Clicky

Header graphic for print
InfoLawGroup privacy. security. technology. media. advertising. intellectual property.

Cloud Providers Competing on Data Security & Privacy Contract Terms

Posted in Cloud Computing

I ran across an interesting article in PC World the other day concerning a head-to-head competition between Google Apps (Google’s SaaS offering) and Microsoft’s Office to provide certain day-to-day applications to the City of Los Angeles.  The end result of this competition is that Google will be providing Google Apps (SaaS) to the City of Los Angeles (including at a minimum Gmail, Google Calendar, Google Talk, Google Docs, etc.).  LA predicts that 60-80% of its staff will be able to use utilize those apps (LA reportedly is not forcing its staff to abandon Microsoft Office, but will not buy any new Office licenses) 

However, interesting from a legal and business point of view is the apparent importance of Google’s contract terms in the City’s decision to choose Google’s Cloud over Microsoft’s Office.

On that issue the PC World article reported the following:

Google moved early to make this a contest over which company offers the best contract terms and legal protections in cloud environments. The city of Los Angeles, which may be Google’s marquee government user, has been frank in disclosing details of its agreement. By the end of June, Los Angeles expects to complete a transition of some 30,000 employees to Google Apps.

In a sense, Kevin Crawford, Los Angeles assistant director of IT, is Google’s de facto public sector evangelist. He doesn’t market Google directly, but he answers questions from many other local government and state officials who want specifics about the city’s deal with Google. Indeed, at the SaaScon conference on cloud computing and software as a service here this week, Crawford has been peppered with questions about the contract terms.

Los Angeles has been frank about the contract, which includes unlimited damages for a data breach, provisions allowing audits, guarantees that the data remain in the contiguous 48 states, and penalties if Google’s services are unavailable for any longer than five minutes a month.

The contract also gives the city the right to cancel its contract with Google "for convenience," Crawford said.

Moreover, the contract reportedly includes specific data security and privacy controls and requirements and "unlimited damages" if Google breaches confidentiality obligations:

Los Angeles spent months negotiating a contract with Google that includes a provision providing the city with unlimited damages if its nondisclosure agreement (NDA) is breached by Google, said Kevin Crawford, the assistant general manager of IT for Los Angeles and the person who is managing the transition. That clause aims to protect the city from a third party claim if personal data is release, said Crawford.

Crawford said the most important clause in the contract requires that Google to encrypt the city’s data and break it into pieces when it is at rest so that no one can get their hands on a full file. If hacker somehow accesses a file, he will only see "a whole bunch of gibberish," Crawford said. The contract also bars Google from viewing any data without permission from the city.

Los Angeles data will be administered from inside LA’s firewall by city staffers through an administrative console built by Google, said Crawford. "We have control of our portion of the data," he said.

Moreover, the data must remain on systems within the continental U.S. That can be verified via auditing by the city, Crawford added.

"We’re going to have a more secure system then we have today," said Crawford, noting that Google personnel does more work on security "than we could ever afford to do."

The Information Law Group has previously discussed the importance of data security, privacy and compliance in the Cloud context.  This situation seems to validate the premise that Cloud providers are going to (and willing to) compete on these issues and the contract terms that relate to them. 

From the InfoLawGroup’s own recent experience, data security and privacy terms (and associated indemnities and shifting of risk of loss) have become much more important in IT outsourcing arrangements (whether Cloud or "traditional").  Lately it seems that right after price and service description/promises, significant time, effort and expense are being expended drafting and negotiating data security and privacy terms.  In fact, because of the complexity of security and privacy, and associated laws, in InfoLawGroup’s recent experience, these terms can take more time to settle out then more "basic" contract terms.  Overall, the key reality at this juncture is that there is significant financial risk associated with poor data security and privacy and related regulatory requirements.  In many cases, in terms of pure dollar amount this risk can dwarf the value of the contract (or the savings of the contract) if favorable contract terms are not negotiated.

One thing to note, having reviewed the Google contract (and the related Computer Science Corporation contract), which can be found at the end of this report, the scope of Google’s contractual promises may not be quite as clear cut as described by LA officials (a breakdown of the Google data security and privacy contract terms will be the subject of a second post on this issue).

What does this mean for customers entering into Cloud (or other outsourcing) contracts?

So what does this all mean to companies looking to go into the Cloud and hoping for contract arrangements that offer protection?  A lot.  Organizations are giving up a great deal of control when they outsource into the Cloud, and only good contract terms can compensate for that loss of control.  Unfortunately, many companies are focused on basic contract terms like price and often find themselves in a "take it or leave it" position when it comes to data security and privacy terms.  In terms of timing, lawyers working on these contracts often find that the service provider is more or less "locked in" at the point where data security and privacy contract terms are first addressed.  Oftentimes competitors have been eliminated and are no longer in the picture, and as a result the customer has little leverage to negotiate more favorable terms.

To be in a better position to negotiate favorable data security and privacy terms the current leverage dynamic needs to change.  This LA-Google situation is a very favorable sign that service providers, if handled properly, are willing to negotiate on these terms in order to win a contract.  However, customers must realize that most service providers are not going to approach a contract this way unless the customer creates an environment that provides it with leverage.  To achieve this customers looking to enter into IT outsourcing arrangements (Cloud or otherwise) should consider the following:

  • Approach multiple vendors.  In many cases the only viable threat a customer has is to walk away to a competitor.  If no competitors are in the picture then there is not realistic threat and no leverage exists.  The problem is that many companies are attracted to a specific vendor, or other vendors don’t quite have the same service offering as the preferred vendor.  Nonetheless, rather than becoming blindly enamored with a particular vendor, organizations would be well-served to find and look at competing offerings (at least to get some negotiating leverage against the primary vendor).
  • Address these issues at the "Request for Proposal" phase.  Price and service offering description are the key components that go into a RFP, but considering the material financial risk posed by data security and privacy, why shouldn’t those terms be highlighted in an RFP as well?  Rather than getting locked-in to a service provider after the RFP phase, it is better to lock the service provider into the data security and privacy terms you desire at the outset.  This is the time where the providers will be hungry and more willing to concede on issues.  The RFP should include the specific security and privacy requirements the organization desires, as well as specific contract language that should be included in the contract.  For companies that do a lot of IT outsourcing, these documents can be standardized and simply plugged into the RFP (which also has the benefit of creating consistency across the organization).  If you don’t have an RFP process, then you should.  Adding data security and privacy requirements (and contract language) ♠changes the dynamic and makes the service provider compete on all aspects of the transaction.
  • Keep competitors around.  Rather than eliminating alternatives at the outset, keep other competitors around (even if their offering may not be 100% ideal).  Again, the longer you can maintain your threat to walk away to a competitor, the stronger your position will be to achieve concessions.  Moreover, the "less than ideal" competitors can start to look more attractive when your "ideal" service provider refuses to accept any responsibility for your data security or privacy.
  • Pre-establish your positions and your fall-backs.  It is important to predetermine your positions regarding data security and privacy risk and the contract terms your organization is willing to accept.  Organizations that routinely enter into contracts implicating these issues should develop a security and privacy schedule that indicates specific controls that are required.  The legal team should develop primary and secondary positions for confidentiality obligations, indemnification, limitations of liability, consequential damages disclaimers, compliance with privacy and security laws, and other related contractual requirements.  These back-end contract terms can be folded into and made part of the RFP.  They also provide for consistency across the organization and let the company understand and manage its exposure when using third parties to store, transmit or process data.

Conclusion

From the customer perspective, it is very encouraging to see a major Cloud provider willing to negotiate on data security and privacy contract terms in order to win business.  However, it is likely that the result in this case was very much due to how Los Angeles handled the negotiation. Organizations that are concerned about these risks when they enter into the Cloud need to position their organization and the transaction in a manner that changes the leverage dynamic in their favor. Otherwise, they may find themselves at the end of a contract negotiation taking on enormous risk with little actual control over the risk.

  • http://enterprise20.squarespace.com Saqib Ali

    This seems a departure from Google’s philosophy of One Cloud, One Storage.
    I kinda like the One Cloud, One Storage philosophy. It is a cloud, not a hosted service. Take it or leave it.
    I am not sure how Google is planning to restrict the within the boundaries of the 48 states. Do they have provisions for meta-tagging content, such that it doesn’t leave certain boundaries?

  • http://www.lyndon-group.com Eric Nelson

    Great article! Companies have been outsourcing their data to a shared environment for years, but privacy concerns have certainly brought Cloud security to the forefront.

  • http://www.davedyk.com Dave Dyk

    David – One thing that I’m surprised hasn’t been discussed in these cloud outsourcing contracts is the requirement for a SAS70 audit. Sure the City theoretically *could* audit Google to make sure that data has appropriate security controls and is stored in an encrypted format within the US. But that is completely impractical. It would be much more practical for google to have one of the big 4 accounting firms do a fairly comprehensive SAS70 audit of their data security practices, and provide that to clients as assurance that the controls are adequate and operating effectively. Have you seen any discussion of SAS70, systrust, webtrust, defined procedures, or that sort of audit arrangement being written into a cloud computing contract?

  • http://www.perspecsys.com Jeff Campbell

    I read this post with keen interest and appreciate the balanced view taken. I look forward to the subsequent post with the contract terms explored more fully.
    In my business I deal with clients who wish to use the cloud but cannot give up control of the critical data. This is sometimes a legislated issue as is the case with ITAR, a regulated issue as in certain verticals like Financial Services or Health Care or a policy issue governing competitive or other proprietary data. In most of the cases I deal with, not even contractual clauses will suffice as measures to enable the enterprise to adopt the cloud application.
    We offer a solution to these corporations by enabling them to keep the critical data resident behind their own firewall within control while use SaaS or public cloud applications. Their user’s experience is un-affected since our technology preserves the functionality of the application.
    In my experience there is a very large portion of the overall software market that is maintaining on-premise applicatons because they must retain control of the data and cannot or will not accept contractual control. The growth of private clouds is an expensive example of how enterprises are dealing with data control.
    I see this scenario, cloud providers competing with contractual terms, quickly evolving to cloud providers offering technology solutions to this issue. These technology solutions must preserve the functionality of the application without adding significant incremental cost.

  • D. MacSteaphan

    Don’t become enamored with SAS70 audits. Take a close look at how they are performed:
    1. Company hires auditor
    2. Auditor asks company, what controls do you have in place?
    3. Company tells auditor what controls
    4. The auditor checks for the controls and makes certain they are operating
    5. Auditor reports back “yes, you have controls and they are running”
    For that you pay $50,000 or more.