The data centre is bankrupt, how do I get my data?

Outsourcing IT to the cloud or even to a single data centre brings many advantages for companies. Economies of scale can be benefited from, which can lead to better quality and security of the IT infrastructure. At the same time, however, IT outsourcing also brings with it the danger of dependency, and this danger must not go unnoticed when outsourcing. Providers like to emphasise the advantages. The disadvantages, on the other hand, tend to be forgotten a little, but should definitely be taken into account when choosing an IT service provider and the risks should be reduced as much as possible.

Outsourcing risks

One of the biggest disadvantages is that as a customer you become dependent. Ordinary operation (availability, response times or service levels, etc.) is usually checked, discussed and sometimes negotiated when the contract is concluded. Termination and data return are usually less of an issue and extraordinary termination is even less examined in detail. Even an ordinary termination can be fraught with problems if the costs of reversal and the technical modalities (e.g. data format) are not precisely clarified. If the parties cannot subsequently agree on the modalities, this may end up before a judge. A court case is not only expensive, it can also lead to the data being blocked for a long time. For a client, the blocking of his data can have serious economic consequences.

IT service provider in bankruptcy

In most cases, standard contracts with data centres contain a contractual clause that lists various reasons for termination by way of example. In the rarest cases, the handling of an extraordinary termination is regulated in more detail. The result is that although the contract can be terminated and no more costs are incurred, access to the data can still be denied. From an economic point of view, access to one's own data or the functioning of a software is usually much more essential than the continued payment of fees until the ordinary termination date.

A better formulation of the contract is to agree that ownership (even if not legally correct) of the data should remain with the client and that the client can demand the surrender of the data at any time. A court or bankruptcy office will often accept a clear contractual allocation and not deny a claim to this data. However, if the bankruptcy office completely stops the operation of the bankrupt data centre, short-term access is also no longer possible.

A major problem is that the current law only provides for a right of segregation for objects(Art. 242 para. 1 SchKG). From a legal point of view, data does not constitute an object and thus a client of a bankrupt data centre does not have the possibility to file a segregation request for the data. Even if many people see data as the new gold, in many cases no objective asset value can be attributed to the data, which means that it cannot be seized. However, some data may have a value, such as customer files or software codes. Often, however, it will still not be possible to exploit the data because data protection law or copyright law prevents exploitation. There is no clear legal regulation on the handling of data in bankruptcy in debt collection and bankruptcy law.

If a customer wants to have access to his data in bankruptcy, the result is that today one has to rely on the goodwill of the bankruptcy office. There is therefore no entitlement to the continued operation of a data centre in bankruptcy so that the data can be migrated. It may well be that a bankruptcy office shuts down a data centre relatively quickly for cost reasons and thus makes access impossible. This can lead to a situation where access to accounting or the customer base is suddenly no longer possible and the bankruptcy of the IT service provider also brings the majority of the company to a standstill. This is even the case with a company's own software. Although this is still protected by copyright, no direct claim to the data can be derived from it. If the software is hosted externally, even access to the company's own software can be blocked.

Revision of the law

The problem of an unsatisfactory legal situation has been known for some time and has now also been taken up within the framework of the current revision of the law, which is intended to create the legal basis for the legally compliant use of the blockchain. The Federal Council has deemed it appropriate to create a corresponding regulation in bankruptcy law as part of this revision, which applies to all data and not only to the data of a blockchain.

If Parliament approves this innovation, data will also be protected in the event of bankruptcy or can be demanded back from the customer. The risk of losing data as a customer of a bankrupt data centre would be greatly reduced with this innovation. It is a long overdue step, as it is undisputed that access to and control over one's own data is vital for most companies today.

Risk management

The amendment of the law only creates clarity with regard to ownership, but it does not eliminate all risks. Which is why, in the context of business continuity planning (BCP), one should not simply trust that one will automatically get access to one's data without interruption.

The right to access one's own data does not guarantee that in the event of bankruptcy the bankruptcy office must immediately guarantee access to the data. It is therefore quite possible that access to one's own data is nevertheless prevented for a certain period of time. Access to one's own data will take even longer if the claim is disputed: "If the bankruptcy administration considers the claim to be unfounded, it shall set a time limit of 20 days for the third party to file a claim with the court at the place of bankruptcy". (Art. 242b para. 2 E-SchKG)".

A sorting out procedure will therefore take a longer time and thus block access to the data. If access to data at all times is vital for the company, a backup solution with a second provider should still be examined. A simple data backup can be used, if necessary even by delivering the data to a separate external hard drive, or if software is affected, an escrow solution should be examined. In the case of business-critical applications, a solution must be chosen that enables a fast switch and the maintenance of operations.

Many companies are not even aware of how much they depend on data access at all times. Therefore, when outsourcing, an appropriate check should always be carried out beforehand.

Even if a legal or contractual right to the data can be proven without problems and the bankruptcy office grants quick access, this does not mean that operations can continue smoothly. The bankruptcy office will only grant a short period of time for a data migration. A short-term migration will often not be unproblematic, as a migration is usually associated with greater effort and risks. With PaaS or SaaS solutions, a simple transfer to a new provider will hardly be possible. Furthermore, it is also possible that the data is not located at the bankrupt data centre. In the case of a pure hosting provider with its own infrastructure, the data usually remains in its infrastructure. If the provider is a SaaS provider, it will often use an external hosting partner (e.g. AWS or Azure) for data storage, which can further complicate access to the data. It should also be noted that the proposed change in the law will only apply to Switzerland and will not have any extraterritorial effect. Many IT companies today operate internationally, which can lead to the data ultimately no longer being located in Switzerland. If the data is now held by a foreign subsidiary, local law applies and as a customer I may only be able to access the data via the subsidiary.

The bankruptcy of its IT service provider still requires a careful risk analysis even after the planned change in the law and it is recommended that comprehensive business continuity planning continues.

This article was written by RA Yves Gogniat.

Balthasar Wicki will be happy to answer any questions you may have regarding the handling of data in bankruptcy and the reduction of risks.