Until you fully understand the risks and liabilities associated with using SaaS software applications and products, you should not enter into any contract with a SaaS provider or vendor. SaaS lawyer Andrew S. Bosin, located in New Jersey outside of New York City, provides legal advice and represents clients across the United States and internationally.
Evaluating Service, Security, Capabilities & Vulnerabilities of SaaS Software Cloud Service Providers. What should SaaS cloud service vendors do to take security seriously and put controls, processes and procedures in place to protect sensitive customer data and manage liability and risk? Are you a SaaS application provider entering into contracts and agreements with customers and end users without an effective data security and privacy protection policy, plan, procedures or guidelines in place? Are you a customer doing due diligence to make sure that your company's confidential information and data will be adequately protected by a particular SaaS vendor? What are your capabilities as a SaaS vendor for protecting confidential, highly sensitive customer data and information?
Failing to ensure that appropriate security protection is in place when using cloud services can ultimately mean higher business and insurance costs and the loss of business. Before adopting a SaaS cloud computing service, customers must understand clearly the security benefits and risks that come with a particular cloud application, and have a firm grasp of what security protections or plans, if any, the cloud provider has put in place to protect their confidential data and information. The security requirements, and the split of responsibility between customer and provider, differ for each type of service: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The less of the stack the customer controls, the more the customer depends on the provider's controls, and the more important it is to verify them.
SaaS service providers, whether they host the application themselves or outsource hosting to a third-party managed cloud provider, should do a number of things to make sure that the data and sensitive information gathered and stored in the cloud for their clients is secure.
- If you outsource the hosting of your company's SaaS cloud application to a third-party managed cloud provider, carefully read and analyze the agreement you will sign with that provider to see what liability the provider accepts and how much it will pay in damages if a breach it causes results in the loss or compromise of client data and a client in turn sues your company for negligence.
- Internally, your company should limit access to your cloud application to authorized personnel only. I would classify employees who have access to the provider's application as "authorized employees": employees who have a need to know, or who can otherwise access customer data or personally identifiable information (PII), in order for the SaaS vendor to perform its obligations under its customer agreements. These individuals should also sign non-disclosure agreements prohibiting the unauthorized transfer and sale of customer user data and PII. PII can mean different things to vendor and customer, so it's a good idea to list or define the types of PII that must be protected from disclosure to unauthorized employees and third parties.
- You should perform criminal background checks, where legal in your jurisdiction, before employees are given access to sensitive customer data or financial information.
- You should provide corporate security awareness training to employees so that everyone has a heightened sense of purpose regarding customer data protection and security.
- I would put together a security and risk management team of highly qualified individuals to own and manage security risk.
- Incident Response Plan: What if there is a data breach or a cyber-attack? Your company should have a plan in place that details what actions you will take when disaster strikes, including who decides, who communicates, and how and when you will notify customers of a data breach or disaster.
- Data Recovery and/or Disaster Plan: Do you or your managed cloud provider have a disaster recovery plan in place? Do you or your managed cloud provider use redundant, fault-tolerant systems to maximize uptime and recover quickly from disasters? Customers will want to know how long it will take to restore their data, and whether any of it has been lost or compromised.
- Your company should have an effective information security policy in place, reviewed at least annually and updated as needed.
- Your company needs an effective privacy policy (most are linked from the bottom of the company's public home page) so that customers understand how your company collects, uses and shares customer information.
- Does your company perform web application security testing (vulnerability scanning and penetration testing) to find security issues or vulnerabilities that need to be fixed, and does it track them to closure?
- Employees should be required to sign a document acknowledging that they have received a copy of the company's security policy.
- You should consider putting in place a change control process so that changes to the software and hardware IT infrastructure are reviewed and tested before they reach production and do not severely impact production systems.
- Are the vendors that will be managing your cloud services certified or independently audited (for example, ISO/IEC 27001 certification or a SOC 2 report)? Certification is evidence that the vendor has a security program that a third party has reviewed; it is not a guarantee, so read the scope of the audit and any exceptions it notes.
- Are your customers' users required to authenticate with a password (ideally together with a second factor) before being granted access to the SaaS application and/or services?
- Does your managed cloud provider offer or use encryption for stored data (encryption at rest), and who controls the encryption keys?
- Who has access to sensitive customer data, and how is it stored? This sensitive information should be stored in a secure, redundant, highly available database system with access restricted to employees and personnel who are members of a tightly controlled group.
- If you are the SaaS vendor, who in your company has access to sensitive client/customer information? Ideally, staff who operate the systems (for example, to back up or move files) should be able to handle customer data without being able to read it in the clear, which in practice means encrypting it with keys those staff do not hold. Make sure that only a small number of named employees can access and view sensitive customer data.
- Find out how old or failed hard drives are disposed of. Ask your managed cloud provider whether retired disks are securely wiped or physically destroyed, whether that happens on premises or through a third-party vendor, and whether a certificate of destruction is provided.
- Are you offering customers encryption for data in transit (for example, TLS for every connection to the application)?
- Are customer files and data backed up to a second storage system in case disaster strikes, and are the backups tested by actually restoring from them?
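As an added example of the password requirement in the list above (editor's code, not from the original page or its author): a small Python credential store that keeps only a random per-user salt and a scrypt hash of each password, never the password itself, and checks logins in constant time. The `UserStore` class, the `hash_password`/`verify_password` helpers and the sample account are the editor's own constructions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Added example, not part of the original page: how a SaaS application should
# store and check user passwords. The plaintext password is never stored; only
# a random per-user salt and an scrypt hash derived from it are kept.

SCRYPT_N = 2 ** 14   # CPU/memory cost (about 16 MiB at r=8); raise as hardware allows
SCRYPT_R = 8
SCRYPT_P = 1
HASH_LEN = 32
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a storable record: random salt, scrypt hash, and the parameters used."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)
    # Storing the parameters with the record lets you raise the cost later
    # without invalidating existing accounts.
    return {"salt": salt, "hash": digest, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=record["n"], r=record["r"], p=record["p"],
                               dklen=len(record["hash"]))
    # hmac.compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


class UserStore:
    """Minimal in-memory credential store (hypothetical; a real one lives in a database)."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, object]] = {}
        # A dummy record hashed for unknown usernames keeps login timing the same
        # whether or not the account exists, so attackers cannot enumerate users.
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, username: str, password: str) -> None:
        if username in self._records:
            raise ValueError("username already taken")
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            verify_password(password, self._dummy)  # burn the same time, then refuse
            return False
        return verify_password(password, record)


if __name__ == "__main__":
    store = UserStore()
    # Constructed sample account for the demonstration.
    store.register("alice@example.com", "correct horse battery staple")
    print(store.authenticate("alice@example.com", "correct horse battery staple"))  # True
    print(store.authenticate("alice@example.com", "wrong password"))                # False
    print(store.authenticate("nobody@example.com", "anything"))                     # False
```

Two details carry most of the security value: the salt makes identical passwords hash to different values, so a leaked table cannot be attacked with a single precomputed list, and the cost parameters are stored per record so they can be raised over time as hardware gets faster.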
The list above is not exhaustive and does not cover everything a SaaS vendor should do to take security seriously and put controls, processes and procedures in place to protect sensitive customer data. With that said, do yourself a favor and hire an outside firm that specializes in assessing your company's capabilities and vulnerabilities in managing data security and telling you what needs to be done.
Please call Andrew S. Bosin, Esq. for a free legal SaaS Cloud Computing legal consultation at 201-446-9643.
www.njbusiness-attorney.com | andrewbosin@gmail.com