Cloud Providers Competing on Data Security & Privacy Contract Terms

I ran across an interesting article in PC World the other day concerning a head-to-head competition between Google Apps (Google's SaaS offering) and Microsoft's Office to provide certain day-to-day applications to the City of Los Angeles.  The end result of this competition is that Google will be providing Google Apps (SaaS) to the City of Los Angeles (including at a minimum Gmail, Google Calendar, Google Talk, Google Docs, etc.).  LA predicts that 60-80% of its staff will be able to use utilize those apps (LA reportedly is not forcing its staff to abandon Microsoft Office, but will not buy any new Office licenses) 

However, interesting from a legal and business point of view is the apparent importance of Google's contract terms in the City's decision to choose Google's Cloud over Microsoft's Office.

On that issue the PC World article reported the following:

Google moved early to make this a contest over which company offers the best contract terms and legal protections in cloud environments. The city of Los Angeles, which may be Google's marquee government user, has been frank in disclosing details of its agreement. By the end of June, Los Angeles expects to complete a transition of some 30,000 employees to Google Apps.

In a sense, Kevin Crawford, Los Angeles assistant director of IT, is Google's de facto public sector evangelist. He doesn't market Google directly, but he answers questions from many other local government and state officials who want specifics about the city's deal with Google. Indeed, at the SaaScon conference on cloud computing and software as a service here this week, Crawford has been peppered with questions about the contract terms.

Los Angeles has been frank about the contract, which includes unlimited damages for a data breach, provisions allowing audits, guarantees that the data remain in the contiguous 48 states, and penalties if Google's services are unavailable for any longer than five minutes a month.

The contract also gives the city the right to cancel its contract with Google "for convenience," Crawford said.

Moreover, the contract reportedly includes specific data security and privacy controls and requirements and "unlimited damages" if Google breaches confidentiality obligations:

Los Angeles spent months negotiating a contract with Google that includes a provision providing the city with unlimited damages if its nondisclosure agreement (NDA) is breached by Google, said Kevin Crawford, the assistant general manager of IT for Los Angeles and the person who is managing the transition. That clause aims to protect the city from a third party claim if personal data is release, said Crawford.

Crawford said the most important clause in the contract requires that Google to encrypt the city's data and break it into pieces when it is at rest so that no one can get their hands on a full file. If hacker somehow accesses a file, he will only see "a whole bunch of gibberish," Crawford said. The contract also bars Google from viewing any data without permission from the city.

Los Angeles data will be administered from inside LA's firewall by city staffers through an administrative console built by Google, said Crawford. "We have control of our portion of the data," he said.

Moreover, the data must remain on systems within the continental U.S. That can be verified via auditing by the city, Crawford added.

"We're going to have a more secure system then we have today," said Crawford, noting that Google personnel does more work on security "than we could ever afford to do."

The Information Law Group has previously discussed the importance of data security, privacy and compliance in the Cloud context.  This situation seems to validate the premise that Cloud providers are going to (and willing to) compete on these issues and the contract terms that relate to them. 

From the InfoLawGroup's own recent experience, data security and privacy terms (and associated indemnities and shifting of risk of loss) have become much more important in IT outsourcing arrangements (whether Cloud or "traditional").  Lately it seems that right after price and service description/promises, significant time, effort and expense are being expended drafting and negotiating data security and privacy terms.  In fact, because of the complexity of security and privacy, and associated laws, in InfoLawGroup's recent experience, these terms can take more time to settle out then more "basic" contract terms.  Overall, the key reality at this juncture is that there is significant financial risk associated with poor data security and privacy and related regulatory requirements.  In many cases, in terms of pure dollar amount this risk can dwarf the value of the contract (or the savings of the contract) if favorable contract terms are not negotiated.

One thing to note, having reviewed the Google contract (and the related Computer Science Corporation contract), which can be found at the end of this report, the scope of Google's contractual promises may not be quite as clear cut as described by LA officials (a breakdown of the Google data security and privacy contract terms will be the subject of a second post on this issue).

What does this mean for customers entering into Cloud (or other outsourcing) contracts?

So what does this all mean to companies looking to go into the Cloud and hoping for contract arrangements that offer protection?  A lot.  Organizations are giving up a great deal of control when they outsource into the Cloud, and only good contract terms can compensate for that loss of control.  Unfortunately, many companies are focused on basic contract terms like price and often find themselves in a "take it or leave it" position when it comes to data security and privacy terms.  In terms of timing, lawyers working on these contracts often find that the service provider is more or less "locked in" at the point where data security and privacy contract terms are first addressed.  Oftentimes competitors have been eliminated and are no longer in the picture, and as a result the customer has little leverage to negotiate more favorable terms.

To be in a better position to negotiate favorable data security and privacy terms the current leverage dynamic needs to change.  This LA-Google situation is a very favorable sign that service providers, if handled properly, are willing to negotiate on these terms in order to win a contract.  However, customers must realize that most service providers are not going to approach a contract this way unless the customer creates an environment that provides it with leverage.  To achieve this customers looking to enter into IT outsourcing arrangements (Cloud or otherwise) should consider the following:

• Approach multiple vendors.  In many cases the only viable threat a customer has is to walk away to a competitor.  If no competitors are in the picture then there is not realistic threat and no leverage exists.  The problem is that many companies are attracted to a specific vendor, or other vendors don't quite have the same service offering as the preferred vendor.  Nonetheless, rather than becoming blindly enamored with a particular vendor, organizations would be well-served to find and look at competing offerings (at least to get some negotiating leverage against the primary vendor).

• Address these issues at the "Request for Proposal" phase.  Price and service offering description are the key components that go into a RFP, but considering the material financial risk posed by data security and privacy, why shouldn't those terms be highlighted in an RFP as well?  Rather than getting locked-in to a service provider after the RFP phase, it is better to lock the service provider into the data security and privacy terms you desire at the outset.  This is the time where the providers will be hungry and more willing to concede on issues.  The RFP should include the specific security and privacy requirements the organization desires, as well as specific contract language that should be included in the contract.  For companies that do a lot of IT outsourcing, these documents can be standardized and simply plugged into the RFP (which also has the benefit of creating consistency across the organization).  If you don't have an RFP process, then you should.  Adding data security and privacy requirements (and contract language) ♠changes the dynamic and makes the service provider compete on all aspects of the transaction.

• Keep competitors around.  Rather than eliminating alternatives at the outset, keep other competitors around (even if their offering may not be 100% ideal).  Again, the longer you can maintain your threat to walk away to a competitor, the stronger your position will be to achieve concessions.  Moreover, the "less than ideal" competitors can start to look more attractive when your "ideal" service provider refuses to accept any responsibility for your data security or privacy.

• Pre-establish your positions and your fall-backs.  It is important to predetermine your positions regarding data security and privacy risk and the contract terms your organization is willing to accept.  Organizations that routinely enter into contracts implicating these issues should develop a security and privacy schedule that indicates specific controls that are required.  The legal team should develop primary and secondary positions for confidentiality obligations, indemnification, limitations of liability, consequential damages disclaimers, compliance with privacy and security laws, and other related contractual requirements.  These back-end contract terms can be folded into and made part of the RFP.  They also provide for consistency across the organization and let the company understand and manage its exposure when using third parties to store, transmit or process data.

Conclusion

From the customer perspective, it is very encouraging to see a major Cloud provider willing to negotiate on data security and privacy contract terms in order to win business.  However, it is likely that the result in this case was very much due to how Los Angeles handled the negotiation. Organizations that are concerned about these risks when they enter into the Cloud need to position their organization and the transaction in a manner that changes the leverage dynamic in their favor. Otherwise, they may find themselves at the end of a contract negotiation taking on enormous risk with little actual control over the risk.