Disaster Planning

2 May 2002

Experts estimate that every year American businesses lose $4 billion to computer downtime. Catastrophes like Hurricane Andrew and 9-11 should have taught us how quickly an average day can go bad. Have you ever thought about how your business would recover if you lost your entire information technology infrastructure to a catastrophe?

Have you ever stopped to consider all the different ways your computer systems could be destroyed or brought down for an extended time?

The list is endless and just starts with freak stuff, stupid stuff, and Hollywood couldn't have written the script stuff. It could be sabotage, terrorism, weather, fire, a power company problem and who knows what else.

The point isn't even how it happened. The point is that all your computers are dead, your company is bleeding out like a trauma victim, your eyes are glazed over with that deer in the headlights look and you're frozen wondering what do you do now.

Here's the deal. If you're looking at the rubble and that's the first time you considered disaster recovery, let's just say you missed the party. It's conceivable that your business may never recover from what you lost.

While a mom-and-pop operation may be able to get away with a disaster recovery plan that's based on a tape back-up kept at a geographically remote site, that's not going to cut it for a large or even medium sized business and certainly not an e-business.

Often, it's best to outsource your IT recovery planning to companies that specialize in providing these services. Presumable, it's not your core competency and it rarely makes sense to hire an employee with that narrow expertise. While your best in-house IT person may be a good choice to manage this outsourcing project, this person probably isn't really an expert in this extremely important area.

Moreover, even if you had a disaster recovery expert in-house, you still need to outsource because in a disaster, you'll need access to somebody else's computers quickly while you recover your own operation.

You need to look closely at disaster recovery services offered by companies like Sungard Recovery Systems (www.recovery.sungard.com) and IBM (www.ibm.com/services/continuity). They'll do things like consult on designing, managing and executing an end-to-end business continuity plan for your business.

They'll help you set up back-up routines and take other appropriate steps to ensure you don't lose data to the unexpected. They have plans that will give you emergency access to their computer centers so that you can temporarily move your IT operations there while you rebuild your own.

With a properly set up plan, you declare an "emergency," and a series of pre-planned and pre-tested steps go into effect. The goal - get you up and running again within a reasonable amount of time.

Probably the severest test ever on the disaster recovery industry was the catastrophe of 9-11. For example, by the end of the week of September 11, Sungard says that it had 30 clients declare an emergency. From everything I've heard about the World Trade Center disaster, it appears that the major disaster recovery companies earned good grades for their performance. They appear to have basically delivered what they promised when the worst happened.

If you decide to outsource your disaster recovery, you should be aware that these companies do have their form agreements ready for you to sign.

In my experience, they're reasonable well written documents that describe the services they'll provide you.

Still, bear in mind that they've paid some lawyer good money to write a contract that's protective of their interests. It's not that the contract will be grossly unfair, but the fact is that experience tells me that it's tilted in their direction, is negotiable and that with some negotiation you can tilt it back to the middle so that it's fairer to you.

While theoretically they could volunteer a completely evenhanded, right down the middle document, the fact is they won't. Maybe it's because they expect sophisticated customers to negotiate the agreement, so they figure they need to tilt it their way so that they have room to negotiate. Maybe it's because they know a certain percentage of less sophisticated customers won't bother to negotiate the deal and from their perspective why not have a contract that's more favorable to them.

Whatever the reason, you should expect a negotiation process with your agreement with a disaster recovery company. You'll often find that the description of services in the proposed contract don't quite match what the sales rep promised. You may find nasty little surprises about unexpected fees or performance standards that don't meet your needs.

Every deal is a bit different and it's impossible to guess where the problems will lie in your agreement, but I've still never seen a first draft that was perfect and ready to sign as delivered. As important as their services could be in saving your business in a disaster, let's just say that the day after the disaster isn't the day to read the contract and discover something unexpected about what you thought you were getting.

If you don't have an adequate disaster plan in place, taking care of this problem just might make a good New Years Resolution.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at: www.DeWittGrossman.com.

If you have any comments, please send them to MGrossman@DeWittGrossman.com.

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.