Navigating Risk In Data & Technology Transactions


Presentation: Negotiating risk management terms for data & technology contracts.

The information herein is presented for educational and informational purposes and is not intended to constitute legal advice. Additional information is at .

Published in: Law

  1. Navigating Risk In Data & Technology Transactions
     John C. Yates
     March 27 – 28, 2014
     Atlanta, Georgia
  2. Negotiating Risk Management Terms For Data & Technology Contracts/Overview
     The parties in data and technology transactions typically allocate risks contractually through:
       – Disclaimers and representations and warranties
       – Indemnification and limitation of liability provisions
  3. Indemnities
     1. A licensee in data and technology transactions should seek to include an indemnification right for third-party intellectual property (IP) infringement claims so long as licensee stays within the scope of its permitted use of a license grant.
     2. Alternatively, a licensor should ensure that its obligation to indemnify a licensee for third-party IP claims is appropriately narrowed to ensure that the licensor is not responsible for third-party IP claims that result from licensee’s improper modification or inclusion of IP that creates an infringement.
  4. Confidentiality
     1. Where the data licensee may share its own confidential information with the licensor, mutual confidentiality obligations may be appropriate.
     2. The parties should consider:
        a. The time limit on the confidentiality obligations.
        b. Whether to include common exceptions from the confidentiality requirements for information that is:
           i. Or becomes commonly known;
           ii. In the possession of the receiving party before disclosure;
           iii. Separately received from a third party; or
           iv. Independently developed by the receiving party.
        c. Which party has the burden of proof for showing that the confidentiality exception applies.
        d. The treatment of legally compelled disclosure, including an obligation by the receiving party to notify the disclosing party of such a request and the receiving party’s cooperation in helping the disclosing party obtain a protective order.
  5. Security
     1. Good data protection requires the participation and coordination of management and staff at all levels of a business. It often falls to the legal department, working closely with the information technology (IT) function and with the support of senior executives, to lead the company-wide information management and protection program.
     2. Effective information and data security depends on developing comprehensive policies and procedures, and applying them consistently. In this regard, it is especially important to have in place:
        a. A uniform confidentiality and proprietary rights agreement that must be signed by all employees as a condition of employment.
        b. An IT and communications systems policy that governs employees' appropriate use of these company resources, in the interest of protecting confidential information.
  6. Security
     3. Further, the agreement may specify:
        a. The types of controls and data security to be used by the licensee including, for a service provider, the provider's data center and service network.
        b. The obligation to be and remain in compliance with applicable data security laws and regulations and, if applicable, professional obligations affecting persons with data in particular industries and professions, such as attorneys, healthcare providers and securities brokers and dealers.
        c. Procedures and obligations for data security breaches and related investigations, including obligations to notify the licensor of any detected security breaches or unauthorized access and to provide assistance in investigating security breaches and obtaining the return of misappropriated data and other appropriate remedies.
        d. The parties' data transfer, communications, and encryption protocols.
  7. Limitations Of Liability
     1. Each party is likely to seek limitations on liability in the form of a liability cap (i.e., the amount of fees paid to it under the agreement).
     2. Each party is also likely to seek an exclusion of damages in connection with lost data, lost profits, loss of reputation, and any indirect, special, punitive or consequential damages.
     3. Certain exceptions to these limitations may include:
        a. Indemnification obligations (particularly for IP infringement); breaches of confidentiality, privacy or data security; violations of applicable law; damage to tangible property; personal injury or death; and gross negligence and willful misconduct (for which damages may not be limited in certain states).
     4. A party’s ability to carve out the foregoing exceptions typically depends on the parties' relative bargaining power.
  8. Export
     1. The Department of Commerce is authorized to regulate the export or re-export of U.S.-origin dual-use goods, software, and technology.
     2. Perform a risk assessment. Evaluate compliance issues, including the degree to which the company’s employees conduct business with foreign customers, the company’s use of third-party agents and intermediaries, the regulatory environment of the regions where the company operates, and the effects of any recent business developments.
     3. Focus on countries of concern. Review your customers and the nature of transactions with them so you can gain a better understanding of where your company’s compliance focus should be placed.
     4. Identify at-risk business groups. New components of U.S. export controls and sanctions laws target insurance companies, financial institutions, IT companies, and other businesses that traditionally have not had a significant risk exposure to export control issues.
  9. Open Source
     1. Risk to intellectual property – using open source software (“OSS”) may cause other IP rights in a company’s proprietary software to enter the public domain if not integrated properly.
     2. Risk to future revenue – integration of OSS into a company’s developing software may dilute the future value of the software.
     3. Acquisition risk – without performing adequate due diligence, companies risk acquiring software that has been diluted by the inclusion of OSS.
     4. Competitive risk – incorporating OSS into a company’s proprietary software and then distributing the software might result in the software becoming part of the public domain.
  10. Patent
      1. If issues concerning the validity or scope of a patent increase the risk for the licensee, the licensee can request the following protective measures: (a) reduce royalty or other payments, (b) obtain a specific indemnification for the issue, or (c) forgo the license altogether.
      2. If licensors are unwilling to provide a warranty for non-infringement in connection with licensee’s activities, the parties may craft a representation and warranty regarding the licensor's knowledge of (a) any patent blocking the practice of the licensed patent and (b) any pending or threatened allegation that a licensed product infringes any third-party patent.
      3. A licensor often seeks to have the licensee indemnify the licensor for third-party product liability claims relating to the licensee's commercialization of the licensed patent.
      4. To back up the indemnity, the licensor may want to include a provision requiring the licensee to maintain insurance policies to cover third-party claims arising from defective licensed products the licensee distributed as well as the licensee's indemnity obligations regarding any product liability claim.