Business needs to balance SaaS benefit and risk

Software-as-a-service (SaaS) is attractive to IT departments because of its low upfront cost, but it can be a legal minefield if businesses fail to conduct a proper risk analysis.

SaaS enables IT directors to transfer software costs to operational budgets, reducing pressure on capital expenditure. It helps reduce software support costs and can be deployed quickly to meet business needs. But these benefits should not blind businesses to the legal pitfalls.

Andrew Hartshorn, partner at law firm Shakespeare Putsman, warns that businesses run the risk that SaaS will not meet specific needs if they fail to understand all elements of a SaaS contract.

SaaS providers can use contracts to attempt to escape responsibility for accuracy of data, loss of data, availability of the service and even infections by malware through the service, says Hartshorn.

"If the software is being used for critical transactions, businesses need to be clear who is responsible for any potential downtime," says Mark Lewis, partner at law firm Berwin Leighton Paisner.

IT departments must know upfront what service levels the SaaS provider is committing to, especially if transmission times and reliability are critical.

Some SaaS contracts Hartshorn has seen have gone so far as allowing service providers to confiscate customer data if they terminate the contract early or fail to pay for the service.

Businesses often forget regulatory requirements for data protection, confidentiality and privacy. This can expose businesses using SaaS to unnecessary risk of prosecution or fines, says Andrew Scott, partner at law firm Dickinson Dees.

Businesses considering SaaS must understand exactly how their data will be transmitted and secured, says Dai Davis, partner at law firm Brooke North.

The Data Protection Act (DPA) requires organisations to ensure strict control over the way personal data is handled, even by third party outsourcers.

This is particularly important for organisations that fall under the Financial Services Authority (FSA), which has assiduously enforced data protection rules.

Unlike the Information Commissioner's Office (ICO), the FSA has taken strong punitive action against transgressors, says Davis.

This includes those flouting the DPA requirement for information to be stored and transmitted only within the European Union.

Nigel Hartnell, executive director of FFastFill, a SaaS provider to the financial sector, says getting the contracts right in terms of the DPA took a lot of hard work.

"All security and compliance policies are spelled out in the contract to provide assurances that our business practices meet sector requirements," says Hartnell.

FFastFill also allows customers to specify where they would like to store company data, which is kept separately from the electronic trading software service, he says.

SaaS contracts require the same amount of care as traditional outsourcing agreements when it comes to regulatory compliance, says Scott.

The SaaS model does not work in every context, he says, and IT directors have to select services carefully, with legal and regulatory requirements in mind.

"Businesses must ensure they select only SaaS services that enable them to avoid key business-specific risks, or at least manage them to a reasonable level," says Scott.

SaaS demands careful risk analysis, and businesses would do well to balance this risk against the benefits before rushing into anything in pursuit of quick cost savings.