The Top 5 SaaS Data Security and Privacy Compliance Risks

Fortis Law Partners
Jul 7, 2020

SaaS Platforms: Part 2

By Christine Amrhein

Navigating the maze of government regulations and customer expectations surrounding data security and privacy can be a challenge for SaaS providers but is essential in order to avoid penalties and/or loss of customers.

Here are the top five categories that SaaS providers must take into consideration.

1. Understanding U.S. State and Federal Regulations

There are multiple state and federal laws and regulations addressing data security and privacy focusing on various industries, types of individuals and types of information such as sensitive personal information, health information, financial data, and so forth. All states and the federal government have requirements around how specific types of data and information must be managed, how it can be used and individuals’ rights concerning their information. California has recently enacted the California Consumer Privacy Act (CCPA) establishing strict requirements to protect the data privacy rights of citizens living in California.

All states in the U.S., the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands also have enacted data breach notification laws. Although state laws vary on when and how notifications must be made, generally if a data breach results in the unauthorized or unintentional disclosure of an individual’s personally identifiable information, the data controller and/or its service providers will be responsible for notifying everyone affected, as well as various government authorities. This process can be complex, time consuming and expensive and how it will be managed is often the subject of contract negotiation.

It is very important for SaaS providers to understand the types of data they will be processing and storing so they can identify and establish processes and procedures to comply with all the laws and regulations that apply. All businesses must have a written privacy policy that accurately describes how they use personal information and what their data security and privacy procedures are. These should include how the provider complies with any specific U.S. and international data privacy regulations that apply to its business.

2. Complying with International Law

U.S. based companies that have facilities or personnel in the EU, that process individual data of persons in the EU related to the offering of goods or services (more than internet access), or that monitor the behavior of individuals in the EU are subject to EU data privacy regulations such as the recently enacted General Data Protection Regulation (GDPR). SaaS providers established solely in the U.S. should not assume they are exempt from the GDPR. Such providers must know what type of data they are processing and assess which laws and regulations apply.

Under the GDPR, among other things, data controllers and SaaS providers must ensure that personal data of EU persons has been gathered legally and under strict conditions (with appropriate notices and consents), is being used lawfully, and those who collect and process it must protect it from misuse and exploitation and be accountable to the EU individuals.

Although interpretation and enforcement of the GDPR is still evolving, severe financial penalties may result for companies that fail to comply. Many countries around the world have their own data security and privacy requirements, often more stringent than those of the U.S., and if a SaaS provider has international reach it must understand and comply with the law in every country where it does business or stores or processes personal data of persons residing in that country.

3. Security Best Practices

SaaS providers must establish and follow security standards that are appropriate for their services and the type of data they will be processing and storing. Many choose to follow best practices established by the U.S. National Institute of Standards and Technology (NIST).

Oftentimes SaaS customers prefer that SaaS providers employ best-practice security standards such as ISO/IEC 27001, which formally specifies an Information Security Management System — a suite of activities concerning the management of information risks — and lays out an overarching management framework to identify, analyze and address these risks.

Whatever standards a SaaS provider elects to follow, it should document the processes and procedures well and establish a schedule to review and audit them regularly to keep them current and effective.

4. Specialized Industries and Information

Some laws or industry regulations apply specifically to the services provided and the type of data processed or stored. Two examples are the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). There are also laws specific to the collection and use of children’s information such as the Children’s Online Privacy Protection Rule (“COPPA”).

HIPAA provides privacy and security provisions to protect individuals’ health data and SaaS providers need to have a variety of safeguards in place to comply. PCI DSS began as a payment card industry standard and has become the law in some states. It applies to anyone that stores, processes, or transmits payment card data, and lays out multiple requirements for compliance. These are just two examples, with the common theme being that SaaS providers must know what type of data they are storing or processing and what specific requirements may apply. Because there are substantial penalties for infractions, SaaS providers that operate in certain spaces should obtain expert counsel on the requirements and how to ensure regulatory compliance.

5. Protecting Yours and Theirs: Intellectual Property

The SaaS provider must protect its own intellectual property from misuse or infringement as well as provide security for its customers’ proprietary data and information. Customer IP liability risk primarily relates to unauthorized access to or use of the customer’s proprietary information, data, or other property stored in the cloud, either by the SaaS provider or by a third party. It is important for SaaS providers to put adequate security procedures in place but also to limit liability through their services agreements to lower the risk of large pay-outs.

The good news is that SaaS models are well suited to protecting a provider’s software and business processes from infringement because software, algorithms, processing technologies and provider data are kept behind the scenes in the provider’s control and not accessed by customers. This differs from a traditional software license where the software code is provided to the licensee for installation and use on their hardware or platform which makes it vulnerable to copying, modification or other misuse.

Fortis Law Partners is here to help you make informed decisions about complex SaaS data security and privacy compliance regulations. To seek counsel about any of the risks outlined above and avoid costly mistakes, contact Christine Amrhein.

An overview of the benefits of SaaS platforms can be found in part one of our series, The Ins and Outs of SaaS Platforms, and advice on putting together an airtight SaaS service contract can be found in part three, Nailing Down a SaaS Service Contract.

Fortis Law Partners

A woman-owned, boutique law firm based out of Denver, Colorado with a focus on emerging and middle-market companies.