The data business: What SaaS companies need to know about the risks
Data monetization is the key to long-term success for many companies, not just software companies but also commercial firms such as manufacturers, retailers, banks, and insurance companies. The philosophy towards data used to be, "Keep only what you need for as long as you need it" to avoid data-related liabilities. Now the philosophy is "Collect and keep as much as you can for as long as you can" in case you can find a way to monetize it.
Building large repositories of third-party data opens a company to new risks. Even though data breaches, system hacks, and cloud security issues are almost becoming the "new normal," if your cloud-based technology or solution falls victim to any of the above, life for your company will quickly become anything but normal.
Layer on top of those risks the many regulations now being imposed by governments throughout the world, and suddenly offering cloud solutions gets really complicated.
Here's what you need to know.
Cyber liability insurance
Cyber liability insurance is becoming a business necessity for companies whose SaaS applications store personal and financial information. According to the Ponemon Institute, the direct costs of remediating each compromised record, such as notifying the client, issuing new credit cards, and paying penalties, are about $200 per record and about $3.5 million per breach. If you add in the revenue lost to bad publicity, the costs can be many times higher.
Hosting your application with a service such as Azure or AWS doesn't eliminate or reduce your risk. If it is your application and your log-in security, it is your responsibility.
Insurance companies now offer policies to protect against the costs associated with a privacy breach. The policies can be expensive – but then the cost of a breach could put you out of business.
Privacy: European legislation
Europeans are very concerned about their privacy and what happens to personal information. As a general rule, it is illegal for a non-European company to store personal information about a European national outside Europe. This means that if you are a non-European company and you are running your SaaS application on a server in the U.S., and you are storing personal information on your European clients, you may be in violation of European law.
The EU has finalized its new General Data Protection Regulation (GDPR), which took effect in 2018, and California is developing legislation that will be as comprehensive. The key elements include:
- The right to data correction: Simple enough, yet it gives subjects the chance to change any previously provided information and make adjustments if necessary.
- Tighter consent requirements: Data subjects must be informed and consulted on anything related to the processing of their personal data, including the ways in which that data might be used.
- The right to be forgotten: Subjects can require the erasure of all stored information relating to them.
- Notification of data endangerment and current state: Throughout the data handling process, subjects must be informed of what is happening to their personal data and whether it is at risk.
- Privacy by default: Once an agreement has been made between the subject and the other data entities, the parties may diverge from its terms only after an additional agreement has been made.
The laws apply to all companies, regardless of whether they are based in Europe or not, if they are collecting data from an EU citizen. This means that if you are an American ISV with customers in the U.S. that are European citizens, you need to be GDPR compliant. And non-compliance can trigger a substantial fine, equal to 4 percent of a company's global revenues. For example, an ISV with $10,000,000 in revenues, regardless of where those revenues are generated, could be fined $400,000.