Can’t We All Agree?

A Solution for Software Clickwrap Agreements

Bill Coker
Manager of Software Licensing Management
Office of Information Technology
North Carolina State University
Bill_Coker@ncsu.edu
What is a Clickwrap Agreement?
A clickwrap agreement is a type of contract that is widely used
with software licenses and online transactions in which a user
must agree to the terms and conditions prior to using the
product or service by clicking an “I Agree” or “I Accept”
button.
Clickwrap Agreement Challenges
Clickwraps are becoming more prevalent in IT
Clickwrap agreements are typically non-negotiable
Clickwraps create logistical difficulties and approval issues for
the Office of General Counsel and Purchasing
Many users click “I Agree” without reading the terms or having
the authority to bind the university
Clickwrap Agreement Strategy
Implement an efficient process for reviewing and approving
clickwraps
Create a delegation of authority to approve clickwrap
agreements
Educate campus
A Clickwrap Awakening:
iOS Developer Agreement
Apple required an iOS developer to bind
the university to agreement
Terms of agreement violated State law
Apple would not negotiate terms
A Clickwrap Awakening:
iOS Developer Agreement
Written justification showing low risk for each issue
Approvals by Office of General Counsel, Trademarks &
Licensing, and Regulatory Compliance
CIO did not have signature authority
I’m Glad That’s Over
“I never want to go
through this process
again”

“Hopefully we won’t
have any other clickwrap
agreements”

“Surely no enterprise
solutions will employ
clickwraps”
Another Clickwrap Awakening:
Google Consumer Apps Pilot
Campus wants Google Consumer Apps (Blogger, Maps, Picasa,
YouTube, etc.)
Using personal accounts instead of NCSU.EDU accounts
Clickwrap agreement for the Google Apps Trusted Tester
Agreement
Every user on campus will be required by Google to click “I
Agree”
Looking for a Clickwrap Solution
UNC Greensboro was ahead of the curve
http://www.uncg.edu/ucn/clickwraps/approved_clickwraps.html

Google Consumer Apps approved by UNC-G’s Chancellor
Could not find solutions at other universities
NCSU’s Approach
On-going meetings with:
Office of General Counsel
Security Standards and Compliance
Outreach, Consulting and Communications
Software Licensing Management
Reviewed terms for desired Google Consumer Apps
NCSU’s Approach
Separated Consumer Apps into Four Tiers
Tier 1: Alerts, Feed Burner, Reader
Tier 2: Maps, Map Maker, Picasa, YouTube, Blogger, Google+, Places
Tier 3: Takeout, News, Moderator, Public Groups, Voice
Tier 4: Analytics, Chrome Web Store, Google Chrome Sync
Acceptance of Terms
RISK: Any use of these services constitutes acceptance of the
Google Terms of Service
RESPONSE: These products are not made available to NCSU
users until they are activated by the NCSU Google
administrator. No user can accept the terms until all terms are
vetted by the university.
Ensuring Compliance of Terms
RISK: NCSU is responsible for ensuring End Users comply
with the applicable Google terms of service for each of the
Google Consumer Apps used.
RESPONSE: Students are bound by NCSU Policy 11.35.01 –
Code of Student Conduct and Employees are bound by the
various Policies, Regulations and Rules
Stapler Principle
A stapler is safe only when it is
used as a stapler, not as a weapon.
Hold Harmless and Indemnify
RISK: Requires the University to hold harmless and indemnify
Google if the Service is being used on behalf of the University.
RESPONSE: Because the university will effectively enforce
compliance from students and employees using the Code of
Conduct and Policy, Regulations and Rules, the university
should assume minimal risk by indemnifying Google.
Ensuring Compliance with Federal Law
RISK: NCSU agrees that it is solely responsible for compliance
with all laws and regulations that apply to these Services,
including FERPA
RESPONSE: A FERPA Modular Course Consent and Waiver
Form has been created that allows faculty members to
customize the consent form to be applicable to the course
requirements.
Consent and Waiver Form
Modified form used by DELTA
Allows faculty to customize form
based on Google Apps used and
the assignment
Other Risks Identified
Limitation of Liability
Governing Law
Storing data outside of the US
Google creates derivative works
Risk Assessment Matrix
Risk Assessment Summary
Using the Risk Assessment Matrix:
Identified the Probability and Impact for each known risk
Assigned a Risk Level and Risk Assessment Level
Summarized the Findings
Risks Assessment Summary
Google Apps Use Cases & Risks
“Stapler Principle”
Working with faculty who use personal Google Apps as part of
their instruction:
Identified what products are being used
How the products are being used
Identified the Probability and Impact for each known risk
Assigned a Risk Level and Risk Assessment Level
Summarized the Findings
Use Cases & Risks Summary
Results
CIO provided limited signature authority and delegation
authority
Google Apps Trusted Tester Agreement was completed
NCSU was able to approve Tiers 1 & 2 of the Google Consumer
Apps
Google Apps made available to campus
We began working on Tiers 3 & 4
Moving the Process Forward
Began discussions to apply the process to other clickwrap
agreements
Created new issues since software and agreements vary so
much
Other Clickwrap Agreements
Identified common risks found in general clickwrap
agreements
Secure systems will utilize the software, possibly placing secure data at risk
Risk of university data exposure
Includes broad audit rights, permitting the vendor almost unlimited access to
NCSU’s facilities, records, and systems
Contains expansive "feedback" and similar clauses that could result in the licensor
gaining ownership of intellectual property or data
Contains confidentiality or non-disclosure clauses
Other Clickwrap Agreements
Identified common risks found in general clickwrap
agreements
Requires the University to "hold harmless" or "save harmless" or "indemnify" the
vendor
Limitation of liability for vendor
No limitation of liability for University
Potential litigation outside of North Carolina
Little to no warranty. Software is provided entirely "as-is"
The software is not widely distributed nor well established in the community
Other Clickwrap Agreements
Identified common risks found in general clickwrap
agreements
Requires all disputes to be submitted to binding arbitration
Permits vendor's agents, contractors and licensors (third parties) to have audit
rights
No protection if University is sued for third-party intellectual property
infringement
Requires University to reimburse the vendor for all attorney fees and costs
Violates other State laws not already identified
The Solution
Identified risks were categorized into three categories
Category 1: Common Problematic Clauses
Category 2: Unique/Challenging Problematic Clauses
Category 3: Risks arising from the Product Itself and/or
End-User Conduct or Misconduct Involving the Product
Category 1
Common Problematic Clauses
Limitation of Vendor’s Liability
Indemnification and “Hold Harmless” Clauses
Governing Law
Binding Arbitration
Requirements to reimburse vendor for attorney fees
Category 1
Common Problematic Clauses
Clauses are permitted
Office of General Counsel is constrained from “approving” the
clauses by the letter of the law
However, they are prepared to defend a business decision to
accept these clauses
This business decision is consistent with the actions of many
existing users in State government and other schools
The benefits outweigh the risks associated
Category 2
Unique/Challenging Problematic Clauses
Broad Audit Rights permitting vendor almost unlimited access
to NCSU’s facilities, records and systems
Grants audit rights over NCSU to vendor’s agents, contractors
and third parties
Clauses that could result in the licensor gaining ownership of
intellectual property or data
Confidentiality or non-disclosure clauses
Clauses permitting storage of NCSU data outside the US
Category 2
Unique/Challenging Problematic Clauses
Clauses are not permitted without review
Clauses must be evaluated jointly by the Office of General
Counsel and the Office of Information Technology on a case-by-case basis
A risk assessment using the Risk Matrix must be completed
If approved, strategies must be determined to reduce risk
(educating end-users)
Category 3
Risks arising from the Product Itself and/or End-User
Conduct or Misconduct Involving the Product
NCSU’s secure systems will utilize the product, possibly placing
secure data at risk
Use of product may create risk of NCSU data exposure
Clauses restricting NCSU’s use of the product
Agreement contains little to no warranty – provided “as-is”
Product is not widely distributed nor well established in the
community
Category 3
Risks arising from the Product Itself and/or End-User
Conduct or Misconduct Involving the Product
Issues are typically the result of misuse or misconduct (the
Stapler Principle)
Student consent should be obtained using the Consent and
Waiver Form when the use of the software raises FERPA
concerns
Category 3
Risks arising from the Product Itself and/or End-User
Conduct or Misconduct Involving the Product
NCSU can treat its risks by restricting or eliminating access to
users who violate computer use policy
Behavior violating NCSU policies, state or federal laws can be
addressed under existing student, staff and faculty processes
dealing with misconduct
Communication
Communicated the clickwrap process to leadership for
feedback and approval:
  Office of General Counsel
  Purchasing
  Campus IT Governance committees
  College IT Directors
  Office of Information Technology
The Final Process
Software Licensing Management, with the help of the Software
Manager in the Colleges of Engineering, began reviewing
clickwrap agreements
All issues are identified as Category 1, 2 or 3
All clickwraps, issues and categories are entered into a master
spreadsheet
A risk assessment is conducted for Category 2 issues
(probability/impact) and sent to the Office of General Counsel
for review
The Result
When completed, clickwrap agreements are listed on the
Software@NC State web site
  http://software.ncsu.edu/clickwraps
Clickwraps are listed with the following statuses:
  Approved
  Conditionally Approved
  Denied
  Pending
Be Aware
We cannot review every clickwrap
  Mobile device apps (iTunes, Google Play, etc.)
  Device drivers
Not all open source licenses should be approved
  Patent violations
Be Aware
Some free software has restrictions that prevent use on some
campuses
  Overall budget
  Non-commercial home-use only
Not all software has a clickwrap agreement
  Some software states agreement by downloading or installing
The Response
Campus has embraced the new process and has submitted new
clickwraps for review
In the first three months, the clickwrap list grew from
approximately 100 clickwraps to more than 350
Maintenance
Every six months, the dates and versions of clickwrap
agreements are reviewed to determine if there have been
updates
Updated agreements are reviewed
New clickwraps are added when submitted
Outdated clickwraps and retired software are removed
Questions?
Can’t We All Agree?
Bill Coker
North Carolina State University
Bill_Coker@ncsu.edu

Can't We All Agree? Clickwrap Agreements

  • 1. Can’t W All Agree? e A Solution for Software Clickwrap Agreements Bill Coker Manager of Software Licensing Management Office of Information Technology North Carolina State University Bill_Coker@ncsu.edu
  • 2. W is a Clickwrap Agreement? hat A clickwrap agreement is a type of contract that is widely used with software licenses and online transactions in which a user must agree to the terms and conditions prior to using the product or service by clicking an “I Agree” or “I Accept” button.
  • 3. Clickwrap Agreement Challenges Clickwraps are becoming more prevalent in IT Clickwraps agreements are typically non-negotiable Clickwraps creates logistical difficulties and approval issues for the Office of General Counsel and Purchasing Many users click “I Agree” without reading the terms or having the authority to bind the university
  • 4. Clickwrap Agreement Strategy Implement an efficient process for reviewing and approving clickwraps Create a delegation of authority to approve clickwrap agreements Educate campus
  • 5. A Clickwrap Awakening: iOS Developer Agreement Apple required an iOS developer to bind the university to agreement Terms of agreement violated State law Apple would not negotiate terms
  • 6. A Clickwrap Awakening: iOS Developer Agreement Written justification showing low risk for each issue Approvals by Office of General Counsel, Trademarks & Licensing, and Regulatory Compliance CIO did not have signature authority
  • 7. I’m Glad That’s Over “I never want to go through this process again” “Hopefully we won’t have any other clickwrap agreements” “Surely no enterprise solutions will employ clickwraps”
  • 8. Another Clickwrap Awakening: Google Consumer Apps Pilot Campus wants Google Consumer Apps (Blogger, Maps, Picasa, YouTube, etc.) Using personal accounts instead of NCSU.EDU accounts Clickwrap agreement for the Google Apps Trusted Tester Agreement Every user on campus will be required by Google to click “I Agree”
  • 9. Looking for a Clickwrap Solution UNC Greensboro was ahead of the curve http://www.uncg.edu/ucn/clickwraps/approved_clickwraps.html Google Consumer Apps approved by UNC-G’s Chancellor Could not find solutions at other universities
  • 10. NCSU’s Approach On-going meetings with: Office of General Counsel Security Standards and Compliance Outreach, Consulting and Communications Software Licensing Management Reviewed terms for desired Google Consumer Apps
  • 11. NCSU’s Approach Separated Consumer Apps into Four Tiers Tier 1 Tier 2 Alerts, Feed Burner, Reader Maps, Map Maker, Picasa, YouTube, Blogger, Google+, Places Tier 3 Takeout, News, Moderator, Public Groups, Voice Analytics, Chrome Web Store, Google Chrome Sync Tier 4
  • 12. Acceptance of Terms RISK: Any use of these services constitutes acceptance of the Google Terms of Service RESPONSE: These products are not made available to NCSU users until they are activated by the NCSU Google administrator. No user can accept the terms until all terms are vetted by the university.
  • 13. Ensuring Compliance of Terms RISK: NCSU is responsible for ensuring End Users comply with the applicable Google terms of service for each of the Google Consumer Apps used. RESPONSE: Students are bound by NCSU Policy 11.35.01 – Code of Student Conduct and Employees are bound by the various Policies, Regulations and Rules
  • 14. Stapler Principle A stapler is safe only when it is used as a stapler, not as a weapon.
  • 15. Hold Harmless and Indemnify RISK: Requires the University to hold harmless and indemnify Google if the Service is being used on behalf of the University. RESPONSE: Because the university will effectively enforce compliance from students and employees using the Code of Conduct and Policy, Regulations and Rules, the university should assume minimal risk by indemnifying Google.
  • 16. Ensuring Compliance with Federal Law RISK: NCSU agrees that it is solely responsible for compliance with all laws and regulations that apply to these Services, including FERPA RESPONSE: A FERPA Modular Course Consent and Waiver Form has been created that allows faculty members to customize the consent form to be applicable to the course requirements.
  • 17. Consent and Waiver Form Modified form used by DELTA Allows faculty to customize form based on Google Apps used and the assignment
  • 18. Other Risks Identified Limitation of Liability Governing Law Storing data outside of the US Google creates derivative works
  • 20. Risk Assessment Summary Using the Risk Assessment Matrix: Identified the Probability and Impact for each known risk Assigned a Risk Level and Risk Assessment Level Summarized the Findings
  • 22. Google Apps Use Cases & Risks “Stapler Principle” Working with faculty who use personal Google Apps as part of their instruction: Identified what products are being used How the products are being used Identified the Probability and Impact for each known risk Assigned a Risk Level and Risk Assessment Level Summarized the Findings
  • 23. Use Cases & Risks Summary
  • 24. Results CIO provided limited signature authority and delegation authority Google Apps Trusted Tester Agreement was completed NCSU was able to approve Tiers 1 & 2 of the Google Consumer Apps Google Apps made available to campus We began working on Tiers 3 & 4
  • 25. Moving the Process Forward Began discussions to apply the process to other clickwrap agreements Created new issues since software and agreements vary so much
  • 26. Other Clickwrap Agreements Identified common risks found in general clickwrap agreements Secure systems will utilize the software, possibly placing secure data at risk Risk of university data exposure Includes broad audit rights, permitting the vendor almost unlimited access to NCSU’s facilities, records, and systems Contains expansive "feedback" and similar clauses that could result in the licensor gaining ownership of intellectual property or data Contains confidentiality or non-disclosure clauses
  • 27. Other Clickwrap Agreements Identified common risks found in general clickwrap agreements Requires the University to "hold harmless" or "save harmless" or "indemnify" the vendor Limitation of liability for vendor No limitation of liability for University Potential litigation outside of North Carolina Little to no warranty. Software is provided entirely "as-is" The software is not widely distributed nor well established in the community
  • 28. Other Clickwrap Agreements Identified common risks found in general clickwrap agreements Requires all disputes to be submitted to binding arbitration Permits vendor's agents, contractors and licensors (third parties) to have audit rights No protection if University is sued for third-party intellectual property infringement Requires University to reimburse the vendor for all attorney fees and costs Violates other State laws not already identified
  • 29. The Solution Identified risks were categorized into three categories Category 1: Common Problematic Clauses Category 2: Unique/Challenging Problematic Clauses Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product
  • 30. Category 1 Common Problematic Clauses Limitation of Vendor’s Liability Indemnification and “Hold Harmless” Clauses Governing Law Binding Arbitration Requirements to reimburse vendor for attorney fees
  • 31. Category 1 Common Problematic Clauses Clauses are permitted Office of General Counsel is constrained from “approving” the clauses by the letter of the law However, they are prepared to defend a business decision to accept these clauses This business decision is consistent with the actions of many existing users in State government and other schools The benefits outweigh the risks associated
  • 32. Category 2 Unique/Challenging Problematic Clauses Broad Audit Rights permitting vendor almost unlimited access to NCSU’s facilities, records and systems Grants audit rights over NCSU to vendor’s agents, contractors and third parties Clauses that could result in the licensor gaining ownership of intellectual property or data Confidentiality or non-disclosure clauses • Clauses permitting storage of NCSU data outside the US
  • 33. Category 2 Unique/Challenging Problematic Clauses • Clauses are not permitted without review • Clauses must be evaluated jointly by the Office of General Counsel and the Office of Information Technology on a case-by-case basis • A risk assessment using the Risk Matrix must be completed • If approved, strategies must be determined to reduce risk (educating end-users)
  • 34. Category 3 Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product • NCSU’s secure systems will utilize the product, possibly placing secure data at risk • Use of product may create risk of NCSU data exposure • Clauses restricting NCSU’s use of the product • Agreement contains little to no warranty – provided “as-is” • Product is not widely distributed nor well established in the community
  • 35. Category 3 Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product • Issues are typically the result of misuse or misconduct (the Stapler Principle) • Student consent should be obtained using the Consent and Waiver Form when the use of the software raises FERPA concerns
  • 36. Category 3 Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product • NCSU can treat its risks by restricting or eliminating access to users who violate computer use policy • Behavior violating NCSU policies, state or federal laws can be addressed under existing student, staff and faculty processes dealing with misconduct
  • 37. Communication • Communicated the clickwrap process to leadership for feedback and approval • Office of General Counsel • Purchasing • Campus IT Governance committees • College IT Directors • Office of Information Technology
  • 38. The Final Process • Software Licensing Management, with the help of the Software Manager in the Colleges of Engineering, began reviewing clickwrap agreements • All issues are identified as Category 1, 2 or 3 • All clickwraps, issues and categories are entered into a master spreadsheet • A risk assessment is conducted for Category 2 issues (probability/impact) and sent to the Office of General Counsel for review
  • 39. The Result • When completed, clickwrap agreements are listed on the Software@NC State web site • http://software.ncsu.edu/clickwraps • Clickwraps are listed with the following statuses: • Approved • Conditionally Approved • Denied • Pending
  • 40. Be Aware • We cannot review every clickwrap • Mobile device apps (iTunes, Google Play, etc.) • Device drivers • Not all open source licenses should be approved • Patent violations
  • 41. Be Aware • Some free software has restrictions that prevent use on some campuses • Overall budget • Non-commercial home-use only • Not all software has a clickwrap agreement • Some software states agreement by downloading or installing
  • 42. The Response • Campus has embraced the new process and has submitted new clickwraps for review • In the first three months, the clickwrap list grew from approximately 100 clickwraps to more than 350
  • 43. Maintenance • Every six months, the dates and versions of clickwrap agreements are reviewed to determine if there have been updates • Updated agreements are reviewed • New clickwraps are added when submitted • Outdated clickwraps and retired software are removed
  • 44. Questions? Can’t We All Agree? Bill Coker North Carolina State University Bill_Coker@ncsu.edu