If you represent clients in business transactions and/or intellectual property matters, you know that agreements to purchase hosted, managed or “cloud” computing services are becoming very common in today’s business world. More and more companies (and law firms for that matter) are outsourcing all or a portion of their information technology (IT) functions to third parties.
The upside of cloud-based IT is well known: Companies can often save significant money and management time because they don’t need to maintain as much IT infrastructure (hardware, software and personnel) in-house.
Lawyers advising clients in this area need to focus clients not only on the business deal (fees, the services provided, risk allocation, etc.), but also on the often complicated operational issues that can give rise to intellectual property concerns (both directly and indirectly).
What follows is a description of some of the more common IP issues that arise in cloud deals.
By definition, cloud computing raises confidentiality issues because your client’s data, documents and proprietary information/trade secrets will be in the hands of a third party.
Some key questions to ask the service provider include: Will my client’s data be stored on dedicated pieces of hardware (i.e., will there be servers or other storage resources devoted just to my client’s information?) or will the data be commingled with that of other customers? What types of service provider personnel will have access to my client’s data — employees only? Employees and contractors?
Does the service provider bind all employees and contractors to nondisclosure agreements? Will my client’s documents and data physically reside at a facility operated by the service provider itself or will they be located at a third-party data center? (Often, the answer is both, because cloud computing companies usually use third-party data centers for backup and redundancy.)
If your client collects data as part of its operations that must be used and stored in compliance with state or federal privacy regulations (e.g., patient information generated by a health care client, credit card information generated by a consumer products client), does the cloud computing service provider have experience with other clients in the relevant industry? Will the arrangement comply with the applicable statutes? Does the service provider make any warranties about assisting with or maintaining such compliance?
If third-party data centers will be used, find out how they are classified in industry parlance — i.e., Tier 1, Tier 2 or Tier 3. These different levels are based on industrywide standards and can be a handy way of determining how secure your client’s data is.
Each tier is defined by the data center’s infrastructure (e.g., the redundancy of its various telecom and utility services) and its security and access procedures. If your client handles particularly sensitive information, you may want to consider a requirement in the deal documents that all data centers used not be below a certain tier.
Customized Interfaces or Services
When your client outsources its IT functions, a one-size-fits-all approach usually won’t work. The client will often be paying its cloud service provider (or a third-party consultant) significant professional fees (fees that exceed $100,000 are not unusual) to customize the screens and other interfaces that its employees see.
Most enterprise software will not work for your client right out of the box — it needs to be configured to align with your client’s operations. This work is usually categorized in cloud contracts under the broad heading of “implementation services.” If your client also needs its customers to have access to the data in the cloud, the implementation services will usually involve the design of websites and other online portals that include the company’s service marks, distinctive colors and trade dress.
With your client spending all of this money, it is crucial that you secure for your client in the deal documents sufficient rights in the customized work so that it can use the work product again in the future — either with another IT service provider or even by its own employees if your client is retaining some in-house IT capability.
You will need to pay particular attention to the provisions in the documents describing which party owns or retains rights in the “work product” or “deliverables.” Obviously, the service provider will want to retain some rights in customized work so that useful solutions originally designed for your client can be used with its other customers.
How extensively your client will want to negotiate these provisions depends on how much of a competitive advantage your client believes that its business processes confer. If your client thinks its particular business practices as reflected in the custom IT work that the consultant is performing are distinctive in its industry and constitute a valuable trade secret, you’ll want provisions that give your client broad ownership rights and exclusive rights to use the work product.
If the custom work isn’t so crucial to your client’s success, an agreement with the service provider that permits concurrent rights to use and modify certain parts of the deliverables will usually be acceptable.
Work for Hire
On a more basic level, you will also need to confirm that the service provider itself has the power to grant ownership and use rights to your client. If the service provider uses subcontractors to perform work for your client rather than employees (a very common approach in the IT industry), you need to provide in the deal documents that the service provider is required to bind all of the contractors to “work for hire” and other agreements that transfer all rights in their work to the service provider. Only then will the service provider have rights to transfer ownership and use rights to your client in the work product and deliverables.
When your client outsources its IT functions, one of the tradeoffs in the new arrangement is a certain loss of operational flexibility. The cloud service provider will typically be managing IT for numerous clients and will have developed institutional procedures and practices that are more routinized than what your client was used to when its own employees were running its in-house IT department.
This downside to cloud-based IT often manifests itself in the software licenses for the applications your client uses.
You’ll need to assist your client in figuring out which provisions in the licenses could have operational significance and then attempt to negotiate them accordingly. For example, can the cloud provider host all of the software applications that your client uses or will certain programs and databases need to remain local (i.e., on site)? If the provider won’t or can’t host certain programs, does it offer suitable alternatives that your client can use? Can your client add new applications or modules to the cloud whenever it wants or will the provider act as a gatekeeper to decide which programs it will or won’t host?
One of the most crucial issues to nail down is whether the cloud provider will require your client to migrate to the newest version of the applications soon after they get released (thereby forcing the company to incur training expenses and the disruption new software inevitably causes) or whether your client can remain on the old version of its software for some period of time.
How to unwind the licensing arrangements at the end of the cloud provider’s contract is another issue you should deal with at the beginning of the relationship. Your client will need the cloud provider to cooperate with and assist the successor service provider (or your client’s in-house IT staff if the functions are being returned to a local environment) in licensing all necessary software and then migrating all existing data and documents and, more importantly, preserving intact all information and metadata embedded in your client’s documents (like dates, author, customer file numbers, etc.).
If the databases are particularly complex or large, the migration process could be lengthy and you may need to negotiate a transition period following the term of the contract during which your client can have access to the old cloud while preparing the new cloud.
This is by no means an exhaustive list of the IP issues that arise in cloud computing deals, but it gives you a sense of the questions that counsel should raise with clients that are seeking advice in this area. Obviously, lawyers (whether outside or in-house) are no substitute for your client’s IT employees or consultants, but if you take the time to learn about your client’s business and the particular operational challenges the company has in the IT area, you will be in a much better position to offer truly valuable representation in these transactions.
Thomas H. Speranza is a partner in Kleinbard Bell & Brecker’s business and finance department. He has more than 20 years of experience handling both corporate and intellectual property transactions, offering his clients a valuable perspective in today’s business environment, where technology and IP assets are a crucial element in most deals.