10 07-14 hosting con europe 2014 presentation unannotated

Doing Business Globally HostingCon Europe Amsterdam, October 2014 W. David Snead Attorney + Counselor – Washington, D.C. Tactical Legal Advice for Internet Business [email protected] Paolo Balboni European ICT & Data Protection Lawyer – ICT Legal Consulting Int. – Amsterdam [email protected]

Upload: wdsnead

Post on 16-Jul-2015



• Creating a contract that works • Compliance • Key provisions in a global contract

Why do you need a global contract?

Pros • Attracts larger clients • Ease of administration • May ease legal compliance

Cons • Complicated contract • Jurisdictional issues • Vendor compliance difficulties

1. Exceeding customer expectations 2. Supporting your brand 3. Protecting your revenue 4. Meeting your contract obligations 5. Litigation prevention

Contract goals

• Engage in a 180’ contract review • Procure insurance • Stand behind your product • Don’t rely on limitations of liability

What should you do first?

Vendors • Flow down provisions • Right to change products • Fee changes • Warranties • Responsibility for subcontractors • Indemnification

180’ contract review • Match up to your agreement • Create implementation period • Include right to substitute • Create implementation period • Provide evidence to customers • Match up to your agreement • Include responsibility flow down • Match up to your agreement • Procure insurance • Match to technology

Customer | Vendor | Company
Skin in the game | No refunds | Applies to purchased services
Reliability | Force Majeure; No subcontractors; Cable cuts; 90 day warranty | Detailed Service Level Agreement written in plain English
Price | Right to change prices; No subcontractors; Difference in contract term | Tolerate price gaps; Provide documentation
Support | Tier 2; Self help | Ready access on website; Clear response times

Customer | Contract | Implementation
Skin in the game | SLA: credits | • Automatic notification and credit
Reliability | SLA: plain English | • Tie back to vendors • Internal metric score cards • Percentages implemented mechanically
Price | • Price changes at term • Increases with evidence | • Contract term process • Negotiate notice of increases • No asterisks
Support | Support based on revenue | • Self help available • Automatic notice of cut off

Customer Goal | Flow down provision | Legal issues | Operations issues | Summary provision
Price stability | Increase in electric prices | • Increase prices • Disclose information • Meeting of the minds | • Measure • Provide information • Revenue stability • Monitor vendor contracts | • Prices stable during term • Pass through prices increase on notice

THIS PRODUCT COULD INCLUDE TECHNICAL OR OTHER MISTAKES, INACCURACIES OR TYPOGRAPHICAL ERRORS. WE MAY MAKE CHANGES TO THE MATERIALS AND SERVICES AT THIS SITE, INCLUDING THE PRICES AND DESCRIPTIONS OF ANY PRODUCTS LISTED HEREIN, AT ANY TIME WITHOUT NOTICE. THE MATERIALS OR SERVICES AT THIS SITE MAY BE OUT OF DATE, AND WE MAKE NO COMMITMENT TO UPDATE SUCH MATERIALS OR SERVICES.

THE USE OF THE SERVICES OR THE DOWNLOADING OR OTHER ACQUISITION OF ANY MATERIALS THROUGH THIS SITE IS DONE AT YOUR OWN DISCRETION AND RISK AND WITH YOUR AGREEMENT THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM SUCH ACTIVITIES.


• Creating a contract that works • Data compliance • Addressing cultural issues

• Sectoral Based • Reactive • Generally state based • Narrowly tailored

• Issue Based • Proactive • National implementation

DATA PROTECTION/SECURITY COMPLIANCE AS A COMPETITIVE MARKET ADVANTAGE

• A couple of deal-breaking elements from our daily experience:

1. Personal Data Processing Agreements (where duties and obligations are clearly identified)
2. Transparency and control over the personal data flow (circulation/transfer of personal data)

• These elements are requested by customers for 2 main reasons:

1. COMPLIANCE: to establish enough control by the customer (Controller) on the personal data processing carried out by the provider (Processor)
2. INTERNAL RESPONSIBILITIES: to internally show that protection and control over personal data, as a company asset, have been considered in the choice of a provider that offers enough guarantees

EU data protection/security checklist

A Service Provider (SP) will have to share:

① Information about its identity (and the representative in the EU, if applicable), its data protection role, and the contact details of the Data Protection Officer or of a “privacy contact person”

② SP will have to describe in which ways the data will be processed and provide information on data location and subcontractors

③ How data transfers may take place and on which legal ground (mainly model contracts, binding corporate rules – SH principles have been under revision)

④ Data security measure in place, with special reference to:
- availability of data
- integrity
- confidentiality
- transparency
- isolation (purpose limitation)
- intervenability

⑤ Way to monitor SP data security / possibility to run audits for clients or trusted third-parties

⑥ Personal data breach notification policy

⑦ Data portability, migration, and transfer back assistance

⑧ Data retention, restitution and deletion policies

⑨ Accountability, meaning the policies and procedures SP has in place to ensure and demonstrate compliance, throughout the SP value chain (e.g., sub-contractors)

⑩ Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights

⑪ Management of law enforcement request of access to personal data

⑫ Remedies available for the customer in case of CSP breach of contract

• HIPAA / GLB / FCRA • FTC needs most attention • Marketing to minors • State laws may apply • No Federal breach law

• Massachusetts sets standard • Focus on identification numbers • Increasingly includes biometric • No private right of action • Nexus requirement • Encryption exemption • No exemption for de minimis disclosures • 7 states with no law

Transparency +

Contractual reassurance on legal compliance =

Customer Trust

CUSTOMER TRUST = BUSINESS

• Creating a contract that works • Data compliance • Key provisions in a global contract

Company will indemnify, defend and hold harmless Customer, its affiliates, directors, officers, employees and agents (collectively, the “Customer Group”) from and against all Losses asserted against, resulting to, imposed upon or incurred by the Customer Group (or any member thereof) to the extent arising from (i) any personal injury, death or physical damage to, or loss or theft of, tangible personal property caused by the gross negligence or willful misconduct of Company or its employees, agents or subcontractors, or (ii) allegations that the Services (excluding any third party components) directly infringe a patent issued under the laws of a country in which the Services are actually provided to Customer; provided, however, that, in addition to the foregoing indemnification, Company’s sole and exclusive liability with respect to this Section 1, and Customer’s sole and exclusive remedy with respect to this Section 1, is limited to Company making the Services non-infringing or arranging for Customer’s continued use of the Services by license or otherwise, but if either of the foregoing options are commercially impracticable for Company, in Company’s sole discretion, upon written notice to Customer, Company may cancel the directly affected Services, refund to Customer any prepaid fees for such cancelled Services and, if applicable, adjust Customer’s ongoing monthly fees for the continuing Services to account for such cancelled Services. 
Notwithstanding anything to the contrary in this Section 1, Company will have no indemnification obligation to Customer under this Section 1 for any infringement arising from (A) an unauthorized modification of the Services by Customer, (B) Customer’s combination of the Services with any intellectual property not developed or owned by Company if the Services would have avoided the infringement but for such combination by Customer, or (C) Customer’s failure to install updates, patches or other similar items provided by Company or the licensor of the intellectual property that is the subject of such a claim.

Legalese Plain English

• Cover all intellectual property that is yours. • Take up the suit. • Agree to work proactively

Indemnification means it.

NOTWITHSTANDING ANY ORAL OR WRITTEN COMMUNICATIONS BETWEEN COMPANY AND CUSTOMER ABOUT OR IN CONNECTION WITH THE SERVICES AND TO THE FULL EXTENT PERMITTED BY APPLICABLE LAW, NEITHER COMPANY NOR ANY OF ITS EMPLOYEES, AFFILIATES, AGENTS, SUPPLIERS, SUB-CONTRACTORS OR LICENSORS MAKE ANY WARRANTIES OF ANY KIND, ORAL OR WRITTEN, EXPRESS OR IMPLIED, ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE OR OTHERWISE INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, CONFORMITY TO ANY REPRESENTATION OR DESCRIPTION, COMPLETELY SECURE, ERROR-FREE, NON-INTERRUPTION, NON-INTERFERENCE OR NON-INFRINGEMENT. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT OR IN THE ADDENDA, THE SERVICES AND EQUIPMENT PROVIDED UNDER OR ASSOCIATED WITH THIS AGREEMENT ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS.

Legalese Plain English

EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT (INCLUDING, WITHOUT LIMITATION, THE SERVICE LEVEL AGREEMENTS)

Make Warranties. Not Disclaimers.

Company guarantees 100% availability of the Company Cloud Network. The Company Cloud Network will be deemed 'available' if the networking components are available and responding to Company monitoring tools as designed and in a non-degraded manner (as evidenced in the Company monitoring tool).

Legalese Plain English

• Monitor proactively • Provide automatic credits • Agree to consider customer monitoring

No hoops.

Start from the customer’s perspective

No “hot coffee” decisions

Consider data protection/security compliance as a competitive market advantage

Engage in a 180’ contract review

W. David Snead Attorney + Counselor – Washington, D.C. Tactical Legal Advice for Internet Business [email protected] wdsneadpc / Twitter thewhir.com / Blog

Paolo Balboni European ICT & Data Protection Lawyer – ICT Legal Consulting Int. – Amsterdam [email protected] @balbonipaolo / Twitter www.ictlegalconsulting.com / Website