While most of the focus has been on the scramble by Nirvanix’s customers to find an alternate cloud storage provider, and on whether there is enough time to replicate the data from Nirvanix to the new provider, less (if any) attention has been given to collateral considerations such as the governance, risk, compliance and legal impact on the customers.
Neuralytix has been a fervent advocate of legal reviews of cloud storage provider agreements. As part of that advocacy, we discuss ideas such as legal ownership of data in flight and at rest; we have discussed on numerous panels the implications regarding rights after a customer decides to leave a cloud storage provider; and we have counseled many on the advantages and disadvantages of leaving backup, archive and recovery to the cloud storage provider.
For most enterprises, these discussions often seem far-fetched and peripheral – that is, until situations like Nirvanix’s sudden shutdown occur.
Neuralytix believes that cloud storage provider closings will not be as surprising post Nirvanix. In fact, Neuralytix believes that over the next three to five years, there will be active consolidation as well as outright closings, bankruptcies and just simple terminations of service among the smaller and less popular cloud storage providers. In our opinion, funding for a cloud storage provider is secondary. Nirvanix was a well-funded startup.
So now, who owns what?
The major question that Nirvanix customers must face is who owns what? Some customers will be able to recover their data from the Nirvanix cloud. Some customers may not have enough time. And, still others may simply choose to abandon the data that they have on the Nirvanix cloud.
First of all, there is the question of who owns the data. Neuralytix believes that the intellectual property represented by the 1’s and 0’s is undoubtedly the property of the customer. But what about the physical 1’s and 0’s? The infrastructure is likely to be owned or leased by Nirvanix. On October 1st, 2013, when the service is supposedly no longer available, data that was once the property of the customers is likely to still remain on the Nirvanix cloud infrastructure. To that end, who owns the data then? If Nirvanix is shutting down due to financial reasons, will there be enough resources to scrub the infrastructure of the data? Or, upon liquidation, will the bankruptcy trustee take ownership?
Who owns the keys that may have secured the data? If the keys were in trust with Nirvanix, will the trust be transferred to a new owner? Was there a master key server? If that were the case, is there anyone responsible for the total destruction of that data? Even worse, as Neuralytix recently experienced first-hand, will the disposition of the assets leave behind enough traces of customer data that it can be restored or reconstructed? Could someone recover or reconstruct keys and sell them on a secondary or black market?
In an even more remote, but nonetheless potential situation, what will happen in the event of illegal use of this data? What if the data is part of an eventual legal discovery? Will the infrastructure be subject to seizure?
These questions and many more would pose an absolute field day for jurists in the months and years to come. Obviously we hope that none of these questions will need to be tested!
What about shadow data?
Apart from the immediate questions on the data itself, there are further questions related to what Neuralytix calls “shadow data”. This data includes backups, snapshots, and archives, not controlled by the customer, but controlled by the service provider.
A typical example is when a customer signs up for a cloud storage provider, and as part of the service, the cloud storage provider agrees to make backups of the data on the customer’s behalf. These backups may be in the form of replicas, offline and/or off-site backups, and/or snapshots.
Since this shadow data is created on behalf of the customer, does the customer have any rights to it? How would the customer know whether or not this data is truly destroyed? What if multiple customers have multiple destruction policies? What if the data is regulated, will the regulation still apply, and who is now responsible for the compliance of that regulation?
Neuralytix has always been very cautious about our advice on cloud storage. While the opportunities are enormous, and many opportunities unexplored, what is happening to Nirvanix will not be isolated. In these instances, air-tight legal contracts and agreements may be insufficient to meet regulatory and corporate compliance requirements.
It is absolutely critical that customers looking at cloud storage understand that using cloud storage does not, IN ANY WAY, shift the liability of data management or data governance to a third party. CIOs cannot go to their Boards and say, “well, it wasn’t my fault, the cloud storage provider lost my data”. That’s the net equivalent to the proverbial “my dog ate my homework”. CIOs should still be held accountable.
It is always a sad day to see the passing of an innovator like Nirvanix. The lesson that we, as an IT industry, must take away is that we are in uncharted territory – both in terms of the technology aspect, as well as the corporate/legal aspect.
While Neuralytix is generally a “glass half full” company, we strongly advise our Clients and all the IT industry to think carefully about the balance between outsourced and in-sourced storage. As we mentioned earlier, we do not believe that the Nirvanix situation is unique. We believe that this will only be the start of a string of cloud storage providers that will face financial and/or operational challenges. But each enterprise customer will have its own unique tolerances. In some cases, the flexibility will outweigh the potential concerns associated with cloud storage. In others, the chase for lower operational costs will triumph. Whatever the situation, Neuralytix reiterates our advice to all: engage a legal professional with respect to your cloud storage contracts; and lest we forget, we can shift the operations, but never the responsibility for ensuring the governance and compliance of our enterprises’ digital assets.
 By no means does Neuralytix even pretend to offer legal advice on this matter. We are expressing an opinion, purely speculating based on reasonable and logical deductions of this situation.