Archive for September, 2013

SaaS Agreements – Data Protection – IT Security Requirements

In January 2013 Sony was fined 250,000 GBP for failing to take “appropriate technical measures” to protect the security of personal data stored on its PlayStation Network (PSN) in breach of the Data Protection Act (DPA). In light of the lack of guidance currently provided by the Information Commissioner’s Office (ICO) on data protection security SaaS suppliers should be aware that the ICO plans to draw up new guidelines.

Appropriate Technical and Organisational Measures

Under the DPA, SaaS suppliers must take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and accidental loss, destruction or damage to personal data. However there is currently no legal definition, or guidance from the ICO, on what are “appropriate” organisational and technical measures.

In the past the ICO has stated that personal data should be encrypted, if loss or theft of the data would cause damage or distress to the individuals concerned. More recently in the case of Sony, the ICO found that Sony’s software was not up to date and that passwords were not secure.

However, in light of the lack of any specific guidance on this matter, the ICO seems to determine fines based on the facts of each individual case.

Factors to Consider

Often the following factors are taken into consideration by the ICO:

  • the financial resources of a SaaS supplier;
  • the number of individuals whose data is affected;
  • the harm actually caused to those individuals;
  • how a SaaS supplier responds to a breach;
  • what technology the SaaS supplier uses; and
  • any mitigating factors, such as voluntarily reporting of a breach.

How to Avoid Fines

Regardless of what any future guidelines might say, SaaS suppliers should already have in place their own technical and organisational measures. Not only to avoid the risk of incurring a substantial ICO fine, but moreover to prevent substantial damage to their reputation and financial losses which could result from the publication of internal security system failures and vulnerabilities following an ICO investigation. Sony gave this as one of the reasons why they dropped their appeal against the ICO fine.

Measures to be Taken

Such technical and organisational measures should include:

  • cryptographic controls to protect passwords;
  • ensuring that sub-contractors provide sufficient technical and organisational guarantees in writing;
  • carrying out regular security risk assessments;
  • auditing the compliance of sub-contractors with their contractual obligations.


The ICO is increasingly taking action against companies and imposing large fines for breaches of the DPA. In August penalty notices were issued against the Bank of Scotland, Aberdeen City Council and Islington Borough Council. Statistics on the type of companies being targeted, the nature of breaches occurring and levels of fine are published quarterly on the ICO website and SaaS suppliers should review these to see if they are operating in a particular “risky” area.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:

SaaS Agreements – Social Media – Ownership of Accounts

Increasingly SaaS suppliers encourage employees to use social media accounts i.e. LinkedIn and Twitter to promote their products and business. However this often results in a conflict arising between claims of misuse of confidential information and “ownership” of accounts and contacts when the employment relationship comes to an end.

The High Court has recently highlighted the need for SaaS suppliers to have a clear policy on the ownership of such social media accounts and contacts when they are used by employees for business purposes.

Whitmar Publication Ltd

The High Court granted an injunction to Whitmar Publication Ltd against 3 ex-employees (and their newly established rival company) to prevent the individuals and the company from using 4 LinkedIn groups. One of the individuals had been responsible for dealing with the LinkedIn groups as part of her responsibilities at Whitmar Publication Ltd.

In a ruling using arguments similar to those used in the decision of the High Court against a former Hays employee in 2008 ordering him to hand over all of his LinkedIn contacts after leaving the company to set up his own consulting business, an injunction was granted on the basis that the individuals had misused confidential information belonging to the company, infringed the company’s database rights and breached duties under their employment contracts.


This will depend upon who set up the account, why it was set up, whether it is also being used for private use and who is paying for and maintaining it.

In the Whitmar injunction the court determined that the following factors were key:

  • the extent to which the account or group was created for the benefit of the employer; and
  • the extent to which the account or group promoted the employer’s business.

Social Media Policy

The above emphasizes the need for SaaS suppliers to have a clear social media policy in place with their employees. This should cover:

  • ownership and use of accounts on termination of employment;
  • access details to accounts;
  • use of information collected through social media accounts.

If a SaaS supplier has a signed social media policy it will restrict what ex-employees can and cannot do with social media accounts and/or contacts after leaving the company.

Employment Contracts

Additionally, SaaS suppliers should include non-solicitation or non-compete clauses in all of their employment contracts which specifically prevent ex-employees from using social media accounts or contacts upon termination of their employment. Employment contracts should also include general clauses preventing employees from using confidential information.


In view of the above, SaaS suppliers need to consider “ownership” of social media accounts and contacts before encouraging employees to use these tools at work. There must be a clear written agreement governing what happens to such data when an individual leaves the company – usually set out in a social media policy and/or employment contracts.

Other measures that SaaS suppliers could consider taking are:

  • simply banning all use of social media accounts such as Facebook, LinkedIn and Twitter; or
  • ensuring that relevant employees add all new social media contacts to the company’s CRM database.

By considering the risks and taking necessary measures to prevent these issues arising SaaS suppliers should be able to avoid costly litigation when employees leave, potentially taking their contacts, accounts and followers with them.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:

Bodle Law
Assign a menu in the Left Menu options.
Assign a menu in the Right Menu options.

This website uses cookies. You may not use this website, unless you agree to our use of cookies. For further details about the cookies we use please visit our Cookie Policy

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.