Be clear on cloud computing contracts: know how vendors handle key details before entering
By Zielinski, Dave
Date: Sunday, November 1 2009
Cloud computing, particularly the subset known as software-as-a-service
(SaaS), has made life easier in multiple ways for Karen Sones, senior vice
president and human resources strategic project director for First Horizon
National Bank in Memphis, Tenn.
Sones has used Ultimate Software's SaaS offerings to store and access
payroll, benefits enrollment, recruitment and other HR data for seven years.
As is characteristic of SaaS arrangements, software resides on the
vendor's servers running on the Internet, or "in the cloud," rather than on
the bank's computers, and the bank's employees access HR data via an
The benefits: Information technology (IT) maintenance is handled by the
vendor's staff, software upgrades are less hassle, and self-service and
automated reporting features enable Sones and her staff to focus more on
strategic rather than tactical issues. In addition, instead of purchasing
expensive new hardware, the bank pays only for software that it uses.
The success of the arrangement is partly attributable to Sones'
determination in seeking answers upfront about how key concerns such as
data security, data privacy and contract renewal would be handled. For
example, what legal responsibility would the vendor have in the event of a
security breach? What would become of sensitive data when the contract
HR professionals considering SaaS would do well to follow Sones'
inquisitive lead--and with HR SaaS offerings expanding in number and use,
it's likely that more and more employers will enter into these outsourcing
deals in coming years. In fact, Gartner Inc., an IT research and advisory
firm, predicts that SaaS use will grow at roughly double the pace of on-premises
HR software in the near future, forecasting an annual growth rate
of 22 percent through 2011 for all enterprise application software markets.
While cloud computing has become more secure and reliable as the
technology has evolved, it can be easy to overlook the potential pitfalls of
using cloud applications while focusing on the considerable cost savings
and ease of use.
"People need to go into third-party cloud computing arrangements with their
eyes wide open," says R. Jason Straight, senior managing director of
computer forensics for Kroll Ontrack, an Eden Prairie, Minn.-based
technology services firm. "The cost savings and efficiencies gained from
cloud computing and SaaS are compelling, but there are hidden costs that
can emerge in case of security breaches or lawsuits tied to running afoul of
state employment laws or data privacy restrictions."
Experts identify the following as areas where it pays to get detailed
answers before inking contracts with SaaS vendors.
Using HR cloud vendors means ceding control of personally identifiable
data to third parties, a concept that continues to make plenty of human
resource leaders nervous. Recent security breaches and shutdowns have
stoked these concerns.
In a series of incidents beginning in 2007, cloud storage provider Carbonite
Inc. lost data it housed for 7,500 customers, who were provided apologies
and credits as compensation. The company recently filed a lawsuit against
the provider of its data storage hardware, Promise Technology, alleging
that it sold defective products to Carbonite that led to the data losses.
And in July, users of Apple's web-based MobileMe service were left without
access to service for several days. MobileMe stores information such as e-mail,
calendars and contacts in the cloud. The same month, Amazon.com's
popular S3 cloud storage service experienced an eight-hour outage.
While not catastrophic, these losses represent the risks of cloud computing.
Liability is also a concern. Should data that you store in the cloud be
breached--if, for example, Health Insurance Portability and Accountability
Act information or compensation data is hacked or compromised--your
organization, not the vendor, may be on the legal hook.
Straight suggests collaborating with IT staff to ask prospective cloud vendors:
* Whether they have full-time staff dedicated to data security.
* How well they've documented their security infrastructure.
* What kind of audit logs they keep.
* Whether they have incident protection and detection software in place.
You'll also want some sense of how cooperative a vendor might be in the
event of a breach. "Will the vendor allow you and the IT experts you work
with access to their facility?" asks Straight. The first 72 hours after a breach
are critical. Failure to act quickly can mean key audit log data will be lost or
overwritten--data essential to determine the scope of a breach.
Thomas Otter, a research director with Gartner Inc., suggests seeking out
vendors that meet the security requirements of an internationally accepted
framework. For example, a vendor certified in ISO/IEC 27002 has met
certain standards for having a secure, sophisticated IT infrastructure.
It also pays to know what level of data encryption a SaaS vendor uses to
protect your information. In the United States, "data encryption is moving
from a best practice to a legal requirement," explains Christine Lyon, a
partner with the law firm of Morrison and Foerster in Palo Alto, Calif. A
newly enacted law in Nevada, for example, requires that personally
identifiable HR data be encrypted in both Internet storage and transit.
Lyon also suggests negotiating an indemnification clause in contracts to
provide protection against loss or liability from breaches that happen on a
cloud vendor's watch.
Lyon recalls "cases where the employer gets sued because of a breach of
human resource data that was the vendor's fault. But if there is no
indemnification clause, the customer, not the vendor, can be left holding
the bag." Sones of First Horizon Bank insisted on such a clause.
Many countries, including those in the European Union (EU), have more-restrictive
data privacy regulations than the United States. That means, for
example, if your SaaS vendor stores your data on servers located outside
the United States, the potential exists for unknowingly violating another
country's privacy laws.
"The EU has strict rules forbidding that personal employee data be
accessed or shared outside of its countries because it views other
countries as not having adequate privacy protections," Lyon says.
If your organization operates across international borders, Otter suggests
asking a SaaS provider if it segregates, or tags, employee data from
different countries. For example, can the vendor segment data by country
so information on employees in EU countries isn't inadvertently accessed
by U.S. employees?
And, with regard to SaaS e-recruitment modules, do job candidates have
an option of deleting data from the system--or requesting that data be
deleted? "Candidates might decide they don't want their personal
information on an e-recruitment module anymore," and they have a right
under laws in various countries to access it and delete it, Otter says.
Kristin Ferrara, associate director of human resource management systems
for Inverness Medical Innovations, a medical diagnostic products company
in San Diego, uses Workday's SaaS offerings for core HR processes,
including benefits and compensation systems tracking. The SaaS option
appealed to her because of the ability to get newly acquired companies up
and running on the global HR system quickly.
But Ferrara says her IT staff was careful to put Workday's security and data
privacy protections under the microscope before inking a contract, seeking
assurances about industry-standard data encryption and guarantees that
Inverness employees would only have access to select domains, or data
segments, in the system.
State Law Compliance
Some states have laws requiring certain employee records be kept at the
employer's place of business for specified periods. In Connecticut, for
example, employers are required to keep time and wage data on-site for
each employee for three years. Storing such data in the cloud may violate
that requirement. Know the vagaries of your state's employment laws.
Otherwise, "the cost savings realized from going to cloud applications can
be eaten up in legal fees later," warns Daniel Schwartz, a partner with the
law firm Pullman and Comley in Hartford, Conn.
Internal IT's Role
Employing SaaS solutions, thereby shifting IT support from your internal
department to external vendors, has advantages and complications. If
employees experience a problem using a self-service SaaS feature, for
example, they may contact internal support--and not receive help. For that
reason, some HR executives suggest establishing service-level
agreements with both vendors and the internal IT team.
"Our IT help desk didn't feel that it was within its scope of duties to support
the SaaS application," explains Lisa Hellmann-Rhodes, senior director of
organization development for Gen-Probe, a biotechnology company in San
Diego, who uses SaaS performance and talent management modules from
SuccessFactors. To ensure that employees get technical help, work out
service support responsibilities upfront, she says.
When the Contract Ends
Think about the end of the contract before you agree to a deal. Many
companies enter into SaaS contracts with little or no price protection on the
renewal of agreements, Otter says. He suggests addressing price caps, or
"not to exceed" price increases, early in negotiations.
Seek "provisions that state vendor prices cannot increase by more than an
inflationary index like the Consumer Price Index, at least for the initial three
to five years," Otter adds. Given the subscription nature of SaaS services,
companies may not be able to access the vendor's software application if
renewal fees aren't paid.
Also, ask vendors if they'll allow cost reductions if the number of system
users decreases at certain points in a contract cycle. Given layoffs resulting
from the recession, Otter says, many organizations have fewer SaaS users
now than when they signed their deals. Typically, if you purchase more
volume than you use, there are no money-back credits. But Gartner's
research has found that, in light of the economic climate, some vendors are
allowing customers to reduce the initial number of users by 10 percent to
15 percent without raising the per-user price.
You'll also want to know what will happen to your data if the contract is not
renewed. "You should insist that your HR data, along with any proprietary
code needed to read it, is backed up somewhere and that the cloud vendor
is contractually obligated to return it to you by a certain period," says
Ownership of HR data post-relationship was an issue for Hellmann-Rhodes
when she was negotiating with SuccessFactors. If "we elected to go to
another vendor or to bring the SaaS application in-house, we wanted to
ensure we'd have access to all of our historical data," she says.
For more information on cloud computing, see the online version of this
article at www.shrm.org/hrmagazine.
The author is a freelance writer and editor in Minneapolis.