Time to Revisit Your Disaster Recovery Plan
Good morning. It’s almost hurricane season again. Do you know where your Disaster Recovery Plan (“DRP”) is? Does your business even have a DRP?
There’s a broad range of disasters, both natural and manmade, that could knock you offline or out of business. Hurricanes, earthquakes, and of course terrorism top the list. But as we’ve seen, disasters come in a variety of forms including wildfires, tsunamis, and floods. The list goes on and on.
The question remains--are you prepared if a disaster hits your business?
Do you have adequate backups of your data? Will you have access to computer systems with the right software? Will you be able to restore your backups? How long will it take to get your company operating again? Will you be able to connect to your cloud computing infrastructures and software?
If you don't think your company is ready for a disaster, I would like to politely suggest that you begin the disaster planning process today. It's never a fun job to assign yourself, but putting it off until tomorrow, and then the tomorrow after that, isn't a good option either. It's bad business and you could be creating a legal liability for your company and you.
If you have a DRP, it’s probably time to review it and make sure it takes into account the “newer” disasters we’ve seen in the last few years. You need to ensure your company is ready to respond in the event a terrorist act or tsunami hits your company. Hoping Bruce Willis can blow up the asteroid before it strikes is NOT a good DRP.
Suffering a disaster could be one of those double-whammies. You suffer a disaster, and then somebody sues you as a direct result of you being the victim of a disaster.
Of course, the basis for the lawsuit isn't that you had a disaster gut your building. Rather, the basis would probably be a statute, a contract, or some common law doctrine that required a DRP.
On the statutory side, regulations are mostly aimed at financial institutions. For example, the Federal Reserve, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission issued a white paper describing objectives for disaster recovery and business continuity plans that should be set in place.
Another example would be the Federal Financial Institutions Examination Council guidelines which state a bank's informational security program "shall be designed to…protect against any anticipated threats or hazards to the security or integrity" of customer information.
Breach of contract can also be the basis of liability for your company if a disaster victimizes your company. Don't assume that "Act of God" or "Force Majeure" (what's law without some Latin) will protect you. It may, but it may not. It depends upon things like the precise wording of your "Force Majeure" clause and the facts surrounding your disaster.
To some extent, after a disaster, your liability to a third party because you cannot do whatever it is a contract requires you to do may depend upon the foreseeability of the disaster. If a particular type of disaster is a foreseeable risk and your contract is silent on the risk, a court might rule that as between your company and the other party, your company is the one that assumed the risk of the loss.
Your best defense in that kind of situation might use buzz phrases like "impracticability of performance and frustration of purpose." However, this type of defense to a breach of contract is more likely to carry the day if a meteorite said hello than if a fire damaged your computers. The logic is that a fire may be unlikely, but you should have contingencies to deal with it. As for that meteorite, well, that's just a really bad day and I think a judge is more likely to be sympathetic.
Then, we have good ole common law as a way to create that double-whammy. For example, a poor DRP could be the basis for a suit by your shareholders if they feel that the Board failed to exercise good business judgment in not having or maintaining an adequate DRP.
One thing you should look at both before and after a disaster is your insurance. "Before," it's an exercise in planning. What insurance do you have? What does it cover? What is the maximum under the policy? Does it cover "business interruption?" Does it cover reconstruction of records? Do you need to improve your coverage while you can?
"After," it's a salvage operation. The issue is how much you can collect to help you recover from the disaster. If you did the "before" part right, you will be helped immensely when you collect your insurance proceeds.
If you decide to use a third-party disaster recovery company to assist you with the preparation of a DRP and then provide you with assistance in case of a disaster, my best suggestion is that you review their proposed agreement carefully. Their "form" is just the starting point in the negotiation. They don't expect sophisticated parties to just sign on the dotted line.
These form agreements are extremely one-sided in favor of the vendor and they're always negotiable. Be sure to obtain the assistance of a lawyer who has real world experience with disaster planning. "After" the next disaster is not the time to find out that your contract is a disaster too.