The cloud has some unique legal considerations and even risks that are important and often overlooked. It’s a mysterious business for non-lawyers with its own terminology. We talk some about legal issues in Learning Tree’s Cloud Security Essentials course.
Let’s start with representations and warranties. A representation is a statement of fact about the past or present. A warranty is a promise about the future. A breach of warranty — that is, a failure to fulfill a promise in the service level agreement or SLA — may lead to a remedy whose value is limited by the SLA terms. This remedy is typically a service credit. What about your SLA? Is the credit just a token amount, or is it significant enough to deter the cloud provider from breaching the SLA promise?
An indemnity is a contractual obligation of one party to compensate the other party for a loss. It goes beyond simple compensation or reparation: its broader legal meaning is that the other party must be “made whole again” if the contractually specified event occurs.
Here’s where it starts getting scary.
We know that “cloud sprawl” or “shadow IT” is happening. This is what happens when management makes an end-run around the IT department and purchases cloud services on their own. Corporate or agency data moves to the cloud, and not only is it outside the control of IT and corporate information assurance groups, but it is completely below their radar. Your data is silently leaking into the cloud, where it very likely is not being protected as it should be.
To whom is the warranty promised in this situation, and to whom would the indemnification be made?
It gets worse.
The SLA will address suspension and termination of service. What happens when that shadow IT renegade fails to pay the bill, perhaps through simple oversight or misrouting of notices? Whom does the cloud vendor notify, and how, when the agreement is breached in this way? Under the terms of the agreement, is the customer given an opportunity to remedy the violation? For example, is there a grace period in which your data is still accessible while they scramble to make up the missed payment, or is your data locked down? If your data is effectively seized until back payment is made, how can the corporation or agency step in, make things right, and get the data back, and how long will this take?
When you move data to the cloud the right way, you get your legal department involved along with the information assurance people. You verify that this is the right legal and business approach, in addition to ensuring that the data will be protected. Cloud sprawl or shadow IT happens when reckless decisions are driven by the attractively low costs and immediate gratification of cloud services.
We information technology people aren’t lawyers, but sometimes we need their help!