The data business: What SaaS companies need to know about the risks

April 22 2019

Data monetization is the key to long-term success for many companies, not just software companies but also commercial firms such as manufacturers, retailers, banks, and insurance companies. The philosophy towards data used to be, "Keep only what you need for as long as you need it" to avoid data-related liabilities. Now the philosophy is "Collect and keep as much as you can for as long as you can" in case you can find a way to monetize it.

Building large repositories of third-party data opens a company to new risks. Even though data breaches, system hacks, and cloud security issues are almost becoming the "new normal," if your cloud-based technology or solution falls victim to any of them, life for your company will quickly become anything but normal.

Layer on top of those risks the many regulations now being imposed by governments throughout the world, and suddenly offering cloud solutions gets really complicated.

Here's what you need to know.

Cyber liability insurance

Cyber liability insurance is becoming a business necessity for companies whose SaaS applications store personal and financial information. According to the Ponemon Institute, the direct costs of remediating each breached record, such as notifying the client, issuing new credit cards, and paying penalties, are about $200 per record and about $3.5 million per breach. If you add in the lost revenues from bad publicity, the costs can be many times higher.

Hosting your application with a service such as Azure or AWS doesn't eliminate or reduce your risk. If it is your application and your login security, a breach is your responsibility, not the hosting provider's.

Insurance companies now offer policies to protect against the costs associated with a privacy breach. The policies can be expensive – but then the cost of a breach could put you out of business.

Privacy: European legislation

Europeans are very concerned about their privacy and what happens to personal information. As a general rule, it is illegal for a non-European company to store personal information about a European national outside Europe. This means that if you are a non-European company and you are running your SaaS application on a server in the U.S., and you are storing personal information on your European clients, you may be in violation of European law.

The EU has finalized its new General Data Protection Regulation (GDPR), which took effect in 2018, and California is developing legislation that will be as comprehensive. The key elements include:

  • The right to data correction: Simple enough, but it gives subjects a chance to change any previously provided information and make adjustments if necessary.
  • Tighter consent requirements: Data subjects must be informed and consulted on anything related to the processing of their personal data, or the ways in which that data might be used.
  • The right to be forgotten: Giving subjects the chance to have all stored information relating to them erased.
  • Notification of data endangerment and current state: Throughout the data handling process, subjects must be informed of what is happening to their personal data and whether it is at risk.
  • Privacy by default: Once an agreement has been made between the subject and the other data entities, divergence from its terms is only possible once an additional agreement has been made by the parties.

The laws apply to all companies, regardless of whether they are based in Europe or not, if they are collecting data from an EU citizen. This means that if you are an American ISV with customers in the U.S. who are European citizens, you need to be GDPR compliant. Non-compliance can trigger a substantial fine, equal to 4 percent of a company's global revenues. For example, an ISV with $10,000,000 in revenues, regardless of where those revenues are generated, could be fined $400,000.

About Harald Horgen

Harald Horgen is an acknowledged expert in the field of helping software companies expand into new markets, and with 25 years of global experience he has learned what it takes to build successful business models. 

As the President and founder of The York Group, an international business development organization with offices and partners in 25 countries, Harald speaks from experience. The lessons learned from hundreds of client engagements involving most technology platforms (mainframes, client/server, open source and SaaS) have been analyzed and documented, resulting in an extensive set of best practices.

Focused exclusively on enterprise software vendors since 1993, he works with clients to extend or transform their business models in three primary areas:

  1. SaaS business model transformation – from overall strategy to adapting current roles and functions (e.g., sales organization and compensation, customer support, marketing, etc.) to work more effectively in an IP subscription-based model;
  2. Big data, data analytics and IoT – helping clients develop a comprehensive view of the data in their world, providing them with the knowledge and understanding they need to monetize the data they are collecting while maintaining compliance;
  3. Channel programs – from creating the right channel program using a comprehensive, fully documented methodology to actually recruiting partners worldwide through a network of partners in almost 30 countries.

Clients range from emerging firms to established players such as Microsoft, HP, CA, Symantec, Schneider Electric, Ericsson, ABB, Lufthansa, Sage, Schlumberger and GE Healthcare.