We've noticed that your computer is viewing this page in Internet Explorer 6 or earlier. Please upgrade to one of the following free internet browser applications for an optimal viewing experience: Internet Explorer (latest version) Firefox Safari

  1. T: 0845 351 9090
  2. E: .(JavaScript must be enabled to view this email address)

Resources

Latest IT law, outsourcing and e-commerce legal updates

Return to view all Resources

Cloud Computing - Legal & Business Issues (Part 2)

Posted 21st April 2011 by Jagvinder Kang, Director

Introduction

In the previous edition of the Technology Column, we started the focus on some of the business and legal issues associated with Cloud computing arrangements. We will be continuing the theme in this second instalment on the topic by focussing on:

  • service levels, service credits and liability arrangements;
  • business continuity and disaster recovery measures; and
  • term and termination rights of the respective contract.
Service Levels, Service Credits and Liability Arrangements

Service levels are usually a key requirement in a Cloud computing arrangement, as after all, if there is an outage in service provision, then that severe service disruption for the customer is more likely to have adverse business consequences in view of the nature of the Cloud model.

So it is important that appropriate service levels are put in place to ensure that both the service provider is capable of performing them, whilst the customer is comfortable that they meet its requirements. However, this in itself does not provide the full picture, as it is important to consider any caveats to the service levels (such as force majeure or planned outages for maintenance).

It is important to ensure that any caveats to service levels are commercially acceptable to both parties as well, so that from the service provider's perspective, it has the ability to maintain its systems and have some scope for guarding against outages from its third parties who may be involved in the service delivery, and from a customer's perspective, that the service is not far below the levels which it requires for its business purposes.

The service level arrangements also need to be measurable, taking into account the various interdependencies involved in the service delivery, with a large part of the communications' infrastructure being outside the ownership and control of the service provider. It will therefore be necessary to ensure that service levels can be measured in a meaningful and reliable manner (with the customer accepting that the service levels which the customer will actually experience will be lower, due to the third party communications' infrastructure and the customer's own infrastructure, both of which will have an impact on the receipt of the services).

Service levels 'without teeth' though, are of questionable value, as except in the most severe cases, parties are unlikely to get involved in litigation for breach of service levels. Therefore, liquidated damages by way of service credits, are another factor which must be considered and incorporated as felt appropriate by the parties, taking into account considerations of whether such remedies are sole and exclusive remedies or in addition to a customer's additional rights and remedies — the particular circumstances will obviously dictate which arrangements are most appropriate in each case.

This therefore neatly brings us to the issue of liability. The scope and level of liability that a service provider is willing to accept is going to be linked again to the model of Cloud computing which is being used — a bespoke Private Cloud model is more likely to yield a higher scope and level than a vanilla Public Cloud offering. This will again need to feed into the business considerations when contemplating the Cloud computing arrangements.

Business Continuity and Disaster Recovery Measures

Related to service levels, is the issue of business continuity and disaster recovery ("BC & DR"). Most service providers will be willing to share information with the customer in respect of the comfort which they can provide in this regard.

Depending upon the particular application of the Cloud computing model to a business, will normally dictate the level of due diligence that a customer will be seeking in this regard. For a particularly business critical arrangement, a customer may want the comfort of knowing that there are scheduled BC & DR tests for example, and may wish to participate in such tests or at the very least be notified of the results and actions arising from such tests. The Private Cloud —v- Public Cloud arrangements will again impact the visibility and input which a customer is likely to be afforded in respect of this.

However, irrespective of which model of Cloud computing is used, it is important to ensure that from a customer's perspective, the force majeure provisions in a contract do not undermine the comfort provided by the BC & DR, nor that the interaction between the contract's force majeure provisions and BC & DR provisions extend a supplier's obligations in respect of BC & DR wider than those arrangements which it has in place. Careful consideration is therefore required in respect of this.

Term and Termination Rights of the Respective Contract

Readers of the previous Technology Columns in respect of Cloud Computing will be aware that the term and termination rights in a contract will also be strongly influenced by the Cloud model — again a Public Cloud model, using shared infrastructure in a non-tailored manner amongst multiple clients, can have more flexibility from a contract duration and termination perspective, as the model will be more commoditised. However, move to a Private Cloud, and a Cloud service provider will wish to ensure that the term with the particular customer allows it to recoup its customer specific investment costs and margin.
So a Private Cloud arrangement is likely to have a longer term with more restricted termination rights, unless the service provider can obtain comfort through termination fees to provide it with adequate compensation to address a shorter term than was originally envisaged.

The consequences of termination also need to be considered, for example, from the perspective of data migration if the data is stored exclusively within the Cloud. This clearly will need to be addressed both by the contract, as well as by consideration of the actual migration process and data formats.

Final Thoughts

This and the previous Technology Column have provided some details in respect of some of the legal and business issues involved in Cloud arrangements, but they clearly are not exhaustive, as there will be other issues such as choice of law and jurisdiction, price fluctuations, TUPE, etc. However, the Technology Columns should give a flavour of some of the more Cloud specific issues from a business and legal perspective that need to be factored into the commercial and contractual discussions.

However, what should be evident from these Cloud themed Technology Columns, is that without an understanding of the underlying different Cloud models, parties are unlikely to have a smooth contract negotiation, as the constraints associated with the different models will have a corresponding effect on the contractual and business arrangements, which both parties must keep in mind. It is therefore important, that there are either: (1) appropriate compromises to reflect such constraints; or (2) comfort arrangements provided in another manner (eg termination costs, as has been discussed above) from a legal perspective, when the provisions being proposed are 'going against the grain' of the particular Cloud model.