can't we all agree? clickwrap agreements
DESCRIPTION
Presentation at UNC CAUSE 2013, Bill Coker, North Carolina State University
TRANSCRIPT
Can’t We All Agree? A Solution for Software Clickwrap Agreements
Bill Coker
Manager of Software Licensing Management
Office of Information Technology
North Carolina State University
What is a Clickwrap Agreement?
A clickwrap agreement is a type of contract that is widely used with software licenses and online transactions in which a user must agree to the terms and conditions prior to using the product or service by clicking an “I Agree” or “I Accept” button.
Clickwrap Agreement Challenges
Clickwraps are becoming more prevalent in IT
Clickwrap agreements are typically non-negotiable
Clickwraps create logistical difficulties and approval issues for the Office of General Counsel and Purchasing
Many users click “I Agree” without reading the terms or having the authority to bind the university
Clickwrap Agreement Strategy
Implement an efficient process for reviewing and approving clickwraps
Create a delegation of authority to approve clickwrap agreements
Educate campus
A Clickwrap Awakening: iOS Developer Agreement
Apple required an iOS developer to bind the university to agreement
Terms of agreement violated State law
Apple would not negotiate terms
A Clickwrap Awakening: iOS Developer Agreement
Written justification showing low risk for each issue
Approvals by Office of General Counsel, Trademarks & Licensing, and Regulatory Compliance
CIO did not have signature authority
I’m Glad That’s Over
“I never want to go through this process again”
“Hopefully we won’t have any other clickwrap agreements”
“Surely no enterprise solutions will employ clickwraps”
Another Clickwrap Awakening: Google Consumer Apps Pilot
Campus wants Google Consumer Apps (Blogger, Maps, Picasa, YouTube, etc.)
Using personal accounts instead of NCSU.EDU accounts
Clickwrap agreement for the Google Apps Trusted Tester Agreement
Every user on campus will be required by Google to click “I Agree”
Looking for a Clickwrap Solution
UNC Greensboro was ahead of the curve
http://www.uncg.edu/ucn/clickwraps/approved_clickwraps.html
Google Consumer Apps approved by UNC-G’s Chancellor
Could not find solutions at other universities
NCSU’s Approach
On-going meetings with:
Office of General Counsel
Security Standards and Compliance
Outreach, Consulting and Communications
Software Licensing Management
Reviewed terms for desired Google Consumer Apps
NCSU’s Approach
Separated Consumer Apps into Four Tiers
Tier 1: Alerts, Feed Burner, Reader
Tier 2: Maps, Map Maker, Picasa, YouTube, Blogger, Google+, Places
Tier 3: Takeout, News, Moderator, Public Groups, Voice
Tier 4: Analytics, Chrome Web Store, Google Chrome Sync
Acceptance of Terms
RISK: Any use of these services constitutes acceptance of the Google Terms of Service
RESPONSE: These products are not made available to NCSU users until they are activated by the NCSU Google administrator. No user can accept the terms until all terms are vetted by the university.
Ensuring Compliance of Terms
RISK: NCSU is responsible for ensuring End Users comply with the applicable Google terms of service for each of the Google Consumer Apps used.
RESPONSE: Students are bound by NCSU Policy 11.35.01 – Code of Student Conduct and Employees are bound by the various Policies, Regulations and Rules
Stapler Principle
A stapler is safe only when it is used as a stapler, not as a weapon.
Hold Harmless and Indemnify
RISK: Requires the University to hold harmless and indemnify Google if the Service is being used on behalf of the University.
RESPONSE: Because the university will effectively enforce compliance from students and employees using the Code of Conduct and Policy, Regulations and Rules, the university should assume minimal risk by indemnifying Google.
Ensuring Compliance with Federal Law
RISK: NCSU agrees that it is solely responsible for compliance with all laws and regulations that apply to these Services, including FERPA
RESPONSE: A FERPA Modular Course Consent and Waiver Form has been created that allows faculty members to customize the consent form to be applicable to the course requirements.
Consent and Waiver Form
Modified form used by DELTA
Allows faculty to customize form based on Google Apps used and the assignment
Other Risks Identified
Limitation of Liability
Governing Law
Storing data outside of the US
Google creates derivative works
Risk Assessment Matrix
Risk Assessment Summary
Using the Risk Assessment Matrix:
Identified the Probability and Impact for each known risk
Assigned a Risk Level and Risk Assessment Level
Summarized the Findings
Risk Assessment Summary
Google Apps Use Cases & Risks: “Stapler Principle”
Working with faculty who use personal Google Apps as part of their instruction:
Identified what products are being used
How the products are being used
Identified the Probability and Impact for each known risk
Assigned a Risk Level and Risk Assessment Level
Summarized the Findings
Use Cases & Risks Summary
Results
CIO provided limited signature authority and delegation authority
Google Apps Trusted Tester Agreement was completed
NCSU was able to approve Tiers 1 & 2 of the Google Consumer Apps
Google Apps made available to campus
We began working on Tiers 3 & 4
Moving the Process Forward
Began discussions to apply the process to other clickwrap agreements
Created new issues since software and agreements vary so much
Other Clickwrap Agreements
Identified common risks found in general clickwrap agreements
Secure systems will utilize the software, possibly placing secure data at risk
Risk of university data exposure
Includes broad audit rights, permitting the vendor almost unlimited access to NCSU’s facilities, records, and systems
Contains expansive "feedback" and similar clauses that could result in the licensor gaining ownership of intellectual property or data
Contains confidentiality or non-disclosure clauses
Other Clickwrap Agreements
Identified common risks found in general clickwrap agreements
Requires the University to "hold harmless" or "save harmless" or "indemnify" the vendor
Limitation of liability for vendor
No limitation of liability for University
Potential litigation outside of North Carolina
Little to no warranty. Software is provided entirely "as-is"
The software is not widely distributed nor well established in the community
Other Clickwrap Agreements
Identified common risks found in general clickwrap agreements
Requires all disputes to be submitted to binding arbitration
Permits vendor's agents, contractors and licensors (third parties) to have audit rights
No protection if University is sued for third-party intellectual property infringement
Requires University to reimburse the vendor for all attorney fees and costs
Violates other State laws not already identified
The Solution
Identified risks were categorized into three categories
Category 1: Common Problematic Clauses
Category 2: Unique/Challenging Problematic Clauses
Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product
Category 1: Common Problematic Clauses
Limitation of Vendor’s Liability
Indemnification and “Hold Harmless” Clauses
Governing Law
Binding Arbitration
Requirements to reimburse vendor for attorney fees
Category 1: Common Problematic Clauses
Clauses are permitted
Office of General Counsel is constrained from “approving” the clauses by the letter of the law
However, they are prepared to defend a business decision to accept these clauses
This business decision is consistent with the actions of many existing users in State government and other schools
The benefits outweigh the risks associated
Category 2: Unique/Challenging Problematic Clauses
Broad Audit Rights permitting vendor almost unlimited access to NCSU’s facilities, records and systems
Grants audit rights over NCSU to vendor’s agents, contractors and third parties
Clauses that could result in the licensor gaining ownership of intellectual property or data
Confidentiality or non-disclosure clauses
Clauses permitting storage of NCSU data outside the US
Category 2: Unique/Challenging Problematic Clauses
• Clauses are not permitted without review
• Clauses must be evaluated jointly by the Office of General Counsel and the Office of Information Technology on a case-by-case basis
• A risk assessment using the Risk Matrix must be completed
• If approved, strategies must be determined to reduce risk (educating end-users)
Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product
• NCSU’s secure systems will utilize the product, possibly placing secure data at risk
• Use of product may create risk of NCSU data exposure
• Clauses restricting NCSU’s use of the product
• Agreement contains little to no warranty – provided “as-is”
• Product is not widely distributed nor well established in the community
Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product
• Issues are typically the result of misuse or misconduct (the Stapler Principle)
• Student consent should be obtained using the Consent and Waiver Form when the use of the software raises FERPA concerns
Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product
• NCSU can treat its risks by restricting or eliminating access to users who violate computer use policy
• Behavior violating NCSU policies, state or federal laws can be addressed under existing student, staff and faculty processes dealing with misconduct
Communication
• Communicated the clickwrap process to leadership for feedback and approval
• Office of General Counsel
• Purchasing
• Campus IT Governance committees
• College IT Directors
• Office of Information Technology
The Final Process
• Software Licensing Management, with the help of the Software Manager in the Colleges of Engineering, began reviewing clickwrap agreements
• All issues are identified as Category 1, 2 or 3
• All clickwraps, issues and categories are entered into a master spreadsheet
• A risk assessment is conducted for Category 2 issues (probability/impact) and sent to the Office of General Counsel for review
The Result
• When completed, clickwrap agreements are listed on the Software@NC State web site
• http://software.ncsu.edu/clickwraps
• Clickwraps are listed with the following statuses:
• Approved
• Conditionally Approved
• Denied
• Pending
Be Aware
• We cannot review every clickwrap
• Mobile device apps (iTunes, Google Play, etc.)
• Device drivers
• Not all open source licenses should be approved
• Patent violations
Be Aware
• Some free software has restrictions that prevent use on some campuses
• Overall budget
• Non-commercial home-use only
• Not all software has a clickwrap agreement
• Some software states agreement by downloading or installing
The Response
• Campus has embraced the new process and has submitted new clickwraps for review
• In the first three months, the clickwrap list grew from approximately 100 clickwraps to more than 350
Maintenance
• Every six months, the dates and versions of clickwrap agreements are reviewed to determine if there have been updates
• Updated agreements are reviewed
• New clickwraps are added when submitted
• Outdated clickwraps and retired software are removed