
A Legal Guide To TECHNOLOGY TRANSACTIONS A COVID-19 Update

2020

A Collaborative Effort

Minnesota Department of Employment and Economic Development

Lathrop GPM

A Legal Guide To TECHNOLOGY TRANSACTIONS: A COVID-19 Update 2020 is available for viewing and download from the Minnesota Department of Employment and Economic Development (DEED), Small Business Assistance Office.

Office address: 180 East 5th Street, 12th Floor, St. Paul, MN 55101-1678
Telephone: 651-556-8425 or 800-310-8323
Fax: 651-296-5287
Email: deed.mnsbao@state.mn.us
Website: Small Business Assistance Office

This guide is also available from Lathrop GPM, 500 IDS Center, 80 South Eighth Street, Minneapolis, MN 55402
Telephone: 612-632-3000
Website: Lathrop GPM

Upon request, this publication can be made available in alternative formats by contacting 651-259-7476.

The Minnesota Department of Employment and Economic Development (DEED) is an equal opportunity employer and service provider.


Primary Author: Michael R. Cohen CIPP/US, CIPP/E


Copyright © 2020 Minnesota Department of Employment and Economic Development and Gray Plant Mooty

ISBN 1-888404-82-4

TABLE OF CONTENTS

Preface
Disclaimer
Introduction
Case Study: An ERP System Gone Bad
Use Detailed Specifications and RFP/Proposal for Vendor Selection
Perform Acceptance Testing
Include Appropriate Express Warranties
Negotiate Relevant Delivery Schedules/Milestones
Negotiate Progressive Payment Schedule
Be Cautious with First to Try - Alpha/Beta Test
Consider Responsibilities for System Replacement and Conversion
Define Disaster Recovery Process, Policy, and Procedures
Identify Key Personnel
Understand Use of Hosting, Subscription Services, Application Service Provider (ASP), Software As A Service (SAAS) and the Cloud
The Internet of Things (IOT) and Artificial Intelligence (AI)
Consider Issues of Confidentiality/Data Privacy/Security
Blockchain Technology and Cryptocurrency
Assure Sufficiency of Scope of Use
Cover Intellectual Property Rights, Ownership, and Protection
Allocate Risks Through Indemnification
Assure Sufficiency of Use of Third Party Software and Open Source
Understand the Impact of Bankruptcy on Source Code
Negotiate Remedies
Specify Term and Termination
Determine Limitation of Liabilities
Be Aware of Export Control
Identify Jurisdiction and Venue
Consider Taxes
Determine Whether to Lease or Purchase
Review Insurance
Comply with the Uniform Computer Information Transactions Act
Negotiate Maintenance and Support
Consider Unique Issues for Franchised or Fragmented Business Systems
Comply with Laws and Regulations - Special Considerations for Healthcare Related Businesses
Recognize the Types of Technology Related Agreements
Don’t Treat the Contract as an Afterthought


PREFACE

The acquisition of information technology is a major event for any business since it affects operations, management, and ultimate profitability throughout the business’ supply chains and production processes. The issues associated with such an acquisition can be complicated and complex and should not be left to chance but instead addressed directly in any contracting for the information technology. Lathrop GPM and the Small Business Assistance Office are pleased to present this brief primer on the subject to better enable businesses considering information technology acquisition to frame up their questions and issues for their own staff, for technology suppliers, and for consultants and attorneys who will be involved in the contracting, acquisition, and use of the technology.

A special note of thanks to Lathrop GPM lawyer Michael Cohen for preparing these materials.

Charles A. Schaffer
Director, Small Business Assistance Office
Minnesota Department of Employment & Economic Development

2020


DISCLAIMER

This Guide is designed to alert businesses to legal issues which commonly arise when acquiring technology. It should only be used as a guide and not as a definitive source to answer your legal or business questions. The materials in this Guide are intended to provide general information and should not be relied upon for specific legal advice. Legal and other professional counsel should be consulted. Lathrop GPM and the Small Business Assistance Office cannot and do not assume responsibility for decisions based upon the information provided in this Guide.


INTRODUCTION

The Coronavirus (COVID-19) outbreak has required businesses to develop contingency plans to handle the disruptions it has caused and will continue to cause. The devastating impact of the COVID-19 pandemic has included a profound movement of businesses to create flexible digital workplaces, remote working, and e-commerce platforms to help employees better serve customers, distribute products, and ensure business continuity. Maintaining supply chain resilience has become vital to business success. Businesses would be wise to leverage platforms that offer applied analytics, artificial intelligence and machine learning to maximize efficiency while still ensuring end-to-end transparency. Cybersecurity and privacy, new regulatory obligations, business continuity planning, and related issues must now be a focus of any technology transaction. While businesses move quickly to adapt to the structural changes brought on by the pandemic, they must still consider how such changes will be implemented and whether they will remain in effect once the virus has been defeated. The expansion of remote workplaces also increases exposure to cyber-attacks such as phishing and other efforts by attackers to gain access to valuable information. Businesses must establish clear rules and guidance for those working remotely, including a virtual private network (VPN) for network access, multi-factor authentication (MFA), mobile device management for connected devices, encryption where possible and feasible, regular patching of software, and limiting access on a need-to-know basis.

When looking at various technology solutions, a business should remain mindful of the legal issues that are common in technology related agreements. While many of the suggestions in this Guide assume that time to plan and test is available, we recognize that the COVID-19 pandemic has forced some prompt decision-making without the luxury of time or planning. Hopefully this Guide will still offer tips and guidance to those looking at the requisite technology agreements.

In the words of Aristotle -

“How many disputes could have been deflated into a single paragraph if the disputants had dared to define their terms?”

Information Technology - A Key Asset

Few businesses or organizations can survive today without efficient and effective information technology, and a business disruption caused by a pandemic, failed system or a data breach can be devastating. From basic word processing to sales force automation and electronic health records, financial reporting, product manufacturing and delivery, the use of technology to receive, store, manage, record and transmit information has become essential to virtually every business and organizational activity. The increasing use of mobile applications, cloud based technologies, connected devices and the internet of things, artificial intelligence, and the rapidly increasing data breach rates have added new issues to consider when managing personal and business information.


The use of blockchain and cryptocurrency in sales and supply channels has added new benefits and complexities to the use of technology in contracting. So-called “smart contracts” allow transactions between two parties to be executed by computer, buying, selling, and supplying products without any human intervention. Whether a hospital or clinic providing mission critical patient care, a franchisor or franchisee operating sub shops, or a designer, importer and distributor of giftware, your business could likely not survive without the software applications and processes used for supply chain management, inventory control, human resources, financial management, accounting, e-commerce, legal compliance and other key business functions. When the technology works everyone is happy. When the system crashes a business or organization can easily become crippled and the following questions will soon be asked:

• How quickly will the problem be fixed?

• Who is responsible and how will we get the system back in operation?

• What alternatives are available?

• What remedies or recourse do we have under our agreements?

• What costs or damages are we likely to incur?

• How can we avoid this happening again?

If you are the CFO, CEO, or other person responsible for selecting the technology or systems used to run your business or organization, your ability to sleep well at night may depend on whether your systems or technology will meet all of your business or organization’s functional needs and requirements. To assess your company’s technology investments, you may wonder:


• Will management and shareholders feel confident that the expenditure was a wise investment?

• Will your business or organization be at risk for any failure to comply with federal or state laws because the computer system or technology is inadequate to meet fundamental recording and reporting requirements?

• Is the system going to mitigate or increase potential risk and liability?

The purpose of this Guide is to identify some of the key issues and concerns that any business or organization should consider when acquiring computer systems or related technology. It should help you to more efficiently plan for the procurement of technology and the use of appropriate contracts and agreements that can help avoid some of the painful lessons learned by others who have experienced failed systems or technology projects. While a well drafted written agreement is no substitute for a fully functional and secure system, the agreement itself can serve as a useful management tool to document the needs and obligations of both parties. We hope that this Guide will allow anyone involved in technology transactions to form a basic understanding of what issues are important and merit further discussion with legal and other professional counsel.


To facilitate revisions or updates of this Guide, this publication is available on Lathrop GPM’s website at https://www.lathropgpm.com/ as well as the website of the Minnesota Department of Employment and Economic Development at https://mn.gov/deed/. If you are looking for the most current version of the Guide, please check the above websites to see if an update has been completed. It is our sincere hope that you will find the following Guide helpful as you seek to achieve agreements that are a “win-win” for both parties.

Michael R. Cohen, CIPP/US, CIPP/E
Lathrop GPM


CASE STUDY: AN ERP SYSTEM GONE BAD

The following is a true story. A designer, importer, and distributor of collectible giftware with annual revenues of $250 million hired a consulting firm to oversee the selection and implementation of an Enterprise Resource Planning (ERP) computer system. When the new system was being installed, the consulting firm estimated the cost to implement the system at $3 million. The cost after implementation was over $12 million. When the new system was finally put into operation, the business was so totally disrupted that it was virtually destroyed. Orders could not be taken, or if taken, were irretrievably lost. Orders were not properly filled and shipments went out with no billing. The business spent millions of dollars in an attempt to remedy the problems and in the process lost significant goodwill and continued patronage of a great number of its customers.

Many lessons can be learned from this failed implementation.


USE DETAILED SPECIFICATIONS AND RFP/PROPOSAL FOR VENDOR SELECTION

Why is this system being purchased, what components are sufficient, and what service levels are necessary?

It is important to first analyze the particular needs of your business, the capabilities and capacities required of the contemplated system, and the ability of a proposed system to fulfill those needs. Take time to prepare a detailed written statement of the functions and performance you expect from the new system. These requirements and specifications can be written either by your own staff or by an independent consultant. Once you have documented your specific needs you can prepare a Request for Proposal (RFP) with sufficient detail to solicit vendors. These requirements and specifications can then be made part of any final written agreement. You might assume in acquiring technology that it will perform just as it was demonstrated or tested. You might also assume that it will certainly meet your specific needs. Do not count on the technology vendor to guarantee such performance. Forget about all those wonderful statements, whether oral or in writing, made by the sales representatives and others who are anxious for you to acquire their system or the latest and greatest technology solution. In fact, the vendor’s standard contract will most likely specifically disclaim any warranties and state that any promises or assurances made by the sales representatives or others, even in writing, are not valid or enforceable.


The following is a merger or integration clause that typically appears near the end of most agreements:

“This agreement sets forth the entire understanding between the parties and supersedes any prior representations, statements, proposals, negotiations, discussions, understandings, or agreements regarding the same subject matter.”

Because this clause knocks out all previous agreements or understandings between the parties, it is essential to incorporate by reference in any final agreement the RFP, the vendor’s proposal and response to the RFP, as well as any other significant and relevant documentation that you relied upon to acquire the technology or system. If you are relying upon any verbal assurances, make sure that they are memorialized in writing and identified as part of the final agreement. Even when you are creating the initial RFP for the purpose of soliciting vendors you should be thinking about what express warranties should be included in the final agreement with the selected vendor. You might even ask the vendors to submit their proposed agreement so that you can review it as part of the selection process.


PERFORM ACCEPTANCE TESTING

Even if the system you are installing or the technology solution you are considering has been around for years and is primarily off the shelf software, or proprietary technology that is not highly customized, you should still have a process that allows you to test the functions and features of the system or technology within a reasonable period of time necessary to determine whether or not it is acceptable. This test should be performed using real data in your environment and completed before you go live with full scale implementation of the system. The only way to assure successful implementation of a system is to clearly set forth an evaluation and testing process that is mutually agreed upon by both parties. By using mutually agreed upon functional requirements you can establish acceptance criteria that will prove beneficial to both parties. Through this evaluation and testing process you will be able to determine that the system performs in accordance with your requirements. This process will also allow the vendor to identify and understand what it needs to accomplish to achieve delivery and acceptance of a satisfactory system or technology. This way there will be no surprises and both parties will understand their obligations.


The acceptance testing provisions should cover (1) pre-live and post-live testing, (2) duration of the test and any retests, (3) rejection of the system if necessary, and (4) remedies for failure to meet acceptance testing criteria and milestones. In some cases payments can be tied to successful completion of acceptance testing. Purchasing technology to run a business is not the same as buying furniture or other large scale purchases where the buyer can usually determine at the time of delivery whether or not the items purchased were what they ordered. Acceptance testing is one of the unique features of information technology agreements and may be appropriate for your transaction.


INCLUDE APPROPRIATE EXPRESS WARRANTIES

Standard vendor agreements will likely disclaim all implied warranties, including any warranty that the technology or system will be suitable for any particular purpose. Vendors will not want to assume such open ended risk and liability. These disclaimers of implied warranties are permitted under the Uniform Commercial Code and appear in virtually every software related agreement. It is unlikely that you will be able to negotiate these standard disclaimers out of the agreement. It is essential, therefore, to have relevant and appropriate express warranties stated in the agreement. For example, the vendor should expressly warrant that the system or technology will conform to and perform in accordance with the functional requirements and specifications set forth in an exhibit to the agreement or as contained in the RFP and the vendor’s proposal. If possible you should also review any relevant specifications and documentation referred to in the agreement to make sure it is appropriate and sufficient. Additional warranties set forth in the agreement might require a prompt response time, limited down time, sufficient capacity or other performance features. If the system must generate timely reports, you should make sure that these requirements are clearly identified. If your business is concerned about compliance with certain federal and state laws and other special needs, you should make sure that you identify appropriate warranties of performance as part of the agreement.


The process of negotiating express warranties can prove invaluable in analyzing potential risks and concerns. If these issues are identified early in the procurement process, they can be more easily and less expensively resolved. A vendor’s reluctance to provide reasonable warranty protection might also be an indicator of the vendor’s own lack of confidence in the technology as a solution to the needs of the business. Appropriate system testing coupled with express warranties of performance prepared in accordance with mutually agreed upon specifications protects both the vendor and the purchaser and may help avoid arguments over failed systems and any resulting litigation. Here are examples of express warranties to consider if appropriate for your transaction:

Ownership. Warranty that the licensor is the owner of, or has the right to grant a license to use, the system without violating any third party rights.

Performance. Warranty that the system will conform to and perform in accordance with the specifications.

Response Time. Warranty that the system will have sufficient response times for transactions and that the vendor will respond within a stated time to any technological failure of the system.

Capacity. Warranty regarding the capacity and bandwidth of the system for maintaining records, files, and other data and achieving any agreed upon service levels or response times.

Compatibility. Warranty that the system acquired will be fully compatible and integrated with the user’s hardware and software environment.

No Viruses. Warranty that the system contains no undocumented features, viruses or other malicious code, or “drop dead” devices (code that disables the system on a date or event).

Documentation. Warranty that the documentation is adequate and is sufficiently detailed, complete, and accurate.

Current. Warranty that the software will be updated and kept current as necessary to comply with any changes in federal or state laws and regulations.

Complete. Warranty that the system includes all hardware and software necessary to conform to and perform in accordance with the specifications and that no additional hardware or software is required.


NEGOTIATE RELEVANT DELIVERY SCHEDULES/MILESTONES

You can quickly lose control over the costs of a large-scale system implementation project, especially if the work is paid for on a time and materials basis and not a fixed bid project. Performance milestones can help establish checkpoints to ensure progress towards a successful implementation and allow both parties to monitor progress and address problems early in the implementation. It is important to maintain a good relationship between the technology vendor and the information technology personnel who are employees of the business or organization acquiring the technology. It is however also important to make sure that the vendor personnel are held accountable for their performance and those managing the project can assert relevant controls. The business should be willing and able to continuously question the performance or resulting deliverable and not wait until too many problems escalate and too much money is spent. Letting problems and issues remain and escalate in a software implementation is a recipe for disaster and litigation. Finally, it may be helpful to consider how the contract will be used as a tool to manage activities after it has been signed. The agreement can be more than just a means to enforce specific remedies or pursue litigation.


NEGOTIATE PROGRESSIVE PAYMENT SCHEDULE

As payment terms often dictate deliverables and provide a chance for parties to evaluate their progress, setting out these terms clearly can save hassle and side-step unmet expectations. Some important questions to consider:

• How are payments made, and when?

• Fixed lump sum?

• Fixed periodic fee?

• Time and materials or other variable?

• Is payment based on performance?

• Upon execution of contract?

• Upon delivery or installation?

• Completion of training?

• Upon completion of acceptance testing?

• Upon productive use or when system goes live?

• Specified number of days after any one of the preceding events?


What is included in the fees paid?

It is critical to specify what is included, such as hardware, software (including third party software), custom modifications, updates, enhancements, new releases, documentation, delivery, installation, training, support, maintenance, technical assistance, disaster recovery, warranty, taxes, travel and other expenses. When listing deliverables it is important to be precise about what you are getting for the fee paid. For example, if you are paying for support that includes “upgrades” or “enhancements,” how those are distinguished from new products sold for additional license fees is an important component in evaluating pricing. Vendors will expect to be paid an amount that at a minimum can cover their personnel costs, especially if extensive services are necessary to implement the project. Starving a vendor of cash will not guarantee quality performance. People need to and expect to get paid. The purchaser or licensee will most likely seek some form of acceptance testing that can be linked to a payment schedule. They may, however, find resistance from a vendor that is a public company and is required to follow accounting rules concerning revenue recognition. While being sensitive to revenue recognition rules and the vendor’s desire for early payments, it is still appropriate for any business buying technology to use payment as a motivation for performance and completion of the system. By withholding a portion of the fees until final completion or linking payments to the achievement of critical milestones, the purchaser can provide a strong incentive for the vendor to complete the performance in a timely fashion and in accordance with the customer’s requirements.


A reasonable amount of the purchase price or license fee might be withheld until after the system is fully operational, tested and accepted to assure that it meets all of the customer’s functional needs and requirements. Progressive payment schedules can be tied to critical events with the length and degree of acceptance testing negotiated with the vendor so that it is fair to both parties. This approach allows the buyer to have some comfort that all critical business functions are met before a final payment is made. It also removes any doubt for the vendor that it is on track to complete the project without any disputes or challenges from the customer.


BE CAUTIOUS WITH FIRST TO TRY-ALPHA/BETA TEST

Your business or organization might benefit from being the first to try a new technology or system, and being the first might provide a competitive advantage. There might also be a steep discount available for being the first business to try some untested technology. The vendor may be looking for a business willing to take some risk and be the pioneer. By testing the new technology or system through an alpha or beta test you will provide important data to the vendor so that they can improve upon the application or correct any defects or problems with the technology. In exchange for sharing this information and acting as a “guinea pig” you might receive a reduced license fee or other consideration. Your business might even benefit by having the technology developed with your specific needs and requirements in mind. There are, however, obvious drawbacks to being the first or early adopter and user of any technology. Reliance upon a technology that has not yet been fully tested and proven to work in your business can result in unforeseen problems and delays in implementation. Most businesses do not have the luxury of risking their key business operations on such experimentation. For that reason, you should make sure that any significant system implementation or technology acquisition has been fully tested before it is used in your real operations, using real data, for a significant period of time and for a significant number of customers. References from similarly situated customers should of course always be checked to assure vendor credibility. If you are participating in such an alpha or beta test you will likely be asked to sign an agreement that requires you to keep the results of the test confidential and imposes other requirements on your participation. That agreement should also specify the form of consideration you receive for such participation, including any free or reduced license fees. The vendor might also limit your use to non-production testing purposes unless and until a fully tested version is complete and ready for commercial distribution.


CONSIDER RESPONSIBILITIES FOR SYSTEM REPLACEMENT AND CONVERSION

Is the conversion process from the old system to the new one your responsibility or the responsibility of the vendor?

If a legacy system is being replaced there may be additional time and effort necessary to maintain the legacy system for a period of time until a cut over to the new system is appropriate. This cut over and transition from one system to another should be considered in the agreement. How, in what specific manner, and at what cost your existing procedures and information will be transferred from manual or automated systems to any new replacement system are important considerations. You should have a clear understanding of precisely how and when this conversion will be done and by whom. The time and expense involved in a conversion process to new technology is frequently overlooked and should be considered when preparing the key milestones to include in the final agreement. It might be appropriate, for example, to have parallel systems operating for a limited period of time, or at least until the new system proves that it can operate successfully.


DEFINE DISASTER RECOVERY PROCESS, POLICY, AND PROCEDURES

Disaster recovery includes the process, policies, and procedures a business has in place for the recovery or continuation of the technology infrastructure necessary for the ongoing operation of the business. Every business should have a disaster recovery plan and be sure that the agreements in place with technology vendors support the plan. When working with any new vendor, it is important to understand what backup systems or disaster recovery options are available and at what additional cost. If appropriate, these options should be covered in the agreement. Disaster recovery services usually offer a type of temporary working environment if yours is disrupted. Applications and data might be hosted in an alternative data center, which is connected to your network and made available during the disaster. Note that it is not uncommon for vendors to subcontract out disaster recovery obligations, and many other third parties are often involved (the provider of the alternative data center, the provider of the original data center, a network service provider). Typical disaster recovery provisions include representations that the vendor will maintain (or cause to be maintained) backups of certain content, and employ disaster avoidance and recovery procedures in accordance with “standard industry practices.” Instead of relying on so-called standard industry practices you might request more details as to what practices the vendor actually follows (for example, how often backups are taken, where they are stored, and how they are protected) and what other third parties the vendor may subcontract with in the event recovery efforts are extensive. You should consider what access rights you have to any facility used for disaster recovery and the ability to test the disaster recovery plan in action. You might also require periodic testing, and the maintenance by the vendor of certain levels of power supply and equipment.

What constitutes a “disaster” for purposes of triggering the disaster recovery services provided by the vendor?

When defining the term and the triggering events make sure that the definition is not too limited. Would a pandemic like COVID-19 be covered? If a list of disasters is identified you might consider adding the words “including but not limited to.” A vendor might also want to have the disaster recovery services limited in duration. It is critical however that the “alternative system” remain available until your disrupted system is once again live and capable of running the key business functions. While you are not likely to invoke such a disaster recovery plan unless absolutely necessary, you need the assurance that when it is invoked you will not be arguing with a vendor over whether or not a “disaster” has occurred. Common issues in negotiating disaster recovery include response times (between when the determination that a “disaster” has occurred is made and when the back-up plan is working), service levels during the disaster period (are you comfortable with these being reduced during the disaster?), and any force majeure provisions (these need to be considered carefully since the occurrence of an event beyond the parties’ control is precisely what disaster recovery plans are meant to cover, and a broad force majeure clause could excuse the vendor from performing exactly when you need it most).

Does the vendor use the cloud as a back-up or disaster recovery tool?

The cloud (see discussion below) has become an increasingly popular method of providing disaster recovery services. When considering the cloud as an option, make sure that you consider issues such as data privacy and security and other issues related to doing business in the cloud. Whether using the cloud or a remote facility for disaster recovery, make sure that the technology agreements that you have in place with various vendors allow for such outsourcing. You do not want to find that your disaster recovery plan, when implemented, results in a breach of one of your license agreements with a software provider that had limited your use to “one copy installed on one specific server.” This may require a review and possible revision of licenses to clarify such use for disaster recovery purposes.

IDENTIFY KEY PERSONNEL

Have you met the vendor employees assigned to manage your account once the agreement is in place?

When considering a technology solution or vendor, the buyer is typically persuaded not just by the technology itself but by the people they meet during the sales process. Vendors are most attentive and responsive before the agreement is signed and the deal consummated. During this courtship period, the vendor introduces their best and brightest employees. While these individuals may primarily be sales people, it may be appropriate to interview the specific employees who may play a key role in the system implementation or any related consulting services. This is especially true if these individuals will be working at the business location or have substantial interaction with your staff. If there are any vendor employees that are particularly critical to the success of the project, the business might consider including a key personnel provision in the agreement identifying such individuals. Simply because you meet a remarkable and talented person during the sales and vendor selection process, there is no assurance that you will ever see or hear from them again after the agreement is signed unless they are identified as a key person in the agreement. From the vendor’s perspective, they will want some assurance that they can assign and staff the project as appropriate and use their “star” employees for multiple projects.

Vendors may also be concerned about losing employees that they have invested significant time and money to train, and will add a non-solicitation/no-hire provision to their agreements. Make sure that this provision is reasonable and reciprocal so that you do not lose any key information technology employees to the vendor.

UNDERSTAND USE OF HOSTING, SUBSCRIPTION SERVICES, APPLICATION SERVICE PROVIDER (ASP), SOFTWARE AS A SERVICE (SAAS), AND THE CLOUD

Information technology is available in a number of different forms, so that businesses now have a variety of options to consider. One of the fastest growing areas of technology licensing and acquisition for businesses is the use of hosting, subscription services, ASP, SAAS, and the so-called cloud. Today, almost any IT resource can be delivered to a business as a cloud service, from proprietary databases and software applications to network configuration. Remote workplaces and the use of e-commerce will likely remain a more common way of doing business following the massive and widespread transition to these workspaces and platforms resulting from the COVID-19 pandemic. Many businesses have already come to rely on these remote access computing services to run business applications without a large investment in new servers or other hardware. These cost-saving measures can be attractive but require special scrutiny, as new legal issues arise as a result of these new methods of technology delivery. As noted above, the cloud has become a popular and economical way to provide disaster recovery services. Given that cloud service providers use the internet or a private network to deliver their services, businesses are exposed to data loss and service outages. One way to minimize the risk of network failure is to engage with multiple cloud service providers. However, businesses may find a multiple vendor solution impractical because of a lack of interoperability between cloud service providers.

Businesses can also mitigate the risk of system outages and data loss by carefully reviewing a cloud service provider’s infrastructure, with a focus on their business continuity procedures (BCP). A cloud service provider should attach a written BCP to any agreement to render services. To further minimize risk, a customer should require a contractual right to review and approve changes to the BCP. Another key issue to address is whether the vendor is subcontracting any of its services and/or placing any restrictions on its own liability for system failures (for example, a vendor may state in its agreement that they “own or license” the services they provide). Many cloud customers may be surprised that cloud service vendors frequently use subcontractors to expand their own clouds. You should make sure that any subcontractors involved have the same quality of service as the vendor, and that the vendor does not remove itself from liability for acts or omissions of its subcontractors. You may also want to address the transferability of these services from one provider to another, should you wish to transition to a different vendor. Make sure that your data is not held hostage by a vendor and can be easily transitioned to another vendor. Provisions for maintaining the data in certain formats, and timelines in the case of a requested transfer, should be established. How to track and audit data stored in the “cloud” also presents a legal and regulatory issue. A services agreement should stipulate that the vendor is able to keep track of the information it holds in a manner sufficient for your needs (e.g., if litigation is anticipated, it may be necessary to perform “record holds” or establish an audit trail).

Does the cloud arrangement address data privacy and security issues?

One of the major concerns when using the cloud or other outsourcing is data privacy and security. Customers desire not only to protect their company’s most valuable information, but also to comply with the multitude of state, federal, and even international laws that apply to businesses that store any type of “personally identifiable information.” These laws can require the encryption of data, restriction of access to it, and deletion of it after certain time periods, the notification of a breach to customers whose data privacy is compromised, and even the explicit use of contractual provisions with service providers surrounding privacy and security safeguards. It is important to recognize which laws apply to you (for example, certain laws apply only to specific industries such as health care or banking; other laws are particularly strict in certain geographic areas, such as California, Massachusetts, and the European Union). When reviewing the vendor agreement, consider what physical and information security is employed by the vendor. The jurisdiction in which the data is stored may implicate certain laws, so you should either identify and limit where the servers can be located or make sure that you understand and can comply with the necessary laws. You should carefully review the vendor’s security measures and contractual commitments. Since vendors store data from multiple customers, you should consider conditions on their use of your data for aggregation or cross-tabulation purposes. For example, you might include provisions prohibiting the vendor’s use of your data for purposes other than providing direct services and defining such data as your “confidential information.” You should also make sure that any use of data that involves personally identifiable information not only complies with all relevant federal and state privacy laws and regulations but is also consistent with your own privacy policies and data security procedures.

THE INTERNET OF THINGS (IOT) AND ARTIFICIAL INTELLIGENCE (AI)

One of the fastest growing areas of new technology is known as the Internet of Things (IoT). The IoT is the expanding network of interconnected “smart” consumer products, ranging from Amazon’s Echo to “smart home” products that control temperature, lighting, and even home security. While IoT devices can streamline a business’s functions in a myriad of ways, there are several key issues to keep in mind when considering acquiring IoT technology. We live in a world where phones, cars, clocks, kitchen devices, appliances, and other household products monitor consumer behavior and communicate with us and each other via the internet. The collection of data by these devices presents enormous opportunities for businesses to gain efficiency, improve quality, decrease costs, and improve performance in products and services. IoT encompasses the ability of such devices and systems to connect wirelessly and the increasing number of products created and sold that allow for such connectivity. These internet-connected devices are enabled by small embedded computer processors and software. In the narrowest definition, the IoT involves connecting electronic devices to the public Internet. Just as there is no widely accepted definition of IoT, there are likewise no uniformly recognized IoT standards for communication or security protocols. It is estimated that the number of internet-connected devices is well over 17 billion, more than 2 per person on the planet, and will likely double in number by 2025. IoT applications are projected to produce over a trillion dollars in value for businesses.

While such connectivity offers enhanced efficiency, there is concern that with the fast-growing IoT market, little attention has been given by manufacturers to data security, which is often treated as an afterthought to innovation and other features of the so-called “smart” technology. IoT devices may therefore be delivered to consumers with well-known security vulnerabilities that could have been corrected in product development and prior to shipment. With the proliferation of these smart devices come legal concerns. Automobiles and medical devices, including pacemakers and insulin pumps, may be vulnerable to cyber-attacks. When these devices are hacked they can be converted into a massive network of remotely controlled machines known as a botnet, with severe consequences for hundreds of thousands of consumers. As more and more personal information is collected and stored by these devices, they are becoming an increasingly popular target for hackers. Businesses that manufacture and sell IoT devices, as well as owners of networks, and consumers must consider what roles they play in mitigating the risks and liability of these new devices. Who is responsible for any cybersecurity weaknesses? What is an appropriate contract or disclaimer notice that can be attached to such a device? What insurance is available to cover such risks? What are best practices for cybersecurity and product development to assure data privacy and security for consumers? Artificial intelligence, or AI, which allows systems to emulate human tasks without human intervention, is now also being connected with IoT devices. AI combined with IoT allows devices or systems to collect and exchange data without any human involvement.

One key issue to remain aware of is that it is often unclear whether IoT technology is a product, a service, or a mix of both. IoT technology could be subject to traditional product liability standards, so it is possible that either the software developer or the product manufacturer could be held liable in the event of damages caused by a malfunction. Assigning legal liability is particularly unclear if the IoT device utilizes Artificial Intelligence (AI). Currently, no laws address injuries caused by AI. Given how uncertain liability in relation to IoT devices is in the law, delineate liability as explicitly as possible in your contracts. Many IoT devices use AI technology to function. AI is not a single technology, but rather a broad term for computer technology with the ability to simulate human intelligence. This simulated intelligence can take many forms: analyzing data and drawing conclusions about it, learning from data to perform tasks better over time, identifying patterns, predicting future outcomes, optimizing practices, and/or automating repetitive functions. AI can be very useful for businesses, which may use AI for anything from compliance monitoring to industrial robotics. If you are acquiring a business that uses AI, carefully review the representations and warranties made by the vendor and ensure they adequately address the business impact of a system failure or malfunction. Additionally, you should be sure to scrutinize the non-infringement warranty. AI systems may produce infringing code when performing their functions without direction by the operator, and the issue of intellectual property infringement liability by AI systems is still unclear. Make sure the representations and warranties made by the vendor adequately allocate liability in the event that the AI system produces infringing code. You should also seek indemnification from a vendor to reduce liability in the event that an AI system’s decision-making process results in a liability.

California became the first state to enact a law covering cybersecurity related to “smart devices,” SB 327 (2018). Effective January 1, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip the device with “reasonable” security features designed to prevent unauthorized access, modification, or information disclosure. If the device can be accessed outside a local area network with a password, it must come with a unique password for each device, or force users to set their own password the first time they connect. There can be no generic default credentials that might be discovered by a hacker. The law covers any device makers who sell products in California. As a result, this California law will likely be followed by most IoT device manufacturers, as they will not want to give up the California market. Oregon followed California’s lead and also passed a law to require manufacturers of internet “connected devices” that make, sell, or offer to sell the devices in the state to equip the device with “reasonable security features.” According to the Oregon law, “[R]easonable security features” means methods to protect a connected device – and any information the connected device stores – from unauthorized access, destruction, use, modification or disclosure that are appropriate for the nature and function of the connected device and for the type of information the connected device may collect, store or transmit.

Privacy and IoT

The volume and variety of personal data collected by IoT devices results in obvious privacy concerns. Fitness trackers and medical devices may collect data about a person’s medical condition, location, and daily routines. Smart televisions can compile viewing history, preferences, habits, and other personal data. Cars may generate information on driving habits, movements, personal associations, locations, doctor visits, strip club visits, etc. The pervasive monitoring of personal activities through IoT devices may not be what the individual expected or wanted. A person may not realize that voice activation technology embedded in a smart device in their living room, such as a smart television, may be monitoring or recording private conversations. The use of IoT devices with artificial intelligence and mobile computing has increased the concerns regarding privacy and how such rights can be protected. As discussed in A Legal Guide to Privacy and Data Security 2024, the United States does not have a single comprehensive federal law that regulates privacy and instead has a patchwork of federal and state laws based on sectors and industries, along with some common law principles and limited constitutional authority. IoT devices that utilize GPS for tracking may be closely scrutinized in any Fourth Amendment legal analysis. Did the individual know of the IoT product with the tracking technology? Did they have a choice? Was the location of tracking private or public? Did the person have a reasonable expectation of privacy? The scope of this “reasonable expectation” of privacy legal theory will continue to be challenged in this new era of IoT devices.

As noted above, the use of IoT devices spans multiple industries, including medicine, health, transportation, and recreation. The FTC may be deemed the primary regulator of IoT devices due to its broad mandate and authority to regulate consumer protection. Other agencies may get involved if the device falls within their purview, such as the FDA for medical devices or the National Highway Traffic Safety Administration (NHTSA) for connected vehicles. In any event, the patchwork of federal, state, and global laws governing privacy and data security, as covered in A Legal Guide to Privacy and Data Security 2024, will have to be considered where IoT devices are used to capture, store, or transmit personal information.

CONSIDER ISSUES OF CONFIDENTIALITY/DATA PRIVACY/ SECURITY

The legal landscape of data privacy and security law in our ever-changing technological landscape is unpredictable. It is important to stay up to date with federal and local legislation relative to data privacy and security law. Recent sweeping changes have taken place in Europe and California. In May 2018, the European Union General Data Protection Regulation (GDPR) became effective. The GDPR had a significant impact on how businesses collect, process, and store personal information. The California Consumer Privacy Act (CCPA) became effective January 1, 2020. Businesses that collect any data from California residents must educate themselves about the requirements of the CCPA and create a compliance plan. It is important to maintain a secure system with safeguards in place to limit your potential risk and exposure to any violations of data privacy rules and regulations. The most noteworthy aspect of the CCPA is the private right of action allowed in the event of a data breach. This statutory remedy will likely lead to many class action lawsuits. Agreements with vendors who process your data must be reviewed to make sure they fully comply with the CCPA and all other data privacy and security laws. It is equally important that your information and data are maintained as confidential, particularly personal information of individuals that is protected from disclosure as a matter of law. The vendor agreement will likely include restrictions on use and disclosure related to vendor proprietary information. Review any restrictions on use of vendor information to make sure that the restrictions are not unreasonable and provide you with sufficient
