Competing Interests: Data Ownership at the Crossroads of SaaS Stakeholders and Regulation

Shabbi Khan, Mead Misic
Foley & Lardner LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Foley & Lardner LLPClear Skies Through the Clouds: Article 1

Kicking off our series on topics concerning Software-as-a Service (SaaS) technology, it is important to lay a framework around the data managed by SaaS applications and issues that arise out of complex relationships among various stakeholders in the SaaS environment.

Valuations of companies are tied to revenue and growth projections,1 and a significant portion of the value attributed to SaaS companies in particular is based on the data they handle and maintain.2 This is typically equated as a combination of services provided and expected revenue growth from the value of the data itself. For example, using search engine advertising revenue as a proxy for the value of personal data, over the last 20 years advertising revenue on a per user basis has increased by 1,800%.3 This underscores the relationship between the amount of data that SaaS companies handle and corresponding valuations.

As a result, understanding the issues surrounding data management and various aspects of data ownership in the context of the SaaS environment has become all the more important.

Overview of SaaS Stakeholders

In a typical SaaS platform, various stakeholders are involved at different levels of data processing, each having their own unique roles and ownership claims with respect to at least some aspect of data that they store or process. Each of these stakeholders may access, own, consume, store, process, or otherwise interact with the user data at various layers of the data stack.

The number of stakeholders can vary greatly based on the complexity of the SaaS platform. For instance, a SaaS platform might include data from end users (e.g., personal, financial, or medical data) as well as confidential data from enterprises (e.g., employee, technical, or business confidential information). The SaaS service provider can further store the received confidential data on company systems or cloud service providers, where it is further processed using proprietary or open source software solutions. Alternatively, the processing and software solutions could be provided or handled by third party service provider(s) with access to the data on the company systems and the cloud service providers.

Geographic and Data-Specific Concerns With SaaS Platforms

The complexities of how enterprises and other entities interact with the data used by SaaS companies are amplified by geography. For example, stakeholders could be located in various geographic regions and subject to different jurisdictional laws, regulations, and expectations with respect to data ownership and management. Consequently, many issues can arise with respect to how obligations for complying with these considerations are allocated amongst stakeholders. In addition, different stakeholders can have competing interests and various obligations in relation to other parties indirectly involved in the SaaS process, affecting commercial relationships further downstream from the immediate ownership or management of the data.

Moreover, depending on the nature of the type of data, additional factors may have to be considered, such as privacy,4 regulatory compliance,5 data security,6 and data access and use.7 For example, a SaaS company dealing with EMR (electronic medical records) will have additional legal responsibilities when handling particular types of data, such as personal health information (PHI) of patients at a medical institution.8 Such EMR data can be subject to its own unique jurisdiction-based regulations, all of which depend on the geographical locations of the company itself plus those of the stakeholders involved. These issues are especially of concern in recent years given the significant increase in data breach activity and regulations (e.g., personal health information data or data relating to children).

Conclusion

Future articles will discuss these and other potential issues concerning ownership and management of SaaS cloud-based data, and suggest strategies and practices for SaaS companies to employ to protect their interests, innovations, and interests of their customers.

1 SaaS Academy, SaaS Valuation: How to Value a SaaS Company in 2022 (Accessed October 24, 2022)

2 EQVISTA, SaaS Valuation: How Do You Value A SaaS Company? (Accessed October 24, 2022)

4 SaaSholic, Why Data Protection Is So Important for SaaS (Accessed October 24, 2022)

5 Dachowitz, Juliet, What Every SaaS Business Should Know About Compliance (April 7, 2021)

6 Bhuvaneswaran, Shivasankari, 7 SaaS security risks that every business should address (October 1, 2021)

7 Dziuba, Anna, SaaS User Management and Access Control: Best Practices from Relevant (Accessed October 24, 2022)

8 U.S. Department of Health and Human Services, Guidance on HIPAA & Cloud Computing (April 15, 2022)

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley & Lardner LLP | Attorney Advertising

Written by:

Foley & Lardner LLP
Foley & Lardner LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Foley & Lardner LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide