Presentation to Association of Corporate Counsel Small Law Department Committee

Cloud Computing/Software as a Service (SaaS) Agreements – 15 Minutes On Key Issues and What Buyer's Legal Counsel Needs to Know

Eric S. Freibrun
LAW OFFICES OF ERIC S. FREIBRUN, LTD.
500 Skokie Boulevard, Suite 325
Northbrook, Illinois 60062-2887 USA
T: 847-562-0099  F: 847-562-0033
E: [email protected]
W: www.freibrun.com
LinkedIn: www.linkedin.com/in/ericfreibrun

Legal practice focused on I.T./software/cloud/Internet transactions and intellectual property protection – representing software and SaaS vendors and corporate user licensees. Over 26 years of software and I.T. transactional experience; former in-house I.P. and transactional counsel for Andersen Consulting (now Accenture). In private practice since 1992.

© 2013 Law Offices of Eric S. Freibrun, Ltd. All rights reserved. All recommendations and advice provided herein are purely informational and do not constitute legal advice.

What is "Cloud Computing," a/k/a "Software as a Service" (SaaS)?

• "Cloud Computing"; "Software as a Service"; "SaaS" – these are essentially synonymous terms.
• Author's definition: Cloud computing/SaaS refers to the use of software hosted remotely "in the cloud" by a vendor (service provider) and made available to the user via the Internet (or other network connection), involving the remote processing and storage of the user's data by the software on the vendor's (or its subcontractors') machines – and which does not require the installation of software, or the processing or storage of data, on machines within the user's own computing environment.
• More definitions:
  - Def.: "Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). The name comes from the common use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams.* Cloud computing entrusts remote services with a user's data, software and computation. End users access cloud-based applications through a web browser… or mobile app while the business software [i.e., application] and user's data are stored on servers at a remote location." Source: Wikipedia, http://en.wikipedia.org/wiki/Cloud_computing.
  - Def.: "The term "cloud computing" refers to the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing." Source: Amazon Web Services, http://aws.amazon.com/what-is-cloud-computing/.

*Cloud computing image file is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license.

© 2013 Law Offices of Eric S. Freibrun, Ltd. www.freibrun.com; 847-562-0099; [email protected]

Examples of Cloud Computing/SaaS Applications

• Common cloud/SaaS applications or "services" include many consumer and business applications you're familiar with:
  - Microsoft Hotmail (now Outlook) – email (https://login.live.com)
  - Microsoft Office 365 – familiar Microsoft Office applications to produce documents, spreadsheets, presentations (http://office.microsoft.com/en-us/)
  - Gmail – email (https://accounts.google.com/)
  - Google Docs – applications to produce documents, spreadsheets, presentations (http://docs.google.com)
  - Flickr – photo, video storage (http://www.flickr.com/)
  - Instagram – photo, video storage (http://instagram.com/#)
• And many complex and costly enterprise-level business applications you may not be familiar with, but which your company's management and IT staff will know about or need:
  - Salesforce – sales, customer relationship management (CRM) (http://www.salesforce.com)
  - Oracle Application Services – enterprise resource planning (ERP), planning and budgeting, human capital management (HR), talent management, i.e., recruiting, compensation (http://www.oracle.com/us/solutions/cloud/overview/index.html)
  - SAP – enterprise-level business analytics, sales, customer service, social collaboration, business management, business intelligence (http://www54.sap.com/solutions/tech/cloud.html)
  - SpringCM – enterprise content management (ECM) (http://www.springcm.com/)
  - EtQ – enterprise quality management, FDA compliance and environmental health and safety (http://www.etq.com/)

Why SaaS? Potentially Significant Benefits – The Corporate Computing Paradigm Has Shifted.

• Benefits of Cloud/SaaS Applications for the User*
  - Reduces the user's need for dedicated, internal IT resources – personnel and hardware. "Historically, companies were required to buy, build, and maintain their own IT infrastructure despite exponential costs. SaaS gives companies an alternative. Now, they can plug in and subscribe to services built on shared infrastructure via the Internet." Source: Salesforce, Benefits of SaaS, http://www.salesforce.com/saas/benefits-of-saas/.
  - Relatively quick deployment. There is no installation of software in the user's on-site computing environment.
  - Lower initial acquisition costs. The user does not need to pay a large up-front license fee for a traditional "perpetual, non-exclusive, non-transferable license" to the software. SaaS applications are typically licensed on a subscription basis with an annual subscription/license fee. Over time, however, subscription costs may exceed the up-front license fee required in a traditional installed software model. (This is why vendors like SaaS.)
  - No maintenance releases or "patches" to install. Updates, upgrades, enhancements, bug fixes, etc., are made across the entire code base hosted by the vendor and apply to all users. Often the subscription license fee includes "maintenance," the service which provides the above fixes and improvements. However, technical support services will frequently require an additional charge. In the traditional installed software model, combined maintenance and technical support typically costs between 15-20% of the aggregate software license fee annually.
  - Scalability. There is no need to purchase additional hardware as the user's needs grow, but the user may need to purchase additional bandwidth and storage capacity from the SaaS vendor.
  - Reliability. SaaS vendors typically will commit to a "service level agreement" providing at least 99.5% and frequently 99.9% uptime/availability (subject to force majeure, including Internet outage, and other exceptions).
  - Data security. Given the importance of users' concerns regarding the security of their data when it resides off-site (not to mention users' legal obligations with respect to confidential information, personally identifiable information (PII) and protected health information (PHI) under HIPAA), reputable SaaS vendors will frequently provide potentially more robust data security than the user would itself – this is particularly the case where the user is a smaller company without deep IT resources, staff, controls or expertise.

*See, generally, Salesforce, Benefits of SaaS, http://www.salesforce.com/saas/benefits-of-saas/; EtQ, Benefits of EtQ OnDemand SaaS, http://www.etq.com/etq-ondemand-saas/. "User" means the corporate licensee entity.

Why not SaaS? The Risks – No Gain Without Risk of Pain, and How to Address It.

• Business/Legal Risks of Cloud/SaaS Applications for the User, Cont.
• Data Security and Privacy.
  - While not limited to SaaS vendors, data breaches resulting from malicious or criminal activity (hacking or insider data theft) or negligence (employee or contractor mistakes) seem to occur with alarming frequency. See, e.g., Equifax, Other Credit Bureaus Acknowledge Data Breach, March 13, 2013, CRN, http://www.crn.com/news/security/240150683/equifax-other-credit-bureaus-acknowledge-data-breach.htm. In 2011, the average organizational cost of a data breach was $5.5 million. Source: 2011 Cost of Data Breach Study, United States, Ponemon Institute LLC, Report: March 2012, http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US. See In Defense of Data, Data Breach Trends and Stats, http://www.indefenseofdata.com/data-breach-trends-stats/.
  - Recommendation: Consider the following regarding what steps a SaaS vendor takes to protect the security, privacy and confidentiality of users' data:
    - What does the vendor's publicly posted Privacy Policy say? Frequently this will address only how the vendor handles PII, but many users' corporate data may contain PII. A vendor's failure to comply with its posted Privacy Policy is regarded by the FTC as a deceptive trade practice and is actionable under the FTC Act – the FTC does bring enforcement actions. See FTC website at http://business.ftc.gov/privacy-and-security and http://business.ftc.gov/legal-resources/29/35.
    - Are the vendor's data privacy practices certified by a trusted third party? See, e.g., TRUSTe Cloud Privacy Certification, http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-cloud.
    - Is the U.S.-based SaaS vendor U.S.-EU Safe Harbor compliant with respect to PII relating to citizens of the EU? See U.S. Dep't. of Commerce Export.gov site, http://export.gov/safeharbor/eu/eg_main_018476.asp.
    - What does the vendor publicly claim regarding its data security practices, e.g., disaster recovery practices? Has it been audited and determined to be Statement on Standards for Attestation Engagements (SSAE) No. 16 (successor to SAS 70) and Service Organization Control (SOC) (Type 2) compliant? See, e.g., AICPA, Service Organization Control (SOC) Reports, http://ssae16.com/. Many vendors will advertise this on their websites.
• Data Security and Privacy, cont.
  - Recommendation: Consider the following regarding what steps a SaaS vendor takes to protect the security and privacy of users' data, cont.:
    - Who is the SaaS vendor's third party hosting provider? What security commitments does the hosting provider make? Is it a big player such as Amazon Web Services (AWS) with reams of published information regarding its security practices (http://aws.amazon.com/security/), Equinix (http://www.equinix.com/) or Rackspace (http://go.rackspace.com/CloudPlatforms.html)? Or will your company's data, PHI or PII reside on a server in the basement of the house of the SaaS vendor's president? (I know of such a situation.)
    - Will your company's data be processed only in the U.S.? If not, why not? Where?
    - Will your data be encrypted at rest or only during transmission? At rest is better.
    - What physical premises security measures do the SaaS vendor and its third party hosting provider employ? Your data is only as safe as the weakest link in the processing chain.
• Contractual Impediments to Addressing the Risk of Data Loss in the SaaS Model, and Recommendations
  - Given the potential risk of intrusion, disclosure, loss or damage to your company's critical data, you'll want to try to hold the SaaS vendor contractually liable for consequential damages if the worst happens – your data has been hacked or disclosed and you must notify individuals whose PII was compromised, or your company's data has simply vanished or been corrupted. SaaS vendors will not agree to accept liability for consequential damages for this risk. (Would you?) They weren't subject to it under the traditional software licensing model, and they won't accept it under the SaaS model simply because they now hold their users' data – especially when the user is reaping significant up-front cost savings by moving to the SaaS model.
  - Recommendation: Try to ensure that your data falls within the contractual definition of confidential information in the contract and attempt to carve out an exception from the consequential damages disclaimer for at least grossly negligent or intentional unauthorized disclosure of confidential information.
• How to protect your company's data?
  - Recommendation: Ensure that the contract provides for:
    - Readily accessible and regular data backups;
    - At-rest encryption of data and secure encrypted transmission of data (the latter should be a given);
    - The right to receive a copy of all of your data in an agreed upon format upon termination and upon request.
• Availability Of The Hosted Application ("Uptime" Commitment)
  - If a critical SaaS application is unavailable, your company's operations can be impaired. The SaaS vendor should agree and warrant to make the application available and accessible at least 99.5% of the time 24x7x365, and most do. Expect this commitment to be subject to routine maintenance outages (only during non-peak usage hours) and events outside the vendor's control. The contract should obligate the vendor to provide fee credits in the event of failures to meet this commitment. Include a "death by a thousand cuts" termination right in the contract – e.g., if the vendor fails to meet the availability commitment on three separate occasions during a two month period, this should constitute a material breach and entitle the user to terminate and receive at least a prorated refund of the unused fees paid in advance.
  - Examples:
    - Salesforce Master Subscription Agreement (http://www.sfdcstatic.com/assets/pdf/misc/salesforce_MSA.pdf): "4.1. Our Responsibilities. We shall: (i) provide Our basic support for the Purchased Services to You at no additional charge, and/or upgraded support if purchased separately, (ii) use commercially reasonable efforts to make the Purchased Services available 24 hours a day, 7 days a week, except for…: [planned downtime and circumstances beyond its reasonable control, including force majeure]."
    - SAP General Terms and Conditions for Cloud Services (US, English) v.8-2012 (http://www.sap.com/corporate-en/our-company/agreements/north-america/agreements.epx): "3.3 SAP warrants at least ninety-nine percent (99%) System Availability over any calendar month. Should SAP fail to achieve ninety-nine percent (99%) System Availability over a calendar month, Customer shall have the right to receive a credit equal to two percent (2%) of its subscription fees for the Service for that month, for each one percent (1%) (or portion thereof) by which SAP fails to achieve such level, up to one hundred percent (100%) of the fees for such month. This is Customer's sole and exclusive remedy for any breach of this service level warranty;…"
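The uptime commitment, the fee credit and the "death by a thousand cuts" clause discussed above can all be checked against an outage log, and doing so exposes what the contract must define. The following is an added example, not code from the presentation or from Salesforce, SAP or any other vendor named in it. The outage records are constructed; the 99.5% target is the one the slide recommends; the credit formula follows the shape of the quoted SAP clause (2% of the month's fees for each percentage point or portion thereof below the target, capped at 100%); and the readings of "occasion" as one unexcused outage incident and of "two month period" as a 61-day window are assumptions made here because the clause as drafted does not define either term.

```python
# Added example (not from the presentation or any vendor's contract): check a
# SaaS "uptime" commitment, an SAP-style fee credit and a "three occasions in two
# months" termination trigger against constructed outage records.
import calendar
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool = False        # routine maintenance window: excused by contract
    force_majeure: bool = False  # event outside the vendor's control: excused


def _excused(o: Outage) -> bool:
    return o.planned or o.force_majeure


def monthly_availability(outages, year, month):
    """Percent availability for one calendar month, counting only outages the
    contract does not excuse. Each outage is clipped to the month boundaries."""
    month_start = datetime(year, month, 1)
    month_end = month_start + timedelta(days=calendar.monthrange(year, month)[1])
    total = (month_end - month_start).total_seconds()
    down = 0.0
    for o in outages:
        if _excused(o):
            continue
        s, e = max(o.start, month_start), min(o.end, month_end)
        if e > s:
            down += (e - s).total_seconds()
    return 100.0 * (1.0 - down / total)


def fee_credit_percent(availability, target=99.0, credit_per_point=2.0, cap=100.0):
    """Credit as a percentage of the month's fees, in the shape of the SAP clause
    quoted above: credit_per_point for each full or partial percentage point below
    target, capped at cap. Defaults are the SAP figures (99% / 2% / 100%)."""
    if availability >= target:
        return 0.0
    # "or portion thereof": any fraction of a point counts as a whole point. The
    # small epsilon keeps float noise such as 1.0000000002 from becoming 2 points.
    points = math.ceil(target - availability - 1e-9)
    return min(cap, credit_per_point * points)


def termination_triggered(outages, occasions=3, window_days=61):
    """'Three separate occasions during a two month period'. Assumption made here:
    every unexcused outage incident is one occasion and a two-month period is any
    61-day window. The contract itself should define both terms."""
    starts = sorted(o.start for o in outages if not _excused(o))
    window = timedelta(days=window_days)
    for i in range(len(starts) - occasions + 1):
        if starts[i + occasions - 1] - starts[i] <= window:
            return True
    return False


# Constructed sample outage log for March-April 2013 (not real vendor data).
OUTAGES = [
    Outage(datetime(2013, 3, 3, 2, 0), datetime(2013, 3, 3, 6, 0)),                         # unplanned, 240 min
    Outage(datetime(2013, 3, 10, 1, 0), datetime(2013, 3, 10, 3, 0), planned=True),         # maintenance window
    Outage(datetime(2013, 3, 20, 14, 0), datetime(2013, 3, 20, 14, 30)),                    # unplanned, 30 min
    Outage(datetime(2013, 3, 25, 8, 0), datetime(2013, 3, 25, 12, 0), force_majeure=True),  # upstream Internet outage
    Outage(datetime(2013, 4, 5, 9, 0), datetime(2013, 4, 5, 9, 45)),                        # unplanned, 45 min
]


def march_2013_report():
    """Availability and credits for March 2013 under the slide's recommended 99.5%
    target and under SAP's 99% warranty, computed from the same outage records."""
    avail = monthly_availability(OUTAGES, 2013, 3)
    return {
        "availability": avail,
        "credit_at_99_5": fee_credit_percent(avail, target=99.5),
        "credit_at_99_0": fee_credit_percent(avail, target=99.0),
        "termination": termination_triggered(OUTAGES),
    }


if __name__ == "__main__":
    for key, value in march_2013_report().items():
        print(f"{key}: {value}")
```

Two things the run makes visible. The same March (270 unexcused minutes, about 99.40% availability) earns a 2% credit under the 99.5% target the slide recommends and no credit at all under SAP's 99% warranty, so the target figure matters as much as the credit rate. And the termination trigger only fires once the April incident is added, which depends entirely on how "occasion" and the measurement window are defined; the contract should also say whose outage log (the vendor's status reports or the user's own monitoring) is the one that counts.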
Note: The availability commitment is separate from the hosted software application (or service) performance warranty.

• Application Performance Warranty; Limitation of Liability
  - SaaS hosted applications are typically warranted to perform in all material respects in accordance with their applicable specifications or documentation, sometimes without limitation as to time. However, the remedy for breach will typically be quite limited – the user can terminate the agreement if application performance does not meet the warranty and the vendor cannot correct it, entitling the user to receive a prorated refund of the unused portion of the subscription license fee for the remainder of the (typically annual) term or service period. The SaaS vendor's overall liability will typically be limited to the amount of fees paid to it during the 12 month period preceding the event giving rise to the claim. See, e.g., Oracle Cloud Services Agreement, http://www.oracle.com/us/corporate/contracts/saas-online-csa-us-1894130.pdf.
  - Recommendation: Users should try to obtain a refund right to at least the entire service period's fees, if not more, given the hardship and expense associated with researching and selecting an alternative vendor. In addition, users should seek to expand the vendor's overall maximum liability to the total amount received from the user over the period of the contract, as is frequently the case in a traditional installed software license agreement.
• Technical Support
  - SaaS vendors will typically offer robust technical support at an additional charge.
  - Recommendation: Make sure the "Severity Level" or "Error Level" of application failures or problems and the associated required response and resolution times become part of the agreement. Example: See, e.g., Oracle Software as a Service Support Policies, page 3, http://www.oracle.com/us/support/library/saas-support-policies-069195.pdf. Oracle will use reasonable efforts to respond to Severity 1 problems, i.e., those involving data corruption, unavailability of critical functionality, unacceptable or indefinite delays in system response or system crashes, within 1 hour. However, it makes no response time commitment with respect to Severity 2 problems involving "severe loss of service."

SaaS is the new Software Delivery Model

• Conclusion
  - You will encounter SaaS Agreements and be expected to address data security and privacy issues* and the risks associated with having your company's critical data processed and stored remotely.
  - You will not be able to shift all of those risks to the SaaS vendor (of course, the extent to which you can will depend on the parties' respective bargaining power).
  - Cyber risk insurance will be available to both parties to cover risks they are not able to allocate contractually to the other side. See, e.g., Data Breach Insurance offered by The Hartford, http://www.thehartford.com/data-breach-insurance/.
  - A clear understanding of the technology involved in SaaS transactions is necessary to properly address the risks contractually.
  - Seek the assistance of legal counsel with experience in this area who knows the issues from both the user's and vendor's perspective and who knows the range of reasonable compromises typically made by both parties in order to reach agreement.

*More stringent regulations protecting PII are coming, both in the U.S. and the EU. If your company is in healthcare and handles protected health information (PHI), new revisions to HIPAA and the HITECH Act recently published have a compliance deadline of 9/23/13.

Thank you.