Leaving or switching a software provider is a complicated task in itself. Yet, despite the inordinate number of quandaries and conundrums, one incredibly important consideration is often overlooked: what happens to your data when you leave your ‘software as a service’ or ‘SaaS’ provider?
This is a question that is all too frequently left untouched, despite its significance. Indeed, for legal practices and law firms, the answer to this question is even more crucial. With a variety of confidential and sensitive data points to consider, from employee and financial data through to information pertaining to current, former and potential clients, the scope for data loss, leakage and even theft is exceedingly troubling.
But how might this trifecta of undesirable consequences materialise from leaving a SaaS provider, such as a legal software system vendor?
While there are some exceptions, the vast majority of SaaS providers run on a cloud-based model, meaning their services, and by extension your data, are kept on their servers. This means all your confidential information is physically based outside of your office and inside another company’s premises. Therefore the level of skill, security and redundancy they employ, both physically and digitally, is the same level that ultimately protects your valuable data. While in most cases, SaaS providers take good care of your confidential information, there are notable exceptions where data breaches have caused a swath of clients’ data to be lost or appropriated.
This potentiality becomes more of an issue when you leave your data provider – now that you have stopped paying them, will they continue to protect and store your data?
This question is a difficult one to answer, at least in a general sense. Usually, the consequences for your data on the legal cloud network of your provider are contained in the specific contract you have with them. For example, a SaaS provider supplying you with a legal email management system might provide in your contract that, should your services conclude, all your firm’s emails contained on their system will be transferred to you over a series of data dumps. This is not as straightforward as it sounds, however. A firm with 500 lawyers is estimated to require 1 terabyte (1000 gigabytes) of storage for all of its data, though this figure is likely very conservative, and that storage would need to be in place before a data set of this size could be received. Terabyte-sized hard drives do, however, exist and are affordable, but this is only half the problem; the other issue is compatibility.
Emails and other methods of data communication are not identical: they often utilise different formatting instructions and metadata, and may even be tainted by the daemons that regulate them. In essence, transferring a data heap of emails from one SaaS provider’s platform to another’s, or even to your own, can be more complicated than simply porting them over. While this may not always be an issue, by virtue of integrated email hosting platforms, or MUAs, it becomes even more tricky in instances of specific or native data types (something your SaaS provider has made themselves rather than a ubiquitous data source like email). Take, for example, professional services CRM software; even the best client management software is unlikely to be able to easily swap specific data between providers. Switching client management software inefficiently could lead to overheads and deteriorating customer service, as retained data on clients and the status of their claims is lost through incompatibility.
Consequently, even if your provider is obligated or makes the effort to transfer your data back to you, it is still possible to lose data or, in the event of a mistake in the transfer process, to suffer a high-volume data leak. This is before considering that some SaaS providers do not bother with the extensive process of collating and returning your data and so purposefully leave the particulars as to your data unclear, a practice that has received criticism. In some extreme cases, they may even delete all your stored data without asking.
This is no small issue, either, as 51% of respondents to a Ponemon report indicated that they lost data due to the failure, incompetence or disinterest of a third-party software provider. Such loss or leakage can damage both your firm’s reputation and functionality. Clients will not acquire the services of a firm for their divorce, for example, even if it uses the best cloud-based matrimonial lawyer software, if it has a history of data loss and might expose their personal information to unwanted viewers. Moreover, the practice of law relies on organisational efficiency and secure document management. With data loss, these are undermined and, consequently, so is the firm’s effective performance.
There are also legal ramifications for data loss, especially that of third parties, such as clients. Since the Data Protection Act 2018, the General Data Protection Regulation, or ‘GDPR’, has served to both enforce data protection and punish loss, destruction or damage. Strikingly, firms, as the ‘controllers’ of sensitive data, are liable for data losses that occur from a third-party ‘processor’ that they have contracted, such as a SaaS provider. As a result, any losses of third-party data, whether employee or client, that occur from switching or leaving your SaaS provider could result in legal liability. When data loss occurs, this is a likely possibility, as the GDPR Enforcement Tracker illustrates.
Yet this is no reason to reject the paperless document storage model. Instead, software for law offices, as well as the accompanying supplier, should be chosen carefully, so as to avoid these negative outcomes. Therefore, it is advisable to have a thorough talk with your potential provider about the scope and depth of the service they will provide you with, as well as their security measures. Ensure that your contract details, exhaustively, what will happen to your stored data in the event of contract termination or frustration. It may even be wise to seek an indemnity for data breaches that might cushion some of these losses or pass on a GDPR-related fine.