Software Licensing Featured Articles

Cloud Services Raise New Legal Issues

While the exploding popularity of cloud computing is making the technology more conventional, historically it is still an unconventional service.

As a result, much of the standard language that appears in contracts between a business and the vendors it deals with is not applicable. Protecting the interests of businesses that use cloud services requires a new kind of contract.

According to Foley Hoag LLP, a Waltham, Mass.-based law firm that deals with technology issues, several components of conventional contracts designed to work with ‘real world’ vendors are not pertinent to cloud services and in fact, may have gaping holes that leave companies information unprotected. 


Image via Shutterstock

Many service contracts specify locations when and where products and services are to be delivered. Maintenance and cleaning services, for example, cannot be performed anywhere other than on the business’ premises. Typically their work is done after normal business hours to avoid disrupting employees.

Cloud computing services don’t work that way. Barring occasional downtime, the service is available 24/7. The service originates from the vendor’s facilities and is accessed remotely.

The standard contract often addresses how a vendor’s employees are to operate while working on the customer’s premises. Workman’s comp, vehicle insurance and commercial general liability protection are common issues in such contracts. There are provisions to ensure that there is no misrepresentations that would make it appear that the vendor’s employees were the business’ employees. 

Since the cloud vendor’s employees work at the cloud vendor’s facilities, many of these issues don’t apply. 

Conventional contracts that deal with tangible goods and property are usually silent on the matter of data, which confidentiality agreements are usually insufficient to protect.

A contract better geared towards cloud computing would do the following:

- Clearly describe what the vendor owns and what the customer owns.
- Define parameters for reliability and allow termination of the contract when the cloud system fails to meet them. 
- Allow the customer to verify that the cloud vendor has adopted best practices for protecting data 
- Provide for the customer to receive their data when the contract with the provider ends and ensure that all copies of data on the vendor’s servers are deleted.

One particular case shows how current laws are behind technology in addressing security in the cloud. In 2011 Cloudflare was the hosting site for the LulzSec hacking group, which later became defunct. So far Cloudflare has avoided any government action in spite of many complaints. The San Francisco-based provider made the argument that LulzSec used a free account, which required a minimal amount of credentialing and that the authorities have never asked it to shut any accounts down. This is somewhat shocking, given how Lavabit was easily forced to shut down, allegedly as a result of influence from NSA.

One of the disadvantages of cloud computing is that it became popular so quickly. As a result, the legal system has not caught up enough to address many of its underlying issues. Customers should resist the urge to go the cheap route by using boilerplate contracts designed for conventional vendors and instead use more modern contracts that address the technology better.

Edited by Blaise McNamee