NEGOTIATING SUCCESSFUL IT CONTRACTS IN THE MINING INDUSTRY
Lisa Abe-Oldenburg
November 6, 2014
3rd Global Mining IT & Communication Summit 2014
Introduction
• Software Licensing Top 10 Tips
• Cloud Computing risks and how to avoid them
• IT outsourcing best practices
• Protecting confidential IT and data
Software Licensing Top 10 Tips
1. Do Your Due Diligence
• Reps and warranties are a tool to manage risk after due diligence
2. Be clear about what rights are being licensed and to whom
• Beware of the word "use"
3. Know the Difference Between Exclusive, Sole and Non-Exclusive
• Competition and duties
4. Do Sweat The Small Stuff in the License Grant
• perpetual, non-transferable, non-sublicensable, grant-backs
5. Don’t Blindly Agree to Restrictions on Licensing
• Be careful with limitations on scope, location, copying, confidentiality
6. Beware of Reps & Warranties that look good from afar, but are far from good
• E.g. licensor ownership, third party qualifications, licensor's rights, non-infringement not tied to exercise of license rights, security
7. Do structure compensation strategically
• Create the right incentives for royalties, e.g. minimums, de-escalating, calculation variables, tax exemptions, R&D credits
8. Do Consider Bankruptcy and Insolvency
• Source code and other escrow, survival of license terms beyond termination, security interest, keep services separate, FMV option to purchase
9. Don’t Underestimate the Term & Termination
• Start date, conditions, different, early, causes, remedies, renewals, transitioning, survival
10. Be Choosy About Choice of Law
• Governing law, forum, location, dispute resolution, IP rights, import/export controls, currency exchange
Cloud Computing Risks and How to Avoid Them
• Overview of cloud computing
• Cloud delivery, service and deployment models
• Issue identification
• Risk mitigation
Overview of Cloud Computing
• National Institute of Standards and Technology (NIST) definition, v. 15
• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
• “Surge computing” analogous to electricity providers, where players intra cloud (or in cloud stacks) or inter-cloud, are essentially trading processing and storage capacity. Data, software and servers are able to be moved instantaneously to available computation resources
• Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp. 2d 1006 (N.D. Cal. Jan. 27, 2009) – “Cloud Computing” defined as a software as a service platform for the online delivery of products and services
Cloud Delivery/Service Models
• Software as a Service (SaaS)
  • cloud provider supplies the software
  • user can set limited configuration of the software
• Platform as a Service (PaaS)
  • cloud provider supplies the programming language and tools
  • user selects and controls applications and hosting environments
• Infrastructure as a Service (IaaS)
  • cloud provider manages and controls underlying cloud infrastructure
  • user selects and configures operating systems, storage, applications, networking components (e.g. firewalls, load balancers)
• Cloud service integrators bundle multiple services into a single offering, to appear as a seamless consolidated application
  • E.g. customer relationship and reservations system, e-signature/e-commerce app, payment processing, billing platform, etc.
Deployment Models
• Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
• Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
• Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Issue Identification
• Where is the Cloud and which jurisdictions' laws apply?
• Governing law of the contract governs contractual terms, but still subject to local laws and regulations – cannot contract out of them
• Ownership, control, preservation and return or destruction of data, especially in the cloud – cross-border transfer , eDiscovery and data retention issues
• Risk of asset/data loss, security and privacy breaches more serious in the Cloud
• How and where can you access your data? For compliance, correction, deletion, at end of service, if disaster or insolvency of cloud provider occurs, or for litigation purposes
Issue Identification
• Where is the data??? Both data at rest and data in motion. Cloud is flexible and data (and software) can move easily across borders if the network is big enough – moved around to where storage or processing is more cost effective, efficient or available
• Provider may not have standards, controls or notification process that meet regulatory compliance and guidance requirements applicable to your business
• Watch out for freezing of accounts and no access to data upon termination or breach – data could be deleted (hijacked until fees paid or dispute resolved)
Issue Identification
• Backup and disaster recovery issues – risk and cost shift to the customer
• Risk of copyright infringement if software or systems are being migrated to the cloud – creation of virtual servers or applications could be making a “copy” and require additional license rights and payment of fees
• Ownership complications if cloud used for any development – need to examine applicable copyright law and cloud service agreement
Issue Identification
• Limits on provider's liability may be too low – disclaimers, exclusions, short limitation periods; risk of liability shifts to customer
• What is your recourse if the provider is in breach, or there is a service interruption/outage, errors, damages, loss or disclosure?
• Cloud providers providing public services will not give indemnities and will ask for broad indemnities from the customer – must renegotiate
• Contracts or services in foreign jurisdictions could have problems with local laws, storage, handling of disputes, exports
• Cross-referenced terms must be agreed to in advance of procurement
• Watch out for terms that could be unilaterally amended by service provider, deemed accepted by use
Mitigating Issues with Cloud Computing Agreements
• Due diligence – insist on transparency
• Scope of services, location, data management, logical partitioning
• SLAs – minimums, measurement, periods, frequency, downtimes, connectivity, uptime percentage calculations, review and assessment, reporting, audit, exclusions (customer, 3rd party, etc.)
• Customer responsibilities – data, licenses, compliance, users
• Data issues – cleansing, storage, retrieval, transitioning
• Termination implications, business continuity
• Confidentiality and Security terms, audits – financial, physical, technical, security, controls and standards, compliance
• Liability and disclaimer clauses to be negotiated
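The SLA bullet above lists the things that decide whether an outage actually counts against the provider: the measurement period, how the uptime percentage is calculated, and which exclusions (customer-caused, third-party, scheduled maintenance) are carved out. The following is an added example, not part of the presentation, that works those terms through on a constructed month of outage records. The SLA terms, credit tiers and outage records are all hypothetical, chosen to show how much the exclusion wording alone changes the computed uptime and the resulting service credit.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Outage:
    """One service interruption as recorded by the customer's own monitoring."""
    start: datetime
    end: datetime
    cause: str  # "provider", "scheduled_maintenance", "customer" or "third_party"

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


# Hypothetical SLA terms (assumed for this example, not from any real contract):
#  - measurement period: one calendar month
#  - excluded from downtime: scheduled maintenance, customer-caused, third-party
#  - service credit tiers, checked from worst to best:
#      uptime < 95.0%  -> 50% credit
#      uptime < 99.0%  -> 25% credit
#      uptime < 99.9%  -> 10% credit
EXCLUDED_CAUSES = {"scheduled_maintenance", "customer", "third_party"}
CREDIT_TIERS = [(95.0, 50), (99.0, 25), (99.9, 10)]  # (uptime threshold %, credit %)


def period_minutes(year: int, month: int) -> float:
    """Total minutes in the calendar month used as the SLA measurement period."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), (month % 12) + 1, 1)
    return (end - start).total_seconds() / 60


def counted_downtime(outages, apply_exclusions: bool = True) -> float:
    """Minutes of downtime that count against the provider under the SLA."""
    return sum(
        o.minutes for o in outages
        if not (apply_exclusions and o.cause in EXCLUDED_CAUSES)
    )


def uptime_percent(outages, year: int, month: int, apply_exclusions: bool = True) -> float:
    """Monthly uptime as (period minus counted downtime) / period, in percent."""
    total = period_minutes(year, month)
    return 100.0 * (total - counted_downtime(outages, apply_exclusions)) / total


def service_credit_percent(uptime: float) -> int:
    """Credit owed for a given uptime under the assumed tier table (0 if none)."""
    for threshold, credit in CREDIT_TIERS:
        if uptime < threshold:
            return credit
    return 0


def evaluate(outages, year: int, month: int) -> dict:
    """Compare the outcome with and without the SLA's exclusion carve-outs."""
    result = {}
    for label, excl in (("with_exclusions", True), ("without_exclusions", False)):
        up = uptime_percent(outages, year, month, excl)
        result[label] = {"uptime": round(up, 4), "credit": service_credit_percent(up)}
    return result


# Constructed sample month (November 2014, 43,200 minutes). Not real incident data.
SAMPLE_OUTAGES = [
    Outage(datetime(2014, 11, 3, 2, 0), datetime(2014, 11, 3, 10, 0), "scheduled_maintenance"),  # 480 min
    Outage(datetime(2014, 11, 10, 14, 0), datetime(2014, 11, 10, 14, 50), "provider"),          # 50 min
    Outage(datetime(2014, 11, 18, 9, 0), datetime(2014, 11, 18, 9, 30), "customer"),            # 30 min
    Outage(datetime(2014, 11, 25, 22, 0), datetime(2014, 11, 25, 22, 10), "provider"),          # 10 min
]

if __name__ == "__main__":
    for label, r in evaluate(SAMPLE_OUTAGES, 2014, 11).items():
        print(f"{label}: uptime {r['uptime']}%  credit {r['credit']}%")
```

On the constructed data only 60 of the 570 outage minutes count once the exclusions apply, so the same month yields 99.86% uptime and a 10% credit under one reading and 98.68% uptime and a 25% credit under the other. That gap is the negotiating point: the exclusion list and the calculation method deserve as much attention as the headline uptime percentage, and the customer needs its own outage records to audit the provider's figures.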
Risk Mitigation
• Maintain control over critical data or services and access to them
• Consider choosing a private cloud or community cloud with services within the province
• Revise employee technology policies to ensure BYOD doesn't translate into BYOC – ensure employees are trained on the risks of cloud computing and not using publicly available free services for work related matters, e.g. conference calls, gmail, contact list management, slide sharing, web-based presentations
IT Outsourcing Best Practices
• In-scope, out of scope, critical operations, SLAs, dependencies
• Hardware, software, data, infrastructure, websites, R&D, testing, maintenance, backup, disaster recovery, business continuity, transitioning
• Change management – regulatory, business operations, disputes
• Governance – committees (Executive, Project), key persons, reporting, meeting, voting, dispute resolution
• Ownership of IT, IP, prior and new, data and licensing
• Remedies for default, minor vs. material
• Representations, warranties and indemnities
• Term and termination, survival of obligations and rights
• Renewal terms – automatic or not, notice periods, term, COLA clauses
Allocating Risk and Minimizing Liability
• Defining "Losses" becomes important
  • All damages including internal costs
  • Just those resulting from third party claims
  • Legal fees and disbursements
  • Costs of investigation, audit
• Security breaches, third party hacking, theft
• Standards of care and responsibilities
• Representations and warranties as to compliance and security
• Breach disclosure obligations – to parties, regulators, public?
• Caps on liability and exclusions, e.g. for privacy, confidentiality and security breaches
• Who is best able to mitigate risk?
Revenue Structures
• Basis for calculating fees and payment terms
• For services, products, data transfer, backup, disaster recovery, updates and upgrades, licenses (royalties)
• Fees and rates
  • fixed
  • variable
  • unit of measure (time, output/input)
• Transition services
• Pass-through costs
• Set-offs (e.g. credits, third party fees)
• Timing of payments – deliverables, testing, deployment
Revenue Structures
• Adjustments, e.g. cost-of-living and inflation escalators, consumer price indices
• Credits (remedies for breaches or failures in performance) – Sole and exclusive remedy? Liquidated damages? Triggers? Caps? Applied against specific service/SOW or entire agreement?
• Taxes
• Invoicing – frequency, interest, currency
• Reporting, officers' certificates (MFN) and audit – restrictions
Protecting Confidential IT and Data
• Prevention of competition, leakage of trade secrets, ideas and know-how
  • non-competition covenants
  • non-solicitation covenants
  • Employment and subcontractor contracts
  • NDAs
• Which way does the confidential information flow?
• Define "Confidential Information" – scope of protection
• Exclusion examples:
  • Information independently developed
  • Information licensed from third parties
  • Publicly available information without breach
Protecting Confidential IT and Data
• Obligations:
  • non-disclosure – other party’s confidential info
  • security/retention
  • technologically isolate customer data and records at all times
  • location of records and data storage
  • return/destruction
  • exclusions, e.g. permitted disclosures
  • notification and mitigation of breaches (potential or actual)
  • term for each obligation
  • liability for losses if security breach
  • injunctive remedies
Practical Tips
• Limit disclosure only to those persons who have a “need to know”, establish "clean rooms"
• Disclosure of confidential information to any third party, e.g. an outsourced service provider, may be prohibited under certain software licenses
• Security standards, controls, audits – SOX, technical, systems and compliance
• Confidentiality obligations to survive for so long as information remains confidential or trade secret
Questions?
Lisa K. Abe-Oldenburg, B.Comm., J.D.
Tel.: 1-416-777-7475
www.bennettjones.com
• This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.