The increasing use of cloud-based IT services means that critical business data is increasingly being stored 'out of house' with cloud service providers in data centres. The risks attached to externalising control of business data are often not fully appreciated by businesses.
Identifying potential areas of exposure
The risks relating to data broadly split into the following:
- Compliance and audit
- Business continuity
Quite rightly, businesses and their legal advisors often focus on the legal compliance issues relating to data protection laws in negotiating the hosting contract. However, what is often not scrutinised is the business continuity risk which may arise from an insolvency or failure of the cloud service provider and the resulting difficulties and costs associated with getting their data back.
On an insolvency, administrators are likely not to have funding available to continue the data centre operations. As a result, once appointed they will inevitably take rapid decisions on scaling down the business or potentially even closing it down. Administrators may explore short-term funding options where they consider this to be the best solution for ensuring that the company's business survives through the process of its sale.
Lessons learned from 2e2
On 8 February 2013, Computer Weekly reported that the administrators of service provider 2e2 are asking the customers of 2e2 for £1 million of funding to keep their data centre services running. The administrators wrote to the customers threatening to cut off services on Friday 15 February at 5pm if that funding was not forthcoming.
Understandably, the customers were expecting to migrate their data to a new provider but the administrators said this process would take 16 weeks and required funding, in the meantime, to pay lease and staff costs. 2e2's customer base includes some major enterprise and public sector clients, but also a large number of smaller businesses. The administrators were counting on the larger customers meeting those overheads, having failed to sell the business as a going concern.
This story reveals the 'laws of the jungle' that can apply if a data centre supplier goes into administration. It is critical that customers include in their pre-contract review a thorough analysis of the following:
- Whether the supplier's contract allows them to terminate the contract and retrieve their data if the cloud service provider goes into a form of insolvency? Does it state who bears the costs of data retrieval and what this process entails?
- The full supply chain involved - Is the legal entity you are contracting with the actual provider of the cloud services, or is that sub-contracted to another entity? A clear and thorough understanding of the full operations and services sitting behind the data centre supplier. For example, does the supplier have a leasehold interest in the data centre? If so, can the customer's contract with the cloud service provider be structured as a lease, with the attendant self-help remedies or step-in rights?
- Which jurisdiction is the data centre in and what will be the position on insolvency in that jurisdiction?
- A full credit and financial analysis of the data centre provider. As the data centre industry grows, there are increasing numbers of new entrants backed by debt and private equity funding.
- Whether you can negotiate a right to terminate and retrieve data if the financial position of the supplier deteriorates. This will be hard to negotiate, as the supplier will be reluctant to allow customers a walk away right for anything less than insolvency.
- A full technical understanding of how the data will be retrieved.
As the 2e2 story shows, even if the contract allows for termination and data retrieval by the customer on insolvency, if the administrators' options for funding and finding an exit for the business are constrained, they may hold the customers to ransom for their data. Customers will be in a much better position on this negotiation if they have addressed the business continuity issues upfront and have a costed plan in place to retrieve their data.