Negotiating Liability Limits in the Cloud

CIOs and cloud providers must work together to meet legal requirements.

Pricing, disaster recovery capabilities and service-level agreements are a few of the issues CIOs consider when negotiating cloud contracts.

They are also navigating how to set acceptable limits on the amount and type of damages local governments and state agencies can recoup from vendors in the event of a data breach or other harmful incident. As an IT executive, “you have to understand what you really need from a legal perspective,” said Tony Encinias, Pennsylvania’s deputy secretary for information technology and CIO.

The nuances of limitation of liability were a hot topic at the NASCIO 2014 Midyear Conference in Baltimore. Encinias was one of several CIOs who shared their contracting journeys to the cloud. One takeaway from the discussions is that CIOs should be able to locate or at least know the language that governs limitation of liability in their states.

“In Delaware, we have this folklore of limitation of liability,” said the state’s CIO Jim Sills. Sills said he recently asked the state’s deputy attorney general and procurement official to show him the code or section in the state’s constitution about limitation of liability. They couldn’t find the language, Sills said.

In light of that revelation, the state is updating one of its terms and conditions to provide more flexibility for vendors, he said.

“Going to a cloud strategy from an infrastructure standpoint, whether you go to Azure or you go to Amazon, negotiation with those vendors is very difficult,” Encinias said. He recalled a cloud contract valued at nearly $1 billion that took the state more than a month to negotiate.

“In Pennsylvania, [limitation of liability is] traditionally two times the cost of the contract,” he said. “When you’re talking about a $1 billion contract, there is no company in the world that can sign up for that risk. So, you have to really give and take.”

That’s the argument Tanya Forsheit, a founding partner of InfoLawGroup LLP in Los Angeles, made in a 2010 article. Yes, four years ago CIOs were grappling with the same challenges.

“You have to come up with ways to adjust limitations of liability that may be acceptable to the cloud provider,” Forsheit said.

For cloud customers, “the liability must be a deterrent to failure,” Julio Gómez, co-founder of Innovation Councils LLC in Concord, Mass., said in the article. His organization brings together CIOs from various industries to strategize.

Limitation of liability is one of many issues CIOs should consider before awarding cloud contracts. Governing provides a good checklist of other issues to address when contracting for cloud computing services.

Eszter Szepessy/ThinkStock
May 27 2014