The Legal Risks of SaaS

Even in this economic downturn, software-as-a-service continues to grow. IDC recently raised its 2009 projected growth rate for
SaaS from 36 percent to 40.5 percent.

SaaS advantages over traditional
software licensing, such as simpler transitions and low to no up-front
costs, are well known. However, SaaS also introduces distinct risks related to software
availability, data availability, data recovery and data security. Prudent
CIOs must weigh the pros and cons of a SaaS offering before rushing into a deployment that may not be appropriate for their organization.

SaaS can provide significant advantages to an organization, particularly in
a down economy when IT budgets are tight:

– First, a SaaS often allows a business to transfer primary control of the
software from IT to the business unit. This can free up your IT department,
giving it more time to spend on other initiatives;

– Second, SaaS typically requires little (if any) customization or
configuration of the underlying software. That means the transition to a
SaaS offering can be done quickly and without the need for drawn out and
costly implementations and testing;

– Third, SaaS often provides on-demand scalability, allowing the business
to adjust its processing power and storage to match the peaks and lulls in
its load levels.

– Fourth, a SaaS offering typically requires low-to-no costs up front — no
large license fee, no time and no materials. Instead, the business pays a
monthly or annual fee for the service.

SaaS also raises many risks for a CIO to evaluate. Because the SaaS vendor
will be hosting your business data in its environment, a CIO must consider
and examine the considerable risks related to a potential data loss or data
breach.

The SaaS vendor’s capabilities (and warranties) must be carefully evaluated
in each of these areas:

– Disaster recovery and business continuity;

– Protection against physical and electronic security vulnerabilities; 
– Data backups and ability to restore data in the event data is lost or
corrupted.

CIOs must require their SaaS vendors to regularly report the results of an
annual independent security audit (one type of which is a SAS 70 II audit).

Finally, some types of data, such as personally identifiable information
(i.e., name, social security numbers, home addresses, birth dates), medical
information, or credit card or other financial data may simply not be
appropriate to be included in a SaaS delivery model.

So, before you sign off on that next request to purchase a SaaS offering,
make sure as the CIO you take the time to do the appropriate investigation
on the business solution to be served, the data involved and the costs-all
as compared to a traditional software offering.

Many times, the SaaS choice may be the right one, but not always. Make sure
you know the difference.

Christopher C. Cain is a partner and Kenny W. Hoeschen is an associate in
the Information Technology & Outsourcing practice of law firm Foley &
Lardner LLP.

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles