When it comes to incorporating cloud computing into outsourcing relationships, it looks to be a matter of when, not if — at least if one believes surveys from industry experts like the Everest Group. So outsourcing buyers need to educate themselves on the best way to add cloud to their existing outsourcing agreements. Fortunately, Kenneth A. Adler , chair of the Technology and Outsourcing Practice at the Loeb & Loeb LLP law firm was willing to offer his advice.
Cloud computing has expanded beyond standalone offerings, and is becoming part of the delivery strategies in existing outsourcing relationships, whether to reduce costs or take advantage of new delivery models.
However, most outsourcing contracts did not anticipate the addition of cloud computing. Here are some of the most critical issues that should be reviewed when adding cloud computing to an existing outsourcing agreement:
Know Your Data: It is critical to understand the types of data involved in order to assess the risks of processing and storing data in the cloud. Is the data subject to regulation? Examples include personally identifiable information (PII) and protected health information (PHI). Knowing the types of data involved will help the parties address compliance with applicable regulatory requirements and laws.
Additionally, the outsourcing agreement may have provisions addressing the locations from which services are provided. These contract requirements may need to change (depending on the particular cloud services involved) if the customer needs to know where certain data is transmitted, processed and stored, including provisions regarding future relocations of the service locations.
Data Security Requirements: Once the type of data involved is determined, the data security requirements for data processed and stored in the cloud can be addressed. Depending on the underlying outsourcing relationship, the data security risks may require revisions to the data security policies and procedures that the supplier will follow, and may impact the obligations of the parties in the event of a data security breach, including responsibility for related costs.
Change in Relationship: Will the cloud services be provided by the existing supplier or is it a third-party offering? It is important for the parties to understand the specifics of any material subcontracting, and to confirm whether the terms of the agreement support this model for services delivery. For example, customers will still want one overall supplier with responsibility for the services (i.e., “one throat to choke”). For suppliers, there may be provisions in a cloud service provider subcontract that need to “flow down” to the customer.
Service Level Applicability: The parties should confirm whether the service levels and related methodology still make sense for the cloud-based services. In particular, the demarcations of responsibility and measurement methodologies may differ for cloud-based services.
Allocation of Risk: The risk profile established in the outsourcing agreement may not match or apply to cloud-based services. An analysis should be completed of the risk-related provisions of the outsourcing agreement, including limits of liability, indemnities, force majeure and excused performance provisions to ensure the risk profile is set appropriately.
Service Continuity: Cloud services may have their own disaster recovery and business continuity attributes (particularly if provided by a subcontractor), which can be quite different than the service continuity provisions and requirements in an existing outsourcing relationship. Commodity cloud service offerings may not have robust service components to address service continuity, particularly for a customer in a regulated industry. Understanding what service continuity services are included, and what may be optionally available, is important so both parties have a clear understanding of the customer’s requirements and supplier’s capabilities.
Clearly, both customers and suppliers need to re-think existing outsourcing contract structures to ensure that the terms make sense when cloud services are added to the mix. This review should be performed early in the process to identify the specifics of the cloud services and data involved, and changes which may be required to the agreement, including the impact on both the customer and the supplier. Otherwise, the “silver lining” in adopting cloud computing may bring unintended consequences.
Kenneth A. Adler is chair of the Technology and Outsourcing Practice at Loeb & Loeb LLP. He specializes in complex global and domestic outsourcing and technology transactions. With over 20 years of experience, his practice includes drafting and negotiating all types of outsourcing and technology agreements, including business process and information technology outsourcings. He has significant experience addressing the creation of, and strategies relating to, multi-sourced environments, as well as renegotiation and termination of existing outsourcing agreements.