In a recent survey of London market insurers, the International Underwriting Association (IUA) found that more than 50 per cent of insurers suffered computer failures. However, the insurance industry is not unique in its vulnerability and these statistics are a warning to any business sector which relies heavily upon IT for the running of its operations.

All prudently-run businesses should ensure that they have appropriate disaster recovery plans in place, with services provided either in-house or by third party contractors. This article focuses on the second option. What should a business consider when negotiating disaster recovery services with a third party supplier? Avoid wasting time and money negotiating with suppliers who are either financially unstable or likely to be affected by the same disaster. Check the financial track record of the supplier and the location from which services will be provided. If the supplier’s disaster recovery premises are next door, they are too close.

Consider a supplier who has more than one physical location from which it can provide the services. A sole computer location could be the weak link in a disaster recovery plan where one disaster could affect a wide area, impacting on both customer and supplier at the same time.

Further, when performing due diligence regarding a prospective supplier, ask how many customers will be serviced from any given location. If all those customers suffer a disaster at the same time and the supplier’s computer services are at full capacity, what is the likelihood of your business receiving priority or, indeed, any service at all?

Contractual commitments to provide disaster recovery services when required are always important and can provide for a contractual remedy if breached. However, the ability to claim damages may be of secondary importance if your business has crashed. Check that access to services will not be restricted by the supplier ‘overselling’ its capacity.

Check the definition of ‘force majeure’ in the supplier’s agreement. A contract for disaster recovery services could be useless if the supplier can rely on an event of force majeure to relieve it from its contractual obligations.

Suppliers should be required to limit force majeure events to acts or occurrences affecting businesses on a national basis, for example, an event of war, terrorist activity or catastrophic incident. On the other hand, a definition stipulating that force majeure consists of anything outside the reasonable control of either party (strikes, power cuts, fuel shortages and so on) captures events that may affect only a local area, thus providing the supplier with greater scope to avoid its obligations.

A supplier of disaster recovery services should be obliged to perform its services when other businesses are affected by catastrophic events. Unfortunately, this is often overlooked by customers, both when considering the locations from which the services will be provided and when reviewing the contract.

Other factors to be addressed include the following:

  • Testing - disaster recovery agreements normally include a number of tests each year enabling the customer to access the disaster recovery facilities and check their adequacy for its purposes. Customers should insist on at least one test per year within the service fee.
  • Definition of ‘disaster’ - customers should insist that they will be able to declare a disaster at any time when it is reasonable for the customer to do so, rather than seek to define what a disaster could be and face the possibility of having to debate with the supplier whether a disaster has actually occurred. This approach provides the customer with greater flexibility. Further, in the event that a disaster is declared, the customer should ensure that it has the right to use any shared computer facilities in priority to other customers who are using the facilities to perform their annual tests.
  • Licences/rights to use - customers should ensure that licences to all their third party software contain rights allowing that software to be used both on different computer equipment and by the disaster recovery supplier in the event of a disaster. Some licences are machine specific and so trying to remove software and reinstall on different machines may attract copyright infringement and breach of licence claims from the licensor of the software. Similarly, most licences are specific to the licensee and therefore allowing a third party to run such software may be a breach of the customer’s licence.
  • Security - as the supplier is unlikely to have dedicated equipment or facilities for any one customer, the customer should ensure that the supplier is aware of its physical and logical security obligations. Customer equipment should be held in secure locations and, from a logical perspective, the customer’s data and the software that it utilises should be held on secure systems or partitions which prevent data from being corrupted or stolen, or viruses from being inserted into the customer’s computer network.
  • Data protection - the Data Protection Act 1998 ("the Act") sets out certain requirements for Data Controllers who hold Personal Data (both defined in the Act). Data Controllers cannot ‘contract out’ their responsibilities to third parties (such as disaster recovery service providers) and are, therefore, strongly advised to ensure that requirements placed upon them by the Act are mirrored in contractual obligations imposed upon the supplier. Further, customers thinking of transferring data to off-shore disaster recovery centres may encounter obstacles in UK and European data protection law. (To read more about the impact of data protection requirements on outsourcing, see pages 8-9).
  • Remedies - if, rather than meeting its obligations, the supplier seeks to rely on a limitation clause which restricts its liability to a sum of money, then customers should beware. Money may not provide adequate compensation for loss of access to IT. In order to force suppliers to perform all their obligations, customers should retain the equitable right to specific performance as an expressly stated remedy within the contract (a provision that is often excluded by suppliers).
  • Scope of work - each company’s computer system is unique so customers must specify their disaster recovery requirements fully and accurately. Such specification should include comprehensive hardware and software lists and precise details of the support and monitoring services required.

Summary

Disaster recovery agreements require careful thought as to what is required and how it will be provided. They should be regularly reviewed during the course of each year and the suitability of the provisions assessed on a regular basis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.