Welcome

ANALYSIS: Moving to the Cloud? Know Who’s Got Your Backup.

May 5, 2021, 9:01 AM

As more businesses begin to realize the cost savings and efficiency that can come with migrating data and operations from on-premises servers to the cloud, standard contractual terms used by major cloud services providers are proving to contain shortcomings. What’s the remedy for that? Often it’s not contractual: Instead, plan to keep an array of backup options handy. Companies that rely entirely on a single cloud infrastructure vendor as the foundation of their business continuity and disaster recovery strategy may be surprised to learn that, when it comes to averting an actual crisis, their contract does not promise all that much.

The Promise and Threat of Cloud Migration

After more than a year of rapid acceleration toward digital business transformation and remote work technology spurred by Covid-19, the trend of organizations moving their workloads and IT budgets to the cloud will likely not end any time soon. In fact, a Bloomberg Intelligence report published late last year cited the overall pattern of cloud migration as a reason to expect continued growth in the $60 billion cloud infrastructure software industry for the next few years, even as in-person office restrictions are gradually eased.

However, as the relatively smooth transition of operations and services to a cloud-based environment continues to progress, the U.S. power grid that the cloud relies upon faces an increasingly likely threat of sophisticated cyberattacks that could harm both the physical and informational security of businesses and consumers alike. Even with the recent introduction of bipartisan grid protection legislation and a call to action by the Biden administration to improve collaboration between government agencies and private electrical utilities, experts believe that any significant upgrades to national grid security are likely still years away.

Although advancements in cybersecurity for data centers and corporate IT systems are miles ahead of those needed for grid security, even the most experienced cloud service providers cannot guarantee their users’ protection from a widespread power outage or other catastrophic utility failure.

The risks become even more apparent when closely examining the standard contractual terms of market-leading U.S. cloud companies—namely, Amazon, Microsoft, Google, IBM, and Oracle.

The Downside of ‘Guaranteed’ Uptime

When a business runs on the cloud, even a small percentage of downtime could have a devastating ripple effect across a company’s vast network of vendors, customers, and business partners, potentially affecting millions of crucial processes and transactions. This is why cloud service providers ordinarily guarantee a minimum monthly uptime of around 99.9%, with such terms commonly referred to as service level agreements (SLAs) and posted in a product-specific attachment to the main contract.

However, while seemingly generous on their face, SLAs are not without their share of drawbacks. Service providers typically state that the customer’s sole and exclusive remedy in the event of an uptime failure is the receipt of a service credit, the amount of which would depend on the percentage of overall downtime. Moreover, SLAs generally do not apply to any downtime that results from causes beyond the provider’s reasonable control, which would inherently include a systemic power failure or other cataclysmic event.

Similarly, in the main body of cloud service contracts, it is standard practice for service providers to broadly disclaim any express or implied warranties that service will be free of error or without interruption. On top of that, standard limitation-of-liability clauses in such contracts prohibit customers from claiming any damages for the loss of business, profits, or even data entrusted to the care of the provider, regardless of any negligence on the provider’s behalf.

The Business Continuity and Disaster Recovery Dilemma

Despite the numerous limitations, exclusions, and disclaimers to uptime guarantees contained in the average cloud computing agreement, leading cloud service providers do offer a glimmer of hope—in the form of business continuity and disaster recovery plans. Ideally, these plans outline what steps a provider would take to restore crucial processes and keep core operations running in the event of an emergency disruption. The problems, however, lie in the way such plans are incorporated into the actual contract language, the extent to which they apply to the customer’s data, and the issue of whether they apply at all in the event of an unforeseeable catastrophe.

In many forms of transactions that involve IT systems, parties will often represent that they maintain business continuity and disaster recovery plans that adhere to industry standards. Although cloud service providers generally incorporate similar language into data security attachments, the brevity and lack of customer specificity with which such provisions tend to be drafted might give pause to businesses that are contemplating whether sole reliance on one provider is the right decision.

Indeed, some of the largest and most trusted providers have clauses labeled as “business continuity” that consist of merely one or two sentences. Such common practices could leave customers with significant unanswered questions, such as whether operations restored on an alternate server in another jurisdiction would remain in compliance with applicable laws or whether the customer is allowed to participate in the provider’s testing of backup procedures.

Adding to this confusion, a service provider may also place the responsibilities of backing up and routinely archiving customer data squarely on the business customer itself. Given the relative bargaining power of the biggest cloud computing companies, negotiating modifications to such standard template terms could turn out to be no small feat.

Wanting More Out of Force Majeure

All of this leads us to what is perhaps the most worrying trend in cloud transactions: force majeure clauses that do not address the applicability of business continuity or disaster recovery plans whatsoever.

Such clauses are similar to the uptime exclusions found in SLAs, but broadly excuse any failure to perform under the entire contract that results from an occurrence beyond the service provider’s reasonable control. Providers often expressly include categories such as power outages, utility failures, natural disasters, and cyber terrorism—all of which have become more closely intertwined over the last couple of decades. It is quite rare, though not unheard of, to encounter a cloud service contract that carves out obligations to observe disaster recovery protocols from the blanket excuse of nonperformance during a force majeure event.

Considering the comparative shortcomings of the standard contracts of leading cloud service providers, businesses would be wise to maintain a wide range of solutions for keeping their critical cloud-based operations and processes up while connectivity is down, whether during a prolonged blackout or a more short-lived, but nonetheless costly, unanticipated disaster.

Bloomberg Law subscribers can find related content on our Practical Guidance: Information Technology resource.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.

To read more articles log in.

Learn more about a Bloomberg Law subscription.