The Legal Risks of SaaSBy Christopher C. Cain and Kenny W. Hoeschen | Posted 06-23-2009
SaaS advantages over traditional software licensing, such as simpler transitions and low to no up-front costs, are well known. However, SaaS also introduces distinct risks related to software availability, data availability, data recovery and data security. Prudent CIOs must weigh the pros and cons of a SaaS offering before rushing into a deployment that may not be appropriate for their organization.
SaaS can provide significant advantages to an organization, particularly in a down economy when IT budgets are tight:
- First, a SaaS often allows a business to transfer primary control of the software from IT to the business unit. This can free up your IT department, giving it more time to spend on other initiatives;
- Second, SaaS typically requires little (if any) customization or configuration of the underlying software. That means the transition to a SaaS offering can be done quickly and without the need for drawn out and costly implementations and testing;
- Third, SaaS often provides on-demand scalability, allowing the business to adjust its processing power and storage to match the peaks and lulls in its load levels.
- Fourth, a SaaS offering typically requires low-to-no costs up front -- no large license fee, no time and no materials. Instead, the business pays a monthly or annual fee for the service.
SaaS also raises many risks for a CIO to evaluate. Because the SaaS vendor will be hosting your business data in its environment, a CIO must consider and examine the considerable risks related to a potential data loss or data breach.
The SaaS vendor's capabilities (and warranties) must be carefully evaluated in each of these areas:
- Disaster recovery and business continuity;
- Protection against physical and electronic security vulnerabilities;
- Data backups and ability to restore data in the event data is lost or corrupted.
CIOs must require their SaaS vendors to regularly report the results of an annual independent security audit (one type of which is a SAS 70 II audit).
Finally, some types of data, such as personally identifiable information (i.e., name, social security numbers, home addresses, birth dates), medical information, or credit card or other financial data may simply not be appropriate to be included in a SaaS delivery model.
So, before you sign off on that next request to purchase a SaaS offering, make sure as the CIO you take the time to do the appropriate investigation on the business solution to be served, the data involved and the costs-all as compared to a traditional software offering.
Many times, the SaaS choice may be the right one, but not always. Make sure you know the difference.
Christopher C. Cain is a partner and Kenny W. Hoeschen is an associate in the Information Technology & Outsourcing practice of law firm Foley & Lardner LLP.