Cloud Computing and the risk of Data Ransom

There have been lots of articles about cloud computing by lawyers. Most of them: i) have a dodgy pun in the title; and ii) bang on about data protection and the risk that your data is outside Europe.

That is not what I am going to write about. Partly because it’s been done to death, and partly because I think DP law is dull (sorry Grant and other data law lovers).

I am going to talk about data ransom in a cloud or hosted environment. That is the risk that your supplier goes bust and you have to buy your data from an administrator/receiver, or that you get into a commercial dispute with your supplier and they either turn off your service or ransom your data.  Both are possible scenarios.

Remember that administrators are legally bound to recover as much money as possible for the creditors. They are also not too bothered what your contract with the insolvent company says. These facts can make them quite interesting to deal with!

On the commercial dispute side it is traditional for purchasers to manage suppliers by withholding payment on invoices or similar. But with cloud or hosted apps the power has shifted – if the purchaser withholds payment then the supplier can probably turn off the service. Gulp! Worse, imagine you have decided not to renew the contract, and your supplier starts being “sticky” about handing over your data to the new supplier. Remember “sticky” could include giving the new supplier all your data, but in an incomprehensible format.

So what do you do?

Contractually

  • Have an obligation to get a weekly or daily back-up of your data delivered to you in a format you could decode.
  • In fact, why not take advantage of virtualisation technology and get a virtual copy of “your environment” and related rights to run it on your servers. (I have been putting this in contracts for about a year – so far I have not seen anyone else do this).
  • Have strong exit management provisions (preventing the supplier mucking you around on exit).
  • Have a source code escrow agreement. Note that on a “self-help” basis these are probably useless (partly because you may not have the object code), but having the right to get the source code will give you a bargaining position against an administrator/receiver *.

Practically

  • Actually enforce the contractual rights described above (it is probably too late to start enforcing them once the “ransom” starts).
  • Make sure your lawyer really understands concepts such as cloud, source code and virtualisation (this is an undercover sales pitch).

Not one dodgy pun!

*  I find a lot of lawyers still ask for source code escrow in a hosted app environment (where the client doesn’t even have the object code) not because of the reasons I have outlined but simply because the turnkey contract they are using as a style has an escrow clause in it. This strikes me as fairly dumb. Rant over.

5 Responses to “Cloud Computing and the risk of Data Ransom”


  1. David Irvine, June 22, 2011 at 3:39 pm

    Why not have a virtualised copy of the complete build environment plus the source code? That way recreating the ‘cloud’ (it’s not a cloud anyway) is as easy as typing make, or clicking build all.

    Even better if the build environment is tested and easily updated to latest code (escrow copies of several releases back are potentially useless anyway). That way you may have a chance of recovery.

    Access to an API that will allow secured data extraction for a period of X days after contract termination by either party should also be considered, plus guarantees that all copies are removed after that date.

    I think these extra small steps are logical and if you are an info driven business (like a bank, lawyer or accountant etc.) I would imagine they are essential.

    Another area is accidental or leaked info disclosure (your IP or potential IP or trade secrets, could sink your business). It’s a serious and often overlooked component of handing the responsibility over to a stranger; the accountability of such events stays with the customer and is not transferred with any certainty.

    As a cheeky aside (of course there has to be):
    As for your surreptitiously sneaky sales pitch (which I liked BTW), I would love anyone to actually define cloud; it’s akin to the ‘breach of the peace’ or legal correspondence fees :-)

    Seriously though, great article !


  1. Trackback: Cloud computing and “data ransom” – it’s not a myth « Brodies TechBlog, February 11, 2013 at 11:50 am
  2. Trackback: Using e-signatures to sign contracts – what are the legal issues? « TechBlog, July 19, 2011 at 1:04 pm
  3. Trackback: Data protection – it’s not just about encrypting laptops and the cloud « TechBlog, June 8, 2011 at 3:00 pm
  4. Trackback: links for 2011-05-30 :: Blog :: Headshift, May 30, 2011 at 5:03 pm
