Hostage Crisis in the Cloud: Can You Rescue Your Data?
Outsourcing contracts typically include termination and transition assistance provisions that outline the IT service provider's responsibilities regarding returning data. IT buyers are surprised to find out that their cloud computing contracts contain no such provisions.
Sun, May 06, 2012
CIO — In traditional outsourcing deals, in which the service provider hosts massive amounts of customer data, the issue of returning that data to the customer is now largely settled.
Outsourcing contracts typically include detailed termination and transition assistance provisions that outline the provider's responsibilities regarding data return. Indeed, in many outsourcing contracts, the vendor agrees to provide the data promptly whenever the customer asks for it, in the format that the customer requests, and the provider often covers the cost of doing so.
So many IT buyers are surprised to find out that their cloud computing contracts contain no such provisions. "Cloud service providers don't have an incentive to address how and in what format the customer's data will be returned," says Todd Fisher, partner in the outsourcing practice of law firm K&L Gates. "If the contract is silent on this issue, the cloud service provider will return the data in its then-current format and at a time convenient for the cloud service provider."
It's not malicious, but it can be costly for the customer, says Fisher, whose client was eager to switch to a new cloud vendor when its current provider began dragging its feet returning the data. "The contract didn't have any specifics about the timing of when the data needed to be returned, or in what format. On top of that, the provider returned the data in a file format that required a fair amount of time and effort on our client's part to convert it to the format needed by the new provider. These types of delays can have a real impact on a company's business."
Some of the more mature cloud computing providers are beginning to address the issue of data return in their boilerplate agreements, but the terms may not be customer-friendly, preventing the customer from requesting the data in a certain format or medium, for example. Over the course of the contract, the provider may have converted the data to a format incompatible with the customer's systems. Or the vendor may be creating data for the customer over the course of the deal that requires certain applications to access. Or the data may be encrypted and require a key.
An increasingly common compromise is a provision requiring the service provider to return the data upon expiration or termination in a format "reasonably usable by the customer" at no additional cost or in a format "commonly used in the industry". But such language can lead to disagreements over the definitions of "reasonable" and "commonly used." "The hope is that common sense will prevail," says Fisher. "If the data is critical, however, the customer might not want to leave this open to interpretation.