2019 Edition - LawPracticeCLE · 2019-03-22 · 11161 E State Road 70 #110-213 Lakewood Ranch,...
SaaS Agreements: Drafting and Negotiating
2019 Edition
11161 E State Road 70 #110-213, Lakewood Ranch, Florida 34202
www.lawpracticecle.com
941-584-9833
LawPracticeCLE is a national continuing legal education company designed to provide education on current, trending issues in the legal world to judges, attorneys, paralegals and other interested business professionals. New to the playing field, LawPracticeCLE is a major contender with its offerings of Live Webinars, On-Demand Videos, and In-person Seminars. LawPracticeCLE believes in quality education, exceptional customer service, long-lasting relationships and networking beyond the classroom. We cater to the needs of three divisions within the legal realm: Pre-Law and Law Students, Paralegals and other support staff, and Attorneys.
At LawPracticeCLE, we partner with experienced attorneys and legal professionals from all over the country to bring hot topics and current content that are relevant in legal practice. We are always looking to welcome dynamic and accomplished lawyers to share their knowledge!
As a LawPracticeCLE Speaker, you receive a variety of benefits. In addition to CLE teaching credit attorneys earn for presenting, our presenters also receive complimentary tuition on LawPracticeCLE’s entire library of webinars and self-study courses.
LawPracticeCLE also affords expert professors unparalleled exposure on a national stage in addition to being featured in our Speakers catalog with your name, headshot, biography and link back to your personal website. Many of our courses accrue thousands of views, giving our speakers the chance to network with attorneys across the country. We also offer a host of ways for our team of speakers to promote their programs, including highlight clips, emails, and much more!
1. A Course Description
2. 3-4 Learning Objectives or Key Topics
3. A Detailed Agenda
4. A Comprehensive PowerPoint Presentation
LawPracticeCLE The Law in Review
LAWPRACTICECLE UNLIMITED
LawPracticeCLE Unlimited is an elite program allowing Attorneys and Legal Professionals unlimited access to all LawPracticeCLE live and on-demand courses for an entire year.
LawPracticeCLE provides 20 new continuing legal education courses each month that will not only appeal to your liking, but also meet your State Bar Requirements.
Top Attorneys and Judges from all over the country partner with us to provide a wide variety of course topics from basic to advanced. Whether you are a paralegal or an experienced attorney, you can expect to grow from the wealth of knowledge our speakers provide.
COURSE CATEGORIES
A View From The Bench
Animal Law
Bankruptcy Law
Business Law
Cannabis Law
Construction Law
Criminal Law
Cybersecurity Law
Education Law
Employment Law
Entertainment Law
Estate Planning
Ethics, Bias, and Professionalism
Family Law
Federal Law
Food and Beverage Law
Gun Law
Health Law
Immigration Law
Intellectual Property Law
Insurance Law
Nonprofit Law
Paralegal Studies
Personal Injury Law
Practice Management & Trial Prep
Real Estate Law
Religious Law
Social Security Law
Specialized Topics
Tax Law
Technology Law
Transportation Law
Tribal Law
More Coming Soon ...
ACCREDITATION
LawPracticeCLE will seek approval of any CLE program where the registering attorney is primarily licensed and a single alternate state. The application is submitted at the time an attorney registers for a course, therefore approval may not be received at the time of broadcasting. In the event a course is denied credit, a full refund or credit for another LawPracticeCLE course will be provided.
LawPracticeCLE does not seek approval in Illinois or Virginia, however the necessary documentation to seek CLE credit in such states will be provided to the registrant upon request.
ADVERTISING WITH LAWPRACTICECLE
At LawPracticeCLE, we not only believe in quality education, but providing as many tools as possible to increase success. LawPracticeCLE has several advertising options to meet your needs. For advertising and co-sponsorship information, please contact the Director of Operations, Jennifer L. Hamm, [email protected].
CHECK US OUT ON SOCIAL MEDIA
Facebook: https://www.facebook.com/LawPracticeCLE
LinkedIn: https://www.linkedin.com/company/lawpracticecle
Instagram: https://www.instagram.com/lawpracticecle
Twitter: https://twitter.com/LawPracticeCLE
SAVANNAH 912.236.0261
BRUNSWICK 912.262.5996
HUNTERMACLEAN.COM
Negotiating SaaS Agreements
Some Recent & Continuing Trends
Cloud computing is becoming a utility
• Expectation of continuous, secure, affordable access
Mobile and wireless devices
• User access from anywhere, through any device
The Internet of Things
• Ever-increasing numbers of “smart” devices
Interconnectivity and integration
• Connectivity between systems (APIs, apps, etc.)
Importance and value of data
Key Concept: Miles’ Law
Where you stand depends on where you sit
• Role in negotiations (customer vs. vendor)
• Organizational culture / risk tolerance
• Leverage
▪ At least understand the risks, even if little or no leverage
Overview
Due diligence
Contractual provisions
• Basic drafting issues
• Issues/risks in SaaS contracts
Service level agreements
Data-related issues
• Increasingly important
Legal and regulatory concerns
• Ever-changing and increasingly complex
Due Diligence
Identify prospective SaaS vendors
• Review and compare
▪ Product offerings/functionality
▪ Potential leverage
▪ Pricing and costs
➢ Including implementation, set-up & configuration
▪ Reputation/customer experiences & feedback
➢ Online searches (including litigation searches)
➢ User groups/conferences
▪ Historical performance information
▪ Form agreements/standard terms
Contractual Provisions
Basic drafting issues
• Each party needs firm commitments from the other – but often different ones
• Absolute commitments (shall, will, must, etc.)
▪ Vs. something less (goals, targets, objectives, will strive or endeavor to, etc.)
• Defined levels of efforts
▪ Best efforts, commercially reasonable efforts, etc.
• Can a stranger understand/interpret the contract?
Contractual Provisions (cont’d)
Description of SaaS services
• Products/services purchased
▪ Identification, functionalities, capabilities, etc.
➢For each applicable user type
• Basis of pricing/fees
▪ Usage parameters, limitations, restrictions
➢Numbers and types of permitted users
➢Any other parameters
» Storage space, API calls, data transmitted, etc.
Contractual Provisions (cont’d)
Scope of permitted use
• Employees
• Corporate affiliates
▪ Majority interest
▪ Minority interest with right to manage/control
• Other third parties
▪ Business partners (customers, vendors, etc.)
➢ Counted as users / subject to additional fees?
▪ Contractors and consultants in performing services
• Geographic locations
• Other applicable parameters
Contractual Provisions (cont’d)
Scope of implementation, set-up, and configuration work
• Separate professional services engagement?
▪ Statement of Work
➢ Each party’s responsibilities
➢ Timeline/schedule for performance
➢ Loading of historical data from legacy systems?
➢ Interfaces
▪ Additional fees?
➢ Method of calculation
» Time-and-materials, not-to-exceed, fixed fee, etc.
» Applicable rates
Contractual Provisions (cont’d)
Invoicing and payment terms
• Frequency
▪ Monthly, quarterly, annually, etc.
• Timing
▪ In advance vs. in arrears
• Payment terms / due date
• Notice/cure period for non-payment
▪ Vendor right to suspend?
• Taxes
Contractual Provisions (cont’d)
Price protection
• Initial term pricing
▪ Additional users
▪ Any other additional charge parameters
➢ Storage space, API calls, data transmitted, etc.
• Periodic increases
▪ Frequency - at will, annually, renewal terms, etc.
▪ Caps on price increases
➢ Fixed percentage
➢CPI, ECI, or other index
➢Duration of price protection
Contractual Provisions (cont’d)
Term
• Initial term
▪ Pricing tied to duration?
• Renewal terms
▪ Duration
▪ Auto-renewals?
▪ Notice periods for:
➢Price increases
➢Non-renewal - customer vs. vendor
Contractual Provisions (cont’d)
Termination rights
• For convenience
▪ After initial term or specified period?
➢With decreasing exit/termination fee?
• For cause
• Force majeure
• Change of control
• Chronic/recurring service level failures
Contractual Provisions (cont’d)
Post-termination obligations
• Limited extension of term by customer?
▪ Specific percentage increase in fees?
• Return of customer data/content
▪ Format
▪ Process and timing
▪ Additional charges?
• Deletion of data/confidential information
▪ Exceptions for backups/archival copies, legal and regulatory obligations, etc.?
Contractual Provisions (cont’d)
Warranties
• SaaS products/services
▪ Exclusions/exceptions?
▪ Sole and exclusive remedies?
• No viruses/disabling or malicious code
• Intellectual property (IP)/third-party rights
• Sunsetting
▪ Duration/advance notice
▪ Moving functionality to new/alternative product?
Contractual Provisions (cont’d)
Indemnities
• IP and other third-party rights
▪ By vendor
➢SaaS products/services, deliverables, etc.
▪ By customer
➢Customer data/content
• Violations of law and regulations
• Data security breaches
Contractual Provisions (cont’d)
Limitations of liability
• Mutual vs. unilateral
• Exclusion of indirect damages
▪ Specific exclusions/examples?
• Cap/limit on recoverable damages
▪ Total fees (or multiple of total fees) paid during:
➢Most recent 12 months vs. entire term
▪ Fixed dollar amount
▪ Specified minimum/floor?
Contractual Provisions (cont’d)
Exceptions to limitations of liability
• Applicable to both exclusion of indirect damages and cap on damages?
▪ Indemnities
▪ Willful repudiation or abandonment by vendor
▪ Gross negligence and willful misconduct
▪ Violations of law/regulations
▪ Breaches of confidentiality and security breaches
Contractual Provisions (cont’d)
Alternative caps on liability
• Breaches of confidentiality and security breaches
▪ Specified dollar amount
▪ Specified multiple of fees paid (or of standard cap)
▪ Limit of insurance (cyber-liability) coverage
➢ Vs. extent to which insurance actually pays out on customer’s claims as insurable events
▪ List of typically resulting items/damages that are not capped
Contractual Provisions (cont’d)
Required insurance coverage
• Workers’ comp./employers’ liability
• Commercial general liability
• Professional liability/errors & omissions
• Umbrella/excess liability
• Cyber-liability/technical errors & omissions
▪ Many SaaS vendors now carry
▪ Scope of coverage may vary
Contractual Provisions (cont’d)
Cyber-liability insurance coverage examples:
• Liabilities, claims, regulatory fines, penalties, punitive damages, costs of forensic investigations, and expenses arising from data breach
• Loss, disclosure, alteration, extortion, and theft of data
• Defamation and identity theft
• Internet advertising, media and content rights infringement/liability
• Network and system security failures, denial of service attacks, DNS spoofing, transmission of malicious code, unauthorized access/use
• Costs of notifying individuals and authorities of security/data breach
• Cost of credit monitoring services
• Other causally-related crisis management expenses
Contractual Provisions (cont’d)
Confidentiality
• Definition
• Meaningful obligations
▪ Downstream obligations
➢Employees, subcontractors, etc.
• Permitted uses/disclosures
• Compelled/required disclosures
▪ Notification and cooperation
• Return or destruction
Contractual Provisions (cont’d)
Other general provisions
• Assignment
• Governing law
• Choice of forum/venue
▪ Waiver of jury trial?
• Dispute resolution
▪ Informal process
▪ Mediation?
▪ Arbitration?
• Time limitations on actions
• Audit rights
Service Level Agreements
In general
• Most SaaS vendors have form service level agreements
▪ Customer may need to request
• Most SaaS vendors will resist substantive changes to their form service level agreements
• Consider relative value of remedies
Service Level Agreements (cont’d)
Common SaaS service levels
• Problem response and resolution (support)
▪ Severity levels
▪ Hours of coverage (and time zones)
➢By severity level
➢Staffed vs. on-call
▪ Absolute commitments vs. something less
▪ Escalation process
Service Level Agreements (cont’d)
Common SaaS service levels
• Availability/uptime
▪ Hours of coverage
▪ Metrics and calculation
▪ Frequency of assessment
➢Monthly, quarterly, ad hoc, etc.
▪ Required uptime percentage
▪ Exceptions
Service Level Agreements (cont’d)
Service level process/remedies
• Automated reporting/credit issuance
▪ Or only upon request?
• Service credits
▪ Percentage of fees
▪ Fixed amounts
▪ Added days of service
▪ Sole and exclusive remedies
➢Termination right for chronic/recurring failures
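The availability slide above lists the moving parts of an uptime service level (metrics and calculation, frequency of assessment, required percentage, exceptions) and this slide lists the remedies (credits as a percentage of fees, sole and exclusive remedy, termination for chronic failures). The script below, added here as an illustration and not part of the presentation or any vendor's form SLA, wires those parts together so the effect of each negotiated term can be seen on a constructed incident log: the 99.9% target, the credit tiers, the chronic-failure rule (three misses in any six consecutive months) and the convention that excluded minutes drop out of the downtime count but not the denominator are all assumptions for the example.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime

# Assumed SLA parameters (illustrative, not from the slides or any real SLA).
REQUIRED_UPTIME_PCT = 99.9
# Credit schedule: (minimum uptime % for this tier, credit as % of the monthly fee).
CREDIT_TIERS = [(99.9, 0.0), (99.0, 10.0), (95.0, 25.0), (0.0, 50.0)]
CHRONIC_MISSES = 3   # this many missed months ...
CHRONIC_WINDOW = 6   # ... within any six consecutive months triggers a termination right


@dataclass(frozen=True)
class Outage:
    """One unavailability interval. `excluded` marks events the SLA carves out
    (scheduled maintenance, customer-caused, force majeure, etc.)."""
    start: datetime
    end: datetime
    excluded: bool = False

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60.0


def minutes_in_month(year: int, month: int) -> int:
    return monthrange(year, month)[1] * 24 * 60


def monthly_uptime_pct(outages, year: int, month: int) -> float:
    """Uptime % = 100 * (1 - counted downtime / minutes in month).
    Only non-excluded outage minutes count as downtime; the denominator is the
    whole month (assumed convention: some SLAs also remove excluded minutes
    from the denominator, which is exactly the kind of wording to check)."""
    downtime = sum(o.minutes for o in outages if not o.excluded)
    return round(100.0 * (1.0 - downtime / minutes_in_month(year, month)), 3)


def service_credit(uptime_pct: float, monthly_fee: float) -> float:
    """Credit owed for the month under the tiered schedule (highest tier wins)."""
    for floor, pct in CREDIT_TIERS:
        if uptime_pct >= floor:
            return round(monthly_fee * pct / 100.0, 2)
    return 0.0  # unreachable: the last tier has a 0.0 floor


def chronic_failure(uptime_history) -> bool:
    """True once the target was missed CHRONIC_MISSES times in any
    CHRONIC_WINDOW consecutive months (ordered oldest to newest)."""
    misses = [1 if u < REQUIRED_UPTIME_PCT else 0 for u in uptime_history]
    return any(sum(misses[i:i + CHRONIC_WINDOW]) >= CHRONIC_MISSES
               for i in range(len(misses)))


# Constructed January 2019 incident log: one excluded maintenance window (180 min)
# and two counted outages totalling 100 minutes.
SAMPLE_OUTAGES = [
    Outage(datetime(2019, 1, 5, 2, 0), datetime(2019, 1, 5, 5, 0), excluded=True),
    Outage(datetime(2019, 1, 12, 14, 10), datetime(2019, 1, 12, 15, 20)),  # 70 min
    Outage(datetime(2019, 1, 27, 9, 0), datetime(2019, 1, 27, 9, 30)),     # 30 min
]


def sample_report(monthly_fee: float = 10000.0) -> dict:
    uptime = monthly_uptime_pct(SAMPLE_OUTAGES, 2019, 1)
    return {
        "uptime_pct": uptime,
        "met_sla": uptime >= REQUIRED_UPTIME_PCT,
        "credit": service_credit(uptime, monthly_fee),
    }


if __name__ == "__main__":
    print(sample_report())
    # Constructed six-month history with three misses: termination right accrues.
    print(chronic_failure([99.95, 99.8, 99.95, 99.7, 99.9, 99.85]))
```

Two things the numbers make visible: 100 minutes of counted downtime in a 31-day month is 99.776%, which misses a 99.9% target (44.6 minutes) by a wide margin, so whether the 180-minute maintenance window is excluded decides whether the customer is owed a credit at all; and a 10% credit is a weak remedy against a recurring problem, which is why the chronic-failure termination right matters when credits are the sole and exclusive remedy.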
Data-Related Issues
Privacy and security
• Some of the primary risks of SaaS
• Customer gives up control of data
▪ But still responsible/liable to third parties
• Vendor processing/storing/transferring data
▪ But possibly more expertise, personnel, resources
▪ May be directly liable to third parties in some cases
Data-Related Issues (cont’d)
Assess data risks
• What data will be processed/stored?
▪ Any personal data?
➢ Individuals from what countries/states?
▪ Will data be encrypted?
➢ At rest/in transit
• Where will data be processed/stored/transferred?
▪ Can locations be specified/limited?
• Who may access data?
▪ Encrypted/unencrypted
• Who will have what rights to data?
• When/how will data be returned or destroyed?
Data-Related Issues (cont’d)
Other issues
• Data retention
• Data backups
▪ Near real-time or less frequently?
▪ Backup storage location(s)
• Disaster recovery
▪ RPO – extent of data loss (in terms of time)
▪ RTO – recovery time
Data-Related Issues (cont’d)
Standards/audits
• Service Organization Control (SOC) reports
▪ SOC 1 – SSAE 18 – financial controls
▪ SOC 2 and SOC 3 – trust services principles
➢Security, availability, processing integrity,
confidentiality, privacy
▪ Report types
➢Type I – design of controls
➢Type II – design + effectiveness
Data-Related Issues (cont’d)
Other industry standards/certifications
• ISO 9000
➢ Quality management systems
• ISO 27001
➢ Information security management
• ISO 3402
➢ International version of SSAE 16 / SSAE 18
• Cloud Security Alliance (CSA) STAR
• HITRUST
Data-Related Issues (cont’d)
Basic data rights
• Customer must obtain third-party authorizations and consents necessary to provide data and content to vendor
• Customer retains all rights to data/content
▪ Data provided, received, or created
▪ All derivative data
➢ Summaries, extracts, metadata, etc.
• Vendor may only access/process customer data and content as necessary to fulfill contractual obligations during contract term
Data-Related Issues (cont’d)
Expanded data rights
• Vendors increasingly provide right to create and freely use and distribute aggregated or summarized data and statistics
▪ De-identification – data should not identify or provide reasonable basis for identification of individuals
▪ Limitations on uses/purposes?
▪ Consider whether legally permissible, whether have necessary consents/authorizations, and potential exposure
Data-Related Issues (cont’d)
Data analytics/big data
• Increasing awareness of value of data
• More data being collected, processed, generated
+ More points of data generation and collection (e.g., mobile devices, Internet-enabled “things,” etc.)
+ More integration and interoperation of systems
+ More combining/aggregation of data
+ More data analytical capabilities
+ More pressure (and potential opportunities) to monetize data
= More potential risk and exposure?
Data-Related Issues (cont’d)
Data and security breaches
• More frequent and more publicized
▪ Lasting reputational damage?
• Risks to consumers include:
▪ Identity theft/identity fraud
▪ Financial damage – theft, fraudulent charges
▪ Reputational damage – credit history, medical history, etc.
• Increasingly complex legal/regulatory environment
Legal and Regulatory Concerns
Different regulatory approaches/regimes
• United States
▪ Patchwork of federal and state laws/regulations
▪ Often focus on specific industries
• European Union and other jurisdictions
▪ Broader, more comprehensive approach
▪ Focus on rights/freedoms of individuals
Legal and Regulatory Concerns
U.S. federal regulatory regimes/concerns
• Gramm-Leach-Bliley
▪ Financial institutions and service providers
• HIPAA/HITECH
▪ Covered entities and business associates
➢Business associate addendums
• Sarbanes Oxley
▪ U.S. public companies
Legal and Regulatory Concerns
U.S. federal regulatory regimes/concerns
• FTC enforcement actions
▪ Unfair or deceptive trade practices
➢Website privacy policies/terms of use
• Telecommunications CPNI rules
• Export control regulations
• Government contracting regulations
▪ FedRAMP certification
Legal and Regulatory Concerns
U.S. state regulatory regimes/concerns
• Data privacy/breach notification laws
▪ Nearly every state
▪ Continuously evolving
➢Often becoming more comprehensive, strict
• Confidentiality and other laws relating to specific professions/industries/activities
➢Healthcare
Legal and Regulatory Concerns
European Union (EU)
• General Data Protection Regulation (GDPR)
▪ Became effective May 25, 2018
▪ Comprehensive scope/broadly defined terms
➢ Applies to “processing” of “personal data”
» regardless of whether processing takes place in the EU
» includes processing related to the offering of goods or services to data subjects in the EU (regardless of whether payment by data subject is required), by a controller or processor not established in the EU
Legal and Regulatory Concerns
GDPR Definitions
• ‘Personal data’ means any information relating to an identified or identifiable natural person (i.e., one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person)
• ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Legal and Regulatory Concerns
GDPR Definitions
• ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
▪ Typically, the SaaS customer
• ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
▪ Typically, the SaaS vendor
Legal and Regulatory Concerns
GDPR
• EU Privacy Shield
▪ Self-certification program for U.S. companies
▪ Replaces Safe Harbor under EU Data Protection Directive
• Data Processing Addendum (DPA)
▪ Typically includes Standard Contractual Clauses
▪ Addresses SaaS vendor’s processing of personal data
➢ Including use of subprocessors, security controls, incident management/notification, etc.
Legal and Regulatory Concerns
Legally required/compelled disclosures
• SaaS vendor should be obligated to:
▪ Provide prompt notice, unless prohibited by law
▪ Cooperate and assist in efforts to prevent or protect disclosure
➢Additional costs?
▪ Provide data, or access to data, to SaaS customer upon request
▪ Retain and preserve data
Legal and Regulatory Concerns
eDiscovery/Litigation holds
• Legally required provision of copies of data, or retention and preservation of data
▪ Required regardless of industry
▪ Failures to comply may be severe
▪ Especially applicable to emails, document collaboration, etc.
• Best if addressed in SaaS contracts
Questions
Milton L. Petersen
Partner – Information Technology Practice Group
Hunter, Maclean, Exley & Dunn, P.C.
200 East Saint Julian Street
Savannah, Georgia 31401
Direct (912) 238-2629
Cell (912) 414-1263
www.huntermaclean.com