After an outage that hit Air Canada, National Bank and others, a lawyer and security expert offer tips on what to look for in cloud service agreements

Lawyer: tread carefully in the cloud
In January, an IBM server cluster went down due to a power failure, leaving several of its high-profile tenants — Air Canada, National Bank, Equifax and Laurentian Bank — in digital darkness for a brief while.
 
The episode may have raised a question in the minds of some of the companies relying on cloud providers to safeguard their data: when disaster strikes, how much can we trust them to do the right thing?
 
Trust starts with the ink on your contract, says Graham Thompson, president of Ottawa-based Intrinsec Security Technologies Inc., a company that specializes in cloud security. Read your service agreement very, very carefully before signing it, he says. Don’t assume that if something goes wrong, your priorities will be the same as those of your  cloud provider. Caveat emptor.
 
“For example, if there’s a virus outbreak,” he says. “Well, the provider, your cloud provider or your traditional IT provider, their perspective of it is going to be, we need to a) keep this out of the press;  b) make sure nobody else is impacted; and then c) get this one client back up and running. Whereas, of course, the client, their priority is to get back up and running. You can see how there’s a bit of a mismatch there.”
 
So, how do you avoid choosing a provider who isn’t on your wavelength? And more to the point, what should you look for in a contract?
 
For starters, he says, the contract should spell out “real, enforceable penalties” for breaches by the providers. Buyers should also make sure they understand the level of technical support they are entitled to (some plans offer support only Monday to Friday during business hours, for example).
Another thing cloud customers tend to overlook in managed services agreements is whether or not there is a provision for the fate of their data once the contract is terminated, adds Véronique Wattiez-Larose, a partner at McCarthy Tétrault in Montreal.
 
“What people often forget about is when you actually end the relationship with that provider, you actually have to recuperate your data. So, how are you going to do that [and] in what format is it going to be delivered to you? Just sort of walking through the entire process — that’s not necessarily covered by the more standard-form agreements.”
Wattiez-Larose adds that if you aren’t a National Bank or Air Canada, you have all the more reason to take the time to make sure the contract is kosher. “For the bigger players, on both sides of the table, that is, the cloud agreements are probably not that much different from any classic outsourcing agreement,” she says.
“But as you get smaller then obviously your leverage gets smaller as well. And because of that change in the business model, then, you may not have as much protection in those agreements as the bigger guys.”
Steven Rodin, CEO of Toronto-based Storagepipe Solutions Inc., wrote in an e-mail message that as a cloud provider, his organization strictly adheres to the agreements it makes with its customers, which “spell out both our responsibilities and customer responsibilities for data protection.” 

“We stand behind those responsibilities and commitments,” he wrote.

A power outage, which wouldn’t fall under his company’s responsibilities, would nonetheless be a very unlikely accident at Storagepipe, Rodin wrote.

“We have both Uninterrupted Power Supplies (UPS) and backup diesel generators that feed power to our data centre.  The building also has four environmentally-compliant diesel fuel storage facilities which can house up to 44,000 gallons of fuel for the generators. The data centre also features fully redundant underground power connections and can be switched on seamlessly via an automatic protection and control mechanism. 

“In other words, a power outage on our end should be the least of your worries.”

Wattiez-Larose says there are bound to be many more disputes between providers and customers in the future, but most of them of them won’t be made public.
 
“At least for the larger businesses,” she says, “most of these contracts have arbitration provisions, so that disputes won’t actually go to court. They’re going to go to private arbitration, which obviously provides the advantage of confidentially.”
Related Download
Stock exchange lowers latency and increases availability with HP Sponsor: HP
Stock exchange lowers latency and increases availability with HP
This case study provides an overview of why the National Stock Exchange turned to HP to meet specific needs for a next-generation server and storage infrastructure with high availability and ultra-low latency to support online transaction processing and data warehouse solutions.
Register Now
Share on LinkedIn Share with Google+ Comment on this article