Enterprises that store data with cloud providers may no longer have physical control over it, but they're still on the hook legally for its protection and security.
Knowing what goes into a SaaS contract -- and the risks associated with what's not included -- can mean the difference between a costly lawsuit or a successful partnership, according to technology attorney Milton Petersen.
[ Get all the cloud security info you need with InfoWorld's "Cloud Security Deep Dive," and stay on top of the cloud with InfoWorld's "Cloud Computing Deep Dive" special report. | From Amazon to Windows Azure, see how the elite 8 public clouds compare in InfoWorld Test Center's review. | For the latest news and happenings, subscribe to the Cloud Computing Report newsletter. ]
Petersen, a partner in the information technology practice group at the law firm of Hunter, Maclean, Exley & Dunn in Savannah, GA, spoke at SNW in Orlando this week.
The two most important words to look for in a vendor contract are "vendor shall," Peterson said. Terms like "we'll strive to," "our goals," "targets," and "objectives" should raise red flags for users as they offer no concrete guarantees and give the vendor legal wiggle room.
Cloud computing contracts also tend to be more commoditized today, compared with big outsourcing deals that once involved heavy negotiations carried out over days.
"It used to be that a customer could negotiate a lot of protections in," Petersen said. "To some extent ... [now], you have to take contract terms they're offering."
Questions to ask
Users should be aware of a cloud provider's implementation process -- how your company's data will be ingested into their cloud infrastructure. Things to consider include whether there will be a lot of work converting your data into their format, or whether they're simply starting with fresh data at the point the contract is signed. Will the data be encrypted? If not, are there data breach notification laws in the state or country where it will be stored?
Users should be aware of a cloud provider's implementation process -- how your company's data will be ingested into their cloud infrastructure. Things to consider include whether there will be a lot of work converting your data into their format, or whether they're simply starting with fresh data at the point the contract is signed. Will the data be encrypted? If not, are there data breach notification laws in the state or country where it will be stored?
Most states now have such laws, Petersen said.
It's also better if you have time to check out a vendor and see how the technology works and whether it does what it's supposed to, Petersen said.
Among the more important nuances of a cloud contract is how your company will end the pact and transition data out of the cloud, either back into a private data center to a new cloud provider.
If your data is no longer in a format your company natively uses, you'll want to be sure it's in some type of industry standard format that will make it easy to convert or use.
"Make sure you're not held hostage where they charge you an exorbitant fee for getting your data back," Petersen said. "Also, look for some kind of cooperation and assistance from the vendor in getting your data out. [And] make sure there's an agreement around what they can or cannot destroy."
It's particularly important to know whether a vendor plans to destroy data after a certain time, particularly if that data has the potential to be used in litigation with a client and might be placed into a legal hold status.
