Industry surveys suggest that nearly four in five companies plan to increase spending on software as a service, or SaaS, with cloud-based services expected to account for over 20 percent of software expenditures by 2019. Along with increased use of SaaS comes an increased sharing of personal, confidential or commercially sensitive information between customers and providers.
Some concerns identified by security executives around cloud-based services include a lack of visibility into who is accessing data, a lack of confidence in security capabilities, an unclear liability in case of a cyberattack or loss of data, the potential for access by competitors, and an increased risk given the potentially huge payoffs to malicious actors.
To address such concerns, companies seeking to transition to cloud-based services should start by considering the following steps.
Identify and assess risks. Risk should be categorized as high, medium or low based on the nature and sensitivity of data to be put in the cloud. Other considerations include whether the data is subject to confidentiality obligations by law or contract, the nature of the SaaS application (is it mission critical?) and reputational and financial exposure should a data breach occur.
Conduct vendor due diligence. The level of vendor due diligence will depend on the risk categorization. Appropriate due diligence may include evaluations of the vendor’s security measures, personnel, financial stability, length of time in business, customer referrals and similar factors.
Negotiate data-security provisions. Provider form contracts tend to be written by and in favor of the provider, and, unsurprisingly, routinely seek to disclaim or limit responsibility and liability for data breaches. The customer should seek to appropriately include provisions relating to confidentiality protections for customer data and ownership of customer data, as well as data integrity and security measures that spell out the obligations of the parties.
Negotiate data-breach provisions. Data breaches are costly, not to mention embarrassing. Additionally, the customer cannot delegate the obligation to comply with privacy and data security laws to the provider. As a customer, you should seek to include appropriate indemnities and redress from the provider in the event of a data breach, including provisions requiring the provider to insure against data losses.
Kennedy K. Luvai, a former software developer, is a shareholder attorney at Parsons Behle & Latimer in Boise. (208) 562-4892. This column appears in the February 15-March 14, 2017, edition of the Idaho Statesman’s Business Insider magazine as part of a special section on technology.