Drafting Software Hosting Agreements: Service
Availability, Performance, Data Security, and Other
Key Provisions From U.S. and European Perspectives
Presenting a live 90-minute webinar with interactive Q&A
THURSDAY, JULY 25, 2019
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Laura Berton, Partner, Fieldfisher, Palo Alto, Calif.
Kristie D. Prinz, Principal, The Prinz Law Office, Palo Alto, Calif.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-961-8499 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can address
the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 2.
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a
PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
© 2018-9 The Prinz Law Office and Fieldfisher LLP.
A US/European perspective on
DRAFTING SOFTWARE HOSTING AGREEMENTS
(Service Availability, Performance, Data Security, Other Key Provisions)
Laura Berton, Fieldfisher, Silicon Valley, CA
Kristie D. Prinz, The Prinz Law Office, Silicon Valley, CA
The Prinz Law Office Silicon Valley
T: +1 (408) 884-3577 | E: [email protected]
Kristie Prinz is a California-licensed software, digital health, technology transactions, and IP attorney in Silicon Valley. For more than 20 years, her practice has focused on providing technical & IP focused business transactions advice to early stage start-ups and mid-market companies in the software, SaaS, technology, and digital health industries. She regularly advises both U.S. based and international companies.
Kristie is the author of the Silicon Valley Software Law Blog and a frequent speaker on software, SaaS, technology & IP transactions issues. She graduated from Vanderbilt Law School and is also licensed to practice law in the state of Georgia.
Fieldfisher Silicon Valley
Laura Berton is a European IP & Tech transactions lawyer based full-time in Silicon Valley. Over the past 15 years she has represented a wide array of companies in complex business transactions, innovative technology licensing and other technology-related contracts such as outsourcing, Cloud, SaaS, software development, digital, e-commerce and data protection.
She also often works with GCs helping them navigate their move into new jurisdictions, smoothing the expansion process and adaptation to local legal practices. She has extensive experience of coordinating and managing foreign counsel and advising on multi-jurisdiction IP and technology projects. Laura is also the transatlantic "Brexit" lead for Fieldfisher in Silicon Valley advising US clients on the commercial and legal consequences of the exit of the United Kingdom from the European Union. Laura has also been named a “rising star” in IP in Super Lawyers.
T: +1 (650) 276 6039 | E: [email protected]
US vs EU – Quick compare and contrast
• United States of America
– Federal Republic
– 50 states
– 1 common language (for the most part)
– Federal (US-wide) and state laws
• European Union
– Economic and political union
– 28 member states
– 24 official languages
– Regulations (EU-wide), Directives (EU-wide + national implementation) and national laws
French Law Tips
French contract law reform 2016:
Negotiate in good faith
Duty of confidentiality
Behave ethically
Duty to inform
Software Hosting Models
1. Software licensor offers optional in-house hosting as a separate service to
software licensees
2. Software licensor resells or outsources hosting to software licensees
3. Software licensee outsources hosting to third party host
4. SaaS provider includes hosting as part of bundled SaaS service package
Comparing & Contrasting Hosting Models
1. Hosting in case of Software License
a) Customer has procured intellectual property rights in the software,
typically to download, install, and use the software on local hardware
in accordance with the terms of a defined license.
b) Customer has options:
• can self-host the software
• can outsource the hosting of the software
• can procure hosting through the provider and make hosting
changes at any time.
Comparing & Contrasting Hosting Models
2. Hosting in case of SaaS contract:
a) Customer has procured no intellectual property rights in the software itself
but only has procured rights to access and use the software through the
platform.
b) Customer is captive to the platform. If customer is unhappy with hosting,
customer will require an entirely new solution.
c) In Silicon Valley, not unusual to see SaaS providers relying on hosting
relationships where there is either no hosting agreement or a very
inadequate hosting agreement.
Focus of Presentation
1. For the purposes of this presentation, we will assume the scenario of an
outsourced or third party host providing services to a software licensee.
2. However, many of the same issues will exist in the case of:
a) Software licensor offering optional in-house hosting as a separate service
to software licensees.
b) SaaS provider including hosting as part of a bundled service package.
Contract structure
Difference between IT contracts and other contracts: Length and importance of schedules
Main body of the contract:
Scope of services
Warranties/obligations
Project Management
IPR
Charges
Liability
Indemnities
Rights and Remedies
Term and termination
Usual boilerplates
Contract structure
Schedules:
Service Levels
Project plan
Software and specifications
Charges (depending on complexity level)
Change control procedure
Acceptance tests and process
Data Privacy: processing, personal data and data subjects
Host’s network and information systems security
Exit
Contract structure
Diagram (recovered labels): Service Description; Service Level; Service Guarantees; Legal rights / Enforcements; Governance; Monitoring & Control; Practical Remedies; Budgeting
How to negotiate?
What happens when you enter into a contract?
Negotiating Key Terms - Scope of services
In addition to hosting, what services are provided?
Security
What does the supplier offer?
Legal requirements re the content of the data?
Maintenance
Helpdesk
Disaster Recovery
Statistics
Service Levels:
Defined response time and remedy time (in the correct time zone)
Uptime requirements
o Availability
o Scheduled maintenance v Unscheduled maintenance
Negotiating Key Terms - Implementation
1. Discuss and set expectations about the implementation process in order to
avoid future disputes
a) Host and customer responsibilities and deadlines for completion;
b) Interdependencies with other suppliers (and how they should work together),
and any consequences (impact on costs, timetable etc.) for failure to meet
the defined responsibilities.
c) Implementation schedule with specific dates for each milestone,
and consequences for failure to comply (e.g. Liquidated damages,
termination rights etc.)
Penalties v Liquidated damages
Negotiating Key Terms - Implementation
d) Define successful completion (or acceptance) of each milestone, including
any testing required and testing process;
customer approval process or deemed acceptance after time-lapse;
how acceptance is to be communicated and recorded.
e) Fees due throughout implementation process and during the term of the
agreement.
Some payments may be linked to milestones completion;
Consider early payment and termination
Consider investment costs and when these are recouped (e.g. set-up
fees may be waived if customer commits for a minimum term).
Consider additional costs caused by delay, change of laws etc. and
which party should bear those.
Negotiating Key Terms/Implementation
2. Ensuring customer provides:
a) Verification of specific license rights granted to licensee
b) Verification of software licensor’s recommended hardware and operating specifications
c) Verification of technical support service and maintenance services to be provided contractually by licensor to licensee
Access Rights
Require customers and users with access to the platform to comply with the host’s
Acceptable Use Policy (“AUP”)
1. AUP will define a code of conduct and any parameters for use of the host
platform
2. Host will want to carefully define
a) any consequences to the customer or users for violations of the AUP
such as suspension of individual users from platform
b) when a particular violation rises to level of a material breach and if
termination is possible for repeated but non material breaches.
c) Consider that different countries will have different unlawful
practices (e.g. unlawful activities, free speech v incitement to hatred,
data privacy etc.)
Ownership
1. Discuss and set out who owns rights in the software and the data inputted.
2. Discuss and agree IP ownership of any new copyright materials (if applicable)
3. Define and procure customer consent to any potential use of the data if necessary
(e.g. data mining)
4. Ensure that the above is reflected appropriately in warranties, assignments, licences
and indemnities.
European copyright laws are not exactly the same as US copyright laws so
spell out what you want and agree rather than relying on implied terms.
Fees and Payment Terms
No “one size fits all” structure:
1. Ensure a flexible fee structure that permits billing:
on a bandwidth basis for hosting (with the possibility to increase or decrease
usage); and
hourly rate basis for services like implementation and technical support
(include rate card and expense policy)
2. Discuss and agree what the fees are based on:
time commitment (i.e. length of contract),
minimum spend or growth etc.
if so consider impact of early termination or renewal on price
3. Define clear fee and payment terms (in order to minimize risk of future
disputes) and use worked examples and NOT just a formula if the calculation
is complex (and test the formula yourself).
Fees and Payment Terms
4. Anticipate and define process for implementing future fee increases or discounts
when using new technologies.
5. Define when and how fees will be invoiced and due. For set-up, link fees to
milestone completion.
6. Define consequences of late payments for each type of fee (e.g. interest
charges, suspension of access or termination).
In the UK consider Late Payment Act.
7. Consider if set off (vs service credits or liquidated damages) or withholding
rights are appropriate.
Warranties
Contract terms can be a condition, a warranty or a so-called intermediate term. Each may have a different impact on the remedies available to the non-defaulting party for their breach.
Breach of condition: the non-defaulting party can terminate the contract and claim damages (or affirm the contract), irrespective of the nature or consequences of the breach, i.e. even with little loss or damage by reason of the breach.
Breach of warranty: the non-defaulting party can only claim damages (cannot terminate the contract).
Breach of intermediate term: the remedy will depend on the consequences of the breach.
Warranties
1. Agree performance expectations, e.g.
“Host warrants that the services will be performed in a professional, workmanlike manner in accordance with generally accepted industry standards.”
OR
“Best Industry Practice” defined as “the exercise of that degree of professionalism, skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a highly skilled and experienced person or an internationally recognized supplier engaged in the same type of activity under the same or similar circumstances”
2. Ensure that you frame your warranties correctly, i.e. for the Services provided, and refrain from agreeing to warranties outside the scope of hosting services that go to performance of software
Warranties
3. Consider IPR warranties on each side: “[x] warrants that the IPRs in [the services/software] do not infringe any third party's IPRs” – and the appropriate remedy for breach of such warranties.
4. Consider whether obligations in relation to servers/hosting are necessary and what these should be, e.g. operate according to documentation (to be reviewed in detail and validated by the IT team) and any other specifications
5. Require a customer warranty regarding the performance of obligations under the contract, such as the obligation of customer and users to comply with the Acceptable Use Policy
6. Carefully define the remedy in the event of any breach of warranty:
Would such remedy be the customer’s sole remedy? E.g. claim for damages or termination
Would the remedy be to re-perform the service, replace a product (if applicable) or pay a refund?
How does it interact with Service Levels?
Limits on Liability
There is no standard limit of liability, consider:
a) Actual risk and potential loss on both sides
b) Who controls and can effectively manage or reduce these risks.
c) The fees paid/payable for the services but also how essential the
software is for your business.
d) Insurance available.
Consider the actual consequences of a breach and your plan B in the various
scenarios (e.g. software unavailable for 1 h, 24 h or longer, or if data is lost,
whether it is customer facing, or key software etc.)
Limits on Liability
Often, the host’s liability will be capped at a multiple of fees paid or payable
(e.g. [x] months’ fees paid)
Seek unlimited liability (or super caps) for some violations such as IP
infringement, AUP, Confidentiality and Data Privacy/Data Security.
Consider which losses should be excluded
Specifically set out recoverable losses (to avoid the direct and indirect loss
debate), e.g. replacement provider, management time, procurement costs etc.
List all damages that you would expect and agree to recover.
French Law Tips
Under French contract law, only damages that are direct and foreseeable at the time of the
conclusion of the contract can be recovered.
French direct damages exclude indirect, special, incidental and punitive damages.
Therefore, in a French contract, there is no need to specifically exclude or limit these damages.
Similarly, they cannot be included in a contract.
However, it is necessary to expressly exclude loss of profits, income, revenue etc.
German Law Tips
Forget US limitation of liability language
Liability for gross negligence cannot be excluded or limited, and liability for slight
negligence can only be limited to typical and foreseeable damages in the case of a violation
of material contractual duties
Liability for intent (“Vorsatz”) can never be excluded in a
German contract
A US clause that is void is worth less than a valid EU clause
Indemnification Obligations
1. Ensure that any indemnifications are specific to what you are able to control, i.e. IP, Data Privacy, Confidentiality, violations of the AUP, misappropriation of trade secrets, but not for all breaches of contract.
2. Consider whether to indemnify only in relation to third party claims or not, and also for claims arising from employee acts and omissions.
“Host agrees to indemnify, defend, and hold harmless customer for any loss, liability, damage, award, judgement, or expense arising from any [third party] claim arising from [an employee act or omission] including reasonable legal costs”
3. Define conditions of the indemnification, whether parties have a duty to mitigate their losses and whether the indemnification is capped.
“[x] shall promptly notify [x] in writing of the existence of the potential claim for indemnification, grant [x] the right to control the defense of all such claims, and shall fully cooperate in the defense.”
4. Limit indemnifications to the scope of available insurance coverage
Insurance
1. Anticipate insurance requirements and procure insurance in advance of
commencing negotiations
a) Buy what is affordable and if a customer demands more than is
maintained, require customer to absorb costs of additional insurance.
b) Consider which risks are worth insuring through the host or the customer.
c) Refrain from agreeing to maintain insurance that is not already in place.
2. Ensure insurance is flowed down to any contractor or outsourced service
provider.
3. If a customer insists on additional insurance beyond these parameters and it is
agreed to, address in the contract the fact that contractors or outsourced
service providers will not already have the additional insurance, and seek
their exclusion from the requirement
Service Level Agreement (“SLA”)
Overview
Parties to agree service levels necessary to meet customer’s needs, since
service level delivery is critical to use of hosted software
Sets expectations regarding the level of service host can provide as a normal
service and possibly what is possible as a “platinum service”
Preserves customer relationship by providing process for compensating
services failures without the necessity of treating them as material breach
Host will usually prefer to refrain from including responsiveness or performance guaranties about service and will want the focus to be only on uptime and technical support, whereas customer will want more thorough service levels.
Service Level Agreement (“SLA”)
1. Distinguish responsiveness from resolution.
2. Agree categorization of problem levels (e.g., critical, important, minor).
3. Performance (speed, bandwidth)
4. Uptime Guaranty
a) Host shall maintain an uptime service level of X% measured monthly
b) Consider what exclusions to the uptime guaranty should be negotiated (e.g.
scheduled maintenance, notice periods for maintenance, business hours
in which countries)
Service Level Agreement (“SLA”)
5. Consider whether the host can provide this service level on its own or depends on a third
party:
Is the service outsourced to a third party host?
If so, what does the SLA with the third party host look like? And who is
responsible for failures?
Is the guaranty realistic (i.e. if the host is outsourced, do due diligence and
the contract with that host ensure that it can actually meet the terms
proposed)?
Service Level Agreement (“SLA”)
6. Technical Support Responses
a) Consider whether response times should be treated as a goal or a
requirement, or a commitment v an endeavor
b) Set manageable technical support expectations
c) Control the assignment of urgency level
d) Carefully define any First Tier Support/Second Tier Support issues to limit
support responsibility only to hosting and not to support issues outside the
scope of hosting services
Service Level Credits
Sample Clause: In the event that Host fails to meet the service level guaranty in any term or applicable renewal period, Customer will be entitled to a credit in the amount of $X applied to the applicable renewal period.
a) Consider whether any service credit provided is clearly defined and easy to
apply
b) Address whether the payment of a service credit is an acknowledgement that
a material breach occurred or the sole remedy if a service failure arises
c) Are there consequences for multiple service credits during a term?
d) In addition to the formula for calculating service credits add an example of the
calculation to make sure that it works
e) Should there be a limit to the amount of service credits payable?
f) Can the service credit be deducted from fees? If so, when can it be
deducted?
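Points 4(a)–(b) of the SLA slides (uptime measured monthly, with scheduled maintenance excluded) and item d) above (attach a worked calculation beside the credit formula) are illustrated by the following added example. It is not code from the presentation or from either firm; the sample month, outage records, credit tiers, fee and credit cap are all constructed assumptions.

```python
"""Worked SLA calculation: monthly availability with a scheduled-maintenance
exclusion, and the service credit a tiered credit schedule would produce.
Every figure here (month, outages, tiers, fee, cap) is a constructed
assumption for illustration, not a term from any real hosting agreement."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MINUTE = timedelta(minutes=1)


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime              # exclusive
    scheduled: bool = False    # True: maintenance announced with the agreed notice


# Assumed credit schedule: (availability floor in %, credit as % of monthly fee).
# The first tier whose floor is met applies; meeting the 99.9% guaranty earns nothing.
CREDIT_TIERS = [(99.9, 0.0), (99.0, 10.0), (95.0, 25.0), (0.0, 50.0)]
CREDIT_CAP_PCT = 50.0   # assumed ceiling on credits in any one month


def _minute_offsets(period_start, period_end, outage):
    """Set of whole-minute offsets from period_start covered by the outage,
    clipped to the measurement period. Resolution is one minute; partial
    minutes at the edges are truncated (an assumption of this example)."""
    s = max(outage.start, period_start)
    e = min(outage.end, period_end)
    if e <= s:
        return set()
    first = int((s - period_start) / MINUTE)
    last = int((e - period_start) / MINUTE)
    return set(range(first, last))


def chargeable_downtime_minutes(period_start, period_end, outages, exclude_scheduled=True):
    """Downtime that counts against the guaranty. With the exclusion, minutes
    inside a scheduled window are not chargeable even if an unscheduled
    outage overlaps them; without it, every outage minute counts once."""
    unscheduled, scheduled = set(), set()
    for o in outages:
        bucket = scheduled if o.scheduled else unscheduled
        bucket.update(_minute_offsets(period_start, period_end, o))
    if exclude_scheduled:
        return len(unscheduled - scheduled)
    return len(unscheduled | scheduled)


def availability_pct(period_start, period_end, outages, exclude_scheduled=True):
    """Availability = (minutes in period - chargeable downtime) / minutes in period."""
    total = int((period_end - period_start) / MINUTE)
    down = chargeable_downtime_minutes(period_start, period_end, outages, exclude_scheduled)
    return 100.0 * (total - down) / total


def credit_pct(availability):
    """Credit percentage for the highest tier whose floor the availability meets."""
    for floor, pct in CREDIT_TIERS:
        if availability >= floor:
            return pct
    return CREDIT_TIERS[-1][1]


def service_credit(availability, monthly_fee):
    """Credit in money terms, after applying the monthly cap."""
    pct = min(credit_pct(availability), CREDIT_CAP_PCT)
    return round(monthly_fee * pct / 100.0, 2)


# Constructed sample month: July 2019, one scheduled window and three outages,
# one overlapping the scheduled window and one running past the month end.
SAMPLE_START = datetime(2019, 7, 1)
SAMPLE_END = datetime(2019, 8, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2019, 7, 7, 2, 0), datetime(2019, 7, 7, 4, 0), scheduled=True),
    Outage(datetime(2019, 7, 7, 3, 30), datetime(2019, 7, 7, 5, 0)),   # 30 min inside maintenance
    Outage(datetime(2019, 7, 20, 10, 0), datetime(2019, 7, 20, 14, 0)),
    Outage(datetime(2019, 7, 31, 23, 0), datetime(2019, 8, 1, 1, 0)),  # clipped to 60 min
]
SAMPLE_MONTHLY_FEE = 10_000.00


def worked_example():
    """The example calculation a drafter would attach beside the formula."""
    avail = availability_pct(SAMPLE_START, SAMPLE_END, SAMPLE_OUTAGES)
    return {
        "chargeable_minutes": chargeable_downtime_minutes(SAMPLE_START, SAMPLE_END, SAMPLE_OUTAGES),
        "availability_pct": round(avail, 4),
        "credit": service_credit(avail, SAMPLE_MONTHLY_FEE),
    }


if __name__ == "__main__":
    print(worked_example())
```

Running the same data with `exclude_scheduled=False` shows how much of the credit turns on the maintenance exclusion alone, which is the negotiation point the slide raises.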
Confidentiality
1. Agree the commencement and end of confidentiality obligations and what constitutes
confidential information.
2. Consider exceptions to such confidentiality obligation (e.g. use of any outside
contractors for any service such as hosting, disaster recovery, etc.) and define how
exceptions will be handled.
3. Consider remedies such as specific performance (injunction) in case of breach, as damages
do not always constitute an adequate remedy.
4. If there is any possibility of personal health information (PHI) being uploaded to the host platform,
ensure that the host has met its obligation under HIPAA to enter into a business associate
agreement with the customer.
5. Overlap with Trade Secrets and Data Privacy
Data Privacy
US v EU
US Data Protection
• The tech industry has lobbied in the past year for data privacy legislation to be passed in Congress, but no action has yet been taken. Proponents of a federal bill seek pre-emption of state privacy laws, specifically the California Consumer Privacy Act, which was passed by California in 2018.
• The absence of federal data privacy legislation has not prevented federal regulation on data privacy. The Federal Trade Commission (“FTC”) has been aggressively regulating software and technology companies on data protection issues. The FTC has deemed that failure to protect data is an:
• Unfair or deceptive act or practice in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
• Violation of the Safeguards Rule of Section 509(3)(A) of the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6809(3)(A), where the company is in the business of providing software or software services that include any financial or accounting functionality.
California Privacy Protection
• California is the first state to pass its own comprehensive data privacy legislation. At least 15 other states are currently considering data privacy bills.
• California Consumer Privacy Act (“CCPA”) is set to go into effect on January 1, 2020
• The law applies to for-profit entities “doing business” in California that either:
a) Have a gross annual revenue in excess of $25 million;
b) Annually buy, receive for commercial purposes, sell or share for commercial purposes, personal information of 50,000 or more California consumers, households or devices; or
c) Derive 50% or more of annual revenues from selling California consumers’ personal information.
• It also applies to any businesses that:
a) Control, or are controlled by, a for-profit entity meeting the above definition, or
b) Share common branding with a for-profit entity meeting the above definition.
California Privacy Principles
Principles Recognized by the CCPA:
• The right of Californians to know what personal information is being collected about them.
• The right of Californians to know whether their personal information is sold or disclosed and to whom.
• The right of Californians to say no to the sale of personal information.
• The right of Californians to access their personal information.
• The right of Californians to equal service and price, even if they exercise their privacy rights.
European Data Protection Principles
Principles from previous law:
Lawful, fair and transparent (tell people how you will use their data)
Purpose limitation (only use data for specified purposes)
Data minimisation (only collect the data you need for specific purposes)
Accuracy (keep data accurate and up to date)
Storage limitation (only keep data for as long as you need it for the specified
purpose)
Integrity and confidentiality (keep it secure)
New principles of accountability, privacy by design & privacy by default
What is data processing?
Processing of personal data means:
Any operation or set of operations which is performed upon personal data
Whether or not by automatic means
Including: collection, recording, organization, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, blocking, erasure or destruction
Any use of personal data is potentially considered a processing operation.
What is personal data?
• Any information relating to a directly or indirectly identifiable individual (the “data
subject”)
• Includes obviously personal data – e.g. name, contact details, identification number,
etc.
• Also less obviously personal data – e.g. IP addresses, cookies etc. and generally any
information specific to a person’s physical, physiological, mental, economic, cultural
or social identity.
• It is a subjective test and therefore the definition of personal data is very broad
• Differs from Personally Identifiable Information (PII) in the US which only deals
with data that actually identifies a person as compared with data that is
identifiable, e.g. in Europe location data or online identifiers like web tracking tools
would be classified as Personal Data, whereas in the US such information is not
considered personal information.
Security
Implement “appropriate” technical and organizational security measures and set
expectations about:
Physical security of the hardware and storage of data
Level and type of encryption
State of the art security measures
Costs of implementation
Risk (vulnerabilities, to data subjects etc.)
Include obligations to report breaches immediately, comply with applicable state data
breach laws
Consider whether customer audit rights are appropriate and necessary
(depending on platform and infrastructure)
Consider asking (beyond the contractual warranties) for the host’s CEO to each year
warrant the security of the system.
Security
Set customer expectations about the purging of data after relationship ends
Agree a plan in case of security breach or attempted security breach
Back up and Disaster Recovery
Set customer expectations about standard backup and storage
practices and procedures
Reassure customer that host has a well-defined and sufficient disaster
recovery plan in place that will allow fast recovery in a disaster
Establish timetable for the recovery implementation
US Data Security
• In U.S., SOC 2 compliance has become minimum industry requirement for a service provider
• SOC 2 certification was developed by the American Institute of CPAs (AICPA) and established criteria for managing customer data based on five “trust service principles”:
1. Security: Network/application firewalls, Two-factor Authentication, Intrusion detection
2. Availability: Performance monitoring, Disaster recovery, Security incident handling
3. Processing Integrity: Quality assurance, Processing monitoring
4. Confidentiality: Encryption, Access Controls, Network application firewalls
5. Privacy: Access control, Two-factor authentication, Encryption
• SOC 2 certification is issued by outside auditors, as an assessment of the service provider’s degree of compliance with the trust service principles
US Data Security
• At the federal level, the FTC has articulated through a series of enforcement actions a set of minimum data security requirements to comply with Section 5(a) of the Federal Trade Commission Act; it has also published a guide for businesses: Start with Security: Lessons Learned from FTC Cases
• Protection of Electronic Personal Health Information (“PHI”) is subject to the national data security standards established by the HIPAA Security Rule located at 45 CFR Part 160 and Subparts A and C of Part 164
• HIPAA Security Risk Assessment Tool has been developed jointly by the Office of the National Coordinator for Health Information Technology (“ONC”) and the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”)
• National Institute of Standards and Technology (“NIST”) HIPAA Security Rule Toolkit
• Protection of customer information by a business deemed to be a “financial institution” is subject to the national data security standards established by the Safeguards Rule located at 16 CFR Part 314
European Data Security
The NIS Directive has potential impact on:
any operator of essential services (“OES”) in businesses that rely on IT systems in the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure; and
on certain providers of online marketplaces, online search engines and cloud computing services (Digital Service Providers (“DSPs”)).
EU customers who are OESs or DSPs must ensure that their host complies with security and incident-reporting obligations under national legislation.
Term and Termination
1. Term and Termination
Consider set up length v. commitment for the BAU services
Longer term v automatic renewal (impact on pricing)
Suspension:
Define reasons why customer would be suspended and the process for suspension
Define process for resuming services
If customer decides to transition off the platform during a suspension, define how that will work
Set customer expectations for how long after suspension data will be purged from host platform
Term and Termination
Termination: Who can terminate and why?
Termination for which breaches?
Is the host allowed to terminate for convenience?
When would the customer be allowed to terminate for convenience, and will an early termination payment be necessary?
Length of notice required.
Event of Business Closure or Bankruptcy of Host
Set customer expectations about notification of any change with the business and the continued availability of transitioning services
Define process for cessation of hosting services and timetable for purging of data
Consequences of Termination
2. Consequences of Termination
Deletion of data or transfer of data? In what format will the transitioned data be provided?
Are transitioning services made available, and if so, for how long after termination?
Scope and fees of transitioning services available to customer.
Will a new provider need to be involved in the process, and what requirements will be made on the new provider and on the exiting provider?
Thank you and questions