Fallen SMBs still responsible for customer cloud data

Fallen SMBs still responsible for customer cloud data

Summary: Should small and midsize businesses fold, the onus is still on them to be prudent and take steps to ensure customer data stored on third-party clouds is properly handled.


Small and midsize businesses (SMBs) which use third-party cloud services to store and access customer data must lay out steps that need to be taken in the event they close shop, to protect user privacy and ensure proper handling of this information.

The best way to handle such data is to first ensure data and privacy user policies are clearly established, said Douglas Gan, CEO and co-founder of Singapore-based Web site Vanity Trove. Doing so means customers understand what happens to their information not only when the SMB is operational, but also when a specific service or unit of the business closes down, Gan explained.

If a company decides to fold, all customer data should be erased to maintain the privacy of the customer's information. He noted that what happens to customer data is an obligation that rests on the SMB, and not the concern of the third-party cloud service provider.

Therefore, it is important SMBs have clarity with their cloud provider regarding data storage, such as terms governing service and data privacy, he said.

Rather than spell out what could be an endless list of possible scenarios within which how information would be handled, the user policy or clause should be focused on data protection principles, advised Shaun Lee, co-founder of daily deals site MilkADeal.com in Malaysia. He also runs e-tailer sites White.my and HiShop.my.

Lee said confidential customer data collected by an SMB for a specific purpose should not be further processed in any manner by the cloud service provider, if the former ceases operations. This ensures a high level of integrity and security toward the customer information, he added.

Cloud providers also will want to maintain a good reputation to attract new business, he pointed out.

Consumers want to be in the know
David Wee, who is a registered user at e-commerce sites, said regardless of size, companies are responsible for what happens to their customers' data when their business folds. This should remain true even if the data happens to be "stored with somebody else", he said.

From the consumer's perspective, Wee said he preferred to have his data deleted should the company shut down.

If the company is acquired by another entity, and data "custody" has to be transferred, sufficient time should be given for customers to decline to have their details migrated and request for it to be removed, said the Singapore-based business development manager.

"As a consumer, what matters to me is that we are kept informed and have choices on what to do from there," Wee noted. "No company wants to think about the day they go bust, but if they value their users' data privacy, these are all steps that should be taken as prior preparation and part of due diligence."

Lawyers ZDNet Asia spoke to agreed, noting that while cloud service providers have to comply with existing data protection laws and ensure data they hold is secured, SMBs are ultimately responsible for how the data is handled and protected.

Rosemary Lee, counsel for technology media telecommunications group at Pinsent Masons MPillay, stated this is the case in countries with any kind of data protection or privacy regime, even if there may be a lack of standards specifically addressing agreements where customer data is stored in third-party clouds.

When the SMB shuts down, how its customer data should be handled would be governed by the terms and conditions agreed upon in the contract between the SMB and cloud service provider, Lee said.

"Insolvency is a common termination ground in contracts. In that event of termination, cloud service providers have the option to return all the data from the cloud back to the SMB, or to delete the data shortly after termination of the cloud service," she explained.

Winnie Chang, partner in corporate advisory and TMT practice groups at Colin Ng & Partners, said contracts should always contain provisions which expressly set out each party's obligations in the event of termination for any reason, including insolvency.

In practice, Chang noted it is prudent for companies to be clear about these obligations, such as returning data to customers and having any remaining copies of data destroyed when a specific post-termination period ends.

Topics: Cloud, Data Management, SMBs

Jamie Yap

About Jamie Yap

Jamie writes about technology, business and the most obvious intersection of the two that is software. Other variegated topics include--in one form or other--cloud, Web 2.0, apps, data, analytics, mobile, services, and the three Es: enterprises, executives and entrepreneurs. In a previous life, she was a writer covering a different but equally serious business called show business.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Not so fast

    "When the SMB shuts down, how its customer data should be handled would be governed by the terms and conditions agreed upon in the contract between the SMB and cloud service provider, Lee said. "

    In the US if a company goes into bankruptcy the courts may get to decide what to do with the data. After all it could be considered an asset to used to pay back creditors. I know there have been cases in the US in the past where mailing lists were sold even though the original company stated they never would be given to anyone else for any reason outside of law enforcement.

    Careful of promises about your data if the company goes bust (insolvent). Those promises may be worthless.