There are many considerations in a cloud service agreement, but few of them are addressed when cloud subscription services are sought. Previous posts on this subject emphasized having an exit strategy and accounting for the regulatory requirements that may apply. A business's or an institution's data could be at the mercy of the cloud service provider (CSP). The growth of sale-and-leaseback programs, by which cloud providers raise capital for future IT infrastructure improvements, and the rising popularity of sale-and-leaseback cloud service business models, should prompt a cloud service subscriber to work through the full range of legal and business factors that bear on its compliance profile.
Cloud computing services marketed as enterprise integration and data management services, offered for instance by IBM, Microsoft, and Oracle, are often delivered through licensed resellers of the vendor's sanctioned services. These resellers package service units with embedded features that are specific to the enterprise service levels engaged with the sanctioning vendor. Critical to every aspect of any agreement is its eventual termination, if that ever comes. Termination raises a host of factors that escape the notice of subscribers delighted by the prospect of cost savings.
The factors to consider vary across the spectrum of business operations and services to be delivered through the cloud. Some points, however, are common to all and cannot be avoided. One is the handling of the data once the subscriber decides to terminate the cloud service agreement (CSA). This transition in how the data is processed and retrieved is highly important given the sensitive nature of cloud-managed data. The point most often overlooked is the need to address the residual digital copies of the subscriber's business data (including backups, replicas and snapshots) that remain with the cloud service company. The destruction of that data must somehow be verified, for instance by a written certificate of destruction, in order for the subscriber to remain compliant with, for example, the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), or the Family Educational Rights and Privacy Act (FERPA). The time allowed for retrieving the data and obtaining that confirmation is also pivotal for the cloud service subscriber.
The levels of service provided by the CSP need to be described, especially when they are marketed as 'enterprise' modules. The open question is how the level is measured and how the subscriber can confirm that the promised level of service is actually being delivered. Every service level comes with benchmarks for the services and for determining the performance of each service within that level. As performance against those benchmarks is assessed, the subscriber is issued 'points' or 'credits' for service glitches. The subscriber should address whether that credit or point remuneration is adequate when a glitch in the cloud service affects its state or federal regulatory compliance, since a service credit does not cure a compliance failure.
Some attention should also be given to the operations of the CSP and how it delegates its functions, especially if its services depend on the services of unidentified third-party service providers (TPSPs). If there are TPSPs, the access restrictions that will be placed on them should be part of the equation. Along with those restrictions, the CSP should spell out to the subscriber the training and standards it imposes on TPSPs to enforce them.
This last point raises the issues of limitation of liability, data security, and required notification. When it is the CSP's operation that is compromised, state and federal regulations still place the duty to notify patients, clients, members, students, or other constituents of the data breach on the cloud service subscriber. The CSA must therefore spell out the notification deadlines imposed on the subscriber, and the CSP must be aware of them for the subscriber's compliance sake. More specifically, the CSA should address the timing and method by which the CSP reports data incidents to its subscribers; a CSP reporting window that consumes most of the subscriber's own statutory deadline leaves the subscriber unable to comply. This notification requirement is critical to the subscriber and should be spelled out in detail. Any indemnities and limitations of liability arising from third-party claims, beyond claims for breach of the CSA's terms of service, will also need to be addressed, covering theft, fraud, intentional misconduct, and the like. The decision to engage a CSP is therefore not one to be taken lightly or on a whim for cost savings. A decision made without regard to these factors could end up costing more than imagined.