Software-as-a-service (SaaS) is attractive to IT departments because of its low upfront cost benefits, but it can be a legal minefield if businesses fail to conduct a proper risk analysis.
SaaS enables IT directors to transfer software costs to operational budgets to reduce pressure on capital expenses. It helps reduce software support costs and can be deployed quickly to meet business needs. But these benefits should not blind businesses to legal pitfalls.
Andrew Hartshorn, partner at law firm Shakespeare Putsman, warns that businesses run the risk that SaaS will not meet specific needs if they fail to understand all elements of a SaaS contract.
SaaS providers can use contracts to attempt to escape responsibility for accuracy of data, loss of data, availability of the service and even infections by malware through the service, says Hartshorn.
"If the software is being used for critical transactions, businesses need to be clear who is responsible for any potential downtime," says Mark Lewis, partner at law firm Berwin Leighton Paisner.
IT departments must know upfront what service levels the SaaS provider is committing to, especially if transmission times and reliability are critical.
Some SaaS contracts Hartshorn has seen have gone so far as allowing service providers to confiscate customer data if they terminate the contract early or fail to pay for the service.
Businesses often forget regulatory requirements for data protection, confidentiality and privacy. This can expose businesses using SaaS to unnecessary risk of prosecution or fines, says Andrew Scott, partner at law firm Dickinson Dees.
Businesses considering SaaS must understand exactly how their data will be transmitted and secured, says Dai Davis, partner at law firm Brooke North.
The Data Protection Act (DPA) requires organisations to ensure strict control over the way personal data is handled, even by third-party outsourcers.
This is particularly important for organisations that fall under the Financial Services Authority (FSA), which has assiduously enforced data protection rules.
Unlike the Information Commissioner's Office (ICO), the FSA has taken strong punitive action against transgressors, says Davis.
This includes those flouting the DPA requirement for information to be stored and transmitted only within the European Union.
Nigel Hartnell, executive director of FFastFill, a SaaS provider to the financial sector, says getting the contracts right in terms of the DPA took a lot of hard work.
All security and compliance policies are spelled out in the contract, says Hartnell, to provide assurances that our business practices meet sector requirements.
FFastFill also allows customers to specify where they would like to store company data, which is kept separately from the electronic trading software service, he says.
SaaS contracts require the same amount of care as traditional outsourcing agreements when it comes to regulatory compliance, says Scott.
The SaaS model does not work in every context, he says, and IT directors have to select services carefully, with legal and regulatory requirements in mind.
"Businesses must ensure they select only SaaS services that enable them to avoid key business-specific risks, or at least manage them to a reasonable level," says Scott.
SaaS demands careful risk analysis, and businesses would do well to balance this risk against the benefits before rushing into anything in pursuit of quick cost savings.