10 07-14 hosting con europe 2014 presentation unannotated
1. Doing Business Globally HostingCon Europe Amsterdam, October 2014
W. David Snead
Attorney + Counselor – Washington, D.C.
Tactical Legal Advice for Internet Business
david.snead@dsnead.com
Paolo Balboni
European ICT & Data Protection Lawyer – ICT Legal Consulting Int. – Amsterdam
paolo.balboni@ictlegalconsulting.com
2. • Creating a contract that works
• Compliance
• Key provisions in a global contract
3. Why do you need a global contract?
Pros
• Attracts larger clients
• Ease of administration
• May ease legal compliance
Cons
• Complicated contract
• Jurisdictional issues
• Vendor compliance difficulties
4. Contract goals
1. Exceeding customer expectations
2. Supporting your brand
3. Protecting your revenue
4. Meeting your contract obligations
5. Litigation prevention
5. What should you do first?
• Engage in a 180’ contract review
• Procure insurance
• Stand behind your product
• Don’t rely on limitations of liability
6. Vendors
• Flow down provisions
• Right to change products
• Fee changes
• Warranties
• Responsibility for subcontractors
• Indemnification
180’ contract review
• Match up to your agreement
• Create implementation period
• Include right to substitute
• Create implementation period
• Provide evidence to customers
• Match up to your agreement
• Include responsibility flow down
• Match up to your agreement
• Procure insurance
• Match to technology
7.
8.
9. Customer | Vendor | Company
Skin in the game | No refunds | Applies to purchased services
Reliability | Force Majeure; No subcontractors; Cable cuts; 90 day warranty | Detailed Service Level Agreement written in plain English
Price | Right to change prices; No subcontractors; Difference in contract term | Tolerate price gaps; Provide documentation
Support | Tier 2; Self help | Ready access on website; Clear response times.
10. Customer
Contract
Implementation
Skin in the game
SLA: credits
• Automatic notification and credit
Reliability
SLA: plain English
• Tie back to vendors
• Internal metric score cards
• Percentages implemented mechanically
Price
• Price changes at term
• Increases with evidence
• Contract term process
• Negotiate notice of increases
• No asterisks
Support
Support based on revenue
• Self help available
• Automatic notice of cut off
11. Customer Goal
Flow down provision
Legal issues
Operations issues
Summary provision
Price stability
Increase in electric prices
• Increase prices
• Disclose information
• Meeting of the minds
• Measure
• Provide information
• Revenue stability
• Monitor vendor contracts
• Prices stable during term
• Pass through prices increase on notice
12.
13. THIS PRODUCT COULD INCLUDE TECHNICAL OR OTHER MISTAKES, INACCURACIES OR TYPOGRAPHICAL ERRORS. WE MAY MAKE CHANGES TO THE MATERIALS AND SERVICES AT THIS SITE, INCLUDING THE PRICES AND DESCRIPTIONS OF ANY PRODUCTS LISTED HEREIN, AT ANY TIME WITHOUT NOTICE. THE MATERIALS OR SERVICES AT THIS SITE MAY BE OUT OF DATE, AND WE MAKE NO COMMITMENT TO UPDATE SUCH MATERIALS OR SERVICES. THE USE OF THE SERVICES OR THE DOWNLOADING OR OTHER ACQUISITION OF ANY MATERIALS THROUGH THIS SITE IS DONE AT YOUR OWN DISCRETION AND RISK AND WITH YOUR AGREEMENT THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM SUCH ACTIVITIES.
14. Customer | Vendor | Company
Skin in the game | No refunds | Applies to purchased services
Reliability | Force Majeure; No subcontractors; Cable cuts; 90 day warranty | Detailed Service Level Agreement written in plain English
Price | Right to change prices; No subcontractors; Difference in contract term | Tolerate price gaps; Provide documentation
Support | Tier 2; Self help | Ready access on website; Clear response times.
15. • Creating a contract that works
• Data compliance
• Addressing cultural issues
16. • Sectoral Based
• Reactive
• Generally state based
• Narrowly tailored
• Issue Based
• Proactive
• National implementation
17. DATA PROTECTION/SECURITY COMPLIANCE AS A COMPETITIVE MARKET ADVANTAGE
• A couple of deal-breaking elements from our daily experience:
  1. Personal Data Processing Agreements (where duties and obligations are clearly identified)
  2. Transparency and control over the personal data flow (circulation/transfer of personal data)
• These elements are requested by customers for 2 main reasons:
  1. COMPLIANCE: to establish enough control by the customer (Controller) on the personal data processing carried out by the provider (Processor)
  2. INTERNAL RESPONSIBILITIES: to internally show that protection and control over personal data, as a company asset, have been considered in the choice of a provider that offers enough guarantees
18. EU data protection/security checklist A Service Provider (SP) will have to share:
① Information about its identity (and the representative in the EU, if applicable), its data protection role, and the contact details of the Data Protection Officer or of a “privacy contact person”
② SP will have to describe in which ways the data will be processed and provide information on data location and subcontractors
③ How data transfers may take place and on which legal ground (mainly model contracts, binding corporate rules – SH principles have been under revision)
19. ④ Data security measures in place, with special reference to:
  - availability of data
  - integrity
  - confidentiality
  - transparency
  - isolation (purpose limitation)
  - intervenability
⑤ Way to monitor SP data security / possibility to run audits for clients or trusted third parties
20. ⑥ Personal data breach notification policy
⑦ Data portability, migration, and transfer back assistance
⑧ Data retention, restitution and deletion policies
⑨ Accountability, meaning the policies and procedures SP has in place to ensure and demonstrate compliance, throughout the SP value chain (e.g., sub-contractors)
21. ⑩ Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights
⑪ Management of law enforcement requests for access to personal data
⑫ Remedies available for the customer in case of CSP breach of contract
22. • HIPAA / GLB / FCRA
• FTC needs most attention
• Marketing to minors
• State laws may apply
• No Federal breach law
23. • Massachusetts sets standard
• Focus on identification numbers
• Increasingly includes biometric
• No private right of action
• Nexus requirement
• Encryption exemption
• No exemption for de minimis disclosures
• 7 states with no law
25. • Creating a contract that works
• Data compliance
• Key provisions in a global contract
26. Company will indemnify, defend and hold harmless Customer, its affiliates, directors, officers, employees and agents (collectively, the “Customer Group”) from and against all Losses asserted against, resulting to, imposed upon or incurred by the Customer Group (or any member thereof) to the extent arising from (i) any personal injury, death or physical damage to, or loss or theft of, tangible personal property caused by the gross negligence or willful misconduct of Company or its employees, agents or subcontractors, or (ii) allegations that the Services (excluding any third party components) directly infringe a patent issued under the laws of a country in which the Services are actually provided to Customer; provided, however, that, in addition to the foregoing indemnification, Company’s sole and exclusive liability with respect to this Section 1, and Customer’s sole and exclusive remedy with respect to this Section 1, is limited to Company making the Services non-infringing or arranging for Customer’s continued use of the Services by license or otherwise, but if either of the foregoing options are commercially impracticable for Company, in Company’s sole discretion, upon written notice to Customer, Company may cancel the directly affected Services, refund to Customer any prepaid fees for such cancelled Services and, if applicable, adjust Customer’s ongoing monthly fees for the continuing Services to account for such cancelled Services. 
Notwithstanding anything to the contrary in this Section 1, Company will have no indemnification obligation to Customer under this Section 1 for any infringement arising from (A) an unauthorized modification of the Services by Customer, (B) Customer’s combination of the Services with any intellectual property not developed or owned by Company if the Services would have avoided the infringement but for such combination by Customer, or (C) Customer’s failure to install updates, patches or other similar items provided by Company or the licensor of the intellectual property that is the subject of such a claim.
Legalese
Plain English
• Cover all intellectual property that is yours.
• Take up the suit.
• Agree to work proactively
Indemnification means it.
27. NOTWITHSTANDING ANY ORAL OR WRITTEN COMMUNICATIONS BETWEEN COMPANY AND CUSTOMER ABOUT OR IN CONNECTION WITH THE SERVICES AND TO THE FULL EXTENT PERMITTED BY APPLICABLE LAW, NEITHER COMPANY NOR ANY OF ITS EMPLOYEES, AFFILIATES, AGENTS, SUPPLIERS, SUB-CONTRACTORS OR LICENSORS MAKE ANY WARRANTIES OF ANY KIND, ORAL OR WRITTEN, EXPRESS OR IMPLIED, ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE OR OTHERWISE INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, CONFORMITY TO ANY REPRESENTATION OR DESCRIPTION, COMPLETELY SECURE, ERROR-FREE, NON-INTERRUPTION, NON-INTERFERENCE OR NON-INFRINGEMENT. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT OR IN THE ADDENDA, THE SERVICES AND EQUIPMENT PROVIDED UNDER OR ASSOCIATED WITH THIS AGREEMENT ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS.
Legalese
Plain English
EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT (INCLUDING, WITHOUT LIMITATION, THE SERVICE LEVEL AGREEMENTS)
Make Warranties. Not Disclaimers.
28. Company guarantees 100% availability of the Company Cloud Network. The Company Cloud Network will be deemed 'available' if the networking components are available and responding to Company monitoring tools as designed and in a non-degraded manner (as evidenced in the Company monitoring tool).
Legalese
Plain English
• Monitor proactively
• Provide automatic credits
• Agree to consider customer monitoring
No hoops.
29. Start from the customer’s perspective
No “hot coffee” decisions
Consider data protection/security compliance as a competitive market advantage
Engage in a 180’ contract review
30. W. David Snead
Attorney + Counselor – Washington, D.C.
Tactical Legal Advice for Internet Business
david.snead@dsnead.com
wdsneadpc / Twitter
thewhir.com / Blog
Paolo Balboni
European ICT & Data Protection Lawyer – ICT Legal Consulting Int. – Amsterdam
paolo.balboni@ictlegalconsulting.com
@balbonipaolo / Twitter
www.ictlegalconsulting.com / Website