Liability arrangements for cloud and other IT services

As I wrote this legal blog, I was sitting in sunny Bangalore at a technology legal conference. What follows was inspired by a question raised at the conference by an Indian IT vendor regarding the issue of flow-downs.

Flow-downs are the contractual arrangements that an IT supplier will be looking to 'flow down' from its contract with its customer to its subcontractor, in order to provide a 'chain of protection' for the customer. They can cover such things as intellectual property right assignment provisions, security obligations or accreditation requirements.

The question that was raised by the delegate concerned the flow-down of liability in cloud computing arrangements. The vendor was looking to back-to-back its liability in full to its subcontractor, but was having difficulty in doing so.

The issue of flow-downs is obviously not unique to cloud arrangements. The same issue arises in any technology subcontracting arrangement. The reality, though, is that a subcontractor is rarely likely to mirror the liability provisions that are in the prime customer contract, unless the subcontracting arrangement expressly requires the subcontractor to take on the bulk of the service obligations under the prime contract.

Parties therefore need to be realistic, and understand that risk and reward go hand in hand. If a subcontractor is not taking on the lion's share of profit, why should it be exposed to the lion's share of liability?

Businesses therefore need to be alive to the fact that an intact contractual flow-down chain is not something that is realistically possible, and pursuing such an arrangement is usually a waste of time and resources that will only end up straining relationships.

Parties need to identify the key flow-down requirements, but when it comes to liability issues, it is far better for the customer to focus on internal business continuity, disaster recovery, insurance and other internal risk management measures than try to use a contract to completely outsource one's risk.

Jagvinder Kang, Technology Law Alliance