The document discusses various risks and considerations for negotiating data and technology contracts. It covers indemnification provisions, confidentiality obligations, security requirements, limitations of liability, export controls, open source software risks, and patent licensing issues. The parties should address allocation of risks, third party intellectual property claims, data protection policies, liability caps, exceptions for gross negligence, compliance with export laws, risks to intellectual property and revenue from open source software, and product liability insurance requirements.
1. Navigating Risk In Data & Technology Transactions
John C. Yates
March 27 – 28, 2014
Atlanta, Georgia
2. Negotiating Risk Management Terms For Data & Technology Contracts/Overview
The parties in data and technology transactions typically allocate risks
contractually through:
– Disclaimers and representations and warranties
– Indemnification and limitation of liability provisions
3. Indemnities
1. A licensee in data and technology transactions should seek to include an
indemnification right for third-party intellectual property (IP) infringement claims
so long as licensee stays within the scope of its permitted use of a license grant.
2. Alternatively, a licensor should ensure that its obligation to indemnify a licensee
for third-party IP claims is appropriately narrowed to ensure that the licensor is
not responsible for third-party IP claims that result from licensee’s improper
modification or inclusion of IP that creates an infringement.
4. Confidentiality
1. Where the data licensee may share its own confidential information with the
licensor, mutual confidentiality obligations may be appropriate.
2. The parties should consider:
a. The time limit on the confidentiality obligations.
b. Whether to include common exceptions from the confidentiality requirements for information
that is:
i. Or becomes commonly known;
ii. In the possession of the receiving party before disclosure;
iii. Separately received from a third party; or
iv. Independently developed by the receiving party.
c. Which party has the burden of proof for showing that the confidentiality exception applies.
d. The treatment of legally compelled disclosure, including an obligation by the receiving party
to notify the disclosing party of such a request and the receiving party’s cooperation in
helping the disclosing party obtain a protective order.
5. Security
1. Good data protection requires the participation and coordination of
management and staff at all levels of a business. It often falls to the legal
department, working closely with the information technology (IT) function and
with the support of senior executives, to lead the company-wide information
management and protection program.
2. Effective information and data security depends on developing comprehensive
policies and procedures, and applying them consistently. In this regard, it is
especially important to have in place:
a. A uniform confidentiality and proprietary rights agreement that must be signed
by all employees as a condition of employment.
b. An IT and communications systems policy that governs employees' appropriate
use of these company resources, in the interest of protecting confidential
information.
6. Security
3. Further, the agreement may specify:
a. The types of controls and data security to be used by the licensee including, for a
service provider, the provider's data center and service network.
b. The obligation to be and remain in compliance with applicable data security laws and
regulations and, if applicable, professional obligations affecting persons with data in
particular industries and professions, such as attorneys, healthcare providers and
securities brokers and dealers.
c. Procedures and obligations for data security breaches and related investigations,
including obligations to notify the licensor of any detected security breaches or
unauthorized access and to provide assistance in investigating security breaches and
obtaining the return of misappropriated data and other appropriate remedies.
d. The parties' data transfer, communications, and encryption protocols.
7. Limitations Of Liability
1. Each party is likely to seek limitations on liability in the form of a liability cap (i.e.,
the amount of fees paid to it under the agreement).
2. Each party is also likely to seek an exclusion of damages in connection with lost
data, lost profits, loss of reputation, and any indirect, special, punitive or
consequential damages.
3. Certain exceptions to these limitations may include:
a. Indemnification obligations (particularly for IP infringement); breaches of confidentiality,
privacy or data security; violations of applicable law; damage to tangible property;
personal injury or death; and gross negligence and willful misconduct (for which
damages may not be limited in certain states).
4. A party’s ability to carve out the foregoing exceptions typically depends on the
parties' relative bargaining power.
8. Export
1. The Department of Commerce is authorized to regulate the export or re-export of
U.S.-origin dual-use goods, software, and technology.
2. Perform a risk assessment. Evaluate compliance issues, including the degree to which
the company’s employees conduct business with foreign customers, the company’s
use of third-party agents and intermediaries, the regulatory environment of the regions
where the company operates, and the effects of any recent business developments.
3. Focus on countries of concern. Review your customers and the nature of transactions
with them so you can gain a better understanding of where your company’s compliance
focus should be placed.
4. Identify at-risk business groups. New components of U.S. export controls and
sanctions laws target insurance companies, financial institutions,
IT companies, and other businesses that traditionally have not had
a significant risk exposure to export control issues.
9. Open Source
1. Risk to intellectual property – using open source software (“OSS”) may cause
other IP rights in a company’s proprietary software to enter the public domain if
not integrated properly.
2. Risk to future revenue – integration of OSS into a company’s developing
software may dilute the future value of the software.
3. Acquisition risk – without performing adequate due diligence, companies risk
acquiring software that has been diluted by the inclusion of OSS.
4. Competitive risk – incorporating OSS into a company’s proprietary software
and then distributing the software might result in the software becoming part of
the public domain.
10. Patent
1. If issues concerning the validity or scope of a patent increase the risk for the licensee, the
licensee can request the following protective measures: (a) reduce royalty or other
payments, (b) obtain a specific indemnification for the issue, or (c) forgo the license
altogether.
2. If licensors are unwilling to provide a warranty for non-infringement in connection with
licensee’s activities, the parties may craft a representation and warranty regarding the
licensor's knowledge of (a) any patent blocking the practice of the licensed patent and (b)
any pending or threatened allegation that a licensed product infringes any third-party patent.
3. A licensor often seeks to have the licensee indemnify the licensor for third-party product
liability claims relating to the licensee's commercialization of the licensed patent.
4. To back up the indemnity, the licensor may want to include a provision requiring the
licensee to maintain insurance policies to cover third-party claims arising from defective
licensed products the licensee distributed as well as the licensee's indemnity obligations
regarding any product liability claim.