e-Getting Your Back

Because this is a legal publication, let's begin with contracts ' literally. Even in a virtual firm, it is often necessary to check the terms of the firm's critical contracts, if they can be found when needed. Sometimes you must check termination dates ' to avoid missing deadlines and automatic rollover renewals or exercise valuable extension options. You may just want to see if the other party is complying. You almost always must provide them to a lender, merger suitor or potential investor in due diligence.

But what if the person who handled the matter ' and in whose e-mail the contract could have been found ' is no longer with the company, or had a hard-drive crash, or simply cleaned out his or her entire Inbox by hitting “delete all”? Electronic assets can be hard to locate if not properly administered, even though contract rights may be a virtual firm's key assets. Firms that practice good contract management should have no problem meeting these needs to supply copies on demand, whether the contracts are stored traditionally in paper files or electronically.

A bricks-and-mortar firm has always faced the same challenge of getting all relevant files into a useful storage location. On paper, the contract could be filed and found, eventually, by diligent effort (unless it had been thrown out). In the virtual firm, the point is not about the medium of storage, but rather that there be a storage system in place, with periodic monitoring for expiration dates, renewals and other digital equivalents of changing a car's oil and rotating its tires. Equally important, a tickler system linked to the contract-management system allows the firm to track all these critical events. A good contract tickler system will even remind you to shop for better terms that may be available in the then-current market as contracts approach expiration dates. It should also prompt you to update the certificates of insurance you have received from vendors, so that the insurance coverage you believe to be in place is actually there.

Don't Get Your Back Up About Backup

Because I mentioned the risks that occur when computers crash, let's turn next to backup services that (one must hope) preserve a copy of the Web site for use following a disaster. Backup was a hot topic 10 years ago, with the fear of what would happen with Y2K. Yet the same risks exist today whenever there is a power outage, or a possible virus or malware infection. The risk of being shut down also still exists whenever a system upgrade goes poorly due to software conflicts, or due to something as simple as a change of vendor to one whose software causes unexpected complications. In those cases, having an accessible, uncorrupted, copy of your Web site ' and data ' is critical to completing a timely return to business. While I do not propose to discuss the technical questions in picking the correct backup device (tape vs. disk vs. online backup, for example, and whether to encrypt data or not), I want to emphasize that a focus on simply having a backup service alone ignores the real legal and business risks to a firm that lives online.

For example, deciding what to back up is itself a tricky ' and potentially costly ' question, especially in firms that do not enforce strict policies against personal use of systems. Steven Henderson, systems administrator at Spector Gadon & Rosen, warns that doing a complete backup could simply amount to paying a third party to save material unrelated to the firm's business, such as personal music files, pictures or e-cards. And whatever is backed up must also be searched whenever a litigation hold is invoked. In other words, the more you save, the more you spend, not only on the backup service itself, but also on the cost of having to access it for reasons other than disaster recovery. (See, “Back Up for Recovery, Archive for Discovery: Accomplishing Two Important Processes with a Single Business-Process System,” in the September 2009 edition of e-Commerce Law & Strategy; www.ljnonline.com/issues/ljn_ecommerce/26_5/news/152684-1.html.)

Separate issues arise for firms in a regulated environment, where strict confidentiality must be maintained at all times for data, with limits on who may have access to it (especially in businesses subject to HIPAA and Sarbanes-Oxley rules). Who hasn't received a warning from a credit-card company that one's data may have been exposed in a security breach? Lawyers, too, must worry about unintended loss of privilege when selecting third-party backup providers. (See, “The Ethics of Online Backup Systems,” www.abanet.org/tech/ltrc/fyidocs/OBSethicsfyi.html, for a summary of state ethics rules concerning virtually backed up data.)

Apart from high-tech losses, business and confidentiality risks from simple physical loss still exist, from the need to remotely disable a laptop that walks away at an airport screening line or gets lost or stolen over a weekend, to one that goes missing from a hotel room. In all these cases, the value of the hardware is likely far less than the cost of having the data on the device fall into the wrong hands, including the steps that must be taken to prevent loss once the problem has been discovered. Even the cost of just getting the employee who lost it back to work can be large (not to mention the time it may take, and the diversion of the IT department's resources).

Check Up on Backup Options

The proliferation of mobile media, whether smartphones or flash drives, also causes system administrators to lose their hair, because all those backup and security issues now travel to ' and are left behind ' wherever a firm's employees take their devices, from the caf' to the pool. The American Bar Association (“ABA”) has posted links to a large collection of resource materials on legal and practical issues involving backup technologies at www.abanet.org/tech/ltrc/fyidocs/OBSethicsfyi.html and www.abanet.org/katrina/lawyerspractice.html. While tailored to the particular backup and disaster-recovery needs of law firms, the advice in the ABA materials really applies to any business storing electronic data that could be affected by a disaster ' which is to say, all firms. (The current infatuation with cloud computing ' off-site data-storage and data-processing ' combines this risk of allowing third parties to have access to your data with the contractual risk of the “software as a service (SAAS)” model: You must negotiate a price, probably at an additional cost, to get your own data back when the service contract ends.)

As an aside, whatever backup medium you choose, be sure to read the boilerplate in the provider's terms of service, and understand the limits of what you are getting. Many add disclaimers that vitiate true backup protection (as I discussed in “I Signed WHAT?!: The Brutish World of e-Commerce Terms and Conditions ' or, Why Goliath Sometimes Loses” and “What Your Terms and Conditions Tell Your Customers (and Do You Mean It?)” in the July and October 2008 editions, respectively, of e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/25_3/news/150654-1.html and www.ljnonline.com/issues/ljn_ecommerce/25_6/news/151144-1.html). Boilerplate clauses often further limit the customer's rights by imposing a cap on recovery equal to the purchase price of the service, regardless of the substantially higher cost of recreating data and Web pages. In addition, those in regulated or high-risk businesses must be careful of disclaimers denying the extra liability of protecting such firms, with so-called high-risk clauses, an example of which is:

High Risk Activity. You acknowledge and agree that the (backup vendor's) Products or Services are not intended for use with any high risk or strict liability activity, including, without limitation, air or space travel, technical building or structural design, power plant design or operation, life support or emergency medical operations or uses, and that (backup vendor) makes no warranty and shall have no liability arising from any Use of the (backup vendor's) Products or Services in any high risk or strict liability activities.

Therefore, as with other critical vendors, you should do financial and operational due diligence on your backup provider. Accepting that you will not likely be able to negotiate its boilerplate agreement, you should choose a firm whose track record gives hope that you will not have to challenge it, or that has a history of serving its customers' needs rather than hiding behind the boilerplate.

Can't Always Get What You Need? Try!

Backup protection is only a part of the back-office business challenge, and a small one at that. A real-world retailer that could not open its doors due, for example, to a fire or construction project that closed its access road, would face a crisis ' and these situations would apply even more so to an e-tailer that cannot go back live online immediately after a problem. While I have previously discussed some aspects of hosting risk (“Location, Location, Location,” Id.), I did not address the practical realities of getting back the Web site's contents in a timely fashion, an achievement that essentially boils down to the recovery of your online business.

For help with that question, I turned to an expert, Tom Dugan, president of Recovery Networks Inc. (www.recoverynetworks.com). “Backup is easy,” Dugan says. “Restoration is key ' and expensive.” According to Dugan, a focus solely on backing up data ignores the e-commerce seller's greatest need from backup and restoration vendors: to get back in business as quickly as possible. Here's a take on the issue from Dugan:

Let's face it: The only reason you back up is so that you can recover. If backup is all you ever wanted to do, send me your dollar and start copying data. For those of you who really want “backup with a purpose,” focus not on the backup but on the ability of your provider to actually recover your data.
For example, many of these new backup service providers back up your data off-site. That's great ' but if your company has a 100GB SQL database off-site, you'll never be able to download that over your Internet connection. So is it sufficient to have the vendor cut a disk and FedEx it to you? And, oh, they missed the FedEx shipment today so they'll ship it out tomorrow and you'll get it the following day by 10:00 a.m. By the way, you'll also need to reload the operating system and the applications and all the service packs and patches before you restore your data, because they only back up “data,” not “systems.” Luckily you have all day today ' and tomorrow ' and until 10:00 a.m. the following day to do all of that.

There are a few vendors out there who “get it” ' who understand that it's all about “recovery” and “access to data” as the key to providing the euphoria that comes with simple, complete backup and recovery. Some do this with changing the way we look at “backup,” and some do it with “replication,” but they all provide what you really want and were always afraid to ask for ' recovery. Regardless, before committing to a backup provider, consider the real goal of your “backup” needs ' namely, “recovery.”

Dugan also advocates prioritization of data restoration as a practical compromise to control recovery costs. What do you need to have today to get back in business and serve your customers, versus what you can postpone for a day or two, such as historical records? Dugan's comments highlight well the considerations involved in contracting for backup and restoration services. While good firms will most likely have a non-negotiable form you are required to sign (and if you haven't planned ahead for these needs, you certainly won't be in any position to negotiate while your site is down), you can shop for firms that will commit not only on pricing, but on performance, the speed of recovery and continued operations. You don't want to learn the “limits” of a “limited warranty” when the company delays getting your site back to life after a problem temporarily lays it to rest.

Finessing Integration

Recovery Networks' emphasis on combining complementary technologies to restore a firm's data or Web site leads naturally to the next stop on our tour of the e-commerce back office ' the systems integrator. That firm will put together the different technologies you need, and (you hope) ensure that they all work together to meet your e-commerce goals. For insight on that process, I spoke with Jay Gagne, chief technology officer of Razor Technology LLC (www.razor-tech.com). He emphasizes the “pitfalls of not doing it right the first time.” It is critically important, Gagne says, that the vendor understand each e-commerce seller's particular needs when picking back-office technology, rather than simply selling what will generate the biggest commission at the end of the fiscal quarter, or relying on industry generalizations to guess about the customer's needs. Instead, he devotes time, in advance, to determine the customer's current and future requirements, before buying anything.

Gagne reiterates Dugan's emphasis that these concerns are even more important for companies in regulated businesses, where inflexible laws may drive purchasing decisions far more than price or typical technology-driven requirements. He also warns that, whether regulated or not, the greatest cost of poor purchasing decisions may not be fines or penalties, but harm to a firm's reputation and goodwill if back-office systems cause problems in fulfilling customer orders or render the e-commerce site more difficult to use.

Gagne also advises that in today's difficult times, firms with funds to spend should consider negotiating pricing more aggressively. “Can you buy other than at the end of the quarter and get the same price?” he asks. “Absolutely. Competition is driving pricing today, not the end of a quarter. You can get the same price on Jan. 1 as on March 31.” He also suggests negotiating for bulk purchasing prices, with payment and delivery spread over time, in order to take advantage of quantity or volume discounts for which your firm might not qualify in better times.

But perhaps paradoxically for a chief technology officer, he also recognizes the importance of a human asset, psychology, in determining a firm's back-office needs ' understanding the e-commerce firm's “risk tolerance.” Depending on the competence and size of the company's IT staff, systems that require more “babysitting” may be less successful than they would be at larger firms, whose full-time staff can manage more work in-house, rather than hiring consultants paid by the hour. In addition, e-commerce firms must work with vendors who understand the challenges of constant system availability and maintenance, and can meet their needs for prompt satisfaction of orders. In particular, systems must be “e-commerce ready” out of the box, which may not describe back-office systems sold for less-stressful “enterprise” applications, whose buyers work on a more relaxed timetable.

To accomplish all these goals in selecting and purchasing back-office systems, Razor Technology's Gagne advises clients to look for partners, rather than mere suppliers.

Scrutinizing Supply Chain Issues

Having all your internal back-office software in place won't put inventory on your Web site to sell, however. You still need to establish a supply chain to purchase your saleables ' only when you need them. Buying too early ties up cash or availability on your line of credit, and buying too late leads to lost sales. For that process, many firms purchase software to automate procurement, often written specifically for a particular industry or even a large customer, such as national franchise outlets. Many large customers will specify their supply-chain management software partners to avoid problems that arise from dealing with too many companies and potentially incompatible software. While such systems may once have been licensed for on-site installation, today they are more likely to be licensed for delivery online, in the SAAS subscription model. As a result, there may be little choice in selecting such services and, therefore, little ability to negotiate the terms of the license agreement. Nonetheless, it is important to be certain that you have the latest versions to avoid incompatibilities with the customer's systems, which could lead to a loss of business.

But don't be fooled into assuming that just because a vendor has been “approved” or “recommended” by the end user that its software will always work, or work better than its competitors' products. Particularly when systems tie together multiple types of software, issues may arise that make it critical to protect one's own firm with the back-office resources described in this article (such as backup and recovery systems).

Don't Overlook Insurance Issues

When it all doesn't work together, insurance may be able to help, if the problems cause a loss of sales, or require major expenditures to fix, or both ' but purchasing coverage for an e-commerce firm is not as easy as insuring a building against fire. As Tripp Craig of NSM Insurance Group (www.nsminc.com) warns in this newsletter, buying insurance coverage for e-commerce firms is not only different from buying it for their bricks-and-mortar counterparts, but the amount of coverage available in the market can be quite limited (see, “Fraud, Fraud Everywhere (Nor Any Relief for the Victim): With Online Fraud Still Widespread, an Ounce of Prevention Can Mean a Future for e-Commerce Firms,” in the February 2009 edition of e-Commerce Law & Strategy; www.ljnonline.com/issues/ljn_ecommerce/25_10/news/151619-1.html). In that article, I quote Craig, a sales executive and risk-management consultant with NSM as saying: “Online exposures are very different than traditional brick-and-mortar businesses. It is very important for businesses utilizing e-commerce strategies of any type to work with an insurance broker committed to obtaining a complete understanding of intellectual property infringement, content and advertising, and employee dishonesty and computer fraud risks and exposures.” In addition to policies now available for the unique risks of e-commerce, he also warns that even with proper business-interruption coverage in place, to replace revenue (and income) lost during periods of systemic failure, recoveries will likely be very low ' placing all the more importance on thorough planning to have back-office systems in place to avoid incurring losses and creating insurance claims in the first place.

For that reason, NSM advises clients to buy insurance by considering what the trade calls the “total cost of risk,” all of the different types of losses a business can incur, rather than spending significant time and effort just shopping for the lowest premium quote. Craig lists three major components of that total cost of risk:

1. Preventive costs. Insurance premiums, identity-theft protection, and the data backup and restoration services discussed in this article.
2. Direct costs. Losses paid out in cash without reimbursement because they fall under deductibles or retentions, are uninsured, or are costs of regulatory compliance (such as OSHA or EPA plans).
3. Indirect costs. The harm to a firm's reputation in the marketplace and to employee morale from problems, not to mention the potentially significant administrative costs a firm bears to oversee its insurance program.

Instead, Craig recommends that e-commerce firms' insurance brokers follow the total cost of risk approach. He starts with an analysis of a client's operations to identify the high-impact areas that could affect its business. He then develops a strategic-action plan that prioritizes the steps necessary to minimize the total cost of risk, as so identified.

“The purchase and placement of insurance, and ensuring that the property and casualty insurance premiums a client pays each year are as competitive as possible are important,” Craig says. “Most clients, however, are much better served by engaging in a process with their insurance broker [that] results in a strategic plan designed to address not only the premiums paid but, more importantly, the areas [that] have a major impact on their total cost of risk. Data backup and restoration, supply-chain management and contract management are excellent examples of high-impact areas for many types of businesses. Addressing potential exposure in these areas, and developing a proactive plan before potential losses occur, can have a very positive impact on a client's total cost of risk, including insurance premiums.”

Professional Service Providers

Finally, there is one part of the e-commerce back office that is near and dear to my own firm's managing partner's heart ' the firm's professional-service providers. Being able to rely on counsel and accountants, as well as insurance brokers and other professional-service providers who understand the particular needs of e-commerce firms and the different response times for a business that truly operates in a “24-7 world” should transform dealing with what is by definition a difficult situation (such as a systems failure) into just another example of outsourcing to a qualified vendor and, one would hope, partner.

Conclusion

I opened this article by comparing the e-commerce back office with an iceberg, with most of the critical mass hidden from the view of the online shopper. If those systems are not in place, the iceberg analogy becomes even more apt. An iceberg can sink a ship and kill everyone on board if there aren't enough lifeboats, vests and protection systems in place in advance to save everyone. Without well-planned systems to “get the firm's back,” an e-commerce catastrophe can drown a company as well. The time to purchase that protection and, even more important, to begin thinking about it, is not when a disaster occurs or looms; instead, a solid back office should be part of an e-commerce firm's basic business plan from the firm's beginning.

Science tells us that most of an iceberg is hidden beneath the surface of the ocean. e-Commerce law tells us the same thing about Web-site development: The “Web front” that shoppers see can be dwarfed by the hidden, or invisible, “back office” ' the contracts, negotiations and software that make e-commerce Web sites possible.

Yet it is that back office that can be the difference between a profitable site and one, like a true iceberg, that is merely adrift and fraught with potential hazards. I discussed the nuances of one back-office need, a Web-hosting agreement, in November (see, “Location, Location, Location” in the November 2009 edition of e-Commerce Law & Strategy; www.ljnonline.com/issues/ljn_ecommerce/26_7/news/152929-1.html), but there are many other critical components that must be handled behind the scenes.

Dot the I's Before Signing the Dotted Line

Because this is a legal publication, let's begin with contracts ' literally. Even in a virtual firm, it is often necessary to check the terms of the firm's critical contracts, if they can be found when needed. Sometimes you must check termination dates ' to avoid missing deadlines and automatic rollover renewals or exercise valuable extension options. You may just want to see if the other party is complying. You almost always must provide them to a lender, merger suitor or potential investor in due diligence.

But what if the person who handled the matter ' and in whose e-mail the contract could have been found ' is no longer with the company, or had a hard-drive crash, or simply cleaned out his or her entire Inbox by hitting “delete all”? Electronic assets can be hard to locate if not properly administered, even though contract rights may be a virtual firm's key assets. Firms that practice good contract management should have no problem meeting these needs to supply copies on demand, whether the contracts are stored traditionally in paper files or electronically.

A bricks-and-mortar firm has always faced the same challenge of getting all relevant files into a useful storage location. On paper, the contract could be filed and found, eventually, by diligent effort (unless it had been thrown out). In the virtual firm, the point is not about the medium of storage, but rather that there be a storage system in place, with periodic monitoring for expiration dates, renewals and other digital equivalents of changing a car's oil and rotating its tires. Equally important, a tickler system linked to the contract-management system allows the firm to track all these critical events. A good contract tickler system will even remind you to shop for better terms that may be available in the then-current market as contracts approach expiration dates. It should also prompt you to update the certificates of insurance you have received from vendors, so that the insurance coverage you believe to be in place is actually there.

Don't Get Your Back Up About Backup

Because I mentioned the risks that occur when computers crash, let's turn next to backup services that (one must hope) preserve a copy of the Web site for use following a disaster. Backup was a hot topic 10 years ago, with the fear of what would happen with Y2K. Yet the same risks exist today whenever there is a power outage, or a possible virus or malware infection. The risk of being shut down also still exists whenever a system upgrade goes poorly due to software conflicts, or due to something as simple as a change of vendor to one whose software causes unexpected complications. In those cases, having an accessible, uncorrupted, copy of your Web site ' and data ' is critical to completing a timely return to business. While I do not propose to discuss the technical questions in picking the correct backup device (tape vs. disk vs. online backup, for example, and whether to encrypt data or not), I want to emphasize that a focus on simply having a backup service alone ignores the real legal and business risks to a firm that lives online.

For example, deciding what to back up is itself a tricky ' and potentially costly ' question, especially in firms that do not enforce strict policies against personal use of systems. Steven Henderson, systems administrator at Spector Gadon & Rosen, warns that doing a complete backup could simply amount to paying a third party to save material unrelated to the firm's business, such as personal music files, pictures or e-cards. And whatever is backed up must also be searched whenever a litigation hold is invoked. In other words, the more you save, the more you spend, not only on the backup service itself, but also on the cost of having to access it for reasons other than disaster recovery. (See, “Back Up for Recovery, Archive for Discovery: Accomplishing Two Important Processes with a Single Business-Process System,” in the September 2009 edition of e-Commerce Law & Strategy; www.ljnonline.com/issues/ljn_ecommerce/26_5/news/152684-1.html.)

Separate issues arise for firms in a regulated environment, where strict confidentiality must be maintained at all times for data, with limits on who may have access to it (especially in businesses subject to HIPAA and Sarbanes-Oxley rules). Who hasn't received a warning from a credit-card company that one's data may have been exposed in a security breach? Lawyers, too, must worry about unintended loss of privilege when selecting third-party backup providers. (See, “The Ethics of Online Backup Systems,” www.abanet.org/tech/ltrc/fyidocs/OBSethicsfyi.html, for a summary of state ethics rules concerning virtually backed up data.)

Apart from high-tech losses, business and confidentiality risks from simple physical loss still exist, from the need to remotely disable a laptop that walks away at an airport screening line or gets lost or stolen over a weekend, to one that goes missing from a hotel room. In all these cases, the value of the hardware is likely far less than the cost of having the data on the device fall into the wrong hands, including the steps that must be taken to prevent loss once the problem has been discovered. Even the cost of just getting the employee who lost it back to work can be large (not to mention the time it may take, and the diversion of the IT department's resources).

Check Up on Backup Options

The proliferation of mobile media, whether smartphones or flash drives, also causes system administrators to lose their hair, because all those backup and security issues now travel to ' and are left behind ' wherever a firm's employees take their devices, from the caf' to the pool. The American Bar Association (“ABA”) has posted links to a large collection of resource materials on legal and practical issues involving backup technologies at www.abanet.org/tech/ltrc/fyidocs/OBSethicsfyi.html and www.abanet.org/katrina/lawyerspractice.html. While tailored to the particular backup and disaster-recovery needs of law firms, the advice in the ABA materials really applies to any business storing electronic data that could be affected by a disaster ' which is to say, all firms. (The current infatuation with cloud computing ' off-site data-storage and data-processing ' combines this risk of allowing third parties to have access to your data with the contractual risk of the “software as a service (SAAS)” model: You must negotiate a price, probably at an additional cost, to get your own data back when the service contract ends.)

As an aside, whatever backup medium you choose, be sure to read the boilerplate in the provider's terms of service, and understand the limits of what you are getting. Many add disclaimers that vitiate true backup protection (as I discussed in “I Signed WHAT?!: The Brutish World of e-Commerce Terms and Conditions ' or, Why Goliath Sometimes Loses” and “What Your Terms and Conditions Tell Your Customers (and Do You Mean It?)” in the July and October 2008 editions, respectively, of e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/25_3/news/150654-1.html and www.ljnonline.com/issues/ljn_ecommerce/25_6/news/151144-1.html). Boilerplate clauses often further limit the customer's rights by imposing a cap on recovery equal to the purchase price of the service, regardless of the substantially higher cost of recreating data and Web pages. In addition, those in regulated or high-risk businesses must be careful of disclaimers denying the extra liability of protecting such firms, with so-called high-risk clauses, an example of which is:

High Risk Activity. You acknowledge and agree that the (backup vendor's) Products or Services are not intended for use with any high risk or strict liability activity, including, without limitation, air or space travel, technical building or structural design, power plant design or operation, life support or emergency medical operations or uses, and that (backup vendor) makes no warranty and shall have no liability arising from any Use of the (backup vendor's) Products or Services in any high risk or strict liability activities.

Therefore, as with other critical vendors, you should do financial and operational due diligence on your backup provider. Accepting that you will not likely be able to negotiate its boilerplate agreement, you should choose a firm whose track record gives hope that you will not have to challenge it, or that has a history of serving its customers' needs rather than hiding behind the boilerplate.

Can't Always Get What You Need? Try!

Backup protection is only a part of the back-office business challenge, and a small one at that. A real-world retailer that could not open its doors due, for example, to a fire or construction project that closed its access road, would face a crisis ' and these situations would apply even more so to an e-tailer that cannot go back live online immediately after a problem. While I have previously discussed some aspects of hosting risk (“Location, Location, Location,” Id.), I did not address the practical realities of getting back the Web site's contents in a timely fashion, an achievement that essentially boils down to the recovery of your online business.

For help with that question, I turned to an expert, Tom Dugan, president of Recovery Networks Inc. (www.recoverynetworks.com). “Backup is easy,” Dugan says. “Restoration is key ' and expensive.” According to Dugan, a focus solely on backing up data ignores the e-commerce seller's greatest need from backup and restoration vendors: to get back in business as quickly as possible. Here's a take on the issue from Dugan:

Let's face it: The only reason you back up is so that you can recover. If backup is all you ever wanted to do, send me your dollar and start copying data. For those of you who really want “backup with a purpose,” focus not on the backup but on the ability of your provider to actually recover your data.
For example, many of these new backup service providers back up your data off-site. That's great ' but if your company has a 100GB SQL database off-site, you'll never be able to download that over your Internet connection. So is it sufficient to have the vendor cut a disk and FedEx it to you? And, oh, they missed the FedEx shipment today so they'll ship it out tomorrow and you'll get it the following day by 10:00 a.m. By the way, you'll also need to reload the operating system and the applications and all the service packs and patches before you restore your data, because they only back up “data,” not “systems.” Luckily you have all day today ' and tomorrow ' and until 10:00 a.m. the following day to do all of that.

There are a few vendors out there who “get it” ' who understand that it's all about “recovery” and “access to data” as the key to providing the euphoria that comes with simple, complete backup and recovery. Some do this with changing the way we look at “backup,” and some do it with “replication,” but they all provide what you really want and were always afraid to ask for ' recovery. Regardless, before committing to a backup provider, consider the real goal of your “backup” needs ' namely, “recovery.”

Dugan also advocates prioritization of data restoration as a practical compromise to control recovery costs. What do you need to have today to get back in business and serve your customers, versus what you can postpone for a day or two, such as historical records? Dugan's comments highlight well the considerations involved in contracting for backup and restoration services. While good firms will most likely have a non-negotiable form you are required to sign (and if you haven't planned ahead for these needs, you certainly won't be in any position to negotiate while your site is down), you can shop for firms that will commit not only on pricing, but on performance, the speed of recovery and continued operations. You don't want to learn the “limits” of a “limited warranty” when the company delays getting your site back to life after a problem temporarily lays it to rest.

Finessing Integration

Recovery Networks' emphasis on combining complementary technologies to restore a firm's data or Web site leads naturally to the next stop on our tour of the e-commerce back office ' the systems integrator. That firm will put together the different technologies you need, and (you hope) ensure that they all work together to meet your e-commerce goals. For insight on that process, I spoke with Jay Gagne, chief technology officer of Razor Technology LLC (www.razor-tech.com). He emphasizes the “pitfalls of not doing it right the first time.” It is critically important, Gagne says, that the vendor understand each e-commerce seller's particular needs when picking back-office technology, rather than simply selling what will generate the biggest commission at the end of the fiscal quarter, or relying on industry generalizations to guess about the customer's needs. Instead, he devotes time, in advance, to determine the customer's current and future requirements, before buying anything.

Gagne reiterates Dugan's emphasis that these concerns are even more important for companies in regulated businesses, where inflexible laws may drive purchasing decisions far more than price or typical technology-driven requirements. He also warns that, whether regulated or not, the greatest cost of poor purchasing decisions may not be fines or penalties, but harm to a firm's reputation and goodwill if back-office systems cause problems in fulfilling customer orders or render the e-commerce site more difficult to use.

Gagne also advises that in today's difficult times, firms with funds to spend should consider negotiating pricing more aggressively. “Can you buy other than at the end of the quarter and get the same price?” he asks. “Absolutely. Competition is driving pricing today, not the end of a quarter. You can get the same price on Jan. 1 as on March 31.” He also suggests negotiating for bulk purchasing prices, with payment and delivery spread over time, in order to take advantage of quantity or volume discounts for which your firm might not qualify in better times.

But perhaps paradoxically for a chief technology officer, he also recognizes the importance of a human asset, psychology, in determining a firm's back-office needs ' understanding the e-commerce firm's “risk tolerance.” Depending on the competence and size of the company's IT staff, systems that require more “babysitting” may be less successful than they would be at larger firms, whose full-time staff can manage more work in-house, rather than hiring consultants paid by the hour. In addition, e-commerce firms must work with vendors who understand the challenges of constant system availability and maintenance, and can meet their needs for prompt satisfaction of orders. In particular, systems must be “e-commerce ready” out of the box, which may not describe back-office systems sold for less-stressful “enterprise” applications, whose buyers work on a more relaxed timetable.

To accomplish all these goals in selecting and purchasing back-office systems, Razor Technology's Gagne advises clients to look for partners, rather than mere suppliers.

Scrutinizing Supply Chain Issues

Having all your internal back-office software in place won't put inventory on your Web site to sell, however. You still need to establish a supply chain to purchase your saleables ' only when you need them. Buying too early ties up cash or availability on your line of credit, and buying too late leads to lost sales. For that process, many firms purchase software to automate procurement, often written specifically for a particular industry or even a large customer, such as national franchise outlets. Many large customers will specify their supply-chain management software partners to avoid problems that arise from dealing with too many companies and potentially incompatible software. While such systems may once have been licensed for on-site installation, today they are more likely to be licensed for delivery online, in the SAAS subscription model. As a result, there may be little choice in selecting such services and, therefore, little ability to negotiate the terms of the license agreement. Nonetheless, it is important to be certain that you have the latest versions to avoid incompatibilities with the customer's systems, which could lead to a loss of business.

But don't be fooled into assuming that just because a vendor has been “approved” or “recommended” by the end user that its software will always work, or work better than its competitors' products. Particularly when systems tie together multiple types of software, issues may arise that make it critical to protect one's own firm with the back-office resources described in this article (such as backup and recovery systems).

Don't Overlook Insurance Issues

When it all doesn't work together, insurance may be able to help, if the problems cause a loss of sales, or require major expenditures to fix, or both ' but purchasing coverage for an e-commerce firm is not as easy as insuring a building against fire. As Tripp Craig of NSM Insurance Group (www.nsminc.com) warns in this newsletter, buying insurance coverage for e-commerce firms is not only different from buying it for their bricks-and-mortar counterparts, but the amount of coverage available in the market can be quite limited (see, “Fraud, Fraud Everywhere (Nor Any Relief for the Victim): With Online Fraud Still Widespread, an Ounce of Prevention Can Mean a Future for e-Commerce Firms,” in the February 2009 edition of e-Commerce Law & Strategy; www.ljnonline.com/issues/ljn_ecommerce/25_10/news/151619-1.html). In that article, I quote Craig, a sales executive and risk-management consultant with NSM as saying: “Online exposures are very different than traditional brick-and-mortar businesses. It is very important for businesses utilizing e-commerce strategies of any type to work with an insurance broker committed to obtaining a complete understanding of intellectual property infringement, content and advertising, and employee dishonesty and computer fraud risks and exposures.” In addition to policies now available for the unique risks of e-commerce, he also warns that even with proper business-interruption coverage in place, to replace revenue (and income) lost during periods of systemic failure, recoveries will likely be very low ' placing all the more importance on thorough planning to have back-office systems in place to avoid incurring losses and creating insurance claims in the first place.

For that reason, NSM advises clients to buy insurance by considering what the trade calls the “total cost of risk,” all of the different types of losses a business can incur, rather than spending significant time and effort just shopping for the lowest premium quote. Craig lists three major components of that total cost of risk:

1. Preventive costs. Insurance premiums, identity-theft protection, and the data backup and restoration services discussed in this article.
2. Direct costs. Losses paid out in cash without reimbursement because they fall under deductibles or retentions, are uninsured, or are costs of regulatory compliance (such as OSHA or EPA plans).
3. Indirect costs. The harm to a firm's reputation in the marketplace and to employee morale from problems, not to mention the potentially significant administrative costs a firm bears to oversee its insurance program.

Instead, Craig recommends that e-commerce firms' insurance brokers follow the total cost of risk approach. He starts with an analysis of a client's operations to identify the high-impact areas that could affect its business. He then develops a strategic-action plan that prioritizes the steps necessary to minimize the total cost of risk, as so identified.

“The purchase and placement of insurance, and ensuring that the property and casualty insurance premiums a client pays each year are as competitive as possible are important,” Craig says. “Most clients, however, are much better served by engaging in a process with their insurance broker [that] results in a strategic plan designed to address not only the premiums paid but, more importantly, the areas [that] have a major impact on their total cost of risk. Data backup and restoration, supply-chain management and contract management are excellent examples of high-impact areas for many types of businesses. Addressing potential exposure in these areas, and developing a proactive plan before potential losses occur, can have a very positive impact on a client's total cost of risk, including insurance premiums.”

Professional Service Providers

Finally, there is one part of the e-commerce back office that is near and dear to my own firm's managing partner's heart ' the firm's professional-service providers. Being able to rely on counsel and accountants, as well as insurance brokers and other professional-service providers who understand the particular needs of e-commerce firms and the different response times for a business that truly operates in a “24-7 world” should transform dealing with what is by definition a difficult situation (such as a systems failure) into just another example of outsourcing to a qualified vendor and, one would hope, partner.

Conclusion

I opened this article by comparing the e-commerce back office with an iceberg, with most of the critical mass hidden from the view of the online shopper. If those systems are not in place, the iceberg analogy becomes even more apt. An iceberg can sink a ship and kill everyone on board if there aren't enough lifeboats, vests and protection systems in place in advance to save everyone. Without well-planned systems to “get the firm's back,” an e-commerce catastrophe can drown a company as well. The time to purchase that protection and, even more important, to begin thinking about it, is not when a disaster occurs or looms; instead, a solid back office should be part of an e-commerce firm's basic business plan from the firm's beginning.