(This column originally appeared in Forbes)
Recently, one of the providers of a CRM platform that we sell issued an update to their terms of service. Here’s what it said:
You agree that (the software company) shall, in no event, be liable for any consequential, incidental, indirect, special, punitive, or other loss or damage whatsoever or for loss of business profits, business interruption, computer failure, loss of business information, or other loss arising out of or caused by your use of or inability to use the service, even if (the software company) has been advised of the possibility of such damage. In no event shall (the software company’s) entire liability to you in respect of any service, whether direct or indirect, exceed one thousand dollars ($1000) or the fees paid by you during the twelve (12) months prior to the first event giving rise to such liability, whichever is higher. You agree to indemnify and hold harmless (the software company), its officers, directors, employees, suppliers, and affiliates, from and against any losses, damages, fines and expenses (including attorney’s fees and costs) arising out of or relating to any claims that you have used the Services in violation of another party’s rights, in violation of any law, in violations of any provisions of the Agreement, or any other claim related to your use of the Services, except where such use is authorized by (the software).
Translation: the software company assumes zero responsibility for anything that happens to your data, regardless of whether or not it’s their fault. That includes a data breach, a loss of data, a down server…whatever. And you, like me, probably just merrily clicked on the “accept” button — or in this case did nothing at all — which still legally binds you to the agreement. Feeling comfy? Yeah, I thought not.
Can a software company get away with this? Sure. They all do. Why? Because they can. That’s one of the biggest problems with the cloud. The cost of switching from any of these cloud-based services, particularly after going through the pain and agony of implementing them, is just too significant. And who are we going to switch to? Another platform with the same terms and conditions?
The big question is: what does your business do? It’s not realistic to reject these terms and you don’t have the attorneys to fight it. Your cloud data strategy — like all of your business strategies — should be about measuring your risks and preparing for the worst.
In this situation, when it comes to risks, there are really just three. The first is that your data gets hacked or breached or is subjected to malware or ransomware. The second risk is that your data simply disappears or becomes inaccessible. The third risk is that your software company disappears, along with your data.
The good news is that the risk of any of this happening is remote. Why? Because CRM software providers, like any cloud platforms, have built their business models around delivering data to their customers. They invest millions — billions altogether — in the best security resources and people who are likely much smarter than the typical IT firm that’s servicing your business.
Many of these platforms are already hosted by Amazon Web Services, Google or Microsoft Azure, where the data and security controls are even more advanced. CRM cloud providers — like all good companies — avoid public relations disasters and know that if they can’t provide the data their customers need in a secure manner they’ll be out of business. The reality is that security and data integrity are more important to these firms than the actual features of the software.
So the risks are relatively low. But that doesn’t mean your data is completely safe. So you have to prepare.
You can back up your database. Most CRM platforms will provide their users with backup data and usually for an additional fee. Once you get that data you can then back it up to a separate resource using online backup software like Carbonite or Barracuda. Usually, this data is in a format that can be imported to another system, although it won’t be easy, fun or inexpensive.
You can make sure your employees — particularly your work from home employees — are trained, have security software installed, are connecting to secure routers and are using the most recent operating systems. To do this you’ll likely have to employ an outside IT firm to monitor their activities and make sure they’re set up the right way. It’s a cost, but it will help minimize your risks and this is now a reality in today’s post-pandemic remote working world.
Cyber insurance won’t stop any of this from happening. But it will provide funds if your business is interrupted because of a breach. Liability insurance could cover you if your customers sue you because your data got breached. Talk to your insurance provider and make sure you have the appropriate coverage to minimize your financial risks.
Unfortunately, if your CRM provider goes down and you can’t access your data you’re going to have to twiddle your thumbs until their systems are restored. This has happened to my firm and our clients on numerous occasions. It’s maddening, but usually gets resolved in a few hours. Regardless, make sure you’re prepared for this potential problem by having manual procedures in place.
And what if your CRM provider goes out of business or disappears into the night? I wouldn’t worry too much about that. Unless you’re using a very obscure system, your CRM vendor wouldn’t likely just shut its doors. They’d sell to a bigger company or a competitor. Which means that your data will be inherited by someone else with the intention of keeping things going, although you may be facing a migration to a new system in the future.
So is your CRM data safe? Yes. No. Pretty much. Know your risks and prepare for the worst.