There is no data showing how many people actually read through click agreements, terms of service (ToS) and privacy policies (collectively “online terms”) before clicking the alluring “accept” button. However, there’s research that indicates fewer than 1 percent of people report taking the time to review online terms. Most folks consider online terms an annoying speed bump and frankly don’t care.
The 99 percent who bypass them likely assume that online terms simply contain provisions or statutory privacy notices generally accepted by courts around the world. They would not, for the most part, be wrong. Courts generally uphold online terms because acceptance of the click agreements confirm that users agree.
Why Cloud Users Should Care
Among a variety of issues, one reason cloud users should care is that cloud providers take no contractual responsibility for cybersecurity incidents. Another important concern is the location of a business’ data, since courts apply the laws of the country where the data is located when applying legal jurisdiction. So, determining where your cloud data will be stored actually is something worth negotiating.
Another critical consideration is the number of online links that may be included in a cloud click agreement. For instance, there may be 20 to 30 embedded online links to any given cloud click agreement, but few businesses take the time to review the online links, let alone negotiate the terms of each.
Recently, our firm negotiated a two-page purchase order concerning online sales tax services. It turned out there were 25 different sets of online terms that we had to review.
Most cloud providers will negotiate important legal provisions in the click agreements and online links, but few businesses take the time to dig into the agreements to think through the potential problem areas.
Internet Jurisdiction in the Cloud
Where data resides in the cloud is very important, because if the data is stored in the European Union, it is likely that the EU General Data Protection Act (GDPR) will control how personal data is managed. However, if the data is that of a U.S. bank, the bank must negotiate with the cloud service provider to ensure its data is housed in the U.S. to comply with U.S. regulations.
Unfortunately, not all businesses consider Internet jurisdiction until they have a problem. So if the location of the company’s data matters to your company, it may be a crucial point to negotiate. Be aware, though, that selecting the location is likely to increase costs.
Cloud Security Is the User’s Responsibility
By way of example, Section 4.3 of Amazon Web Services’ (AWS) Customer Agreement providesthe following:”Your Security and Backup. You are responsible for properly configuring and using the Service Offerings and otherwise taking appropriate action to secure, protect and backup your accounts and Your Content in a manner that will provide appropriate security and protection, which might include use of encryption to protect Your Content from unauthorized access and routinely archiving Your Content.”You should not be surprised to learn that all cloud providers have similar online terms. Cloud providers generally expect their users to shoulder these burdens.
Information technology (IT) leaders including chief information officers (CIOs), chief information security officers (CISOs), chief privacy officers (CPOs) and chief technology officers (CTOs) certainly know and understand it is their burden to provide cloud security measures when their companies use cloud technology.
Other business leaders may not understand, however, and most lawyers are unaware of such obligations.
Service Level Agreement in Online Links
Embedded online links in a click agreement may seem unimportant, but the cloud provider often includes a separate link for service level agreements (SLAs) if nothing else. Of course, all Cloud providers offer a SLA regarding uptime availability and response time with cloud issues. The terms of the SLA are pretty important, but many cloud users do not bother to negotiate uptime, which actually may end up costing more for better service.
For instance, if the SLA for your cloud provider is 95 percent over a 12-month period, this means that the cloud provider could be down 438.3 hours per year (or 18.2625 days). However, if the cloud provider was down for 18.2625 days in a row, that almost certainly would harm the cloud customers.
Negotiating the SLA over a rolling 30-day period could be better for your business.
It might be wise to take the time to review your cloud provider’s online terms, to make sure you are getting the services you need to run your business.