... businesses need to ensure that they are able to continue 'business as usual.'
What is a 'disaster'?
Many commercial contracts include specific definitions of what a 'disaster' is. Generally speaking, however, in a contractual context a 'disaster' refers to an unplanned interruption of, or inaccessibility to, a service, product or system. The most frequent disasters are, for example, component failure, human error and longer-term data centre electrical failures.
Organisations should analyse and manage the risks applicable to their business in the event of a disaster. A commonly used preventative and reactive management technique is the inclusion of a business continuity and disaster recovery (BCDR) plan as part of the organisation's risk strategy and within its key commercial contracts.
What is a BCDR plan?
A BCDR plan is a plan for an emergency response and/or back-up procedures that apply in the event of a 'disaster'.
The aim of a BCDR plan is to maintain business operations at an acceptable, predefined level. Every organisation should have a BCDR plan and, when procuring services (in particular concerning IT infrastructure and other core services), should ensure that, where appropriate, each of its service providers has an adequate BCDR plan in place.
In October 2012, Hurricane Sandy resulted in significant disruption for businesses in the North Eastern United States. In particular, data centres and IT service providers in New York were affected.
Organisations with appropriate and adequate BCDR plans in place were able to continue providing services to customers, whereas others - in some cases in the same building and with similar, but inadequate, BCDR provisions - were not.
How to obtain an efficient BCDR plan?
When developing its internal BCDR plan or reviewing a supplier's BCDR plan, an organisation should consider:
- the potential risks and their likely or possible effects, and what is 'critical' as opposed to 'nice to have'; for example, is fuel required for back-up generators? Which services should be given priority in the event of a disaster?
- the cost of obtaining disaster recovery services from a third party - should these form part of the services already provided and be included in any applicable price?
- the location of the back-up services/servers - could the disaster affect a wide geographic area?
- where the contact details of management, personnel, suppliers and customers are kept; for example, are copies to be kept off-site in hard copy and what provision has been made to ensure that such personal information is processed in accordance with the Data Protection Act 1998?
- how the supplier and/or any applicable personnel will be informed and kept updated as to their role and responsibilities under the BCDR plan - consider use of an online forum or email/text alerts
- how the BCDR plan will be tested from time to time and amended where appropriate
- the interaction of the BCDR plan with any force majeure provisions within its contract with the relevant service provider. A force majeure event is likely to trigger the implementation of the BCDR plan - the service provider should not therefore be relieved of liability if it fails to comply with its BCDR obligations
- whether there are any restrictions in existing contracts that need to be addressed, for example limits in software licences on the number or location of software copies. Who will pick up the costs of any fees payable to remove the restriction or obtain additional software licences?
What should be in a BCDR plan?
Organisations should incorporate the following into their own and, where applicable, their service providers' BCDR plans:
- provisions for back-up servers/networks/remote access/power supplies
- where the service provider will be storing or processing data, appropriate data processing provisions taking account of the nature and/or location of the data
- if the information that will be involved includes personal data, provisions to ensure that it is at all times processed in accordance with the Act even in the event of a disaster. By way of example, if personal data is to be stored or processed outside of the EEA, steps must be taken to ensure that 'adequate protection' is in place as required by Principle 8 of the Act
- clear provisions setting out who is responsible for monitoring, testing and implementing the BCDR plan
- procedures for communication (i.e. with personnel, suppliers, customers and, if necessary, the public and the media) - as mentioned above, an online forum or text/email alerts may be appropriate
What does this mean?
The risk of a disaster affecting an organisation's business and, ultimately, its reputation will depend on its ability to plan for such an eventuality. As such, it is imperative that organisations consider their risk areas and ensure that their commercial contracts include appropriate protection.
Shoosmiths can provide expert advice on how an organisation should contractually protect its risk profile in case of a disaster. Should you have any queries in relation to the content of this article or the issues raised in it, please do not hesitate to contact Magdalena Konig.