
Nearly every company today is a mass consumer of technology. Business would come to a standstill without the installed software products, cloud products and technology-related outsourcing arrangements that companies have come to depend on to manage and run their day-to-day business operations. From desktop computing to data processing to product barcode labeling and everything in between, our companies and our economy are entirely dependent on third-party software and other third-party technology products.

Companies’ use of third-party technology is always governed by a contract. Depending upon the product or service at issue, the contract may be called a license agreement, subscription agreement, hosting agreement or something else entirely. While it is typically the lawyers (in consultation with the procurement group and the business stakeholders) that draft and revise technology contracts, they are ultimately business negotiations that allocate the rights, obligations, risks and liabilities among the parties.

Negotiating technology contracts is not an easy process and often requires compromise by both parties. A company’s leverage to obtain the best possible contract terms and risk allocation will depend on many factors, including the types of data involved, transaction size, the type of technology product being licensed and the size and sophistication of the vendor. This article describes some of the key contractual provisions to be aware of when negotiating a technology contract, including provisions related to information security, as well as typical negotiation positions taken by vendors on certain issues.

When a company has not had the opportunity to thoroughly test and vet mission critical technology, the company should obtain acceptance testing rights from the vendor. Typically, acceptance testing rights will give the licensee anywhere from 30 to 90 days after a product is installed or made available to the licensee to test the product, using licensee test procedures and sample input. Acceptance testing provides the licensee with the opportunity to determine whether the product meets specifications and fulfills its purported function as agreed upon by the parties.

If the licensee finds that the product does not work as advertised, the vendor should correct the defect, at no cost, within a specified period of time (typically 15 to 30 days). If the vendor is unwilling or unable to resolve the defect within this period, then the licensee should have the right to terminate the contract and receive a refund of any license and installation fees already paid to the vendor.

Vendors dislike acceptance testing and acceptance or rejection rights for several reasons, the most common of which is revenue recognition. Many vendors recognize revenue associated with software licenses immediately upon delivery of the software to a licensee. If the licensee has months to test the product and the ability to reject the product if it does not conform to agreed specifications and other acceptance criteria, then the vendor cannot recognize the revenue associated with the licenses until the software is finally accepted by the licensee.

There is no perfect solution to this problem. The parties can always agree to shorten the testing period so that the vendor can recognize the revenue earlier, or they can agree to “deemed” acceptance if the licensee does not affirmatively accept or reject the product within a specified period of time. However, when a company is licensing a new technology product that will have a sizeable impact on business operations, it is clearly a bad idea to forgo acceptance testing rights merely to prevent revenue recognition problems for the vendor.

License or use rights are a critical component of any technology license agreement. Companies must be certain that the rights contained in the license agreement and any associated order forms are broad enough to cover all uses for which a licensee plans to utilize the product and allow access to the product by all individuals and entities that will be accessing and using the product.

Technology products are licensed in myriad ways. A product may be licensed on a metric basis, such as per user, per computer, per server, per site, etc. Similarly, a product may limit use to only the licensee’s employees, or it may be an enterprisewide license that allows for use of the product by licensee affiliates and service providers. In some cases, license rights will even allow a licensee to use a product in connection with a joint venture entered into with an unrelated third party. Companies must pay close attention to whether the license and use rights in a particular agreement will meet the needs of the company and, if not, the company should negotiate for broader rights.

Some of the most significant monetary and reputational risks to companies can result from information security breaches precipitated by a vendor. A number of high-profile information security breaches have involved third-party vendors, including the Target breach reported in 2013 and the Home Depot breach reported in 2014, both of which were carried out by attackers using network credentials issued to a third-party vendor. If part of the services provided by a technology vendor involves the vendor storing, maintaining or having any form of access to a licensee’s sensitive data, then the licensee should negotiate sufficient confidentiality and information security protections into the governing contract to include, at a minimum, the following:

Compliance with Law. Vendors should be required to comply with all current and future privacy and data security laws that apply to the vendor, the licensee and the products or services provided by the vendor under the contract.

Compliance with Licensee’s Policies. If at all possible, licensees should obtain contractual commitments from their technology vendors to comply with the licensees’ policies and procedures relating to information security. However, requiring vendors to comply with each licensee’s internal information security policies can be an impractical and very costly mandate. Thus, licensees should carefully vet prospective vendors’ own information security policies and procedures to identify any critical “gaps” ahead of time. These “gaps” can be addressed during the contract negotiation process.

Data Location. Vendors should be required to access, store, process or transmit personal information only in jurisdictions authorized by the contract. Because of regulatory restrictions on cross-border transmissions of personal information imposed by various countries (particularly, the European Union), the safest approach is to prohibit vendors from handling personal information outside of the jurisdiction from which it was collected.

Data Encryption. All personal information handled by technology vendors should be encrypted, both in transit and at rest, using current industry-standard encryption, with the encryption keys managed separately from the data they protect. Encryption is critical to preventing an attacker from using stolen personal information. Moreover, encryption is a safe harbor in most data breach notification laws, which could save a company significant expense and embarrassment in the event of a data breach precipitated by a vendor. That safe harbor generally applies only if the encryption keys were not compromised along with the data, so the contract should address key management as well as encryption itself.

Notification of Data Breaches. Vendors should be contractually obligated to notify the licensee upon discovery of an actual or suspected data breach within a fixed, short window measured in hours rather than days; an undefined “immediately” or “promptly” leaves the vendor room to delay. This obligation should extend to any breach experienced by the vendor, not just a breach impacting the licensee. Any breach, even an unrelated one, is a telling sign of the effectiveness of a vendor’s information security program.

In addition to typical indemnification obligations, the vendor should be contractually obligated to indemnify the licensee against (i) third-party claims arising out of the technology product’s infringement or misappropriation of any intellectual property right of a third party; and (ii) first-party costs and third-party claims arising out of information security breaches. In addition, if the licensee is enjoined (or likely to be enjoined) from continued use of the product because of an infringement claim, then the vendor should have a contractual obligation to obtain the necessary licenses for the licensee to continue using the product or provide the licensee with a substitute product that has functionality substantially similar to the enjoined product.

Every technology contract should contain service levels to which the vendor must adhere. The service level elements will vary depending upon the type of technology product at issue, but should focus on product uptime and/or the vendor’s response and resolution time to any defects or bugs in the product discovered by the licensee.

Most technology agreements should also contain a service credit regime that kicks in when the vendor fails to meet the agreed service levels. Service credits are intended to incentivize the vendor to meet the agreed service levels. Parties typically negotiate a cap on service credits of somewhere between 10 percent and 25 percent of the fees at risk.

Negotiating appropriate use rights, protections and remedies into technology contracts is of paramount importance not only to a company’s operations and financial well-being, but also to the security of its data and its customers’ data. Given companies’ increased reliance on third-party technology products and services to run day-to-day business operations, insufficient rights and remedies built into their agreements can have a devastating impact. By committing the time and resources necessary to negotiate favorable technology license arrangements, companies can save significant costs and headaches down the road.

Joshua T. Silver is a shareholder in Bernstein Shur’s business law practice group and co-chair of the data security team. He advises on and negotiates technology and outsourcing transactions on behalf of suppliers and customers across a broad range of industries, including finance, education, telecom and software. With 11 years of experience, he provides practical guidance to help clients address business needs and mitigate risk in outsourcing arrangements. He is also experienced in formulating data security and privacy policies for clients subject to federal and state data security laws and regulations, and assisting clients with data breach response measures. He can be reached at jsilver@bernsteinshur.com.

