Information technology equipment and services are rapidly becoming critical to every aspect of a public entity’s daily operation, from providing free Wi-Fi in downtown areas to upgrading a police department’s dispatch system, as well as creating large-scale systems for public records data retention and enhancing a city’s fiber-optic network to provide ultra-high-speed internet for businesses.
Public scrutiny of an agency’s purchase and implementation of IT equipment and services is very high because of the costs and public interest, and members of the community often directly use the equipment and services (such as on-line communications with municipal entities) or it directly affects their health and safety (such as in-vehicle communications systems for fire protection services).
This presentation is designed to help public entities avoid the potential pitfalls in IT agreements and incorporate best practices when negotiating and managing IT contracts. Meyers Nave Principal Richard Pio Roda provides real-life examples of a variety of IT equipment and services agreements that he has negotiated on behalf of cities and special districts. He explains the primary areas of contractual risk and shares advice on best practices for addressing each one. Topics he covers include:
- Key contractual differences and risks between purchasing, leasing and licensing
- Special considerations for Software as a Service (SaaS) and Infrastructure as a Service (IaaS)
- Long-term service agreements – performance guarantees, prolonged start-up risks, warranties vs. scheduled maintenance vs. extra work, termination damages
- New terms and conditions in software procurement and computer system integration services contracts that improve the security and protection of the public entity
Overview
• Why California public agencies should care
• Cloud Computing primer
• Key contract negotiating points
Why California Public Agencies Should Care
California Civil Code sec. 1798.29
• Breach disclosure requirements
– “Notice of Data Breach”
– “What Happened”
– “What Information Was Involved”
– “What We Are Doing”
– “What You Can Do”
– “For More Information”
• Over 500 Californians affected: notify the Attorney General
• $2,500 liquidated damages (LDs) in addition to damages and injunctions
What Kinds of Data are you Holding?
• Personal Information
– SSNs (Social Security numbers)
– CDLs (California driver’s licenses)
– Credit or Debit card numbers
– Medical information
– Health Insurance information
Let’s Break it Down Even More
• Do you accept credit or debit cards for bill payments?
• Are you vetting cannabis operators?
– Are you auditing cannabis dispensary finances and operations to ensure tax payments?
• Did you create an app for code enforcement complaints?
SaaS … PaaS … IaaS
• Software as a Service (SaaS) = End Users
– CRM, Social Media, Email, Virtual Desktop
• Platform as a Service (PaaS) = App Developers
– Web Servers, Databases, Development Tools
• Infrastructure as a Service (IaaS) = Networking
– Storage, Virtual Machines, Servers
Your SaaS Vendor Manages …
• Applications
• Data
• Runtime
• Middleware
• Servers
• Storage
• Networking
• OS
Private Cloud Computing
Hosted at a Service Provider Site
Supports One Client/Customer
Does Not Utilize Shared Infrastructure
Connectivity Over Private Network/Fiber/Internet
Provides High Level of Security
Public Cloud Computing
Hosted at a Service Provider Site
Supports Multiple Clients
Often Utilizes Shared Infrastructure
Supports Info Exchange Over Internet
Well Suited for information that is not sensitive
Less Expensive than Private Cloud
Traditional IT outsourcing – Old Ways
• Custom built solutions
• Designed to meet customer specific requirements
• Highly negotiated contracts
• Long diligence and negotiation lifecycle
• Each transaction has unique:
– Responsibility allocation
– Scope and deliverables
– Service Levels
– Financials (e.g., pricing, profitability, costs, investments, etc.)
– Transfer of assets
Cloud Services
Standardized solutions based on predefined platforms and applications, characterized by:
– On-demand self service
– Broad network access
– Resource pooling
– Rapid elasticity
– Standard offerings, not negotiable
– Offerings are designed to maintain currency with the latest industry technology, but not to individual customer requirements
– Standard contract documentation for the service offerings
Why is your IT migrating this way?
• No infrastructure management
• Reduced operational management
• Rapid implementation and deployment
• Lower upfront and total costs
• Elastic / Scalable
• Reduced IT complexity
• Use of industry-leading technology and innovation
• Security “by default”
• Manage and mine “Big Data”
• Emergence of BYOD
– Leverages ubiquity of mobile devices
Scope of the SaaS Contract
• Contract scope is usually:
– Based on standardized solutions
– Reflected in standard service documents and contracts
– Includes standard and optional capabilities, features and functions
IMPORTANT NOTES:
• “Service description” or “services specification” rather than a statement of work
• Service Level Agreement
This Probably Looks Familiar …
• Service scope is described in a single document through “policies”
– Service Level Objective
– Change Management
– Support
– Termination
– System Resiliency and Disaster Recovery Service
– Security Policy
– Privacy Policy
• Service descriptions may define:
– Management processes (capacity planning)
– Quantity of system resources
– Customer Obligations
Other Terms, Documents or Policies you’ll see
• Application features may be described in separate product documentation
• Professional services may be required to set up and configure the service, via a separate Statement of Work (SOW)
• Cloud policies are subject to change, and services are subject to modification
– To reflect changes to infrastructure, security, technical configurations, application features
– Changes generally should not result in a material reduction in the level of performance or availability of the service
Term of the Agreement
• Duration of cloud services
– Based on a defined (and finite) term
– Not a perpetual license
• Month-to-Month for certain services
• Minimum Period for more complex cloud services (e.g., one year, three years)
• Note: Auto-renewal may apply
Let’s Talk (Data) Security (First)
• Responsibility for security and privacy related compliance cannot be outsourced to a service provider
• Conduct appropriate due diligence and selection of service providers
• Ensure that security standards are reflected in contractual clauses
• Monitor performance of service providers to the security standards
A contract is not a substitute for appropriate due diligence of the cloud provider!
Security Standards
Your Scope of Services should include a framework of security and describe applicable security practices:
– Description of the technical, organizational and administrative controls used by the service provider to deliver the services
– Data center operations may align to ISO/IEC 27002, ITIL or CMM standards
Security Standards
Service providers can demonstrate adequacy of controls and safeguards for hosting and processing of customer data through recognized auditing standards:
• Statement on Standards for Attestation Engagements (SSAE) 16
• International Standard on Assurance Engagements (ISAE) 3402
BUT NOT SAS 70! Statement on Auditing Standards No. 70 is no longer a current auditing standard.
Data Security Best Practices
• Physical controls; logical controls
• Encryption, masking, data anonymization
• Account access, authentication, and access controls
• Passwords
• Network security and intrusion detection
• Data retention, backup and recovery
• Incident response
• Production vs. Non-Production instances
• Use of subcontractors by cloud provider
• Security certifications
• Audits
More Best Practices
• Recognize that Data Privacy Laws Do Not Allocate Commercial Responsibility or Liability
– Data Breach
– Indemnification
– Limit of Liability
– Comparative Negligence
Limitations of Liability
SaaS vendors will generally not accept consequential damages liability
• Consequential damages = foreseeable financial damages arising from the breach which may greatly exceed the amount the customer paid and the vendor received
– Example: customer’s lost business or profit and the significant cost of notifying those affected by the data breach
WHY? If a SaaS vendor accepted full consequential damages liability, a single data breach affecting a single SaaS customer could put them out of business.
What should you negotiate?
Persuade the SaaS vendor to accept liability for direct damages from a data breach:
• Up to an agreed upon limit
• Based on overall value of the contract or a multiple thereof
• e.g., 1.5x or 2x the amount the vendor is expected to be paid over an agreed upon time period
• TIP #1: It is not unreasonable to expect that the SaaS vendor accept some consequential damages liability when the data breach results from the vendor’s gross negligence or intentional misconduct.
• TIP #2: Cyber-liability insurance is available to protect against those risks which a party is unable to contractually allocate to the other side.
Indemnification
• Remember to focus on third party claims
• Risks may be different
– Depending on the SaaS contract or service
• Should the indemnity be narrowed?
• Focus on the allegation, not who is at fault
– “Caused by” v. “related to” or “arising out of”
UpTime Commitment
• You have a reasonable expectation that the SaaS application should be available and usable to the same degree it would be if installed in an on-premises computing environment.
• SaaS vendor should agree to make the application available and accessible at least 99.5% of the time 24x7x365 in the SLA
Customers should expect this commitment to be subject to:
• Routine maintenance outages (only during non-peak usage hours)
• Events outside the vendor’s control, such as general Internet outages and equipment failures not within the SaaS vendor’s environment.
Uptime Commitment Negotiations
• Obligate the vendor to provide fee credits in the event of failures to meet the availability commitment.
– Include in the contract a “three strikes” or “death by a thousand cuts” termination right, e.g., if the vendor fails to meet the availability commitment on three separate occasions during a two month period, this should constitute a material breach
– Customer entitled to terminate and receive at least a prorated refund of the unused fees paid in advance.
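The 99.5% uptime commitment, its maintenance and external-event exclusions, and the “three strikes in two months” termination right can be checked mechanically against an outage log. The following is an added example and not part of the presentation; it assumes a weekly measurement period, a 61-day two-month window and non-peak hours of 00:00-05:59, and runs over a constructed outage log.

```python
from datetime import datetime, timedelta

SLA_TARGET = 0.995            # 99.5% availability commitment from the deck
STRIKES = 3                   # "three strikes" within a two-month period
WINDOW = timedelta(days=61)   # two-month window length (assumed)
PERIOD = timedelta(days=7)    # measurement period (assumed weekly)
NON_PEAK_HOURS = range(0, 6)  # assumed non-peak hours: 00:00-05:59

# Constructed outage log: (start, end, cause). Causes are "unplanned",
# "maintenance" (routine) or "external" (outside the vendor's environment).
OUTAGES = [
    (datetime(2024, 1, 2, 10, 0), datetime(2024, 1, 2, 11, 30), "unplanned"),
    (datetime(2024, 1, 9, 2, 0), datetime(2024, 1, 9, 4, 0), "maintenance"),
    (datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 12, 0), "external"),
    (datetime(2024, 1, 17, 14, 0), datetime(2024, 1, 17, 15, 0), "unplanned"),
    (datetime(2024, 1, 24, 13, 0), datetime(2024, 1, 24, 14, 30), "maintenance"),
]
FIRST_PERIOD = datetime(2024, 1, 1)  # start of the first weekly period

def chargeable(start, end, cause):
    """Outages the deck excludes from the commitment do not count:
    routine maintenance in non-peak hours and external events."""
    if cause == "external":
        return False
    if cause == "maintenance":
        return not (start.hour in NON_PEAK_HOURS and end.hour in NON_PEAK_HOURS)
    return True

def period_availability(outages, period_start):
    """Fraction of one measurement period the service was up, net of exclusions."""
    period_end = period_start + PERIOD
    down = timedelta()
    for start, end, cause in outages:
        if chargeable(start, end, cause):
            overlap = min(end, period_end) - max(start, period_start)
            down += max(overlap, timedelta())  # ignore outages outside the period
    return 1 - down / PERIOD

def sla_misses(outages, first_period, n_periods):
    """Start dates of the measurement periods that fell below SLA_TARGET."""
    starts = [first_period + i * PERIOD for i in range(n_periods)]
    return [s for s in starts if period_availability(outages, s) < SLA_TARGET]

def material_breach(misses):
    """True when STRIKES misses fall inside one two-month window."""
    misses = sorted(misses)
    return any(misses[i + STRIKES - 1] - misses[i] < WINDOW
               for i in range(len(misses) - STRIKES + 1))
```

With the constructed log, weeks 1, 3 and 4 miss the target (the non-peak maintenance and the external outage in week 2 are excluded), so the three-strikes clause is triggered.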
Application Performance Warranty
• SaaS application will perform “in all material respects” (or “substantially”) in accordance with its applicable specifications or documentation
– Sometimes without limitation as to time when the customer is paying on an annual subscription basis
• Remedy for breach can be quite limited, e.g., termination of the agreement if the application’s performance does not meet the warranty and the vendor cannot correct it
Application Warranty Negotiations
• Negotiate prorated refund
– Unused portion of the subscription license fee for the remainder of the term or service period
– And a refund for a portion of the fees paid prior to termination
• Vendors may limit warranty
– To some period of time after either the commencement of the agreement or after discovery of the defect
– 90 days is typical and reasonable.
Application Warranty Negotiations
• Obtain the right to a refund
– Of at least the entire service period’s fees, if not more
– Given the hardship and expense associated with researching, selecting and switching to an alternate vendor
• Expand the vendor’s overall maximum liability
– To the total amount paid over the contract period
– Common in traditional installed software license agreements
Presenter
Richard D. Pio Roda
Principal
rpioroda@meyersnave.com
510.808.2000
Municipal and Special District Law
Public Contracts
California Public Records Act