• United States



Data Held Hostage

Jun 25, 20111 min
Data and Information Security

Recently a customer of a cloud service had a rude awakening. At the expiration of its contract, the customer asked the provider for a copy of the customer’s data. The cloud provider readily agreed, but pointed to two provision in their contract. First, the contract stated that data stored in the service would be owned by the cloud provider, not the customer. Second, the customer would be charged to receive a copy of its data. In this case, the charge would be nearly $200,000.

This real-world example points out the need to be very clear in every cloud engagement that (i) the customer owns its data; (ii) the provider receives only a limited license to use the data solely to provide the service to the customer; (iii) the customer may request a copy of its data at any time, including on termination or expiration of the agreement; and (iv) the copies of the data will be provided at a pre-negotiated price so that the customer knows from the outset all fees for obtaining its data.

These simple steps can avoid completely the unfortunate event described above. Providers that refuse to provide this clarity should be scrutinized very closely.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author