Executive Summary: Many of the legal compliance and operational risks raised by cloud computing – procuring access to information technology resources that are made available pursuant to a service level agreement (as opposed to direct ownership and control of dedicated IT assets) – are similar to the legal compliance and operational risks that are raised by traditional information technology outsourcing. Therefore, buyers and sellers looking to manage these risks in the context of cloud computing should consider the risk management tools employed in the outsourcing context.
The legal risks related to outsourcing can generally be categorized into three main areas: (i) governance risk, (ii) operational risk and (iii) compliance risk. These risks are also present in the context of cloud computing, where access to technical resources is procured from a third party that retains ownership or control over the technical resources being supplied on an as-needed and as-available basis. For purposes of this brief article, we’ll focus on certain operational and compliance risks and the tools from outsourcing that may be useful in managing these risks in the context of cloud computing. For a more detailed white paper on these risks, including governance risks, please contact the authors.
In the outsourcing context, operational risks are often addressed through service level agreements, mutually acceptable procedures manuals, performance warranties and termination protections. Cloud computing solutions already borrow some aspects of the operational risk mitigation tools used in the outsourcing context. For example, cloud computing solutions may provide for different levels of service based on price. This structure is similar to the incentive structure built into many of the service level agreements used in the outsourcing context. Different levels of service attract different pricing or result in varying levels of pricing credits.
There are distinctions between the general use of service level agreements in the context of cloud computing and outsourcing, though. In outsourcing, service credits are often used as leverage to drive certain behaviors on the part of the service provider. Where performance fails to meet a minimum standard in the outsourcing context, a service credit may be imposed on the provider and corrective actions may be triggered. In the context of cloud computing, on the other hand, service level agreements may be used more as a way to allocate resources than to set a minimum performance threshold. There may not necessarily be a corrective action triggered by a particular performance level. This distinction should be considered where a buyer requires a minimum level of performance even when procuring resources from a cloud provider. In that case, buyers may want to consider requiring a service agreement more like those used in outsourcing.
Likewise, parties should consider whether other outsourcing tools, like vendor due diligence, mutually acceptable procedures and regular reporting obligations, are appropriate to help mitigate operational risk in the context of cloud computing. Buyers should also preserve rights to terminate in the event of operational failures and ensure adequate wind-down procedures are in place in order to retain control over, and secure the return of, any data or applications placed into the cloud.
Compliance risks are those risks related to legal, government and other third-party liability that may not be delegable even when control over the delivery of a function is transferred to a third party. These risks often stem from obligations to comply with law which cannot be delegated, even though the performance of the task being regulated may be. Familiar examples include maintaining adequate controls over financial systems, even where delivery of those systems has been outsourced to a third party. These risks also include liability for unauthorized disclosure or transfer of personal data that might be processed by a third party.
In the outsourcing context, these risks are addressed through the clear allocation of controls to mitigate the risk of violations, audit rights to verify conformance with controls and indemnities that reallocate liability from the party that may incur a penalty for a breach to the party best positioned to prevent a violation. Compliance risks are also addressed through the adoption of regulatory compliance measures applicable to the particular service being procured (e.g., the use of business associate agreements to protect personally identifiable information).
When technical resources are being sourced in a cloud computing environment, buyers should not assume that compliance obligations may be dismissed. Regardless of the sourcing model, customers will remain responsible for breach of non-delegable compliance obligations – including compliance obligations related to controls over technology resources. Today, while these protections are typically included in an outsourcing agreement, many of the protections are absent from cloud computing contracts. As cloud computing solutions become more established, we would expect those solutions to adopt many of the tools used in the outsourcing context to address compliance risks.