Presented by: Will Dickinson, Williams Mullen & Jeff Gilleran, Miles Consulting MITIGATING RISK IN VENDOR TECHNOLOGY CONTRACTS MARCH 7, 2017



PRESENTERS TODAY

Will Dickinson, Williams Mullen

Jeff Gilleran, Miles Consulting


COMMON ISSUES FROM CUSTOMER’S PERSPECTIVE

> Defined Terms and Specifications
> Intellectual Property and Data Ownership
> Note Regarding Copyright Law
> Data Integrity, Security and Privacy Issues
> Services and Support Warranties
> Unbalanced or Uncapped Liabilities
> Term, Termination and Conversion
> Trademark Issues
> Dispute Provisions

Ability to negotiate these issues will depend upon relative leverage among parties, monetary value of contract and criticality of system or data.


ON PREMISE VS. SAAS

> On-Premise Software
  – Traditionally downloaded or installed software at customer’s facility
  – Software itself is licensed to customer
  – Customer may have license to modify software
  – Data remains with customer
> Software-as-a-Service (SaaS/Cloud)
  – Customer granted access to software running on servers located outside of customer’s facility
  – Data transmitted to off-site server
  – Customer need not maintain software or data


DEFINED TERMS

> Defined Terms Are Critical
  – May be multi-layered and technical definitions
  – Likely flow into services, licenses, warranties, indemnities, limitations of liability, termination and other core terms
  – Seek assistance from technical side of business to bridge gap


SPECIFICATIONS

> Specifications Drive Other Risks
  – Services, software, technology and other definitions may incorporate specifications.
  – Warranties, indemnification, SLAs and other core terms typically rely on specifications.
  – Identifies what type of data will be used and how it will be used.
  – Lean on technical side of business for understanding
  – Ensure decision makers and technical side of business both
    • have read and understand the specification documents;
    • are comfortable that entirety of what will be received is within the four corners of specifications.


INTELLECTUAL PROPERTY AND DATA OWNERSHIP

> Software & Technology
  – Usually owned by vendor and licensed to customer
  – Ensure all necessary entities receive license and/or customer can sublicense to necessary affiliates
  – Consider cataloging software/verification technology to track licenses
> End User/Customer Data
  – Usually owned by customer, but vendor could have interest in using data depending upon subject matter.
  – Potential to limit vendor’s ability to use and distribute beyond what is necessary to provide services
  – Alternatively, potential to mitigate risk by allowing aggregated, anonymous data that cannot be used to identify customer or end users without extraordinary effort
  – Cross reference with termination, conversion, security and warranties


IMPORTANT NOTE REGARDING COPYRIGHT LAW

> Ownership of underlying copyrights (such as software code and designs) remains with the author (e.g., independent contractor) unless transferred via written assignment, or if it is a work “made for hire.”
> A work cannot be “made for hire” through contract alone.
> The following are the only circumstances in which a work is “made for hire”:
  – “(1) a work prepared by an employee within the scope of his or her employment; or
  – (2) a work specially ordered or commissioned for use as a contribution to a collective work, as a part of a motion picture or other audiovisual work, as a translation, as a supplementary work, as a compilation, as an instructional text, as a test, as answer material for a test, or as an atlas, if the parties expressly agree in a written instrument signed by them that the work shall be considered a work made for hire ….” 17 U.S.C. § 101


DATA INTEGRITY, SECURITY, AND COMPLIANCE

> Need for data provisions will vary with type and purpose of licensed technology.
> Considerations
  – Confidentiality
  – Data loss and backup
  – Geographic location of data/servers
  – Warranties that vendor will comply with GLB, HIPAA, COPPA, SOX or other applicable laws
  – Warranties of certain security standards
  – Data breach notification procedures (compliance with Va. Code 18.2-186.6)
    • Note that every state has different data breach notification procedures and definitions of personally identifiable information.
  – Customer assurances through outside audits (e.g., SOC 2 report, SOC 1 aka SSAE 16, ISO 27001)


WARRANTIES AND SERVICE LEVEL AGREEMENTS

> Software & Support Warranties
  – Perform services in a professional and workmanlike manner
  – Aim for highest standards of skill and care in the industry
  – Software/Technology shall substantially conform with documentation
  – If no intellectual property infringement warranty, seek protection through indemnification
    • Vendor may refuse to give both to avoid indemnifying customer and then being sued by customer for same issue
  – Cybersecurity warranties becoming increasingly important


SERVICE LEVEL AGREEMENTS (SLAs)

> Service Level Agreements
  – Ensure that the SLAs meet business needs of technical team
  – Aim for enforceable response levels, not aspirational goals
  – Responses and penalties should tie with criticality of service to business


UNBALANCED OR UNCAPPED LIABILITIES

> Limited Vendor Liability
  – Vendors do not see themselves as insurers.
  – Generally exclude consequential, indirect, special, incidental or punitive damages.
  – Vendor’s liability generally capped. Amount of cap usually determined by monetary value of contract, length of term, ease of termination, and relative leverage of parties.
  – Data breach liability versus direct liability.
  – Potential for two-way limitation of damages.


UNBALANCED OR UNCAPPED LIABILITIES

> Indemnification
  – Indemnification obligations shift with relative ability to mitigate risks
  – One-way or mutual indemnity depending upon respective responsibilities of parties and ability to mitigate
  – “Indemnify, defend, and hold harmless”
  – Check for cap on indemnification through limitation of liability provision
  – Intellectual property infringement indemnity – Mitigating patent-troll and other IP risks
  – Indemnification for data breaches
  – Check for exceptions that swallow the rule (e.g., technology combinations)


TERM

> Term
  – Vendors typically favor longer terms, shorter window for notice of nonrenewal
  – Customers typically favor shorter terms, longer window for notice of nonrenewal
  – Considerations for term length include:
    • Potential for locking in favorable pricing or other negotiated items with longer terms
    • Business need for reliance on technology
    • Pace of technology changes
    • Terms of related technology licenses
    • Relative ease of termination
    • Transition and implementation time periods for new vendor


TERMINATION

> Termination
  – For cause
    • Usually “material breach”
    • Cross reference “material breach” with SLAs to negotiate when SLA remedies are insufficient
  – Without cause (Termination for Convenience)
    • Ease of customer termination can mitigate against other potentially risky or unfavorable terms
    • May involve a fee, especially for early termination
  – Ensure that amount of termination notice matches business team’s timetable for finding replacement
  – Seek opportunity to cure for nonpayment
  – Risk with lengthy cure provisions for services


TERMINATION VS. SUSPENSION

> Caution with Suspension Clause Similar to Following:
  – “Licensor shall have the right to deny or suspend access to the Software or Service in the event Licensor is not paid any amount due in connection with the Service or Licensee breaches the Agreement.”
  – Creates potential for abuse, damage to licensee’s business and/or imbalanced leverage during term.
  – Different than temporary suspension for emergency response, criminal activity, government order or cyber attack.


TERMINATION AND CONVERSION RISKS

> Termination Consequences
  – Ensure that End User/Customer Data or similar information will be timely returned in a format that is usable to customer
  – Unless otherwise agreed, upon termination, further use of software or technology could risk infringement issues
  – Ensure critical terms survive termination (e.g., IP ownership provisions, confidentiality, limitation of liability, indemnification)
> Conversion
  – Understand whether conversion fees exist and, if so, what customer would be expected to pay


TRADEMARK RISKS

> Vendors may want to use customer’s trademark in advertising.
> Without care, customer could inadvertently weaken their core brands through such a provision.
> Trademark law requires control over licensed use of trademarks by owner
  – Ensure “goodwill inures to the benefit of customer.”
  – Ensure limited license and only amount of trademark that is absolutely necessary.
  – Ensure ability to terminate license with inappropriate or unauthorized use or, ideally, at customer’s discretion.
  – Ideal to have written pre-approval of any use.


DISPUTE PROVISIONS

> Governing law (for Virginia customers)
  – Virginia preferred, with Delaware or New York as relatively close alternatives
> Jurisdiction
  – Risks associated with agreeing to jurisdiction outside of your home state
> Attorneys’ Fees
  – Shifting leverage in the event of a dispute


DISPUTE PROVISIONS CONT.

> Alternative Dispute Resolution
  – Arbitration can potentially be less cost-effective if customer is unfamiliar with process
  – Potential alternatives to arbitration are mandatory mediation or “escalation”
    • Escalation requires discussions (either phone or face-to-face) among senior business executives to attempt a resolution prior to litigation or other ADR routes.


QUESTIONS

Will Dickinson, Williams Mullen

Jeff Gilleran, Miles Consulting


APPENDIX


EXAMPLE INDEMNIFICATION CLAUSE

> To the fullest extent not prohibited by Law, the Licensor shall indemnify, defend, and hold harmless the Licensee Indemnitees against and from any Person’s (which term shall not include Licensee or the Licensor) claims for any Losses (except to the extent such Losses are solely caused by the willful misconduct or gross negligence of a Licensee Indemnitee), which any such Licensee Indemnitee may suffer, sustain or become subject to arising directly out of and solely to the extent of the following:

– a. any actual or alleged misconduct, negligence or other culpable act, error or omission of the Licensor or Licensor Personnel in connection with the Services;

– b. any actual or alleged infringement, misappropriation, or violation of any third-party’s patents, copyrights, trade secret rights, trademarks, or other intellectual property or proprietary rights of any nature in any jurisdiction in the world, resulting from Licensee’s, the Licensor’s, and/or the Licensor Personnel’s use of the Services.

• 1. The Licensor has no obligation under this Contract for any claim of infringement arising from a third party claim arising from:

– i. the Licensor’s permitted use of Pre-Existing IP of Licensee or Licensee Intellectual Property in compliance with specific Licensee instructions, if such infringement resulted from such use;

– ii. modifications of or to a Deliverable made by any entity other than the Licensor or Licensor Personnel performing Services under this Contract, if such infringement resulted from such modifications, and unless such modifications were approved in writing or directed by the Licensor or Licensor Personnel;

– iii. use of a Deliverable in connection with products, services or deliverables not supplied by the Licensor or Licensor Personnel under this Contract, if such infringement resulted from such use, and unless such use was approved in writing or directed by the Licensor or Licensor Personnel; or

– iv. use or distribution of a Deliverable by an entity other than the Licensor or Licensor Personnel in a manner which is not authorized by the terms of this Contract, if such infringement resulted from such use or distribution, and unless such use or distribution was approved in writing or directed by the Licensor or Licensor Personnel;

• 2. If, in the Licensor’s opinion, the Deliverables furnished under this Contract are likely to become, or do become, the subject of a claim of infringement, then without limiting the Licensor’s obligation to satisfy the final award, the Licensor shall at its option, with Licensee’s review and written approval, and at the Licensor’s expense:

– i. procure for Licensee the rights to continue using the Deliverable; or

– ii. replace or modify the alleged infringing Deliverable, or portion thereof, with other equally suitable products or services that are reasonably satisfactory to Licensee, so that they become non-infringing;

– d. any actual or alleged violation of any Law by the Licensor or Licensor Personnel.


TEXT OF VA. CODE 18.2-186.6 REQUIREMENTS

§ 18.2-186.6. Breach of personal information notification

> …

> B. If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Notice required by this section may be reasonably delayed to allow the individual or entity to determine the scope of the breach of the security of the system and restore the reasonable integrity of the system. Notice required by this section may be delayed if, after the individual or entity notifies a law-enforcement agency, the law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation, or homeland or national security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.

> C. An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.

> D. An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person.

> E. In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.

> F. An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information that are consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if it notifies residents of the Commonwealth in accordance with its procedures in the event of a breach of the security of the system.

> G. An entity that is subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) and maintains procedures for notification of a breach of the security of the system in accordance with the provision of that Act and any rules, regulations, or guidelines promulgated thereto shall be deemed to be in compliance with this section.

> H. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity's primary or functional state or federal regulator shall be in compliance with this section…


William P. Dickinson, III
Attorney
Richmond, VA
T: 804.420.6607

Whether you’re a Fortune 500 company with a large IP portfolio or a mid-sized business with important IP assets, it’s important that your intellectual property rights are protected. Will Dickinson helps companies protect their brands, negotiate software and technology licenses, build their intellectual property portfolio into a valuable asset, and perform IP due diligence for the purchase or sale of a business.

Will has experience in all aspects of general intellectual property matters, such as licensing, litigation, copyright and trademark registration and intellectual property due diligence. He can help guide companies through each stage of IP acquisition, protection and exploitation, from the initial IP counseling and acquisition, to building value in the IP through trademark, copyright and domain name registration, protecting those assets through enforcement and litigation, and exploitation of IP through the licensing and sale of IP assets.

Will has been named among Virginia’s “Legal Elite” by Virginia Business magazine (2016-present), and he has been named a “Rising Star” by Virginia Super Lawyers magazine (2013-present).

Will earned a Bachelor of Arts degree, magna cum laude, from Wake Forest University, where he graduated Phi Beta Kappa, and a Juris Doctor degree from Wake Forest University School of Law. While in law school, Will served as editor-in-chief of the Wake Forest Law Review. In addition, he was chair of the Wake Forest Law Review Best Practices Committee, a member of the moot court team participating in the Mardi Gras National Sports Law Competition and a solo competitor in the George K. Walker Moot Court Competition, a youth basketball coach and a volunteer for the Innocence Project.

Practice areas

> Intellectual Property
> Copyrights
> Intellectual Property Litigation
> IP Due Diligence & Opinions
> Trademarks
> Alcoholic Beverage Control
> Unmanned Systems
> Community Banks
> Trade Secrets, Employee Mobility and Restrictive Covenants


Jeff Gilleran
Miles Consulting
703.229.3943

Jeff Gilleran is an attorney in Washington DC with over 25 years of law firm and in-house experience. His work is focused on enterprise-size commercial and public sector service agreements (primarily telecommunications and internet services), internet network and data-center development, channel partner programs, ethics and compliance oversight, and general counsel advice. Most recently, he was Assistant General Counsel at Verizon in Arlington, Virginia. Previously, he was Assistant General Counsel at Cogent Communications in Washington, D.C., and in private practice as Counsel at the law firm of Gibson, Dunn and Crutcher, also in Washington, D.C. He currently provides business development, legal, and strategic advice for technology and telecommunications companies at Miles Consulting LLC.

Mr. Gilleran received his undergraduate degree in 1987 (B.A., High Distinction) and his law degree in 1990 (J.D., cum laude), both from the University of Michigan. He is a member of the District of Columbia and Virginia (in-house) bar associations. He resides in Alexandria, Virginia with his wife Natasha and daughter Simone.
