Contracting for Disaster

June 30, 2006

Disaster recovery and business continuity planning are terms which are very familiar to IT lawyers, as the importance of having adequate back-up arrangements has become ever clearer in our wired-up, technology-dependent world. However, DR and BCP are not simply about ticking a box to confirm that a suitable service provider has been identified. If the actual arrangements themselves are not appropriate, the organisation which is relying upon them may only discover its mistake "in extremis", when the feared disaster event has occurred and the need for the relevant service is at its most urgent. What then should a purchaser of such services look for?

Hot or Cold?

The first point to consider is the extent or type of the services required.  A distinction is often drawn here between a ‘hot’ site (eg a DR/BCP facility which is kitted out in advance to the customer’s specifications, with hardware, telecoms, power and office systems all pre-installed and with sufficient office space to house at least key personnel) and a ‘cold’ site (eg where the service provider is primarily providing a physical location of a certain size, and which is capable of being formatted to the customer’s requirements in quick order, but where no customer-specific equipment or systems are pre-installed).  Not surprisingly, the provision of a ‘hot’ site is considerably more expensive as it precludes the service provider from offering the same space to any of its other customers (a point which is returned to below), but it may be necessary in the event of there being business critical systems or online trading systems which – if offline for any appreciable length of time – could cost the customer millions of pounds in lost revenues.

Space or Services?

Following on from the decisions as to the type of DR/BCP service will be the question of the ancillary services which the service provider is to perform.  At a minimum, these will include the maintenance of physical security and access control at the DR facility itself so as to ensure that any of the customer’s equipment and/or data which may be housed there cannot be accessed or tampered with in any way.  It should be remembered in this regard that an organisation’s obligations in relation to the maintenance of ‘appropriate technical and organisational measures’ to protect personal data from unauthorised disclosure or tampering (under the Data Protection Act 1998) will apply just as much to data processed at such a DR facility as it will to the organisation’s normal systems and infrastructure.

Other services will also need to be considered.  For example:

(a) Will the service provider carry out any support or maintenance functions in relation to the hardware or software housed at the DR site? If so, what is the extent of its obligations in this regard (eg will there be a formal service level agreement)?

(b) Will the service provider be required to provide assistance in connection with the installation of any customer equipment or software, either at the outset or upon the invocation of a disaster event?

(c) Will the provision of telecoms links be the responsibility of the service provider or the customer?

All Mod Cons?

Even if the service provider is supplying little in the way of additional services, the customer will need to specify the required details for the physical space which it will need to occupy. Where the customer's own equipment is to be housed at the DR site, this will probably include minimum environmental conditions in terms of heat, humidity etc, and will in any event need to include uninterruptible power supplies, telephones, office equipment and a specified minimum floorspace, with secure cages/cabinets to prevent unauthorised access.

Tried and Tested?

Clearly, one would not want to be putting DR/BCP arrangements to the test for the first time when an actual disaster has occurred, and when the consequences of any identified failing or defect in the arrangements could be catastrophic.  The contract must accordingly provide a right for the customer to conduct at least an annual test of the DR facilities (ideally as part of the overall contract price), and an obligation upon the service provider promptly to correct any issues which such tests might reveal.  For its part, the service provider will probably want a right to curtail the tests if an actual disaster occurs, and the facility is required for the provision of services to some other client.

The One and Only?

When offering a 'cold' site (and sometimes even when offering a 'hot' site), DR service providers will usually reserve the right to offer the facilities in question to multiple clients, in which event the services will not be guaranteed to be available if some other client has already had to invoke its right to occupy them. Whilst at first blush this may seem unreasonable, the reality is that the service provider needs to do this if it is to be able to offer its services at a competitive rate (and in particular at a cost which is less than it would cost the customer to simply set up its own DR facility). In such circumstances, the provision of the facility may be expressed to be provided on a 'first come, first served' basis, as between all of the various organisations who have a DR contract relating to it.

If a customer finds itself facing such a situation, it will need to consider the following.

1. The service provider should specify the maximum number of clients to whom the same facility could be assigned as being available for DR purposes, and then commit in the contract not to exceed this number, so as to minimise the risk of the facility not being available when the customer needs it most.

2. In the same vein, the service provider should agree not to assign the same DR facility to cover the operations of another client which is physically close to those of the customer itself. One can readily see the logic for this: if there is a disaster event, it is highly likely to affect multiple organisations in close proximity to each other.

3. If, notwithstanding the above, the customer finds that it cannot access the DR facilities when it needs to, it should be entitled to its money back. Whilst this is not likely to recompense it for the impact on its business, the threat of having to reimburse such sums may help to keep the service provider "honest" in terms of its efforts to maintain a reasonable degree of capacity for the provision of the DR/BCP services.

Conclusion

DR/BCP contracts may appear deceptively simple and, because the annual cost associated with many of the more straightforward services may be relatively low, the temptation may be not to treat them with the degree of rigour they deserve. However, it will be an ill-advised company that waits until beyond the eleventh hour to find out that its contract provides for less "recovery" and "continuity" than it might have expected.

Kit Burden is a Partner in the TMC Department at DLA Piper Rudnick Gray Cary.