Cloud solutions: The danger of 'floating' contracts

25 May 2017 CSO Publication
Authors: Michael R. Overly

Key contract provisions or the entire contract can be changed at any time by the vendor, frequently without notice to the customer.

In most cloud engagements these days, it is not only the customer's data that is in the cloud; many key parts of the vendor contract are there as well. That is, the average cloud vendor today places several key areas of the contract online (e.g., service level standards, security measures, support obligations, service descriptions). In some instances, the entire contract is online. What this means is that these key provisions, or the entire contract, "float" in the cloud and can be changed at any time by the vendor, frequently without notice to the customer. Even if the customer is given notice, in many cases it has no right to object to the changes.

Think of it this way: the customer is being asked to irrevocably commit to purchase a service, but most of the key factors defining the usefulness and value of that service are not fixed. The customer is bound by the contract, but the vendor is not.

It used to be that a contract consisted of a base agreement (i.e., the terms and conditions) and one or more exhibits. Sadly, those days are long gone. Today, more and more agreements consist of some brief general terms and conditions that reference various online terms provided through URLs, and the content at those URLs can change at any time. The trend started in the telecom industry many years ago and quickly spread to almost every form of vendor agreement. It is particularly common in the cloud services industry.

The challenges of these types of “floating” contracts are numerous:

  • They are presented on a more or less as-is basis, suggesting they are not susceptible to negotiation.
  • Key terms (support obligations, service levels, service descriptions, performance standards, etc.) can change at any time, generally without affirmative notice.
  • The customer has no ability to rely on having key functionality and performance available to it during the term of the contract.
  • Contractual protections, including service level credits, are generally minimal and afford the customer little real recourse.
  • The customer has little ability to terminate the agreement, even if key terms change to their disadvantage.

The trend is alarming. Unless businesses are vigilant and aggressively push back on these types of agreements, they will be placing themselves at considerable risk. Negotiating these agreements can be extremely difficult. There are three basic approaches to mitigating the risk (listed in decreasing order of protection for the customer):

  1.  Require the “floating” terms to be reduced to writing and attached to the agreement as actual, fixed exhibits. In this way, the terms cannot change without a formal amendment to the contract.
  2.  If the terms cannot be fixed and attached to the contract, include language that the vendor cannot materially decrease the overall levels of performance and functionality reflected in the floating terms as of the date the contract is signed. In this approach, the vendor is free to change the terms as it deems appropriate, but those changes cannot result in materially less performance or functionality during the term of the agreement.
  3.  If neither of the above approaches can be achieved, the customer must focus on clear termination rights for, at minimum, the following:
    1. Objective failure to achieve service levels. Since service level credits will likely be minimal and virtually impossible to collect, the approach should be to limit risk by negotiating objective termination rights (e.g., failure to achieve required service levels twice in any four-month period, or availability in any single month of less than 98%). Objective triggers matter because the customer must be able to prove them from its own records rather than argue about the vendor's reporting.
    2. If the overall terms of the engagement change because the content of one or more of the online portions of the agreement changes, the customer should have a clear termination right.
    3. Changes in the vendor’s financial wherewithal or ownership.
    4. Changes in applicable law or regulation (e.g., a new data security law requires vendors to maintain certain minimum security levels, but the vendor is unable to do so).

Of course, termination is not a panacea. If the contract involves substantial transition time or start-up costs (e.g., implementation fees), termination rights could mean forfeiture of the customer’s investment in going live with the service. In such cases, it may be possible to negotiate some form of prorated refund of start-up costs if the customer exercises its termination rights because a key element of the service has changed.

Long-term contracts should also be avoided. A shorter initial term with the right to renew for additional one-year periods is generally preferable.

The point is to be cautious. We frequently refer to these types of engagements as “career enders” for the business or technical manager who champions the contract only to find out services are largely as-is and can change at any time.

This article was written by Partner Mike Overly and was originally published on his blog, Crossroads of Cybersecurity and the Law, which is hosted by CSO. CSO, from IDG, provides news, analysis and research on a range of security and risk management topics. Areas of focus include information security, data protection, social media security, social engineering, security awareness, business continuity and more.
