By Chip Cooper in Featured

You’re offering a SaaS (Software as a Service) solution to the corporate market. You’ve developed your standard form SaaS agreement (sometimes referred to as a “hosted software services agreement”). And you’ve presented your agreement to your corporate prospect’s representative.

Are you prepared for the issues you’re most likely to be confronted with by a SaaS-savvy corporate user – or do you flunk the test?

Two Approaches to SaaS Contracting

There are two basic approaches to SaaS agreements with end-user customers:

* the click-wrapped agreement approach – a “take it or leave it” online agreement that’s presented electronically during your site’s registration process with an “I Agree” button; and

* the traditional paper-based, signed agreement approach – an agreement that’s presented with the expectation that it will be negotiated and eventually (you hope) accepted and signed by the user.

Since the click-wrapped approach is not subject to negotiation, that’s not the subject of this article. What we’re concerned with here, is whether you’re prepared to negotiate the cutting edge issues of a traditional paper-based, signed agreement with a corporate user – and a SaaS-savvy one at that.

The single most significant driver of your prospect’s questions and concerns with your traditional paper-based, signed SaaS agreement is the fact that your prospect is considering surrendering its valuable and sensitive data to you – transferring it into the “cloud.” Your prospect will test you with questions and concerns regarding the privacy and security of its data. How you respond will determine, in most transactions, whether you’ll get the business.

Are you ready for the test?

Your Data Center

If you’re typical, you’ve outsourced your data center to an outside hosting service provider, and your prospect knows that. So the prospect is considering a transaction where its data is being outsourced not once, but twice. This raises questions and concerns regarding privacy and security.

Some of the key questions and concerns are:

* Who is your hosting service provider? What’s their reputation in the field and financial viability? Is it permissible to visit the data center for purposes of evaluation?

* Where are the servers located? Will servers be required to be located only in the United States?

* Security audits – does the hosting service provider provide SAS 70 reports periodically (Type 1 or Type 2)?

* Changes to a successor data center – will the prospect insist on approval of any change to another hosting service provider?

* Privacy and security agreements – are satisfactory privacy and security agreements in place between you and the hosting service provider?

* Responsibility – will you be responsible for the acts and omissions of the hosting service provider as if the acts and omissions were yours?

* Disaster recovery – what’s the level of support?

* Redundancy – if there is a problem with the active server, does a mirrored server kick in?

* Backups – what’s the frequency of data backups?

* Access to data – who at the hosting service provider has access to data in the server?

Your Customer’s Access to its Data

Although the data resides in servers located at your hosting service provider’s facility, your customer may have a need to access this data from time to time.

Some of the key questions and concerns are:

* Data requests – how will the customer’s requests for data be handled, including responses to legal discovery (eDiscovery) requests, search warrants, and subpoenas?

* Return of data – when the SaaS relationship ends, how will the data be returned and will the hosting service provider retain data, such as in its backup system?

Are You an Insurer for Data Security Breach?

Do you give an indemnity for any and all security breaches that affect your customer’s data? This is a key question. If you do, you need to be sure that you’ve added an additional fee to your pricing to cover this significant risk.

Think about it. It’s a fact that there’s no system currently known to man that is guaranteed to be absolutely safe and secure from outside hacks. So, if you guarantee data security with a general indemnity, you’re providing a guarantee over which you have no control and which you’ll be expected to honor financially in the future with some of your customers. Count on it. In essence, you’ll be providing an insurance policy, and you had better be charging an insurance “premium” to cover the risk.

One way to deal with the issue is to agree to a standard for data security that you’ll be responsible to satisfy. The standard may be general in nature, such as compliance with reasonable data security measures that are generally followed in the industry. Or, the standard may be more specific, such as standards set by the EU Safe Harbor or the Gramm-Leach-Bliley Act, or a very specific negotiated standard. In any case, once the standard is agreed upon, you might agree to be responsible for a security breach only if it’s enabled by your failure to comply with the standard. If the breach is not enabled by your breach of the standard, you’re not responsible.

One of the issues regarding your scope of responsibility for a data breach is who is responsible (or the extent that the responsibility may be shared) for notifying the persons affected by the data breach as required by the patchwork quilt of state laws dealing with breach notification.

Conclusion

Did you pass the test?

If you’re not prepared to discuss these questions and concerns competently, then you’ve flunked the test.

If you’re not sure about how to handle these issues, you’re advised to seek competent legal counsel who’s familiar with them.

The ultimate questions are whether you:

* understand and adequately provide for the risk allocation inherent in your SaaS agreement; and

* provide a satisfactory response to your prospects’ questions and concerns regarding privacy and security.


Leading Internet, IP and software lawyer Chip Cooper has automated drafting your SaaS Agreement www.digicontracts.com/saas.aspx with his DigiContracts.com SaaS Agreement Form Generator. Use his free online tool — Website Documents Determinator — to determine which documents your website really needs. Discover how quick, easy, and cost-effective it is to draft your website legal forms at DigiContracts.com.

By Chip Cooper in Featured

In June, 2010, the Federal Trade Commission (FTC) settled charges that Twitter’s micro-blogging site had engaged in lax security practices that amounted to “unfair and deceptive trade practices”.

While previous cases brought by the FTC for lax security procedures focused on lax electronic controls, the Twitter case focused on lax administrative controls. Webmasters of SaaS and ecommerce sites who fail to learn and apply the critical lessons of the Twitter case do so at their peril.

Twitter Case Facts – Two Hacks

The FTC’s complaint against Twitter alleged that lax administrative controls for data security permitted at least two hackers to acquire administrative control of Twitter resulting in access to private personal information of users, private tweets, and most surprising – the ability to send out phony tweets.

Here’s how the hackers got access to Twitter. According to the FTC, hacker no. 1 was able to hack in by using an automated password guessing tool that sent thousands of guesses to Twitter’s login form. The hacker found an administrative password that was a weak, lowercase, common dictionary word, and with it the hacker was able to reset several user passwords which the hacker posted on a website that others could access and use to send phony tweets.

Hacker no. 2 compromised the personal email account of a Twitter employee and learned of the employee’s passwords that were stored in plain text. With these passwords, the hacker was then able to guess the similar Twitter administrative passwords of the same employee. Once into Twitter, the hacker reset a user’s password and was able to access the user information and tweets for any Twitter user.

Twitter Settlement Lessons

The FTC noted that Twitter’s website privacy policy promised: “We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

Focusing on Twitter’s administrative controls (more accurately on the lack thereof), the FTC alleged that Twitter failed to take reasonable steps to:

  • require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
  • prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
  • restrict access to administrative controls to employees whose jobs required it; and
  • impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

The FTC settlement included (among other things) the requirement that Twitter set up and manage a comprehensive data security policy that will be reviewed by an independent auditor periodically for ten years.
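The controls the FTC listed above map directly onto a handful of checks an admin login path can enforce. The following is an added illustration, not code from the FTC complaint or from Twitter: a minimal Python model of an administrative account that rejects weak dictionary passwords, stores only a salted hash rather than plain text, locks the account after a fixed number of failed guesses, expires passwords after 90 days, and refuses admin logins from outside an allowed IP range. The dictionary list, the 10.0.0.0/8 office range and the threshold of five attempts are constructed sample values.

```python
"""Admin-login policy model covering the administrative controls the FTC cited."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample policy values; a real deployment loads these from config.
COMMON_WORDS = {"password", "happiness", "letmein", "welcome", "admin"}
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed office range for admin logins
MAX_FAILED_ATTEMPTS = 5                       # lock after this many bad guesses
PASSWORD_MAX_AGE = timedelta(days=90)         # forced rotation interval


def password_policy_violations(password: str) -> List[str]:
    """Return the reasons a candidate admin password is unacceptable (empty if fine)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    if password.islower() or password.isalpha():
        problems.append("no mixed case or non-letter characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest so the stored credential is never plain text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def create_admin(username: str, password: str, now: datetime) -> AdminAccount:
    """Create an admin account, refusing passwords that fail the policy."""
    problems = password_policy_violations(password)
    if problems:
        raise ValueError("weak admin password: " + ", ".join(problems))
    salt, digest = hash_password(password)
    return AdminAccount(username, salt, digest, now)


def admin_login(account: AdminAccount, password: str, client_ip: str, now: datetime) -> str:
    """Return 'ok' or the reason the attempt was refused; mutates lockout state."""
    if not any(ip_address(client_ip) in net for net in ADMIN_NETWORKS):
        return "ip not allowed"            # admin access restricted to known ranges
    if account.locked:
        return "locked"                    # stays locked until an operator resets it
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return "password expired"          # periodic rotation enforced
    _, candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True          # guessing tools hit the wall here
            return "locked"
        return "bad password"
    account.failed_attempts = 0
    return "ok"
```

With these checks in place, an automated guessing tool is cut off after the fifth wrong attempt, and a credential copied from a personal mailbox is useless once it has expired or is presented from outside the allowed range.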

Conclusion

The FTC represents consumer interests to prevent fraudulent, deceptive, and unfair business practices. Privacy and data security have been high-priority issues for the FTC, as evidenced by the 30 cases brought over the last few years for lax data security practices.

In its investigations of data security cases, the FTC looks at two standards:

  • what the FTC considers as “standard, reasonable” security procedures, and
  • what a website’s privacy policy promises to consumers regarding data security.

If the website’s actual data security practices do not measure up to either of these standards (a worst-case scenario would be the failure to measure up to both), the FTC concludes that the website has engaged in lax security practices that amount to “unfair and deceptive trade practices”. A complaint and costly lawsuit may follow.

The reason that the FTC publishes the results of its settlements is to provide lessons to others regarding what the FTC regards as an “unfair and deceptive trade practice”.

Do you know if your site measures up to the two standards?


Leading Internet, IP and software lawyer Chip Cooper has automated the process of drafting DigiContracts.com Website Legal Forms for website legal compliance. Use his free online tool — Website Documents Determinator — to determine which documents your website really needs for website legal compliance. Discover how quick, easy, and cost-effective it is to draft your website legal forms at DigiContracts.com.

By Chip Cooper in Featured

The new behavioral ad icon will begin to appear on website ads soon. Whether or not it satisfies the concerns of online consumers and governmental regulators should matter a great deal to all webmasters.

The Interactive Advertising Bureau (IAB), acting with several other organizations, recently announced the release of an icon to appear in online ads and Web pages. The new icon – a blue square with a lowercase “i” in a circle – is intended to be placed within ads employing behavioral data and targeting (so-called behavioral ads), as well as on websites running behavioral ads. The icon will also have accompanying text that will read “Why did I get this ad”, “Interest Based Ad”, and/or “Ad Choice”.

The ostensible purpose is to notify consumers regarding the use of behavioral ads. The real purpose is to satisfy government regulators and lawmakers that the additional, potentially harmful governmental regulation is unnecessary. But will it work? A lot is riding on the outcome.

Behavioral Ads and Proposed Legislation

Behavioral ads use technology that tracks a user’s surfing behavior on the Internet. Key data includes clickstream data such as searches made, content read, site-visit times, and websites visited. With this key data about a specific user, advertisers can create a behavioral pattern that can be linked to a specific online demographic, which becomes the basis for ads that target the specific demographic.

Behavioral ad proponents argue that behavioral ads pose no privacy threat because the key data collected is “anonymous”. They argue that it’s not tied to “personally identifiable information” (such as name, address, email address, etc.) so that privacy is maintained.

Consumers continue to be wary of websites that track their every move on the Web. They, along with their consumer advocates, argue that distinguishing between “anonymous” data and “personally identifiable information” is meaningless because some people have been identified by allegedly “anonymous” information. In addition, consumers argue that even if a person’s name is not compromised, the level of information that may be compiled about a specific person is downright creepy. For example, a frequent traveler can be tracked to different locations through geographically different IP addresses, and then by combining this information with cookie data, an advertiser can draw a clear picture of the person’s travel habits – destinations, length of stay, travel frequency, preferred airlines – plus much more.

Behavioral ads are now in the cross hairs of Congressman Rick Boucher (D-VA), chairman of the House Energy and Commerce Subcommittee on Technology and the Internet. In early May, Boucher co-sponsored proposed legislation that would place significant restrictions on behavioral ad marketers. If passed, advertising websites would be burdened with new regulations, and users would be inundated with disclosure notices, opt-in requests, and user information licenses when they visit websites that use behavioral ads.

Will The Behavioral Ad Icon Stop the Drumbeat for New Governmental Regs?

Under current practice, websites use privacy policies to notify visitors about the site’s collection, use, and sharing of online information, including both clickstream and personally identifiable information.

The growing consensus among government regulators and lawmakers is that current privacy policies are failing to inform online consumers. Privacy policies are viewed as too lengthy and confusing to effectively communicate key information.

The growing consensus among leading Web marketers is that consumer fears about behavioral ads – heightened by the prospect of new government regulation – are holding back significant economic investment in and use of behavioral ads. A new study of ninety online marketers released in May, 2010 by the Ponemon Institute indicated that despite an acknowledged return on investment from behavioral ads, hundreds of millions of dollars are being held back from online behavioral ads due to privacy concerns.

The objective of IAB and Internet advertisers is to convince government regulators and lawmakers – and ultimately online consumers – that industry self-regulation through the use of the new icon is sufficient to adequately inform consumers regarding behavioral ads without the necessity of intervention by new governmental regulations.

Conclusion

Resolving the current distrust and uncertainty regarding behavioral ads is critical to the future growth of responsible use of behavioral ads and their potential benefit to both advertisers and consumers. And ditto for the yet untapped substantial investment in behavioral ad technology and use.

How to resolve the current distrust and uncertainty is the real question facing the online advertising industry. Should the government step in, or should the industry self-regulate?

Online advertisers overwhelmingly fear that new government regulations will only exacerbate the problem. That’s why the new behavioral ad icon should matter to all webmasters.


Leading Internet, IP and software lawyer Chip Cooper has automated the process of drafting DigiContracts Website Legal Forms with his website legal forms generator. Use his free online tool — Website Documents Determinator — to determine which documents your website really needs for website legal compliance. Discover how quick, easy, and cost-effective it is to draft your website legal forms at DigiContracts.com.

By Chip Cooper in Featured

I talk to a lot of owners of small websites — entrepreneurs getting started with new businesses or re-doing existing sites on the Web — and most of them have a profound lack of understanding regarding the scope of legal regulation they face.

What’s worse, most don’t have any idea of their exposure to legal liability.

Why Aren’t Website Owners Aware of Website Legal Compliance Requirements?

I believe the lack of awareness and understanding is due to several factors:

  • most small website owners don’t have an Internet attorney; most don’t even feel the need for one, and the ones who do, don’t know how to find one they can trust;
  • most website developers don’t inform their clients of the need for website legal compliance;
  • website regulation developed without fanfare; to date, there is no federal privacy statute of general application that would have been highly publicized at the time of passage;
  • privacy and data security regulation has developed in piecemeal fashion in the form of state statutes (with California leading the way); federal jurisdiction was not created by any Internet-specific statute – the Federal Trade Commission (FTC) assumed jurisdiction for enforcement of privacy and data security violations by claiming jurisdiction (successfully) resulting from its authority to regulate false and misleading claims under Section 5 of the FTC Act; and
  • despite press releases by the FTC regarding claims filed against websites, the message is just not getting through to entrepreneurs; for example, in the last 3 years, the FTC has settled with fourteen businesses over inadequate data security for personal information with substantial fines levied in some cases, and the FTC’s aggressive enforcement has continued into 2009 with two new actions filed in the first two months of 2009.

So, given the factors listed above, it’s understandable why most entrepreneurial website owners aren’t aware of the need for website legal compliance. However, website owners won’t be able to plead ignorance. The cliché you’ve heard before is true – “ignorance is no excuse”.

16 High Risk Activities That Indicate The Need For Website Legal Compliance

There are certain website activities that are now very high risk – and indicate the need for legal compliance measures. They include:

  1. collection of any single element of personal information; for example, if you collect merely an email address for a sign-up form for product information, a newsletter, or a downloadable report, you have entered an area that is highly regulated – and which presents a very significant exposure to legal liability;
  2. collection of credit card information;
  3. failure to operate a secure server that stores personal information;
  4. failure to identify and assess internal and external risks to the security of personal information;
  5. failure to monitor the effectiveness of security of personal information and update security measures as indicated by changes in website operations;
  6. offering monthly subscription or membership payment models, or any payment scheme where payment is made over time after the delivery of the product or service;
  7. sharing of personal information with others for purposes of direct marketing;
  8. permitting third party service providers such as website maintenance and SEO service providers or hosting service providers to have access to the internals of your server;
  9. transmission of personal information outside the website’s secure system or across public networks; Nevada and Massachusetts both have statutes regulating these activities;
  10. operation of a blog or forum that permits users to upload text or files;
  11. operating a website that targets children or at least by virtue of graphics, text, and products or services would be attractive to children under 13;
  12. serving third party cookies (e.g. Google Analytics);
  13. serving behavioral ads (e.g. Google’s AdSense);
  14. appointment of online resellers or affiliates;
  15. use of a competitor’s trademark in keyword-triggered ads; and
  16. “borrowing” someone else’s privacy policy without detailed analysis of how it fits your own specific business and marketing practices.

Make Website Legal Compliance a Top Priority

If your website engages in any of the risk factors listed above, website legal compliance measures are required — and compliance should become a top priority ASAP.

The legal liability for failure to comply can be significant.


Leading Internet, IP and software lawyer Chip Cooper has automated the process of drafting website documents for small websites with his MyLegalFirewall website documents drafting service. Discover how quick, easy, and cost-effective it is to determine which legal compliance documents you need and to draft them online, and claim your FREE Special Report, Determine Which Legal Documents Your Website Really Needs, at ==> http://digicontracts.com/

By Chip Cooper in Featured

Safire’s New Political Dictionary defines “hot-button” as follows: word or issue that ignites anger, fear, enthusiasm, or other passionate response.

Safire’s definition fits two Internet advertising issues – behavioral and keyword ads – perfectly. Two developments in the first few months of 2009 show how these hot-button issues are developing, and how they may ultimately impact Internet advertising in a fundamental way.
