FeaturesOutsourcingData management

In the second half of this two-part series—"Worst case scenario of cloud computing" (click here to view Part I)—Managing Director of Duff & Phelps LLC Erik Laykin continues to discuss the potential problems of data retrieval from a cloud computing facility when a service provider unfortunately goes bankrupt or gets acquired.

Laykin is the managing director and practice chair of the global e-discovery investigations practice at Duff and Phelps (D&P), a 75-year-old US-based international consulting firm serving Fortune 100 customers, and with 21 offices in Europe, US, and Asia, including Tokyo, Beijing, Shanghai and Hong Kong.

As a business, apart from defending its rights to data ownership in a service level agreement, what are the existing legal provisions in place to protect against malicious data center hacking and accidental data leakage at cloud computing facilities? Are these facilities potential targets of cyber crime attacks? What then is a 'National Cyber Corp'? How would they be able to fight against cyber crime? Read below for suggestions.

Asia Cloud Forum: What are the problems of data recovery if a cloud computing vendor 1) Goes bankrupt; 2) Gets acquired by another company?

Erik Laykin: In an ordinary bankruptcy or in a Reorganization Bankruptcy under Chapter 11 of the United States Bankruptcy Code, the cloud computing provider that is going out of business would be reorganized and would be able to continue to function as a business. There would be ample notice given to the owners of the data, so that they would be able to transition the data to a new system through which the data may be preserved. Or, as a result of the reorganization, the cloud computing provider may continue to operate it’s systems in a normal fashion and under the supervision of the administer or trustee of the bankruptcy.

But in more severe cases—the Chapter 7—where the business ceases to function and goes into liquidation, one faces several interesting questions. For example, how will a company be able to provide assurances that the data that they are hosting will not be deleted, erased, destroyed, moved, transferred, or otherwise made inaccessible? Will the system that is housing the data become entangled in litigation, seized, locked down or made inaccessible because there are no employees to maintain the system? The data may still be there, but there is nobody there to access the system. There is a wide variety of scenarios where the owner of the data may all of a sudden lose access to his or her data. 

In that case, one must question the adequacy of backups and ask whether or not there is a secondary, off-site location where a mirrored copy of the data is kept. This is part of disaster recovery (DR) contingency planning. 

Today, DR must involve the company as well as third party providers that are providing infrastructure to run the business—and today that infrastructure often involves cloud computing. 

A business that is leveraging cloud computing infrastructure to support that business should have a contingency policy. This policy allows another “alternative” provider to step in and handle cloud computing systems, should the original provider go out of business. 

Insurance companies will start to write policies to cover these types of failures. In this case, if there is a third-party cloud computing provider that goes out of business, insurance coverage may include “cyber coverage” that allows the company to maintain another third party system. Hopefully your Contingency Policy will have already identified whom the new providers will be and they will have been endorsed by your insurance carrier.