Archive for October, 2016

SaaS Agreements – Data Protection – Cyber Insurance

Currently most SaaS suppliers and SaaS customers do not take out specific cyber insurance and rely upon the provisions of a general insurance policy to cover liabilities in the event of a claim for a cyber incident or a data breach. This is partly due to the fact that few insurers offer adequate cyber insurance policies and SaaS customers and SaaS suppliers often fail to consider the need for a specialist policy of insurance to ensure that they are covered in the event of a claim being denied under a general insurance policy.

General Insurance

Many insurers may not have anticipated providing cover against cyber risks under their general insurance policies and it is likely that disputes will arise as to whether or not a cyber claim is covered when a SaaS supplier or SaaS customer makes a claim. Taking out cyber insurance could reduce this risk.

Professional Indemnity Insurance

Commonly PI insurance covers directors' insurance, property risk and some limited cyber cover. However, as cyber risks are becoming more common for SaaS suppliers and SaaS customers, there is an increasing need to protect specifically against cyber risks, i.e. hacking, DNS attacks, phishing, etc.

Future Need for Cyber Insurance

Cyber insurance is often seen as too expensive by SaaS suppliers and SaaS customers, and they actively choose not to purchase such additional insurance cover.

From the 25th of May 2018, when the new Data Protection Regulation (GDPR) comes into effect, there will be a substantial increase in the risk of a cyber claim for a data breach. It is important to be aware that the GDPR applies to all SaaS customers and SaaS suppliers in the EU, and to any non-EU located SaaS customers and SaaS suppliers offering goods or services in the EU or monitoring the behaviour of EU data subjects. Accordingly, the GDPR will apply to UK SaaS customers and SaaS suppliers regardless of whether, and when, there is a “Brexit”.

GDPR Fines

The GDPR imposes more onerous obligations on both data processors and data controllers. In particular, the fines which can be applied by any EU data protection authority for breach of the GDPR will increase substantially. Fines of up to €20 million or 4% of global annual turnover for the preceding financial year can be imposed.

Summary

SaaS suppliers and SaaS customers need to consider now whether to increase existing insurance cover to encompass the above changes to data protection law and, when doing so, it could be prudent to consider taking out specialist cyber insurance.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com


______________________________________________________

Other related articles:

SaaS Agreements – Data Protection – Privacy Shield Update

The Privacy Shield now replaces the Safe Harbor scheme. The rules under the Privacy Shield are similar to the rules under the Safe Harbor scheme, in that SaaS customers and SaaS suppliers need to self-certify their compliance with the principles of the Privacy Shield.

The following core principles must be adhered to.

Core Principles

  • Notice must be given to data subjects about specific issues;
  • Choice to opt out of disclosure of personal data to third parties;
  • Accountability for onward transfer of personal data to third parties;
  • Implement reasonable and appropriate security measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
  • Personal data must be reliable, accurate, complete and up to date;
  • Individuals must be able to access personal data and have it corrected, amended or deleted;
  • Independent mechanisms for dealing with complaints free of charge must be in place.

Applying for Certification

  • Draft a privacy statement which complies with the notice requirements;
  • Maintain appropriate documentation to demonstrate compliance with the above Privacy Shield principles;
  • Amend existing agreements that involve personal data transfers to ensure compliance with the principles;
  • Train staff and introduce internal guidelines and processes to ensure compliance with the principles;
  • Ensure on-going compliance with the principles of the Privacy Shield.

Validity of the Privacy Shield

It is very likely that in the near future there will be challenges to the adequacy of the Privacy Shield (on a similar basis to the challenges that led to the invalidity of Safe Harbor), either:

  • By a German Data Protection Authority; or
  • By an individual at the European Union Court of Justice (CJEU).

SaaS suppliers and SaaS customers should be aware of the limitations of the Privacy Shield in the long term when considering investing substantial resources and time in complying with and applying for registration under the Privacy Shield.

Alternatives

When deciding whether or not to apply for certification under the Privacy Shield, SaaS customers and SaaS suppliers should consider the alternative options, which are currently the use of EU Model Clauses or binding corporate rules (BCRs).

EU Model Clauses

EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).

Where personal data is transferred from:

  • A data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
  • A SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.

BCRs

BCRs are a set of rules adopted within a particular company or corporate group that set out legally binding obligations in relation to data processing within that company or group, covering global transfers of personal data. BCRs include, amongst other matters, details of:

  • Data protection policies;
  • Commitments to data protection training;
  • Data protection audits.

BCRs must be approved by a lead national data protection authority (DPA), typically determined by the location of the European headquarters of a SaaS supplier. Once the lead national DPA approves the BCRs they are then responsible for coordinating approval of the BCRs with all other DPAs across Europe.

Summary

When deciding which option to use to facilitate the lawful transfer of personal data from the EU to the USA, SaaS suppliers and SaaS customers need to take into account their specific circumstances in order to determine the best method to use, as use of the Privacy Shield may not be the right long term solution for many SaaS suppliers and SaaS customers who previously relied upon Safe Harbor.
