


Offshoring in Cloud Engagements Presents New Risks

Mar 21, 2012 · 2 mins
Cloud Security, Privacy

This week, a note of caution regarding an unusual trend in some cloud engagements. In several recent transactions, I have seen provisions that put the customer on notice that the provider has one or more offshore affiliates who may assist in performing the agreement. This, in and of itself, is not unusual. What is unusual is that in these transactions, the provider has taken the position that (i) it cannot tell which of its affiliates will be involved, (ii) it cannot provide a definitive list of the relevant jurisdictions involved, and (iii) even though use of the affiliates is for the convenience of the provider, compliance with all applicable laws, including local laws in the relevant jurisdictions, with regard to cross-border transfers of the personal data is the responsibility of the customer. It is this last item that causes the most concern.

The customer has no control over where its data will be sent, how often it will be moved, or, even, the specific jurisdictions involved.  Yet, the customer is somehow to assume the obligation of ensuring compliance with the myriad of potentially applicable privacy and other consumer protection laws everywhere in the world, including, apparently, adjusting its privacy policy and obtaining consents from consumers to comply with those laws.  I suggest that is a tall, if not impossible, order to fulfill and one no customer should be forced to assume.  

In one of the transactions, the vendor was asked if the customer could encrypt its data so as to minimize the security and compliance issues presented by this type of undefined offshoring.  The relevant vendor said that the customer could encrypt its data, but in at least some jurisdictions (e.g., China), the customer would have to supply the decryption key – rendering the protection sought illusory.

The foregoing points up the need for customers to push back and push back hard on unrealistic and unreasonable provisions in cloud agreements and for vendors to take a reality check on what they are requiring from their “valued” customers in their contracts.  


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
