Hostage Crisis in the Cloud: Can You Rescue Your Data?

In traditional outsourcing deals—in which the service provider hosts massive amounts of customer data—the issue of returning that data to the customer is now largely settled.

Outsourcing contracts typically include detailed termination and transition assistance provisions that outline the provider’s responsibilities regarding data return. Indeed, in many outsourcing contracts, the vendor agrees to provide the data promptly whenever the customer ask for it in the format that the customer requests-and the provider often covers the cost of doing so.

So many IT buyers are surprised to find out that their cloud computing contracts contain no such provisions. “Cloud service providers don’t have an incentive to address how and in what format the customer’s data will be returned,” says Todd Fisher, partner in the outsourcing practice of law firm K&L Gates. “If the contract is silent on this issue, the cloud service provider will return the data in its then-current format and at a time convenient for the cloud service provider.”

More CIO.com Outsourcing Coverage

It’s not malicious, but it can be costly for the customer, says Fisher, whose client was eager to switch to a new cloud vendor when its current provider began dragging its feet returning the data. “The contract didn’t have any specifics about the timing of when the data needed to be returned, or in what format. On top of that, the provider returned the data in a file format that required a fair amount of time and effort on our client’s part to convert it to the format needed by the new provider. These types of delays can have a real impact on a company’s business.”

Some of the more mature cloud computing providers are beginning to address the issue of data return in their boilerplate agreements, but the terms may not be customer friendly-preventing the customer from requesting the data in a certain format or medium, for example. Over the course of the contract, the provider may have converted the data to a format incompatible with the customer’s systems. Or the vendor may be creating data for the customer over the course of the deal that requires certain applications to access. Or the data may be encrypted and require a key.

An increasingly common compromise is a provision requiring the service provider s to return the data upon expiration or termination in a format “reasonably usable by the customer” at no additional cost or in a format “a commonly used in the industry”. But such language can lead to disagreements of the definitions of “reasonable” and “commonly used” “The hope is that common sense will prevail,” says Fisher. “If the data is critical, however, the customer might not want to leave this open to interpretation.

Robert M. Finkel, partner in the law firm Dewey & LeBoeuf, advises clients to fight for specific data return provisions in any IT sourcing contract, whether or not the arrangement involves critical or sensitive data. Just because you’re not doing putting key data in the cloud today doesn’t mean you won’t tomorrow. “You can generally get these provisions into a cloud computing contract,” says Finkel. “It just takes a little more time to sensitize the vendor to these issues.” Ideally, the contract would provide the data within a specified period of time in any format the client wants. But, admits Finkel, “while that’s a simple solution, it can be tough for the vendor because it creates open-ended exposure.” But it’s a good place to start the negotiations, he says.

“Reasonable compromises will depend on the type and importance of the data at issue,” says Finkel. “The ideal situation would be for the parties to clearly specify the exact format in which the data should be returned, and how it should be returned.” For example, the parties could specify that the data be returned in a PST file available either as a download or via a storage device within a specified period of time.

But being too specific has its drawbacks, as well. “In an ideal world, the parties would address data portability and clearly specify the exact format in which the data should be returned; however, that’s not always realistic because most cloud agreements are multi-year agreements with various file formats of data being processed,” says Finkel. “If the parties try to agree on the format at the beginning of the agreement, that format might not be the best option three years down the road.”

Most importantly, says Finkel, “the agreement should allow for flexibility over time and for common sense to prevail.” Bringing up the issue early on gives the cloud services provider time to factor data return into its cost model. “Vendors are in the business of trying to make customers happy,” says Finkel. “The whole reason to address this upfront is so that no one runs into any cost surprises later.”

Stephanie Overby is regular contributor to CIO.com’s IT Outsourcing section. Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.