Cardware Conference presentation on BIG DATA June 17-18 2014
Mining IT Summit Nov 6 2014
1. NEGOTIATING SUCCESSFUL IT CONTRACTS
IN THE MINING INDUSTRY
Lisa Abe-Oldenburg
November 6, 2014
3rd Global Mining IT & Communication Summit 2014
2. Introduction
• Software Licensing Top 10 Tips
• Cloud Computing risks and how to avoid them
• IT outsourcing best practices
• Protecting confidential IT and data
3. Software Licensing Top 10 Tips
1. Do Your Due Diligence
• Reps and warranties are a tool to manage risk
after due diligence
2. Be clear about what rights are being licensed and to
whom
• Beware of the word "use"
3. Know the Difference Between Exclusive, Sole and
Non-Exclusive
• Competition and duties
4. 4. Do Sweat The Small Stuff in the License Grant
• perpetual, non-transferable, non-sublicensable, grant-backs
5. Don’t Blindly Agree to Restrictions on Licensing
• Be careful with limitations on scope, location, copying,
confidentiality
6. Beware of Reps & Warranties that look good from afar, but
are far from good
• E.g. Licensor ownership, third party qualifications,
licensor's rights, non-infringement not tied to exercise
of license rights, security
5. 7. Do structure compensation strategically
• Create the right incentives for royalties, e.g. minimums,
de-escalating, calculation variables, tax exemptions,
R&D credits
8. Do Consider Bankruptcy and Insolvency
• Source code and other escrow, survival of license terms
beyond termination, security interest, keep services
separate, FMV option to purchase
6. 9. Don’t Underestimate the Term & Termination
• Start date, conditions, different, early, causes,
remedies, renewals, transitioning, survival
10. Be Choosey About Choice of Law
• Governing, forum, location, dispute resolution,
IP rights, import/export controls, currency
exchange
7. Cloud Computing Risks and How to Avoid Them
• Overview of cloud computing
• Cloud delivery, service and deployment models
• Issue identification
• Risk mitigation
8. Overview of Cloud Computing
• National Institute of Standards and Technology (NIST) v. 15
• Cloud computing is a model for enabling convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned
and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential
characteristics, three service models, and four deployment models.
• “Surge computing” analogous to electricity providers, where players intra
cloud (or in cloud stacks) or inter-cloud, are essentially trading processing and
storage capacity. Data, software and servers are able to be moved
instantaneously to available computation resources
• Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp. 2d 1006 (N.D. Cal.
Jan. 27, 2009) – “Cloud Computing” defined as a software as a service
platform for the online delivery of products and services
9. Cloud Delivery/Service Models
• Software as a Service (SaaS)
• cloud provider supplies the software
• user can set limited configuration of the software
• Platform as a Service (PaaS)
• cloud provider supplies the programming language and tools
• user selects and controls applications and hosting environments
• Infrastructure as a Service (IaaS)
• cloud provider manages and controls underlying cloud infrastructure
• user selects and configures operating systems, storage, applications,
networking components (e.g. firewalls, load balancers)
• Cloud service integrators bundle multiple services into a single offering, to
appear as a seamless consolidated application
• E.g. customer relationship and reservations system,
e-signature/e-commerce app, payment processing, billing platform, etc.
10. Deployment Models
• Private cloud. The cloud infrastructure is operated solely for an
organization. It may be managed by the organization or a third party and may
exist on premise or off premise.
• Community cloud. The cloud infrastructure is shared by several
organizations and supports a specific community that has shared concerns
(e.g., mission, security requirements, policy, and compliance considerations).
It may be managed by the organizations or a third party and may exist on
premise or off premise.
• Public cloud. The cloud infrastructure is made available to the general
public or a large industry group and is owned by an organization selling cloud
services.
• Hybrid cloud. The cloud infrastructure is a composition of two or more
clouds (private, community, or public) that remain unique entities but are
bound together by standardized or proprietary technology that enables data
and application portability (e.g., cloud bursting for load-balancing between
clouds).
11. Issue Identification
• Where is the Cloud and which jurisdictions' laws
apply?
• Governing law of the contract governs contractual
terms, but still subject to local laws and
regulations – cannot contract out of them
• Ownership, control, preservation and return or
destruction of data, especially in the cloud –
cross-border transfer, eDiscovery and data
retention issues
• Risk of asset/data loss, security and privacy
breaches more serious in the Cloud
• How and where can you access your data? For
compliance, correction, deletion, at end of service,
if disaster or insolvency of cloud provider occurs,
or for litigation purposes
12. Issue Identification
• Where is the data??? Both data at rest and
data in motion. Cloud is flexible and data
(and software) can move easily across
borders if network is big enough - moved
around to where storage or processing is
more cost effective, efficient or available
• Provider may not have standards, controls
or notification process that meet regulatory
compliance and guidance requirements
applicable to your business
• Watch out for freezing of accounts and no
access to data upon termination or breach
– data could be deleted (hijacked until fees
paid or dispute resolved)
13. Issue Identification
• Backup and disaster recovery issues – risk and
cost shift to customer
• Risk of copyright infringement if software or
systems are being migrated to the cloud - creation
of virtual servers or applications could be
making a “copy” and require additional license
rights and payment of fees
• Ownership complications if cloud used for any
development – need to examine applicable
copyright law and cloud service agreement
14. Issue Identification
• Limits on provider's liability may be too low -
disclaimers, exclusions, short limitation periods;
risk of liability shifts to customer
• What is your recourse if provider is in breach?
If there is a service interruption/outage, errors,
damages, loss, disclosure?
• Cloud providers providing public services will not
give indemnities and will ask for broad
indemnities from the customer – must renegotiate
• Contracts or services in foreign jurisdictions could
have problems with local laws, storage, handling
of disputes, exports
• Cross-referenced terms must be agreed to in
advance of procurement
• Watch out for terms that could be unilaterally
amended by service provider, deemed accepted by
use
15. Mitigating Issues with Cloud Computing Agreements
• Due diligence – insist on transparency
• Scope of services, location, data management, logical partitioning
• SLAs – minimums, measurement, periods, frequency, downtimes,
connectivity, uptime percentage calculations, review and
assessment, reporting, audit, exclusions (customer, 3rd
party, etc.)
• Customer responsibilities – data, licenses, compliance, users
• Data issues – cleansing, storage, retrieval, transitioning
• Termination implications, business continuity
• Confidentiality and Security terms, audits – financial, physical,
technical, security, controls and standards, compliance
• Liability and disclaimer clauses to be negotiated
16. Risk Mitigation
• Maintain control over critical data or services and access to them
• Consider choosing a private cloud or community cloud with
services within the province
• Revise employee technology policies to ensure BYOD doesn't
translate into BYOC – ensure employees are trained on the risks of
cloud computing and not using publicly available free services for
work related matters, e.g. conference calls, gmail, contact list
management, slide sharing, web-based presentations
17. IT Outsourcing Best Practices
• In-scope, out of scope, critical operations, SLAs, dependencies
• Hardware, software, data, infrastructure, websites, R&D, testing,
maintenance, backup, disaster recovery, business continuity, transitioning
• Change management – regulatory, business operations, disputes
• Governance – committees (Executive, Project), key persons,
reporting, meeting, voting, dispute resolution
• Ownership of IT, IP, prior and new, data and licensing
• Remedies for default, minor vs. material
• Representations, warranties and indemnities
• Term and termination, survival of obligations and rights
• Renewal terms – automatic or not, notice periods, term, COLA
clauses
18. Allocating Risk and Minimizing Liability
• Defining "Losses" becomes important
• All damages including internal costs
• Just those resulting from third party claims
• Legal fees and disbursements
• Costs of investigation, audit
• Security breaches, third party hacking, theft
• Standards of care and responsibilities
• Representations and warranties as to compliance and security
• Breach disclosure obligations – to parties, regulators, public?
• Caps on liability and exclusions, e.g. for privacy, confidentiality and
security breaches
• Who is best able to mitigate risk?
19. Revenue Structures
• Basis for calculating fees and payment terms
• For services, products, data transfer, backup, disaster
recovery, updates and upgrades, licenses (royalties)
• Fees and rates
• fixed
• variable
• unit of measure (time, output/input)
• Transition services
• Pass-through costs
• Set-offs (e.g. credits, third party fees)
• Timing of payments – deliverables, testing, deployment
20. Revenue Structures
• Adjustments, e.g. cost-of-living and inflation escalators,
consumer price indices
• Credits (remedies for breaches or failures in performance) –
Sole and exclusive remedy? Liquidated damages? Triggers?
Caps? Applied against specific service/SOW or entire
agreement?
• Taxes
• Invoicing – frequency, interest, currency
• Reporting, officers' certificates (MFN) and audit –
restrictions
21. Protecting Confidential IT and Data
• Prevention of competition, leakage of trade-secrets, ideas and
know how
• non-competition covenants
• non-solicitation covenants
• Employment and subcontractor contracts
• NDAs
• Which way does the confidential information flow?
• Define "Confidential Information" - scope of protection
• Exclusion examples:
• Information independently developed
• Information licensed from third parties
• Publicly available information without breach
22. Protecting Confidential IT and Data
• obligations:
• non-disclosure - other party’s confidential info
• security/retention
• technologically isolate customer data and records at all times
• location of records and data storage
• return/destruction
• exclusions, e.g. permitted disclosures
• notification and mitigation of breaches (potential or actual)
• term for each obligation
• liability for losses if security breach
• injunctive remedies
23. Practical Tips
• Limit disclosure only to those persons who have a “need to
know”, establish "clean rooms"
• Disclosure of confidential information to any third party, e.g. an
outsourced service provider, may be prohibited under certain
software licenses
• Security standards, controls, audits – SOX, technical, systems
and compliance
• Confidentiality obligations to survive for so long as information
remains confidential or trade secret
24. Questions?
Lisa K. Abe-Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 1-416-777-7475
www.bennettjones.com
• This presentation contains statements of general principles and not legal
opinions and should not be acted upon without first consulting a lawyer who
will provide analysis and advice on a specific matter.