Have you considered what happens to your data if an IT supplier or a supplier's subcontractor (hosting supplier) goes bankrupt?
Problem statement
In the event of an IT supplier's (hereafter "supplier") bankruptcy, there is a risk that you as the data owner/data controller (hereafter "data owner") cannot get your own data returned from the supplier or that return can only be realized after an unacceptable time period.
If the consequence of the lack of availability of data, including business data and personal data, is high, it should therefore be assessed whether measures should be established that can reduce the likelihood of. That it happens.
Below is a review of the challenges that can arise in the event of a supplier's bankruptcy, as well as which measures can be implemented to reduce the risk of losing data.
The rules of the Bankruptcy Act[1]
Section 82. "Whatever belongs to a third party or for other reasons cannot be included in the bankruptcy estate, is handed over to the entitled person."
– i.e. that a data owner has the right to have data that belongs to him returned.
Section 84. "If the right to an object in the estate's possession is uncertain, the owner does not dispose of the object within a reasonable time after being called upon to do so, or the estate has not been able to contact the owner despite reasonable efforts, the object can be sold if the estate does not, without disproportionately large costs or inconvenience to the estate's treatment may continue to provide for it. If the item is subject to rapid deterioration, it should be sold. If a sale cannot take place, the estate is entitled to dispose of the object. Prior to sale or disposal, as far as possible notification should be given to the person or persons possibly entitled."
– i.e. the object must be sufficiently individualized for the bankruptcy estate to hand it over.
Section 128. "In the bankruptcy order, cf. § 109, the bankruptcy court must invite anyone who has a claim or other claim against the debtor to report this to the receiver within 4 weeks. [..]”
– i.e. the probate court typically writes thus in the decree i State Gazette: "Anyone who has a claim or other claim against the debtor is encouraged to report their claim calculated as per xx.xx.xxxx. The report should be accompanied by documentation for the claim.”
Bankruptcy proceedings in practice
Preliminary consideration: The curator does not come on his own initiative with the hard drive in hand and return data to the data owner, unless the curator considers that the data is sufficiently individualized. The following is therefore considered to be conditions for the data owner to have data returned after dialogue with the curator.
Notification requirement
The bankruptcy court publishes the bankruptcy decree in the Statstidende, after which the trustee addresses identified creditors via Digital Post. The creditor must then register his claim in the bankruptcy estate. In other words, the curator must be made aware that you, as the data owner, have a third-party right according to § 82. The notification must, as a rule, be made within a period of 4 weeks from the curator's inquiry.
This is where the first risk arises if the data owner does not register his claim within the deadline.
Identification of third-party object (in this case data)
It is then a condition that the trustee can identify the object belonging to a third party. The item must therefore be sufficiently individualized to be handed over by the bankruptcy estate. If it is a physical object, it can e.g. be that the owner's name is affixed to the item, or that it is in an area that clearly signals that it belongs to a third party.
Such individualization of data at a supplier cannot be expected without prior active steps that ensure that data can be easily identified at the bankrupt supplier. In this connection, it should be noted that the supplier's employees, who have knowledge of the supplier's technical setup and data storage method, cannot be expected to participate in the bankruptcy proceedings, as they cannot necessarily receive a salary for this.
Another risk therefore arises here if data cannot be identified as belonging to the data owner, and the trustee cannot therefore hand it over from the bankruptcy estate.
Extraction of data in practice
If it is possible to identify the relevant data, data must then be moved out of the supplier's hosting environment and onto a new one. In that process, there are generally many variables that can make extraction and relocation complicated. In this connection, it cannot be expected that the bankruptcy estate will pay for the resources to be used for the task, including necessary technical equipment and professionals. The data owner must therefore have such resources available.
If the supplier uses a sub-supplier for hosting data, the data owner must also be aware of how long the hosting supplier can be expected to store data if the supplier is not paid for the service during bankruptcy.
Beneficiary third party clause in data processor agreement
In cases where the processing concerns personal data, a data processing agreement must be entered into. In the data processing agreement between the supplier (data processor) and the hosting supplier (sub-data processor), a clause can be inserted that places the data owner as a beneficiary third party in the event of the supplier's bankruptcy. Datatilsynets standard template for concluding data processing agreements[2] until recently contained a mandatory clause requiring the supplier to enter into such a clause with subcontractors. Datatilsynet however, has recently chosen to make this clause optional. It thus sends a clear signal that the clause has not been and will not be used on a large scale going forward.
If the clause exists in the data processing agreement between the supplier and the subcontractor, it has a certain value for the data owner, if the data owner manages to instruct the subcontractor to return data before the subcontractor closes the supply of its service to the supplier and sells the storage space on to a new customer.
It is noted that a data processing agreement only concerns personal data. Thus, as a clear starting point, it will not help in relation to business data, unless there is overlap.
During bankruptcy proceedings, a state of the "wild west" arises, as many actions and transactions must take place in a short period of time. There are likely to be a number of creditors pushing to have their claims met. There is therefore a significant risk that the data owner's rights under the Bankruptcy Act risk becoming illusory.
NIS 2, DORA, GDPR, general Information Security
The above is relevant for compliance with NIS 2[3], DORA[4] and GDPR[5], just as it is relevant in connection with general information security.
A risk assessment of an activity where the consequence for lack of availability of data is high, or for the data subject (GDPR), the business continuity of the entity (NIS 2/DORA) or the business basis of the company (general Information Security) should take into account the mentioned risks. Considerations and concrete measures should be part of a contingency plan - more precisely in a Business Continuity Plan.
Possible measures that can reduce the risks described are presented below.
Possible measures
Third-party backup solution
Establishing a backupSolution with a third party that is independent of the supplier makes it possible to make data available at any time. When establishing the backup solution, a decision must be made as to what must be included in the backup, how often the backup must copy data, and how quickly the backup must be able to be restored.
The disadvantage is that there is a fixed cost associated with this.
Thorough due diligence
Before entering into a contract with a supplier of a "critical" system, a thorough due diligence of the supplier and the IT contract should be carried out, including with regard to financial robustness and the likelihood of significant incidents at the supplier that could lead to large losses and customer flight. Inspiration for the work can be found in, among others, the Danish Agency for Digitalisation risk map and termination provisions.
If the supplier uses a sub-supplier for data storage, assessment of relevant conditions at the sub-supplier should also be examined, just as relevant contractual conditions between the supplier and the sub-supplier in relation to the return of data in the event of the sub-supplier's bankruptcy must be examined.
Private cloud
Some suppliers offer a so-called private cloud solution. With a private cloud solution, data that is left to the supplier is processed in cloud infrastructure (servers/storage media) dedicated to the individual customer/organization. In a public cloud solution, several customers share the same cloud infrastructure.
There is thus a significantly higher probability that the owner of data in a private cloud solution can be identified by the curator.
There are several costs associated with a private cloud solution, just as not all suppliers offer it.
Requirements for supplier prepayment to hosting supplier
In cases where the supplier uses a hosting supplier (sub-supplier), the supplier may be required to pay the hosting supplier in advance, e.g. 6 months, in connection with an agreement that the hosting supplier takes over the operation of the supplier's system/data in the event of the supplier's bankruptcy.
Not all hosting providers, despite prepayment, can or will undertake this obligation.
Subcontractor goes bankrupt (data hosted by subcontractor)
The previous comments relate only to the supplier's bankruptcy. In the event that the supplier uses a hosting supplier (subsupplier), it is essential that the same considerations are included in relation to the supplier's ability to have data returned if the subsupplier goes bankrupt.
It should therefore be included as part of the data owner's IT contract with the supplier that the supplier must provide the necessary security so that the supplier, on behalf of the data owner, can ensure the availability of data in the event of the sub-supplier's bankruptcy in the same way as the supplier must for the data owner.
[1] Bankruptcy Act (retsinformation.dk)
[2] Datatilsynet_template-for-data-processing-agreement-danish.docx (live.com)
[3] Publications Office (europa.eu)
[4] Publications Office (europa.eu)
[5] REGULATION (EU) 2016/ 679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/ 46/ EC (General Regulation on data protection)