5 KEY ISSUES IN CLOUD COMPUTING CONTRACTS

Defining the Scope of Cloud Services 

This statement may seem so obvious that it wastes precious reader attention, but I will make it nonetheless: SaaS (software-as-a-service) and IaaS (infrastructure-as-a-service) relationships require thinking through different technological, business and legal issues.

Purchasers of SaaS will want to ensure their contracts include detailed documentation on software functionality (a feature matrix is quite useful); scheduling software functionality can have a direct impact on your wallet (vendors can't charge you for "new features" you were already promised), and provide a great ability to enforce legal rights in the event of a dispute. Software-as-a-service is an intangible asset in most ways, and functionality documentation provides the "substance" of what is being purchased.

IaaS contracts must address an increasingly broad array of cloud services ranging from simple storage to elastic computing power to virtualization and more. Service level agreements and related credits for failure to meet on-demand standards may apply.

Intellectual Property Rights

Consumers of SaaS development, infrastructure virtualization and other cloud-deployments must have a strategic approach to ownership of the intellectual property utilized in the cloud offering. Depending on the economics of the relationship, software developers and purchasers  may co-own or otherwise share intellectual property rights. Given the precise and infinite ways in which intellectual property can be carved up, careful attention must always be given to IP ownership rights as they often have a fundamental impact on the a company's product strategy.

Indemnification

The negotiation of indemnification coverage for third party law suits relating to intellectual property infringement, data/privacy breaches and other key items provide important risk allocation mechanisms in a contract. The parties must realistically assess the commercial value of the contract and nature of cloud services in negotiating when, and to what monetary extent, each party will take responsibility for harm caused to third parties whether for breaching IP rights, disclosing personal information or some other unforeseen harm. Given the increasing cost companies face when experiencing a data breach, ensuring appropriate indemnification coverage in a contract has real significant financial consequences.

Information Security

While movement into the cloud by both enterprise and government is inevitable and happening, regulators and consumer advocacy groups will ensure a bright spotlight is shone upon information security.

To that end, in order for company officers to discharge compliance obligations, and to ensure the security of a company's important information assets, organizations deploying cloud solutions must conduct thorough technical due diligence to understand the cloud provider's information security infrastructure and related protocols, and these must be memorialized in the contract.

Consider whether industry standards, like the ISO/IEC 27000 series, are useful. While it may not be realistic to request audit rights, the contract can require cloud providers to produce the results of third party security audits.

Compliance with Laws

In the United States a patchwork of Federal, State and even local laws govern the use of personal information, medical information and other classes of protected information. Add to this an additional layer of complexity when you consider the global presence of many companies.

International data security and privacy standards range from Europe's extremely protective regime, to more open standards in developing countries. Business must navigate this increasingly complex web of regulation.

Shared computing resources, often times bouncing information among data centers in disparate parts of the globe, underscores the brilliance of cloud computing but also its legal complexity; consider that many countries restrict the exportation of personal information outside their borders and the challenge becomes apparents. Separately, sharing of customer personal information may require the cloud provider to agree to comply with the laws of certain jurisdictions.

Making sure that a contract appropriately memorializes each party's legal compliance obligations can serve all well in creating a fruitful working relationship accomplishing all organizational goals.

INAUGURAL & INTRODUCTORY THOUGHTS

With this Cloud Technology Business Law Blog, my goal is to use Google's powerful blogging platform to connect with readers interested in exploring legal and business issues related to the commercialization of cloud computing services and the moneyed parties (think venture capital and angels) that fund development of cloud tech companies.

As a former mergers and acquisitions attorney who four years ago came upon the opportunity to retool my legal skill set to practice in the Information Technology sector of my law firm's Intellectual Property Group, I now have a broad bench of practical experiences which I hope to draw upon in these writings.

The billion dollar software-as-a-service industry, which includes vast networks of computer farms hosting and providing computing power to SaaS, is undeniably having a significant impact on the global economy and the delivery of technology to both consumers and business.

To that end, every day new business partnerships are forged among providers and consumers of cloud computing services, with complex, evolving legal and business issues that have to be reduced to writing in an understandable enforceable contract. Drafting and negotiating contracts for these complex relationships, often-times among multiple parties, has provided a fulfilling challenging legal practice that enables me to leverage a base business attorney proficiency, deep software technology licensing experience and new learnings (Probably the most fun part of my job, learning about new technology, which I try to do as much as any lawyer can).

Why blog? As a lawyer accustomed to engaging in intellectual exercises of vast scope and extreme precision, I now write in no other way. That is to say, a blog cannot be a means to sacrifice the crispness of analysis that legal thinking requires. However, the informal and fluid nature of blogging, and its instantaneous delivery of content over the cloud, is a perfect and necessary medium for a certain type of contribution of thought/analysis on the rapidly-evolving technology that is cloud computing. My hope is that these writings can be of use to a broad audience - the aim is drafting blog posts with elegant simplicity while maintaining intellectual integrity. Sounds quite Job'sian... Also I suspect that if I'm fortunate enough to find a set of readers, that I'll gain more knowledge than I provide.

With that in mind, any and all feedback will be cherished by this author.