Fallen SMBs still responsible for customer cloud data

Small and midsize businesses (SMBs) which use third-party cloud services to store and access customer data must lay out steps that need to be taken in the event they close shop, to protect user privacy and ensure proper handling of this information.

The best way to handle such data is to first ensure data and privacy user policies are clearly established, said Douglas Gan, CEO and co-founder of Singapore-based Web site Vanity Trove. Doing so means customers understand what happens to their information not only when the SMB is operational, but also when a specific service or unit of the business closes down, Gan explained.

If a company decides to fold, all customer data should be erased to maintain the privacy of the customer's information. He noted that what happens to customer data is an obligation that rests on the SMB, and not the concern of the third-party cloud service provider.

Therefore, it is important SMBs have clarity with their cloud provider regarding data storage, such as terms governing service and data privacy, he said.

Rather than spell out what could be an endless list of possible scenarios within which how information would be handled, the user policy or clause should be focused on data protection principles, advised Shaun Lee, co-founder of daily deals site MilkADeal.com in Malaysia. He also runs e-tailer sites White.my and HiShop.my.

Lee said confidential customer data collected by an SMB for a specific purpose should not be further processed in any manner by the cloud service provider, if the former ceases operations. This ensures a high level of integrity and security toward the customer information, he added.

Cloud providers also will want to maintain a good reputation to attract new business, he pointed out.

Consumers want to be in the know
David Wee, who is a registered user at e-commerce sites, said regardless of size, companies are responsible for what happens to their customers' data when their business folds. This should remain true even if the data happens to be "stored with somebody else", he said.

From the consumer's perspective, Wee said he preferred to have his data deleted should the company shut down.

If the company is acquired by another entity, and data "custody" has to be transferred, sufficient time should be given for customers to decline to have their details migrated and request for it to be removed, said the Singapore-based business development manager.

"As a consumer, what matters to me is that we are kept informed and have choices on what to do from there," Wee noted. "No company wants to think about the day they go bust, but if they value their users' data privacy, these are all steps that should be taken as prior preparation and part of due diligence."

Lawyers ZDNet Asia spoke to agreed, noting that while cloud service providers have to comply with existing data protection laws and ensure data they hold is secured, SMBs are ultimately responsible for how the data is handled and protected.

Rosemary Lee, counsel for technology media telecommunications group at Pinsent Masons MPillay, stated this is the case in countries with any kind of data protection or privacy regime, even if there may be a lack of standards specifically addressing agreements where customer data is stored in third-party clouds.

When the SMB shuts down, how its customer data should be handled would be governed by the terms and conditions agreed upon in the contract between the SMB and cloud service provider, Lee said.

"Insolvency is a common termination ground in contracts. In that event of termination, cloud service providers have the option to return all the data from the cloud back to the SMB, or to delete the data shortly after termination of the cloud service," she explained.

Winnie Chang, partner in corporate advisory and TMT practice groups at Colin Ng & Partners, said contracts should always contain provisions which expressly set out each party's obligations in the event of termination for any reason, including insolvency.

In practice, Chang noted it is prudent for companies to be clear about these obligations, such as returning data to customers and having any remaining copies of data destroyed when a specific post-termination period ends.