
Ethics: Web host neglected its duties, so consultant told host's clients

When a Web hosting service was endangering the data of its clients, a consultant took it upon himself to let the host's clients know, even though he could have jeopardized his relationships with other clients. What would you have done?


When a consultant whose company runs an online backup service learned that a client’s Web hosting service wasn’t performing data backups, it was just one example of the problems he would encounter with “CarelessWebHost.”

The host’s negligence was alarming, but even worse was the fact that two nonprofit organizations were using the host’s services, leaving both agencies open to ruin if disaster struck. Here’s the consultant's story and what he chose to do. What would you have done?

My dealings with CarelessWebHost
As part of our online backup service, we install software on the client's computer and set up which files they want backed up and when. Once it’s set up, the backup is automatic and goes out over the Internet in secure packets to our server.

We finally landed a major client, MyClient, which we had been courting for more than a year. MyClient asked me to work closely with a Web development firm, CarelessWebHost, which it had hired to revamp its Web site and oversee and maintain its intranet.

While I was in the CarelessWebHost server room, which it shares with two nonprofit organizations in the same building (we’ll call them Tape1 and Tape2), I noticed that all three companies—MyClient, Tape1, and Tape2—had their backup tapes sitting on the server out in the open. The tapes in the drives were from at least two days prior. To make matters worse, the tapes were neither being rotated nor taken out of the server room or off-site (in case of a fire or some other disaster at the Web host site), even though these duties were part of CarelessWebHost’s contract with all three companies.

I noticed this during several visits to CarelessWebHost and even took a photograph as an example of what not to do with backup tapes.

Potential for problems
The server room was open to anyone who entered the building. Plus, the tapes were directly below a fire sprinkler. There was no doubt that Tape1 and Tape2 were at risk of losing their data. If the disaster was bad enough, these two companies could easily go out of business.

To complicate matters, I had to go through CarelessWebHost to get our service approved for MyClient. The CarelessWebHost contact dragged his feet on everything, and I had to find ways to work around his roadblocks without having to go over his head.

We finally got the online backup addressed by forcing the issue. However, it didn't stop there. I made several calls on our new client to install our service and found out that I couldn't because of problems that CarelessWebHost hadn’t corrected. This was after I had reported these problems to CarelessWebHost, which had assured me that the issues had been resolved.

Because I couldn't get CarelessWebHost to resolve the issues that prevented me from installing our frontline software, I decided to go it alone and install our second-line backup software on MyClient's server. My company got MyClient backing up automatically over the Internet to our server, despite CarelessWebHost and its unwillingness or inability to resolve even the simplest of network issues.

The dilemma
My dilemma was this: Should I tell the two nonprofits what was going on with their backups? If I did, it could possibly jeopardize my relationship with MyClient and CarelessWebHost, which I would need to land Tape1 and Tape2 as clients.

If I did nothing and there was a significant data loss for Tape1 or Tape2 or both, the results would be devastating for the two cash-strapped nonprofits.

To resolve the situation, I pitched our services to Tape1 by e-mail and to Tape2 over the phone. Tape1 responded by e-mail that it was “covered” with its contract with CarelessWebHost.

On the phone with Tape2, I mentioned that we were backing up MyClient and described how we were doing so. Tape2 gave me the same response as Tape1: “We’re covered.” I then told Tape2 about CarelessWebHost’s negligence.

I finished by telling the woman at Tape2 that the tape I last saw in its server tape drive was from at least two days before and that the same was true of Tape1.

She became very agitated and asked me if I had made this known to Tape1, to which I responded, "I have talked to them on several occasions about their backups, to which they have always told me 'We're covered.'" She said she would discuss it with Tape1.

Had I not told the nonprofits that the backup service wasn’t being performed, I doubt anyone would have been aware of my knowledge of the situation in the server room. But my conscience would have bothered me, knowing that I may have been able to prevent a disaster and did nothing.

That is where I left it. I had fulfilled my obligation to offer my knowledge to protect these companies from financial harm, possibly even bankruptcy. What they do with the information, which will probably be nothing, is up to them.
