protections are in place
It is not good enough to simply rely on the 'good word' of a supplier.
ICO (and FSA if you are FSA regulated) take a strict approach to enforcement:
• Zurich fined £2.4m for failing to undertake adequate due diligence when allowing customer data to be outsourced to South Africa.
Data loss
Data loss remains high profile – NHS, HMRC, Deloitte, MoD, banks and financial institutions
Consequences:
• fines
• criminal sanction
• undertakings
• reputation
• claims
• management time and money dealing with claims
ICO
What will the ICO look at?
• circumstances of breach
• the response to the loss
• steps to mitigate
• adequacy of procedures, standards, encryption
Steps to take:
• investigate, assess, contain
• inform regulators and/or public – deal with publicity
• prevent recurrence and remedy underlying issues
Personal Information Online Code of Practice: pragmatic approach but will want to see risk analysis done.
Cloud and outsourcing are not the only source of data loss risk
Contract management and dispute readiness
• material breach and repudiatory breach
• dispute approach
  - contract management – service of notices etc.
  - discussions – open and without prejudice
  - escalation procedures
  - documents
  - witnesses
• business continuity - exit and transition and future provision of services
Conclusions
Cloud computing is growing rapidly
Attractive as a commercial / business proposition
There are risks: understand before proceeding
Go in 'eyes wide open'
Any questions or comments?