Disaster Recovery Legal Issues

The Christchurch earthquakes and disasters in Japan are reminders to businesses to examine their preparedness for handling such events. This article looks at some legal issues surrounding disaster recovery.

With digital information being the lifeblood of many businesses, protecting digital assets should be accorded high priority. Besides the obvious practical and commercial consequences, legal consequences can arise from failing to do so.

In a recent incident in the US reported by Computerworld, an ISP is being sued by a TV production company for losing an entire season of the show “Zodiac Island”, and being unable to recover from backup. Whether the ISP is liable to its customer will turn on whether it had a duty (contractual or otherwise) to properly safeguard the data in its possession. Hosting contracts commonly exclude liability, so the ISP in this case may avoid liability.

In turn, the TV production company whose data was lost may face liability to its customers who had bought or licensed the show.

While the data loss in that case was caused by a disgruntled ex-employee who accessed the ISP’s system and deleted 300GB of files, the same situation could arise if a server hosting third-party data was physically destroyed, and no back-up existed. Again, the legal question would be what duties (if any) the firm hosting the data had to its clients.

The loss may not be simply “the data” – which might have little intrinsic value – but the lost work or contractual services that a firm is required to deliver. For example, a firm that has been paid to produce certain work for a client may be liable to reproduce that work, or compensate its customer if the work has been lost.

Contractual risk management is very important, but it is not possible to exclude all liability by contract. For example, liability under the Fair Trading Act 1986 and liability to third parties cannot usually be excluded.

Firms may also be subject to statutory duties to prevent certain types of data loss. For example:

  • Tax law requires some accounting and tax records to be retained for seven years or longer; and
  • The Privacy Act 1993 requires organisations holding personal information to take “reasonable measures” to prevent loss (usually in the context of improper disclosure, but destruction of information can also be a relevant loss).

A recent law change imposing a “long-stop” 15-year limitation period for some types of claims (the Limitations Act 2010) also highlights the importance of protecting relevant records, which might be important if a dispute arises years later. For example, construction disputes often arise years after completion of a project. A firm could be at a considerable disadvantage if a dispute arises and it has lost (or did not retain in the first place) relevant records.

Practical questions for business owners to consider include:

  • Does my firm hold data on behalf of other parties?
  • If so, what are our duties in respect of that data (contractual, statutory and otherwise), and what liability could arise if that data is lost?
  • What liabilities could arise if we cannot access our own data?
  • Have these risks been legally managed in contracts and disclaimers?
  • Are our digital assets covered by insurance?

Digital assets in the cloud

Offsite data hosting is an increasingly popular option. As seen in the Christchurch earthquake, firms with cloud-based systems or high-availability disaster recovery (HA-DR) technology were able to recover relatively quickly.

However, before moving valuable data offsite to an external host (as in cloud computing), it is important not to overlook the terms and conditions under which the data will be held. As noted above, it is common for online services to exclude most if not all possible liability for any loss of data. For service providers this is usually prudent, but it means in practical terms that a firm’s critically valuable data is being held by a third party on an “all care, no responsibility” basis, with the likely result that a firm has little or no recourse in the event it is lost.

There is also the risk of the party hosting the data becoming insolvent, or otherwise being unable to carry on business, resulting in data being lost or unavailable, again with little or no recourse for the owner.

While the parties could negotiate to retain contractual liability or damages for data loss, the solutions to these scenarios are more likely to be practical: backups, business interruption insurance, and data loss insurance should be considered.

Contract frustration & “force majeure”

As was recently seen in Christchurch, the effect of a major disaster on businesses can vary significantly, ranging from those completely shut down to others being largely unaffected. In some cases, a firm may not be able to carry out its contractual obligations, or only be able to do so in a limited, delayed or more costly manner.

For contractual matters, the so-called “doctrine of frustration” can provide relief in some cases. A contract can be held to be frustrated (and the parties excused from having to perform) if a supervening event occurs that would make performance of the contract a “radically different” obligation from what was undertaken.

Each situation is considered on its merits, but previous examples of supervening events resulting in frustration of a contract have included:

  • Destruction of property;
  • Cancellation of events;
  • The unavailability of persons;
  • False accusations by a third party; and
  • Government interventions.

However, the threshold is relatively high, and the fact that a natural disaster or other unexpected event has “merely” made a contract more costly or time-consuming to perform is often insufficient. In other words, a party is generally unable to avoid liability for failing to perform a contract on the grounds that an unintended event (such as a natural disaster) made it more costly, time-consuming or complicated.

For that reason, it is good practice to consider including a “force majeure” clause in contracts. A typical clause provides that a party will not be liable for any failure or delay caused by something beyond its reasonable control, including natural disasters, terrorism, labour strikes, transport stoppages, etc. If other specific risks are anticipated, they should also be included. Such a clause can provide relief against a wider range of events than the doctrine of frustration, and provides more certainty as to when it applies.

It is also a good idea to consider the potential impact of business interruptions on service level agreements and other key arrangements. Frustration and force majeure clauses are properly seen as “fall-back” remedies where a contract does not contain a more specific provision addressing a situation.

Backups of key systems

For the ever-increasing number of IT-dependent businesses, the Christchurch earthquake highlights not just the importance of backups, but of being able to rapidly restore key systems in the event of a disaster. This includes the ability to restore systems remotely, when existing premises cannot be accessed or are destroyed.

For firms hosting their own servers (or providing hosted services to clients), the ability to maintain an offsite replica backup system can be critical to ensuring high availability. This will usually require the operating system and other software to be cloned.

This raises the question whether it is legal to clone a server for use as a backup, or whether new licenses must be bought.

Section 80 of the Copyright Act 1994 allows a user to make a backup copy of their computer programs for the purpose of being used:

  • In place of the original in order to preserve the original copy; or
  • If the original is “lost, destroyed, or rendered unusable”.

Importantly, this right is subject to any express direction to the contrary on behalf of the copyright owner, at or before the time of purchase, so users should check whether they are able to make backups.

The provision does not expressly state that an entire installed system can be cloned to create a replica backup system, but in 2009 an Australian court (applying similar copyright laws to New Zealand) ruled that a firm did not infringe copyright by cloning a system for use as an off-site emergency backup system.

An important factor in that decision was that the replica system was a “cold site” – data was regularly copied to the offsite location, but the system would only be used (besides occasional testing) if the original system became unusable. The backup rights under the Copyright Act do not extend to copying software to create a live duplicate system for simultaneous use with the primary system.

Guy is a lawyer specialising in commercial and IT law at Clendons barristers and solicitors, Auckland. He can be reached at guy.burgess@clendons.co.nz

This article provides general information and does not constitute advice. Professional advice should be sought on specific matters.