A safety net.

Look at almost anyone’s workstation these days and you’re sure to see their computer connected to a battery backup, or UPS (uninterruptible power supply).  The concept is simple: maintaining continuity directly after an unexpected and unavoidable event.  With a UPS, the idea is that in the event of a power outage, the user would have enough time to save their work and safely power down their system, so once power is restored, they can resume from right where they left off, without having to redo or recreate lost work.  Think of how a similar concept could play out in the context of disaster planning in connection with a Florida condo association’s official records, with these two hypothetical examples:

Example 1: The property manager for our hypothetical association works out of a small room in the security guardhouse on the property.  A hurricane hits and completely destroys the guardhouse, along with all of the documents stored there.  Among the lost documents are all of the association’s official records required by statute.  Among the damaged property is the single computer system that the property manager worked from, along with all of the association’s data.  All of the association’s official records are lost, along with financial information needed to see which homeowners have delinquent assessment balances, vendor contracts, invoices, and much more.  The effects are both devastating and embarrassing.  To the extent possible, the association tries to obtain records from third parties (such as bank statements, etc.) to begin rebuilding what it lost, but it is unlikely that many of the association’s internal records will be recoverable.  Essentially, the association has to start from scratch; something that would severely impair the operations of an established association with outstanding receivables, open contracts, and the like.

Example 2: Same association.  Same property manager.  Same office.  Same hurricane.  This time, however, the association’s records were scanned into electronic files and were backed up in the ‘cloud’ (more on that term later).  Once the hurricane passes and normal association operations resume, the property manager downloads all of the lost records from the association’s online document repository, gets them printed out, and the association is back in business.  All of the data on the property manager’s computer is likewise restored from the online backup, and the association is up and running again, as if nothing had ever happened, in a matter of days.  Sound impossible?  Read on.

What is cloud computing?

Generally, ‘cloud computing’ (sometimes used in conjunction with the term ‘hosting’) is a service where one party entrusts the storage and provision of its data to a third-party provider. In some instances, the data resides on servers controlled, operated and maintained by the third-party provider. In others, the provider itself may outsource some or all of those functions. The core concept with a cloud-based or hosted service is that the end user can simply access its data without having to worry about maintaining the underlying infrastructure.  Hosting comes in several forms, such as storage hosting (like an online disk where users can upload and access their data), and application hosting (where an application is delivered online via a web browser, and the application and the data is stored with the provider).  This latter form of hosting is commonly referred to as Software-as-a-Service (SaaS). There are other forms of hosting as well, including platform and infrastructure hosting, both of which are beyond the scope of this post.  Consumer end user are primarily focused on storage hosting (online disks) and SaaS.

Selecting a hosting provider.

There are many factors to consider in selecting a hosting provider.  Selecting a provider is in many ways like selecting a bank (except you don’t get the added protection of the FDIC). Usually you are trusting critical business assets with the provider, and it is important to select a provider that is financially stable, reliable, and able to deliver the service and support that you need. Service providers should be willing to answer questions about their company’s strength, and provide information about their storage and security practices. Providers should also be willing to allow customers (and potential customers) to tour their facilities, so end users can see exactly where their data will be housed. If you get a bad vibe about a specific provider, ask questions until you are satisfied. If you don’t feel comfortable with a specific candidate, move along.

The hosting agreement.

A hosting agreement (or the terms of service) is the written contract that governs your relationship with the provider. Much like any other agreement, this is where the terms of the relationship are set out. Since many providers offer online sign-up, the hosting agreement may be presented to you online, and the provider may ask you to agree to them before setting up your account. In almost all instances I have seen where sign-up is online, the provider will not process your order unless you acknowledge your agreement to their terms and conditions. Don’t just click “Accept.” Read the terms of service thoroughly and familiarize yourself with them completely. If you don’t agree to something (or something isn’t clear), call or email the provider and see if the terms are negotiable. If not, you may have to go elsewhere. As when entering into any other agreement, consultation with an attorney is strongly encouraged.

Service level agreements.

A service level agreement (SLA) is an agreement pertaining to how often the service will be available to the end user. An SLA is sometimes referred to as an uptime agreement. It may be either a standalone agreement, or incorporated into the hosting agreement. It is important to make sure that the SLA is consistent with the provider’s marketing. For example, make sure that if a provider markets itself as providing 99.99%, 99.999%, or even 100% uptime, those terms are clearly outlined in the SLA. Check to see how downtime is measured, if there is a cure period that would allow a provider to repeatedly violate the SLA over the course of small periods of downtime, and what end users are entitled to if downtime exceeds agreed-upon thresholds. This language is one of the most important areas to review. Review it closely and carefully.  This is especially important if an association plans to provide online access to its data, as when fulfilling certain requests under, for example, Section 718.111 of the Florida Statutes.  Again, consultation with an attorney is strongly encouraged.  Keep in mind that there will always be planned service interruptions (a.k.a. planned maintenance), which are intentional periods of downtime which are necessary to provide periodic maintenance to the provider’s infrastructure. It may include anything from an operating system or application upgrade, to physical plant maintenance which requires that systems be brought offline. Check with the provider to see if planned service interruptions are included in the SLA, or if those are separate. If separate, your SLA might not reflect true system availability.

Where is my data stored?

The hosting agreement should outline where your data will be stored. If the provider is going to outsource this function, it should clearly be disclosed in the hosting agreement, and your provider’s provider should be clearly identified. Keep in mind that if your provider outsources this function, it likely has a separate hosting agreement with its provider, and those terms may ultimately affect you. Also keep in mind that where your data is stored may implicate data, privacy, and other laws of both yours and different jurisdictions.  This post only applies to official record backups — not to the online storage of official records in lieu of keeping paper records altogether.

Data protection and confidentiality.

The hosting agreement should outline how your data will be protected (in some detail, but not enough as to compromise security), and should place on the provider certain responsibilities with respect to data security, access control, and antivirus measures.  The hosting agreement should also outline confidentiality of your data. Some agreements might simply restrict the provider’s ability to disclose your data to third-parties (except in cases where necessary to provide the service or as required by law). However, consider looking or asking for an agreement which restricts the provider’s right to view the data itself (while the provider will likely except from this technical support requests, this is a reasonable request). Overall, look for the language which best protects your data from being viewed and disclosed.

Unattended access to data at any time.  Proprietary formats.

Having unattended access to your data is very important. It will allow you to keep an updated copy of the data in-house, should it ever be needed and unavailable from the provider. Being allowed access to your data only upon request to the provider is very different from having unfettered FTP or web-based download access (e.g., imagine having a bank account without ATM access; see the difference?).  Mainly an issue with application hosting (but may also be implicated with traditional data hosting and online backup providers), consider that many applications store data in proprietary formats, which render the data inaccessible unless being read by that specific application. Make sure that not only is your data accessible, but that it is in a readable format even without the application. If the raw data is proprietary, make sure that it can be exported and made available in a non-proprietary, readable format, such as CSV or XML. After all, having access to your data is meaningless if you can’t do anything with it.

Data escrow.

Data escrow is relatively simple, and works essentially the way you would expect any other escrow arrangement to work. With data escrow, the hosting provider is typically required to mirror the data you store with it (at an agreed-upon frequency) with yet another third party, the data escrow agent. The data escrow agent then holds a copy of the data, should access to it ever be necessary. Both the agreement with your hosting provider and the escrow agreement with the data escrow agent should address in detail who can access the data, when, and under what terms. It is important to make sure that the agreements allow you immediate access to your data upon request to the data escrow agent. Language that requires both parties to agree before the data is released may seem fair, but when disputes arise, it may also mean a long delay before you are actually able to get your data. Be careful with data escrow companies that are affiliated with or are operated by the same company as the hosting provider, as this does not offer a true escrow.  If your provider will not cooperate or work with an escrow provider, be careful.

Service cancellations.

Make sure that the hosting agreement expressly covers this, and clearly addresses who can terminate, when, under what conditions, at what cost, and how the data is returned to you. Make sure you are comfortable with the language, and always make sure the agreement provides that your data is returned to you in a timely fashion, and in a readable format.  Some providers may actually facilitate a move to another provider in the event you discontinue your service. Check with them in advance if this is something that is important to you. Make sure whatever you are told is ultimately incorporated into the hosting agreement.  As with anything else that is agreed to, get it in writing by someone who is authorized to act on behalf of the provider.

Used properly, cloud computing can be an important tool in the association disaster planning and preparedness toolkit — and can have a profound impact on business continuity after a catastrophic data loss (whether by hurricane, fire, theft, or otherwise).