Cybersecurity professionals at every level tend to shy away from involvement in the legal contract review process. For those of us who did not attend Harvard Law School, reviewing a written warranty when renting a vehicle can be enough to induce nosebleeds.
We also know information security must be integrated at every level of the business process, a reality that can force us into uncomfortable corners. When we are asked to review a 40-page service level agreement with a new cloud service provider, what are Information Security personnel supposed to do?
Answer: Realize that missing a wedding anniversary is scarier than reading a piece of paper.
The best way to avoid arguments in a business relationship is to write down the parties’ expectations ahead of time. Contracts become a boundary marker (like a fence) that explains where the responsibilities of each party begin and end.
Contracts are not designed for the purpose of winning lawsuits at a later date, nor are they a result of a lack of trust between the parties. Negotiating contracts can reveal mismatched expectations and sort out details prior to formalizing a relationship. Good contracts actually attempt to prevent disputes and keep the involved parties out of court.
That is the good news. The bad news is that there may be some “traps” that get overlooked by the non-technical C-Suite that we need to spot in order to avoid commonly-occurring “misunderstandings.”
Trap #01: Believing Guaranteed Uptime = Guaranteed Uptime
Most providers claim to be operational 99.999% (the “five nines”) of the time, but downtime can mean more than an inaccessible service. Unreliable or unusable service is rarely addressed, performance degradation is usually absent from the definition, and scheduled maintenance isn’t counted as part of the downtime equation at all.
SOLUTION: Address these issues in advance and secure a written guarantee that the provider uses iterative (incremental) maintenance plans.
Trap #02: Believing Contracts Will Scale With the Business
This is a common misunderstanding between cloud customers and providers, and it can have serious impacts on the organization. The service contract and SLA are designed to meet the needs of the organization at the time they are negotiated and signed; they do not typically take future expansion or contraction into consideration.
SOLUTION: Outline contract review intervals, agree that renegotiation will begin when the scale of usage changes, and secure a guarantee that these meetings will happen in person whenever possible.
Trap #03: Believing Changing Service Providers is Easy
Changing cloud providers can be cost prohibitive for a customer and fraught with challenges. Transition clauses are typically included in the “Term and Termination” section of the cloud contract to avoid overlapping transition costs for the customer and costly lawsuits for the provider. However, the fine print usually disproportionately benefits the provider, not the customer.
SOLUTION: Ensure the transition clause activates at the time of contract termination. That way, if your company is allocated “X” amount of data transfer each month and the contract ends in month 11, your company won’t have to pay “11 x X” for the data transfer in the final month.
Trap #04: Believing Providers Should Choose the Metrics
Most providers are inclined to request measurements in their strong performance areas while not revealing their shortcomings to customers. It is your company’s responsibility, not the provider’s, to determine which performance metrics will be measured in the service level agreements tied to cloud service contracts.
SOLUTION: Set measurable and specific benchmarks, avoid ambiguous numbers and language, and demand / enforce penalties to “inspire” the highest levels of performance from the provider.
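Traps #01 and #04 both come down to who defines “down” and how it is measured. The following Python example is added here to illustrate that point; it is not code from the original article or from any provider. It runs a constructed 30-day probe log (not real measurements) through two definitions of availability: the provider’s view, where only hard failures outside announced maintenance count, and the customer’s view, where unusably slow responses and maintenance windows also count. The probe interval, the 2,000 ms latency threshold and the outage windows are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PROBE_INTERVAL = timedelta(minutes=5)   # assumed synthetic-monitor cadence
PERIOD_DAYS = 30
LATENCY_THRESHOLD_MS = 2000.0           # assumed "unusable" threshold from the SLA


@dataclass(frozen=True)
class Probe:
    ts: datetime
    ok: bool            # the request completed successfully
    latency_ms: float   # observed response time
    maintenance: bool   # inside a provider-announced maintenance window


def build_sample_month():
    """Constructed probe log for one 30-day month (NOT real measurements).

    8640 probes at 5-minute spacing with three incidents:
      - a 15-minute hard outage
      - a 1-hour slowdown where requests succeed but are unusably slow
      - a 2-hour scheduled maintenance window during which the service is down
    """
    start = datetime(2024, 1, 1)
    count = PERIOD_DAYS * 24 * 60 // 5
    probes = []
    for i in range(count):
        ok, latency, maint = True, 120.0, False
        if 1000 <= i < 1003:        # hard outage: 3 probes = 15 minutes
            ok, latency = False, 0.0
        elif 3000 <= i < 3012:      # degraded: 12 probes = 1 hour, still "up"
            latency = 2500.0
        elif 6000 <= i < 6024:      # maintenance: 24 probes = 2 hours, down
            ok, latency, maint = False, 0.0, True
        probes.append(Probe(start + i * PROBE_INTERVAL, ok, latency, maint))
    return probes


def availability_pct(probes, *, count_degraded, count_maintenance,
                     latency_threshold_ms=LATENCY_THRESHOLD_MS):
    """Availability (percent) under a chosen definition of 'down'.

    When maintenance is not counted, those probes are removed from both the
    downtime and the measured total, mirroring a contract that excludes
    scheduled maintenance from the uptime calculation entirely.
    """
    measured = down = 0
    for p in probes:
        if p.maintenance and not count_maintenance:
            continue
        measured += 1
        if not p.ok or (count_degraded and p.latency_ms > latency_threshold_ms):
            down += 1
    return 100.0 * (1 - down / measured)


def downtime_minutes(probes, *, count_degraded, count_maintenance,
                     latency_threshold_ms=LATENCY_THRESHOLD_MS):
    """Minutes of downtime implied by the same definition (probe count x interval)."""
    down = 0
    for p in probes:
        if p.maintenance and not count_maintenance:
            continue
        if not p.ok or (count_degraded and p.latency_ms > latency_threshold_ms):
            down += 1
    return down * (PROBE_INTERVAL.total_seconds() / 60)


def allowed_downtime_minutes(target_pct, period_minutes):
    """Downtime budget a stated availability target actually permits."""
    return (100.0 - target_pct) / 100.0 * period_minutes


def meets_target(measured_pct, target_pct):
    return measured_pct >= target_pct


def compare_definitions(probes):
    """Same month, two contracts: the provider's wording versus the customer's."""
    return {
        "provider": availability_pct(probes, count_degraded=False, count_maintenance=False),
        "customer": availability_pct(probes, count_degraded=True, count_maintenance=True),
    }


if __name__ == "__main__":
    month = build_sample_month()
    result = compare_definitions(month)
    budget = allowed_downtime_minutes(99.999, PERIOD_DAYS * 24 * 60)
    print(f"provider definition: {result['provider']:.3f}%")
    print(f"customer definition: {result['customer']:.3f}%")
    print(f"five-nines budget over {PERIOD_DAYS} days: {budget:.2f} minutes")
```

Against a 99.9% target the provider’s definition passes comfortably while the customer’s definition fails, and against the advertised five nines neither survives a single five-minute probe failure. Writing the definition of “down” (degradation threshold, maintenance treatment, probe cadence) into the SLA, as the solutions above recommend, is what makes the number enforceable.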
On a final note, it pains me to inform my colleagues that despite its accomplishments, Google did not pass your state’s bar exam. If you have questions regarding legal issues, always consult legal counsel. Hiring professionals is always less costly than the damage control caused by “lowest bidders.”