What can my cloud provider do with my data?

Take a moment from your day and pull out the last three or four cloud services agreements your company has entered into. Now, highlight the provisions in those agreements that specifically define how the vendor may use your data. You may be very surprised at the results.


Some of the agreements may not even include language clearly defining what the vendor can and, more importantly, cannot do with your data. Likely, however, what you will see is language that grants the vendor broad rights to use your data for purposes other than simply performing the services for your company’s benefit.

Lack of specificity regarding the vendor’s rights to use customer data presents a significant risk in the majority of cloud services agreements. The following discusses two of the most critical issues presented by this risk and potential solutions:

Lack of definition regarding data usage rights

Many cloud agreements are silent as to limits on the vendor’s use of customer data. Some may say the vendor will use the data to provide the services. All too frequently, however, the agreements grant the vendor vague rights to use customer data for purposes other than providing the services (e.g., to improve the services, to enhance functionality, or, cryptically, to create new products and services).

We recommend always wording data usage in terms of an express license along the following lines:

During the term of this Agreement, Customer grants Vendor a non-transferable, non-exclusive, terminable at-will license to use the Customer Data solely for purposes of performing the Services for Customer’s benefit.

There are several advantages to approaching data use with a license of this kind. First, it makes clear the license is non-transferable (i.e., it cannot be assigned to a third party without the customer’s consent). Second, it is “terminable at-will.” This means the customer can revoke the license at any time. For example, if the data contains highly confidential information (e.g., consumer information or trade secrets), the customer may want the right to revoke the license if the vendor suffers an attack on its security that could place data at risk. All too often, cloud agreements are written such that the customer cannot readily terminate or suspend access to their data. The inclusion of this right is important for protection. Finally, the license makes clear the vendor has one, and only one, right to use the data: solely for purposes of performing the services for the customer’s benefit. Any other use would constitute a breach of contract.

Extremely broad and undefined “aggregated data” rights

Most cloud agreements include the right for the vendor to use aggregated data. While this may be entirely acceptable to many customers, the problem is that the term “aggregated” is seldom defined or, at best, it includes a vague reference to not identifying the customer. If aggregated data rights are to be granted, the contract should make clear the aggregated data will not be identifiable to or capable of re-identification to any entity or individual. If the customer’s data contains regulated information of individuals (e.g., healthcare data or financial data), then there are specific legal standards for de-identification and aggregation the vendor must follow. If applicable, the contract should specifically require the vendor to de-identify and aggregate the data in compliance with those laws.

In addition to making clear what aggregated data is, we also recommend customers disclaim all liability for that data. That is, the contract should state that the customer is making no warranties with regard to use of its data in connection with data aggregation and that all such use is entirely as-is, without warranties of any kind.

Finally, consider including language that places all liability and risk of using aggregated data, including failure to properly de-identify the data, on the vendor.

In negotiating future cloud agreements, customers should bear these issues in mind and, where relevant, insist on revisions to provide greater specificity and protection. In a perfect world, cloud providers should have these issues addressed in their form agreements. Unfortunately, the world of cloud computing is not perfect.

**Note** Previously published on CSO Online by Michael R. Overly. See original article here.

Michael R. Overly

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP, where he focuses on drafting and negotiating technology-related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law. Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices.

Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

Recognition

In 2010 – 2015, The Legal 500 recognized Mr. Overly for his information technology work in the U.S. In 2005, he was selected for inclusion in the Southern California Super Lawyers® list and also was honored by Los Angeles Magazine for this recognition. In addition, Mr. Overly was recognized by Chambers USA for his IT & outsourcing work (2013 – 2016).

Education

Mr. Overly is a graduate of Loyola Law School (J.D., 1989), where he was articles editor of the Loyola Law Review and elected to Order of the Coif, and Texas A&M University (M.S., electrical engineering, 1984; B.S., 1982). He was admitted to the California Bar in 1989.

Professional Memberships

Mr. Overly is chair of the Legal Working Group for the Cloud Standards Customer Council, an end user advocacy group dedicated to accelerating cloud’s successful adoption, and drilling down into the standards, security and interoperability issues surrounding the transition to the cloud. He is also a member of the Computer Security Institute, the Information Systems Security Association, the Computer Law Association, and the International Technology Law Association.

Thought Leadership

Mr. Overly’s numerous articles and books have been published in the United States, Europe, Korea, and Japan. He has been interviewed by a wide variety of print and broadcast media (e.g., the New York Times, Los Angeles Times, Business 2.0, Newsweek, ABCNEWS.com, CNN, and MSNBC) as a nationally recognized expert on technology and security related matters. In addition to conducting seminars in the United States, Norway, Japan, and Malaysia, Mr. Overly has testified before the U.S. Congress regarding online issues.

Selected Publications

  • A Guide to IT Contracting: Checklists, Tools and Techniques (CRC Press; December 2012)
  • The Executive MBA in Information Security (CRC Press 2009)
  • Negotiating Telecommunication Agreements Line-by-Line (Aspatore Press 2005)
  • Software Agreements Line-by-Line (Aspatore Press 2004)
  • The Open Source Handbook (Pike & Fisher 2003)
  • Overly on Electronic Evidence (West Publishing 1998)
  • E-Policy: How to Develop Computer, E-Mail, and Internet Guidelines to Protect Your Company and Its Assets (American Management Association 1998)
  • Document Retention in The Electronic Workplace (Pike & Fisher 2001)

[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]

2018-05-14T12:52:07+00:00