SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement...


Presenting a live 90-minute webinar with interactive Q&A

SaaS, PaaS and IaaS: Evaluating Cloud Service Agreement Models, Negotiating Key Terms, and Minimizing Contract Disputes

WEDNESDAY, MARCH 9, 2016

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Megan Smith Demicco, Kilpatrick Townsend & Stockton, Atlanta

Monique McNeill, Commercial Counsel, Novelis, Atlanta

© 2016 Kilpatrick Townsend

Negotiating the Cloud: Best Practices in Cloud Agreement Negotiations

Agenda

Negotiating the Cloud

Service Levels and Credits

Security & Confidentiality

Indemnities

Limitation of Liability

Access to Data & Return after Termination

Intellectual Property

Insurance as Risk Mitigation

Other considerations

What is Cloud Computing?

• Private Cloud
– Single tenant, may be hosted internally or externally by a third party; allows a greater degree of control of data and systems

• Hybrid Cloud
– Use of public cloud, while keeping other IT-resources on-premise or in a private cloud

• Public Cloud
– For use by the general public, not a specific entity
– Multi-tenant, massive scale, pay for use, multi-datacenter redundancy

Common Service Delivery Models

• SaaS: Software as a Service
– Consumer uses provider’s applications running on provider's cloud infrastructure.
– Examples: Google Docs, Google Gmail, Salesforce CRM, Facebook, Groupon, Oracle

• PaaS: Platform as a Service
– Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.
– Examples: Microsoft Azure, Spring Source, Google App Engine

• IaaS: Infrastructure as a Service
– Consumer can provision computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications. Allows for dynamic scaling.
– Examples: Amazon Web Services, RackSpace, IBM, VMware

Negotiating the Cloud: Service Levels and Credits

Informed Tradeoffs

• How critical is the cloud service?
• How confidential is the data?
• What service levels are being offered?
• Can the provider meet your company’s expectations?
• What are the economics of the transaction?
• What is the relative bargaining position of the parties?
• Are other alternatives available?

Transaction Risk Profile

[Figure: Risk (Medium, High) against service criticality/data sensitivity, ranging from a “nice to have” business tool to a mission critical application]

Service Definition & Quality of Service

• Definition of “Services” should permit customer the full use of the services and avoid surprise charges

• Interoperability & configuration, not customization
– Cloud providers generally limit customizations so Provider can more efficiently manage Services and provide scalable solution
– Identify upfront if any customizations will be needed

Service Definition & Quality of Service

• Ability to update service specifications

– “The Service descriptions are available at www.example.com. Vendor may change or otherwise update the Service descriptions at its discretion (including, without limitation, to reflect changes in technology, industry practices, patterns of system use, and availability of third party content).”

– “The Service descriptions are available at www.example.com attached to the applicable order document. Provider may change or otherwise update the Service descriptions at its discretion (including, without limitation, to reflect changes in technology, industry practices, patterns of system use, and availability of third party content); provided, however, that any such changes or updates will not result in a [material] reduction in the level of functionality, performance, security or availability of the Service.”

Service Levels in the Cloud

• Why have SLAs?
• What to measure?
• When to measure?
• Where to measure?
• How to measure actual performance?
• Who will measure/report?

SLA Metrics

• Availability
• Scalability
• Response times
• Problem escalation/resolution
• Carve-outs
• Monitoring/root cause analysis
• Disaster recovery – RTOs / RPOs

SLA Description | SLA Metric | Measurement Window | SLA Credit (% of Monthly Charges)
Availability | 99.999% | Daily/Monthly | 10%
Severity 1 Incident Resolution within 2 hours | 99.000% | Monthly | 10%

SLA Default – Remedies

• SLA Credits
– At risk amount
– Credited towards next month’s invoice
– Right to set off against fees
– Sole remedy

• Right to Terminate
– For repeated failures of the same or different SLAs
– No termination fee
– No waiting or cure period

Securing the Cloud: Security and Confidentiality

Stormy Times in Cloud & Data Security

News Flash

• All systems are vulnerable, most systems are infected. - Jon Neiditz, Security / Privacy / Big Data Specialist (and partner at Kilpatrick Townsend).

• If your contract still requires a SAS 70, you need to update your contract!

Data Security – Third Party Service Provider Contracts

Will your data be secure?

1. Agreement should address security practices for data;
2. Compliance with security laws (e.g., Massachusetts’ security regulations, 201 CMR 17.00-17.05) and private standards (PCI DSS), if applicable;
3. Company-specific, independent security standards are preferable to “industry standards”; and
4. Require that security practices be regularly updated and audited (e.g., SOC 2, Type II, SSAE 16, ISO 27001).

Information Privacy

Agreement should cover:

1. Requirement to maintain all legal, technical, physical and procedural requirements of applicable privacy laws;
2. Identity Theft/State and Federal Security Breach Notice Laws;
3. Address user privacy and provider’s rights to retain and use data; and
4. Notice of requests for data (e.g., subpoenas, government inquiries).

Include a Security Breach Provision

• Include a security breach provision that requires from the provider:

– Immediate (no more than 5 business days) notification of a breach (and ideally a suspected or attempted security breach)

– Cooperation with the investigation including providing access to auditors / forensic investigators (especially if it’s a credit card breach or your regulator needs access)

– Full, uncapped (if possible) liability for all costs arising from a security breach including the costs of providing notice, credit monitoring services, identity restoration services, fraud insurance, the establishment of a call center to respond to customer inquiries, forensic investigations and attorneys’ fees. For credit card breaches, should also include costs relating to reissuance of credit cards, charges for operating expenses of the card brands, fraud recovery costs assessed by the card brands, fines and penalties imposed by the card brands under the PCI Data Security Standards

– Customer control over content and timing of notifications

Security Audits – Get them if you can

• SSAE 16 – SOC 1 (Type 1 or Type 2): reports on controls over financial reporting for Sarbanes-Oxley compliance, or a SOC 2 on security, privacy, availability, processing integrity and confidentiality.

• ISO 27001: int’l standard - certification for management frameworks for security. (ISO 27017 is new cloud-specific standard)

• PCI-DSS (most current version): Security of payment networks.

Indemnities in the Cloud

Indemnification Struggles

• Indemnity: current practice treats it as a special remedy that should be reserved for special risks, such as IP infringement and security violations.

– Provider typically indemnifies if its technology infringes third party IP rights

– Customer typically indemnifies if it loads infringing content onto provider’s systems or uses provider’s systems to violate privacy rights

Limitations of Liability in the Cloud

Cloud is a Battleground: Limitations & Exceptions

• Using the business model (one to many) as justification, cloud agreements typically offer very limited liability for the provider.

• Providers are less likely to agree to exceptions to the cap for breaches of confidentiality and security due to the increasing costs of security breaches.

• Liability for security breaches will typically be limited to provider’s breach of its security obligations or a breach solely caused by provider.

• Customer instead should push to have the provider liable for all security breaches unless the Customer has caused the breach.

Exceptions to Request

• If possible, ask for unlimited liability for the following:
– Indemnification
– Breaches of confidentiality and/or security
– Violation of law
– Gross negligence, willful / intentional misconduct and/or fraud

• If the provider won’t agree to unlimited liability, propose tiered caps (lower cap of the greater of $X or 12 to 24 months of fees for most claims, higher cap of $5X for confidentiality / security breaches). Include a reasonable “floor” for damages.

• Another way to mitigate risk is to choose a cloud provider with a good track record and a strong reputation to protect.

Access to Data & Return After Termination

Contracting in the Cloud

Cloud Data – Ownership & Use

• Definition of “Customer Data”

– “means any content, materials, data and information that Customer or its Authorized Users enter into the Service”

– “means all data and/or information provided or submitted by or on behalf of Customer, all data and/or information stored, recorded, processed, created, derived or generated by the Vendor as a result of and/or as part of the Service, regardless of whether considered Confidential Information”

Data in the Cloud

• Data Access, Storage and Return
– Who can access your data?
– How and where is it stored?
– How do I get my data back and for how long?
– What happens if the cloud vendor goes out of business or files for bankruptcy?
– How do I ensure compliance with our record retention policy?

Exit Strategy in the Cloud

• Termination
– Customer ability to terminate
– Provider ability to suspend or interrupt services
– Escrow of cloud application
– Termination charges

• Termination Assistance
– Scope of termination assistance
– Post-termination rights
– Time frame to retrieve data
– Price protection

Intellectual Property in the Cloud

Risk of IP Infringement

• No “IP infringement” rep and warranty
• Indemnity for 3rd party IP infringement claims
• Exclusions to IP infringement indemnity
• Provider may seek customer indemnity for customer data/content
• Shifting liability depending on how much the cloud is “customized” for a customer

Risk of loss of trade secret status

• Trade secrets must be subject to “reasonable efforts” to maintain secrecy
• Heightened risk of unauthorized or inadvertent disclosure
• Subcontracting
• Use of aggregated data

Work Product – Ownership & Use

• Unless specific, unique deliverable / innovation developed for customer, cloud provider typically retains ownership of all IP
• Who should own custom work product?
• In joint developments, ownership can be tricky
• Ownership of Customer feedback

Insurance as Risk Mitigation in the Cloud

Cyber Insurance Coverage – NEWS FLASH

• You and your providers are most likely underinsured when it comes to data breach / cyber coverage under traditional liability policies.

• Due to growing concerns about the magnitude & frequency of breaches, your CGL policy will likely no longer cover data-related losses, because carriers are now adopting standard-form endorsements written by the Insurance Services Office (ISO) in May 2014.

• The new endorsements issued by ISO exclude coverage not only for compromised data itself, but also for the costs of responding to and remediating the data breach or violation.

Specialty Cyber Insurance Should Cover All Types of Cyber Risk, But May Not

The “Oops” | The “Hacker” | The “Ghost in the Machine” | The “Blogger”

• Now carriers issue specialty “cyber” coverage, but there is no “standard” – examine your policies closely to see if all risks are covered.

Cyber Insurance - Top Ten Questions

1. Do you have concurrency/gaps between your cyber policy, your crime policies, and/or other policies?

2. Are your first-party loss sub-limits reasonable in light of your size/risk?

3. Does your policy cover third party provider systems/negligence?

4. Does your policy cover all potential first-party losses, or is it “opt-in”?

5. Is there an “acts of foreign governments” exclusion?

6. Is there an exclusion for claims alleging violations of consumer protection laws?

7. Is there an exclusion for “any malfunction or error in programming or error or omission in processing” or for losses arising from “mechanical failure,” “error in design,” or “gradual deterioration of a computer system”?

8. Is there an exclusion for an insured’s failure to follow minimum required practices, such as the failure of the insured to continuously implement the procedures and risk controls identified in the application for insurance and related materials?

9. To what extent does the policy cover regulatory risks?

10. Does the carrier mandate its choice of counsel, forensic experts, and crisis management firms?

Other Contracting Considerations

Warranties

Performance

Personnel

No disabling devices

Other Considerations

Testing

• Ensure the service works in accordance with its specifications
• Ensure the system is properly implemented and integrates with other systems
• Testing of updates
• Test environment

Other Considerations

Right to Suspend

• Prohibit the cloud provider’s right to suspend, or restrict it to failure to pay
• Require prior notice and opportunity to cure
• Require that provider restore services within a certain number of days after payment

Assignment

• Consider the risks associated with another entity obtaining control of your cloud provider

Subcontracting

• Are there any restrictions to the provider’s ability to subcontract?
• Ensure the cloud provider is fully liable for the performance of its subcontractors

Are You Ready?

Questions?

Megan Demicco
Kilpatrick Townsend
(404) 532-6969
Atlanta, GA

Monique McNeill
Novelis Inc.
404-760-6492
Atlanta, GA

Biographies

Megan Demicco

Megan Demicco focuses her practice in the areas of outsourcing agreements, technology licensing, and other complex commercial transactions.

Ms. Demicco regularly assists customers with domestic and offshore technology and business process outsourcing arrangements, and advises on and negotiates transactions relating to software licensing and support, cloud computing “as a service” transactions (SaaS, IaaS, PaaS), electronic commerce arrangements, and other similar complex commercial transactions.

Prior to joining Kilpatrick Townsend, Ms. Demicco was Assistant General Counsel at the Texas Department of Information Resources, where she served as the primary state attorney for Texas.gov, the state’s eGovernment portal, a public-private partnership offering more than 1,000 online services.

Associate

Atlanta

(404) 532-6969

Monique McNeill

Monique McNeill joined Novelis in May 2011 as Commercial Counsel.

Ms. McNeill negotiates a wide range of commercial and IT agreements including customer supply agreements, procurement contracts, technology licensing, and professional services agreements. She also regularly provides legal counsel, advice and guidance on complex commercial arrangements, global technology transactions, general corporate matters and strategic initiatives.

Prior to joining Novelis, Ms. McNeill served as Associate Counsel at Aflac Incorporated where she focused on the negotiation of a variety of IT commercial and corporate transactions.
