Contracting for cloud computing services is not new—since 1964 businesses have relied on remote computing. Of course, 50 years ago the services were on mainframes and over telephone lines; today the cloud services are on servers across the Internet.
All kinds of businesses depend on cloud services, but departments often sign the cloud agreements without bothering to consult the organization's IT department, much less management. As a result, management may not realize the importance of the cloud contracts until the contract ends and the customer cannot get its data, or get the data in the format it expects.
To learn more about what to expect, I asked John Ansbach, general counsel of GDT (General Datatech)
Peter Vogel: Cloud services offer service level agreements, but this is somewhat confusing because the cloud contract is an agreement between the customer and provider. Can you explain what SLA means?
John Ansbach: Service level agreements are specific provisions set out in a master cloud contract between a cloud service provider and a customer that detail what will be provided, and the levels or metrics the CSP is required to attain when providing those services.
For instance, a commonly requested (but expensive) requirement is for a cloud availability level of 99.9 percent from 7 a.m to 7 p.m. during regular business days over any 30 day period. Some service level examples include turn-around time (which relates to how quickly your CSP responds to an issue), and recovery time objective (most commonly used with disaster recovery and data storage).
RTO relates to how quickly your CSP can get your environment back up and running. SLAs within a cloud contract will typically set out exactly what is required of the CSP, as well as what happens in the event the metrics are not met.
PV: Can customers pay a premium to get more frequent data backup or any higher levels of service?
JA: They certainly can, but the question is, “Should they?” Not every customer needs the most frequent data backup or the absolute highest level of any cloud specific performance metric.
When customers want cloud data backup, what they are really looking for is to minimize risk and provide for disaster recovery. To make that happen, vendors typically will work with clients to analyze their specific needs related to data security, cost competitiveness, and performance availability.
It is important for customers to know that options for fast and frequent backup certainly exist. Some CSPs offer low-cost storage—but with restricted access that can result in unexpected overall operational costs or even higher restore times. The most important thing to remember when considering whether to pay a premium for any higher level of cloud service is to work with someone who understands your specific needs and business, and can properly structure a contract and SLA that meets those needs within a cost-effective environment.
PV: If a customer migrates to another cloud provider, can the customer use the same software applications?
JA: At the risk of giving the typical attorney answer, the most accurate answer here is, “It depends.” Migration from one cloud to another, or from on-premise to a cloud, can be technically complex. If you are an attorney representing a client, it is essential to catalog or inventory what applications your client needs to ensure transfer over when they are selecting the new cloud provider. You will also need to get commitments up front from that the new provider and the migration service (if different) to be sure they can and will deliver the promised migration, including those apps (software applications). This is an important conversation that must take place early on in the process. Typically, it will be set out with specificity in a "Statement of Work" to provide your client with a measure of comfort. This also will help lawyers simplify the process for their clients.
PV: What kind of data security is available? Particularly for privacy requirements, such as the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act, for medical customers?
JA: Generally speaking, there are four tiers of data center design that allow for varying levels and degree of security. Tier 1 provides clients with site infrastructure that guarantees 99.671 percent availability and, among other things, includes components of non-redundant capacity.
On the other end of the spectrum, Tier 4 security provides everything that Tiers 1 to 3 provides to a client, as well as fault-tolerant site infrastructure with electrical power storage and distribution facilities that guarantee 99.995 percent availability and cooling equipment that is independently dual powered.
Because of HIPAA and HITECH, medical cloud customers generally are looking for the best, most cost-effective data security they can obtain, while also ensuring compliance. Currently there is no HIPAA and HITECH compliance "certification" available, but there is plenty of guidance available to enable and document compliance by following the principles of the mandates.
Lawyers should suggest that their clients look for vendors that meet their data security needs and are compliant with HIPPA and HITECH requirements. They should offer established administrative procedures, physical safeguards and technical safeguards that follow the HIPAA Final Security rule. This will help your clients meet the requirements to keep everyone's protected health information safe.
Cloud contract provisions should require the CSP to meet or exceed applicable regulatory requirements such as HIPAA and HITECH, and should further specifically require the CSP to indemnify the customer for failures to meet SLAs.
PV: Is attorney client privilege at risk on the cloud?
JA: It can be, but so far courts have not adopted a standard waiving the privilege for cloud-based communications, for example, cloud-based email services such as Gmail and Yahoo! Mail. Rather, where courts have examined the issue they seem to apply the same analysis as they would elsewhere asking whether or not the client could reasonably expect the communication to remain private.
There typically is no expectation of privacy and hence any privilege would be waived if the communications take place in the cloud using social media such as Facebook, or LinkedIn. However, the privilege may well remain intact if a Gmail private email account based in the cloud was password protected and maintained in a manner otherwise consistent with applicable policies (such as an employer’s email policy).
PV: Any advice about what team or personnel should collaborate on cloud contracts?
JA: Attorneys and technical folks must work closely together so that everyone is on the same page about what the client wants and expects from the CSP, especially in terms of service and support. Explore whether the providers' legal team works closely with technical specialists—including the product architects who specialize in software as a Service—and other hardware and system people to ensure that contracts are not only legally sound, but also technically correct and accurate. Clients should be sure that their lawyers understand and are comfortable with cloud technology, technology experts, and representatives of finance and management.
Peter Vogel is a partner at Gardere Wynne Sewell, based in Dallas. Email: pvogel@gardere.com.John Ansbach is general counsel of General Datatech, based in Dallas, Texas. Email: jansbach@gdt.com.
No comments:
Post a Comment