When you put your data in the cloud, hoping for the best isn’t a good strategy. You add a new level of risk to your business. Technology attorney Mark D Grossman discusses cloud contracts and what businesses large and small must consider to prevent disruption. You’ll also learn about contract negotiations and important business legal concepts.
Music: The Lachy Doley Group, Gonna Make it Up
from the album Conviction | Used with permission
Engineering, editing, post production: Mark S A Smith
© ℗ 2017 The Bija Company, LLC All rights reserved
Cloud Computing Contracts
Mark S A Smith: My guest today is Mark Grossman, who I met over a decade ago, when we shared the platform at an industry event for the world of technology. I was talking about the future of cloud, he was talking about the future of what happens to your data if you put it in the cloud and then they go out of business, and I was hooked on his insights on how to protect your critical information. Mark authored Technology Law: What Every Business and Business-Minded Person Needs to Know, now in its second edition, he has written hundreds of columns for PC World magazine and other publications. The best lawyers in America named Mark lawyer of the year for technology law in New York City for 2016, he’s appeared on the best lawyers in America list since 2003, he’s an expert on technology, outsourcing, and negotiation, welcome Mark to the Selling Disruption Show.
Mark Grossman: Thank you, nice to be here.
Mark S A Smith: I’m so delighted to have you here, Mark, and the reason why is because recently, Information Age published an article that predicts that 40% of the Fortune 500 aren’t going to make it in the next decade because of the digital disruption, do you think that’s a true figure, or do you think they’re wrong, what do you think?
Mark Grossman: I have to say hard to predict, because it really comes down to the issue of how each individual company of those Fortune 500 deal with that disruption, and I think that’s very difficult to predict, in the sense that that goes to the individual leadership of the company and its ability to adapt. Disruption in the biggest sense is not new, companies have been disrupted longer than cars eliminated horse and buggies.
Mark S A Smith: Absolutely true.
Mark Grossman: It certainly goes back farther than that.
Mark S A Smith: The printing press disrupted all those monks writing books.
Mark Grossman: Absolutely, think about the old companies that are still out there, General Electric, GE, right? I mean, there was a ton of disruption along the way, they survived. IBM, going back to old mainframes and business machines before that, and they successfully navigated a lot of disruption due to intelligent and thoughtful management over the years. I can’t agree with that statistic, and I don’t know how you could possibly make a prediction like that. It really comes down to individual leadership and figuring out what to do next.
Mark S A Smith: I think part of it is just how people are managing data. Mark Hurd also predicts that 80% of the data centers on the planet are going to go away between now and 2025. I think a big part of this prediction is based on people moving control of their data from themselves, where they used to have and still have data on site, to where they have data in the cloud, where they’ve theoretically lost control. I know that’s your area of expertise.
Mark Grossman: Yes it is.
Mark S A Smith: How can people retain control of their data? For example, if a cloud provider of software or storage or infrastructure fails, what happens to your data?
Mark Grossman: A couple of different questions there, so the last one you asked, what happens if they go out of business, disappear, fail to perform? It’s all about contingency planning before this all begins, the nightmare begins. You have to have local backups of your data, that’s really fundamental and the easy part, but then it’s contracting for a contingency plan that will work, tested and will work. For example, you have companies out there that will set up the environment for you, because cloud is not as easy as click “I accept” and dropping it on your hard drive, there’s a whole complex environment there. There’s the SaaS software running, there’s the availability of a current version of your data, and the issue of how exactly do we move that data from a backup to a new location, but the key is developing a contingency plan before there’s a problem, developing a contingency plan at the beginning of the relationship and contracting for that contingency plan, which requires your vendor to cooperate.
If you can’t develop a meaningful contingency plan for them, the ability to pick up and run without them, if it’s a mission critical system, I’d say you have a major flaw in your setup, and you might want to reconsider your decision, find a new vendor, because if there’s no contingency plan in place, yeah, that’s an unmitigated risk, and a huge one.
Mark S A Smith: Indeed it is, and I think you made a couple of key points I want our listener to really nail down. The way that most people buy cloud services is, “I’ve got a problem, I need to fix it, oh here’s a company that’ll do it, and I’ll pull out my credit card, and we trust that they’re going to be there,” and they don’t put together a contingency plan, they don’t put together a backup download plan, they don’t put together a strategy to have all these things happen, they just hope it’s going to work. I see this as being a serious problem and a massive cause of disruption for a lot of great businesses. Essentially it’s the same thing as somebody stealing your computers on site and running away with them, and you can’t get it back if you don’t have some sort of a plan.
Mark Grossman: You know Mark, we’re focused on a narrow issue right now, which is contingency planning and prayer that it’ll all be good. There’s actually bigger issue where this is a tiny subset, and the bigger issue is the contract with the vendor and everything that’s in it. Typical scenario, even in the enterprise world, I mean really the world I live in, a mom and pop doesn’t need me to help them with their subscription to Gmail or whatever, even in the enterprise world, even at the Fortune 500 level where I do a lot of work, it’s vendor provides a form, a template that fell off somebody’s hard drive based on the last deal, it’s more often than not even with millions of dollars at stake in this deal, more often than not it’s a salesperson-driven process.
Salesperson is only interested in the check, and that contract is completely unimportant to the person who’s driving it from the vendor. Then the scenario continues with everybody signs this, the scenario continues with, “This is our standard form.” All too often, even at the enterprise level, I say this because I get a lot of engagements that consist of, “Hey Mark, pick out the land mines.”
Mark S A Smith: Yeah, right.
Mark Grossman: What does that mean? It’s a 100-page agreement, so how many land mines you want? Let’s make up an arbitrary number, you want me to pick out what I think are the top 12, the top 50, the top 100? Hey, the client wants me to do what they want me to do, and they want land mine picking. When a client is more comprehensive, says, “Mark, review the agreement comprehensively, let me know what you think,” so when I do that, I will typically rate my comments for internal use, one being mission critical comments, twos are like, “Well, we can work with this and we’ll negotiate this with the vendor,” and threes are giveaways.
When I hear “do land mines”, that’s half my ones typically, because just using round numbers, let’s say the 100-page agreement, which is pretty typical in the enterprise world on a complex technology agreement, my observation is I have five to 10 comments per page, that’s something between 500 and 1,000 things to discuss. Now, not all comments are created equally, some are like, “Oops, they misspelled this word,” right? I mean, it’s a comment, and some are, “If our PII of our customers, personal identifiable information, ends up on the internet, no, the limitation of liability that gives us three months of fees as the most we can recover from you, that’s not okay.” Yet, “Well, it’s a standard form.”
There’s so much work to be done in these typical enterprise level cloud, SaaS, or technology agreements generally, so then full circle back to your question about contingency planning, that’s one of 100 issues more that need to be nailed down. The one thing I can promise, and lawyers don’t promise much, but the one thing I can promise is that your vendor’s form, the one that everybody signs, does not properly address your contingency planning issues. You’re going to need to dig in, you’re going to need to discuss it. Why do we enter into contracts? We enter into contracts to foster our communication process. A mature negotiation process in any world, but we’re talking about technology, is about saying, “Hey vendor, I need a meaningful contingency plan, I’m not seeing it here, so what do you think we could do?”, and let the discussion begin.
Mark S A Smith: The thought of a 100-page plan with 500 comments just gives me the heebie-jeebies.
Mark Grossman: Of course.
Mark S A Smith: It seems to me as though that we could never even get this plan done, and it seems to me it would be scaring some people off, but then again we’re talking enterprise, where this happens on a regular basis. From the sales standpoint, that would just be a horror show, because we just extended the sales cycle by another, I don’t know, three months.
Mark Grossman: Absolutely.
Mark S A Smith: What do we look at, what do you see as being, let’s say the top four or five land mines that you see when people buy cloud services or software as a service?
Mark Grossman: First thing I already mentioned, and this is in the nature of what’s called the legal terms and conditions rather than the technology part, number one, limitation of liability. People assume, “Eh, not enforceable, unconscionable,” wrong, this is business to business, any of those concepts about unconscionability, those are consumer-related transactions. When your agreement provides three months of fees as the maximum you can recover under your agreement, that’s absurd, and yet that’s often the first answer. Indemnity provisions, so many things can go wrong in the cloud, and you end up sued. Let’s say failure to perform for your customers, plus your system is down, you get sued, you’re an innocent third party to this because it’s the vendor’s fault.
Typically you see very weak indemnity provisions from vendors. I just in the last few weeks had a call from a client, and a patent troll is chasing them over some functionality in their software, except it’s a SaaS solution. This now goes to who’s responsible, and you have to look to the indemnity provision, and the type of thing you would like in a perfect world is a specific intellectual property indemnity provision. “We’re not giving you that,” well let me get this right, vendor. Your rogue employee steals code, I get sued and I pay for it? Tell me how that works.
Mark S A Smith: Yeah, right.
Mark Grossman: Indemnity is another huge provision, but then we also get down to service levels. You’ve got to have a meaningful service level agreement with teeth, so what does that look like? There are different philosophies on service level agreements, some people like measuring 100 different things and getting monthly reports, then looking at how actual performance compares to the service level agreement, and then credits for the failures. I’m generally not a big fan of that type of 100 measurement, it’s ponderous, it’s usually not worth it. I usually counsel, and it depends a little bit on the situation, it’s like, “Let’s take that 100 and how about we reduce it to the key 20, because you know let’s just measure focus on these, and these are not going to be okay and the other 80 not, they’re all intertwined. Let’s narrow the focus on this.”
Then the subsidiary issue with, let’s say, service level agreements, are the credits you receive for failure to meet the requirements of a service level agreement. Typical remedy is credits, so next month’s bill, if you missed it on four metrics, 2% each on the fee so that you get an 8% credit the next month. Now here’s what’s interesting though, you never get 100% credit under these agreements, there’s no such thing as right or wrong here, but there are industry norms. You try to exceed industry norms, but usually you can’t, so the industry norm is to put 10 to 20% at risk each month, meaning the most you get, no matter how many failures, is 20%.
That’s sort of kind of an industry norm. Have I gotten more? Yes, have I gotten less than 10? Yes, it’s a negotiation, depends on how much negotiating power you have. Those are a few of the issues that come to mind.
Mark S A Smith: Interesting. As I see more and more companies, especially startups, doing everything in the cloud, they don’t buy IT, they buy IP, intellectual property, and as more and more companies are going to the cloud, and I expect for many, many companies to be completely cloud-focused, in fact today I’m hearing from even enterprise clients that, “We’re going cloud first, if we can’t put it in the cloud, then we’ll consider it on site versus the other way around.” What’s going to be the impact do you think on the industry of this massive focus on cloud-based services?
Mark Grossman: You mentioned startups and them starting up in the cloud, and that causes me to want to make the following point: A lot of what I’ve talked about so far are large enterprise deals, where it’s Oracle and a Fortune 500, or AWS, Amazon Web Services and a Fortune 500, but now let’s shift the conversation a little bit to Amazon Web Services, AWS, and a startup. Startup doesn’t have any negotiating power, they may someday when they grow up, but they don’t today. Let’s be practical, unless you’re providing a large vendor meaningful revenue, unless you’re material to them in some way, it’s pretty hard to get them to budge, so you end up having to shop it around based on what’s provided to you, what the agreement says, what the services are.
There is a bit of a wing and a prayer on that, because if you try to negotiate it, you’re more than likely not going to get very far. Now, couple of caveats to that. One, could do business with a smaller vendor, where you have some negotiating leverage because they’re small too, that’s a possibility.
Mark S A Smith: Yeah, that’s good.
Mark Grossman: Also I would point out I’m a negotiator, and when you get right down to it, it’s always like, “What’s the angle, what’s the strategy, how do we get there?”, as negotiators. Well, you know AWS is a monster, Google is a monster, but your salesperson, he or she just wants their check for this month, and they’re not a monster. Sometimes the strategy becomes ignore the entity and focus on the human being in front of you.
Mark S A Smith: That’s good.
Mark Grossman: Because they have the ability to take it up the chain and obtain concessions, because guess what? Your interests are aligned to the extent that that individual salesperson wants to wrap a deal with you before the end of the quarter, to hit their numbers and get a nice commission check.
Mark S A Smith: Every organization has a certain level of wiggle room that you can go push on, everybody does.
Mark Grossman: Everybody does, even AWS, which is the absolute worst company in the universe to negotiate with. I’ve had them all on the other side at some point or another, and someone’s got to be the winner, and it’s AWS. Basically, their position is, “Take it or leave it,” even when I’m negotiating for a $15 billion company, it’s take it or leave it. It’s an amazing thing, it’s the last vendor I ever had who said, “We’re not sending you a Word version, it’s a pdf, we don’t edit it, so don’t even bother to convert it.”
Mark S A Smith: Wow, what incredible walkaway power they have.
Mark Grossman: Yes, they do. I’m thinking very specifically, obviously I can’t mention the client’s name, we had a meeting on this like, “Hey guys, they’re not moving.” Microsoft moves, Google moves, everyone moves, you said that and you’re right, my client’s position ended up becoming, “Depending on what we could get in the way of data security and indemnities and these other core provisions, that’ll just go to the use cases. If we can’t get what we need on, let’s say data security as an important example, if they won’t give us contractually what we need, we’ll just use this for non-mission critical systems where the data is not really confidential.” There’s always a use case for it, and the pricing is good and that’s exactly what they did, but AWS lost 80% of what they might have had, had they been slightly flexible.
If AWS was on this podcast with me, they would say, “We’re AWS, trust us, we are in the security business.” Okay, that’s a business decision. You might choose to trust them, but then when it blows up, and last time I checked, everybody’s had a breach-
Mark S A Smith: Everybody.
Mark Grossman: When it all blows up and it turns out that it was their fault, well the trust led to, “Hey Mark, what’s our remedy?” Read the agreement, it’s like you have no remedy, it’s really clear, you signed it away, there’s no magic here. Contract is a private law of your deal, your contract is as enforceable as a statute when you think about it, it’s the law of your deal. A court will enforce it like the legislature passed it for your deal. It says you have no remedy, guess what? You have no remedy.
Mark S A Smith: Very important, I think that’s really important for small business owners to understand, is that a business to business contract is the law of your deal, and you can’t go pleading ignorance, or you can’t go pleading, “This isn’t conscionable.”
Mark Grossman: Correct, very important point, I can’t tell you how many sophisticated business people have looked at a one-sided limitation liability provision, which basically says, “No matter what we do and no matter how bad it is, you get nothing and we get your firstborn,” I can’t tell you how many business people have looked at that and said, “Well, that’s not enforceable.” It’s like, yes, it is, it really is. As one-sided as it is, you are not a pathetic creature that can beg the court for mercy, doesn’t work that way.
Mark S A Smith: That’s right. As one of my lawyer friends said, “Mark, the judge is not your mama.”
Mark Grossman: Well said. In fact, let me know who that was, so I can ask him if I can steal his line, it’s a great line.
Mark S A Smith: You can certainly steal his line, his name is Harry Miller, and I went to high school with Harry.
Mark Grossman: Okay, I’ll give him attribution when I steal it.
Mark S A Smith: Yeah, you bet, but it’s just perfect, the smile he has on his face when he says that is always just perfect.
Mark Grossman: I love that line, it’s in the repertoire officially.
Mark S A Smith: All right Harry, we’re making you famous once again, my friend. I love it. What advice do you have as a business goes into looking at software as a service or cloud services, what are the things you suggest that they consider and be aware of, what else do we need to consider?
Mark Grossman: A contract in the big picture, it’s not particular provisions, it’s not what I said about limitation of liability and indemnity and service levels, it’s not just that, it’s an entire relationship governed by the documents that are signed. The sales literature doesn’t count, the brochures don’t count, the emails promising you whatever don’t count, and if you’re, starting at the middle market and up, I’m not sure this advice applies to small businesses because it is almost a take it or leave it, but for the middle market and up, you’re dealing with a highly negotiable situation. Every technology deal is highly negotiable.
At the extreme, Fortune 500 deal, if it’s a material deal to the enterprise, it is typical to have a three to six-month negotiation process. Now I mean that’s just the norm, everyone expects it, three months is like, “Wow, that was aggressive, that was great.” Take it back to the middle market, it’s not going to take three to six months because things aren’t as negotiable, you have to be practical in your ask, because you don’t have as much negotiating power, but even at that level, the point is, contract needs thorough review, none of it is standard, none of it is protected by law. Everything is what’s in that agreement, and all too often it’s just not accomplished properly.
A generalist as a lawyer does it, for example, would not understand the industry norms, just a little thing like I mentioned earlier about 10 to 20% of the spend being at risk as a norm for credits. It’s like, “Well, that’s the sort of thing you want to know, what are the norms in all these provisions?” It’s helpful to do that. Beyond that on a more technical level, technical due diligence, go see where they’re running their operation, go eyeball it all. No enterprise deal is done without an on-site, and it’s important, you don’t know what you don’t know, and until you’ve eyeballed it, you’re just hoping for the best. It’s due diligence, it’s contracting, it’s understanding the technology architecture, it’s understanding fundamentals, like for example, single-tenant architecture versus multi-tenant architecture in the cloud, power issues with the vendor, do they have multiple power sources, what’s their disaster recovery plan or business continuity plan, do they test it, do you require testing in your agreement, do you require the ability to watch the testing, do they have basic reports, SSAE 16 and these basic kind of certifications and reports available, where there’s been a third party look at the controls, the infrastructure, the security?
In a world where everyone will be hacked, it’s not if, it’s when.
Mark S A Smith: That’s right, yeah.
Mark Grossman: In that world, you have to do everything possible, including contracting for it, to ensure that all best practices are in place, because best practices is the best you can do, because there’s no such thing in the tech world, certainly from a security level, there’s no such thing as perfect practices, impenetrable practices, doesn’t exist, never will.
Mark S A Smith: What that means is that you as a business owner, listener, have to understand how to have mitigation of risks, multiple points of technology, and insurance to help you cover those particular issues, right.
Mark Grossman: Absolutely.
Mark S A Smith: That’s the cleanup.
Mark Grossman: Got to insure what you can’t afford to lose.
Mark S A Smith: That’s it.
Mark Grossman: Philosophically, I’m sort of opposed to small insurance policies, but you insure what you can’t afford to lose. You might be able to afford your iPhone, but losing it is ugly, it’s sad, but it’s not going to break the bank. The loss of a chunk of data permanently, that’s a risk you might want to consider insuring.
Mark S A Smith: That’s right, really, really good. This has been a great conversation, Mark, with a lot of interesting insights, even for me. Being in this world of technology for a long time, I think it’s really been important for our listener to get some of these insights about working in the cloud, also some of the legal aspects of the business that could seriously disrupt their business if they don’t have them covered. What should the listener do if they want to learn more about you, or get in contact with you?
Mark Grossman: I do have a newsletter that I send out weekly, I’ve been writing it, believe it or not, since the early 90s.
Mark S A Smith: Wow.
Mark Grossman: Yeah, I’ve written hundreds of articles over the years, so they can subscribe to the newsletter as easily as sending me an email, so I’m going to do this slowly. My name is Mark David Grossman, so mdg@mark, M-A-R-K, dgrossman.com, email@example.com, ask for my newsletter, happy to add you to the subscription list. I do have a book called Technology Law: What Every Business and Business-Minded Person Needs to Know, go on Amazon, just put “Technology Law Mark Grossman”, it’ll pop right up, don’t even need the title, and always happy to speak to people with questions. Mark, did you know I’m also a professional speaker-
Mark S A Smith: That’s right.
Mark Grossman: And speak on these issues and deal negotiation generally, always looking for opportunities there.
Mark S A Smith: You bet. We’ll get you on the show page, there’ll be links to subscribe to the newsletter, a link to the book at Amazon.
Mark Grossman: Thank you.
Mark S A Smith: Of course, and friends, if you want to hire Mark to come to your organization to talk about negotiation, about technology, about technology law, he’s a great speaker, I’ve seen him, shared the platform with him, I recommend him as a very interesting and well-versed person who can save you a lot of time, hassle, and money. Mark, it’s been an absolute delight, thank you so much for sharing your insights and wisdom.
Mark Grossman: Thank you very much for the opportunity.