While it's important that the CIO and corporate counsel have a good relationship, it's even more important that they bring together a team to pore over the agreement and ensure that all issues are covered, says Thomas Trappler, a Computerworld columnist who teaches a cloud computing course at the UCLA Extension school. Admittedly, this may seem counterproductive, because one of the benefits of the cloud is to make IT deployments quicker and easier, but it's worth the time, Trappler insists.
After IT and legal work on a few cloud contracts together and get some experience hammering out terms, the process should get easier -- in theory.
Trappler says that one of the things he stresses in his classes is the importance of team building -- where the team includes the business process owner (the one who needs the cloud service), legal counsel, representatives of IT and people involved in procurement, risk management, vendor management and security. WellStar's Fisher concurs: "When IT and the attorney and someone from compliance all sit down and go through a contract, with give and take about what's best for the organization, you get a lot of goodness out of it."
Industry watchers say it's all a question of due diligence, of knowing what the risks are. There are risks in everything, even in managing data on your own premises. The biggest question is, How do you mitigate the risk? How do you protect yourself as best you can without stifling the business?
"David Wells" (a pseudonym for a Fortune 500 corporate counsel who requested anonymity) agrees that getting subject-matter experts into one room promotes understanding. Each person can address facets of the deal with his own expertise, which helps the group identify which issues are worth worrying about and which aren't. "Otherwise, you can have lawyers spinning scenarios and creating fear, uncertainty and doubt. If you can't get past FUD because people don't understand it, you'll either crater the deal or, worse, do a bad one."
How do CIOs and counsel start collaborating? By asking questions. Ideally, the CIO should know the questions to ask before the attorney even requests the answers, but that doesn't always happen. "That's why I ask the same questions over and over," says Wells. "My people finally know not to come to me without the answers to my questions."
Beyond that, lawyers suggest CIOs ask what clauses in the contract really mean. Wells says that service-level agreements drive him especially crazy. He sees contracts promising restitution for downtime, but the amount of payback is minimal. "If your lawyer's not paying attention, your remedy for downtime is actually pennies on the dollar, and you give up your right to sue for breach of contract by accepting it," he says. "If you have a service provider [whose systems are] chronically down, the lawyer should insist on the right to terminate for breach of contract."
E-discovery is another issue that lawyers tend to focus on more than CIOs do. Murphy notes that there are companies like Nextpoint and X1 Discovery that specialize in discovery in the cloud, but the issue is more complex than it appears at first glance.
Forsheit agrees. "In the cloud, data is being replicated, so it creates more data for discovery, including metadata," she warns. Federal rules require that you must know where the data is and ensure that e-discovery will find it. "But if there's a server in the cloud that nobody thought about," she says, "people can get sanctioned or jailed, and lawyers can be disbarred."
In the end, legal experts say, getting IT and legal to agree on cloud contracts comes down to a matter of careful communication. "They have to speak each other's languages," Forsheit says. "Counsel needs to understand IT and vice versa. Doing it another way is not an option."