Cloud provider goes TITSUP? Will someone think of the data!

Time to pull out the magnifying glass to swot up on those Ts&Cs


You’ve entrusted your data to a cloud. This has allowed you to sell off (or scrap) your legacy hardware. You’ve got some new, up-to-date software applications. Maybe you have also outsourced all or part of your IT team.

You no longer have to manage and maintain the bulk of your hardware, software and data. You are now enjoying the benefits of cloud, while making someone else responsible for your non-core IT activities, leaving your staff to focus on the business. Cloud has made your IT more efficient and this has brought benefits to your business.

But wait. Are you now exposed to the risk of your cloud provider’s insolvency? Now you have placed your business-critical data in the provider’s cloud, how do you get it back if your provider goes bust?

The first thing that happens when a provider goes bust is that an insolvency practitioner (IP) is appointed. As a general rule, the IP will sack the directors of the provider. If those directors have made any verbal promises to you as the customer, unless those promises were confirmed in writing, they will now not be enforceable.

Protections negotiated into cloud provider terms

The only thing you can rely on is the contract that you signed with the provider. Let’s assume for a minute that you did actually read the terms and conditions to verify that you are comfortable with – and have offset – the risks that the provider was looking to place on you.

Public cloud terms often contain numerous exclusions: for example, that the service is provided “as is” with no liability for non-performance, or that the provider will not be liable for customers' losses. The latter could include data loss, leakage, corruption or even damage to your data. It is difficult for a provider to incur liability to you with those kinds of exclusions in place.

You might argue that a public cloud provider – with standardised, homogenised, vanilla offerings at a lower cost base – is less likely to go bust in the first place. Perhaps there is merit in this view, but you should ensure you read the contract terms and implement business continuity plans to overcome this worst-case situation.

Let’s assume you have enforceable obligations in the contract with your cloud provider. Maybe you have opted for private or hybrid cloud. Even then, it might not be that useful. Consider this: the contract states that the provider will supply you with cloud services in accordance with the SLA which you carefully analysed and agreed. Any failure to comply with these obligations – including any failure to continue to provide service – will put the provider in breach of contract. You may have paid upfront for the services, in which case you are contractually entitled to receive those services.

The provider is not allowed to change the nature of those services or increase the charges without your consent. Any attempt by the provider – through the insolvency practitioner – to renegotiate the provision of the services or the charges would be unenforceable, unless the terms expressly reserve the right for the provider to do so. The customers I advise usually resist this type of provision. After all, where the provider and the customer have negotiated the terms of the services, the customer will not want the provider to be able to change the services and charges at will.

Outside of public cloud, this provision is rare. Moreover, a failure to provide services already contracted and paid for would be a breach of contract by the provider. It looks like your position as a customer is well-protected.

Further, the contract should confirm that you own the data that the provider hosts for you. Let’s assume there was no sneaky assignment of rights in the terms and conditions. The law is on your side as it recognises your ownership of this data. If you take your car to a garage for repair, the garage can exercise a “lien” over the car to refuse to return it to you until you pay. But this doesn’t apply to data.

The UK Court of Appeal ruled last year that a provider can’t exercise a form of lien over your database, even if you haven’t paid the provider’s invoices. This is because databases are intangible assets and liens apply only to tangible assets.

Similar topics


Other stories you might like

  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • HashiCorp tool sniffs out configuration drift
    OK, which of those engineers tweaked the settings? When infrastructure shifts away from state defined by original code

    HashiConf HashiCorp has kicked off its Amsterdam conference with a raft of product announcements, including a worthwhile look into infrastructure drift and a private beta for HCP Waypoint.

    The first, currently in public beta, is called Drift Detection for Terraform Cloud, and is designed to keep an eye on the state of an organization's infrastructure and notify when changes occur.

    Drift Detection is a useful thing, although an organization would be forgiven for thinking that buying into the infrastructure-as-code world of Terraform should mean everything should remain in the state it was when defined.

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading

Biting the hand that feeds IT © 1998–2022