You’ve entrusted your data to a cloud. This has allowed you to sell off (or scrap) your legacy hardware. You’ve got some new, up-to-date software applications. Maybe you have also outsourced all or part of your IT team. You no longer have to manage and maintain the bulk of your hardware, software and data. You are now enjoying the benefits of cloud, while making someone else responsible for your non-core IT activities, leaving your staff to focus on the business. Cloud has made your IT more efficient and this has brought benefits to your business.
But wait. Are you now exposed to the risk of your cloud provider’s insolvency? Now you have placed your business-critical data in the provider’s cloud, how do you get it back if your provider goes bust? The first thing that happens when a provider goes bust is that an insolvency practitioner (IP) is appointed. As a general rule, the IP will sack the directors of the provider. If those directors have made any verbal promises to you as the customer, unless those promises were confirmed in writing, they will now not be enforceable.
Protections negotiated into cloud provider terms
The only thing you can rely on is the contract that you signed with the provider. Let’s assume for a minute that you did actually read the terms and conditions to verify that you are comfortable with – and have offset – the risks that the provider was looking to place on you.
Public cloud terms often contain numerous exclusions: for example, that the service is provided “as is” with no liability for non-performance, or that the provider will not be liable for customers’ losses. The latter could include data loss, leakage, corruption or even damage to your data. It is difficult for a provider to incur liability to you with those kinds of exclusions in place. You might argue that a public cloud provider – with standardised, homogenised, vanilla offerings at a lower cost base – is less likely to go bust in the first place. Perhaps there is merit in this view, but you should ensure you read the contract terms and implement business continuity plans to overcome this worst-case situation.
Let’s assume you have enforceable obligations in the contract with your cloud provider. Maybe you have opted for private or hybrid cloud. Even then, it might not be that useful. Consider this: the contract states that the provider will supply you with cloud services in accordance with the SLA which you carefully analysed and agreed. Any failure to comply with these obligations – including any failure to continue to provide service – will put the provider in breach of contract. You may have paid upfront for the services, in which case you are contractually entitled to receive those services. The provider is not allowed to change the nature of those services or increase the charges without your consent.
Any attempt by the provider – through the insolvency practitioner – to renegotiate the provision of the services or the charges would be unenforceable, unless the terms expressly reserve the right for the provider to do so. The customers I advise usually resist this type of provision. After all, where the provider and the customer have negotiated the terms of the services, the customer will not want the provider to be able to change the services and charges at will. Outside of public cloud, this provision is rare. Moreover, a failure to provide services already contracted and paid for would be a breach of contract by the provider. It looks like your position as a customer is well-protected. Further, the contract should confirm that you own the data that the provider hosts for you.
Let’s assume there was no sneaky assignment of rights in the terms and conditions. The law is on your side as it recognises your ownership of this data. If you take your car to a garage for repair, the garage can exercise a “lien” over the car to refuse to return it to you until you pay. But this doesn’t apply to data. The UK Court of Appeal ruled last year that a provider can’t exercise a form of lien over your database, even if you haven’t paid the provider’s invoices. This is because databases are intangible assets and liens apply only to tangible assets.
The IP will likely ask you to pay up again
Past this point, it all starts to unravel. The IP’s role is to realise as much money as possible from the assets under its control to pay off the debts which gave rise to the insolvency. The IP will need to identify what those assets are. If the provider owns the data centre, then this is likely to be very valuable. However, if the provider is renting racks from, or co-locating hardware in, a data centre owned by a third party, this will be less valuable. Further, there is the danger that a failure by the provider to keep up payments will mean the DC owner will pull the plug. The DC owner might not need to wait until the next bill is payable by the provider, since most contract terms allow for a termination upon the appointment of administrators or insolvency practitioners.
Timely action is now important as, without continuity of service, the IP may have no leverage. The main thing under its control is your assets as the customer – meaning your data. Therefore, the most likely scenario is that the IP will ask you, the customer, to pay up for the services, even if you have already paid upfront, with the threat of discontinuation of the service at short notice if you don’t comply.
If your business relies upon the continued provision of services, any discontinuation of these services could cause your business to fail. In theory, the law is on your side. You’ve agreed an acceptable level of performance under the SLA, have paid upfront and are comfortable that you retain ownership of your data. Any attempt to shut off the service pending action by the IP refusing to honour the contract is likely to be a breach of your contract with the provider. Unless you are able to get an injunction from the court at short notice to prevent the IP from shutting down the service, you are at the mercy of the IP. This is what happened with 2e2 and, while the industry expressed shock at the time at how it played out, the reality is that this is likely to recur each time there is an insolvency.
What can you do to overcome this?
There is no simple solution to this and the key is always to plan ahead before it actually happens. Let’s examine the most likely solutions.
- Step in: One solution often proposed is that the customer can “step into” the shoes of the provider and deal directly with the third-party subcontractor and continue to pay the third party to preserve continuity of service. In reality, this might work for telecoms or maybe co-location but is unlikely to work with a data centre. If the DC owner has sold a block of resource to the provider who has used it to sell to you and 50 other customers, the DC owner will have no interest in dealing direct with you and 50 other customers. It will simply re-designate the resource as available for resale to someone else. For this to work, you need to negotiate with the third-party subcontractor at the same time as you negotiate with the cloud provider.
- Escrow: Traditional source code escrow clearly won’t work in a cloud environment. Placing code into escrow only works if the software is running on-premise in object code format. If you are paying for SaaS and the provider is holding your data, receiving a copy of the source code will not help: while you are working out what to do with the code and how or where to host it, the IP may have turned off the service. It might be possible for a third party to step in and continue paying the DC owner behind the scenes, in which case this form of escrow is more akin to a “step in” referred to above.
- Separate Back-up/DRaaS: A better solution might be to have a third party manage your back-up copy and provide you with disaster recovery as a service. Provided your main provider and your DRaaS provider are not under common ownership, there is a reduced likelihood they will both go bust at the same time. If your provider goes bust, you could switch to the DRaaS. You naturally need to check the recovery point and time objectives to ensure you get continuity. You also need to ensure your DRaaS provider can get access to the data on a regular basis to perform the back-ups and this might mean the two providers – who might be competitors – need to co-operate.
In short, cloud provider insolvency remains one of the great unanswered questions in the industry, with no magical or standard formula providing a solution. What do you think? What’s your DR solution if the provider goes bust?
This article was first published by The Channel and generated some good interest.