Info Tech Law: Balancing opportunities and risks

By Alan S. Wernick
FSB Legal Counsel

Most businesses today rely on information technology to help run their operations. The spectrum of IT sophistication runs the gamut from a business that uses one personal computer running off-the-shelf word processing and accounting software packages to a business using multiple mainframe computers running complex customized software in multiple geographic locations.

When the core competency of the business is not IT (and, in some cases, even when IT is the core competency of the business), the business often will look to cost-effective alternatives to fulfill its IT needs.

Outsourcing the IT function is one path taken by many companies. However, for a number of business and legal reasons, outsourcing the IT function is typically a path pursued only by very large companies.

For instance, in my private practice I’ve been involved in assisting some large companies in outsourcing everything from specific business critical operations processes to outsourcing an entire IT department.

In my work as an arbitrator/mediator, I’ve seen some very large companies grapple with disputes over business-critical outsourcing projects.

One of the many important differences in outsourcing for information technology services is that it involves a highly technical multidisciplinary undertaking concerning not only multiple business constructs and technologies, but also multidisciplinary legal issues.

As an alternative to traditional outsourcing of the IT function, the evolving technology provides businesses today with an option known as “cloud computing.” Cloud computing allows the user to transfer many (if not all) of the business’s computing functions, and the business’s data, to a location maintained by the cloud computing service provider and accessible by the business through high-speed connections.

In this context the “cloud” is a metaphor for the Internet, but within that cloud is a complex web of technology and virtualization infrastructures and significant legal rights, obligations and risks.

Because cloud computing is massively scalable, it gives mid-market and smaller companies affordable alternatives to have IT business needs met. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and delivery of various IT services.

Cloud computing involves multiple business considerations and technologies, as well as consideration of multiple levels of legal analysis and legal relationships that, in aggregate, are unique to a cloud-computing transaction.

The allocation of risk algorithm differs in cloud computing transactions from traditional outsourcing transactions. There are a number of factors involved in allocating risks, both in traditional outsourcing transactions and in cloud computing transactions. For example, in many, but certainly not all, outsourcing transactions, the user may rely on one vendor to fulfill all of the business’s outsourced IT functionality needs.

However, in a cloud-computing transaction, the user may be dealing with multiple layers of vendors, each playing a significant part in delivering the IT functionality to the business. For instance, there are a number of large companies (salesforce.com, Amazon EC2, IBM Cloud, etc.) whose business model is solely to provide the cloud computing platform, and no specific business application software (although they may offer business application software through other business divisions or related companies).

Some key differences between outsourcing and cloud computing include:

• Term: Because of the size of the investment, traditional IT outsourcing agreements often run for many years (five- and 10-year terms are not unusual). Cloud computing agreements may presently run for fewer years, but as the technology evolves with greater access speeds and storage costs drop, the lengths of the term will increase.

• Integration: Traditional IT outsourcing agreements often are between the user and one vendor that undertakes to fulfill all of the outsourced IT functions. Presently many cloud computing transactions involve multiple providers (for example, various software application providers and a platform provider). Various vertical market providers are moving their deliverables into a cloud computing environment to offer their clients a full suite of software functionality. We already see this in certain areas such as with our health-care clients.

• Deliverables: Service level agreements need to match the technologies to the business needs. SLAs that work in a traditional outsourcing transaction may not work in a cloud computing transaction. Nuances of deliverables via a cloud computing model will require SLAs appropriate to that model.

The above is by no means an exhaustive list of the differences between traditional IT outsourcing transactions and cloud computing transactions. Businesses, and their legal advisers, need to be mindful of the differences between these IT transactions.

©2010 Alan S. Wernick