Disaster Recovery
By Alan Gahtan - October 1, 2001
The events of September 11, 2001 highlight the need for businesses to have a
disaster recovery plan in place.
In the past, such plans have primarily focused on dealing with natural
disasters such as fires, storms, earthquakes and hurricanes.
In this new millennium, they must now also consider damage or lack of
access caused by terrorist actions or cyberspace hackers.
In today's interconnected economy, businesses are more
vulnerable than ever to the possibility of technical difficulties disrupting
business. A disaster can affect the
availability, integrity, and confidentiality of critical business resources and
leave an organization unable to function. Disaster
recovery strategies may include providing for redundant data centers,
contracting for the availability of alternate sites (hot, warm, and cold sites),
arranging for appropriate insurance and mitigation of potential legal
liabilities that may arise from a disaster.
In addition to the obvious business requirements for
disaster recovery planning, in some cases organizations may even be required by
law to have drafted, tested and implemented a disaster recovery plan.
A disaster recovery plan may also affect the cost a business pays for
certain types of insurance.
In the past, businesses typically contracted with service
providers such as I.B.M., Comdisco, E.D.S. or SunGard for standby mainframe
capacity. However, as the World Trade Center disaster illustrates, it may not
be a business’ data processing center that is hit but rather its business
operations center, which typically is more likely to contain servers and
desktop computers. Aside from spare mainframe capacity, disaster recovery
contracts should include network and application servers, communication
circuits and workspace equipped with PCs.
An unfortunate lesson learned from the World Trade Center disaster is that,
aside from addressing a possible loss of equipment and premises, a disaster
recovery plan must also focus on the loss of key personnel.
This will likely lead to greater cross training for key business
functions by staff located in geographically dispersed locations.
Businesses will also need to weigh the efficiency advantages versus the
inherent risks of placing entire business units or all key executives in one
location.
The following are some of the special issues that should be
considered in selecting a disaster recovery service provider and negotiating a
disaster recovery contract:
- The disaster recovery center should be in a safe area but within a
reasonable distance from the location it will service.
Employees may need to visit the center for audit purposes and,
depending on whether or not workspace is also being acquired, may need to
work out of the center.
- The contract should identify any specific resources and services that will
be made available. The availability of specially trained personnel by the
service provider may be particularly important if a company experiences
personnel losses as part of the disaster.
- The contract should contain a restriction on the maximum number of other
customers who are located in close proximity to the client that the service
provider may agree to service from the same service center.
This is done to reduce the risk that other customers of the service
provider may be affected by the same risks as the client and may
consequently declare an emergency at the same time as the client.
The contract may also restrict the maximum number of customers that
the service provider can contract to service from the same service center.
Ideally the contract should also address how the service provider
will allocate resources in the event demand should nevertheless exceed what
is available.
- The contract should specify how long a period can elapse from the time a
disaster is declared by the client until the service provider must provide
the contracted-for services and/or resources.
- The contract should set out service level objectives, including applicable
incentives and/or penalties.
- The service provider should be subject to confidentiality obligations in
respect of the customer data and should agree to abide by the license
restrictions applicable to any third party software that will be accessed or
operated by the service provider’s staff.
- The service provider should typically be required to maintain minimum
bandwidth with redundant connectivity from its service center to key Internet
backbones.
- The contract should contain risk management provisions which help align the
interests of the service provider with those of the client.
Independent of the disaster
recovery contract, the client must also review its license agreements to ensure
that it has the legal right to operate any software that will need to be
operated from the disaster recovery center and/or by the service provider.
In some cases, license agreements may restrict the use of software
programs to specific servers and/or specific locations.
Ideally from the client’s perspective, any license agreement should
permit use of the software from an alternative site in the event of a disaster
and provided that the primary system is not able to process transactions.
Another caveat to look out for is a license agreement restriction that
limits access to the software only to the client’s employees.
© 2005 Alan M. Gahtan. All Rights Reserved.