Are you sure you want to outsource IT? Yes/No. Check this box to accept Ts&Cs
Er, and you might wish to READ them too
Migrating to an outsourced IT service including cloud is a great opportunity to outsource responsibility for IT and employees while simultaneously increasing efficiency and decreasing cost. At least, that’s the theory. The reality can be a lot more sobering.
The SSP outage should serve as a reminder that while cloud can be great for your business, it can go horribly wrong if you don’t plan ahead. “If you fail to plan, you plan to fail”, as they say.
When you moved into cloud, did you read the terms or did you just click the Accept button? Some providers will give compensation if the cloud fails. The cloud providers I act for point out that, in offering a low-margin, commoditised cloud, they will never make enough profit to offset the costs to a customer’s business that an outage could cause. That means that you may be faced with a contract term like this.
“Service Credits are your sole and exclusive remedy for any performance or availability issues for any service under the agreement and this SLA. You may not unilaterally offset your applicable monthly service fees for any performance or availability issues.”
Not one single cloud customer I act for has told me that they are happy that service credits will provide them with adequate recompense in case of cloud performance issues. I have acted for a number of customers who have sought to delete the service credit calculation, as this takes away managerial time trying to calculate the credit when the credit itself is of little value. Of course, the better approach is to simply make sure you have built redundancy into your cloud with live failover or some other DR/BC functionality.
Even this seems generous compared to another large US public cloud provider which has this in its terms:
“The service offerings are provided 'as is'. We … make no … warranties of any kind, whether express, implied, statutory or otherwise regarding the service offerings.”
This approach is commonly used by US providers. In a litigious country, providers will understandably seek to avoid claims where possible. But it’s important to remember that US law and English law are different. Are you comfortable that the service provider is charging you for a service but will not make any promises about that service? The same provider includes a pretty comprehensive exclusion of liability too:
“We will not be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages (including damages for loss of profits, goodwill, use, or data) … Further, [we will not] be responsible for any compensation, reimbursement, or damages arising in connection with … any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.”
Now, the provider points out it is an infrastructure provider. It makes available resources to you, the customer, and it is up to you to make sure it is fit for your purpose and to make sure you adopt measures to keep your data safe. That’s fair enough. Don’t forget, as the customer, you are the “controller” under data protection law and you are responsible for looking after the data. You are the one buying into a multi-tenanted, commoditised service and, unless you have the buying power of the US government, you are unlikely to ever be able to renegotiate standard terms. But are you aware that you are still responsible for all of this and have you implemented your cloud accordingly?
One of the benefits of cloud is the flexibility. When you want to move cloud, you can. But you will probably want to take your data with you. So you had better make sure you check that the provider will assist you to migrate on the way out. This is what another large provider says in its contract:
“Upon request by you made within 30 days after the effective date of termination or expiration of this agreement, we will make your data available to you for export or download as provided in the documentation.
After such 30-day period, we will have no obligation to maintain or provide any of your data, and as provided in the documentation will thereafter delete or destroy all copies of your data in our systems or otherwise in our possession or control, unless legally prohibited.”
Naturally, you will be thinking about data migration long before your relationship with the provider expires. But what about data held in shadow-IT, where the monthly cost has been put on someone’s credit card?
Do your IT, procurement, legal or compliance teams know about this data? If the bill payer leaves the company or the credit card is cancelled and the cloud service stops, you must actively ask the provider for your data back and you have no more than 30 days after expiry of the cloud to get all your data back before it is deleted.
Of course, it’s not all bad. Gamestation played an April Fool’s Day prank back in 2010 to prove that customers don’t read terms and conditions before clicking on the accept button.
"By placing an order via this website on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant us a non-transferable option to claim, for now and for ever more, your immortal soul."
Then there was the report from February 2016 about Amazon's Lumberyard:
“[T]his restriction will not apply in the event of the occurrence (certified by the United States Centers for Disease Control or successor body) of a widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization.”
Of course, the US CDC might not certify a zombie apocalypse in the UK, in which case you’re no better off. But in that situation you will probably have other things to worry about…
Joking aside, the UK Competition and Markets Authority conducted its own Cloud Consumer law review and found some cloud terms lacking. It listed a number of areas of concern, including, for example, the inclusion of a term allowing the “providers too much discretion to unilaterally vary the price, service or contract and without giving consumers adequate notice or an opportunity to cancel the contract without penalty”.
It also criticised the ability for the provider to terminate or suspend services, particularly without giving adequate notice to the consumer. Then there is the auto-renewal of contracts, locking unsuspecting consumers into another year of service and payments. And of course, the concern that contract terms are not written or structured in a way that makes it easy for consumers to understand their rights and obligations under the contract.
The European Commission is trying to steer a path here, and funded the SLALOM project to produce model clauses and SLAs for cloud which the UK Cloud Industry Forum got involved in (disclosure: I chair their Code of Practice Board). This is a good initiative and it published its findings in June 2016. We wait to see whether this will take off, since no cloud providers were involved in the project and my discussions with cloud providers on this topic have been lukewarm at best. Still, it’s early days yet so it may take off in time. Unless Brexit means the UK ignores everything the Commission is involved in.
The bottom line is, you need to understand what you’re getting into. That is as true now as it ever was. If you are moving into or between public clouds, you should reconcile yourself to the fact that the terms are not necessarily customer-friendly and you will have no control over them. Equally, if you want a bespoke cloud with a bespoke service, you have to be prepared to pay more for a private or hybrid cloud and negotiate the contract and the SLA to get the best deal.
After all, you get what you pay for. Whatever you do, please, please, please read the terms before you click on the Accept button or sign on the dotted line. But, as a cloud lawyer, I would say that… ®