By: Matt Neely & Greg Stein
Partner, SecureState

Recently, while working with a client on an assessment, we ran into an issue with their cloud provider. The client requested an annual Penetration Test on their environment that is hosted with a large cloud provider. SecureState has routinely provided this report for our client; however, this year, the cloud provider changed their Terms of Service agreement. The hosting provider no longer allowed outside vendors to scan the environment. Instead, they offered a vendor of their choosing to perform penetration tests and would provide the report to the client.

Changes within terms of service are becoming more prevalent. As with any agreement, it is important to understand what your rights are. SecureState works with experts in the area and contacted Greg Stein, an attorney in the Intellectual Property Group of Ulmer & Berne LLP. Greg focuses his practice on counseling clients on data privacy and security laws and negotiating technology transactions. We asked Greg to explain the importance of contracts with cloud providers. Below is his response:

A cloud environment is an extension of a company's internal infrastructure. Although companies are outsourcing capabilities to cloud providers, that does not necessarily shift responsibility for liability from the customer to the provider for the management of the stored data. Accordingly, a company that uses a cloud service provider must seek to assess the service in the same way that it would analyze its own internal structure because it needs to be confident that a cloud service provider can adequately protect its data.

The contract between the cloud provider and a customer establishes the terms of the relationship. For this reason, it is critical to read the contract before signing it. Do not assume that the contract includes some protection that you discussed with a sales representative or that it includes features mentioned on the corporate website. For example, a contract may be silent about whether a third party can perform an assessment of the cloud facilities. If the contract does not expressly provide that a customer has a right to perform a third-party assessment of the facilities, a provider may refuse to permit such an assessment.

Below are a few of the issues you want to consider when reviewing an agreement with a cloud provider:

  • Limitation of Liability - Determine whether there is a cap on the cloud provider's liability and assess whether it is reasonable. Are there any exceptions to that cap? Think about the potential damage that can arise from a relationship with a cloud provider. The risks vary depending on the type of cloud service and the data that is being stored. Storing a database with protected health information involves different levels of risk than storing a database with users’ favorite colors.
  • Indemnification and Defense - There are often provisions that require one party to indemnify (i.e., compensate the other party) for a loss and defend that party in litigation. Under the contract, is one party indemnifying and defending the other party? In what circumstances? It is important to understand these provisions and whether they are reasonable because they affect the parties' total risk in the relationship.
  • Security Protections - If a customer wants the ability for a third party to perform a security assessment or to review documentation related to a security breach, those provisions should be included in the terms of a contract. In the absence of negotiating those rights up front, a cloud provider may push back on these issues down the road when the issues arise.
  • Representations and Warranties - If there is an important aspect of the cloud service provider's offering, it should be included in the contract. If the provider uses a certain type of encryption and that was an important part of the reason that a customer chose the particular provider or service, the contract should require the provider to continue to use that type of encryption.

Not all cloud service provider agreements will be negotiable. It will depend on the circumstances. When a customer is not able to negotiate a cloud agreement, understanding the terms of the agreement is equally important because it will allow a customer to mitigate the risk to the extent possible. If a cloud service provider is only liable for $100 of damages no matter what happens, a customer may buy insurance to cover the risk, only store the least sensitive types of data, or opt to find a different provider. The key is that by reading a contract a customer will understand the customer's potential risk of using a cloud service and will not be caught off guard with unexpected surprises.