I will be referring in part to an article that showed up in the ACC Docket for December 2011 entitled “Legal Considerations in Migrating to the Cloud” by H. Ward Classen and Walter S. DelaCruz. I actually respect Mr. Classen’s work in software licensing, as he literally wrote a book on the matter, but I have to say: I have problems with this article. It’s more balanced than the other stuff I’ve seen floating around (I won’t call out those attorneys), but I was expecting more of a middle-ground consensus.
Everyone is concerned with data breach and getting hacked in today’s world. With all of the recent hacks and groups like Anonymous, people are scared. I don’t think it justifies this little statement from Mr. Classen’s article nonetheless:
The services provider should be obligated to notify the customer of any attempted hacking and any known security breaches affecting the confidentiality of the customer’s information or the security of the customer’s data.
Wait—any attempted hacks? If that were the case, then some folks would be providing notifications every hour frankly. That’s ridiculous. What if I was a large vendor like IBM? I’m sure they’re getting targeted all the time.
And any known security breaches? Are you kidding? SaaS vendors should be working to patch their systems, not provide notice of all their known weaknesses to their customers. That’s inviting trouble frankly speaking. There just aren’t that many white hats in this world. This should be limited to any security breach where the customer’s data is actually lost or exposed. This is a case of paranoid lawyers who don’t understand the actual implications of what’s being asked.
Limitation of Liability and Indemnity
Now this is where I get really frustrated, because I find most of my time being eaten up negotiating these points when the reality is that they don’t get invoked often in practice. (And when they do, they are so messy that whatever is there ends up being rewritten in court… I know this firsthand as a litigator!)
These provisions need to make sense for both sides. Think about this: if you’re a buyer and you want to save money by moving to a cloud or SaaS vendor, do you really think you can obtain valuable services on the cheap, save money, and buy yourself more insurance all at the same time? I didn’t think so. Just because SaaS vendors can reach an economy of scale doesn’t mean that margins are that good. In fact, they often aren’t. And yet, this is what happens in so many of the negotiations I’ve been a part of.
For this to make business sense for both sides, there need to be reasonable limitations on both indemnity and limitation of liability. Here is the industry standard for both:
Limitation of liability: one times the amounts paid by the customer for the 12 months preceding any claim
Indemnity: SaaS or cloud vendors indemnify if the customer receives any third party claim for IP infringement based on use of the services. Customer indemnifies if they use the services to break the law.
Notice what isn’t listed here: fraud, personal injury, wrongful death, any breach of the contract, etc. Why? They aren’t core to the contract. Sorry risk allocation specialists, I don’t think broader indemnities allocate risk well at all—they cause trouble for everyone but outside litigation counsel. And without caps on liability, I’ll be frank: insurance is expensive and that will cause me to raise my rates as a vendor. Seriously, if you can save money by outsourcing to the cloud, use some of that savings to buy your own insurance.
Mr. Classen’s article says:
In addition, the services provider should indemnify the customer for all losses suffered in the event of a data breach. This indemnification should be carved out from any limitation of liability contained on the underlying agreement.
If your goal is to put your vendor out of business fast, listen to Mr. Classen’s advice. But if you understand the industry and what you’re buying (at a ridiculously low price often), then you need a reality check. I’ve surveyed many standard cloud and SaaS contracts and the standards I mention above apply nearly everywhere—from small SaaS startups to large enterprise IT company SaaS divisions.
The old SaaS standard for very fair-minded companies regarding limitation of liability used to be 1x12 months’ fees on most claims and 3x12 months’ fees on indemnity-related issues. Sad to say, I think that’s now dead, because buyers have responded by trying to extract more in contract negotiations and it got out of hand. Remember how video killed the radio star? Fear and greed killed fairness in SaaS contracts.