Topics
- Changes
- Risk Assessments
- Cloud
- Data Security / Data Protection
- Licenses, Copies, Instances
- Limits of Liability and Indemnification
- Requests for Proposals
- Good Practice
- Trends
- Resources
Changes
- Increased use of agreements required to extend service periods
- Increased use of software as a service (no longer buying a commodity)
- Increasingly complex agreements
- Increased litigation and risk exposures
- Increased drive to limit liability
- Audits
Risk Assessments
- What is the software use?
- Is data collected, used, or transmitted?
- Define the data and the classification level
- Identify any financial transactions (PCI)
- Describe Installation and Support requirements
- Define if software is self-hosted or web-hosted
Where is my data?
Cloud
- There is no ‘cloud’. Data is collected and stored somewhere.
- Where is the data center?
- How secure is the data and the center?
- If outside US, how risky is the data exposure?
- How will data be returned?
Data Security and Protection
Data Security & Protection
- Campus Chief Information Security Officer
- Safeguards
- Access, Transmission, Storage
- Movement and co-location
- Can the vendor aggregate, slice and dice, or compile?
- Can the vendor have co-location, failovers, etc.?
- How does system safeguard protected data: HIPAA, PCI, FERPA, Personal Information
License / Copy / Instance
- What does your license cover?
- What is a ‘copy’, ‘instance’, or ‘impermissible copy’?
- Does your license transfer from hardware to hardware? Storage box to storage box.
- “unfettered right to ‘move, migrate, transfer’ license without it being deemed an impermissible copy”
- Use, Access, and Benefit / Authorized Users
- “install, execute, use, have access to, benefit from, copy, test, display, and perform and make back up and archival copies.”
- Audit
Liability and Indemnification
- Limits of Liability
- “Vendor’s liability for damages to customer will not exceed fees paid under this agreement for 36 months preceding date of claim.”
- Consider Adding: “Except as set forth in paragraphs (list sections pertaining to copyright/intellectual property, indemnification provision, and confidentiality / data breach section).”
- Indemnification
- Indemnify, defend, and hold harmless
- Copyright Infringement costs, data breach costs
Liability and Indemnification
EXAMPLE FROM VENDOR AGREEMENT
6.2. Disclaimer. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, THE PROGRAM AND DOCUMENTATION ARE PROVIDED “AS IS” AND “WITH ALL FAULTS,” AND VENDOR MAKES NO REPRESENTATIONS OR WARRANTIES, AND DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, WRITTEN OR ORAL, ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, USAGE OF TRADE, OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF NON-INTERFERENCE, ACCURACY, MERCHANTABILITY, SYSTEMS INTEGRATION, QUALITY, AND FITNESS FOR A PARTICULAR PURPOSE.
Liability and Indemnification
EXAMPLE
Monetary Liability. THE AGGREGATE TOTAL LIABILITY OF VENDOR UNDER OR IN CONNECTION WITH THE PROGRAM, THE DOCUMENTATION, OR THIS AGREEMENT TO LICENSEE OR ANY OTHER PERSON OR PERSONS SHALL UNDER NO CIRCUMSTANCES EXCEED THE AMOUNTS PAID BY LICENSEE UNDER THIS AGREEMENT.
Request for Proposals (“RFP”)
- The RFP is a team effort and requires collaboration
- Conflict of Interest & Confidentiality
- Develop RFP with the end in mind
- The RFP Response should be an Exhibit to agreement
- Detailed project plan and/or statement of work is obtained prior to contract execution.
- Maintenance and Support detailed including service levels
Request for Proposals (“RFP”)
Consider additional items:
- Service Level Provisions as part of RFP
- Intellectual Property Rights for co-development
- Contract Close out plans
- State in RFP that the CSU General Provisions for IT will be required
- Security Questionnaire and Requirements as part of RFP
- All functionality for license is contained in implementation – no future release solutions
Good Practice
- Templates
- Eliminate hyperlinks in your agreements
- Ensure that no disabling devices are in the software
- Collaborate with IT: meet, discuss, cross educate
- Collaborate with other campuses
Interesting Trends
- Migration to Tablets and Devices – BYOD and Apps
- Social Media as daily communications
- Big Data
- Cloud Computing
- Software as a Service, Platform as a Service, and Infrastructure as a Service.