In most cloud engagements these days, it is not only the customer’s data that is in the cloud, but also many key parts of the vendor contract as well. That is, the average cloud vendor today generally places several key areas of the contract in the cloud (e.g., service level standards, security measures, support obligations, service descriptions, etc.). In some instances, the entire contract is in the cloud. What this means is that these key contract provisions or the entire contract “floats” in the cloud and can be changed at any time by the vendor, frequently without notice to the customer. Even if the customer is given notice, in many cases, the customer has no right to object to the changes.
Think of it this way: the customer is being asked to irrevocably commit to purchase a service, but most of the key factors defining the usefulness and value of that service are not fixed. The customer is bound by the contract, but the vendor is not.
It used to be that a contract consisted of a base agreement (i.e., the terms and conditions) and one or more exhibits. Sadly, those days are long gone. Today, more and more agreements consist of some brief general terms and conditions that reference various online terms provided through URLs, which can change at any time. The trend started in the telecom industry many years ago and quickly spread to almost every form of vendor agreement. It is a particularly common phenomenon in the cloud services industry.
The challenges of these types of “floating” contracts are numerous:
The trend is alarming. Unless businesses are vigilant and aggressively push back on these types of agreements, they will be placing themselves at considerable risk. Negotiating these agreements can be extremely difficult. There are three basic approaches to mitigating risk (listed in decreasing order of protection for the customer):
Of course, termination is not a panacea. If the contract involves substantial transition time or start-up costs (e.g., implementation fees), termination rights could mean forfeiture of the customer’s investment in going live with the service. In such cases, it may be possible to negotiate some form of prorated refund of start-up costs if the customer exercises its termination rights because a key element of the service has changed.
Long-term contracts should also be avoided. Rather, the use of shorter initial terms with the right to renew for additional one-year periods is generally preferred.
The point is to be cautious. We frequently refer to these types of engagements as “career enders” for the business or technical manager who champions the contract only to find out services are largely as-is and can change at any time.
This article was written by Partner Mike Overly and was originally published on his blog, Crossroads of Cybersecurity and the Law, which is hosted by CSO. CSO, from IDG, provides news, analysis and research on a range of security and risk management topics. Areas of focus include information security, data protection, social media security, social engineering, security awareness, business continuity and more.