Most people are by now familiar with the concept of 'cloud computing'. In simple terms, cloud computing is scalable computing power (software, platform, or infrastructure) as-a-service over the internet, deployed over the 'public cloud', a 'private cloud', or somewhere in between ('hybrid cloud'). However, we are currently seeing an uptake of cloud services in both the public and private sectors as never seen before. Organisations across the world are increasingly looking into the cloud as a means of mitigating the time, cost and risk of purchasing, supporting and maintaining IT solutions. This may take the form of using cloud-based Infrastructure-as-a-Service as a cheaper alternative to their in-house data storage infrastructure, or moving from on-premise software licences to a cloud-based Software-as-a-Service for key applications. Higher education institutions in Australia are no exception.
There are many advantages to using the cloud, but the main attraction to a prospective customer is the reduced capital expenditure which would otherwise be payable, and the ability to shift responsibility for the administration and management of the relevant software, function or storage requirements to the provider. However, there is a raft of factors that a customer should consider so that the ascent into the cloud is as smooth and, more importantly, as secure as possible.
Using the cloud for data storage, software applications or other IT needs can be cost effective and can alleviate the burden of running the technology in-house. However, there are risks associated with this. A key consideration in determining whether the cloud is appropriate will be the nature of the customer's data that may be stored in the cloud or processed by the cloud provider or its software. There is often no guarantee that the provider will use data centres in Australia, so data may well go off-shore. In certain cases, moving to the cloud may not be appropriate, and could expose the customer to risks in terms of the security and privacy of that data, especially if the information is classified as personal or sensitive and subject to Australian privacy legislation. Customers should be aware of the types of data they are dealing with in order to make an assessment as to whether the cloud is the best place for it.
Before any agreement for cloud services is entered into, a customer (including, ideally, its legal counsel, management and risk management team) should conduct due diligence into the provider to determine whether, in light of the types of data the customer holds, and which will be stored in the cloud, the provider is suitable. This should include an investigation of the provider's:
Due to cloud services being a highly commoditised offering, which relies on high volumes of customers in order to provide relatively low-cost services, a customer's ability to negotiate the terms of their contract with a provider can be limited. Depending on the provider, contracts may be standard-form, which will be heavily provider-biased. Accordingly, customers should be conscious of this and ensure that they employ stringent contract review procedures to assess their risks and vulnerabilities under the contract. In particular, customers should scrutinise the service descriptions and service levels described in a contract, in order to be comfortable with what is actually being provided, and to what degree.
A contract for cloud services will describe service levels which specify the provider's 'commitments' regarding service availability and potentially other performance measures (such as problem resolution time). These service levels are used to measure the provider's performance of the cloud services, and will usually also provide for a process for the notification and resolution of service outages and disruptions. Crucially, in many instances, service levels will be expressed as 'targets', or the provider will have no more than a reasonable endeavours obligation to meet service levels, meaning, in either case, that the customer is unlikely to have any real remedy for service level failures. However, it is worth noting that many of the big cloud providers do have excellent performance records in terms of service availability.
Customers should also pay attention to the exceptions to these service levels, as well as the circumstances which will excuse the provider from performing its obligations. If service level provisions can be negotiated, these circumstances should be limited to things that are entirely out of the provider's control. In addition, customers should know their rights under the contract in relation to eligibility for service credits in the event of a service level default. Often, service credits will, if paid or accrued to the customer (which is not usually automatic – customers may have to 'claim' service credits), be stated to be the customer's sole remedy for the service level failure. This should only be a sole financial remedy: it is important that customers consider the worst case scenario – service availability so bad that the cloud service is effectively useless – and bake into the contract a right of termination where service availability falls below a certain level repeatedly or for an extended period.
Whether or not the liability position in a contract can be negotiated, which will often depend on the bargaining strength of the customer and the size of the deal, it should be understood by the customer so that an informed decision can be made going into the relationship. Key considerations are:
It is also important for the customer to try and determine whether or not the provider is insured sufficiently to compensate for any liabilities it has under a contract. Whilst this should not be an issue when contracting with the global, established cloud players, for local or start-up cloud providers, insurance obligations should, wherever possible, be included in the contract.
Being subject to Australian privacy legislation, higher education institutions must ensure that they continue to be compliant with privacy laws notwithstanding moving personal information into the cloud, especially if the provider plans to host the customer's data offshore. In this, due diligence is key, and the customer needs to ask pertinent questions such as: Where will my data be sent and processed? Can the movement of data be controlled? Can the data in the cloud be encrypted? How will my data be stored and backed up? Who has access to that data in the cloud – only the provider, or also the provider's sub-contractors or any third parties?
It is crucial that customers make every effort to secure amendments to a provider's standard terms if these do not offer adequate protection. Importantly, if it is not already present as a contractual term, customers should include in the agreement with the provider an obligation for the provider to comply with Australian privacy laws. Restrictions must also be imposed over how and for what purposes the provider can access and use the customer data. Further, if data is to go offshore, whilst there is no blanket prohibition on transborder data flows under privacy laws, there are a number of requirements that must be met for this to be acceptable.
Finally, for proposed cloud projects or engagements which will involve a significant amount of personal or sensitive information (for example, health-related information) it may be necessary for the customer to conduct a privacy impact assessment at a very early stage to formulate solutions as to how all privacy concerns can be addressed and risks mitigated.
Australia finally looks set to have new national mandatory notification laws for data breaches. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced to the House of Representatives by the Federal Attorney-General on 19 October 2016 and read for the second time. It can be expected that the Bill will progress to the Senate, and the passage of this Bill does seem more certain in the current environment and the rationale persuasive. In any case, regardless of mandatory notification obligations under law, once a customer's data is moved to the cloud, the customer will want to be informed, and quickly, of any actual or potential data breach affecting the provider's systems.
Consequently, the customer should ensure that its contract for cloud services provides for clear and unequivocal obligations on the provider to notify the customer of any data breach within a short period of time after it occurs so that the customer can take appropriate measures. We have seen a huge variation between providers as to what is offered in this space, and this is often a difficult point for negotiation. However, given the long-lasting and critical damage, including reputational, an organisation can suffer from a data breach, it is certainly a battle worth fighting with the provider.
Implicit in engaging a provider to store a customer's data is the fact that the customer will relinquish a degree of control over that data. Therefore, it is important to understand the terms on which the provider is able to access or use the customer's data. As noted above, this should only be for very limited purposes (e.g. as necessary for support and maintenance of the cloud offering), and not for any other purpose except as expressly authorised by the customer.
Moreover, if a provider engages third parties to carry out its obligations under a contract, for example, as a 'data processor', then customers should be aware of the access rights, and the obligations and prohibitions to which those third parties are subject (which should ideally be no less stringent than those to which the provider is subject under the contract).
Customers should also review whether there are any security obligations in the contract with the provider. In reality, an established cloud provider's data security measures (both physical and logical) will likely be far more sophisticated than those of the customer when the relevant data was stored in-house. However, appropriate contractual provisions should be included. Further, if the provider, as part of its 'sales pitch', has provided details of its security accreditations (for example, Australian Signals Directorate (ASD) accreditation under its "IRAP" scheme), then an obligation should be included on the provider to maintain this accreditation throughout the term.
Under a cloud service contract, the provider is the custodian of the customer's data, but customers should ensure that the contract does not provide for any transfer of ownership of that data or any intellectual property rights in it. This should not usually prove controversial, but when contracting on the provider's standard terms, it is worth checking that the provider acquires no ownership of, or interest in, the customer's data.
Other than in respect of data, IP issues usually take a 'back seat' on cloud contracts. There will not usually be any bespoke services or developments for the customer, and the provider will seek to retain ownership in its products and services. However, if the service also includes the provision of third party-owned IP (for example, additional third party software), then this will often be subject to separate terms, which should always be reviewed (if not negotiated) by the customer.
It is important that the contract contemplates the termination of the relationship and sets out the termination rights of both parties. In scalable, flexible cloud offerings (for example, some services offered by AWS), the customer will usually be able to terminate for convenience at relatively short notice. But this can be a double-edged sword, with the provider having, at least on paper (it may never be exercised), an equivalent right. Most cloud agreements will contain some rights for the customer to terminate for cause, but, again, these will be a matter for negotiation if they are overly restrictive or do not provide adequate means of getting out of the contract if the provider's performance or breach of the contract merits it.
In any case, the customer should resist any form of immediate termination by the provider, and insist upon termination rights which contain a notice period sufficient to allow the customer to arrange for alternative provision of cloud services by another provider.
Although the provisions of the contract as to how the cloud services will be provided are extremely important, so too is what happens at the end of the relationship. A customer must understand what the process is for the return of its data, or for the transition of that data to another provider, on the termination or expiry of the contract.
Customers should not assume that providers will be as keen to help them move their data back as they were to take the data in the first place. Parties should mitigate this risk by agreeing an exit process which deals with this specifically. This process should include consideration of the parties' obligations at the end of the relationship, timing for the return of the data (ideally it should be retained and be available for export for a short period following termination or expiry), the format of that data, and whether or not there will be compatibility issues with the return of data in circumstances where the customer's storage infrastructure or applications have become obsolete since the data was moved to the cloud.
If the data is being migrated to another provider instead of being returned to the customer, then the provider should be obliged to help the customer achieve this in order to maintain business continuity, even if, as is likely in most cases, the provider would seek to charge for that assistance.