Cloud services offer many innovative solutions to business problems, yet business cloud adoption is hindered by unacceptable terms and conditions (T&Cs). For example, inspector generals at 19 agencies recently evaluated the government's cloud computing efforts and reported that all 77 cloud contracts reviewed lacked the detailed specifications recommended in federal cloud computing guidelines and best practices documentation. Lawyers can help speed adoption of business cloud services if they “just say no” to unacceptable T&Cs in order to encourage cloud service providers (CSPs) to develop standard T&Cs that fairly address the business and legal needs of both the CSP and cloud customer.
Let's start with some of the “show-stoppers” for cloud customers contained in many current cloud T&Cs, such as failure to adequately address data privacy, security, indemnity, warranty and third-party supply chain issues. Lawyers: Don't accept T&C provisions that grant the CSP a right to use the customer's data for purposes unrelated to the cloud services (such as mining the customer's data for the CSP's own benefit or that of third parties). Rather, require the CSP restrict use of customer data and keep it private.
Also, address the big issue of cybersecurity. With everyone from the president to virtually every state focused on data protection and cybersecurity, insist that CSPs migrate from T&Cs that include simplistic and vague assurances about using “reasonable security” or “industry standard” security practices to specific independent security standards. If working with business clients in areas such as education, healthcare or finance, require T&Cs that specifically address industry-specific regulations. CSPs can help expedite T&C negotiations by incorporating regularly requested security provisions with customer access to the audit results and notice of any security or data breaches.
CSPs rarely include indemnification provisions benefitting the customer. Such protections are essential in several areas, including infringement of third-party IP rights, data breaches and unauthorized data disclosure. These matters are generally within the CSP's exclusive control and are costly to defend and remedy. CSPs are unfairly shifting risks that the CSPs control to customers and are effectively making their customers act as their insurance companies. CSPs can further cloud adoption by developing standard T&Cs with appropriately scoped indemnities.
Business customers often select cloud services based on marketing materials and sales presentations. However, most T&Cs do not include the specifications and performance assurances described in the marketing materials, but instead include unreasonably broad disclaimers of warranties, effectively negating the sales presentation materials in some cases. At a minimum, T&Cs should include standard warranties stating that the cloud services do not infringe on third party IP rights and that the services will perform in accordance with the advertised specifications (which themselves should be attached to the T&Cs). Without these warranties, customers lack an enforceable assurance that the cloud service will perform as advertised or that the CSP even has a right to provide such services.
CSPs need to be transparent about their cloud supply chain. Cloud customers are often surprised to learn that many CSPs rely on third parties for all or a part of the CSP's cloud services. Currently, many T&Cs grant CSPs broad subcontracting rights and often seek to absolve CSPs from or transfer liability to the third party, an entity with whom the customer has no privity of contract. Lawyers should insist on T&Cs that hold CSPs responsible for the actions of their third party subcontractors.
The T&C provisions described above are not intended as an exhaustive list of cloud contract issues but highlight how CSPs could expedite deployment of cloud services by adopting standard T&Cs that reasonably address the needs of their customers. If lawyers and their business clients stand together to advocate for legally sufficient cloud T&Cs, lawyers can help speed adoption of cloud services.