Client Alert. Global Information Technology & Communications Privacy, Data Protection and Information Management

Transcription

1 Global Information Technology & Communications Privacy, Data Protection and Information Management Client Alert Umbrellas for Clouds: Risk Mitigation Strategies for SaaS Transactions For further information please contact Lothar Determann Peter George Francesca Gaudino francesca.gaudino@bakermckenzie.com Roberto Grane roberto.grane@bakermckenzie.com Patrick Fair patrick.fair@bakermckenzie.com Sergio Legorreta-Gonzalez sergio.legorreta@bakermckenzie.com Executive Summary From a legal compliance and risk management perspective, outsourcing the act of engaging a third party for a period of time to provide services that had previously been performed internally shares many similarities with software as a service (SaaS) transactions procuring access to software as a service hosted by a third party instead of through more traditional licensing means. The compliance and risk management tools developed for outsourcing, including supplier due diligence, compliance risk assessments and standard contractual terms and conditions, are tools that should be used when considering a SaaS solution. This article seeks to identify the risks that may not be adequately addressed today under traditional procurement processes for software licenses and provides suggestions for addressing those risks using the tools that have evolved in the outsourcing space. Introduction Cost reduction is not a buzz word, it is a business reality. Procuring access to software as a service, as opposed to through the traditional means of licensing software for on premises use, may offer significant opportunities for cost savings. One of the chief attractions in today s economic climate being the avoidance of large, upfront costs in technology infrastructure investments and software licensing fees. Additional drivers include the scalability of SaaS solutions, permitting real time cost reductions based on decreased usage or reduced staffing volumes cost reductions typically not available in the context of perpetual software licenses, and avoidance of costly maintenance and support obligations. Also, hosted solutions from sophisticated providers can offer superior data security protection features that many smaller organizations could not easily replicate internally. For these and other reasons, the cloud constitute an attractive solution to a variety of problems. But, cloud computing and SaaS transaction also raise compliance and risk management issues and some of these are very different from those arising in the context of more traditional software procurement and internal deployment models. Many SaaS and cloud- specific risks are more similar to the risks associated with outsourcing and the tools used to manage these risks in the outsourcing context should be used to manage SaaS risks. What is SaaS? SaaS is many different things. In some contexts SaaS refers to cloud computing, which is essentially a way of leveraging infrastructure investments across many users. In other contexts, SaaS refers to the allocation of platform level resources to users in a virtual manner, based on agreed service level and pricing provisions. In this article, SaaS refers to the remote use of application and platform level resources over the internet or through some

2 2 Umbrellas for Clouds: Risk Mitigation Strategies for SaaS Transactions other network, where the application or platform resources are managed and maintained by a third party provider. Sourcing Risks As sourcing advisors, we are very familiar with the tools used to mitigate the risks raised by outsourcing transactions. These risks can generally be categorized into three main areas (i) governance risk; (ii) operational risk and (iii) compliance risk. Governance risk arises from the sourcing entities transfer of control over delivery of a critical business function to a third party and reliance on that party for the performance of the function. Operational risk is the risk associated with the quality of the day to day delivery of the function. Compliance risk arises from legal, governmental and other third party liability that may not be delegable even when control over the delivery of the outsourced function is transferred to a third party. These risks are also present in the context of SaaS. Governance risks are those risks that are inherent to the loss of control over the management and incentive structure of the party performing the outsourced function. By transferring control over the delivery of a function to a third party, the outsourcing customer becomes reliant on the service provider, but lacks the direct power to manage the third party s performance of the service. In the context of SaaS offerings, where control over delivery of the service resides in the service provider, similar governance risks exist. The customer cannot directly manage the performance of the services, but must rely on the SaaS provider for delivery of those services. Governance risks are addressed in the outsourcing context through provider reputational investments (what is the provider s track record in working well with other customers), relationship management procedures and contractual provisions intended to provide the outsourcing customer with ongoing leverage and influence over the management of the service provider. These contractual provisions include the ability to insource or resource tasks, change control provision, controls over process evolution, convenience termination rights, benchmarking rights, ongoing rights to audit and access data, ownership rights in technology to permit switching and other such provisions. The intent of these structures is to provide the outsourcing entity with some insight into the service provider s behavior, influence over that behavior and leverage to cause the service provider to remain responsive to the outsourcing entities business requirements. Where switching costs for critical functions are high, governance risks must be carefully controlled. Switching costs in the context of SaaS may be lower than in the context of outsourcing, since many SaaS applications are fairly generic and, at least initially, are not heavily customized to any particular customer. In addition, SaaS transactions have typically been for add-on functionality, as opposed to mission critical applications making the governance risks associated with SaaS offerings lower than for more traditional outsourcing arrangements. That initial analysis, however, is probably changing. SaaS solutions are becoming more customized and continue to cover a greater scope of business functionality. As switching costs increase and the critical nature of the services being sourced rises, governance risks will have to be more closely considered with respect to SaaS transactions. There are a myriad of tools to use from the outsourcing context to address governance risks in SaaS offerings. Currently, its very hard to find a commercial SaaS offering that provides benchmarking rights, for example, or even promises for long term price protection. As switching costs increase because SaaS offerings become more customized and as SaaS providers seek to provide comfort to larger customers that governance risk will be

3 3 Umbrellas for Clouds: Risk Mitigation Strategies for SaaS Transactions tempered, such contractual provisions may begin to find there way into SaaS contracts. Likewise, while many SaaS contracts provide for data transfer at the termination or expiration of the agreement, as these offerings become more mission critical those provisions may become augmented by more significant obligations to provide knowledge transfer and support. We are already seeing more pronounced investments by SaaS providers in their reputations, particularly with respect to data privacy, security and scrutiny over unilateral contract changes. Operational Risk Operational risks are those risks related to the performance and delivery of activities that are under the control of a third party provider. In the outsourcing context, these risks are normally addressed through service level agreements, mutually acceptable procedures manuals and performance warranties. SaaS offerings already borrow some aspects of the operational protections of outsourcing. For example, many SaaS offerings provide for different levels of service based on price. This structure is similar to the incentive structure built into many of the service level agreements used in the outsourcing context. Different levels of service attract different pricing or result in varying levels of pricing credits. There are several important distinctions between the use of service level agreements in the typical SaaS context and outsourcing, though. In outsourcing, the credit is intended as leverage to drive a certain behavior on the part of the service provider to delivery certain minimum standards of performance. In the SaaS context, on the other hand, the service level agreement may be used more as a means of allocated resources based on price. Where performance fails to meet a minimum standard in the outsourcing context, the credit is supposed to initiate certain corrective actions on the part of the provider. In contrast, the service level agreement prices a particular level of performance in a SaaS transaction there is not necessarily a corrective action initiated by a particular performance level. This distinction should be considered where a minimum level of performance is a business driver behind the decision to procure a SaaS solution, particularly where paying less for the service may not satisfy a business requirement. Where corrective action is required, the service level agreement should reflect that obligation. Compliance Risk Compliance risks are those risks related to legal, government and other third party liability that may not be delegable even when control over the delivery of the outsourced function is transferred to a third party. These risks often stem from obligations to comply with law which cannot be delegated even though the performance of the task being regulated may be. Familiar examples include maintaining adequate controls over financial systems, even where those systems have been outsourced to a third party, and liability for misreporting withholding tax even where payroll processes have been outsourced to a service provider. These risks also include liability for unauthorized disclosure of personal data that might be processed by a third party. In the outsourcing context, these risks are addressed through the clear allocation of controls to mitigate the risk of violations, audit rights to verify conformance with controls, well articulated procedures, and indemnities intended to reallocate liability from the party that may incur a penalty for breach to the party best positioned to prevent a violation. These provisions both allocate compliance responsibilities and allocate financial obligations for failure to meet compliance requirements. For example, a human resource outsourcing agreement may allocate responsibility for calculating a reporting

4 withholding tax to the service provider. It may provide controls for minimizing the risk of fraudulent reporting and audit rights to detect failures to comply with those controls. It may also include indemnification against fines and penalties that would otherwise accrue against the customer for failure to accurately make such reports. Simply because services are being sourced under a SaaS model, as opposed to an outsourcing structure, customers should not assume that compliance obligations may be dismissed. Regardless the sourcing model, customers will remain responsible for breach of non-delegable compliance obligations. Unfortunately, though, many of the protections provided in the typical outsourcing agreement are absent in the context of SaaS offerings. We would expect that as SaaS models gain greater acceptance, the same controls and processes used to ensure compliance obligations are met in the outsourcing context will be applied to SaaS offerings. Likewise, as SaaS vendors move into more heavily regulated business processes or seek to attract work from publicly traded companies subject to greater regulatory oversight, we expect that compliance obligations will be addressed more comprehensively in SaaS transactions. Providers that can address compliance risks efficiently will likely have an advantage over providers that must address compliance issues on an ad hoc basis. SaaS offerings that are able to apply economies of scale to spread compliance costs across multiple customers may even provide increased savings and risk mitigation opportunities to customers desperate to tighten budgets without increasing compliance risk. From a data privacy and security law perspective, the two most significant challenges brought about by SaaS and cloud computing models are as in many other outsourcing transactions that data is transferred across geographic borders (which triggers specific compliance requirements under data protection laws in Europe and other countries) and that it is more difficult for customers to keep control over the data processing operation. In connection with dynamic cloud computing architectures particularly, data can be on a variety of computers, in various jurisdictions and accessed by numerous service providers, contractors and subcontractors. But, if the customer looses control over the details of the data processing, the customer can no longer rely on the limited exceptions in data privacy laws for data transfers to mere data processing agents, with the effect that the customer may have to obtain consent from data subjects (e.g., employees, consumer customers, individual representatives of corporate customers), which is often impractical and always undesirable. Therefore, it is of particular importance for cloud computing and SaaS arrangements involving personal data to implement detailed and clear agreements that keep the customer in control over all relevant aspects of the data processing (where data is stored, by whom, what technical protection measures are applied, return/deletion of data on request, etc.). Given that SaaS and cloud solutions are usually offered on a standardized and as is basis, the contracting parties have to work out cost compensation questions for situations where the customer wants to exercise its control, and protect the vendors from early termination damages in case the vendor cannot accommodate a customers special request an issue that is also familiar from more traditional outsourcing contract negotiations (change management). 4 Umbrellas for Clouds: Risk Mitigation Strategies for SaaS Transactions

5 Conclusion SaaS offerings are different from outsourcing in fundamental ways. However, the risk profile of both types of transactions share certain similarities. The tools used to mitigate risk in the context of outsourcing transactions are relevant to SaaS and will become increasingly important as SaaS transactions compete for a greater share of the market for services Baker & McKenzie. All rights reserved. Baker & McKenzie LLP is a limited liability partnership registered in England and Wales with registered number OC A list of members names is open to inspection at its registered office and principal place of business, 100 New Bridge Street, London, EC4V 6JA. Baker & McKenzie LLP is a member of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the terminology commonly used in professional service organisations, reference to a partner means a person who is a member, partner, or equivalent, in such a law firm. Similarly, reference to an office means an office of any such law firm. Baker & McKenzie LLP is regulated by the Solicitors Regulation Authority of England and Wales. Further information regarding the regulatory position is available at This may qualify as Attorney Advertising requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. 5 Umbrellas for Clouds: Risk Mitigation Strategies for SaaS Transactions