Cloud Computing | Feature
How to Negotiate Cloud Contracts for Your School
For schools considering cloud-based services, vendors' boilerplate contracts are seldom sufficient. CT seeks legal advice on how to negotiate a contract that works for your school.
By Alicia Brazington
Until recently, most university tech departments dealt primarily with licensing agreements. Now, as more schools sign on with cloud service providers, IT staff and legal counsel are having to shift their focus, zeroing in on new provisions in cloud-computing contracts. Getting these agreements right requires several crucial steps. Without them, data could be compromised--or mined, analyzed, and shared without a school's consent.
"When exploring cloud service providers, a lot of people make the mistake of looking almost exclusively at the technology," said Pete Sanborn, an associate in the Boston office of Foley & Lardner who specializes in IT and outsourcing. "They select a solution, but don't look at the contract and its associated risks until the train is pretty far down the tracks. That puts them in a bad position. Looking at the contract early in the game will save everyone a lot of grief."
Sanborn believes that people tend to minimize potential hazards: Because the cloud is so easy to use, they feel the agreement should be just as simple. Unfortunately, this is not the case. To make sure all the bases are covered, Sanborn urges the involvement of knowledgeable in-house legal counsel, on-site IT staff skilled in security issues, or outside attorneys with cloud-computing expertise.
For starters, it's unlikely that a vendor's boilerplate contract is going to safeguard a school's interests adequately--the point of such contracts is to protect the vendor. Several areas of these contracts require close scrutiny and should be strengthened with further specifications. These areas include service availability, performance, service levels, data security, and control. Additionally, more traditional provisions--insurance, indemnity, intellectual-property ownership, limitations of liability, and warranties--also merit attention.
The question on everyone's mind these days is whether a cloud service provider will mine the school's data. Sanborn doesn't believe many cloud providers try to obtain information within clients' data itself: "For most vendors, that crosses a line--at least right now." Nevertheless, to ensure that the information stored in the cloud remains yours, it's important to define in the contract what constitutes your data.
"Cloud providers should have no rights to your data--that should be clear," emphasized Sanborn. "The only reason they can access data is strictly to provide the service to you. There shouldn't be anything in the agreement that gives cloud providers the right to monetize it, use it, or access it."
Additionally, Sanborn says, the contract should clearly restrict the vendor's right to access your data to the terms of the agreement. If there is a confidentiality provision in the contract, for example, it should reflect that your data falls within its scope. If and when the relationship ends, the vendor should have to delete or return your data, although--for regulatory reasons--it might need to keep some portion of your data for a period of time. Make sure you understand what data will be retained, for how long, and why, and draft the corresponding contract provision as narrowly as possible.
Some free cloud-based solutions utilize software that allows them to tie advertising to the content that appears on the screen, including content that you have stored with them. "It's not necessarily a form of mining as much as tailored advertising," explained Sanborn. "It's different from a cloud provider going through your data and selling it. Nonetheless, be careful about an arrangement that permits the cloud provider to tailor advertising based on the content you add or access."
If you're paying for a cloud service, this question shouldn't even come up: A vendor shouldn't need to monetize your data. "It's a bright red flag if a for-payment vendor proposes to do so," noted Sanborn.
Increasingly, vendors are requesting the right to collect information on how organizations use their cloud services. For instance, a provider may wish to use anonymized university data, aggregated along with other clients' data, to improve the application or provide data analysis to industry groups or marketers. This arrangement carries clear commercial benefit to the provider. If a vendor wants to analyze your data, said Sanborn, be sure to include a provision in the contract that addresses the collection of aggregated data. At the very least, the arrangement should not unfairly favor the vendor or compromise the integrity of your information--or your users' trust.
To determine the risk associated with a provider analyzing your data, carefully assess what information you plan to move to the cloud. Sanborn calls this pre‐agreement diligence. Campuses should be able to categorize their data into three distinct segments:
- High Risk: mission-critical processes that utilize highly sensitive data (e.g., medical records, student or alumni records, and proprietary research)
- Medium Risk: generally available data and non‐confidential enterprise data that require high service levels (e.g., course-enrollment processes and information, or benefits-administration information)
- Low Risk: non-mission-critical and generally available data that can accept outages and variable performance (e.g., event scheduling, course syllabi)
"If you are looking to move benign, basic stuff to the cloud, you still don't want it exposed, of course, but the liability is much lower," explained Sanborn. "In this case, an off-the-shelf agreement with no negotiating room might work. But if it's critical information, you're going to need greater protections."
Understanding the protections provided under any agreement is vital. If they are inadequate, you need to negotiate new language, or walk away. How willing are vendors to alter the terms of the contract? It depends on the scale of the solution and the economics of the transaction, said Sanborn. With the biggest vendors, it's less likely that you will be able to negotiate a contract that reflects your organization's specific concerns. Smaller vendors, on the other hand, are usually more willing to negotiate, but they may not be prepared to alter their contracts if your revisions significantly increase their costs or expand their liability.
Sanborn stresses the need for compromise. "There's a lot of middle ground to work through to make both parties comfortable," he noted. Indeed, he encourages university negotiators to take the time to understand the vendor's concerns, and then figure out realistic solutions. A typical sticking point, for example, is data security. Many vendors won't take full responsibility for data security, because the university has the power to give out logins and passwords to numerous people. This makes the data less secure through no fault of the vendor.
"Clients can't absolve themselves of responsibility that falls within their control," explained Sanborn. At the same time, the vendor should be responsible for the security of the application and the infrastructure used to host it. In this case and many others, figuring out where the vendor can take responsibility will be a key area of negotiation. "In the end," summarized Sanborn, "you really want to understand your contract, feel comfortable with the terms, and sign a deal that is appropriate for both parties."