In Part I of this series, we introduced the topic of Cloud services contracts and highlighted the challenges being faced by organisations with regards to contract terms and conditions; some of the issues compounded by the lack of adequate industry standards concerning Cloud services contracts. This second part of the series, will look into some key contractual areas that if not addressed adequately, can weaken terms and conditions of Cloud services contracts. Analysis of Cloud services contracts in the market reveals there are considerable gaps in the terms and conditions that suppliers present to clients, including some of the following: Security Many of the Cloud providers have invested in significant improvements in security and some argue that there are clear security advantages with a Cloud environment when compared with some traditional on premise environments. While the technology of Cloud continues to mature in this regard, there remain some fundamental questions that need to be asked by organisations contemplating Cloud services: Will the supplier provide solid guarantees around their security posture and clarify where the boundaries of responsibility for security sit as between the Cloud provider and the client organisation? Does the security clauses use terms like “reasonable” or “appropriate” steps or measures, or does the supplier guarantee adherence to standards such as the relevant ISO standards for security? Whilst the Cloud supplier may be able to demonstrate an environment that meets stringent global standards for security, will the provider guarantee compliance with local compliance standards and regulations? Data breaches While the Australian Government continues to debate the issue, there is a distinct possibility that mandatory data breach notification will eventually become law in Australia; and with it the responsibility of organisations to inform the Australian Information Commissioner whenever there is a breach or misuse of customer data. However, some organisations are already proactive in adopting best practice by informing other key stakeholders including their customers, partners and shareholders about a serious data breach. Although decisions on how to respond to a data breach incident are generally made on a case-by-case basis, recent cases involving Medvet, Sony and Telstra have all demonstrated that best practice requires notification of affected individuals when significant data breaches occur. Therefore organisations contemplating storing sensitive data with any external service provider should be asking questions such as: Does the supplier provide clauses for notification of data breach and how much transparency is built in? Service levels Many of the Cloud services agreements provide for a maximum amount of downtime and should this ever be exceeded during the month then some providers will include provision for the application of ‘service credits’ against the monthly charges as compensation for the downtime. However, these are typically capped – often to a maximum percentage of the total monthly cost for the Cloud service. These conditions will lead to a range of questions that should be asked including: Does the agreement bind the supplier to a maximum amount of downtime and who is responsible for monitoring the length of each downtime and reporting when the maximum aggregate downtime period is exceeded? What types of downtime are excluded, such as ‘scheduled downtime’, what is included in this and what is the maximum amount of scheduled downtime allowable? What are the arrangements around restitution and service credits? Does the agreement provide committed service levels around performance and availability? Organisations will need to consider that compensation for downtime is often limited to service credits, with most service providers refusing to offer any greater compensation arrangements. For example a high-demand e-commerce web site that goes down during a peak period, such as when a ‘sale’ is on, may cost the organisation considerably more than the value of the monthly service charge. Also to be considered by organisations are scenarios where applications are running, but running poorly through issues such as bandwidth overload or latency issues. These periods may not be considered as downtime by the provider but can be equally as disruptive on the business. Data sovereignty and privacy Each country has jurisdiction over the data that is being hosted within its borders, along with the data hosted outside of its borders. This jurisdiction extends to companies that are originally incorporated in a particular country, for example US-based companies like Microsoft and AWS, which means that customer data in their Australian data centres are subject to US laws, including the Patriot Act. The US also has mutual legal assistance (MLA) treaties with many other countries, which make it easier for these governments to gather and exchange information for criminal investigations. This has all sorts of ramifications for Australian organisations who have responsibilities within their own jurisdiction – for example to notify their customers when their data has been accessed by a third party. It further leads to important questions, such as: Does the supplier guarantee any level of compliance to Australian Privacy provisions and is the supplier bound to foreign laws such as the US Patriot Act (and others)? Further considerations and concluding thoughts around Cloud service contracts will be discussed in Part III. Did you miss any of our previous Deloitte Source Point blog posts? Read them here.