Negotiating SaaS Agreements: Key Contract Provisions and Protections
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, NOVEMBER 6, 2018
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today's faculty features:
Beth A. Fulkerson, Partner, Culhane Meadows Haughian & Walsh, Chicago
Nathan Leong, Lead Counsel, U.S. Health & Life Sciences Legal, Microsoft, Chicago
David W. Tollen, Founder, Tech Contracts Academy, San Francisco
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.
If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926 ext. 2.
Program Materials
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
David W. Tollen
Training on drafting and negotiating IT agreements – for lawyers and businesspeople
david@TechContracts.com
www.TechContracts.com
415-278-0950 x1
San Francisco
IT contracts and privacy; expert witness services
david@SycamoreLegal.com
www.SycamoreLegal.com
415-278-0950 x1
San Francisco
Additional Resources
▪ Tech Contracts Academy™: training on drafting & negotiating IT contracts, TechContracts.com
▪ The Tech Contracts Handbook: easy, simple, comprehensive
▪ TechContracts.com: free resources – sample language, articles, etc.
▪ Sycamore Legal, P.C.: legal services re IT contracts, expert witness services, SycamoreLegal.com
Outline: DATA TERMS IN IT CONTRACTS
1. Data “Ownership” and its Limits
2. Data Control
3. Data Security
4. A Few Customer Concerns re Data Breach Indemnities
Data “Ownership”
The problem: you can’t really own data
What to do about ownership?
• Ownership Acknowledgement – or assignment if applicable
• IP-Related “Confirmations”
❑ Valuable property
❑ Trade secrets
❑ Original compilation under copyright
❑ Substantial resources collecting, managing, compiling – under copyright
Plus ownership of derived data & derivative works …
Data Control Issue #1: Restrictions on Use
▪ Solely to serve customer
▪ For vendor purposes too
❑ Analysis & reporting
❑ Improving products/services
❑ Publication and sale
• Restrictions on marketing w/ data
• Aggregate data
❑ De-Identified: all PII removed
❑ Truly Anonymized: PII removed and no key/code available to recreate it
Data Control Issue #2: Restrictions on Use
• Subcontractor & employee access
• Customer access
• Moving data
• Termination and deletion of data
• Compliance w/ applicable law
❑ GDPR
❑ Other privacy laws: GLBA, HIPAA, FCRA, etc.
Data Control Issue #3: E-Discovery
• E-Discovery
❑ Making sure the vendor doesn’t get you in trouble by deleting relevant data
❑ Making sure your opponent in litigation can’t subpoena the vendor
(Image caption: This is you, in trouble with the court over e-discovery. Not really, but it isn’t pretty.)
Data Security
• Technical Security: big kahuna
• Audits & Testing: SOC-1/SSAE-16, SOC-2, SOC-3, ISO 27001 – outside CPA professionals
• Background Checks: for employees and contractors
• Data Breach Response
Data Breach Indemnity and the Fault Problem
When the breach happens, and possibly through much of the litigation, no one knows who’s at fault. Is the vendor indemnifying the customer’s negligence?
• Clunky fault-based indemnity?
• Clunky indemnity based on whose computers held data?
• Indemnity w/ limit of liability?
• Customer as indemnitor?
• No indemnity?
© 2018 Tech Contracts Academy™ LLC
Graphics courtesy of Pixabay: www.Pixabay.com
Cloud Contracts, Industry Trends
linkedin.com/in/nathanleong
Cloud Contract Topics
Privacy & Control
Customers expect
• Control over who has access to their data.
• Provider’s access to data to require customer’s authorization.
• Their data to be permanently deleted or taken with them at the end of the subscription.
What Cloud Providers should offer
• Choice and transparency on where customer data is stored.
• Understandable and strict policies of what we will – and will NOT – use customer data for.
• To defend customer’s rights and privacy – ensuring due process is followed – when responding to law enforcement requests.
• A variety of tools to extract customer data and for litigation hold / eDiscovery needs.
• To delete customer data after the service is terminated or expired.
Use of Customer Data
“Customer Data will be used only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.”
http://www.microsoftvolumelicensing.com
Disclosure of Customer Data
Microsoft will not disclose Customer Data outside of Microsoft or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the OST, or (3) as required by law.
Microsoft will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data if Microsoft is aware that the data is to be used for purposes other than those stated in the third party’s request.
http://www.microsoftvolumelicensing.com
Security
What Cloud Providers should offer
• State-of-the-art physical security measures.
• Data encryption across all communications stages.
• Incident response team to mitigate threats and attacks available 24/7.
• Built-in data protection tools and encryption capabilities, e.g. bring/manage your own keys.
• Third party security certifications and attestations, e.g. SOC, ISO, HITRUST.
Customers expect
• Customer data to be safeguarded using state-of-the-art security technology and processes.
• Customer data to be encrypted in transit and at rest.
Compliance
What Cloud Providers should offer
• Comply with laws applicable to the cloud service provider; shared responsibility mapping.
• Industry leadership in pursuing compliance with the latest data privacy and security standards.
• Global infrastructure that enables customers to meet their compliance requirements.
• Independent audits to certify compliance with international, local, and industry standards, e.g. SOC, ISO, HITRUST, PCI.
Customers expect
• Compliance with applicable laws.
• Cloud services that comply with international standards and applicable regulatory requirements.
• Access to certifications for each of their provider’s cloud services.
Compliance Certifications and Attestations
[Graphic: a map of certifications and attestations grouped as Global, US Government, Industry and Regional, including ISO 27001, ISO 27017, ISO 27018, ISO 20000-1, SOC 1 Type 2, SOC 2 Type 2, CSA STAR Self-Assessment, CSA CCM, NIST CSF, FIPS 140-2, SP 800-171, FedRAMP Moderate, DoD DISA SRG Levels 2/4/5, CJIS, IRS 1075, ITAR, DFARS, Section 508 VPAT, WCAG 2.0 AA, HIPAA/HITECH Act, HITRUST CSF, GLBA, FFIEC, FERPA, GxP, 21 CFR Part 11, CIS Benchmark, EU GDPR, EU Model Clauses, EU-US Privacy Shield, EU ENISA IAF, EU EN 301 549, UK G-Cloud, Spain ENS, Netherlands NEN 7510 and BIR 2012, Germany IDW PS 951, Singapore MTCS, Australia IRAP/CCSL, Japan FISC, CS Mark Gold and My Number Act, China DJCP, GB 18030 and TRUCS, New Zealand GCIO, Canada Privacy Laws, Argentina PDPA.]
Software-as-a-Service Agreements: Warranties, Indemnities, Limitations of Liability and SLAs
Beth Fulkerson, Partner
bfulkerson@culhanemeadows.com
Hybrid IP plus service provider
Be prepared to argue about caps and understand data breach insurance
Support, uptime, penalties
Transition services, escrow
Outline
Warranties
Indemnities and LoL
Service Level Agreements
Other important provisions
Warranties
Mutual: standard good standing and authority clauses
Mutual: compliance with applicable laws
Provider: all necessary rights
Provider: will disclose any necessary third party licenses
Provider: all necessary expertise to perform services
Provider: *Services will conform to specs in Documentation*
Provider: Services will not introduce viruses
Provider: no disabling mechanisms
Warranties
Provider: compliance with specific statutes, if applicable, e.g., HIPAA
Provider: data security
Subscriber: has all necessary rights to data
Covenants / Responsibilities
Subscriber: is the data controller
Subscriber: oversees the project which is facilitated by the Services
Subscriber: authorized users and passwords
Subscriber: will not create derivative works of Services
Subscriber: grants limited license to process data
Indemnities and Limitation of Liability
INDEMNITIES:
Provider: breach of warranty, breach of agreement, with carveout for claims resulting from acts or omissions of Subscriber
Provider: infringement
Subscriber: breach of warranty, breach of agreement, Subscrib – focus on data and misrepresentations to data subjects
LIMITATION OF LIABILITY:
Mutual: No consequential damages except for indemnification or gross negligence or willful misconduct. Direct damages capped at fees (multiple and time period TBD) except for indemnification, gross negligence, willful misconduct or breach of confidentiality
Some providers try to cap indemnity exposure
Insurance
Each Party agrees to maintain, at its sole cost and expense, policies of insurance providing coverage for its general and professional liability (and any other coverage as may be applicable) throughout the Term of this Agreement.
Insurance
Service Provider shall, at its own expense, procure and maintain in full force and effect during the term of this Agreement, policies of insurance, of the types and in the minimum amounts as follows, with responsible insurance carriers duly qualified in those states (locations) where the Services are to be performed, covering the operations of Service Provider, pursuant to this Agreement: commercial general liability (CHF 1’000’000 per occurrence, CHF 2’000’000 aggregate); workers’ compensation (statutory limits) and employers’ liability (CHF 500’000 per accident); and, professional liability (CHF 1’000’000 per occurrence, CHF 1’000’000 aggregate). Subscriber shall be named as an additional insured in such policies. The liability policy shall be primary without right of contribution from any insurance by Subscriber. Such policies shall require that Subscriber be given no less than thirty (30) calendar days prior written notice of any cancellation thereof or material change therein. Subscriber shall have the right to request an adjustment of the limits of liability for commercial general liability and professional liability insurance as Service Provider’s exposure to Subscriber increases. Service Provider shall provide Subscriber with certificates of insurance evidencing all of the above coverage, including all special requirements specifically noted above, and shall provide Subscriber with certificates of insurance evidencing renewal or substitution of such insurance thirty (30) calendar days prior to the effective date of such renewal or substitution.
Service Level Agreement (SLA)
Storage / bandwidth / transactions units
Fees per unit, usually tiered
Availability / uptime / maintenance
Server response time
Technical support
Severity levels and response time
Training
Credits / penalties / liquidated damages
Transition
Transition services, if provided, are provided on a time and materials basis.
Escrow – software and related material placed into escrow for Subscriber in the event Service Provider is unable to fulfill obligations
Step-in Rights – Subscriber has right to perform Services itself (or have Services performed by a third party) if Provider is at least temporarily unable to
Reliability, SLAs, Warranties
What Cloud Providers should offer
• Enterprise-grade, financially-backed uptime commitment.
• Adherence to industry standards, best practices and certifications.
• Robust disaster recovery, backup and archiving, and monitoring and management tools.
• Service health information, including planned maintenance.
Customers expect
• Data and services to be available when they need them.
• Tools to build and manage their critical business applications and data.
Liability
What Cloud Providers should offer
• Uncapped IP defense and protection obligation for third party claims, inclusive of CSP’s IP and IP used to deliver the cloud service.
• Similar customer obligation for customer data and third-party IP hosted on the cloud.
• Reasonable mutual liability cap, rationally related to subscription spend.
• Transparency about insurance and risk management program, financial stability.
Customers expect
• Financial responsibility for customer data.
• Often heightened concern about post-breach liability apportionment between parties.
• Insurance commitments by cloud provider.
Resources
http://www.microsoftvolumelicensing.com
http://www.microsoft.com/trustcenter/
http://www.microsoftcloudassurance.com/
http://aka.ms/transparencyhub
http://enterprise.microsoft.com/en-us/customer-stories/