De-risking the Cloud

• Citation: Vol. 39 No. 1
• Publication year: 2014
• Author: John Pavolotsky

De-risking the Cloud

John Pavolotsky

Intel Corporation

The shift to the cloud continues. Gartner forecasts that companies will spend $154 billion on public cloud services in 2014, up from $95 billion in 2009.¹ Most likely, your clients are already using cloud services, such as online CRM (computing customer relationship management) applications or online data storage. On-demand, distributed computing is usually a few clicks (or taps) away. Substantively, cloud services agreements (CSAs) and the underlying services raise issues, such as in data protection and security and intellectual property, which require rigorous analysis. In addition, CSAs usually contain a litany of indemnities, which typically favor the cloud services provider (CSP) and result in protracted (and highly contentious) negotiations. This article will explore these provisions (and their respective rationales) and suggest a framework for managing risk in CSAs.

THE INDEMNITY LANDSCAPE

Indemnities in IT agreements, such as software license agreements and technology purchase agreements, are well established. An "[i]ndemnity is a contract by which one engages to save another from a legal consequence of the conduct of one of the parties, or of some other person."² In other words, indemnities can cover first party claims (direct liability) and third party claims,³ and may include legal fees and disbursements and costs of investigation, litigation, settlement, judgment, interest, and penalties which might not otherwise be available.⁴ Indemnities are customarily not subject to liability disclaimers and caps available under an IT agreement. For example, if a customer is sued for patent infringement, arising from the licensing or purchase of technology, the defense costs alone can reach tens of millions of dollars, if not higher; and a properly scoped intellectual property (IP) indemnity will cover that when triggered.⁵ Typically, indemnities are triggered regardless of whether the indemnitor has been negligent or otherwise at fault. For the reasons above, indemnities are powerful and thus contentious.

Indemnities shift risk, ideally to the party best equipped to control or manage it. Consider the IP indemnity. A technology vendor should know its products and services, and the relevant IP landscape, better than the customer or any third party. The vendor is best positioned to determine the provenance of its technology and to secure IP licenses from third parties, where appropriate, to avoid infringement claims. An IP indemnity, in fact, incentivizes the vendor to assess the IP landscape, patent relevant inventions and secure licenses where necessary. Further, if the vendor decides to procure licenses, it should be able to do so more economically than a customer due to its superior bargaining power. Moreover, the vendor can spread the costs of third party licenses among its customers, affecting each customer only incrementally. Indemnities make the most sense in cases where liability is clear; otherwise, one of the parties will be compensating the other for losses that it did not create.

INBOUND INDEMNITIES

CSAs, especially for public cloud services,⁶ shift the indemnity paradigm. Many CSAs lack inbound indemnities, i.e. from the CSP to the customer. In contrast, most software license agreements and technology purchase agreements will contain at least a limited IP indemnity, covering third party copyright and trade secret claims and U.S. patent claims limited to value of the software licensed or technology purchased during the previous twelve months (or other period). This difference is difficult to explain.

Cloud customers are susceptible to IP infringement claims, as are traditional software and hardware customers.⁷ Even in the case of In-frastructure-as-a-Service (laaS), which allows the consumer to "provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications[,]"⁸ the CSP still provides a technology infrastructure, which may read on patents and embody other IP rights not owned or licensed by the CSP. Consider data storage. Even in the case of a physical storage locker, a customer would expect the service provider to own or have sufficient rights to rent the locker. A similar, if not stronger, argument holds for Platform-as-a Service (PaaS), which allows the customer "to deploy onto the cloud infrastructure consumer-created or -acquired applications created using programming languages and tools supported by the provider."⁹ An even stronger argument for an inbound IP indemnity applies for Software-as-a-Service (SaaS), which allows the end customer to "use the provider's applications running on a cloud infrastructure."¹⁰ There, the CSP controls the entire technology "stack,"...