Trust is important. Eli Lilly was burned publicly once before by an accidental release of the email addresses for nearly 700 subscribers to its Prozac.com email alert. The company certainly doesn't want a repeat performance of that, and no company wants to be left holding the bag in the event of a data breach because of the negligence of a cloud provider.
So, what can you, as a corporate officer, do about this? Tanya Forsheit, founding partner at the Info Law Group, has some advice. First, Forsheit told me, you should be aware that "many providers of cloud services tend to offer one-size-fits-all contracts. You shouldn't just sign up for them. You need to negotiate."
In fact, Forsheit thinks you should start looking at the legal aspects of any cloud deal long before you get around to talking about the contract. "You should ask questions about data security and privacy during the preliminary stages, even before you get to the contract. You should ask them what kind of privacy and security controls they have, whether they'll let you audit their security, and what they will agree to in regards to liability. These are all places where there's room to compromise. On your side, you need to know what level of risk you're ready to take. If a provider won't agree to even consider negotiating, that's a big red flag. You need to be ready to walk away from the deal."
Many companies, Forsheit said, find walking away hard to do. "Companies get excited about a solution or provider because they think the service is great or the cost is great, but they need to look at the business and legal concerns. Far too often, legal issues aren't looked at until it's too late, or not at all."
On the other side, Forsheit noted that cloud providers' legal policies and security and software audit standards vary. For example, Salesforce, the CRM (customer relationship management) power, will let customers audit their operations and is compliant with SAS (Statement on Auditing Standards) 70, a service auditing standard. Others aren't.
"At the end of the day, the provider wants you to agree to their terms. Many won't accept reliability and liability terms. Or, for example, they'll want to limit their liability to what you paid them for their services," said Forsheit. This could easily end up being mere pennies on hundreds of thousands of dollars in damages.
So, is moving to the cloud still worth it for your company? It may very well be, but before making the jump, you need to have your in-house counsel, as well as your IT staff, go over the package. And, Forsheit added, "If you don't have the expertise internally, find outside counsel to go over each proposed deal with you."
Or, as I'd sum it up, when it comes to cloud computing, it's better to be safe than sorry regarding both the legal and technical issues. Good luck.
Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at email@example.com.