I recently spoke at, and attended, the Layered Technologies summit: LT Pact. In addition to a number of excellent presentations and a very involved audience, there was a great deal of on-topic discussion at networking events after the main programs. I got into a pretty neat discussion about SaaS and privacy with Ravi Agarwal, CEO of SaaS provider Group Spark, and Nelson Taggart of Microsoft. Basically, both Ravi and Nelson simply asked me: "why aren't you talking about the privacy implications of SaaS?" That's a good question.
In my work with SaaS clients I'm always careful to follow the data into, through, and out of their organization, as I'm sure most lawyers do. But there is a much bigger issue here: who's ultimately going to be on the hook for the data? I can be reasonably sure that most SaaS providers have contracts that limit their liability to the systems they actually control, and data they actually possess. Most have also likely entered into agreements with their vendors that clearly delineate responsibility for data, and any liability that flows from a problem with the data. But is that enough? Honestly, I'm not sure it is. As we discussed at LT Pact, there are a huge number of realistic scenarios in which one link in the SaaS chain mishandles data. Naturally, in many of these scenarios it may be difficult to isolate the one factor that triggered the problem.
What comes immediately to mind are fiber cuts. Fiber to your data center gets cut, you call your bandwidth provider, they say it was the cable company's fault. You call the cable company, they say it was a sub-contractor's fault. The sub-contractor claims that it was the utility marking company's fault. The utility marking company blames the bandwidth provider's network diagram. Other than the bandwidth provider and cable company, no one has insurance, and the bandwidth and cable company's insurance carrier is pointing to your agreement with the telco in which your damages are limited to three times your monthly bill. Meanwhile your customers have been down for a significant amount of time, triggering payments under your SLA. Are your customers going to stick around if you are relating the facts underlying the outage all the while trying to minimize payments under your SLA? I don't think so.
I can see the same thing happening with privacy in the SaaS context. Addressing privacy issues with the scenario described above is going to be a tough legal nut to crack. The first place I'd look is to decisions made by the Federal Trade Commission. The FTC has taken the position that with privacy policies, the policy follows the data. It's not a far stretch to the conclusion that each link in the SaaS data chain is responsible for the data they touch as it moves along the chain.
But for SaaS providers, is this fair? Is a hosted exchange provider responsible for an e-mail that is misdirected by a bandwidth provider who is simply a link in the "Internet cloud?" I'd argue not. However, an individual whose credit card number was contained in the e-mail is not likely to be as sympathetic, nor to be interested in parsing through the steps that took place during processing of the e-mail.
The second place I'd look is to contract law. I think the fiber cut analogy fits well in a contract analysis. A court may be more likely to look at the links in the chain of contracts, and attempt to isolate which mistakes were caused by what company, and what their contractual liability is. So, it is pretty important that you look at the terms of each of your contracts in an SaaS transaction. It would also be good to get a representation in each of your contracts that upstream and downstream providers will have the same or similar provisions.