It’s your worst nightmare. All of your most important and sensitive data, the thing your business values most, the thing your company cannot operate without, the thing your regulators require you to protect, has been taken hostage. Your business grinds to a halt. Your customers and business partners are livid. Your regulators are demanding an explanation as to how something like this could happen.
Ransomware? Insidious hacking attack? No, it’s your cloud services provider. That business partner you relied upon has turned out to be a greater threat than any hacker.
It starts in the most mundane way. You have a dispute with your cloud provider over the amount of an invoice or your cloud provider simply decides it wants to renegotiate the contract terms and manufactures a reason to take action. But, how can a cloud provider take your data hostage?
To answer that question, we must look back to a very popular contract provision found in technology contracts from 20-30 years ago. Some called it a “self-help” clause. Others called it “leverage.” The language looked innocuous. Likely it was buried in the contract fine print. It said something about the vendor being able to suspend performance or, in the event of termination, a right to withhold your data until all fees are paid and, potentially, all disputes resolved. The language cropped up in old data center and service bureau engagements.
That language from years past fell out of favor and was seldom seen in more recent times. That is, until the advent of cloud services when a resurgence in broad suspension rights has become the norm in almost all contracts. Worse yet, once thought long dead, the right to withhold customer data is also seeing a reappearance in some cloud agreements.
Let’s look at each …