Software-as-a-service can be a legal minefield and businesses
should ensure they are aware of the risks before rushing in, say IT
lawyers.
The potential pitfalls were laid bare at a conference on the
software-as-a-service (SaaS) business model in London
yesterday.
The conference was organised by IT industry association
Intellect, advocacy group Grid Computing Now and software
anti-piracy organisation Fast.
Businesses need to understand all elements of a service contract
to make an accurate risk analysis, said Andrew Hartshorn, partner
at law firm Shakespeare Putsman.
Organisations should pay particular attention to contract
exclusions as SaaS providers typically seek to limit their
liability, he said.
According to Hartshorn, these can include responsibility for
accuracy of data, loss of data, availability of service and
infection by malware through the service.
Some contracts also place limitations on usage of the service
and storage, so organisations need to be aware of the risk of
additional charges, he said.
Businesses considering SaaS must also understand exactly how
their data is transmitted, stored and secured, said Dai Davis,
partner at law firm Brooke North.
This is particularly important for organisations that need to
comply with the Data Protection Act (DPA), such as those in the
financial services sector, he said.
These organisations could be liable for prosecution if they
trust their data to SaaS providers that do not comply with DPA
requirements.
These include taking adequate steps to protect data and ensuring
that it is not stored or transmitted outside the European Union,
said Davis.
Businesses should sign up with SaaS suppliers only if they are
comfortable with all aspects of the contracts after a full risk
analysis, both lawyers said.