Issuing Refunds to Accounts Terminated for Abuse

SenseiSteve

HD Moderator
Staff member
Read a thread elsewhere where the OP was complaining about being denied a refund after their account was terminated for abuse. I'm simply curious how other web hosting providers would react to a request for a refund given this circumstance?
 
Terms of Service should have this particular incident clearly outlined.

For us, we terminated and did not issue a refund, but quoted our TOS in a response/notice to the client.

I did have some incidents where we terminated the relationship due to abuse of staff in which I issued a partial or full refund and provided the ZIP files for their site. But those were very isolated cases.

The TOS should cover nearly every possible scenario, and incidents of abuse should be documented and saved should there be any litigation or disputes with legal teams or credit card companies.
 
Agreed. It's a sad reality that the vast majority of small hosting providers don't dedicate nearly enough time or attention to getting their TOS right.
Yes, some I see are just basic copied TOS with little detail, and I have even seen TOS where they have not even bothered to change the name of where they copied them from.

I asked one of my M8s who was a manager of the local trading standards office (UK) about a point I wanted to add to my TOS, he asked me to send him a full copy of my TOS and he would have one of the staff go through it.
When it came back it was like me having to do a full rewrite as the number of bits they removed, bits added, and bits changed, but I knew it complied with current legislation.

But going back to the original question.

If I terminated an account for abuse, they got no refund, no matter what terms they had, so if they paid 12 mths and abused after a couple of weeks then tough, no refund, they should not have abused the server.

Regarding site files, this depends on the content. If just a normal website then I would give them 7 days to contact me regarding getting a copy of their files. If the site had abusive content, the files would be removed without them getting a copy.
 
We provide no refunds to customers that have received abuse reports or have uploaded malicious content on our servers. We also do not provide them with any backups of the files if the abuse was related to phishing or scam. It's stated in our Terms under what conditions we offer refunds. We don't encourage such activities :)
 
In this scenario, it is important to have a strong and robust Terms of Service which covers this subject, in my case, I have this line:

"We reserve the right to refuse a refund request if we believe the request is fraudulent or violates our terms of service. We may also refuse a refund request if we believe the customer is abusing our refund policy."

That right there covers me in this scenario, and uses the keyword "believe" so no proof is required to send to the client... Although, it is certainly useful to retain any proof of violations just in case later.
 
For me, the best way to handle this case is:
1. Send a mail to the client about the abuse, in most instances it can be solved by contacting the client, allowing sometimes to resolve the abuse
2. If no response from the client, then suspending the account after certain hours of standard time.
3. But if the abuse involves child pornography, phishing, harmful attacks, illegal activity then termination can be done by providing 3-12 hours notice beforehand. But, there may be some possibility that the website might be hacked or compromised, so I do a full account backup before proceeding with termination in extreme cases.

In conclusion, I always recommend to backup the account before termination and then the backup file to the client.
 
If it involves child pornography, phishing, harmful attacks, illegal activity then a backup will be done and this will be handed to the relevant law enforcement agency along with the client's details (no breach of data protection as it is being handed to law enforcement) and the account will be terminated with immediate effect and the client will not get any refund or backup of the files, as why hand them a backup of their child pornography, phishing, harmful attacks, illegal activity files, so they can just set up with another host. Also if it is child pornography, phishing, harmful attacks, illegal activity and you hand them a backup of these files then you can also get charged with aiding them.
 
As everybody said you have to have a proper TOS setup for these scenarios.

We particularly like most here do not offer a refund in the case of abuse.

In fact with most of our services from hosting to design or consultation work as soon as you breach the contract by the client we have the right to terminate with no refund.

It is something that causes damage to us, our reputation and/or loss of time and planning and we need to be compensated for that.

You are actively and knowingly risking damaging our business directly or indirectly.

So while we will make an assessment of what to do we ensure we have the right to take it as far as we can.

In terms of their content, it's their responsibility to get it before the termination, they are informed except in the case of illegal activities.

I think most web hosting companies do it in this manner more or less.
 
Make it crystal clear in the ToS that abusing your web hosting platform will get the site terminated without a refund.
People should not be abusing web hosting platforms, especially if it's a small hosting platform. They are the weakest.
Also, make sure to send an email out to the client and tell them that abusing your platform will get the site terminated. I tend to send emails out with a few hours notice (usually 24 hours notice).
Good luck!
 
I tend to send emails out with a few hours notice (usually 24 hours notice).
WHY!
If they abused your services etc. then it should be a case of immediate termination no refund and no files.

Think if they used your server to send out phishing emails to scam people, you just emailed them and gave them 24 hrs to get their files off your server so they can upload the files to a server elsewhere and continue their scam.

Just terminate the account so they don't get the files to upload elsewhere.

A scammer will not contact you asking for the files as they know by termination they have been found out.
 
It's a good practice to send emails before termination. It isn't always 24 hours though, sometimes it's even 1-3. I just say in the email that it's 'up to 24 hours'.
Just terminate the account
This worries me though. 'Just' terminating accounts can have a serious impact if it is done by mistake. I always create backups before terminating in case it's done by mistake. If it is something like a scam (in this case), I copy it and hand all of the information over to law enforcement.
 
You can tell if a mistake or not. If someone is sending phishing emails you can look at their files and see the landing page file. In cases like this it's an immediate termination as why give them warning. A good host will do regular backups of their servers for their use. So why allow the fraudsters 24hrs to send out more emails to rob people and take copies of their files. Terminate to stop their fraud, they won't contact you regarding this, hand details to law enforcement, but 9/10 they gave false name and address and a free gmail account so if these get closed they just set up a new one.
If you suspect a mistake then suspend account so they cannot use it then inform client they have 24 hrs to contact you otherwise it will be terminated to protect server.
 
You can tell if a mistake or not. If someone is sending phishing emails you can look at their files and see the landing page file. In cases like this it's an immediate termination as why give them warning.
Good point. Well noted.
So why allow the fraudsters 24hrs to send out more emails to rob people and take copies of their files.
The reason I said 24 hours was because I was mentioning the maximum time I give until I suspend accounts. For scams I would allow 1-3 hours.
A good host will do regular backups of their servers for their use.
And yes, we do take weekly backups.
If you suspect a mistake then suspend account so they cannot use it then inform client they have 24 hrs to contact you otherwise it will be terminated to protect server.
This would be a better solution, and I will stick to doing this in the future.
Thanks for your replies! Appreciate it.
 
You have to think if you have a VPS with 50+ websites and you have 1 suspected phishing site then the 1st point is suspend account, inform client and then check through the site's files, if it's definitely a phishing site then terminate. If you suspect it's been hacked then keep suspended, inform client and ask them for a clean copy of the files, then inform the client you will be removing all the files from the site to protect others on the server, as a rogue file on 1 account could give hackers access to the whole server and if you do nothing then your upstream provider can close down your server to protect their DC.
 
Actually, weekly backups are usually not part of a good data protection policy. You should think about at least daily backups, if not hourly for the databases. And the retention should be as much as possible, to be able to look back in the past, to a point there were no issues.
 
Actually, weekly backups are usually not part of a good data protection policy.
Are you sure?
It works fine with us. We have had no issues so far.
You should think about at least daily backups, if not hourly for the databases.
We cannot afford the storage space. Especially if we are going hourly for the databases.
And the retention should be as much as possible
We keep data every 4 weeks and then it gets deleted.
Thanks for letting me know.
 
Get a cheap VPS (no need for paid OS) then something like JetBackup and do daily incremental backups. This way you have daily backups in a diff DC to your servers.
Simple scenario:
You backup every Mon., so you have a client who is working on his website and done a load of work on it from Mon to Wed. Then Wed he does something that messes his website up, so contacts you to reinstall using latest backup, but you only have Mon one, so customer lost 2 days work, you won't be in customer's good books. I know we all tell customers to take own backups, but most don't.
 
Actually, weekly backups are usually not part of a good data protection policy. You should think about at least daily backups, if not hourly for the databases. And the retention should be as much as possible, to be able to look back in the past, to a point there were no issues.

This entirely depends on the type of clients you're hosting.

If you have an e-commerce site or a membership site where things change daily or hourly, then yes, hourly backups are a good thing (depending if they have people that can determine what hour the issue occurred).

However, most websites are fairly static sites. As such, changes don't happen daily, heck, most times they don't even happen monthly! So files and database may not need to be on such a stringent backup schedule.

I'm not talking about emails, I'm strictly talking about the files and database of a site.

I've also found that asking the simple question of "how often do you need backups" as part of the signup process, you'll find people selecting weekly or monthly versus hourly. You can then set your SLA for that user to be under "monthly" backups, and save money when it comes to making, storing, and transferring backups to other machines for storage. Everything costs money, including bandwidth.
 