The Legal Issues Are Somewhat Cloudy in the Cloud: A Primer for Lawyers on Cloud Computing

By Roy E. Hadley, Jr. and John L. Watkins [1. Roy E. Hadley, Jr. and John L. Watkins are both Partners in the Atlanta office of Barnes & Thornburg, LLP and co-lead the Firm’s Cloud Computing and Cyber-Security Team. Hadley practices in the Business Department and advises clients regarding data security, data breach and privacy issues. Watkins practices in the Litigation Department, and handles cases involving trade secrets and confidential information, as well as insurance coverage. Watkins also advises business clients on contracts and terms and conditions.]

"Cloud computing" has become a very hot topic. For the uninitiated, "cloud computing" generally refers to providing access to computer software through an Internet browser, with the software and data stored at a remote location at a "data center" or "server farm," instead of on the computer's hard drive or on a server located on the user's premises. This is also sometimes referred to "software as a service."

Proponents of this approach claim many benefits, including lower costs, less need for on-site support and "scalability." "Scalability" means that the number of licenses and available resources can easily be adjusted as the need increases. Access can typically be provided to any computer with a browser and an Internet connection, but can be controlled through password protection and other measures. Proponents also argue that the cloud makes it easier to manage and push down software upgrades. Software as a service is usually provided on a fee for service approach that may result in cost savings compared to the traditional local area network. Think of it as somewhat like renting as opposed to owning.

The Cloud is Here Now

Cloud computing is not a technology of the future, but is here today. Google, for example, uses this approach to provide its suite of business applications intended to compete with Microsoft Office. Google applications are provided free or at very little cost. Salesforce.com is one of the best known providers, providing customer relationship management ("CRM") software to a growing list of companies. IBM, Microsoft and Amazon, among many others, are also entering the playing field.

There appears to be little doubt that cloud computing is here to stay, and that it may indeed represent the future of information technology. There are many advantages and potential advantages to the cloud computing model.  For example, software is managed and upgraded off-site. Hardware costs are lower because all that is needed to access the system is an Internet connection and browser.  Buying and constantly upgrading servers and other hardware is said to be unnecessary.  The need for a large IT staff is diminished. Cloud providers also represent that they provide higher levels of security and uptime than typical networks. In short, it is argued that cloud computing provides the next generation of IT resources through a platform that is cheaper, scalable and more easily managed than local networks.

The Technical Side of the Cloud

That said, from a technical and legal perspective, cloud computing raises a host of issues. As a lawyer advising clients on cloud computing issues, an understanding of these issues is essential to being able to provide meaningful advice and counsel.  Perhaps foremost on most clients’ mind is the question "What happens if they lose my data?" The answers provided by many cloud vendors focus on technical concerns (such as the back-up procedures) and not legal issues.

Technical issues are important, and there are certainly technical safeguards that a client might want to consider, such as maintaining a back-up on site, or a back-up through a separate vendor. These approaches might provide some real practical protection in the event of a catastrophic failure or bankruptcy at the primary provider.  On the other hand, if a client adopts such procedures, the costs may rise. Clients will carefully need to weigh the costs and benefits of whatever solutions they implement.

Other technical issues might focus on what happens when the relationship ends, whether happily or not. Is there another vendor that can provide the software and host the data? Will data have to be converted to a different format? If the customer decides to switch back to a local area network, will the terminals that have been used for cloud computing (which usually can be very basic "low powered" machines) be of any use, or will a completely new network need to be installed?

Clouds Come in Many Different Shapes and Sizes

When clients ask you to help them with a “cloud computing” issue, the first thing you need to understand is what type of “cloud computing’ is the client talking about. Generally speaking, there are three basic types of cloud computing structures, each with different issues and considerations.

The first type of structure is cloud software as a service, which is usually referred to as SaaS.  Under this model, the client would use the vendor’s applications running on a cloud infrastructure.  These services are usually interfaced through a “thin client” such as a web browser. The end user has little control over the software’s parameters other than some minor configuration settings.

The second type of structure is cloud platform as a service, or PaaS.  Here, the client has the capability to deploy onto the cloud infrastructure client-created or otherwise acquired applications.  These applications are usually developed using tools or programming languages that are supported by the infrastructure vendor. The client has control over the applications and potentially some configuration control.  Generally, under both SaaS and PaaS models, the client has no control over the network, servers, storage or operating systems.

The third main structure is cloud infrastructure as a service, or IaaS.  Under this scenario, the underlying computing and network infrastructure is provided to the client.  The client usually controls applications, processing, storage, networks and other resources.  The client can often run software and applications of its choosing.

Generally speaking, based upon which structure is being considered by clients, the technical and legal issues will be specific to that structure. However, with that said, a core group of considerations will have to be addressed by you and your client when considering implementation of a cloud computing solution.

Legal Issues Begin to Rain Down from the Cloud

Clients usually look into cloud computing solutions to trim costs and expenses and gain efficiencies.  However, the reality is that these benefits may not materialize or other issues may arise that essentially take away any cost savings or efficiencies. It is important for clients to remember that “things happen” and no matter how carefully worded a contract may be, unforeseen issues may arise.

From a legal standpoint, cloud computing appears to raise a host of essentially contractual issues to be addressed by the parties' contract or licensing arrangements. There are also potential regulatory issues (ranging from privacy to export control issues), e-discovery issues, and certainly other issues that have not been thought of yet due to the still relatively recent, if widespread, adoption of cloud computing initiatives by businesses.

As businesses and their lawyers become more experienced with cloud computing platforms and issues, it is likely that a consensus will emerge about how cloud computing issues will be addressed. Hopefully, purveyors of cloud computing services will be flexible and reasonable in addressing legitimate business concerns. However, given the prevalence of "standard" licensing in the software field (often on a shrink-wrap or click-wrap basis) and efforts to limit liability under any circumstances, there is some cause for pessimism.

There is also the practical reality that the ability to obtain meaningful modification to a provider’s standard terms and conditions depends on what type of cloud services or infrastructure the client desires to implement. If, for example, a small client wishes to switch to Google’s free or low cost suite of office applications, the client is almost surely going to have to accept Google’s standard terms. If, on the other hand, a client is going to spend millions of dollars with a cloud provider, then it should be possible to negotiate the contractual provisions.

It is also important to consider the client’s industry and risk profile. For example, clients in the healthcare and financial services industries are subject to regulatory requirements and risks that must be considered in utilizing any kind of cloud-based architecture. Such issues are beyond the scope of this general article, but will represent one of the great challenges as clients in these industries move to the cloud. Companies with high-risk profiles and that are regularly involved in litigation also need to consider how adopting cloud architecture could affect access to information.

Regardless of whether the model is SaaS, PaaS, or IaaS, the following are some basic issues that you should consider when advising clients with respect to cloud computing arrangements:

  • What contractual obligations will the vendor assume with respect to protecting data? This could include reference to particular steps and procedures, including back-up obligations. The contract or license may specify a standard of care that the provider must meet.
  • What contractual obligations will the vendor assume regarding uptime, if any? Will the vendor provide any type of uptime warranty? Even if such a warranty is subject to a limited remedy, it would provide some incentive for the provider to limit downtime.
  • Most providers seem savvy enough to disclaim any interest in your data and will freely say -- in a sales setting anyway -- that "your data is your data." Well, that's good, but how does a client physically get their data back at the end of the contract period or if the vendor goes bankrupt? Of course, this issue may be affected (and mitigated) by the back-up procedures adopted.
  • What remedy limitations, if any, are in the vendor’s terms and conditions? Are consequential damages excluded? Are total damages capped (such as to a return of fees paid)? Even if contractual obligations are assumed, if remedies are severely limited, the provider may be shielded from liability.
  • Where is the client’s data going to be stored? Is the vendor willing to agree that all of the client’s data will be kept in this location under specified conditions and at agreed security levels? This could be important for regulatory reasons, but also for reasons associated with meeting general customer confidentiality obligations or complying with privacy policies.
  • Is there a forum selection clause in the terms and conditions? Many providers want to insist on litigating on their home turf (which often, it seems, is a state other than where the client is located), but that is rarely a happy instance for the client.
  • How does the client get out of this arrangement if the vendor does not perform and what is the client’s exit strategy? What rights does the client have upon termination? What obligations does the vendor have to assist in transitioning to a new vendor or back to a self-managed platform?

Don’t Forget About Data Security

Additionally, inherent in the adoption of any arrangement where a company’s data is entrusted to someone else is the issue of data security.  Whether it is malware, hacking, insider malfeasance, espionage, viruses and trojans, data breaches, or the ignorance of the many threats, all companies’ data is increasingly at risk and under attack.  While all threats and risks cannot be eliminated, they can be mitigated through proper policies, procedures and legal diligence.

One of the stated benefits of cloud computing by vendors is the ability to eliminate many of the above-mentioned risks because the vendor will be able to respond to issues and attacks in a real-time manner, either through updates or intervention.  From a legal prospective, however, you will need to contractually ascertain what the vendor will actually be providing and whether that will be sufficient given the client’s circumstances and business.

Don’t Forget About Trade Secrets

Many clients protect their most important intellectual property as trade secrets, instead of managing an extensive patent portfolio. Many types of information can potentially qualify for trade secret protection, including customer lists, business plans, technical specifications, financial information, programs and secret formulas. Under Georgia law, to qualify as a trade secret, the information must have actual or potential economic value and must not be generally known or readily ascertainable by others who can obtain economic value from it. In addition, the information must be subject to reasonable efforts to maintain its secrecy.

If a client is considering storing trade secret information in the cloud, it should consider the potential risks of doing so. Although it is difficult to predict how courts will react to trade secret claims based on information stored in cloud-based systems, a key factor will likely be the steps taken to maintain the secrecy of the information. Courts will likely inquire into whether the cloud provider has access to the data and whether it is bound to maintain the secrecy of such data. Other inquiries will focus on who from the client is permitted to have access to the information, password protection, and other security measures, much as in cases involving information stored on local networks.

It is possible that a cloud based provider may be able to demonstrate a higher level of security than that used in a client’s local area network. Much of the inquiry will focus on the particular architecture used. Nevertheless, because cloud-based technology is relatively new, clients with trade secret information should pay careful attention to documenting the security of the system before moving such important information to a cloud-based application.

Don’t Forget About E-Discovery

In 2006, the Federal Rules of Civil Procedure were amended to provide specific provisions for electronically-stored information (“ESI”).  Although discovery of ESI was permitted before the 2006 Amendments, the Amendments focused attention on e-discovery. Volumes have been written about e-discovery, and comprehensive review of e-discovery issues is beyond the scope of this article.  It is important to note, however, that the adoption of cloud-based technologies may raise new e-discovery issues.

In general, Federal Rule of Civil Procedure 26(b)(2)(B) distinguishes between ESI that is reasonably accessible and ESI that is not.  ESI that is not reasonably accessible does not have to be produced initially, but may be ordered to be produced on a showing of good cause. If a court orders the discovery of ESI that is not reasonably accessible, it may also order the party seeking the information to pay for some or all of the cost of obtaining it.

Courts have reached somewhat differing conclusions regarding the production of ESI. In general, however, courts will order the production of relevant information that is within a party’s possession, custody or control. It is difficult to predict how courts will react to the discovery of ESI that is in the possession of a cloud vendor and arguments about whether some or all of that information is (or is not) reasonably accessible. Of course, each case will largely depend upon the particular circumstances. Companies should not assume, however, that, because they have chosen to use a cloud-based vendor, their information will not be subject to discovery.

Clients, particularly those that face litigation on a routine basis, will want to consider adding provisions to their cloud services contract regarding discovery of ESI. Such provisions should govern access to the data and assistance from the vendor in the event of discovery requests.

Clients who adopt cloud-based technologies but are unable to respond to e-discovery requests, or unable to do so in a timely manner, run the risk of sanctions in litigation. Some courts have imposed substantial sanctions, so the risk is real.

Into the Cloud We Fly

As stated earlier, cloud computing is here to stay – at least until whatever new computing innovations may succeed it.  As more and more clients hear the siren song of cloud computing, namely lower costs and greater efficiencies, you will be increasingly called upon to provide advice and counsel in this multi-dimensional area. If you have clients that are considering going to the cloud, you should attempt to educate them early in the process regarding the potential risks and related mitigation strategies that the client might employ.

From the practitioner’s standpoint, you should stay abreast of the latest developments in cloud computing as many issues have yet to be identified. As matters begin to be litigated and as the case law develops, hopefully, the legal issues should begin to become more clear and settled.  Until then, lawyers need to begin considering these issues, because cloud computing is not likely to be going away anytime soon. Enjoy the flight!

Trends in Outsourcing Emerging From the Great Recession

By Diana J.P. McKenzie and Matthew C. Henderson [1. Diana J.P. McKenzie, Partner and Chair, Information Technology and Outsourcing Practice Group, Hunter, Maclean, Exley, and Dunn, P.C.,  dmckenzie@huntermaclean.com; and Matthew C. Henderson, Counsel, Information Technology and Outsourcing Practice Group, Hunter, Maclean, Exley, and Dunn, P.C., mhenderson@huntermaclean.com.] Approximately ninety percent of companies cut costs in 2009.[2. Pricewaterhouse Coopers 13th Annual Global CEO Survey] In the midst of a global recession, who could blame them?  In many cases, it was the cost of survival.  Outsourcing providers hoped for a surge.  In their view, what better way to cut costs than to outsource non-core business functions?  Outsourcing providers were disappointed.  Instead of a surge, many companies put outsourcing plans on hold and re-negotiated existing contracts with outsourcing providers at lower prices, in exchange for contract extensions and other trade-offs, such as adjustments to service levels.

Increased Contract Renegotiations

Over half of the companies in the outsourcing market saw increased contract renegotiations in 2009, primarily caused by the recession.[3. A dozen danger signs that your outsourcing contract is on the rocks] Information technology outsourcing (ITO) started the year slowly, but finished strong, with $56 billion in total contract value, and the strongest fourth quarter since 2003.[4. The TPI Index: An Informed View of the State of the Global Commercial Outsourcing Market Fourth Quarter and Full-year of 2009] Business process outsourcing (BPO), however, ended the year with a total contract value of $18.5 billion, the lowest since 2001.[Id.] Most industry commentators attribute the disparity between ITO and BPO in 2009 to the traditional ability to cut costs more quickly through ITO than BPO.  Despite the dismal performance of BPO in 2009, industry consultant Technology Partners International (“TPI”) reports that the market hit bottom and turned up in the second half of 2009.[Id.]

Other sources seem to support TPI’s conclusion.  A survey by consultant Gartner found that over 85 % of companies plan to maintain or increase their spending with outsourcing providers, with the vast majority of those surveyed believing the economy has recovered or will do so in 2010.[7. Gartner Survey Shows 85 Percent of Organizations Anticipate Spending on External Service Providers Will Increase or Stay the Same When Economy Recovers] Also, though cost-cutting remains a top-five priority, companies are shifting their focus from cost cutting to revenue growth.[8 Mark Raskino and Jorge Lopes, Early Findings From the 2010 Gartner CEO and Business Executive Survey (Dec. 9, 2010), available at  http://www.gartner.com/DisplayDocument?id=1250218.] Many outsourcing providers hope that outsourcing plans put on hold the last couple of years will come to fruition in 2010 and 2011, especially with regard to BPO.  In addition, approximately 422 outsourcing contracts worth a total of $15 billion will be up for renewal this year, which is 40% higher than 2009.[9. TPI, The TPI Index: An Informed View of the State of the Global Commercial Outsourcing Market Fourth Quarter and Full-year of 2009] Many of those are large contracts that will likely be broken up into smaller deals.  The trend in 2010 seems to be toward a higher volume of contracts for smaller contract values, with shorter turn-around times.  Also, with signs of an improving economy, buyers that have not renegotiated existing contracts may be racing to do so, as the window may be closing on opportunities to renegotiate existing contracts for better pricing.

Lessons Learned

So what have we learned from this recession?  How has it impacted existing outsourcing arrangements and how will it impact future outsourcing arrangements?

Buyers have been trending toward reasonably-priced service providers that specialize in providing specific services.  In some cases, this has led to multisourcing.  Of course, larger providers have reacted by increasing their menu of available services, by either developing expertise in-house or, more commonly, by purchasing smaller companies that have already developed the requisite expertise.  With larger providers, buyers tend to enter a master agreement with schedules for the various specific outsourced services.

Buyers are also entering into negotiations with a better understanding of the potential that an outsourcing arrangement could fail.  In 2000, Dun & Bradstreet reported that twenty-five percent (25%) of outsourcing arrangements failed after two years, and fifty percent (50%) of them failed after five years.[10. Dun & Bradstreet Survey Finds 50 Percent of Outsourcing Relationships Worldwide Fail Within Five Years; Principal Cause is Poor Planning for New and Evolving Business Process, Business Wire (Feb. 24, 2000), available at http://findarticles.com/p/articles/mi_m0EIN/is_2000_Feb_24/ai_59591405.] The flip side of the realization of the likelihood that an arrangement may fail is the realization of the effort it takes to make an arrangement succeed.  Therefore, contracts are changing to require more substantive meetings and information exchange before bidding, during negotiations, during transition and implementation, and post-implementation.

In addition, buyers are planning for the potential that different regions of the world may emerge from the recession at different rates.  With the erosion of India’s dominance in the outsourcing industry over the last few years, buyers have more options in outsourcing destinations.  China, as many predicted, has been increasing its share of the outsourcing market through 2009 and into 2010.[11. Paige Holden and Dave Miranda, Competition and Government Regulation Challenge Tech Sector Funding, According to BDO CFO Survey (Feb. 16, 2010), available at http://www.bdo.com/news/pr/1269.] Likely supported by the rise of “nearshoring” in the United States, Latin America’s share is also increasing significantly.[12. Id.] The Philippines is rapidly gaining on India in the BPO market.[13. Living Smartly, Indian BPO Sector Loosing Market Share (Jan. 7, 2010), available at http://living-smartly.com/2010/01/indian-bpo-sector-loosing-market-share/]

The prevailing view on global economic recovery is probably that popularized by Sir Martin Sorrell of WPP, which holds that the world will emerge from the recession in a L-U-V-shaped recovery, with Europe rumbling along near the bottom of the recession for a little while, the United States emerging in a faster U-shaped curve, and Brazil, Russia, India, and China (and other less-developed nations) emerging in an even faster V-shaped curve.

Outsourcing Contract Clauses

The fact that economic recovery is so unpredictable and likely to be variable throughout the world requires contracts that can adjust to the circumstances.  Currency fluctuations alone could drastically affect outsourcing costs.  Contracts with multi-national vendors should include provisions allowing the buyer to transition its work to one of the provider’s offices in another nation at little or no cost.  Contracts should also contain carefully considered disentanglement and termination clauses.  Disentanglement clauses typically require providers to assist buyers in transitioning the outsourced functions in-house or to another provider.  Termination clauses typically allow either party to terminate for breach, and the buyer to terminate for convenience, with varying negotiated consequences.  Termination clauses also will usually include provisions that allow for termination in the event of a change in control, something that is particularly relevant given the recent consolidation and acquisition activity in the outsourcing industry, such as Xerox’s purchase of Affiliated Computer Services, Inc., Aon Corporation’s acquisition of Hewitt Associates, Inc., and PricewaterhouseCoopers, LLP’s purchase of Diamond Management & Technology Consultants, Inc.

Outsourcing contracts are also trending toward fewer service levels with more flexibility.  One popular trend is to allow buyers to re-distribute the financial weight allocated to each service level on an annual basis.  So, for example, an agreement with three service levels may have the following distribution in Year 1: Service Level 1 - 20%, Service Level 2 - 30%, and Service Level 3 - 50%.  At the end of the year, if the buyer decides it would be more prudent to focus on Service Levels 1 and 2, it may have the following distribution in Year 2:  Service Level 1 - 40%, Service Level 2 - 40%, and Service Level 3 - 20%.  Flexible contract clauses, such as those described above, allow buyers to adjust priorities for improved returns on their investments with providers.

A final item that is becoming more prevalent in the United States (and arguably throughout the world) that significantly impacts outsourcing contracts is increased regulation.  Who bears the risk of new laws and regulations implemented during the term of the outsourcing agreement?  Buyers should study the trends in their industries and carefully consider the potential for new laws and regulations that may affect their outsourcing contracts, then negotiate the allocation of risk for the cost of compliance in their agreements.

In sum, all indications point toward more outsourcing contracts in 2010 and 2011.  Hopefully, buyers and providers will enter these contracts with better perspectives gained through difficult economic struggles.  As the old proverb says, a smooth sea never made a skillful mariner.