1 A Conversation with Campus Counsel on Current Developments in IT Outsourcing: Legal Challenges and Practical Suggestions
Steven J. McDonald and Joshua Dermott | October 20, 2011
2 Cloud Cover
The law, lawyers, and you
Contracts 101
A look inside cloud contracts
Chasing the clouds away
3 DEDICATION "Could you just take a quick look at this [15-page, 8-point font, form] contract [that's been on my desk for the last three months] and let me know whether it's OK [before the vendor comes in 30 minutes from now to pick it up]?" – Numerous clients who will for their and my protection remain anonymous
4 May: What is Permissible
Can: What is Possible
May: What is Permissible
Should: What is Advisable
Must: What is Required
5 Decisions, Decisions
Risks, Law, Benefits, Costs, Values, Relationships, Public Relations, Practicalities . . . Law
6 Advice and Consent
Lawyers give advice, not orders
Can (may) I do X?
Administrators make decisions and choices
How can (may) I do X?
Lawyers don't make your decisions. Lawyers help make your decisions better.
7 What is a Contract? An agreement between two or more people that is enforceable by law
8 What Does it Take to Make a Contract?
Offer: I'll do/pay X if you do/don't do Y
Acceptance: OK (in any form)
Consideration: X and Y
In other words, there must be a bargain (in the sense of an agreed, mutual exchange), but it need not be a "bargain" (in the sense of an equal exchange or good deal)
9 WHAT DOESN'T IT TAKE TO MAKE A CONTRACT?
A negotiation
Courts will strike out terms of non-negotiable contracts only if they are "unconscionable"
A written document (usually)
A written document that is consistent with your negotiations
A written document that you have read
A written document that you understand
A signature (usually)
Terms that are "fair" and "reasonable"
A lawyer
All that matters is that you have "manifested your mutual assent" to the contract
10 Contracts: An Owner's Manual
Who: the parties
What: the rights and duties of the parties
Where: the place of performance
When: the term(s) of the contract; deadlines
Why: any relevant background
How: the method of performance
How much: the amount and terms of payment
What if: termination rights and remedies
11 A Contract is, First and Foremost, a Business Document
"You've got to be very careful if you don't know where you're going, because you might not get there." – Yogi Berra
If you don't know and specify what it is you want to receive, you're going to get only what the vendor wants to provide
"You don't get what you deserve, you get what you negotiate." – Chester L. Karrass
12 Let's Make a Deal
All of the things that you have to worry about when you do it, they should be worrying about when they do it
But it may not be in their business model
Or they may not even be aware of it
Trust, but verify
Ignore:
"No one's ever complained about that before"
"We can't do that – it's 'free'"
"It's organic – we can't specify details now"
13 CLOUD CONTRACT ISSUES TO WATCH OUT FOR
FERPA/Privacy/Confidentiality
Data security and data breach responsibilities
E-discovery
Patent infringement
Incorporated URL terms that are modifiable at will
Responsibility for end users
Export controls
Service level agreements
Suspension/Termination and their aftermath
Warranties (and lack thereof)
Indemnification (both ways)
Choice of law and jurisdiction
14 Data Privacy/Security/Breach
FERPA – student records
HIPAA – medical records
Gramm-Leach-Bliley – "financial" records
PCI-DSS – credit card records
"Personal information" under a state data protection statute
Especially "personal information" about Massachusetts residents, wherever located . . .
15 Data Privacy/Security/Breach
All have "safeguarding" requirements of varying degrees of intensity
In general, must specifically require vendors to comply with them on your behalf by contract (not to mention monitor them as well)
Who is responsible/liable in the event of a breach?
16 PATENT INFRINGEMENT
Blackboard v. Desire2Learn
Acacia Media Technologies v. The World
Is your vendor willing to warrant that it actually owns what it's selling, and that it won't be your problem if it turns out that it doesn't?
17 Warranties "VENDOR MAKES NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, AND NONINFRINGEMENT." Translation: "Abandon all hope, ye who enter here. We don't know whether this thing works, and we're not even sure we own it."
18 Honesty is Hardly Ever Heard
We don't claim Interactive EasyFlow is good for anything – if you think it is, great, but it's up to you to decide. If Interactive EasyFlow doesn't work: tough. If you lose a million because Interactive EasyFlow messes up, it's you that's out the million, not us. If you don't like this disclaimer: tough. We reserve the right to do the absolute minimum provided by law, up to and including nothing. This is basically the same disclaimer that comes with all software packages, but ours is in plain English and theirs is in legalese. We didn't really want to include any disclaimer at all, but our lawyers insisted. We tried to ignore them but they threatened us with the attack shark, at which point we relented.
19 Responsibility for End Users
Institution shall be responsible for ensuring that its users comply with the terms of this agreement (which is confidential, and which it therefore may not tell them about)
Institution shall use its best efforts to ensure that its users comply with the terms of this agreement
Institution shall use reasonable efforts to ensure that its users comply with the terms of this agreement
Institution shall inform its users of their obligations under this agreement
Institution shall not authorize its users to engage in actions that violate this agreement
20 SUSPENSION/TERMINATION AND THEIR AFTERMATH
How fast, and for what reasons, can the vendor suspend or terminate service?
Will you have time to make the necessary transition to another vendor?
Will you have access to your data?
In what format, and for how long?
21 Choice of Law and Jurisdiction
Yours v. theirs
Limitations on state institutions
Delete it and defer the argument till later
Suit must be filed in defendant's jurisdiction
22 And Watch Out for This
This Agreement contains the entire agreement of the parties with respect to its subject matter and supersedes all prior negotiations, agreements, and understandings with respect thereto. This Agreement may be amended only by a written document duly executed by both parties.
Translation: "If it's not in there, it's not enforceable."
Also: "Everything the salesman told you is a lie."
23 ARE YOU CIRRUS?
24 A BREAK IN THE CLOUDS?
25 ON A CLEAR DAY
12 public and private schools issued a joint RFP for student, faculty, and staff and related apps, based on the model RFP
7 proposals were submitted; narrowed to 2 finalists
Lawyers from the schools split into two teams and began to negotiate with the 2 finalists concurrently, attempting to start from the model contract
Negotiations have so far resulted in mixed results, with FERPA, HIPAA/BAA agreements, location of data storage, and vendor liability for data breach among the most difficult points with at least one of the finalists each, and the model itself a point of contention with one of the finalists
Hope is that the negotiations will produce agreements that will "scale" easily and that vendors can offer generally
Regardless, negotiations have resulted in useful updates of the model documents, which will be released soon
26 AT HOME IN THE STORM
Schools have also periodically discussed using Internet2, another group, or ourselves to develop dedicated higher ed cloud for storage or other purposes
Could avoid difficulties encountered with for-profit vendors
But campus users may want services we can't match
Another possible alternative: Internet2 as "broker" that could increase bargaining power on difficult issues and/or obtain group discounts
October 4, 2011: Internet2 announced "Net+ Services" pilot project
HP to provide high speed computing cycles
Box.net to provide storage (like Dropbox)
Participating schools will contract with I2 and pay administrative fee; I2 will contract with vendors
Pilot schools include Cal-Berkeley, Cornell, Indiana, Michigan, Notre Dame, Penn State, Utah
27 UNDERNEATH MY UMBRELLA
28 The Silver Lining
Your lawyer really isn't trying to botch the deal for you by raising these issues
You're paying him or her to be a professional pessimist, for your protection
Ultimately, much of this is a question of risk management, and you make the call
29 QUESTIONS AND CONVERSATION
30 THANK YOU