The FCC’s Reassigned Numbers Database Debuts

The Telephone Consumer Protection Act creates a seemingly endless list of compliance challenges and other headaches for companies determined to mitigate the financial cost and resource burden of TCPA litigation. This year brought welcome news from the U.S. Supreme Court, whose unanimous decision in Facebook, Inc. v. Duguid established a narrow “autodialer” standard, applicable nationwide. We are on the cusp of another positive development with respect to TCPA compliance. On October 1, 2021, the Federal Communications Commission announced its interim fee structure for the new reassigned numbers database, which launched on November 1, 2021.

The TCPA compliance problem created by accidental calls to reassigned numbers began in 2015. At that time, the FCC issued formal guidance explaining that the consent required by the TCPA must come from the person actually called, not the person the caller intended to reach. The FCC conceded that this created a compliance complexity in the case of reassigned numbers. Specifically, a caller may have had valid consent to call a particular consumer at a particular phone number but, unbeknownst to the caller, the consumer had surrendered the number, which was subsequently reassigned to an unrelated third party. If the caller used an autodialer or a prerecorded message to reach the intended call recipient using a number that had been reassigned, that call would violate the TCPA: the caller would not have consent from the person actually called.

As a practical matter, callers had no way to avoid these inadvertent TCPA violations. The FCC responded to this difficulty by offering a series of unserious options purportedly available to companies to avoid these calls. These included periodically contacting customers to ask if their numbers had changed and contractually obligating customers to notify the company when their number changes. (Presumably, companies could sue their customers for breach of contract if they failed to provide this notice.) However, the FCC also acknowledged that companies needed a more effective solution on this issue, so it established a limited, one-call safe harbor. Companies who inadvertently called a reassigned number automatically used up this safe harbor in that one call, no matter the result. Every subsequent call to that reassigned number using an autodialer or prerecorded message would violate the TCPA.

In 2018, the U.S. Court of Appeals for the District of Columbia Circuit vacated the FCC’s one-call reassigned number safe harbor as arbitrary and also vacated the FCC’s interpretation imposing TCPA liability for calls to reassigned numbers generally. In the wake of that decision, the FCC launched a new proceeding to create a reassigned numbers database, which would enable callers to verify whether a telephone number had been reassigned before calling that number.

Three years later, the FCC has launched this comprehensive database, which contains reassigned number information reported by participating providers. After completing a beta test, the FCC opened access to paid subscribers on November 1. The FCC released an interim fee schedule for users ahead of the announced debut, explaining that the schedule is subject to change because the FCC lacked an adequate record to determine, on a more permanent basis, how much it would need to collect from users to offset the cost of maintaining the database.

The interim fee schedule creates six categories of users, based on the number of database queries per subscription period, ranging from extra small to jumbo. Extra small users can submit up to 1,000 queries per month; jumbo users can submit up to 30,000,000 queries per month. The fee schedule also offers three subscription periods: one month, three months, and six months. The greater the volume of queries, the lower the per-query cost. Extra small users would pay $10 per month; jumbo users would pay $35,100 per month. The FCC’s interim fee structure also presents options for companies that use up their allotted queries and want additional database access.

Notably, the FCC’s approach allows companies to work with a “caller agent,” which accesses the database on behalf of one or more companies. This would allow smaller companies to work in cooperation with a vendor to qualify for the discounts available to larger subscribers. This is in contrast to how the national do-not-call list’s fee structure works: the FTC expressly prohibits sellers from partnering with a vendor that accesses the do-not-call list on behalf of multiple companies. Here, extra small users would pay one cent per query, while jumbo users would pay about one-ninth as much. Small companies that want to use the reassigned numbers database to avoid inadvertent, and heretofore unavoidable, TCPA violations could see significant cost savings by working with a caller agent.

For more information, view the official webinar and slide presentation that accompanied the public launch of the FCC’s new reassigned number database on November 1, 2021.

Law Firms Form Carolinas Social Impact Initiative to Support Inclusivity and Economic Mobility in the Carolinas

In May 2020, just after George Floyd’s murder and as many across our nation were protesting social injustice and racial inequity, a large group of law firm leaders in Charlotte, North Carolina were thinking the same thing at the same time: what can we do to help with the resources we have? How can we drive the change that we want to see?

Two dozen of us gathered to brainstorm on how we could pool our strengths and resources to make a true difference. We discussed what we were doing within our own firms and how we could work together to do something even more meaningful. Those conversations eventually led to our forming the Carolinas Social Impact Initiative, an effort to foster a more inclusive community and reduce systemic barriers to social and economic mobility in the Carolinas.

More than a year later we are still going strong. With our joint efforts picking up steam, we are on our way to harnessing our collective resources to facilitate lasting change in our community.

As with many efforts such as ours, establishing a core mission is a crucial first step. We took that step by listening to community leaders. Many in Charlotte have been working to improve economic mobility in our minority communities in the wake of a 2014 study that ranked the city last in upward mobility among the 50 largest U.S. cities. Our county at large and many others across North and South Carolina also rank poorly in offering children the best chance to rise out of poverty. We decided we would align our strengths and address mobility and inclusiveness by establishing four separate focus areas:

  1. Supporting minority-owned businesses and entrepreneurs
  2. Advancing educational opportunities
  3. Supporting family stability and social justice
  4. Improving access to social capital and career opportunities

We selected these priorities because we felt they were a good match for our skill set as lawyers, and because we believe they give us the best chance to make a difference and assist with long-term solutions to long-standing challenges. Our goal is to make a generational difference that will benefit our community and citizens well into the future.

“Tackling issues of race and equity is not easy but certainly necessary, especially after the events of last year and the continued impacts of the pandemic,” said Sherri Chisholm, executive director of Leading on Opportunity. Her organization is focused on improving economic mobility in the Charlotte area, and we have benefitted greatly from Ms. Chisholm’s guidance and the work of Leading on Opportunity in our organization and planning.

“The members of the Carolinas Social Impact Initiative have been intentional about their work in the community, speaking directly with community members and leaders to determine the best approach for their unique skills and network,” Ms. Chisholm said. “Leading on Opportunity is thankful to walk alongside the Initiative on this journey and looks forward to the lasting impact it will make on Charlotte for years to come.”

We were especially excited to launch the coalition’s first program in summer 2021: the Charlotte Legal Initiative to Mobilize Businesses (CLIMB), through which volunteer lawyers provide pro bono business legal services to low-income entrepreneurs in the Charlotte area.

CLIMB is an example of how the coalition firms are aligned and can combine resources to make a greater impact together. Both Moore & Van Allen and Robinson Bradshaw were independently brainstorming in the summer of 2020 about providing pro bono legal services to entrepreneurs in our historically under-resourced communities. Through the Carolinas Social Impact Initiative, the two firms combined their separate ideas to create a more meaningful, lasting, scalable program. The result is CLIMB, through which coalition firms apply our unique skills as lawyers to help entrepreneurs and small businesses. By volunteering those skills, we hope to help broaden economic opportunities and stability.

“The CLIMB model is one that will benefit our small businesses that often struggle to afford the legal protection and support needed to succeed in this economy,” said Charlotte Mayor Vi Lyles. “We are grateful to the Carolinas Social Impact Initiative—and Robinson Bradshaw and Moore & Van Allen in particular—for bringing this equity-based resource to our city and investing in the success of our business community.”

CLIMB has been up and running as a pilot program since June of this year. During the pilot phase, volunteer lawyers from Robinson Bradshaw and Moore & Van Allen coordinated the program and provided legal services. In the coming months, we expect a broad range of coalition lawyers—as well as lawyers from other firms and legal employers—to join this effort.

In the near future, the Carolinas Social Impact Initiative plans to expand CLIMB and launch additional programs to advance our other three focus areas. Planning is well underway, as are our conversations with community leaders. We will also work to expand our impact beyond the Charlotte region.

We are so proud of the community spirit exhibited by all of our law firm leaders and are thrilled that the Carolinas Social Impact Initiative remains a true team effort. The member firms are: Alexander Ricks; Alston & Bird; Bradley; Cadwalader, Wickersham and Taft; Hamilton Stephens Steel + Martin; Hedrick Gardner; Holland & Knight; Hunton Andrews Kurth; James McElroy & Diehl; Johnston, Allison & Hord; Katten Muchin Rosenman; King & Spalding; K&L Gates; Mayer Brown; McGuireWoods; Moore & Van Allen; Nelson Mullins; Offit Kurman; Parker Poe; Robinson Bradshaw; Shumaker; Troutman Pepper; Winston & Strawn; and Womble Bond Dickinson.

We would love for more firms and legal professionals to join and help us drive needed change in our communities.

If you are interested in joining our efforts, please contact Tom Griffin ([email protected]), Allen Robertson ([email protected]), and Tom Mitchell ([email protected]).

American Airlines and the Government Accuse Each Other of Prohibiting Competition

The Antitrust Division of the U.S. Department of Justice (DOJ) and several state Attorneys General are challenging the collaboration between American Airlines Group Inc. (“American”) and a competitor, JetBlue Airways Corp. (“JetBlue”). Each side of the dispute accuses the other of harming competition among airlines. On September 21, 2021, the DOJ and its state attorney general partners filed suit in Massachusetts federal court to block a series of agreements between the airlines called the “Northeast Alliance.” The plaintiffs argue that the Alliance will reduce competition between American and JetBlue to the detriment of consumers. American and JetBlue, on the other hand, say that the Alliance allows them to better compete with other major airlines.

Background

The attorneys general of Arizona, California, Florida, Massachusetts, Pennsylvania, Virginia, and the District of Columbia have signed on to the DOJ’s suit. American is the world’s largest airline. In 2019, it flew approximately 215 million passengers and took in roughly $45 billion in revenues. JetBlue is a low-cost airline founded in 1998. In 2019, JetBlue flew over 42 million passengers and took in approximately $8 billion in revenues.

On July 15, 2020, American and JetBlue entered into a collaboration, memorialized in a series of agreements, including an umbrella agreement titled the “Northeast Alliance Agreement.” That agreement commits the companies to pool revenues and coordinate network planning at Boston Logan, JFK, LaGuardia, and Newark Liberty, including deciding together which routes to fly, when to fly them, who will fly them, and what size planes to use. The companies also committed to pool and apportion revenues earned on flights.

The Lawsuit

The lawsuit argues that consolidation, which the government contends harms consumers, has occurred rapidly in the U.S. airline industry. In 2000, the four largest airline companies controlled 55% of the market. Today, they allegedly control 81%. One of the ways the government claims consolidation harms consumers is that it allows airlines to reduce capacity—the industry’s term for the number of available seats—which in turn raises prices.

The agencies’ complaint describes JetBlue as a disruptive force in the marketplace, including by exerting downward pressure on the prices of American and other airlines. The agencies also assert that the Alliance operates as if the two airlines had merged. The lawsuit argues that even though each airline is permitted to set its own prices, the Northeast Alliance will allow American and JetBlue to coordinate important strategic decisions that will cost American consumers hundreds of millions of dollars in higher airfares and reduced travel options. “In an industry where just four airlines control more than 80% of domestic air travel, American Airlines’ ‘alliance’ with JetBlue is, in fact, an unprecedented maneuver to further consolidate the industry. It would result in higher fares, fewer choices, and lower quality service if allowed to continue,” Attorney General Merrick Garland said.

The complaint asserts a single claim under Section 1 of the Sherman Act, the federal antitrust law prohibiting unreasonable restraints of trade. To succeed under Section 1, the plaintiffs will have to show that the “Northeast Alliance Agreement” unreasonably restrains trade. Courts analyze agreements under either the “Per Se Rule” or the “Rule of Reason.” Under the Per Se Rule, agreements that always or almost always tend to restrict competition and decrease output are considered automatically illegal and are condemned without further examination. Ohio v. Am. Express Co., 138 S. Ct. 2274, 2283 (2018). The plaintiffs do not appear to be arguing that here. Under a Rule of Reason analysis, the factfinder weighs all the circumstances of the case to determine whether the challenged restraint substantially suppresses or destroys competition. Am. Express Co., 138 S. Ct. at 2284. The goal is to distinguish restraints with anticompetitive effects harmful to the consumer from restraints that stimulate competition in the consumer’s best interest. Courts have developed a burden-shifting test under which the plaintiff may show harm using either (1) direct evidence, such as increased prices or reduced output, or (2) indirect evidence, such as a showing that the challenged restraint substantially harmed competition in a defined market in which the defendant has market power. If the plaintiff carries that burden, the defendant must then come forward with evidence of the restraint’s procompetitive effects, and the plaintiff must then show that any legitimate objectives could be achieved in a substantially less restrictive manner.

American and JetBlue’s Response

American and JetBlue seem undeterred. American Chairman and CEO Doug Parker argued the Northeast Alliance would increase, rather than harm, competition because the Alliance allows American and JetBlue to better compete with other airlines that currently dominate the New York airports. “Ironically, the Department of Justice’s lawsuit seeks to take away consumer choice and inhibit competition, not encourage it,” Parker said. “This is not a merger: American and JetBlue are—and will remain—independent airlines. We look forward to vigorously rebutting the DOJ’s claims and proving the many benefits the Northeast Alliance brings to consumers.” JetBlue CEO Robin Hayes similarly said JetBlue’s “commitment to competition and low fares remains as strong as ever. This is not at all like a merger with American—we have two different business models and are not working together on pricing.”

Takeaways

This matter raises a few interesting questions. If American and JetBlue stick to their guns and litigate this matter, how will the court resolve the parties’ conflicting claims about the effect on competition? What role, if any, will post-Northeast Alliance price changes play? Of course, the agencies will view any price decreases with great skepticism, while the airlines will argue that they are one of the benefits of the Alliance. Is this a one-off case, or does the DOJ intend to bring antitrust actions against other large companies that form strategic partnerships with smaller rivals in order to better compete against the firms holding the largest market share?

To Be Released Soon: The ABA’s 2021 Private Target Mergers & Acquisitions Deal Points Study—and Sneak Preview of Select Data Points

WHAT EXACTLY IS THIS PRIVATE TARGET DEAL POINTS STUDY, ANYWAY?

The Private Target Deal Points Study is a publication of the Market Trends Subcommittee of the Business Law Section’s M&A Committee. It examines the prevalence of certain contract provisions in publicly available, private target M&A transactions during a specified time period. The Private Target Deal Points Study is the preeminent study of M&A transactions and is widely utilized by practitioners, investment bankers, corporate development teams, and other advisors.

WHAT TIME PERIOD WILL BE COVERED BY THE STUDY?

The 2021 iteration of the Private Target Deal Points Study will analyze publicly available definitive acquisition agreements for transactions executed and/or completed either during calendar year 2020 or during the first quarter of 2021.

WHAT INDUSTRIES WILL BE COVERED BY THE STUDY?

The deals in the Private Target Deal Points Study reflect a broad array of industries. The healthcare, technology, and industrial goods and services sectors together make up approximately 41% of the deals in this year’s study.

WHAT IS THE SIZE OF THE TRANSACTIONS OF THE STUDY?

The transactions analyzed in the Private Target Deal Points Study were in the “middle market,” with purchase prices ranging between $30 million and $750 million; purchase prices for most deals in the data pool were below $200 million.

WHERE ARE YOU IN THE PROCESS OF RELEASING THE STUDY?

Given the busier-than-ever M&A environment this year, our working group members had less than the usual amount of time to dedicate to their work on the study. The vast majority of our 10 issue groups have turned in their data, and the members are processing and analyzing it, and finalizing the slides.

CAN YOU SHARE ANY SNEAK PREVIEW DATA?

We shared a couple of sneak preview data points with attendees at the meeting of the Market Trends Subcommittee at the ABA’s M&A Committee meeting in September and encourage you to sign up for the M&A Committee and its various subcommittees if you haven’t already—at the following link on the ABA’s website.

We can give you a similar peek ahead (understand, however, that our process is still ongoing and thus these data points may not be final):

Consistently inconsistent COVID-19 representations 

  • The sneak peek: For obvious reasons, measuring representations related to COVID-19 is a new data point for the 2021 version of the Private Target Deal Points Study. What we learned is that the global pandemic impacted representations and warranties in our selected data set,[1] but not in a consistent way. Nearly one-third of our selected data set contained a representation related to COVID-19. However, these representations varied dramatically, covering matters such as the Paycheck Protection Program, furloughs, and supply chain matters.
  • What to watch for: Given the broad range of approaches to representations related to COVID-19 in our selected data set, we will publish an addendum containing the specific representations when we release the 2021 version of the Private Target Deal Points Study.

[Chart (“Sneak Peek”): COVID-19 representation included in 32% of deals in the study; not included in 68%.]

More RWI deals 

  • The sneak peek: Representations and warranties insurance (RWI) has been a huge game changer in M&A deals. We measure whether a deal in our study pool utilized RWI by the closest proxy we can access: whether the purchase agreement references RWI. (Of course, RWI may have been obtained without such a reference in the purchase agreement.) The 2017 version of the Private Target Deal Points Study showed RWI references in less than one-third of the deals. The 2019 version marked the first time a majority of the deals referenced RWI. The 2021 version shows even more growth, with nearly two-thirds of the deals referencing RWI.
  • What to watch for: Use of RWI in a deal impacts a variety of the negotiated provisions, as evidenced by our prior study data correlations. We are correlating even more data points with RWI references in the 2021 version of the Private Target Deal Points Study, so watch for those.

[Chart (“Sneak Peek”), “Does Agreement Reference RWI?”: references have increased consistently since 2016-2017. Of deals in 2016-2017, 29% referenced RWI; in 2018-2019, 52%; and in 2020-2021, 65%.]

Please keep an eye out for our study and for an In the Know webinar to be scheduled, during which the chairs and issue group leaders will provide analysis and key takeaways from the results of the 2021 Private Target M&A Deal Points Study.


[1] We recognize that it is not helpful to include in our denominator deals that were negotiated before the effects of the pandemic were understood in the United States. Thus, because our data set includes deals from 2020 and the first quarter of 2021, we excluded deals from this data point if the agreement was signed before March 11, 2020, which is the date the World Health Organization declared a global pandemic.

2020 Election Recap and Strategies for Lobbying the New Administration for the Business Lawyer

The 2020 election brought many changes to Washington, DC, with the Democrats taking control of the White House and the United States Senate and continuing control of the House of Representatives. For businesses, the new political alignment in Washington provides policy opportunities and risks. Democratic control of Washington also creates new Congressional investigation risks for some businesses. It is imperative that an organization have a proactive governmental affairs strategy and implement best practices to establish an effective and compliant governmental affairs program.

As with any election, and particularly with elections where political power shifts from one political party to the other, there are policy implications for businesses. Proactive businesses should evaluate those policy risks and opportunities so they can develop an effective engagement strategy with the federal government. Businesses should also take the following initial steps to ensure their engagement is effective:

  • Assess opportunities and risks
  • Identify key stakeholders, including government officials, potential allies and opponents
  • Identify the key opportunities to influence policy, including the nominations process and through legislation and regulations

When it comes time to interact with government officials and staff, there are best practices to keep in mind:

  • Ensure compliance with lobbying requirements before engagement
  • Establish internal compliance systems
  • Engage early and do not wait for a crisis
  • Do not assume they know your business and its issues
  • Know your audience
  • Engage constituents where possible
  • Develop a concise presentation and leave behind documents
  • Make a clear request for action
  • Ensure no one is blindsided
  • Thank them appropriately

Overview of the Federal Lobbying Disclosure Act

The federal Lobbying Disclosure Act of 1995 (“LDA”), as amended by the Honest Leadership and Open Government Act of 2007, is a federal lobbying statute administered by Congress that applies to legislative and executive branch contacts. The LDA does not cover state or local lobbying. State and local jurisdictions have their own lobby registration and reporting requirements.

The LDA requires entities employing in-house lobbyists, lobbying firms, and self-employed lobbyists to register and report certain lobbying activities—including matters lobbied, lobbyists, and lobbying expenses—with the Clerk of the US House of Representatives and the Secretary of the US Senate.

Registrations and quarterly reports are submitted by registrants (i.e., the registered entity), not individual lobbyists. In addition, the LDA requires that semi-annual reports and certifications are submitted by both registered entities and individual lobbyists.

Whether an organization must register depends on whether the entity employs any individual who meets the LDA’s definition of lobbyist. Under the LDA, a lobbyist is an individual who, for compensation, makes more than one lobbying contact and spends 20% or more of his or her time during a quarter on federal lobbying activities, as defined.

The LDA is important for any entity whose employees contact federal officials regarding covered matters. Understanding these requirements, best practices surrounding federal lobby compliance, and potential pitfalls is imperative for any organization that interacts with the federal government.

Necessity of Effective and Compliant Governmental Affairs Program

Any company or organization that is active in the political or public policy arenas should have a robust governance structure that includes an effective compliance management system created specifically to address these activities. Just as companies have compliance policies and processes to address laws designed to prevent bribery, discrimination, and privacy violations, a company that engages with government officials or advocates on political or public policy issues must build a political law compliance system designed to address the unique legal and reputational risks that may arise from such engagements. There is no one-size-fits-all approach, but each company that participates in the political or public policy process should carefully consider what foundational principles, policies, and processes are necessary for the company, not only to engage in a legal and responsible manner, but also to ensure a good governance structure for its decisions.

There are four key components of a political law compliance program. First, detailed corporate policies should govern a company’s activities in the public policy and political arena. These policies need to be clear and concise. Second, the company must have strong, robust internal processes and structures, including approval procedures for political contributions, gifts, and lobbying activities, as well as recordkeeping requirements. Third, a comprehensive compliance program needs to focus on what is communicated to both employees and the public. This includes an interactive training and communications program to ensure employees are aware of the requirements that govern their behavior. Additionally, the company should consider what elements of its compliance program it communicates to the public via its corporate website. Finally, a company must build audit and oversight mechanisms into its compliance program to detect potential wrongdoing and to determine whether the program is operating effectively and efficiently.

Del. Court of Chancery Denies Request for Dissident Slate to Stand for Election to CytoDyn Inc. Board in Advance Notice Bylaw Dispute

Rosenbaum v. CytoDyn Inc., C.A. No. 2021-0728-JRS (Del. Ch. Oct. 13, 2021) (Slights, V.C.)

In this memorandum opinion and following trial on a paper record, the Delaware Court of Chancery denied plaintiffs’ request for a mandatory injunction to compel CytoDyn Inc. (the “Company”) to allow plaintiffs’ dissident slate of directors to stand for election to the board at the Company’s October 28, 2021, annual meeting. The Court concluded that plaintiffs’ nomination notice, which was submitted on the eve of the notice deadline specified in the Company’s bylaws, was deficient and the board was justified in rejecting it, despite a nearly month-long delay in responding to the notice.

Plaintiffs, who had launched a proxy contest in July 2021 to replace five of six incumbent directors at the Company’s 2021 annual meeting, argued that the board wrongfully rejected the nomination notice, triggering enhanced scrutiny under Blasius Indus., Inc. v. Atlas Corp., 564 A.2d 651 (Del. Ch. 1988). Defendants argued in the alternative that the Court’s legal analysis should be “purely contractual,” with any fiduciary considerations analyzed under the deferential business judgment rule. The Court declined to invoke Blasius review after concluding that the board did not act for the sole or primary purpose of thwarting the effectiveness of a stockholder vote. The Court further concluded that the board’s failure to respond to the activist group in order to give plaintiffs an opportunity to cure “materially deficient disclosures” contained in the notice was not manipulative conduct.

Although Blasius did not apply, the Court recognized that board members tasked with enforcing bylaws against stockholders confront a “structural and situational conflict,” and the Court is empowered to address the inequitable application or enforcement of an advance notice bylaw. In this instance, the Court found there was no inequitable conduct on the part of the board, which, upon receiving the deficient notice on the eve of the deadline specified in the Company’s bylaws, did not afford plaintiffs an opportunity to cure the notice defect. Importantly, the Company’s advance notice bylaw did not impose an express duty on the board to reach out to stockholders to cure deficiencies or otherwise provide a process to cure a deficient notice.

The Court noted that plaintiffs could have made a stronger case of manipulative conduct had they submitted their nomination notice “well in advance of the deadline,” as the board would have had more difficulty justifying its nearly month-long silence in light of its fiduciary duties if “ample time remained before the arrival of the notice deadline.” On the record presented, however, the Court concluded that plaintiffs were required to submit a compliant notice given the last-minute nature of their submission, and their decision to submit the nomination notice on the eve of the deadline left no room for the Court to invoke equitable principles to override the decision made by the Company’s board.

Importantly, the CytoDyn opinion represents the first ruling on the merits by a Delaware court analyzing a board’s rejection of a nomination notice for disclosure deficiencies relating to information required by an advance notice bylaw. As noted by the Court, “[w]here Plaintiffs ultimately went wrong here is by playing fast and loose in their responses to key inquiries embedded in the advance notice bylaw….”

Global Rule of Law Trends Pose Challenges for ESG Movement

“Global Rule of Law Trends Pose Challenges for ESG Movement” is the fourth article in a series on intersections between business law and the rule of law, and their importance for business lawyers, created by the American Bar Association Business Law Section’s Rule of Law Working Group. Read more articles in the series.


Growing investor concern for Environmental, Social, and Governance (ESG) issues has business lawyers scrambling to advise clients on an ever-expanding list of norms, best practices, and regulatory and reporting requirements. This advice tends to focus on the immediate ESG dimensions and impacts of a given client’s business activity, but the broader rule of law context in which companies hire, buy, manufacture, and sell has significant ESG implications that business lawyers need to incorporate into their advice.

The 2021 Rule of Law Index® from the World Justice Project (an American Bar Association spinoff for which I work) shows rule of law declining globally and underscores the challenges these trends pose to the private sector ESG movement. The data reveal persistent widespread corruption, growing discrimination, and failing justice systems, among other rule of law issues confounding ESG compliance. Businesses looking to make meaningful and sustainable ESG progress need strategies that not only protect them against these rule of law realities but also help reverse the negative trends and strengthen the rule of law over the long term.

The Rule of Law Context for ESG Advice

The mushrooming field of ESG compliance encompasses everything from recruiting and supporting a diverse workforce to minimizing environmental impact and safeguarding against corruption and human rights abuses. Business lawyers advising on these issues tend to focus on the direct ESG impacts of and risks to their clients’ operations, but the state of rule of law in the broader society provides important context for this advice. Where the rule of law and governance are strong, the private sector benefits from state action on a wide range of fronts, from combating discrimination and corruption to protecting rights, maintaining security, and enforcing environmental regulations. Good governance of this nature complements and reinforces corporate best practices and internal controls. By contrast, contexts in which rule of law is weak present significant ESG challenges to which even the best compliance program is vulnerable. For this reason, comprehensive ESG advice incorporates a strong understanding of the broader rule of law context for business operations and provides specific strategies for addressing risks that context presents.

New data from the World Justice Project provide a valuable—and concerning—input to such ESG advice. For the fourth year in a row, the recently published 2021 WJP Rule of Law Index® shows the rule of law declining in a majority (74.2%) of the 139 countries studied. The Index reflects the views of 138,000 households and 4,200 legal practitioners surveyed about how the rule of law works in practice. The study scores and ranks jurisdictions on the following eight factors of the rule of law: constraints on government powers, absence of corruption, open government, fundamental rights, order and security, regulatory enforcement, civil justice, and criminal justice. The Index is widely regarded as the leading source of original rule of law data, relied upon by a range of governments, intergovernmental organizations, corporations, scholars, civil society, and the media. An interactive Rule of Law Index data site enables users to probe the data for particular jurisdictions, identify comparative weaknesses in specific dimensions of the rule of law, and observe trends over time.

Since the last Index was published in March 2020, a majority of countries studied declined in all factors except “order and security.” The negative trends hold in all regions of the world and in both developed and developing countries. Of particular concern to business lawyers is the decline in the Index measures of open government, regulatory enforcement, and civil justice, areas in which we had seen modest improvements in recent years.

A chart titled "Factor of the Rule of Law Over Time," from the World Justice Project Rule of Law Index: 2021 Insights. Across eight factors of the rule of law (described in the article text), 63 to 70 percent of countries declined in all factors except order and security (46%). In most categories (all but fundamental rights, and order and security), a larger percentage of countries declined in the past year than declined in the past 6 years.

From an ESG perspective, the persistent, broad, and deep deterioration in Index measures of constraints on government powers, corruption, and respect for rights is a wake-up call. While businesses have in recent years made important strides to improve governance, compliance, and accountability in their boardrooms, factory floors, and supply chains, powerful negative rule of law forces have been pulling in the opposite direction and risk undermining private sector ESG gains. Business lawyers advising clients on ESG matters should be helping them develop strategies for contending with these broader negative rule of law developments.

Proactive Strategies for Addressing Rule of Law Issues

Specific strategies for mitigating rule of law-related ESG risk depend on the context, the nature of the relevant governance weaknesses in the business operating environment, and the vulnerabilities of the particular business operation. Companies and the lawyers who advise them generally prioritize prophylactic measures, putting in place training, safeguarding, assessments, controls, and other policies and practices to protect their operations from the risks posed by the operating environment. While such approaches are important, they do little to address the underlying rule of law conditions generating ESG risk. Too often, such approaches amount to a privatization of governance, letting governments off the hook for failing to uphold the rule of law. Over the long term, even the best compliance programs leave businesses susceptible to risks posed by an operating environment characterized by weak rule of law. As the data outlined above underscore, that risk is only growing. For that reason, a business lawyer’s advice on ESG matters should not just entail defensive strategies to ensure compliance in a client’s operations but also include proactive approaches to strengthen the rule of law more broadly in society.

A proactive business strategy for advancing the rule of law can have many different elements. Company leaders can signal publicly and privately that the rule of law matters, that they track government performance on rule of law metrics such as the WJP Rule of Law Index®, and that this performance affects business decisions. When private sector leaders say that the rule of law matters to their business—as Microsoft President Brad Smith did on the occasion of the Index launch—it creates powerful incentives for government actors to embrace reform. It can be challenging for an individual business to take on what can be politically sensitive rule of law issues. But businesses can make the point effectively through trade and professional associations and networks, such as the US Chamber of Commerce Rule of Law Coalition or the Corporate Alliance for the Rule of Law. In this regard, the American Bar Association Business Law Section’s Rule of Law Working Group is developing a valuable new initiative to encourage its lawyers to join with business organizations and clients in crafting strategies and engaging in direct action to strengthen the rule of law.

Beyond broadly signaling concern about the rule of law, businesses can engage government counterparts to address specific governance issues that affect the operating environment. This can entail supporting and promoting research on international standards, best practices, and model reforms and advocating their uptake by governments. Again, this can be done by individual companies or in association with others. Transnational businesses can also engage their home government to address rule of law issues in its bilateral and multilateral dialogue with other countries. Finally, businesses can provide financial and in-kind support to organizations working to address rule of law weaknesses. The World Justice Project’s World Justice Challenge competition identifies hundreds of such change-makers working across a wide range of issues of concern to the private sector.

The new Rule of Law Index® data underscore the urgency of these kinds of proactive strategies to strengthen the rule of law as a critical bulwark for ESG progress. Without such strategies, ESG efforts provide little more than a flimsy shelter against a growing, powerful storm. Private sector action to take on the negative rule of law trends and work to reverse them promises sunnier days and sustainable ESG progress.

Predicting M&A Drafting Innovations in 2022

As the M&A market breaks records, the pandemic wears on, and new market trends emerge, deal lawyers are likely to continue to confront a host of drafting challenges and reassess routine provisions in mergers and acquisitions contracts. From buzzwords to vaccines, here are some thoughts on what deal agreements might look like in 2022.

Pandemic Year Three

2022 will be the third year of the Covid-19 pandemic. Deal lawyers have adjusted quickly to the crisis, both in how they have conducted the deal process (see, for example, the discussion below on remote closings) and how they have addressed the complex collection of evolving pandemic-related issues that impact businesses and transactions in the body of their agreements.

As the pandemic continues to evolve, contract provisions will continue to do the same. One of the newer issues, which has only recently begun to show up in publicly available agreements, is Covid-19 vaccines. With government and corporate vaccine mandates increasing in prevalence, and the administration of Covid-19 booster shots just getting underway, agreements will increasingly need to address the vaccines—potentially in a wide range of provisions from representations and warranties to post-closing covenants. (By way of example, the definition of “fully vaccinated” could at some future time include the notion of booster shots or new health measures that protect workers against future variants, potentially impacting a variety of representations, covenants, and other provisions.)

With some pandemic issues, what we have seen is less evolution and more vacillation: the easing, then tightening, then easing again of health measures like masking and social distancing due to a variety of reasons, including the availability of new data and the emergence of new virus variants. Also, businesses are navigating a patchwork of conflicting guidance and best practices. This continuing state of change will undoubtedly impact how provisions, such as those regarding the ordinary course of business vis-à-vis Covid-19 and Covid-related exceptions to access-to-information covenants, are drafted. It could also impact how reasonableness is interpreted, as well as which, if any, reasonableness requirements parties elect to include in their references to Covid-19 responses.

On a related issue, will we get to a point where we are so deep into the pandemic that parties don’t feel the need to make qualifications to the definition of the ordinary course of business anymore, because pandemic ordinary course has already been in place for years?

There’s also a potential scenario none of us wants to consider, but given the events of the past year, it’s hard not to: What if, goodness forbid, the pandemic unexpectedly gets worse (again)? What if it gets really really bad? Right now, the pandemic market standard is to exclude pandemics generally, with it being very common to also explicitly exclude the current pandemic from the scope of the definition of “Material Adverse Effect” (MAE). Many of these exclusions go as far as to also exclude “worsening” and “future waves” of the pandemic. So with respect to these deals that exclude the pandemic from the MAE scope, especially those also explicitly excluding the worsening thereof, the answer would be that in such a doomsday scenario, those deal parties will most likely still be on the hook to close the deal, depending on the specifics of the agreement.

The pandemic has already caused legal scholars to take a more critical look at MAE definitions and MAE-related provisions. On one hand, changes in the severity of the pandemic could imaginably lead to shifts in the current MAE-exclusion trends. On the other hand, the legal scholarship and practitioner discourse that has been sparked by Covid-19 could introduce some new innovative approaches to MAEs with the potential to solve problems with the standard framework that long predate the pandemic.

The Future Arriving

In the world of M&A, everything is up this year. So are references in M&A agreements to certain emerging issues and trending market topics that make it feel like, in some areas, the future is already arriving. “Future words” feels like an appropriate label for these, though some might call them “buzzwords.”

Chart titled "Future Words in M&A Agreements." The chart indicates the number of publicly available agreements per year containing references to phrases including "climate change," "crypto," "remote work," and a search term for COVID vaccine/vaccination. All increased from 2020 to 2021 except "ESG," and "remote work" increased from just above 0 in 2019 to the mid-twenties in 2021.

According to Bloomberg Law Precedent Search, which is an advanced search of M&A agreements filed with the SEC via EDGAR, references to “remote work” in publicly available agreements first appeared in 2017. But the numbers clearly reflect that it didn’t become a thing until last year. Only one agreement containing the phrase appeared in 2017, and we found zero in 2018. References to “remote work” have jumped from only one agreement containing the exact phrase in 2019 to 13 agreements in 2020, and 24 agreements in 2021 thus far. Considering the slow pace of return to the office, we expect to continue to see “remote work” show up in deal agreements in 2022.

As discussed above, the issue of Covid-19 vaccines is an emerging one, and while our search yielded only three agreements containing a reference to Covid vaccines in 2020, we have found seven such agreements in 2021 as of October 26.

Corporate and market interest in cryptocurrency and blockchain are on the rise, and so are the number of agreements containing these exact phrases. “Crypto”—which, according to our search, has never appeared in more than five publicly available agreements in any prior year—has appeared in 12 M&A agreements this year, marking a significant leap in presence.

Corporations are incorporating sustainability, diversity, human rights, and other corporate social responsibilities (CSRs) into their contracts. Thus far, in M&A, references to “ESG” or “environmental, social, governance” are still found in very few publicly available agreements. Based on our search, 2020 and 2021 have had the highest number of agreements referencing ESG yet, and we expect to see more in 2022, especially if ESG is incorporated into regulatory frameworks and financial systems. Potentially a related indicator for ESG is “climate change,” which had a consistent level of references in agreements over the past decade before reaching an all-time high in 2021.

Remote Closings

According to our search of publicly available M&A agreements, which was crafted to capture agreements that allow for “remote” or “virtual” closings, the number of agreements explicitly allowing this type of closing has surged this year.

A chart titled "Remote/Virtual M&A Closing Provisions." The chart shows the number of publicly available agreements providing for this type of closing by year. The chart shows an increase from below 200 such agreements in 2017 to around 500 in 2021, with the increase accelerating over time.

In 2021, we found 506 agreements allowing for remote closings. This number is way up from 279 agreements in 2020 and 200 in 2019. Some are saying virtual dealmaking is here to stay, and these numbers make that stance hard to ignore.

PE Deal Drafting

There has been a massive amount of private equity M&A activity this year. When recently asked about the drafting trends he has been seeing in PE M&A deals, Andrew Nussbaum, corporate partner of Wachtell, Lipton, Rosen & Katz, noted that PE deals, both on the buy side and the sell side, “look more and more like a public company M&A transaction.” Nussbaum also noted that when the pandemic caused some deals to be renegotiated or terminated, it reminded sellers that “the boilerplate never matters until it does.” (The full discussion from August 2021 can be accessed here.) More public-style deal terms and closer attention to the boilerplate are trends to watch in PE deals into 2022.


This article was originally published on Bloomberg Law as “ANALYSIS: Predicting M&A Drafting Innovations in 2022” on Nov. 1, 2021.

Reproduced with permission. Bloomberg Law, Copyright 2021 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bloombergindustry.com

Ethical Implications of the Use of Legal Technologies by Innovative M&A Lawyers

Guidance from the ABA Mergers & Acquisitions Committee, Technology in M&A Subcommittee

Project Chair: Matthew R. Kittay, Fox Rothschild LLP
Key Contributors: Haley Altman, Litera; Anne McNulty, Agiloft; David Wang, Wilson Sonsini Goodrich & Rosati
Peer Reviewer: David Albin, Finn Dixon & Herling LLP
Committee Chair: Wilson Chu, McDermott Will & Emery LLP
Subcommittee Chair: Daniel Rosenberg, Charles Russell Speechlys LLP

“We’re often and in fact almost always way behind the curve on what is actually happening in the market. As a result, we’re backing into the regulation of the market by observing what is actually happening in the market.” — David Wang, Chief Innovation Officer, Wilson Sonsini Goodrich & Rosati

Goal. The goal of this guidance is to review the ethical implications of the use of legal technologies by M&A lawyers. While the group that developed this guidance understands that negotiating changes to contracts with many popular service providers is impractical in most scenarios, we believe that there are safe, productive and client-focused steps that can and should be taken by all attorneys to improve their workflows and their clients’ legal product. Faced with the fact that most readers probably will accept this general premise, this guidance focuses on how to effectively counsel clients and provides items for action and consideration by attorneys, for example when clients (or lawyers on the other side of a transaction) ask to use a particular technology on a transaction.

Although the examples given in this guidance refer to M&A, much of this will be of wider implication including the concise list of key issues set out in Appendix A.

Key questions addressed include:

  • What ethical duties must lawyers discharge when engaging these technologies?
  • What are the ethical and practical considerations regarding “automation” and the “unauthorized practice of law”?
  • Where is data that lawyers upload onto technology platforms hosted, and what are the data sovereignty implications?
  • What rights (IP and other) do the technology platforms take over the data that lawyers upload?
  • What level of security/confidentiality should lawyers require from technologies that we use?
  • How can lawyers effectively evaluate software?

1.0. Framework.

In order to provide guidance and some best practices to consider in leveraging technology in an M&A practice, we must start with the key ethical frameworks that underlie the use of technology and may encourage or require its usage in certain contexts. The American Bar Association’s Model Rules of Professional Conduct (the “Model Rules”), case law, and statutes help define the lawyer’s professional responsibility for utilizing technology in the practice of law, as well as the risks that must be addressed when certain technology is leveraged in the practice.

1.1. ABA Model Rules of Professional Conduct.

The specific Model Rules which govern or implicate requirements to use technology include: Rule 1.1 Duty of Technological Competence; Rule 1.5 Obligation not to collect unreasonable fees; and Rule 1.6 Duty of Confidentiality.

1.1.1. Model Rule 1.1 — Duty of Technological Competence (Comment 8):

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

The profession has increasingly recognized a two-fold duty with respect to the use of technology. Namely, these are the obligations to assess technology and determine whether the technology improves the services and benefits to a client, and also to understand the technology and ensure its use does not jeopardize the confidentiality of client information.

1.1.2. Model Rule 1.5(a) — Obligation not to collect unreasonable fees:

“A lawyer shall not make an agreement for, charge, or collect an unreasonable fee or an unreasonable amount for expenses…”

For example, if a client needs exactly the same agreement duplicated, except with altered party names, dates, and contact information, a lawyer must consider what are reasonable fees to collect for the work.

1.1.3. Model Rule 1.6 — Confidentiality of Information:

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b). 

(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary [as listed[1]];

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. 

When applying this Model Rule, the information may require additional security measures, and potentially could prohibit the use of technology depending on criteria including: the sensitivity of the information; the likelihood of disclosure if additional safeguards are not employed; the cost of employing additional safeguards; the difficulty of implementing the safeguards; and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Furthermore, when considering Model Rule 1.6, attorneys should consider obligations of confidentiality with respect to client data specific to the platform in question, taking into consideration, for example:

  • that technology platforms take different intellectual property rights over the data uploaded;
  • Opinion Number 477, which evaluates data breaches and possible ethical considerations;[2]

and in addition to ethical obligations with respect to the data:

  • contractual obligations, regulatory and compliance obligations, IP rights, training, diligence of the vendors and client expectations and other business considerations.

Practically speaking, this means attorneys should, at a minimum, know where the data is; know that they have protected client data; know that they own it; and maintain the ability to remove it from systems in a secure manner. By way of example, using a cloud service could violate non-disclosure agreements and potentially result in heavy fines and a loss of trust among clients, as discussed immediately below in Section 1.2.[3]

1.2. Laws and Regulations.

In addition to the ethical obligations imposed by the Model Rules, there are several key legislative acts and case law decisions which lawyers need to consider.

1.2.1. Stored Communications Act (SCA).

The Stored Communications Act (SCA), 18 U.S.C. §§ 2701 et seq., governs the disclosure of electronic communications stored with technology providers. Passed in 1986 as part of the Electronic Communications Privacy Act (ECPA), the SCA remains relevant to address issues regarding the privacy and disclosure of emails and other electronic communications.

As a privacy statute, diverse circumstances can give rise to SCA issues:

  1. Direct liability. The SCA limits the ability of certain technology providers to disclose information. It also limits third parties’ ability to access electronic communications without sufficient authorization.
  2. Civil subpoena limitations. Because of the SCA’s restrictions on disclosure, technology providers and litigants often invoke the SCA when seeking to quash civil subpoenas to technology providers for electronic communications.
  3. Government investigations. The SCA provides a detailed framework governing law enforcement requests for electronic communications. SCA issues often arise in motions to suppress and related criminal litigation. For example, a growing number of courts have found that the SCA is unconstitutional to the extent that it allows the government to obtain emails from an internet service provider without a warrant in violation of the Fourth Amendment. See United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).

1.2.2. Microsoft Case.

Microsoft had data hosted in one of its Ireland data centers. Microsoft was sued by a US government entity, and the prosecutors wanted to pull data from the Microsoft servers in Ireland. The case affirmed that the US government cannot access data in a foreign country. See United States v. Microsoft Corp., 584 US ___, 138 S. Ct. 1186 (2018).

1.2.3. The CLOUD Act.

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed in March 2018 in response to the Microsoft Case, and clarified related data sovereignty issues, confirming that a company can determine data residency by designating where information must be stored or resides as part of contract and company policies. This legislation added to the complexity of the data sovereignty laws (the laws to which a company’s data is subject) for multinational companies that store data in different regions, as it can conflict with US, UK (GDPR), EU, and Chinese data storage regulations.

1.2.4. Consumer Data Protections.

There are of course also consumer protection laws and regulations protecting data and determining ownership. These regulations limit disclosure of information and protect people’s data. The General Data Protection Regulation (GDPR) is an excellent precedent for the tension between surging forward with automation of legal processes, and protecting against legal ethics and malpractice concerns. GDPR’s purpose is to give personal control of data back to the individual through uniform regulation of data and export control.

1.2.5. Global Problems for Global Law Firms.

For law firms with offices in different regions and with different carriers, each office may be subject to different data storage rules applicable to that particular office. This requires that law firms consider data sovereignty rules in connection with their cloud services providers and the related data licenses for global entities.

2.0. Taxonomy of Data.

For any particular technology, lawyers need to take a step back and consider several issues, including: what is it actually trying to accomplish; what is the business goal of that technology; what is your goal in the representation; and how do those things interact. The professional responsibilities and consequences implicated will differ depending on the technology and the type of interaction.

2.1. Automation.

There is no practice too complex to be at least partially automated; it is a matter of cost. It is not impossible for technology to solve many of the inefficiencies involved in drafting documents; it is a matter of costs, and the costs are decreasing over time. Drafting a complex, well-functioning and technically coherent merger agreement, for example, may be very hard and beyond the limits of technology even theoretically. But it is not a requirement for automation that the automation must “fully” automate everything about a process before the technology fundamentally disrupts the status quo. If even 50% of a merger agreement became automatable, it would change how these agreements are done and how the business of mergers is priced.

2.2. Ethical Issues Arising from Structured Data.

2.2.1. Process elements, workflow management, due diligence software—all create deal process efficiencies but also have ethical implications. Often, a lawyer can invite collaborators—which can involve confidentiality breaches as well as eliminate attorney-client privilege. And closing automation tools require the data to be structured to automate the closing process, which requires the software to store facts about the specific transaction to close the deal. Likewise, transaction technology for populating contracts must process data of how a document is assembled and then incorporate some rules in its system. Initial data storage, active management during the deal, data retention and ultimately data destruction all need to be considered.

2.2.2. Examples of Implications for “Reasonable” Fees and the “Unauthorized Practice of Law” — Automated Cap Tables and NDAs. Cap tables’ inputs, outputs and procedures used in a transaction are largely the same as what computer programs and programmers use in data. There exists now working software that manages cap tables for private companies, public companies, and the individuals at these companies. A CEO or HR manager of a startup can access information directly, live at any time and handle transactions on the platform themselves if they choose. There are rules that go into the system and then there are processes—data inputs in a digitalized transaction to automatically populate form documents, check automatically whether a company is complying with limitations such as available shares in the plan, generate consents directly, and go back into the cap table automatically and update it. Other software, for example, undertakes automatic reviews of an NDA. The non-lawyer client or lawyer uploads the NDA, and the software will mark up the document, spot all the issues, produce an issues list by comparing it against the company’s playbook, and recommend edits to strengthen the client’s position.

2.2.3. No lawyer is involved in either the cap tables system or NDA review, and these technologies are deployed hundreds of times a day all over the country. There may be a one-time licensing fee or monthly contract for this service, no matter how many times it is utilized. How much can a law firm charge? If it is more than a minimal amount per issuance, is the firm’s fee reasonable and consistent with Model Rule 1.5(a)? And furthermore, are software developers or the individuals and companies that license the software engaged in the unauthorized practice of law? In reality, clients will likely always want their attorney to scrutinize and augment the output to ensure accurate and excellent legal work, but these questions should still be considered.

3.0. Ownership of Data, IP Rights and Client Rights.

3.1. Types of Data.

When evaluating ownership issues, there are three types of “data” to consider, and the critical and harder questions relate to Mixed Data:

3.1.1. User-Created Data.

For example, a photographer is clearly the owner of a picture they take, and ownership is protected by copyright laws. In the legal-services context, the attorney work product—the documents themselves, any work done on those documents, comments, tags, as well as any records that are generated on the basis of that work—is User-Created data.

3.1.2. Servicer-Created Data.

Data created before it is uploaded into the cloud carries clear ownership and intellectual property claims by its creator (or by someone working on a paid basis for a business or organization), and it is either licensed or sold to the end-user.

3.1.3. Mixed Data.

Mixed Data covers the “gray areas” that result, for example, from data that is modified or processed. In these cases, data that has been created within the cloud could come with some strings attached. It’s incumbent on the end-user to properly claim and protect this data and intellectual property. This is difficult, as the legal processes have not kept pace with the developed technology.

3.2. Laws and Lawyers Protecting Data Rights.

3.2.1. Laws and Regulations.

There are of course laws and regulations protecting data and determining data ownership. These regulations limit disclosure of information and protect people’s data (infra, Section 1.2). Relying on laws and regulations, however, is not sufficient for an attorney to discharge their ethical obligations.

3.2.2. Contractual Protection.

Underlying ownership needs to be clarified in license agreements—where that data needs to be located, the privacy that needs to be retained, and how that data can be used. Key concerns include:

  1. protection of the confidential data, particularly if it pertains to client confidential information, and
  2. controlling what technology providers do when they receive a lawyer’s data, including what happens to pieces of information they need to collect and store to provide the contracted service.

To protect confidentiality, privilege and work product, lawyers need to own the derivative works that the technology produces, and therefore usage terms and conditions need to be reviewed very carefully.

3.2.3. Artificial Intelligence (“AI”) Tools.

AI tools are key digital assets for lawyers. But most software, and the software that is most easily accessible, is built for consumers, not lawyers. These tools are typically free, and produce mixed data. Foreign language translation tools (where a machine and a human may be doing the translation together to teach the software to be more accurate over time) have presented specific concerns. These “derivative works” often have meaningful, even beneficial, intents. The vendor may want to analyze and use the customer data to provide tailored services to the customer; process and aggregate the customer data for commercial exploitation by creating new products and services; use the processed data to enhance its internal operations, products or services; or license the data to third parties. “Free” tools, however, may collect and use data in ways the end-users did not contemplate when they used the software.[4]

In addition, lawyers often need to review large volumes of contracts (and other documents) in the context of transactions or in regulatory reviews, or for the purpose of producing market intelligence or deal term studies. AI-assisted contract review software can facilitate these processes. When using this kind of software, there are two possibilities: the system can find what the lawyers need it to find out of the box, or the lawyers will need to embed their own knowledge into the platform by “teaching” it to find the information they need it to find. Lawyers can teach AI systems to find custom information by identifying examples of that information in a document set that is representative of the types of documents they will need to review in practice. The software will then study those examples, figure out the pattern, and produce a “model.” This model would then be used to find that information in new documents imported into the software. The process for using AI-assisted contract review software to review contracts is generally straightforward: upload the contracts for review into the software. The platform then automatically extracts information from those contracts (via either pre-built models or custom models built by the lawyer’s organization) for the lawyer to review. If more junior lawyers are doing the initial review, they can flag problematic provisions for second-level review.

In considering the implications of using this kind of software, both rights to the uploaded documents and rights to the custom models must be considered. While in-house lawyers may be comfortable with giving software providers copies of or rights to their documents where contractually permissible to do so, law firm lawyers providing services to their clients likely would not be (at least not without their clients’ consent). Any software provider that serves professional services organizations would have an uphill battle if they attempted to take ownership or have rights to the data that is typically from their customers’ customers. It is also important to consider how the software license agreements deal with any intellectual property created when lawyers embed their own knowledge into the software by creating custom models. Custom models may represent the knowledge of expertly trained lawyers, and those lawyers’ organizations may want to control any use and/or sharing of that knowledge. While the code underlying the model may be retained by the software provider, it is important to confirm that the rights to use and share custom built models match the firm’s expectations around this issue.

To assist in review and negotiation of license agreements, please see attached Appendix A: Issues for Lawyers to Consider in Legal Technology Agreements.

4.0. Conclusion.

There is no “one size fits all” solution to solve for the ethics issues presented when lawyers engage technology. This guidance, however, captures the issues and serves as a framework for evaluating these issues as they continue to develop. By focusing on these issues, law firms and their attorneys can continue to work with their clients and the legal industry, not just in compliance with their ethical obligations, but also as thought leaders at the intersection of law and technology.

APPENDIX A

Issues for Lawyers to Consider in Legal Technology Agreements

Legal technology agreements are not always abundantly clear, but consider addressing the following issues:

  1. Three types of data—original, derived and usage data
  2. How this data can be used, other than for the benefit of the system
  3. What “access rights” non-lawyers have
  4. What can the software provider aggregate and extrapolate from the data?
  5. How data is being delivered between the parties
  6. Where it is being stored to inform compliance with sovereignty requirements and data residency requirements?
  7. Specify how data can be stored for each of your different regions and then the global framework
  8. How does the user access the data across different regions without inadvertently pulling data from one location into another that is subject to different privacy policies and other protocols?
  9. How does the information get into the system?
  10. Storage requirements
  11. Data retention requirements
  12. Removal requirements and controls
  13. Control of data the lawyer inputs
  14. Control of new data and right to remove (complicated by cloud technology from different providers), and as implicated by GDPR
  15. Specific provisions regarding how data can be used, what derivative works can be created, and what sort of aggregated, de-identified data can be leveraged in any sorts of contracts
  16. If the agreement is silent, assume this information can be used in different ways
  17. “Derivative Works” provision, critical because part of the benefit of the solution is to provide the lawyer a derivative work, such as a fully compiled PDF version of the document with its appropriate signature pages; this is difficult because the vendor wants to make sure that the lawyer can do everything needed or promised by the technology
  18. Clarify no other uses of the data
  19. Add specific permissions around client confidential information
  20. Data residency requirements that tell the lawyer exactly where the data will be and cannot be shifted between regions
  21. Specify that all “Customer Data” (or “Company Content”) is owned by the customer and define customer data; any exceptions must be clearly spelled out.

[1] (1) to prevent reasonably certain death or substantial bodily harm; (2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services; (3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services; (4) to secure legal advice about the lawyer’s compliance with these Rules; (5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client; (6) to comply with other law or a court order; or (7) to detect and resolve conflicts of interest arising from the lawyer’s change of employment or from changes in the composition or ownership of a firm, but only if the revealed information would not compromise the attorney-client privilege or otherwise prejudice the client.

[2] ABA Formal Opinion 477R: Securing Communication of Protected Client Information.

[3] Note, however, various potential benefits from technology: lower fees for clients; increased client retention; more accurately priced projects and the ability to show the breakdown of such fees; recruitment—associates want technology efficiencies, and they may prefer to perform tasks offsite and/or through automated systems instead of manually.

[4] See, e.g., https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings.

SaaS Agreements: Key Contractual Provisions

This article was adapted from Ward Classen’s The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, available from the American Bar Association Business Law Section.
Many, perhaps trending to most, commercial licensors and licensees are utilizing delivery models other than the historic on-premises method (i.e., using computer hardware located at the end user’s location) for providing and accessing software applications. Most commonly illustrated through the use of “cloud computing,” these delivery models raise many of the same issues involved in traditional software licensing, while at the same time creating issues unique to the respective delivery model. Cloud computing provides on-demand delivery of IT resources and applications via the Internet with substantially pay-as-you-go pricing, allowing customers to reduce initial IT expenses while having the ability to quickly increase or decrease IT resources to meet their perhaps varying needs.

Under a “SaaS” model, access to a software application is provided to the customer as a service. The vendor/cloud provider or another party hosts the software application on its web servers or via a third-party application service provider, allowing customers access to the software using web browser software via a portal and/or the Internet. The customer does not license a copy of the software but accesses the software as a service on an as-needed basis.

(a) Overview

(i) Benefits

From a software cloud provider’s perspective, SaaS allows the cloud provider to reduce its support costs by maintaining a single version of its software on a single platform. A SaaS model allows cloud providers to monitor how their customers use the application, bring improvements to the market, and address uniformly for all customers any problem that arises. The cloud provider’s support staff is able to evaluate a customer’s problem as each customer is using the same application on the same platform. Updates are automatically made available to customers instead of customers having to wait to receive, install, integrate and pay for the newest update. In addition, SaaS allows the cloud provider to sell to customers who may not be able to afford the upfront fees required to procure the software and/or the infrastructure to support it.

From the customer’s perspective, the customer is able to reduce its information technology costs by not having to purchase an application license, the hardware required to run it, as well as fees for updates and technical support. All of these costs are built into the fee for accessing the application, allowing the customer to direct its technology budget to those technologies that will provide a competitive advantage in its industry.

For cloud provider–owned applications, the customer’s cost to access the application should be reduced as the price is amortized among several users and the subscription fee is often based on usage. By paying only for its proportionate share of computing power and other resources that it uses, the customer avoids paying for excess capacity. The usage fee is amortized over the period of the customer’s use as differentiated from the purchase of a software license where payment in full is usually due immediately upon acquisition of the license. This payment mechanism evens out the user’s payments over the course of a year, potentially helping cash flow.

The customer will also avoid the significant time and cost of installing an application. In essence, application management has been outsourced, allowing the customer’s IT staff to focus on other projects. Because the software is already operating on the cloud provider’s system, the time to begin using the new application is dramatically reduced. The customer’s software usage is fully monitored by the cloud provider, allowing the cloud provider to instantaneously receive “feedback,” speeding the pace of improvements to the application, and allowing customers to benchmark against their peers. Further, the customer is able to automatically access the most recent updates and enhancements to the application without the risks inherent in transitioning to a new version.

(ii) Limitations

SaaS does have several limitations/reasons for concern. The greatest is that the customer has relinquished control over its IT to a third party and is totally dependent on the third party to consistently deliver access without interruption while using a secure environment. Although the customer is purchasing a service not a software license, a customer still needs contingencies that address sudden cessation of the cloud provider’s business or an event of force majeure, as application continuity is necessary to enable end user business continuity (contingency) plans. The customer also lacks the ability to customize the applications for its needs as most cloud providers will only modify the application for very large customers.

Another challenge for customers is that many cloud providers require customers to use the cloud provider’s non-negotiable template agreement to purchase the cloud provider’s services. These cloud providers argue that pro forma contracts are industry standard and reflect the nature of lower margins and shared services, thus negating the need to negotiate the contract. Although a cloud provider’s contract may be non-negotiable, customers should carefully review the agreement to make sure it meets their needs. For example, does the agreement provide the use rights the customer requires, such as allowing the customer, its contractors, and the customer’s customers to access and use the software?

(iii) Delivery Models

SaaS is usually delivered through one of two models: a hosted application model or a software-on-demand model. In the hosted application management model, a hosting provider hosts the desired application, delivering the application to its customers over the Internet. Under the software-on-demand model, the cloud provider (i.e., the software cloud provider/licensor or cloud provider) provides its customers network-based access to a single copy of an application modified for SaaS over a network. Software on demand is also known as the “application service provider” model. In both cases, the customer is paying for access to the application. The cloud provider may choose to have someone else host it, but delivery is the same and essentially “on-demand.” In most situations, the cloud provider will provide, maintain and host an application while providing the customer access to the application. The application may be held in a dedicated environment with its own instance of the application, or alternatively, the application may be hosted in a multi-tenant environment with a common version of the application running on a logically partitioned environment.

A shared multi-tenant environment uses a single instance of the application to provide access to multiple customers. All customers access and use the same instance of the application, creating an efficient means of implementing patches, upgrades, fixes and maintenance. A single-tenant environment provides access to a single customer, creating a more expensive service that cannot be easily scaled. A shared environment creates greater security risks as many clients’ data may be hosted on a single server. Thus, clients with sensitive data will often insist on dedicated servers. The language below reflects the potential concerns of customers.

Dedicated/Partitioned Environment. Any time Services are performed at the Customer Facilities, Vendor shall provide the Services using hardware, software and related resources dedicated solely to supporting Customer. Unless otherwise expressly provided in this Agreement, all Services provided from the Vendor’s Facilities shall be provided using partitioned or dedicated Equipment. Vendor shall not provide any Services from a shared processing environment unless specifically approved in writing by Customer.

The cloud provider may choose to deliver SaaS either by hosting the application itself or by outsourcing the hosting of the application to a hosting provider. Usually, the cloud provider will use its own proprietary software which it provides to its customers. In some cases, a hosting provider will license a copy of the software from the cloud provider and set up a SaaS model with its own customers. In the latter case, the hosting provider acquires rights from the software cloud provider and provides access and use of the application to customers. This approach is often structured as a “reseller” arrangement.

(b) Contractual Provisions

(i) Services

The underlying SaaS agreement between the parties should clearly set forth the cloud provider’s obligations and the services it will provide. In a SaaS relationship, most cloud providers will provide:

  • Access to an identified application,
  • Technology updates,
  • Data storage,
  • Data back-up,
  • Data security, and
  • User support.

To the extent a service is not listed, the customer should assume it is not included. For example, if data back-up is not listed, the customer should assume the cloud provider will not be providing such services and the customer should back-up its own data on a regular basis. To the extent the cloud provider desires to implement a material change in the provided services, the cloud provider should be required to provide the customer advance notice of any material change, and the customer should have the right to terminate the agreement for convenience without penalty.

If applicable, proof of concept or beta testing should be conducted prior to making any long-term commitments to the cloud provider. The customer should ensure that the data created by the application is compatible with the customer’s legacy systems (e.g., that the data schema are susceptible to “extract transform and load” (“ETL”) modification and injection to other current systems) and thus avoid any potentially costly and time-consuming data migration project. The cloud provider should also be willing to provide the customer a written commitment as to the application’s future features and functionality that will be made available to customers. A prudent cloud provider may be hesitant to do so, however, to retain the maximum flexibility to operate its business.

(ii) Ownership of Data

From the customer’s perspective, the agreement should clearly state:

  • the customer owns its data (and all intellectual property rights related thereto);
  • the customer will have immediate access to its data without charge upon demand;
  • upon termination of the agreement the customer may take its data to a new cloud provider; and
  • the format in which the data will be returned to the customer.

The agreement should also describe how and in what format the data will be returned and prohibit the cloud provider from withholding data for non-payment. Return of the data should be prompt and not conditioned on the customer meeting a payment demand by the cloud provider.

Sometimes it is the customer’s responsibility to remove the data, i.e., to copy it onto its own system. If this is the case, the customer should make sure that once the data has been copied and the customer has confirmed it has a reliable copy of its data, the cloud provider destroys the data that remains on the cloud provider’s systems. Usually, the cloud provider will want to do so in accordance with its own practices, e.g., by overwriting, etc. To the extent any data is contained on backup tapes, the backup tapes should be immediately destroyed, and an authorized officer of the cloud provider should certify that the tapes have been destroyed. Finally, the agreement should set strict time frames for the destruction or return of the data.

Some customers may require the cloud provider to issue a “destruction certificate” as proof of action by the cloud provider. However, there may be issues with respect to multi-tenancy environments where redundant data sets or similar copies of data continue to exist. Unless the relationship is managed in a single tenant database, it may not be possible to assure total destruction of the data. Contrary to the point above, it is also critical from the customer’s perspective that the cloud provider be prohibited from destroying the customer’s data in the event of non-payment until the customer has provided written instructions to do so.

Prudent cloud providers should develop an internal guidance/checklist setting forth the actions to be completed prior to executing a destruction certificate to avoid unintentionally creating liability on the cloud provider’s behalf. To avoid potential problems, the certificate should be signed by the team lead for the team that completed the work, usually a member of the IT department.

(iii) Cloud Provider Access and Use of Customer Data

Cloud providers often seek access to the customer’s data for many reasons, including the cloud provider’s desire to aggregate and resell the customer’s data to third parties. Under no circumstances should the cloud provider be able to sell the customer’s data to a third party, even if it has been “cleansed” of any identifying information. The cloud provider should be contractually prohibited from accessing or disclosing customer data. While prudent customers should seek to limit the cloud provider’s use of their data, the cloud provider should have the ability to collect and analyze usage data to improve the quality of the cloud provider’s services, including as input for its product/services “roadmap.” The agreement should clearly state that all customer data is confidential regardless of whether it is displayed or accessible by the cloud provider. Allowing the cloud provider to access customer data may raise antitrust issues as well as limit the customer’s ability to claim trade secret protection for such data. For a discussion of trade secrets in the cloud see Sandeen, Lost in the Cloud: Information Flows and the Implications of Cloud Computing for Trade Secret Protection, 19 Va. J.L. & Tech. 1 (2014).

The customer should not agree to amorphous language such as the cloud provider will “comply with industry standards” or the cloud provider will “use commercially reasonable efforts to protect the customer’s confidential information.” A prudent customer will also seek to prohibit the storage of users’ credentials and passwords by the cloud provider.

Model language favoring the cloud provider:

We routinely collect and analyze metadata regarding your usage of the Cloud Services, excluding any personal data. We may use this information to gauge Cloud Services usage levels and application performance, as well as to create anonymized statistics for our own marketing purposes.

The following language provides the cloud provider even greater leeway to utilize the customer’s data.

Vendor may use and reproduce Company Data at the direction of Company (such direction taking the form of the terms of this Agreement and the relevant Schedules) for the limited purposes of providing, operating, and maintaining the Services provided to Company. Company will secure for Vendor the right to use and reproduce Company Data, including any Personal Information therein, solely to the extent necessary to provide the Services to Company, without creating any obligations for Vendor beyond those set forth in this Agreement. Vendor may use usage patterns, trends, and other statistical data derived from use of the Services (but not Company Data itself) for the purposes of providing, operating, maintaining, or improving the Services and any Vendor products and services used to deliver the Services.

Compare the preceding language to the following language which favors the customer:

Customer grants Vendor a limited, royalty-free, non-exclusive, non-transferable and non-sublicensable license to process the Customer Data only in the United States as instructed by Customer and only to provide the services for Customer’s benefit so long as Customer uploads or stores Customer Data in the System, subject to all terms and conditions of this Agreement.

(iv) Data Retention

Given significant numbers of customers, relatively short contract lengths, and the commoditized nature of cloud computing, many cloud providers retain customer data for very short periods of time. To the extent the customer has specific concerns, it should ensure the underlying agreement allocates not only responsibility for data retention and backup but also the time period in which data will be retained. The period of retention will depend on RTOs/RPOs, requirements for the retention of metadata, and the cost of doing so. RTO and RPO are common terms: the “Recovery Time Objective” measures how long it will take to recover data and resume using an application that has gone down, and the “Recovery Point Objective” speaks to data freshness at the time of recovery. Sometimes, companies can only recover data that is a week old, meaning all the data from the current week would be lost. For mission-critical applications, RPOs of less than one hour are standard.

Another issue for consideration is litigation holds, including the ability of the cloud provider to retain metadata. A prudent customer will contractually provide how it will notify the cloud provider of any litigation hold and how the cloud provider will preserve the relevant data. The failure to do so may lead to discovery sanctions on the customer in the event of any litigation.

Further, to the extent a cloud provider is required to destroy or retain the customer’s data, the parties should realize that it is virtually impossible to destroy all data as customers’ data will be inevitably retained in backup tapes and the memory of the servers. As a result, some negotiated transactions include provisions for ongoing but secure storage by the former cloud provider of former customer data for specified, tax, quality control, or other purposes.

(v) Pricing and Payment

Customers may be charged through various means, including on a per-user per-month basis, on a monthly subscription for the customer’s entire company, and on results from a customer’s use of the application. As an example of the last, infrequent pricing metric, a marketing software company is paid according to the number of solid leads generated through the customer’s use of the software.

Customers should carefully evaluate a contract’s pricing model to ensure the pricing structure is clearly delineated and that the customer has the ability to independently verify any amounts that it is billed by the cloud provider. If access is based on the number of seats or users, the definition of “users” will serve as the basis for establishing the aggregate fee paid by the customer. As such, the customer should clearly understand how the application will be used and who will be accessing and using the application.

For example, if a cloud provider defines a “user” as a named individual accessing the system, the “named user” terminates their employment, and a replacement employee is hired, is the customer required to purchase a new license for the new employee, or may it transfer the license from the old employee to the new employee? Like a traditional license, the price should be fixed for a set period of time, and the amount of any future price increases should be capped.

Further, if the customer’s customers will be indirectly accessing the application, do they need a license? The customer’s failure to obtain the rights it requires or to understand its use rights may prevent it from achieving the synergies it expected from using the application, as well as cause the customer to incur significant unforeseen costs. See SAP UK Limited v. Diageo Great Britain Ltd [2017] EWHC 189 (TCC) February 16, 2017 (SAP successfully sought additional compensation for Diageo’s customers’ access and use of SAP’s software).

Most cloud providers require the customer to pay quarterly or annually in advance, eliminating any payment risk.

(vi) Performance Standard/Service Level Agreements (SLAs)

Service levels are very important as they establish the cloud provider’s minimum performance obligations and the degree of access that the customer will have to the application or services, including the customer’s own data. Many cloud providers, however, do not offer meaningful SLAs, arguing the application must meet the demands of multiple customers. Most cloud providers will at least offer availability service levels, and some may be willing to provide additional remedies beyond service credits for an additional fee. If appropriate, customers should seek to negotiate additional SLAs including response times, bandwidth and security breaches, although most cloud providers will only agree to meet minimum legal requirements. SLAs almost never cover failover guarantees or contingencies that address issues beyond the cloud provider’s control, such as the sudden cessation of the cloud provider’s business or an event of force majeure. Cloud providers should avoid being measured on any customer-dependent elements such as location processing capability.

Service levels should reflect the usage of the application. For example:

  • How is the application being used?
  • Where are the employees using the application located?
  • What time of day will the employees be accessing and using the application?

A successful service level should be objective, critical to the successful performance of the services, tailored to the services, and achievable by the measured party. Common service levels include:

  • Availability (both network and application)
  • Remedies (including financial penalties/credits)
  • Problem response time
  • Issue resolution/Escalation Procedures, including status reporting
  • User support
  • Data return (Recovery Time/Recovery Point Objectives)
  • Simultaneous visitors/users
  • Page response times

(vii) Data Security

Security is important when utilizing a SaaS model, but it is especially important for those customers utilizing a public cloud. By centralizing a party’s data in a secure data center, a party may actually increase its security (e.g., via the greater skills, resources, oversight, and testing that may be enabled by greater scale, i.e., a cloud provider testing and optimizing cybersecurity on behalf of multiple customers and its overall business model, versus a single entity attempting to achieve cybersecurity excellence only on its own behalf and outside its core focus or competencies). On the other hand, the customer has ceded control over its data and now is dependent on the cloud provider for protection.

There are three aspects of security: physical security, technical security and administrative security. Prudent customers should undertake a comprehensive risk assessment that evaluates the scope of the purchased services and seeks to identify any threats and vulnerabilities to receiving those services. The assessment should review the cloud provider’s security policies and ascertain the likelihood of a threat triggering a vulnerability, as well as the potential impact if such a threat occurs. Customers will typically address their concerns with the cloud provider and incorporate their security requirements in the underlying agreement—often as a detailed, separate exhibit to the contract. Depending on the value of the contract and the importance of the application, the customer should visit the facility from which the cloud services are provided, if applicable and allowed, and request a written copy of the cloud provider’s security protocol covering the building’s physical security and the protection of the network from intrusion and viruses, as well as annual updates. The customer should closely examine and vet the cloud provider’s policies and ascertain the specific type of infrastructure used by the cloud provider to provide the hosting services.

The cloud provider should undertake an external and internal security analysis several times a year. The results of these efforts should be provided to the customer without the customer having to request it.

Most important, however, is the definition of “data,” as the definition will establish the cloud provider’s security, confidentiality, and privacy obligations. Is “data” limited to information stored by the cloud provider, or does it include data created and collected by the cloud provider in the course of delivering services to the customer? Customers should seek to draft the definition of “data” as broadly as possible to ensure that their data is completely secured.

Security Standards

Multi-tenancy creates significant risks that other customers may be able to access or extract a customer’s data, increasing the risk of viruses and malware entering the customer’s environment as well as other security lapses. As such, customers should carefully negotiate the agreement’s security standards after identifying potential risks and potential approaches to mitigate the identified risks. Such risks, both internal and external, as well as the agreed upon risk mitigation controls, must be continually monitored during the term of agreement.

To avoid ambiguity, the parties should specify the security standard the cloud provider must adhere to. The customer should ensure that the data center is ISO compliant as well as SSAE 18/ISAE 3402 compliant. SSAE 18 SOC 2 and SOC 3 set forth significantly more stringent audit standards and are specifically focused on data centers. ISAE 3402 is the international equivalent of SSAE 18 and should apply and be reported against whenever data is kept in a global environment. See Chapter 7.E of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, for a more detailed discussion of SSAE 18 and its requirements.

The cloud provider should maintain a written comprehensive information security program that includes reasonable security procedures and practices to ensure the security, confidentiality, privacy, availability and integrity of user content and other information if transmitted through or stored in connection with the services. Sophisticated customers seek to negotiate these cybersecurity specifications, attaching the agreed upon standards as a detailed exhibit to the agreement.

Location of Data

Prudent customers should consider contractually specifying the jurisdiction in which their data must be housed, or alternatively require that all data remain within the continental United States, to avoid subjecting the customer to the laws of the jurisdictions in which the data resides, including those jurisdictions’ privacy laws, data transfer laws and discovery rules. The European Union has very restrictive data protection laws and prohibits the transfer of data to countries with inadequate data protection laws. To the extent a customer allows its data to be removed from the United States, the customer should monitor the data’s location so that the jurisdiction to which its data was moved cannot prohibit relocating the data back to the United States. Savvy customers will include an audit provision allowing the customer to audit the cloud provider’s compliance with its contractual obligations related to data location.

The citizenship of the owners of the data will dictate which state laws govern the vendor’s privacy and security obligations.

Physical Security

Physical security should not be overlooked. The cloud provider should be able to provide the customer with a written security plan setting forth the protections implemented at its data centers including:

  • limiting and segmenting physical access,
  • restricting physical access to required personnel,
  • personnel background checks,
  • badging, and
  • training.

The customer should carefully evaluate the cloud provider’s security protections. The customer should understand who has access to its confidential information and data and under what circumstances.

  • Who has the ability to modify such data?
  • What controls are in place to protect the customer from an unauthorized individual accessing and modifying the customer’s data?
  • Where is the cloud provider’s data center located?
  • Does the data center have adequate physical and virtual security?
  • Does the cloud provider have appropriate virus protection software and appropriate security measures to protect the customer’s data and internal systems?
  • What particular testing and validation processes and third-party certifications, if any, will be required?
  • May the customer initiate periodic “penetration testing” and if so under what parameters?
  • What, if any, cybersecurity-specific insurance coverage(s) must the cloud provider procure and maintain on the customer’s behalf, at what levels and for what duration? The customer should ensure the required protections are maintained 24x7x365.

Technical Security

The cloud provider should utilize advanced software to detect any attempted and any actual intrusions into its network, as well as to eliminate viruses and similar problems. A customer should require that its data be encrypted not only at rest (in storage) but also in transit (during transmission). Not all cloud provider applications encrypt data, making data stored in such applications vulnerable to misappropriation or theft. A customer should insist that the cloud provider comply with specific encryption standards for the encryption of the customer’s data. The language below illustrates this point:

Customer will encrypt the Data using the AES-256 standard and store it on Vendor Simple Storage Service (S3) devices within the Vendor east coast and west coast data centers. When needed, the encrypted Data will be replicated to Elastic Block Store (EBS) devices and made available during the boot process to server instances and associated server user accounts with proper credentials. The credentials will be stored and maintained within the Customer-managed data center and presented to the Vendor server instances only during the boot process. No credentials will be stored in the Vendor cloud environment.

The cloud provider should be required to utilize sophisticated intrusion prevention and detection software, as well as peripheral equipment, and to update it on a continuous basis to ensure it remains current with the latest technology. The cloud provider should be contractually obligated to provide detailed reports of any attempted intrusions of material significance as well as any resulting data breaches. The agreement should establish a chain-of-custody log, tightly control and restrict access to any data, and provide a procedure for auditing network and user transactions. In cases where the nature of the customer’s data warrants it, the parties should also consider the use of a virtual private network (VPN) to further reduce security risks.

The parties should establish stringent requirements for the storage of customer credentials and passwords outside of the cloud, including strong access controls. In addition, the agreement should address other common-sense security controls, such as staff screening, firewall standards, access logs and the ability of third-party contractors to access the system. Priority should also be given to preservation of security controls as part of any disaster recovery plans.

Administrative Security

Administrative security refers to the management and operational controls and procedures implemented to protect the system’s security, including:

  • Authentication of HTTP clients
  • Administrative console security
  • Naming security
  • Use of SSL transports
  • The common user registry
  • The authentication mechanism
  • The authentication protocol

Security Breaches and Incidents

The cloud provider should be obligated to notify the customer immediately in the event of a data breach or suspected breach and provide a detailed written explanation of the nature of such breach/suspected breach and the actions it has taken to remedy such breach. The agreement should address the parties’ respective responsibilities for complying with all federal, state, and local data breach notification laws, including which party has responsibility for drafting a notice to any affected parties, sending the notice, paying for all costs associated with doing so, and identifying costs the responsible party must assume. In addition, the agreement should address which party must pay for any costs associated with complying with new laws enacted after the execution of the agreement.

The most important aspect in framing the parties’ obligations is the definition of “data breach,” as the definition will establish the scope of each party’s obligations. Both parties should ensure they understand the ramifications of the definition and how it will impact their obligations and potential liability.

The agreement also should set out in detail the necessary response on the part of the cloud provider to a data breach, including how quickly the cloud provider must contact the customer to disclose the existence of an intrusion or breach, via what means, how much information the cloud provider must provide the customer, what steps the cloud provider must take to investigate, if the cloud provider will interface with law enforcement and how, how often the cloud provider will update the customer on actions taken to mitigate the effects of any breach, and what remedies the cloud provider will offer, if any. From the customer’s perspective, the customer does not want the affected individuals or entities or its board of directors and executives to first learn that there has been a security breach involving its data from the media or a third party.

(viii) Disaster Recovery

Disaster recovery differs from business continuity in that business continuity addresses issues that may arise in the ordinary course of business, such as bugs, hacking, general downtime and other service interruptions. Disaster recovery addresses incidents more akin to an event of force majeure, such as a natural disaster. The cloud provider’s disaster recovery plans should be carefully reviewed by the customer and should cover the level of redundancy for the application, i.e., the availability of the application in the event of a failure of the primary server or application (such as a geographically distant “hot” site), the cloud provider’s protocol for backing up data (e.g., frequency, testing, passwords, chain of custody, etc.), the storage of such data offsite, and the duration for which it will retain the backups. See Chapter 7.F of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, for a more detailed discussion of disaster recovery issues. The cloud provider should be able to provide a detailed plan addressing a power outage, natural disaster, equipment failure, the sudden cessation of its business (bankruptcy notwithstanding) and so on, as well as service level agreements for uptime and the ability to log onto the application independently of the cloud provider (for more information, see Chapter 9, Section A.5 of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, discussing SaaS Escrow). Finally, the cloud provider should disclose any audit protocols it has adopted to ensure its existing protocols and methodologies are followed. The customer should also ask the cloud provider about any previous security problems or service interruptions.

(ix) Indemnification

As with any commercial agreement, indemnification plays an important role in allocating and managing the parties’ risk. While indemnities have traditionally addressed third-party claims, both parties should provide a direct cross-indemnity to the other, although the breadth of their respective indemnification obligations will likely differ. Many parties will seek an indemnity for breach of contract, but doing so cannot be justified, as each party’s remedy should lie in a breach of contract claim.

Customers should seek to have the cloud provider indemnify them for:

  • Intellectual property infringement claims arising from intellectual property selected and used by the cloud provider
  • Compliance with laws
  • Breach of confidentiality
  • Breach of the agreement’s security obligations and standards by the cloud provider

In those situations where the cloud provider will not agree to indemnify the customer, the customer should seek to have the cloud provider pay for any costs associated with a party’s notification obligations under law or the terms of the contract. These may include investigating the breach, notifying the affected individuals and entities of any breach or security incident, staffing any help desk assisting with questions regarding the breach or security incident and the cost of any credit monitoring.

Model language for the cloud provider’s indemnity obligations follows:

Vendor will defend, indemnify and hold Customer and its respective officers, directors, employees and agents (each an “Indemnified Party”) harmless from and against all liabilities, damages, claims, costs and expenses (including reasonable attorneys’ fees and costs and expenses of expert witnesses) or other losses (collectively, “Losses”) brought by a third party against an Indemnified Party arising from the acts or omissions of Vendor, its employees, affiliates, subcontractors or agents in the performance of the Services.

Vendors should seek to have the customer indemnify them for:

  • Intellectual property infringement claims arising from the customer’s content as well as any intellectual property selected and used by the customer
  • Compliance with laws
  • Breach of confidentiality
  • Defamatory statements
  • Violation of law
  • Breach of the cloud provider’s Acceptable Use Policy (AUP) including non-compliance with the cloud provider’s security policy

Model language for the customer’s indemnity obligations follows:

You agree to indemnify, defend and hold Us, our affiliates and licensors, each of our and their business partners and each of our and their respective employees, officers, directors and representatives, harmless from and against any and all claims, losses, damages, liabilities, judgments, penalties, fines, costs and expenses (including reasonable attorneys’ fees), arising out of or in connection with any claim arising out of:

  1. Your use of the Services in a manner not authorized by this Agreement, and/or in violation of the applicable restrictions, AUPs, and/or applicable law,

  2. Your Application, Your content, or the combination of either with other applications, content or processes, including but not limited to any claim involving infringement or misappropriation of third-party rights and/or the use, development, design, manufacture, production, advertising, promotion and/or marketing of Your Application and/or Your content,

  3. Your violation of any term or condition of this Agreement, including without limitation, Your representations and warranties, or

  4. You or Your employees’ or personnel’s negligence or willful misconduct.

(x) Limitation of Liability

To understand and quantify its risk, the customer should undertake due diligence that includes a review of the cloud provider’s technology platform and security practices. Doing so will allow the customer to potentially mitigate any risks associated with the purchased services. By purchasing SaaS services, the customer is outsourcing a service that it did not want to provide itself as well as a set of operational, compliance, and legal risks that it did not want to assume. Thus, a cloud provider should not be expected to assume a risk that the customer itself was unwilling to assume, as the cloud provider is not an insurer of the customer’s risks.

It is in both parties’ interest to limit risk. The mere fact that personally identifiable information (PII) is exposed does not necessarily mean that the cloud provider (as opposed to the customer or a third party) did anything wrong or that it could have prevented the breach. Some industry commentators assert that no cloud provider (or government agency or non-profit) can guarantee against sophisticated intrusions and all technology failures. One solution may be to have the parties share any potential liability. Although the structure of any compromise is subject to negotiation, one compromise may be to have the cloud provider assume liability up to a certain dollar amount, with the customer assuming any excess liability.

Some breaches should naturally result in greater liability on the cloud provider’s behalf. If a cloud provider fails to follow its stated security procedures, there is justification to seek a larger or even unlimited liability. In many contracts, intentional actions impose unlimited contractual liability on the cloud provider’s behalf, at least after negotiation by knowledgeable customers.

The actual limits of liability will depend on the facts of the underlying transaction:

  • What is the nature of the stored/processed data?
  • Is the data highly confidential and proprietary, or a mere aggregation of data that may be re-assembled from other sources?
  • To what extent does the data set include data owned by third parties who have entrusted it to the customer, who may have its own obligations and liability under such arrangements?
  • How much revenue is the cloud provider receiving?
  • How much risk is arising from the underlying technology platform?
  • Is the customer utilizing a public or a private cloud?
  • If the cloud provider offers premium services and/or additional security protection at a higher fee, has the customer elected same?

Almost all cloud providers insist on a waiver of any special, incidental or consequential damages and seek to limit the cloud provider’s liability to any service level credits. Any overarching cap is usually tied to a multiple of the monthly fees received by the cloud provider within a set time period, e.g., three months (though many customers will negotiate for longer durations). Common exclusions from the limitation of liability include intellectual property infringement, gross negligence, willful misconduct and some indemnification obligations.

Customers should carefully consider whether a disclaimer of indirect damages is appropriate, as in the event of a breach, a significant portion of the customer’s damages may be indirect damages. For example, the destruction or loss of data will result in substantial consequential or indirect damages. The sensitivity of the data in question will likely determine the importance for a customer to recover its consequential/indirect damages.

At least one court has voided a limitation of liability where the cloud provider acted in a reckless or grossly negligent manner resulting in a substantial loss of the customer’s data. Clark Street Wine and Spirits v. Emporos Systems Corp., Italy, 754 F. Supp.2d 474, 481–82 (E.D.N.Y. 2010) (“In view of great damage to customers and business that breaches of a computer system may cause, a jury may find that the responsible entities, such as [the cloud provider], should take special precautions to protect these systems.”).

(xi) Term

SaaS agreements often have a relatively short term as opposed to on-premises licenses. Given the trend of falling prices over the last several years, a fixed-price, shorter-term (1–2 year) cloud agreement is often favored by the customer.

Many cloud providers require buyers of subscription-based services to commit to purchase a minimum volume or dollar amount for a set period of time. In doing so, cloud providers argue that “revenue recognition” rules require the cloud provider to seek revenue minimums and committed term lengths to recognize the associated revenue. Contractual minimums also allow the cloud provider to recover its upfront research, development, infrastructure, and other service-enabling costs incurred in establishing the software availability. From the customer’s perspective, minimum commitments create the potential for significant financial risk. Therefore, prudent customers will seek to negotiate shorter minimum terms and favorable termination rights to ensure financial flexibility and avoid limiting their options.

(xii) Suspension and Termination

Most cloud providers insist on the contractual right to immediately suspend access or use of the services in the event the customer undertakes any actions that:

  • violate the law,
  • violate the cloud provider’s acceptable use policy (AUP),
  • adversely impact the ability of other customers to use the service,
  • access other customers’ data,
  • spam,
  • create offensive content,
  • cause intellectual property infringement, or
  • endanger the security of the system.

While most cloud providers will not relinquish the right of suspension, prudent customers often try to limit suspension solely to material violations of the underlying agreement that threaten the security of the cloud service. In addition, they seek to negotiate a notice and cure period for inadvertent violations to avoid an immediate interruption of the customer’s access to the services. While some cloud providers will agree to provide notice and a very short cure period, other cloud providers are unwilling to do so.

Some large customers take the position that the cloud provider may not terminate the agreement for any reason, including the customer’s nonpayment, arguing that the cloud provider’s remedy lies solely in a suit for breach of contract, and that the customer’s access and use rights should continue during the termination process. They do so in the belief that the services are mission critical and cannot be easily transferred to a new cloud provider. From the cloud provider’s perspective, the requirement to bring a suit delays its remedy and increases its costs while creating a significant administrative and financial burden.

Many customers seek the ability to terminate their agreement for convenience. While termination for convenience provisions are common in many services agreements, the customer’s ability to terminate the agreement and the cost to do so will depend on a number of factors, including the pricing model used by the cloud provider and the cost of any capital expenditures the cloud provider made on the customer’s behalf.

If the cloud provider is providing services under a metered model without a commitment, the customer may have the right to terminate the agreement for convenience, but under a subscription model, where pricing discounts are provided based on volume commitments that termination for convenience would negate, cloud providers are unlikely to accept a termination for convenience provision. If the cloud provider purchased hardware and software on the customer’s behalf, another factor that will impact the customer’s ability to terminate for convenience is the amount of any unamortized capital expenditures. In such cases, cloud providers will most likely require the customer to pay the cost of any unamortized capital expenditures as a condition precedent to any termination for convenience.

Also important from the cloud provider’s perspective, revenue is recognized ratably over the life of the contract, and if the contract may be terminated for convenience, the cloud provider will likely be unable to recognize the total contract value to investors, lenders or other constituents.

If the underlying agreement provides the cloud provider the right to make unilateral changes to the parties’ agreement or the underlying application, the customer should insist on the right to terminate the agreement for convenience without charge in the event any such change has a material impact on the services purchased by the customer.

(xiii) Transition Rights

Perhaps the most important, yet often under-managed, issue for the customer is transition rights. In the event of the early or natural termination of the agreement, the customer wants to ensure an orderly transition of its business to a new cloud provider. Also known as the “Exit Strategy” or “Exit Plan,” most good customer Program Management Offices (PMOs) contemplate an exit strategy as a part of their Governance, Risk and Compliance (“GRC”) policy; that is, if they have a GRC policy.

The agreement should set out in detail the time period during which the cloud provider must provide transition support to the customer, the cost of such services and preferably the process for coordinating the parties (possibly including not only the end user and initial cloud provider, but also the successor cloud provider, if any). The cloud provider should be contractually obligated to provide services during the transition period at the same service level as it did during the agreement term and to fully cooperate with the customer during the transition of its data to an alternative provider or back in-house. In the event the agreement was terminated due to the customer’s breach, the cloud provider should strictly limit the length of any transition period to limit the time and effort it is required to exert in the transition effort and possibly require pre-payment including any professional services necessary to extract and migrate data to a new solution.

Finally, a prudent customer should ensure the underlying agreement sets forth in detail the customer’s rights upon the termination of the agreement and that any such transition will not interrupt its business. To that end, the customer should obtain:

  • a contractual commitment regarding its right to continue to use the services during the transition period,
  • the right to the immediate return of its data in the contractually agreed format so that it can be utilized by any subsequent cloud provider,
  • an agreement on a rate card establishing the rates for any transition assistance fees, and
  • a commitment to cooperate with any new cloud provider, preferably for a specified duration.

At the same time, prudent customers will want to require the cloud provider to retain their data for some period of time (30–60 days) while they are identifying a new cloud provider or in transition. Cloud providers are hesitant to store data for any length of time due to the cost of storage unless they are compensated for doing so.

In the event the cloud provider is also providing a license to a specific application, the agreement should address ownership and use of the license after termination of the agreement. From the cloud provider’s perspective, the underlying agreement between the cloud provider and the customer should clearly state that the customer does not receive any rights for future use of the application and that upon termination, the customer’s only right is to port its data to a new cloud provider. If the customer purchased a software license as part of the services, the customer should be contractually entitled to transfer the license to the new cloud provider. At the time the agreement is negotiated the customer should understand its rights, including its transfer rights, if it is “purchasing a license.” Although the customer may have paid to “purchase” a license and the cloud provider granted the customer access to use software through a license, the license may terminate with the agreement and prohibit the customer from taking the software to the new cloud provider.

(xiv) Compliance Obligations

Customers often seek to transfer their compliance and regulatory obligations to the cloud provider. Prudent cloud providers will reject the customer’s efforts to do so, as the obligation legally rests with the customer, and the customer cannot escape its liability by contractually requiring the cloud provider to assume such obligations. Agreeing to assume such responsibility is very risky for the cloud provider as, in most cases, the cloud provider lacks the requisite industry knowledge to fully understand the risk it is assuming as well as the cost to comply with such obligations. This is especially true with consumer data laws such as HIPAA, where the cloud provider may not know the type of data being stored by the customer or the citizenship of the data owners.

(xv) Acceptable Use Policies (AUPs)

Acceptable Use Policies (AUPs) are used by cloud providers to establish the parameters of the customer’s access and use of the cloud provider’s network and services. The customer’s failure to abide by these requirements may result in the suspension of the customer’s ability to access the cloud provider’s network and services and in extreme cases the termination of such rights. Cloud providers usually set forth a list of prohibited activities which may include:

  • Any activities that are illegal, that violate the rights of others, or that may be harmful to others.
  • Content that infringes or misappropriates the intellectual property or proprietary rights of others.
  • Content that is defamatory, obscene, abusive, or invasive of privacy.
  • Content that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, and time bombs.
  • Actions that violate the security or integrity of any network, computer or communications system, software application, or network or computing device.
  • Accessing or using the cloud provider’s network without permission, including attempting to probe, scan, or test the vulnerability of the cloud provider’s network or to breach any security or authentication measures used by the cloud provider’s network.
  • Forging TCP/IP packet headers, e-mail headers, or any part of a message describing its origin or route.
  • Monitoring or crawling of the cloud provider’s network that impairs or disrupts the cloud provider’s network being monitored or crawled.
  • Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
  • Interfering with the proper functioning of the cloud provider’s network, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
  • Using manual or electronic means to avoid any use limitations placed on the cloud provider’s network, such as access and storage restrictions.
  • Distributing, publishing, sending, or facilitating the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (“spam”), including commercial.