June 13, 2024

Last Updated on June 28, 2024

Against a news backdrop of ongoing massive privacy violations, it is perhaps surprising that only 60% of Americans recently surveyed believe companies routinely misuse their personal data. From tech giants’ “privacy washing” practices to retail hyper-personalization trends to carmakers recording your behind-the-wheel details, consumer data is ripe for monetization on an unfathomable scale. And privacy laws are only just starting to catch up.

But is data privacy any better in the B2B world? Can companies trust their SaaS vendors to refrain from monetizing or leveraging the customer data they have access to, even if contracts don’t explicitly prohibit this?

This article explores these often-unasked questions and associated vendor due diligence issues.


SaaS data exploitation risks

Trusting SaaS vendors (or anyone else who can access your data) is a gamble. Data is “the new oil,” to be mined and refined in the greatest quantities possible. AI and machine learning (ML) innovation, now a business imperative for many SaaS providers, demands large data volumes, potentially including customers’ databases. Analyzing all kinds of customer usage data for revenue-boosting business insights and value-added services is also commonplace among SaaS firms.

If a SaaS provider faces an internal conflict of interest between its promises and policies toward customers and strong financial incentives to exploit customer data, its IT, security, legal, and marketing priorities may not all align, and none of them may favor the customer.

Under relentless growth pressure, executives individually and collectively don’t always put ethics first. For example, some SaaS companies whose privacy and data security policies had prohibited monetizing customer data for AI programs have surreptitiously downgraded the terms of these agreements despite legal risks.

Regarding what he terms “the Faustian bargain of SaaS,” William Eshagh notes, “Unless strong, independently validated technical means are deployed to secure customer information held by third parties… it is foolish to believe that vendors are not reviewing customer data for every advantage that information may afford the business in its own growth ambitions.”

Further, if a vendor has access to the data you keep in their SaaS application, so do their individual employees and their third-party vendors. Besides inviting data misuse for monetization or upselling purposes, this increases the customer’s attack surface for insider and supply chain threats.


Making privacy the default

SaaS offers multiple compelling advantages over traditional software delivery methods, such as reduced time to value, lower upfront costs, on-demand scalability, and ubiquitous access. But these advantages shouldn’t be offset by vendor-created privacy concerns.

Many SaaS application architectures store the data from all their users in a centralized repository. This approach creates a tantalizing target for cybercriminals or malicious insiders, while increasing the risk associated with misconfigurations and other vulnerabilities. Overall, data leaks are the number one risk associated with SaaS.

When breaches occur, customers are usually forced to depend on the vendor for incident response and recovery. Many SaaS businesses are small and perhaps not that outstanding at defending your data. Yet they may be increasing your data privacy risk by automatically analyzing your data to deliver “relevant product features” or other revenue-generating opportunities. Often this is the default in the terms of service, from which you can hopefully opt out.

SaaS designers and developers need to take the lead on putting privacy ethics first, such as by using end-to-end encryption and customer-managed encryption keys (CMEK) and/or storing data on customers’ local devices.


Won’t data anonymization protect us?

Even in regulated industries like healthcare and financial services, many business leaders believe that data masking, randomization, or anonymization will keep their customers’ data safe.

But just because no data is stored as plain text doesn’t mean nothing can be tied back to individuals. Thanks to today’s advanced analytics, such as re-identification neural networks, big data sets can be anonymized in compliance with regulations and still yield personally identifiable information (PII) to skilled data scientists and hackers.

SaaS users are advised to get expert data privacy guidance on their anonymization, masking, and/or encryption approach before moving big data to the cloud. It is also beneficial to know your rights and your vendors’ compliance requirements under prevailing privacy laws like GDPR.
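One concrete check to run before handing a “masked” data set to a vendor is a k-anonymity test over the quasi-identifiers that survive masking. The example below is added here and is not code from the article or the podcast; the records, field names, and the generalization rules are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample: names and account numbers were already stripped, so a
# vendor might call this export "anonymized". ZIP, birth year and sex remain.
MASKED_RECORDS: List[Record] = [
    {"zip": "02139", "birth_year": "1961", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": "1961", "sex": "F", "diagnosis": "flu"},
    {"zip": "02138", "birth_year": "1973", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02138", "birth_year": "1975", "sex": "M", "diagnosis": "flu"},
    {"zip": "02141", "birth_year": "1968", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "birth_year": "1962", "sex": "F", "diagnosis": "asthma"},
]

# Quasi-identifiers: fields that are harmless alone but, combined, can match a
# public record (voter roll, social profile) to exactly one person.
QUASI_IDS: Tuple[str, ...] = ("zip", "birth_year", "sex")


def equivalence_classes(records: Sequence[Record], quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """k is the size of the smallest class; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singletons(records: Sequence[Record], quasi_ids: Sequence[str]) -> List[Tuple[str, ...]]:
    """Quasi-identifier combinations that point at exactly one record."""
    return [key for key, n in equivalence_classes(records, quasi_ids).items() if n == 1]


def generalize(records: Sequence[Record]) -> List[Record]:
    """Coarsen quasi-identifiers (assumed rules): ZIP to its 3-digit prefix,
    birth year to a decade. Sex and non-identifying fields are untouched."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_year"] = r["birth_year"][:3] + "0s"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(MASKED_RECORDS, QUASI_IDS))
    print("unique combinations:", singletons(MASKED_RECORDS, QUASI_IDS))
    print("k after generalization:", k_anonymity(generalize(MASKED_RECORDS), QUASI_IDS))
```

A result of k == 1 means that stripping direct identifiers did not make the export safe to share; a larger k is a necessary (not sufficient) condition before moving the data to the cloud.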

This information can help you evaluate vendors’ privacy ethics. For example, do they offer sufficient opt-out choices? How long before they stop processing your data if you withdraw consent? Have they made investments in privacy compliance technology, such as a consent management system? Are they transparent and forthcoming around data privacy practices?


What to look for in a privacy-focused SaaS vendor

Vendor due diligence is essential to protect sensitive data and reduce privacy risk. Best practices to look for in a privacy-conscious SaaS vendor include:

  • Robust encryption for sensitive data wherever it is stored or transmitted, including in databases
  • The ability to choose customer-managed encryption keys (CMEK)
  • Role-based access control and strong identity management
  • Multifactor authentication
  • Data loss prevention (DLP) technology
  • A best-practice patch management program for SaaS infrastructure
  • Regular vulnerability assessments and penetration testing
  • A zero trust network access (ZTNA) solution and architecture
  • A privacy awareness program for employees
  • A vendor risk management program to protect SaaS customers from “fourth party” risk
  • Detailed incident response management policies that prioritize customer data protection
  • Customer-centric data ownership policies
  • Privacy-centric data retention/deletion policies
  • A continuous privacy compliance program


What’s next?

For more guidance on this topic, listen to Episode 138 of The Virtual CISO Podcast with guest William Eshagh, co-founder and CEO at Bowtie.