This article was written by Alison Bird, my partner at Clearview Privacy Consulting LLC.
These days, more and more IT departments are choosing to move data hosting to the cloud. This decision makes a lot of sense. Cloud storage relieves the company of the operational burden of maintaining systems and moves critical data to locations that are more secure than your office basement. However, as you engage with a hosting company, it is important to look closely at the terms of your agreement. Frequently, marketing materials boast about cutting-edge security practices; however, the fine print of the agreement does not allow your company to rely on those promises. The following are the top thirteen items to think about as you negotiate these agreements:
- Ongoing Security and Confidentiality Obligations. Your hosting company should be committed to keeping pace with cutting-edge security procedures over time. These obligations should be within the agreement (not just the marketing materials). Negotiate for provisions that allow you to conduct due diligence on an ongoing basis. These provisions may include a right to inspect, to audit, and to receive reports from their auditors.
- Redundancy Services. Even the best security procedures and uptime practices can fail due to human error, bad actors, and natural disaster. In case data is compromised, redundancy is critical. Look for commitments to restore data rapidly. In addition, independent backups should go back for at least six months, if not longer, so that an uncorrupted copy of the data still exists if malware turns out to have been present for some time before it was discovered.
- Location of Servers. If you are counting on your data being hosted in a particular state or country, you’ll want to make sure the location of servers (including backup servers) is specifically addressed in your agreement. Consider negotiating advance notification with a right to terminate without penalty if server location is changed.
- Limitation (or elimination) of Right to Suspend Service. Frequently, hosting agreements provide the hosting company with the right to suspend service for contract violations, including late payment. While it may not be reasonable to expect your hosting company to host your data for free indefinitely, it is important to ensure that (i) if there is a legitimate disagreement regarding the payment of fees, service will continue while that dispute is being resolved; and (ii) there is ample notification prior to suspension to avoid inadvertent missed payments.
- Data Breach Procedures. If your hosting company is breached, you’ll likely have notification obligations to customers and, to the extent applicable, individuals whose PII was lost or destroyed. For this reason, your company should have the right to be notified promptly of data compromise, and your hosting company should be required to provide whatever assistance is necessary to enable you to make disclosures to affected parties and to law enforcement.
- Termination Right for Poor Service. Beware of clauses in the agreement that limit your remedy for failure to maintain uptime to service level credits. The right to more bad service is not much of a remedy. If your hosting company is unable to maintain the level of access to data that you need, or that their SLA promises, the right to move to a new hosting company without penalty will be a valuable win in your negotiations.
- Parties to the Agreement. If you have subsidiaries or affiliates whose data will be hosted, make sure the Agreement gives all of these parties the right to use the hosting services as well as any other rights negotiated under the agreement.
- Disclosure of Third-Party Service Providers. If your hosting company uses third-party service providers, these entities should be disclosed, as you may want to do your own due diligence on them. At a minimum, you’ll want to ensure that these third parties are bound by security and confidentiality obligations similar to those set out in the agreement. You may additionally want notification of changes to this third-party vendor list, with an opportunity to terminate the contract without penalty should the new vendor be objectionable.
- Notification and Right to Terminate Upon Assignment. It’s possible that your hosting company will be bought by another entity, merge with another entity, etc. That new entity may or may not have the security profile that attracted you to your partner in the first place. You’ll want the opportunity to review the track record of the new company before agreeing to have them host your data.
- Appropriate Warranty Disclaimers. Buried in the disclaimer section of a hosting agreement is often language which absolves your hosting company from responsibilities that one would assume are inherent to their role, such as keeping data free from viruses, keeping data secure or accessible, etc. As boring as this section may be, read it carefully. To the extent possible, strike any disclaimer of duties that should be the responsibility of your hosting company.
- Indemnification. If data is lost or exposed by the hosting company, your company as well as any affiliates who use the services will be subject to suits from clients and individuals whose data was impacted. You may also be subject to regulatory scrutiny which could result in legal costs and regulatory penalties. To the extent possible, negotiate a full indemnification of third party claims arising out of the hosting services.
- Limitation of Liability. This may be the single most important section of your hosting agreement. Your hosting company may make a lot of promises in the agreement. However, if their liability under the agreement is significantly capped, you won’t receive the monetary compensation necessary to make up for the hosting company’s acts and omissions that damage your company. Negotiating a higher cap will translate into real dollars in the event of a security incident.
- Insurance. You can negotiate the perfect contract, but unless your hosting company has deep pockets, it may not have sufficient capital to make good on contractual obligations in the event of a breach or data loss, especially one affecting many of its customers. Consider adding language to the agreement which requires your hosting company to maintain insurance (with your company as a named insured) covering data breach and inability to access data.
Hosting agreements are often cumbersome and time consuming to negotiate. If you don’t have much leverage, the task becomes even more difficult. Regardless, for most businesses, there is little that is more critical than access to, and protection of, systems and data. For this reason, before signing your agreement, it’s important to understand where the risks lie and, to the extent possible, negotiate better outcomes for your company.