Legal Issues in the Cloud: Exploring Business Continuity, Liability and SLA-related Issues

As for the vendors, they need to develop a process for dealing with e-discovery requests and should provide notice to their customers promptly (within hours, not days) of any subpoena or other legal process seeking access to the customer’s data. Vendors may also need to provide the customer with access to its logs and reports to verify the security, integrity and chain of custody of the customer’s data.

Service Level Agreements and Business Continuity Issues
There may be little room to negotiate service level agreements (SLAs) with cloud service providers. Of course, a cloud customer wants high service levels, but the cloud customer also needs to pay attention to the definition of uptime and a service level breach, and any exceptions to the measurement of uptime. For example, in a recent cloud services agreement I negotiated, the contract included certain typical exceptions to uptime measurement, such as planned maintenance, but the cloud service vendor also tried to include a general exception for 150 minutes of downtime per week.

Vendors typically try to make credits the sole and exclusive remedy for failures to meet agreed-upon service levels. It is sometimes difficult to get vendor to move on this, so cloud customers should try to negotiate the right to terminate the agreement if some level of severe or repeated service level breaches is reached.

The cloud-computing environment raises business continuity issues in that the more dependent a company is on cloud services and the more mission critical systems are in the cloud, the more vulnerable the company is to business interruption issues. In a well-publicized incident earlier this year, Amazon’s cloud services were out for two days, causing problems for many companies using its services. Also, in the past few months, both Google and Microsoft 365 reported suffering outages. Cloud customers should do diligence on and be familiar with the cloud vendor’s disaster recovery or business continuity plan (BCP).

Many non-cloud contracts contain a force majeure clause, which provides that a party will not be liable for a default under the contract for acts of “God.” However, these clauses require new attention in the cloud environment. For example, Google Apps Premier Online Agreement provides that Google will not be liable for “inadequate performance to the extent caused by a condition (for example, natural disaster, act of war or terrorism, riot, labor condition, governmental action, and Internet disturbance) that was beyond the party’s reasonable control.” One of the reasons, though, that many cloud customers go to the cloud is to reduce their vulnerability to such disasters. Cloud customers should review force majeure clauses carefully, particularly the list of possible force majeure events, to be sure they are appropriate for the cloud environment. The customer should also be sure that the force majeure clause only applies if the vendor has followed its BCP.

Liability Issues
Many cloud services contracts limits the vendor’s liability; however, the damages disclaimed by vendors (e.g., loss of content or damages due to inability to use the services) are often precisely the types of damages a cloud customer is likely to incur if there is a problem with the service. It is very difficult to get a cloud vendor to change these provisions, though a cloud customer might be able to get the vendor to increase the cap on direct damages. The customer could also try to remove certain types of damages from the exclusions, such as loss of data, which is particularly important when the cloud vendor has complete control over the data and its backup.

Subcontractor Issues
Many cloud vendors subcontract with other entities. For example, in the SaaS environment, a third party often hosts the software vendor’s programs. The issues discussed above are complicated by the cloud vendor’s use of subcontractors. Will the subcontractor allow access to the customer’s data? Can the subcontractor comply with a litigation hold? For jurisdictional issues, where is the subcontractor located?

If there is a dispute between the customer and the cloud vendor, the vendor may try to shift liability to the subcontractor and the customer may not have the right to bring an action directly against the subcontractor. Some customers try entering into direct contractual relationships with the subcontractor. For instance, in the SaaS scenario, the customer might enter into an agreement with the SaaS vendor and also with the hosting service used by the SaaS vendor.

Cloud customers should conduct diligence to confirm that, if the cloud vendor uses subcontractors, what those subcontractors provide. Then, the customer must perform the same diligence on the subcontractor as discussed above. The customer should also review the contract with the cloud vendor to be sure that the customer can have access to and control over its data held by a subcontractor, and that the vendor remains liable for acts or omissions of a subcontractor. If a vendor has the right to change subcontractors, it could be difficult to get the vendor to agree to give the customer the right to approve of such changes, but, again, it might be possible to get the vendor to provide the customer with notice of the change and the right to terminate if the customer objects to the new subcontractor.

The cloud-computing environment provides many advantages; however, it also presents new and complicated legal issues. Cloud service providers need to consider not only the laws and regulations that apply to it, but also those that apply to its customers. Cloud customers, in turn, need to conduct appropriate diligence on potential cloud services providers and they should carefully review with their legal counsel the contracts to provide cloud services.