Cloud provider goes TITSUP? Will someone think of the data!
Time to pull out the magnifying glass to swot up on those Ts&Cs
You’ve entrusted your data to a cloud. This has allowed you to sell off (or scrap) your legacy hardware. You’ve got some new, up-to-date software applications. Maybe you have also outsourced all or part of your IT team.
You no longer have to manage and maintain the bulk of your hardware, software and data. You are now enjoying the benefits of cloud, while making someone else responsible for your non-core IT activities, leaving your staff to focus on the business. Cloud has made your IT more efficient and this has brought benefits to your business.
But wait. Are you now exposed to the risk of your cloud provider’s insolvency? Now you have placed your business-critical data in the provider’s cloud, how do you get it back if your provider goes bust?
The first thing that happens when a provider goes bust is that an insolvency practitioner (IP) is appointed. As a general rule, the IP will sack the directors of the provider. If those directors have made any verbal promises to you as the customer, unless those promises were confirmed in writing, they will now not be enforceable.
Protections negotiated into cloud provider terms
The only thing you can rely on is the contract that you signed with the provider. Let’s assume for a minute that you did actually read the terms and conditions to verify that you are comfortable with – and have offset – the risks that the provider was looking to place on you.
Public cloud terms often contain numerous exclusions: for example, that the service is provided “as is” with no liability for non-performance, or that the provider will not be liable for customers' losses. The latter could include data loss, leakage, corruption or even damage to your data. It is difficult for a provider to incur liability to you with those kinds of exclusions in place.
You might argue that a public cloud provider – with standardised, homogenised, vanilla offerings at a lower cost base – is less likely to go bust in the first place. Perhaps there is merit in this view, but you should ensure you read the contract terms and implement business continuity plans to overcome this worst-case situation.
Let’s assume you have enforceable obligations in the contract with your cloud provider. Maybe you have opted for private or hybrid cloud. Even then, it might not be that useful. Consider this: the contract states that the provider will supply you with cloud services in accordance with the SLA which you carefully analysed and agreed. Any failure to comply with these obligations – including any failure to continue to provide service – will put the provider in breach of contract. You may have paid upfront for the services, in which case you are contractually entitled to receive those services.
The provider is not allowed to change the nature of those services or increase the charges without your consent. Any attempt by the provider – through the insolvency practitioner – to renegotiate the provision of the services or the charges would be unenforceable, unless the terms expressly reserve the right for the provider to do so. The customers I advise usually resist this type of provision. After all, where the provider and the customer have negotiated the terms of the services, the customer will not want the provider to be able to change the services and charges at will.
Outside of public cloud, this provision is rare. Moreover, a failure to provide services already contracted and paid for would be a breach of contract by the provider. It looks like your position as a customer is well-protected.
Further, the contract should confirm that you own the data that the provider hosts for you. Let’s assume there was no sneaky assignment of rights in the terms and conditions. The law is on your side as it recognises your ownership of this data. If you take your car to a garage for repair, the garage can exercise a “lien” over the car to refuse to return it to you until you pay. But this doesn’t apply to data.
The UK Court of Appeal ruled last year that a provider can’t exercise a form of lien over your database, even if you haven’t paid the provider’s invoices. This is because databases are intangible assets and liens apply only to tangible assets.