Businesses have been urged to double check their cloud computing contracts for unfair terms.
Research by Queen Mary University of London has revealed that a high proportion of cloud computing contracts contain clauses that could leave customers liable for failures by their supplier.
In an interview with Computer Weekly, Christopher Millard, professor of privacy and information law, said many clauses were so extreme they would be unenforceable in UK law.
“We have found attempts, usually by American cloud suppliers, to not only deny that they have any liability for any damage that might be caused, but sometimes they even try to shift liability to the customer,” he said.
The university’s cloud legal project has identified common clauses, in a wide range of both off-the-shelf and negotiated cloud contracts, that should raise red flags for businesses.
Top 5 unfair cloud computing terms
1. Exclusions and limitations of liability
The service provider takes no liability if data is lost or damaged.
2. Unsuitable service level agreements
Cloud suppliers offer impressive-sounding guarantees for service levels, but in practice service availability levels are not the only consideration. If a failure occurs at the most critical time for the business, having a service that is 99.999% reliable is of little consolation.
3. Security and privacy
Cloud services may not comply with European data protection laws or industry regulations, which may require data to be stored in the European Union. It is not always obvious where data is stored in the cloud.
4. Contract lock-ins
Businesses may be in danger of becoming locked in to cloud services once they sign up. Although businesses may be able to retrieve their data, they may not be easily able to recover the surrounding metadata they need to bring the service back in-house. Changing cloud providers can be particularly difficult when cloud platforms become heavily customised.
5. Changing features
Cloud service providers often have the right to change service features unilaterally, sometimes without giving businesses notice of the changes.
The most frequent include attempts by suppliers not to take liability for failures, service level agreements that do not match the needs of the business, incompatibility with EU data protection rules, and the right of suppliers to change service features without notice (see box).
Under the radar
Unfair terms frequently slip into contracts unnoticed when departmental managers sign up to low-cost cloud services without going through the normal procurement processes.
“Cloud services get quickly ramped-up, and they start putting live data on it, and then by the time the normal risk control people in the organisation hear about it, they may already be doing stuff that has significant potential consequences,” said Millard.
He advises businesses to put processes in place to monitor the take-up of cloud services, but without introducing so much bureaucracy that businesses lose agility.
“You have to be a bit pragmatic because you don’t want to lose the benefits of cloud in terms of speed of deployment, scalability and price, and so on,” he said.
It is important to ask whether the cloud service provider provides the cloud service directly, or subcontracts to a third party.
Where is your data
Frequently cloud service providers subcontract their services to third parties, who may or may not be able to deliver the service levels promised.
“You have to ask what the arrangements are behind the scenes with the people they depend on,” said Millard.
In the past, cloud service providers offered standard contracts on a take-it-or-leave-it basis, but a growing number are willing to negotiate individual terms and conditions, particularly for large contracts.
“There has been a sea change,” said Millard.
Negotiate with cloud providers
He advises CIOs to discuss terms and conditions with cloud service providers and to make sure they meet business needs.
“You don’t need to introduce cumbersome processes and delays that characterise typical outsourcing deals,” he said.
“But you still need to be asking questions about where my data is going to end up, who controls it, can I get it back, and can third parties get access to it,” he said.