At this point, almost every business operates some of its information technology (“IT”) assets in the cloud. Cloud‑based IT resources may be infrastructure (supplementing or replacing on‑site data centers and communications systems), platforms, or applications. Also, essential, enterprise‑level applications are now commonly licensed as subscription services maintained by third parties. Many of these third-party services also operate on IT infrastructure sourced from a cloud provider.
Moves to the cloud are multifaceted and multidisciplinary. Lawyers have an important role advising their clients about the legal rights and obligations in the tangle of licensing arrangements inherent in cloud computing. Determining the sources of those rights and obligations can, itself, be a challenge.
This project focuses on the essential steps for determining the legal rights and obligations attendant to operating in the cloud and provides practical tools to assist business lawyers. The project’s contributors are members of the Business Law Section’s Cyberspace Law Committee.
The initial toolkit includes six tools:
- One tool, using one significant cloud service provider as an example, assists lawyers navigating the first step in analyzing legal rights and obligations for cloud environments—that is, finding the applicable legal terms for review and discussion.
- A matrix illustrates “shared responsibility” as that concept appears in provisions of cloud service agreements from two major providers.
- A brief Business Law Today article by our Committee colleague, Lisa Lifshitz, offers Seven Tips for Better Technology Services Agreements.
- The toolkit also offers a checklist of issues to consider when an organization licenses data and a data life cycle checklist to assist with data management strategy.
- A glossary rounds out the initial work product. The glossary is intended to be an open and continuing work in progress. We welcome reader contributions.
The toolkit will also include a resource focusing on the substance of cloud licensing. The forthcoming tool describes contract terms typical for software and cloud services, highlighting, in particular, subject matter that might be prioritized for attention when opportunities for negotiation are limited.
The Lawyer’s Role: More Counselor than Drafter
A lawyer representing the purchaser/licensee in a cloud transaction will almost always be reviewing vendor contracts, not drafting or modifying purchaser/licensee forms. Opportunities for negotiation are limited by bargaining power, the cadence of business operations and IT development, and the volume of material and services that may be necessary or useful to complete the client’s IT effort. In this circumstance, lawyers add value by issue-spotting and helping the business team assess and contextualize risk reflected in the vendor’s legal terms and service descriptions.
Coordination of Relevant Stakeholders
Lawyers are also often well positioned to identify the right decision makers—or at least the appropriate subject matter domains—and facilitate work across stakeholder groups to understand and manage rights and obligations buried in the fine print of cloud contracts.[1] Establishing and managing online environments and services involve information security (a discipline not entirely the focus of IT architects, engineers, and developers), budget and finance, procurement, compliance and risk, and data management and privacy—each doing its part to support a business team’s advancement of the client organization’s objectives.
The dynamic of coordinating stakeholder input is not new, of course. But lawyers should understand whether processes and controls that the client has in place to bring relevant stakeholders together will operate effectively when technology and services are procured through cloud service providers. Cloud marketplaces make shopping easier and more accessible to more people in an organization. Enabling more people to source material in an online store speeds access to technology components and solutions. Absent proper controls, however, solutions delivered on time with the right functionality may come without adequate attention to budget, security, and other risk considerations.
The following is a rudimentary example: Assume a developer is deploying a new application in an existing cloud environment. The developer enables logging functionality consistent with the organization’s security and operations policies for logging. The logging function can be enabled for no charge, but storage fees will accrue for keeping the log files. The project budget, focused on development and deployment, includes the initial application cost and subscription fees for a term. The budget does not anticipate the incremental cost of storage as log files are retained. What does the organization do when the storage fees begin to accumulate? Turn off logging? (Not likely.) Revise its budget for the ongoing cost?
How could the lawyer have helped the client organization in this illustration? First, the lawyer would have sought out and read the applicable contract. In doing so, the lawyer would probably have found references in the documentation saying that storage is separate. Or, more generally, the lawyer could have reminded the technology team to include colleagues whose role in the design and procurement process is to calculate the cost of ongoing operations and maintenance consistent with security policies and business requirements.
A lawyer engaged early in a project or business process development can work with the organization’s IT department to build review of product documentation into the design process. With proper guidance, a nonlawyer on the project team could be tasked to review documentation for key details—technical, operational, budget, legal red flags—and facilitate communication among relevant stakeholders.
Not a full-time technology lawyer? Business and commercial lawyers with the occasional technology matter in their portfolio add value when they spot issues and raise questions for the technology and business teams to consider. “What’s going on here?” can be a useful flag and does not require the lawyer to be a technology expert. Business lawyers understand that terms drafted by the other side have a thumb on the scale favoring the drafter. (And technology licenses sometimes read like the drafter put an elephant on the scale in the drafter’s favor.) Even when there is no practical likelihood that the organization will be able to negotiate more favorable terms, “What’s going on here?” gives the organization a prompt to consider potential risks, strategies to mitigate risk, and the feasibility of taking a different approach to avoid the risk.
Contracting through a Marketplace Feature
Incorporating cloud-based procurement into an organization’s operations requires a basic understanding of how software, services, and content may be procured from cloud service providers through their “marketplace” features. Organizations need to understand each marketplace through which they source products, material, and services and take appropriate steps to bring marketplace transactions into controls for procurement, contracting, security, and other risk management. Cloud providers have developed account management tools and access controls. It is up to client organizations to take appropriate steps to configure those tools, actively monitor customer portals and notices (and respond as appropriate), and keep account structures and access controls current.
The legal terms for cloud marketplaces and the products, material, and services offered in them are long, winding, and overlapping. They are also subject to provider-instituted changes that can affect ongoing services. Navigating cloud services and the marketplace tries the patience of the most diligent and patient lawyer. Lawyers should anticipate spending some time learning to navigate the legal terms of their clients’ cloud providers. The toolkit includes one paper illustrating contract navigation for the cloud marketplace of one significant service provider.
Lawyers should also keep in mind that cloud marketplaces are not the only channel to acquire software, services, or content for cloud-based systems. Cloud-based information technology may be procured under enterprise agreements with infrastructure or platform providers. Organizations may also engage third parties to manage their information technology. Those managed service providers may build out systems, including applications and storage, in cloud environments or using cloud-based platforms. Many enterprise-wide applications are now provided as a service, for example, office applications like Microsoft 365® and relationship management systems like Salesforce. Organizations may also bring their own software and content to a cloud environment. Managing proprietary and personal information has to be a consideration in reviewing the legal terms for any cloud-based arrangement.
A comprehensive review of procuring software, services, and content for cloud-based systems is beyond the current scope of this project. To start, we aim to contribute some basics that generalist business lawyers will find useful.
The Toolkit: A Dynamic Project
We expect each of the initial tools to evolve over time with feedback from readers and future collaborators. We also recognize opportunities to expand the toolkit with pieces highlighting sector‑specific issues, for example, education, health care, financial services, and service features (such as artificial intelligence components). We welcome volunteers and contributors to the project.
To offer feedback or contact the Toolkit Project coordinators, please email the project’s virtual mailbox at [email protected].
This project does not purport to be a comprehensive study of cloud computing for lawyers. For additional background about cloud computing, refer to these other ABA publications: Cloud 3.0: Drafting and Negotiating Cloud Computing Agreements (Lisa R. Lifshitz & John A. Rothchild eds., 2019); and H. Ward Classen, The Practical Guide to Software Licensing and Cloud Computing (7th ed. 2020). ↑