6 Pitfalls of Cloud-Service Contracts
Before you sign on the dotted line, make sure your school has sorted out the legal aspects of any cloud-service contract. Here are six areas to consider.
By Dian Schaffhauser
We've all heard vendors extol the benefits of their cloud services: efficient, easy, cost-effective, and fast. What's not to like? But before your school dives headlong into uncharted waters, be sure your legal team scans for any hazards that may lie beneath the surface.
It's easier said than done. From a legal standpoint, the water is pretty murky. For starters, the laws are still evolving. Much about cloud computing "is new stuff," says Justin Bathon, an assistant professor in the department of Educational Leadership Studies at the University of Kentucky. "In other areas of education law there have been years of litigation, so you have a pretty good base from which to predict how new things will be handled." With cloud services, on the other hand, technology can be way ahead of the law. "It'll take three or four years to finally catch up with the actual technology problems we're having today," he continues.
Complicating matters further is the fact that many colleges and universities are public entities, governed by state codes that are enormous in scope. Yet the number of lawyers available to public institutions is very limited, especially compared to equivalent-sized corporations. The general counsel office at UK, for example, has just four or five people representing a $2 billion organization with tens of thousands of students. As a result, says Bathon, only "a handful of people at any moment are up to speed on the legal issues." Not surprisingly, the crush of legal work can put public institutions at a disadvantage when it comes to tackling the myriad legal aspects of cloud computing.
This pressure makes it all the more important for legal teams to take the time needed to negotiate cloud contracts properly. Get the contract right, and the legal team can move on to more pressing matters. From a legal perspective, dealing with cloud-based service providers is "almost all contractual, frankly," says attorney Adam Chase of the law firm Dow Lohnes. "Your legal relationship with a vendor is governed by a contract." In fact, Chase likens the use of cloud services to a form of outsourcing: The school is "having someone else do something for it that it used to do itself, and it gives up a bit of control."
Fortunately, outsourcing is something that's been around for a long time, so the legal groundwork has been laid for at least some aspects of cloud contracts. But there are still plenty of issues in legal limbo to keep lawyers up at night. Here, we examine six common contract concerns and how schools might address them.
1) Boilerplate Contracts
A lot of service providers want to use their own contracts. No modifications required--just sign on the dotted line. But should you? Schools need to remember that vendor contracts are designed primarily to protect the vendor rather than the customer, and probably need some modification to serve both parties. As Bathon explains, a good contract should ideally pass on to the cloud-service provider "all the regulatory responsibilities that a public [school] would feel."
Unfortunately, that's often not the case. Given small legal staffs and the inevitable fires that break out on a day-to-day basis, notes Bathon, many schools have little time to "negotiate a contract, so [they] go with whatever terms of service a cloud provider has."
As a result, the school is "taking responsibility that the private company will protect the data." If the data is trifling, this may be OK (think student clicker responses in class). But such an approach is woefully inadequate in situations requiring more stringent security.
"We frequently have contracts with the Department of Defense and NASA where security is really essential," explains Bathon, adding that concerns go well beyond government data. "We're also a healthcare institution. We're in a lot of business categories these days where the cloud is a really important part of what we do. From a CIO standpoint, putting maximum attention on data security is really important."
The only way to achieve the necessary level of security is to push for modifications to a vendor's boilerplate agreement. If you're a big enough customer, even the largest providers--Amazon and Google among them--may agree to contract customizations for certain services. If you're a small school without a lot of clout, smaller vendors are more likely to modify their contracts to win your business. This option comes with a footnote, however: Even if the contract terms are favorable, schools must ensure that the vendor also has the resources to stay on top of security matters.
"If you're a large provider such as Blackboard, you're going to do everything in your power to make it as secure as possible," Bathon notes. "My concerns would be around a startup company being able to go above and beyond." That's not to say schools should avoid smaller companies--far from it. But IT and the legal team must do their due diligence first. "It's something that needs to be addressed before you can move forward," advises Bathon.
2) The Middleman Dilemma
One of the most compelling selling points of cloud services is 24/7 support, especially since many institutions now have global presences with international students working at all hours. Not surprisingly, says Chase, schools want service-level agreements that provide for the maximum amount of uptime. The gold standard of SLAs is known as five-nines, or an uptime of 99.999 percent. Slap that in the contract and you're good to go, right?
Unfortunately, cloud-service providers often act as middlemen. They might contract with a separate company to run the server farm that hosts their services. As a result, vendors might push back against a contract demand for five-nines uptime. For example, a company might say, "Amazon owns the pipes and operates the servers. We'll give you what Amazon gives us, but we can't give you any more than that."
If this sounds like a reasonable response, you're not an attorney. While Amazon is a first-tier provider with a solid reputation, it's not a school's obligation to police a vendor's suppliers. According to Dow Lohnes' Chase, "Our answer to the service provider might be, 'If your vendor is not working, that's your problem. But if your service isn't living up to the terms of our agreement, we're going to come and look to you to make it right.'" So adding a five-nines clause to the contract just might be good sense.
3) Data Rights
A lot of colleges and universities are weighing whether they can--or should--store sensitive student data in the cloud. If a school decides to move forward, Chase recommends that any contract include a confidentiality provision stating "it's [the university's] data and even though it's technically in your possession, you shall not disclose it without our prior written consent."
Schools may want to go one step further by also specifying exactly where their data should be stored--an especially important consideration for FERPA- and HIPAA-related data. In the early days of cloud services, customers discovered that their data might be stashed anywhere on the globe. Now all the big boys--Amazon, Microsoft, and Google--as well as smaller companies allow customers to specify in what region they want their data stored.
"If you say, 'We want to store data domestically with the vendors our clients have worked with,' they can do that without much heartburn," notes Chase.
4) Data Security
One of the most common arguments for shifting applications to the cloud is security: The largest cloud providers have far more security resources than any individual university, and consequently can provide better protection against the most frequent security ailments. It's unlikely, for example, that these companies are tucking misconfigured networked servers into office closets, or taking customer data home on a laptop or USB device. These were just some of the causes of the data breaches that afflicted 87 institutions of higher ed and university-affiliated health centers or hospitals in 2012, as reported by the Privacy Rights Clearinghouse.
At the same time, don't believe that shifting data storage to the cloud will solve all your security woes. In some ways, it's like jumping out of the frying pan into the fire. Cloud providers are increasingly becoming the target of major hacking and denial-of-service attacks, simply because that's where the data resides.
Plus, researchers are uncovering the existence of potential vulnerabilities introduced by cloud customers themselves. The Cloud Security Alliance, an organization that promotes best practices to provide security assurance within cloud computing, published a report in February that shares a "notorious nine" list of potential threats. At the top of the heap? Data breaches. Last year, for example, researchers described how a virtual machine could extract private cryptographic keys being used by virtual machines on the same physical server. Likewise, if a multitenant cloud-service database is poorly designed, a flaw in one client's application could be exploited by an attacker to gain access to another client's data.
So don't assume that the cloud is airtight: Legal considerations about data security need to be directly addressed in the contract. The agreement should specify in some detail "how data is encrypted, how data is stored, and how data is transmitted," advises Chase. "You can get very weedy very quickly on that sort of thing."
Not all attorneys have the technical chops to get this language right. Chase recommends that the school attorney reviewing the cloud contract "work in close collaboration with IT and security staff."
In Bathon's view, a good contract is an insurance policy for the inevitable. Data breaches are going to happen, he says, whether the data is maintained on campus or off. From a university's perspective, the important point is "contractually making sure that each party is held responsible for the security, then figuring out where the liability lies" when a security incident occurs.
5) Remedies and Breakups
When a vendor suffers downtime beyond what's allowed under the contract, it typically offers service credits as compensation. "That's the first thing vendors typically propose to remedy a service issue," says Chase. That's fine as far as it goes, but the contract should also allow a school to terminate the agreement if performance continues to be poor. Just be aware that a cloud agreement is a bit like a marriage: It's no fun sticking around if things go south, but "getting out is messy too," according to Chase.
Schools often need transition help to get disentangled from the first vendor and moved over to a replacement. For that reason, Chase recommends including transitional covenants into cloud agreements. "It's sort of like talking about a divorce before you get married," he explains. "OK, if this doesn't work out, let's talk about what we're going to do."
Typically, a transition provision lays out at a fairly high level what the data formatting will be, and how and when the data will be returned to the customer or to the new service provider.
6) Rogue Agreements
The beauty of the cloud--its simplicity--can also be one of the biggest burdens for IT: Faculty or staff decide it's easier to work directly with a cloud-service provider than with campus IT. It can happen with everything from learning management systems to data storage for research projects. And all too often, those who sign agreements with outside providers give little or no consideration to the contract terms.
The problem is particularly acute among faculty, says Bathon. "The transition to cloud-based learning is really happening classroom by classroom, based on however the instructor deals with it."
He cites an online quiz as a classic example. "There are lots of ways I could give an online quiz as an instructor--many of the most efficient ones are in the cloud. I can run that online quiz through SurveyMonkey or Google Forms. From an instructional standpoint, Google Forms is wonderful. But as an instructor, I don't know how secure that data is." Plus, he adds, it's simple to lose control of the data "because forms are shareable." Once a form is shared with one person, such as a co-instructor, he "might share with the whole world. It's tough to maintain a lid on security in these types of spaces."
Banning the use of unapproved cloud services is not a good idea, though. What's required instead is education. CIOs need to speak to faculty, researchers, and business managers to help them understand the risks of single-handedly choosing cloud services. "All universities want instructors to be innovative, use the latest tools, and teach in the best way they know how," Bathon points out. "Very few of our universities are talking to instructors about data security and protecting students in the cloud. It's a really difficult challenge going forward."