Here on TechBlog we have mentioned on a couple of occasions that one of the biggest risks arising out of the use of cloud computing/third party hosted services is the concept of “data ransom”.
That is, in the event that the contract terminates or the supplier becomes insolvent the customer is unable to get its hands on its data without handing over a chunk of cash.
According to a story in Computing Weekly last Friday about the insolvency of acquisitive data centre operator 2e2, that risk is no longer a hypothetical one.
Last week, the administrators of 2e2 contacted its customers (including a number of NHS Trusts) and told them that they required its customer base to provide nearly £1m of funding in order for the business to continue providing services. This is presumably in addition to the charges that the customers are obliged to pay.
The joint administrators’ letter to customers states that this funding is required in order to enable 2e2 to continue trading and allow customers to access their data and migrate to another provider:
As you will understand, we have received a number of requests from customers seeking to gain access to their data immediately and to transition services to alternative providers. Unfortunately, the levels of data held in the Companies’ Data Centres are such that this process could take up to 16 weeks and we will need to ensure that the integrity of third party data and security is maintained.
If its customers do not pay then:
We will be unable to maintain the datacentre infrastructure and we will have no alternative, other than to cease all operations without any managed wind-down of those operations.
For “without any managed wind-down” read “we will switch off the service without notice and without any assistance to help you access your data and transition elsewhere.” For any business that depends on the operation of the data centre for its livelihood, that’s a pretty frightening prospect.
In the case of 2e2, it seems that it had been suffering financial problems for some time.
In 2012, it was in court twice following the late payment of debts. It was also revealed that the annual interest payments on its debt were more than £20m a year (as against a turnover of around £40m).
A fortnight before the administrators were actually appointed, Channel Register also reported that 2e2 had breached its banking covenants in December and had reached its credit limits with suppliers.
These should all have acted as warning signs to customers that things weren’t looking good, and that action was required.
Contracting for cloud services
So what can you do?
- First of all, don’t use a traditional IT services contract to contract for critical cloud/hosting services. It will likely be deficient. As will the supplier’s standard terms. It’s also essential that your lawyer understands how the cloud works, terminology, and why the risk profile is different to that for other ICT. If not, then your contract is unlikely to deal with those risks.
- Carry out financial diligence on your supplier (and its parent company). How solvent is it? How much debt is it carrying? Can you get a parent company guarantee? Does the supplier actually own its kit/premises or is it leased? What happens if the supplier defaults on lease payments and the lessor wants its kit back?
- Keep financial diligence under review by carrying out regular checks on the supplier.
- Ensure that the contract allows you to terminate in the event that things look bad. Once a supplier has entered insolvency it will be much harder to transition away from the supplier. If the business isn’t viable as a going concern then the administrator is unlikely to be interested in your problems.
- Ensure that your contract includes exit assistance provisions and that a draft exit plan is actually developed (and maintained) whilst things are going well.
- Ensure that you have internal business continuity plan in place to deal with supplier insolvency. How critical is the supplier? What is your strategy? How do you mitigate the risks? Do you have dual suppliers (potentially expensive)?
- Consider other technical measures. Source code escrow is pretty pointless for cloud (your immediate requirement is the object code and data, not the source code). How about ensuring that you get a regular of the data or a copy of virtual server?
Finally, think about auditing your existing contracts for cloud services. What do they say? Are you comfortable that you can quickly (and safely) transition away from the supplier? If not, now is the time to review them and ensure that you have appropriate provisions in place. Remember – the time to repair a roof is when the sun is shining.
On February 11, 2013