Computer Law & Security Review 30 (2014) 196–198
Available online at www.sciencedirect.com
ScienceDirect www.compseconline.com/publications/prodclaw.htm
Comment
“Cloud bursts”: Emerging trends in contracting for Cloud services
Kit Burden*
DLA Piper LLP, London, UK
Abstract

Contracting for cloud based services might be said to be in its relative infancy, but such contracts as have been promulgated by the major providers have uniformly tended to be extremely restrictive in terms of the rights and means of recourse offered to customers. As contract values and service complexity “in the cloud” increase, however, more and more of such contracts are subject to review and challenge. This article accordingly considers some of the key points of common contention, and offers thoughts as to the direction of travel for such contracts in the months to come.

© 2014 DLA Piper LLP. Published by Elsevier Ltd. All rights reserved.

Keywords: Cloud; Cloud contracts; Software as a service; SaaS
Cloud Computing remains at the top of most organisations’ IT-related agendas. In this regard, there seems to be little in the way of a discernible slowdown in the pace at which organisations are embracing cloud-based services. The twin attractions of utility-style usage flexibility and (often quite dramatic) price reductions would be difficult to resist at the best of times, let alone those when organisations are under intense budget pressure.

At the same time, however, the models for contracting for such services have been – at best – immature. A lot has been written in this regard about Cloud Contract provisions, both in academic and private practice circles. To begin with, there was one factor that all agreed upon, namely that for “true” Cloud offerings (i.e. those offered on a one to many basis, utilising shared facilities rather than a bespoke hosted service being extended to a single customer), the contract terms which a user could expect to be asked to sign up to would be very restrictive in terms of the level of contract risk that the supplier would accept. See in this regard the review undertaken by QMUL and Stanford University, following a quite exhaustive analysis of publicly accessible (but not exclusively consumer facing) Cloud Contract terms. However,
in recent months there have been demonstrable signs that this position is shifting. Negotiations are beginning to be undertaken on a more frequent basis and changes to the proposed contract terms – previously almost unheard of – are being seen.

Before going on to look at the nature of the changes and some of the potential reasons for them, it is perhaps worth recapping the reasons why Cloud Contracts developed in the way that they did in the first place. At the risk therefore of some significant generalisations, for the SaaS model of Cloud Contract at least (e.g. as opposed to PaaS, IaaS etc) there was a tendency for the relevant software suppliers (when first “shifting” software which they had previously licensed customers to use on their own systems/computers) to take their standard licence terms for the underlying software products and to then seek to adapt them for access/use remotely (see for example Microsoft’s approach to its “Azure” suite of service offerings). Such licence terms would generally already have been drafted in a way that was broadly protective of the Supplier’s interests, but would often also have been based on a relatively high initial “reward” for the Supplier, in the form of the (usual) upfront licence payment. In contrast, the Cloud
* DLA Piper LLP, 3 Noble Street, London EC2V 7EE, UK. URL: http://www.dlapiper.com.
0267-3649/$ – see front matter © 2014 DLA Piper LLP. Published by Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.clsr.2014.01.008
based offering would typically be “sold” to the customer on the basis of a significantly reduced subscription based fee (not least as part of the selling proposition, i.e. that it is both cheaper and more flexible to procure software-based services via a cloud based offering). As many contract provisions can be said to relate in some way to the risk-reward balance, so it was argued that the level of risk that the Supplier would/should take on under the related Cloud Services contract should likewise diminish. Put simply, if the supplier is charging less, so in turn it should take on less risk, as part of the typical risk/reward balance which is inherent in most technology-related contract negotiations.

Other shifts in contract drafting arose by virtue of the change in the manner in which the Cloud services were provided. For example, when a platform is used in common to provide services to multiple clients as opposed to being dedicated on a more bespoke and individually hosted basis to meet the requirements of an individual customer, it would obviously not be desirable for the supplier to have to seek proactive consents from all its clients prior to making any changes to the underlying systems or software or to the scope or functionality of the service being offered. Indeed, any such requirement might quickly become untenable for the supplier, if it then became unable to quickly react to new legal developments, or perhaps more importantly to new commercial offerings from its competitors, simply because a subset of its customers wanted to maintain the status quo, or were simply slow in confirming their approval of changes.
As a result, it has become common for Cloud suppliers to retain often wide-ranging rights to make changes to the Cloud service offering, and often also the policies and even contract terms applicable to it, without requesting any proactive consent from the service recipients (and on the basis that such service recipients effectively pre-consent to the making of such changes, by signing up to such rights in favour of the Cloud supplier at the outset). In an endeavour to keep administration/client handling costs to a minimum, such changes may not even be directly communicated to clients, but instead be promulgated via changes to terms accessible via hypertext links. As such, it would be for the client itself to “find out” whether changes are being made (albeit that it is common for the contract terms to commit that the changes will not be “materially adverse” in terms of performance or functionality).

Still on the topic of costs, I personally recall a conversation with a UK-based General Counsel (GC) of a well-known Cloud services provider (who shall remain nameless!), around 18 months ago; in discussing their approach to contract negotiations, they remarked that with an average deal value of around £250,000 and no in-house legal capacity beyond the GC himself, there was (quite literally) no budget or bandwidth for entering into legal negotiations with customers (no matter how well intentioned or “justified” they might be), and hence the GC’s role had become an exercise in finding polite ways to say “no”, when faced with any proposed variations to their standard terms. One can readily sympathise with such an approach; when the margins are so low, it does not make much sense to impact them still further by expending a lot of time and effort in contract negotiations (let alone incur much in the way of legal costs!).
All of the above factors (and more, including a level of immaturity/ignorance on the customer side as to the nature of Cloud-based solutions) gave rise to a common scenario where Cloud contract terms became set on the basis of what often amounts to a “take it as it is” offer, i.e. whereby there was little if anything by way of a contractual remedy should things go wrong, or should 3rd party claims be made. A typical Cloud services contract might therefore contain some or all of the following provisions:

- the ability for the Supplier to unilaterally vary the scope of services and associated policies potentially without even any positive notification that changes have been made;
- a right for the Supplier to terminate or suspend the provision of the Services on short notice, especially (but not exclusively) if other customers might be being impacted by the issues (if any) at hand, and usually on the basis of the “sole discretion” of the Supplier as to its interpretation of the circumstances giving rise to a suspension event, in particular. Typical “triggers” might include security breaches or concerns as to virus infection, but examples we have seen extend to any breach by a customer of any contract provision, no matter how (im)material it may have been;
- limited (if any) warranties as to the content or quality of the Cloud services being provided, and usually with the sole remedy for any breach being for the Supplier to use “reasonable endeavours” to fix the issue but with no fixed timeframe for doing so (and often a disclaimer of any loss suffered by the customer, even if they delay in fixing the problem). In more extreme examples, we have seen contracts whereby the Supplier (but not the customer!) can terminate the contract if the Supplier encounters a warranty breach which it cannot readily rectify, on pain of simply then reimbursing the customer for any remaining elements of pre-payments it may have made (i.e. with no compensation then being due to the customer in respect of its own loss!);
- similarly, little (if any) coverage for potential IP infringement claims, with any indemnity as may be provided in any event being restricted to final awards/settlements in favour of the relevant third party claimant, and therefore not covering any elements of the customer’s own associated costs or business impacts (which may, in actual fact, form the larger part of the actual loss arising as a result of the relevant infringement, when one considers the impact it may have upon day to day business operations, the need to find a work around and – in a worst case scenario – the need to source an alternative solution/platform);
- very low limits of liability allied with comprehensive exclusions of some of the very categories of loss which might – in fact – be considered most likely to result from problems with the services (e.g. loss/corruption of data, and loss of profit/revenue);
- limited service levels, subject to extensive caveats and with no (or very limited) associated service credits, and no associated termination or step in rights.

In the more “traditional” software licence, support and hosting world, it is unlikely that too many deals would have been signed up on this basis (and as a minimum, they would
likely have been subject to extensive negotiation). In the Cloud service market, however, different rules and norms came to apply such that it could realistically be argued by Suppliers (if they were challenged at all) that such terms and positions were in line with “market practice” such that refusing to proceed with supplier A on the basis of their approach to such issues would ultimately prove relatively pointless, as suppliers B, C, D etc would be almost certain to adopt the same approach. Certainly, in times past, we have seen Cloud suppliers “stick to their guns” on many if not all of the positions highlighted above, apparently secure in the knowledge that the attractions of the cloud offering from a business and commercial perspective will outweigh any level of contractual concerns.

The story, however, has not ended there. As heralded at the beginning of this paper, we have in recent months seen a significant increase in both the numbers of Cloud Services contracts which are being subjected to more intensive negotiation, and also a tangible increase in the scope and nature of the clauses then being amended by agreement between the parties. In a very real sense, the sands are beginning to shift, and the momentum for the resulting changes seems to be ever increasing.

One might therefore query why this should be so. Was the basis for the creation of the initial wave of cloud based contracts lawyers suddenly somehow flawed? Or have customer representatives “leapt ahead” in their understanding of the issues? In reality, there is no single overriding cause, but rather a combination of a number of factors, as follows:

Customer knowledge – When Cloud service offerings first began to make inroads into the procurement patterns and spending in the IT market, many customer/buyer-side entities had a relatively low level of appreciation of what contracting for cloud-based services actually entailed.
In many cases, therefore, they were excessively quick to accept at first instance the assertion by their relevant service providers as to why certain provisions “had” to be drafted in a particular way, simply by reason of the fact that what was now being offered was something “as a service”, rather than by way of a more traditional licence model, for example. This was exacerbated by the fact that many such deals were lower in total value and so may have “escaped” detailed legal review by customer legal departments or advisors. Now, however, many customers (and their advisors) have become more familiar with what Cloud services entail and are therefore better placed to argue their case as to what should – or should not – be changing just because the relevant service is being provided remotely.

Customer Identity – Early adopters of Cloud services (as was previously the case with open source software, for example) tended not to be the larger, more highly regulated buyers such as those in the public, financial services and pharmaceutical sectors. Inevitably, however, the interest of such “big players” in what is achievable via the Cloud has grown and they have become increasingly enthusiastic adopters of Cloud based solutions. However, such organisations have significant bargaining power and firm expectations as to the kind of contract terms which they expect
their suppliers to expect... which will usually be considerably at odds with what standard form Cloud service contract terms may have offered!

Deal Size/Complexity – Linked to the preceding point, Cloud services have rapidly evolved beyond some of the lower value, more “commodity style” offerings which were often the basis of early Cloud service offerings, and can now encompass quite complex and indeed business critical functions, also involving substantial outlays by the customer in terms of ongoing services fees frequently now measured in the millions of pounds/euros/dollars. This has inevitably placed the customer focus back on the risk/reward balance, and the related contractual provisions to reflect this. Equally, the growth in deal size has increased the likelihood that the associated contract terms would need to be cleared by the internal legal team and/or any relevant external legal advisors, so increasing the frequency with which challenges to the reasonableness of limitations and exclusions etc. will be raised.

Competition – There are increasing numbers of providers now active in the Cloud services arena, not just in relation to the promotion of new types of services or offerings, but also competing with some of the longer established players. As competition increases, service providers are inevitably compelled to try to find ways in which to differentiate themselves, and “flexibility” in relation to contract provisions is certainly one of the options to be considered in this regard. In one recent negotiation we were involved with, one of the bidders for a large Cloud deal was substantively undermined in its initial argument that its terms were “absolutely standard” and could not be bettered elsewhere by the fact that the other bidder involved in the bidding process had already indicated root and branch acceptance of the customer’s requested amendments!

What conclusions can we therefore take from this?
The reality appears to be that the contracting side of Cloud services continues to mature, just as the service offerings themselves continue to do. To be fair to the supply-side of the cloud services equation, there are valid reasons why many of the relevant contract provisions need to be drafted in a manner which may appear odd or even objectionable to someone not familiar with the underlying technical model, but it is equally true that many sets of Cloud contract terms have gone further than necessary in terms of passing risk back to the customer. We believe that the market will “self adjust” in this regard, and reach a more developed appreciation of new market norms in the course of the next 12–18 months. Such market norms will, in all likelihood, continue to respect the practical and technical difference which Cloud based services necessarily entail (and which must in due course then be reflected in the associated contract terms), but which will then also pick up the increased risk which certain providers (at least) are prepared to take on in relation to their underlying technology and service provision, backed no doubt in turn by a willingness of an increasingly well educated insurance community to take on elements of the related commercial/litigation related risk.