CIOs must strongly represent the interests of their company to external cloud providers. Otherwise they will be liable themselves. […]
For cloud projects, CIOs should consistently question the conditions and protect themselves as comprehensively as possible by contract. Even market-dominant providers are willing to negotiate and make reasonable compromises when the contract volume is sufficient.
Cloud hyperscalers such as Amazon Web Services or Microsoft Azure try to impose conditions that would cause astonishment in conventional business dealings. Standardization and “the cloud” are offered as reasons why the customer should continue to pay a large part of the fees and bear the damage itself, even when the provider has failed to perform.
This is a problem for the CIO function, which owes duties of care and fiduciary duties to its company. These duties also apply when contracts are negotiated and concluded. A CIO who violates these obligations intentionally or negligently is personally liable to the company for any resulting damage. The law presumes fault; it is up to the CIO to rebut that presumption.
A CIO can be held personally liable for breaching board duties if he does not represent the company's interests with sufficient emphasis in negotiations with cloud providers.
“Close your eyes and push through” is a particularly dangerous strategy, because legally it can often be classified as a breach of duty by the CIO with conditional intent. This has particularly severe legal consequences for the CIO, including dismissal, extraordinary termination of the employment contract, loss of remuneration and liability for damages. The directors-and-officers (D&O) insurance policies that companies take out for senior executives do not cover intentional conduct.
The example of an internationally active services group shows what is possible in negotiations. The cloud conditions of a US provider, initially presented as an unalterable standard, were at first defended by reference to group rules, required board approvals and US accounting rules. In response to more concrete proposals, however, it proved possible to negotiate claims for damages by the customer, for example where third parties in turn assert claims against the customer because of failures of the cloud services.
As part of this compromise, the cloud provider's maximum liability for simple negligence was capped at the annual sales volume agreed for the cloud contract. The technical standardization of the cloud, which providers often cite as an argument against contract adjustments, was not affected: the compromise had no effect on how the cloud services were technically delivered.
Nevertheless, negotiating the cloud contract is still the exception. In most cases customers accept unfavourable contractual conditions in view of the providers' strong position and market sentiment (“everyone does it this way”). This is a problem, because those responsible are not protected from personal liability if cloud services are disrupted or fail. To avoid this, CIOs must at least obtain comprehensive information and weigh the advantages and disadvantages of the cloud solution before concluding the contract.
A CIO should therefore carefully weigh the pros and cons of outsourcing. The cornerstones of the entrepreneurial decision must always be documented in writing (demonstrably not “close your eyes and push through”). In addition, the company should anchor at least a few particularly important principles in the contract, including in particular the following:
- The IT service provider is obliged to actually deliver the service that the company requires and that was promised. Performance defects that cause existential damage to the company must not be deemed in accordance with the contract. That sounds obvious. In some cases, however, shifts of responsibility and exclusions of liability, for example through wording in the service level agreement, reduce the cloud contract de facto to a mere goodwill service.
- Breaches of duty by the IT service provider should at least have legal consequences that motivate the provider and give the customer a means of steering it. These include liability, damages and exit rights. Obligations without legal consequences are effectively empty. This is also unacceptable for questions of privacy and data protection.
- The rules for termination and for transferring the services back to the company or to a successor provider must ensure that the (business-critical) IT services can continue to be used without interruption and securely. Otherwise there is a risk of high additional costs in the “divorce”, and the outsourcing company is then unable to exercise its right of extraordinary termination even in the case of intolerable breaches of duty.
- To prepare for an orderly change of provider, the outsourcing company must be able to obtain at any time the information about “its” services that is needed for a tender. Otherwise, for lack of realistic competition, the company faces serious commercial disadvantages in future negotiations on contract extensions.
CIOs must be able to answer the question of whether a contract offers the company sufficient advantages even if it is concluded unchanged and could threaten the company's existence in the event of a dispute with the IT service provider. At the very least, every CIO should be able, if necessary, to demonstrate the information and alternatives that were relevant to his decision.
Under the so-called Business Judgment Rule, the legislator excludes liability for entrepreneurial, forward-looking decisions made under uncertainty if the decision was based on appropriate information.
The prerequisites for this are as follows:
- The CIO must determine all the information available with reasonable effort and use it as the basis for his decision. A CIO should therefore at least have tried to negotiate the contract with the external IT service provider before agreeing to a cloud contract that is unfavourable for the company. It is also the task of the CIO function to obtain comparison offers in advance. It is necessary to determine what specific disadvantages threaten the company if the contract is not concluded. Reconstructing this assessment afterwards, of course, does not do justice to the decision-maker's situation and to the perspective available to him at the time. The essential elements of the assessment should therefore be documented in such a way that they can be used in later court proceedings.
- The CIO must not have been influenced in his decision by extraneous considerations, such as personal benefits.
- Finally, the CIO must have been reasonably entitled to assume that he was acting for the benefit of the company. That is the case when, after weighing all risks and opportunities, he concludes that IT outsourcing strengthens the company. According to case law, it is not the case if the risk associated with the decision was misjudged in a completely irresponsible way.
This prerequisite in particular carries the risk of “hindsight bias”: a court concludes in retrospect that the CIO underweighted the risks associated with his decision or assessed the associated opportunities too optimistically.
For other important business decisions, such as company acquisitions, it is now common for management to additionally back its decision with a lawyer's legal opinion. This can also be offered in the context of IT outsourcing.
*Gerrit Forst is a partner of the law firm Kümmerlein Rechtsanwälte und Notare in Essen. He advises domestic and foreign companies, their corporate bodies and shareholders on all issues of corporate law, in particular on corporate governance issues and in cases of corporate liability.
**Kay Diedrich is a partner of the law firm Kümmerlein Rechtsanwälte und Notare in Essen. His work focuses on complex IT projects (e.g. software development, outsourcing), data protection and international technology cooperation.