Who Controls Your Cloud-Based Data When the Sky Starts Falling?

Posted: May 10, 2012

Cloud-computing has reached the masses. With the advent of websites like MegaUpload and RapidShare, “cyber-locking” is becoming an increasingly popular method for sharing large files. Photo archives, music, and videos can all be shared with friends, without worrying about how much memory you have or exceeding inbox thresholds. MegaUpload, with 150 million registered users and 50 million hits daily, was among one of the largest and most popular cyber-locking (file-sharing) websites in the world before it was abruptly shutdown in January of this year. After a two-year investigation, prosecutors in Virginia filed a 72-page indictment alleging that MegaUpload facilitated massive copyright violations, and the FBI shut down the site.

Before the shutdown, MegaUpload paid Carpathia Hosting, Inc. to store its users’ data. Nearly five months after the shutdown, the site remains defunct, and its enormous cache of data remains inaccessible to its users, many of whom used the site for legitimate purposes. Even worse, there is a possibility that Carpathia could delete it. Prosecutors no longer need to preserve the data for purposes of the criminal prosecution, and Carpathia is unwilling to pay the cost of preserving the data, which could ultimately be tens of millions of dollars. MegaUpload is willing to purchase the servers for $1.2 million, but certain parties object to allowing MegaUpload access allegedly copyright-infringing material. The parties were ordered to meet and confer before a magistrate judge or a special master to resolve the issue of access. Users’ eventual access to their data may hinge on a plan by the government and other interested parties to allow users to file affidavits and claim legitimate data.

This is a very real world example of some of the risks associated with outsourcing your data storage, whether you’re a business or an individual. The terms of service between you and your vendor are very important, as we previously counseled (Cloud Computing: Protecting Your Company’s Data Against a Rainy Day). In particular, be focused on terms that could act as important safeguards against your risk that your vendor may lose control or your data:

• Consider whether your vendor has insurance and whether it is the right kind of insurance;

• Consider whether your vendor agreement includes terms that contemplate what will happen to your data in the event of a government investigation; and

• Consider whether your vendor has a disaster recovery plan.

And perhaps most important if your data storage is business-critical, it is very important to always conduct due diligence to determine the viability of your vendor before entering a vendor agreement and giving away control of your data. Consider such factors as reputation, transparency, previous allegations of wrongdoing, and independent third-party assessments. In the end, the adage remains true – “be careful who you do business with.” Your vendor’s ability to stand behind its contractual obligations is sometimes dependent on circumstances beyond your control, like whether federal agents show up with search warrants.

For more information, please contact Lindsey Mann.