There are many good reasons why companies are increasingly migrating parts of their information technology to cloud service providers (“CSPs”), including lower overhead costs, greater data accessibility and mobility, and more efficient disaster-recovery response. For cybersecurity, cloud solutions offer companies many benefits, such as full-time security monitoring and data encryption, but they also come with significant risks. Over the past year, several major U.S. companies have discovered that sensitive business and customer information stored in the cloud was publicly accessible because of security misconfigurations. In the first of a two-part blog post, we discuss ways that lawyers can use the contract negotiation process with CSPs to help maximize the benefits and reduce the risks of cloud migration. In Part 2, we will discuss post-contract monitoring, auditing, and cyber-event issues associated with cloud migration.
Negotiating a contract for cloud services can be tricky. CSPs often insist on using their standard form agreements, which can contain terms that are very favorable to the CSP. But companies should nevertheless carefully consider which provisions they can live with, and which need to be changed. Here are a few key provisions for consideration:
- Termination and effect of termination. CSP agreements often give the CSP at-will termination rights, with short notice periods or none at all. Depending on the complexity of the data storage arrangement and the portability of the data being stored, these provisions can be problematic if the CSP unilaterally elects to end the relationship and adequate replacement services are difficult to procure on short notice, or if migrating the data to a new storage location will take longer than the termination notice period. Companies should also confirm what happens to their data after termination, including how long it remains retrievable and when the CSP will delete it.
- Assignability/Change of control. CSP agreements may also contain anti-assignment and change-of-control provisions. Such provisions can impede future internal reorganizations or M&A activity by giving the CSP a consent right and the ability to terminate the data storage agreement upon the consummation of any such transaction. Although standard CSP services are generally replaceable, issues may nonetheless arise given the time and cost associated with moving data to a new CSP.
- Indemnification and limitations of liability. CSP agreements often subject the user to uncapped indemnities for claims arising out of the data stored by the CSP on the user’s behalf. In order to limit potential exposure under a CSP agreement, a company should push for a liability cap or try to limit the scope of matters subject to the indemnity.
- Security standards, risk allocation and auditing. Attention should be given to the data security representations, warranties, and covenants in a CSP agreement to ensure such provisions are commensurate with the nature of the data being stored, as well as with the expectations of any applicable regulators, which may include ongoing obligations to provide cybersecurity information. If practicable, lawyers should consider negotiating service-level agreements with the CSP to ensure that appropriate levels of data protection, audit rights, breach notification, and data availability will be provided. While CSPs may have more robust data security measures in place than some local data storage methods, they are also higher-profile targets for third-party attacks given the volume and nature of the data they hold, so in many cases data stored with a CSP may face increased risk notwithstanding the common view that cloud storage is safer than local storage. The agreement should also make clear which security controls remain the customer's responsibility under the CSP's shared responsibility model, since the CSP's own security measures do not prevent a misconfiguration on the customer's side from exposing data. Prior to entering into a CSP agreement, companies should ask for any recent data security audit reports or penetration test results and have them evaluated by knowledgeable security professionals.
- Geographic restrictions. Consider where the CSP stores data (including at any redundant sites) and understand the legal implications of storing data there. Data stored outside the United States may create risks not previously considered, such as additional regulatory obligations or complications of local law. For example, if a CSP stores customer data in a foreign country, the laws and regulations of that country may govern the data. Such laws may permit the local government to surveil or access data stored in its country, limit what data can be removed from the country, or shut down the applicable data center under certain circumstances.
As part of any cloud migration plan, careful consideration should be given to the various risks and how they can be mitigated by contractual terms, and, as we will discuss in Part 2, by regulatory engagement, security audits, penetration testing, and coordinated breach response practices.
The authors gratefully acknowledge the assistance of summer associates Oliver Kaufman and Corey Meyer in preparing this entry.