September 21, 2020

Last Updated on January 13, 2024

One of the biggest factors impacting how venture capital and private equity funds view a target company is whether it has the right information security and data privacy infrastructure and processes in place to support strong growth and minimize investor risk. Investors want to see their money used to grow the business, not to bring a business up to speed to serve the market.
According to Jesse Nash, a partner at leading VC law firm Reitler Kailas & Rosenblatt LLC and our guest on The Virtual CISO Podcast, this is why…

SaaS firms absolutely must be proactive about addressing compliance with applicable US state and international privacy mandates like CCPA and GDPR.

As Jesse notes, regarding CCPA: “… That can have a massive operational limitation on a B2B SaaS company. So now I need to go identify this particular personal information and be able to delete it and be able to verify that we’ve done so.”
Podcast host John Verry, Pivot Point Security’s CISO and Managing Partner, echoes that point: “It’s a staggering requirement for most organizations because this idea of personal information, in the old days was a privileged identifier—a credit card number, a checking account number, a medical number. Nowadays, personal information is your dog’s name, your sexual orientation, your political party, your IP address, your email address… Everything is personal; anything that can be used to reasonably infer a person or their household.”
John continues: “Technically if you want to get to GDPR or CCPA conformance, you literally need to know all of those individual data elements and sub-elements. You need to know what processing activities act on them. So, during a job interview or the recruiting process or employee onboarding, or a deliverable of client matters, which pieces come in? Which services that you perform as a law firm, for example, actually act on that data? Which one of your assets, whether it’s email, SharePoint, Dropbox, your document management system… where might that data end up? … Proving that you’re doing what you said you were doing with the data and/or delete the data, it’s incredibly difficult.”

“That’s the key point that I think a lot of companies are scrambling to,” Jesse replies. “Back before these data regulation regimes came online, having tons of data was a good thing. A lot of companies were forming whole business models around incidental accumulations of data. … It’s almost like now data is a little bit of a hot potato, right? It’s almost like a ticking time bomb and having more of it on your systems inherently increases your risk.”


Every day, businesses generate and accumulate more data while facing escalating data security and privacy risk. For example, both John and Jesse point out how AI/machine learning systems can create incredibly gnarly privacy issues when it comes to something like a Data Subject Access Request (DSAR).
This is why SaaS companies need a provably robust cybersecurity infrastructure that investors, regulators and clients can all believe in.
If you work for a SaaS provider or are looking to own or invest in a SaaS business, you need to listen to this podcast with Jesse Nash in its entirety.