Scott & Scott | Software Compliance Counsel

Legal Pitfalls in the Cloud: Windows Azure License Agreements

Microsoft’s cloud offering, Windows Azure, is a cloud services platform designed for software development, hosting and web service management. The platform includes a cloud-based operating system with pre-configured developer tools and other options available. The license agreements are available online here and here. So, how does the Microsoft cloud licensing model stack up to our concerns regarding cloud computing?

The basic Azure agreement consists of two parts: a service level agreement (“SLA”) and an online subscription agreement (“OSA”). The SLAs are written in clear, layperson-friendly language, but may not adequately protect the customer from certain types of service outages. Also, the responsibility to monitor service levels and report outages rests wholly with the customer (something many cloud customers may want to try to avoid). The OSA provides some protections against third-party intellectual property infringement claims, but it also severely limits recovery on claims arising from any legal action, including breach-of-contract and negligence claims. These service and liability limitations are typical in low-transaction-cost offerings, and they are likely unavoidable for a product sold online and across such a broad user base.

Of greater concern, however, is the fact that neither agreement addresses compliance or liability arising from federal and state privacy and data security statutes (such as HIPAA and the new Massachusetts Standards for the Protection of Personal Information). HIPAA, in particular, imposes significant responsibility on third-party vendors (“business associates,” under the language of the statute) that may house or transmit protected health information (“PHI”). A company storing PHI on Microsoft Azure servers without an agreement contemplating that type of data storage could be in violation of the law and subject to liability.

Further, there are no provisions concerning ownership, use, or transfer of customer-owned data upon termination of the agreement. As is evident from the low cost of cloud-based solutions, the platform is the commodity and the only real value is in the data. Without specific language identifying data ownership and transfer upon termination, a company may be risking too much relative to any perceived cost or operational benefits.

Microsoft likely will have to address these concerns as the legal issues associated with cloud computing become better understood. In the meantime, careful analysis of intellectual property and data security compliance risks should be undertaken to avoid the unforeseen liabilities and hidden costs present in many cloud computing agreements.

About

This page contains a single entry from the blog posted on July 20, 2010 2:28 PM.