In the Hotel Yearbook 2016 many authors predicted the use of cloud computing shifting to the mainstream. Some of the benefits highlighted were reduced cost and increased flexibility, accessibility, updating, security and guest service.
Before jumping into the cloud, you should however be aware of the associated legal issues. The precise legal risks depend on a number of factors including the type of cloud (e.g. public, private, hybrid), service (e.g. Saas, PaaS), solution (e.g. PMS, CRM), type of data (e.g. guest, employee) and the country (e.g. the location of your hotel and your supplier’s IT systems).
The following are however the Top 5 legal issues that I suggest are considered before implementing a cloud-based solution.
1. Keep an Eye on Your Data!
When hotel guest data is stored on-site, compliance with data protection laws is relatively simple. However, with the transition to cloud solutions, in order to ensure compliance you need to know exactly where your supplier is intending to store, transfer and provide access to the data. In many countries (especially in Europe) there are fairly onerous data protection laws preventing the transfer of data outside of the jurisdiction without the guests’ consent and/or without the assurance that the data is going to a country with adequate levels of protection.
I therefore recommend obtaining sufficient information on the supplier’s system architecture and seeking contractual protection that the supplier will comply with all applicable data protection laws. You cannot however pass all responsibility onto the supplier. You will also need adequate internal data protection policies to ensure that you are complying with the relevant laws when accessing or sharing guest data e.g. with other group hotels. You should also review your guest-facing terms and conditions to ensure they cover the proposed solution and pay particular attention to the use of any sensitive data (e.g. medical history obtained at gyms, spas etc.).
2. Data Security
With the increased accessibility of cloud technology, enabling users to access the data potentially from anywhere in the world, also comes increased data security concerns. If there is a data security breach and guest or credit card information is hacked into, misused or disclosed, the relevant regulator will be knocking on your door and it is your brand that will be impacted. Just this year a number of major hotel chains, including Trump Hotels Collection, were reportedly affected by data breaches relating to credit card information. Cloud systems relating to POS and others holding credit card information are particularly at risk.
Although the supplier should have more up-to-date technology than many hotel systems, you should still carry out due diligence on their systems, processes and disaster recover plans and include adequate contractual protection (e.g. PCI DSS compliance etc.) in this regard.
3. Service Levels and Service Credits
When transitioning to the cloud, it is essential to understand the level of service you will receive. This includes the service description and service level but should also deal with planned maintenance and what happens if the system goes down. Don’t expect the supplier’s standard form agreement to be generous in terms of service credits for failure to meet the service levels or unplanned downtime. Generally the supplier will want these capped at a percentage of the fees and normally they will be expressed as the exclusive remedy for breach of the service levels.
This may or may not be appropriate depending on the circumstances and I suggest the supplier’s standard template should be challenged and amended as necessary.
4. Limitation of Liability
Many cloud solution suppliers (especially SaaS) take a very strict line on the types of liability they will accept so carefully review (and challenge where necessary) the list of exclusions (e.g. loss of data, revenue etc.) and the proposed liability caps. Pay particular attention to whether key warranties and indemnities (especially IP) fall within these caps.
Although many may perceive these clauses as purely legal issues, the commercial impact can be substantial and therefore worthy of detailed consideration by the hotel management team. At the end of the day, you need to achieve a balance of risks equitable for both parties considering the specifics of your cloud project.
You should also consider what happens if it all goes wrong. Firstly, if there is a breach from your side (such as a delay in payment) should the supplier have the right to suspend or terminate the service? If these are revenue-generating cloud solutions then you would want to argue ‘no’ but, at a minimum, you should be provided the opportunity to remedy the breach. On the flip side, you need to be comfortable with your rights to terminate for the suppliers breach and similar scenarios so you are not locked in with an underperforming supplier. You also need adequate provisions dealing with what happens on termination e.g. transfer of data from the cloud solution back to you or an alternative supplier (in a suitable format).
Finally, before signing any cloud agreement, I would strongly suggest you run it past a good technology lawyer!
This article was first published in the Hotel Yearbook 2017 Technology Edition in Nov 2016.