The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Presenting a live 90-minute webinar with interactive Q&A
SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement Models, Negotiating Key Terms, and Minimizing Contract Disputes
WEDNESDAY, MARCH 9, 2016
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Megan Smith Demicco, Kilpatrick Townsend & Stockton, Atlanta
Monique McNeill, Commercial Counsel, Novelis, Atlanta
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-961-8499 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can
address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 35.
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
© 2016 Kilpatrick Townsend
Negotiating the Cloud: Best Practices in Cloud Agreement Negotiations
Agenda
Negotiating the Cloud
Service Levels and Credits
Security & Confidentiality
Indemnities
Limitation of Liability
Access to Data & Return after Termination
Intellectual Property
Insurance as Risk Mitigation
Other considerations
6
What is Cloud Computing?
7
What is Cloud Computing?
• Private Cloud
– Single tenant, may be hosted internally
or externally by a third party; allows a
greater degree of control of data and
systems
• Hybrid Cloud
– Use of public cloud, while keeping
other IT-resources on-premise or in a
private cloud
• Public Cloud
– For use by the general public, not a
specific entity
– Multi-tenant, massive scale, pay for
use, multi-datacenter redundancy
8
Common Service Delivery Models
SaaS: Software as a Service
– Consumer uses provider’s applications running on provider's cloud infrastructure.
– Examples: Google Docs, Google Gmail, Salesforce CRM, Facebook, Groupon, Oracle
PaaS: Platform as a Service
– Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.
– Examples: Microsoft Azure, SpringSource, Google App Engine
IaaS: Infrastructure as a Service
– Consumer can provision computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications. Allows for dynamic scaling.
– Examples: Amazon Web Services, RackSpace, IBM, VMware
9
Common Service Delivery Models
10
Negotiating the Cloud:
Service Levels and Credits
11
Informed Tradeoffs
• How critical is the cloud service?
• How confidential is the data?
• What service levels are being offered?
• Can the provider meet your company’s expectations?
• What are the economics of the transaction?
• What is the relative bargaining position of the parties?
• Are other alternatives available?
12
Transaction Risk Profile
(Chart: risk plotted against service criticality / data sensitivity, rising from Medium for a “Nice to have” business tool to High for a mission critical application.)
13
Service Definition & Quality of Service
• Definition of “Services” should permit customer the full use of the services and avoid surprise charges
• Interoperability & configuration, not customization
– Cloud providers generally limit customizations so Provider can more efficiently manage Services and provide scalable solution
– Identify upfront if any customizations will be needed
14
Service Definition & Quality of Service
• Ability to update service specifications
– Provider-favorable language: “The Service descriptions are available at www.example.com. Vendor may change or otherwise update the Service descriptions at its discretion (including, without limitation, to reflect changes in technology, industry practices, patterns of system use, and availability of third party content).”
– Customer-protective language: “The Service descriptions are available at www.example.com attached to the applicable order document. Provider may change or otherwise update the Service descriptions at its discretion (including, without limitation, to reflect changes in technology, industry practices, patterns of system use, and availability of third party content); provided, however, that any such changes or updates will not result in a [material] reduction in the level of functionality, performance, security or availability of the Service.”
15
Service Levels in the Cloud
• Why have SLAs?
• What to measure?
• When to measure?
• Where to measure?
• How to measure actual performance?
• Who will measure/report?
16
SLA Metrics
SLA Description                               | SLA Metric | Measurement Window | SLA Credit (% of Monthly Charges)
Availability                                  | 99.999%    | Daily/Monthly      | 10%
Severity 1 Incident Resolution within 2 hours | 99.000%    | Monthly            | 10%
• Availability
• Scalability
• Response times
• Problem escalation/resolution
• Carve-outs
• Monitoring/root cause analysis
• Disaster recovery – RTOs / RPOs
17
SLA Default – Remedies
• SLA Credits
– At risk amount
– Credited towards next month’s invoice
– Right to set off against fees
– Sole remedy
• Right to Terminate
– For repeated failures of the same or different SLAs
– No termination fee
– No waiting or cure period
18
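The SLA table and the remedies slide can be checked numerically before the terms are signed: how many minutes of outage a 99.999% target actually tolerates, what a missed month costs the provider in credits, how the "at risk amount" caps that credit, and when repeated misses open the termination right. The script below is an added example written for this page, not material from the presenters or the slides; the 30-day window, the 15% at-risk cap, the three-miss termination threshold and the sample downtime and incident counts are all constructed assumptions.

```python
"""Worked SLA evaluation: availability and incident-resolution metrics,
credits as a percentage of monthly charges, an at-risk cap, and a
repeated-failure termination trigger.  All numbers are constructed for
illustration; nothing here is a provider's actual SLA calculation."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SlaTerm:
    name: str          # SLA description, as it would appear in the contract
    target_pct: float  # SLA metric, e.g. 99.999 for availability
    credit_pct: float  # SLA credit as % of monthly charges when missed


# Constructed terms mirroring the two rows of the sample SLA table above.
TERMS = (
    SlaTerm("Availability", 99.999, 10.0),
    SlaTerm("Severity 1 resolution within 2 hours", 99.0, 10.0),
)


def downtime_budget_minutes(target_pct: float, window_minutes: float) -> float:
    """Minutes of outage a target tolerates over the window.  This is the
    number to negotiate around: 99.9% and 99.999% differ by a factor of 100."""
    return window_minutes * (100.0 - target_pct) / 100.0


def availability_pct(window_minutes: float, downtime_minutes: float,
                     excluded_minutes: float = 0.0) -> float:
    """Achieved availability.  `excluded_minutes` models carve-outs such as
    scheduled maintenance that the contract removes from the window."""
    measured = window_minutes - excluded_minutes
    if measured <= 0:
        raise ValueError("nothing left to measure after carve-outs")
    return 100.0 * (measured - downtime_minutes) / measured


def resolution_pct(incidents: int, resolved_within_target: int) -> float:
    """Share of Severity 1 incidents resolved within the contractual time.
    With no incidents in the window the SLA is trivially met."""
    if incidents == 0:
        return 100.0
    return 100.0 * resolved_within_target / incidents


def evaluate_month(monthly_charges: float, achieved: dict[str, float],
                   terms=TERMS, at_risk_pct: float = 15.0):
    """Return (missed SLA names, credit due).  Credits accumulate per missed
    SLA but are capped at the at-risk amount (assumed here to be 15% of
    monthly charges; the deck leaves that figure to negotiation)."""
    missed = [t.name for t in terms if achieved[t.name] < t.target_pct]
    raw_credit = sum(monthly_charges * t.credit_pct / 100.0
                     for t in terms if t.name in missed)
    cap = monthly_charges * at_risk_pct / 100.0
    return missed, min(raw_credit, cap)


def termination_triggered(history: list[list[str]], window_months: int = 3,
                          max_misses: int = 3) -> bool:
    """Repeated failures of the same or different SLAs: count every miss in
    the most recent `window_months` reports; reaching `max_misses` gives the
    customer a termination right.  Both thresholds are assumptions."""
    recent = history[-window_months:]
    return sum(len(month) for month in recent) >= max_misses


if __name__ == "__main__":
    month = 30 * 24 * 60  # 43,200 minutes in an assumed 30-day window
    print(f"99.999% tolerates {downtime_budget_minutes(99.999, month):.3f} min/month")
    achieved = {  # constructed monthly results
        "Availability": availability_pct(month, downtime_minutes=5),
        "Severity 1 resolution within 2 hours": resolution_pct(10, 9),
    }
    missed, credit = evaluate_month(10_000.0, achieved)
    print("missed:", missed, "credit due:", credit)
    print("terminate?", termination_triggered([["Availability"], [], missed]))
```

Two points the numbers make: a 99.999% monthly target leaves well under a minute of outage, so a single five-minute incident misses it, and a "Daily" measurement window would treat that same incident as one bad day rather than a failed month, which is why the window column matters as much as the percentage. The at-risk cap is what turns "sole remedy" into a real ceiling on the provider's exposure, so the customer should know what that ceiling is in dollars.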
Securing the Cloud:
Security and Confidentiality
19
Stormy Times in Cloud & Data Security
20
News Flash
• “All systems are vulnerable, most systems are infected.” – Jon Neiditz, Security / Privacy / Big Data Specialist (and partner at Kilpatrick Townsend).
• If your contract still requires a SAS 70, you need to update your contract!
21
Data Security – Third Party Service Provider Contracts
Will your data be secure?
1. Agreement should address security practices for data;
2. Compliance with security laws (e.g., Massachusetts’ security regulations, 201 CMR 17.00-17.05) and private standards (PCI DSS), if applicable;
3. Company-specific, independent security standards are preferable to “industry standards”; and
4. Require that security practices be regularly updated and audited (e.g., SOC 2, Type II, SSAE 16, ISO 27001).
22
Information Privacy
Agreement should cover:
1. Requirement to maintain all legal, technical, physical and procedural requirements of applicable privacy laws;
2. Identity Theft/State and Federal Security Breach Notice Laws;
3. Address user privacy and provider’s rights to retain and use data; and
4. Notice of requests for data (e.g., subpoenas, government inquiries).
23
Include a Security Breach Provision
• Include a security breach provision that requires from the provider:
– Immediate (no more than 5 business days) notification of a breach (and ideally a suspected or attempted security breach)
– Cooperation with the investigation including providing access to auditors / forensic investigators (especially if it’s a credit card breach or your regulator needs access)
– Full, uncapped (if possible) liability for all costs arising from a security breach including the costs of providing notice, credit monitoring services, identity restoration services, fraud insurance, the establishment of a call center to respond to customer inquiries, forensic investigations and attorneys’ fees. For credit card breaches, should also include costs relating to reissuance of credit cards, charges for operating expenses of the card brands, fraud recovery costs assessed by the card brands, fines and penalties imposed by the card brands under the PCI Data Security Standards
– Customer control over content and timing of notifications
24
Security Audits – Get them if you can
• SSAE 16 – SOC 1 (Type 1 or Type 2): reports on controls over financial reporting for Sarbanes-Oxley compliance, or a SOC 2 on security, privacy, availability, processing integrity and confidentiality.
• ISO 27001: int’l standard - certification for management frameworks for security. (ISO 27017 is new cloud-specific standard)
• PCI-DSS (most current version): Security of payment networks.
25
Indemnities in the Cloud
26
Indemnification Struggles
• Indemnity: current practice treats it as a special remedy that should be reserved for special risks, such as IP infringement and security violations.
– Provider typically indemnifies if its technology infringes third party IP rights
– Customer typically indemnifies if it loads infringing content onto provider’s systems or uses provider’s systems to violate privacy rights
27
Limitations of Liability in the Cloud
28
Cloud is a Battleground: Limitations & Exceptions
• Using the business model (one to many) as justification, cloud agreements typically offer very limited liability for the provider.
• Providers are less likely to agree to exceptions to the cap for breaches of confidentiality and security due to the increasing costs of security breaches.
• Liability for security breaches will typically be limited to provider’s breach of its security obligations or a breach solely caused by provider.
• Customer instead should push to have the provider liable for all security breaches unless the Customer has caused the breach.
29
Exceptions to Request
• If possible, ask for unlimited liability for the following:
– Indemnification
– Breaches of confidentiality and/or security
– Violation of law
– Gross negligence, willful / intentional misconduct and/or fraud
• If the provider won’t agree to unlimited liability, propose tiered caps (lower cap of the greater of $X or 12 to 24 months of fees for most claims, higher cap of $5X for confidentiality / security breaches). Include a reasonable “floor” for damages.
• Another way to mitigate risk is to choose a cloud provider with a good track record and a strong reputation to protect.
30
Access to Data & Return After
Termination
31
Contracting in the Cloud
32
Cloud Data – Ownership & Use
• Definition of “Customer Data”
– Narrow form: “means any content, materials, data and information that Customer or its Authorized Users enter into the Service”
– Broad form: “means all data and/or information provided or submitted by or on behalf of Customer, all data and/or information stored, recorded, processed, created, derived or generated by the Vendor as a result of and/or as part of the Service, regardless of whether considered Confidential Information”
33
Data in the Cloud
• Data Access, Storage and Return
– Who can access your data?
– How and where is it stored?
– How do I get my data back and for how long?
– What happens if the cloud vendor goes out of business or files for bankruptcy?
– How do I ensure compliance with our record retention policy?
34
Exit Strategy in the Cloud
• Termination
– Customer ability to terminate
– Provider ability to suspend or interrupt services
– Escrow of cloud application
– Termination charges
• Termination Assistance
– Scope of termination assistance
– Post-termination rights
– Time frame to retrieve data
– Price protection
35
Intellectual Property in the Cloud
36
Risk of IP Infringement
• No “IP infringement” rep and warranty
• Indemnity for 3rd party IP infringement claims
• Exclusions to IP infringement indemnity
• Provider may seek customer indemnity for customer data/content
• Shifting liability depending on how much the cloud is “customized” for a customer
37
Risk of loss of trade secret status
• Trade secrets must be subject to “reasonable efforts” to maintain secrecy
• Heightened risk of unauthorized or inadvertent disclosure
• Subcontracting
• Use of aggregated data
38
Work Product – Ownership & Use
• Unless specific, unique deliverable / innovation developed for customer, cloud provider typically retains ownership of all IP
• Who should own custom work product?
• In joint developments, ownership can be tricky
• Ownership of Customer feedback
39
Insurance as Risk Mitigation in the Cloud
40
Cyber Insurance Coverage – NEWS FLASH
• You and your providers are most likely underinsured when it comes to data breach / cyber coverage under traditional liability policies.
• Due to growing concerns about the magnitude & frequency of breaches, your CGL policy will likely no longer cover data-related losses, because carriers are now adopting standard-form endorsements written by the Insurance Services Office (ISO) in May 2014.
• The new endorsements issued by ISO exclude coverage for compromised data itself, but also for the costs of responding to and remediating the data breach or violation.
41
Specialty Cyber Insurance Should Cover All Types of Cyber Risk, But May Not
(Figure: four illustrated risk categories: The “Oops”, The “Hacker”, The “Ghost in the Machine”, The “Blogger”.)
• Now carriers issue specialty “cyber” coverage, but there is no “standard” – examine your policies closely to see if all risks are covered.
42
Cyber Insurance - Top Ten Questions
1. Do you have concurrency/gaps between your cyber policy, your crime policies, and/or other policies?
2. Are your first-party loss sub-limits reasonable in light of your size/risk?
3. Does your policy cover third party provider systems/negligence?
4. Does your policy cover all potential first-party losses, or is it “opt-in”?
5. Is there an “acts of foreign governments” exclusion?
6. Is there an exclusion for claims alleging violations of consumer protection laws?
43
Cyber Insurance - Top Ten Questions
7. Is there an exclusion for “any malfunction or error in programming or error or omission in processing” or for losses arising from “mechanical failure,” “error in design,” or “gradual deterioration of a computer system”?
8. Is there an exclusion for an insured’s failure to follow minimum required practices, such as the failure of the insured to continuously implement the procedures and risk controls identified in the application for insurance and related materials?
9. To what extent does the policy cover regulatory risks?
10. Does the carrier mandate its choice of counsel, forensic experts, and crisis management firms?
44
Other Contracting Considerations
45
Other Contracting Considerations
Warranties
Performance
Personnel
No disabling devices
46
Other Considerations
Testing
• Ensure the service works in accordance with its specifications
• Ensure the system is properly implemented and integrates with other systems
• Testing of updates
• Test environment
47
Other Considerations
Right to Suspend
• Prohibit the cloud provider’s right to suspend, or restrict it to failure to pay
• Require prior notice and opportunity to cure
• Require that provider restore services within a certain number of days after payment
Assignment
• Consider the risks associated with another entity obtaining control of your cloud provider
Subcontracting
• Are there any restrictions to the provider’s ability to subcontract?
• Ensure the cloud provider is fully liable for the performance of its subcontractors
48
Are You Ready?
49
Questions?
Megan Demicco
Kilpatrick Townsend
(404) 532-6969
Atlanta, GA
Monique McNeill
Novelis Inc.
[email protected] 404-760-6492
Atlanta, GA
Biographies
51
Megan Demicco
Megan Demicco focuses her practice in the areas of outsourcing agreements, technology licensing, and other complex commercial transactions.
Ms. Demicco regularly assists customers with domestic and offshore technology and business process outsourcing arrangements, and advises on and negotiates transactions relating to software licensing and support, cloud computing “as a service” transactions (SaaS, IaaS, PaaS), electronic commerce arrangements, and other similar complex commercial transactions.
Prior to joining Kilpatrick Townsend, Ms. Demicco was Assistant General Counsel at the Texas Department of Information Resources, where she served as the primary state attorney for Texas.gov, the state’s eGovernment portal, a public-private partnership offering more than 1,000 online services.
Associate [email protected]
Atlanta
(404) 532-6969
52
Monique McNeill
Monique McNeill joined Novelis in May 2011 as Commercial Counsel.
Ms. McNeill negotiates a wide range of commercial and IT agreements including customer supply agreements, procurement contracts, technology licensing, and professional services agreements. She also regularly provides legal counsel, advice and guidance on complex commercial arrangements, global technology transactions, general corporate matters and strategic initiatives.
Prior to joining Novelis, Ms. McNeill served as Associate Counsel at Aflac Incorporated where she focused on the negotiation of a variety of IT commercial and corporate transactions.
53