A SaaS supplier can be liable for the loss of backup tapes, not just under the terms of its SaaS agreement but also under the Data Protection Act 1998, the Financial Services Authority regulations or other UK rules or regulations, regardless of whether it is the SaaS supplier, its data centre or a third party that loses the backups of customer data.

Financial Services Authority – FSA

Zurich Insurance was recently fined £2,275,000 by the FSA after a backup tape containing unencrypted personal details on 46,000 policy holders went missing in transit; the FSA found that Zurich had inadequate systems and controls in place. In breach of Principle 3 of the FSA rules, Zurich failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

Although Zurich agreed to settle the claim at an early stage and thereby received a 30% discount on the fine, this is still the highest fine imposed by the FSA on a single company to date.

Data Protection Act 1998

Since April 2010 the Data Commissioner has had the power to impose a fine of up to £500,000 on a data controller who seriously breaches the data protection principles, if the contravention was of a kind likely to cause substantial damage or substantial distress. The contravention must either have been deliberate, or the data controller must have known (or ought to have known) that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

In a SaaS agreement the customer is the data controller and is primarily liable for breaches of the Data Protection Act. However, under the terms of the SaaS agreement the supplier will invariably be liable for compensating the customer for any breaches of the Data Protection Act committed by the supplier or by its agents and sub-contractors (i.e. the data centre, outsourced backup service provider or storage facility), for example where a backup tape is lost in transit to the storage facility, or a fire, theft or power loss at the data centre results in a backup tape being unavailable.

SaaS Contractual Liability

In the SLA of a SaaS agreement, you will undertake to make backups of customer data, usually using sub-contractors, third parties or subsidiaries of your group. Customers will usually require the supplier to be liable for any breaches of the SaaS agreement caused by a sub-contractor, third party or group subsidiary who provides any part of the SaaS services, as if the supplier had committed the breach itself. Accordingly, if a backup tape is lost, you will be liable to your customer for the loss of that tape.

Limiting your Liability

In view of the above, it is imperative that you take precautions to limit your liability in the event of a backup tape being lost. Such protection should be included in the terms of your SaaS agreement and where possible in your agreements with sub-contractors and third parties who supply any part of the services.

In addition you could:

  • obtain insurance cover for loss of backup tapes,
  • carry out due diligence on the security procedures used by your sub-contractors and third parties,
  • audit compliance with the security procedures of sub-contractors and third parties regularly,
  • ensure that all backup tapes are encrypted.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
