by Robert Scott
The enterprise software industry is undergoing one of the most significant transformations in its brief history. The battle for cloud supremacy among major software publishers has potentially significant implications for lawyers who represent both service providers and end users. While IT and business professionals can be easily convinced of the benefits of moving from on-premises software deployments to cloud-based solutions, security, legal, and risk management professionals must take the lead in making sure that adoption of cloud software solutions makes good business sense. The legal issues in cloud contracts are different from those in traditional software licensing. Here is a list of key issues to look for when reviewing cloud contracts.
A good cloud contract has a clearly written license grant that identifies the scope of the software license being granted. The key is to make sure that the grant covers all existing and anticipated use cases. Lawyers should review the specific grant language with their clients after discussing all potential use cases. Use cases involving sub-contractors, consultants, vendors, and customers are often overlooked. A grant to the customer and its affiliates may not be acceptable to a client that needs to provide access to non-affiliate joint venture partners. Any use outside the license grant may give rise to copyright infringement liability, so it is very important to discuss these issues with the client.
Implementation and Service Level Descriptions
Cloud contracts generally involve a bundled solution including hardware, software, and services. It is important for lawyers to work closely with clients to make sure that all known operational risks are covered.
Confidentiality clauses were mostly non-substantive boilerplate in on-premises software licenses, but they take on added significance in cloud contracts. Customers contemplating storing confidential information need to ensure that providers are going to appropriately safeguard that information and agree not to misuse it or disclose it to third parties. Because the definition of confidential information is often carried through to other important risk-balancing provisions in a cloud contract, lawyers should carefully review language to make sure that the client is adequately protected.
In on-premises software licenses, intellectual property provisions were generally not difficult to negotiate. Ownership of intellectual property in cloud contracts is more hotly contested. Vendors want to own all of the rights to enhancements to the software, including those commissioned and paid for by the client. The client’s lawyer should request that the client owns everything that it owned prior to entering into the contract, plus all enhancements the client commissions.
Compliance with Laws
Another frequently overlooked provision in cloud contracts is the compliance with laws section. It usually requires the client to be responsible for compliance with all laws related to its industry. If the customer is in a regulated industry, such as healthcare or financial services, federal regulations require service providers to agree to be bound by those regulations. Provisions that do the exact opposite are therefore problematic.
Given the security and business continuity risks in cloud contracts, many clients will require service providers to carry professional liability insurance to cover claims arising out of or related to the service. Lawyers should include language in the agreement specifying the exact nature of the coverage that is required. General liability coverage for personal injury and property damage is not sufficient. Covered claims should include data breach, data loss, regulatory responses, and consumer-oriented claims. Coverage limits should be set so that they are reasonable in light of potential claims scenarios.
Historically, indemnity for third-party infringement claims related to ownership of the software was the extent of what was offered by vendors. In cloud contracts, third-party IP claims continue to be a key indemnity issue. Indemnification for third-party claims related to data disclosure or data loss is equally, if not more, important. Lawyers for end users should work to make the provider’s indemnification obligations align with the indemnity being offered in the professional liability insurance. It makes no sense to require the provider to carry insurance if your indemnity provision is not at least as broad as the indemnity obligation that has been transferred through insurance.
Limitations of Liability
Most cloud contracts limit the provider’s liability in some way to the revenue that customer pays. Provider agreements will frequently read, “. . . in any event Provider’s liability shall be limited to the amounts paid by Customer in the six months preceding the incident giving rise to a claim.” Lawyers for end users need to carefully explain and negotiate the limitation of liability, taking advantage of insurance coverage whenever possible.
Robert J. Scott is Managing Partner of Scott & Scott, LLP. He may be reached at firstname.lastname@example.org.