A potent combination

11 Sep 2008


A Computing logo
Louise Taylor
Taylor: Risk analysis must be conducted from the start

Enterprise mash-ups are developed by integrating data from internal and external sources or by integrating internal applications. They are relatively easy to develop, have low capital development costs and can be used to present information in an innovative and user-focused way. For example, customer information mashed together with Google Maps can support a delivery schedule application by mapping customer addresses and creating routes.

Developers have seized on the benefits of these applications, and according to Forrester Research this market is set to grow rapidly, reaching nearly $700m (£393m) by 2013.


Businesses that want to develop enterprise mash-ups using external sources should consider legal issues at an early stage in the project. As the technology is relatively new, there are some grey areas, but if a business gets the legal issues wrong – or ignores them completely – it exposes itself to some serious risks. Third parties could sue for unauthorised data use; mash-up data may be corrupted or out of date; access to data might stop altogether; security may be compromised, and the business may fall foul of data protection legislation.

One of the first and most important decisions is which data sources to meld. Without a licence, mash-up development using third-party data or content is likely to involve an infringement of copyright – for example, if data is obtained by screen scraping. It may also breach the third party’s web site terms, infringe database rights, and possibly infringe trademarks or software patents. So unless a business is prepared to risk possible litigation, it will first need to select application programming interfaces (APIs) and data sources that are available under licence.

Service providers have contributed to the growth of mash-ups by permitting access to APIs and data. Big players such as Google, Yahoo, Microsoft, eBay and Amazon have made APIs publicly available to make it easier for developers to obtain their data – either for free or at a cost. They will, however, usually impose licence terms, and those considering a mash-up development should review these carefully to check whether they permit the proposed use of the API and data, what restrictions apply to that use and whether or not there is a licence fee.

Licences tend not to guarantee data accuracy or the continued availability of the API or data, so the supply will, to an extent, rely on the supplier’s continued goodwill and desire to protect their own brand.

Providers may also receive third-party data or services from others, so they may in turn be affected by those parties’ terms of service. This could pose a particular risk for business-critical enterprise mash-ups.

Similarly, third-party providers may not support or update the data, so developers will need to factor this into their support plans if stability is important. Service-level agreements with the third-party providers may be a way of minimising the risk of inadequate service, but this will come at a price and will depend on the co-operation of the third parties.

Security, privacy and data integrity risks have been highlighted as a potential problem with mash-ups, and they should not be dealt with as an afterthought. Without appropriate security measures in place, there is a risk that third-party data could come from hackers or other unknown sources, and the business’s data and servers could be compromised. IT leaders must weigh the value of particular data sources or functionality against these security risks.

If any personal data is transmitted to the mash-up from a data source, or is collected directly by a mash-up developer (for example, during the login process), data protection legislation will apply. Businesses should bear in mind that the UK’s Information Commissioner is likely to have enhanced powers before the end of the year, and a failure to process personal data lawfully or implement appropriate security measures could result in substantial fines and other penalties. The mash-up sources will also have privacy policies that the mash-up developer must adhere to.

While the benefits of enterprise mash-ups are becoming more widely appreciated, IT chiefs must be aware of the risks to ensure that their mash-up development strategy factors them in at an early stage. Licence terms, data quality, data integrity, performance, security and privacy should all be part of this mash-up risk analysis.

Louise Taylor is a senior associate at law firm Taylor Wessing, where she specialises in IT law.
