customer-provider agreements : elemental cloud computing

The Information Law Group has an excellent 4-part series on the legal implications of cloud computing. The series is written for lawyers, but the issues addressed — Privacy, Relationships, E-Discovery and Digital Evidence — are important for anyone considering cloud computing.

Series Context:

“Bottom line: this is not your father’s outsourcing relationship, and trying to protect clients with contracts may be very difficult or impossible unless the cloud computing community begins to build standards and processes to create trust. This post is not for my tech/security friends, it is for the attorneys out there, especially the general counsel and transactional attorneys who draft terms for tech contracts (e.g. outsourcing contracts, ASP contracts, software licenses, etc.).

…One final note to the attorneys out there: there is going to be incredible financial pressure on organizations to take advantage of the pricing and efficiency of cloud computing and if attorneys fail to understand the issues ahead of time there is a serious risk of getting "bulldozed" into cloud computing arrangements without time or resources to address some serious legal issues that are implicated.”

Legal Issues:

“Transborder Data Flow Triggering Legal Obligations in Multiple Jurisdictions. This sharing and transfer of data within the cloud, the inability for anybody to easily say where the data is or has been, is the key problem that creates legal issues. An obvious problem is transborder data flow. For example under the EU Data Protection Directive, unless they take certain steps, organizations are prohibited from transferring personal information to countries that do not provide the same level of protection with respect to personal information of EU residents (the United States is one such country). A company that does its processing in the cloud may be violating EU law if data goes to servers outside of the EU to prohibited countries. Unfortunately, contracts may not be too helpful because cloud providers will not be in any position to make any contractual promises to their clients because in many cases they cannot say which countries data will be transferred to or from. So how can companies seeking the efficiency and cost savings of the cloud utilize it if, by its very nature, it leads to potential legal compliance nightmares?

"Reasonable Security" Under the Law. Then there is the issue of "reasonable security" in the cloud computing context, and potential liability arising out of security breaches in the cloud. Generally speaking if a company outsources the handling of personal information to another company they may have some responsibility to make sure the outsourcer has some level of reasonable security to protect personal and confidential information. What happens when the could is utilized? Service providers using the cloud platform essentially rely on the security of each of the cloud participants receiving personal information. That could be name brand companies like Google who are likely to have some level of adequate security, but it could also be lesser players trying to engage in business as cheaply as possible and not implementing rigorous controls. The bottom line again is that the organization seeking to do business in the cloud has no way to even perform a due diligence of "the cloud" to ensure that adequate security is in place. Moreover, cloud companies and service providers that contract directly with such companies are not likely to make any contractual promises around security since they ultimately don’t control it (or even know how good or bad it is within the cloud). Ultimately, the legal question is, what liability does a company face when there has been a security breach in the cloud that has resulted in the theft or harm of valuable or protected data?

Electronic evidence/e-discovery. Utilizing the cloud can be problematic in the litigation context. First off, when litigation ensues and a litigation hold is initiated, the organization will have to deal with a third party cloud provider in order to get at the information relevant to the litigation. It may not be easy for that provider to actually preserve the data that is needed for several reasons. For example, an organization may be using a third party software provider that itself utilizes the a cloud platform. The data subject to the litigation hold therefore may actually reside in the cloud and may not be readily accessible/preserved by the software provider. This could complicate gathering electronic evidence and responding to e-Discovery requests. Moreover, it could lead to spoliation of evidence. In addition, considering that multiple copies of data may be created, stored, recompiled, dispersed, reassembled and reused, the idea of what constitutes a "record" or a "document" for evidentiary purposes may be difficult to grapple with in the cloud.”

Series Posts:

Legal Implications of Cloud Computing — Part One (the Basics and Framing the Issues)

Privacy and the Cloud

Relationships in the Cloud

E-Discovery & Electronic Evidence

Tagged as: contracts, e-discovery, InformationLawGroup, legal, privacy, security

Posted by brenda michelson at 2:48 pm in adoption, assurance, Cloud Watch, customer-provider agreements, legal | Permalink | Comments(0)
| Trackback URL

Bessemer Venture Partners published a winter release of their 10 Laws of Cloud Computing and SaaS. These laws are written for cloud computing providers – potential investees. However, the laws are also interesting to anyone interested in the cloud computing marketplace.

As I was reading the full whitepaper (pdf), I found one law to be pertinent for potential cloud computing customers. Law #8: Leverage and Monetize the data asset. (emphasis is mine)

“BESSEMER CLOUD COMPUTING LAW #8: Leverage and monetize the data asset. While Cloud Computing is about providing a subscription service to your customers, one of the happy consequences is that you end up hosting their data. This becomes a critical asset that you can monetize by increasing the value of your offering; by leveraging it across your customer base in the form of benchmarks; or for specific businesses, by using the data to generate leads (within the contracted obligations). In these difficult economic times, where prices are under pressure and customers are tightening their budgets, data can be a difference maker.

As a Cloud Computing service, your company captures a lot of business information on each individual customer, information that is typically peripheral to the delivery of your service, but could be very interesting for your customer’s executives. This information can generally be packaged and synthesized into a set of management dashboards that you can provide to your customers, potentially for an incremental subscription fee, or as a way to expand usage and increase product stickiness. Within our own portfolio, successful examples include the “CMO dashboard” (Eloqua), “Merchandising Dashboard” (Retail Solutions), “CFO Dashboard” (Intacct), and “HR Dashboard” (Cornerstone OnDemand) .

A second way to monetize your data is to identify the key performance indicators that you can derive from them – typically the ones that you have identified for your executive dashboards – and develop benchmarks across your customer base. These benchmarks can be customized along several dimensions (e.g., by company size, sector, geography) and be provided separately to your customers and even included in the executive dashboard. One of the early companies to sell benchmarks was Concur, the leading public company in the expense management space. With Concur reports, customers can compare their travel costs and business expenses against their peer group and track the evolution over time. We believe this “data-as-a-service” model has a lot of potential and will become more prominent as companies mature and need to find additional revenue streams.

Finally, another way to take advantage of your data is to use it to generate leads. While we recognize that this may not be possible for many of the B2B businesses for obvious reasons, this practice has proven to be successful for the lower end of the market, including small businesses and consumers. A company like Mint for example (now part of Intuit), even based its business model around it. Mint launched a SaaS financial application for consumers, competing against Quicken, but while the Quicken and Quicken Online business models used a license or a subscription fee, Mint was free and generated revenue by using its consumer insights to generate leads that were sold to service providers. For example, if Mint identified that your savings account had a 2% rate, it would notify you by email that another bank could offer you 2.5% and sell your click (or whatever action you would perform if interested) to a provider. Mint was so successful in this customer acquisition model that it ended up being acquired by Intuit in 2009 and will now replace the Quicken Online product.”

Certainly, there is no malice or wrongdoing here, as the above Law explicitly states “within the contracted obligation”. And, there can be great value to your organization to receive benchmark, trend, lead or other aggregated data. However, the use of your hosted data must correspond with your organization’s privacy and IP practices. Therefore, it’s critical to understand, and if necessary, negotiate any data usage components of your service contracts.

Tagged as: Bessemer, data

Posted by brenda michelson at 6:15 pm in Cloud Watch, compliance, customer-provider agreements, SaaS | Permalink | Comments(0)
| Trackback URL