

By Richard E. Nielsen

On May 15, 2015, the New York Department of Taxation and Finance determined in Advisory Opinion TSB-A-15(2)S that the sale of certain cloud computing services was not subject to New York State sales and use tax. The Advisory Opinion is noteworthy because of the Department’s position on the taxability of licensing prewritten software.

  1. The Opinion was based on the unique facts of the taxpayer. The taxpayer (“Supplier”) offered Software as a Service (“SaaS”).  No specific servers of the Supplier were dedicated to any particular customer, the customers had no physical access to the servers, and the Supplier decided which of its servers would be used for each customer.  Customers were not charged by the Supplier for operating system software, and all charges were based on hourly rates and the amount of computing power consumed.  Customers were not charged any fixed fees for the service.
  2. The SaaS at issue was primarily for the use of Supplier’s computing power.  The Department considered how the Supplier advertised its offering to determine the SaaS at issue was not a taxable license to use prewritten software.  Although the operating systems offered by the Supplier were the type of pre-written software generally subject to tax, the Department found that the Supplier’s customers did not subscribe to the cloud computing service for that purpose, but rather did so primarily to use Supplier’s computing power to run applications.  Any transfer of the right to use operating system software was found to be only incidental to the offering.
  3. The Department did not address whether the Supplier’s offering was a taxable information service. Suppliers should consider whether their offerings might be taxable information services, and review the recent SunGard case from the Tax Appeals Tribunal in that regard.  (See Matter of SunGard Securities Fin. LLC, DTA No. 824336 (N.Y.S. Tax App. Trib., Mar. 16, 2015).)
  4. Businesses offering SaaS under even slightly different models might be treated differently. Suppliers offering SaaS in New York should consult their tax advisors to consider the impact of the Advisory Opinion on their particular SaaS offerings.

For more information, please see our Client Alert.


You’ve managed to agree the deal; all that’s left is to sign the documents.  That’s the easy bit, correct?  So you might think, but it is important to be careful not to slip up at this final stage, particularly when contracting with foreign entities and considering using electronic signatures.

Which law applies when contracting with overseas entities?

In the recent case of Integral Petroleum SA v Scu-Finanz AG [2015] EWCA Civ 144 the English Court of Appeal considered whether a supply contract governed by English law and entered into by two Swiss oil companies was binding.  The defendant successfully argued that the contract was not binding as it had been signed only by one representative of the Swiss company, rather than two representatives, as required by Swiss law.

The judgment was surprising for many who may have expected English law to apply pursuant to the Rome I Regulation, which provides that the chosen governing law should determine matters of “formal validity”. The Court dismissed this argument, however, on the basis that the issue was not one of “formal validity” but rather one of capacity, and so was covered by common law. This meant that the question of capacity was governed by the law of the company’s country of incorporation, rather than English law.

This case highlights the importance of checking the requirements of the law of the country of incorporation when entering into contracts with overseas entities.

Is electronic signature sufficient?

Electronic signatures can take a wide range of forms, such as:

  • the signatory typing his/her name into an electronic document;
  • a scanned handwritten signature;
  • clicking an icon on a website to confirm an order;
  • electronic signatures which use cryptographic technology; or
  • electronic signatures certified by a certification authority.

Whichever form the electronic signature takes, to be effective under English law it must demonstrate that the signatory intended to be bound by the terms and to authenticate the document. It is the function that matters, not the form of the signature; note, however, that a certified electronic signature is likely to carry greater evidential weight than the signatory simply typing his/her name.

Although the general rule under English law is that a contract does not need to be in a particular form to be binding, some statutes require that, to be enforceable, certain types of contract must be signed (e.g. guarantees, assignment of certain intellectual property rights and transfer of certified shares) or entered into as a deed (e.g. leases, powers of attorney and appointment of trustees).  Is electronic signature sufficient for these, or is the old fashioned pen and paper still required?

(Note also that in some circumstances a document signed by hand might be required for the purposes of registration, for example, registration of the transfer of land with the Land Registry.)

Electronic signature where there is a statutory requirement for signature

English case law and an advisory paper of the Law Commission appear to take the function-over-form approach, suggesting that an electronic signature would be sufficient where there is a statutory requirement for a document to be signed; however, the English government’s approach to legislating in this area means there remains some uncertainty. The UK Electronic Communications Act 2000 gave ministers the power to modify statutory provisions to authorize the use of electronic signatures (amongst other things). The government has taken a piecemeal approach to this, bringing in a number of statutory instruments which apply only in certain situations.

Where there is a statutory requirement under English law for signature, if in doubt as to effectiveness of electronic signature, it remains safest to sign documents in the traditional way.

Electronic signature for deeds

Under English law, a deed must be:

  • in writing;
  • clear that it is intended to be a deed;
  • validly executed; and
  • delivered.

The method often used for execution of deeds is for the parties to print and sign the execution page of a deed by hand and then deliver a PDF copy of the executed deed to the other side electronically. Whilst this method is widely accepted as creating a validly executed deed, there is a lack of certainty around the validity of electronic execution of deeds that does not involve signing a hard copy by hand.

To be validly executed, the signature must be witnessed by an individual who attests the signature as part of the same physical document or, alternatively, in the case of a company, signed by two authorized signatories on (it is considered by some) the same counterpart. It is not yet clear from statute or case law whether under English law deeds can be validly executed electronically and, in any event, parties may face practical difficulties satisfying the attestation requirement or having both authorized signatories sign the same electronic document.

The remaining uncertainty around the validity of execution of deeds electronically as well as the practicalities mean that it remains preferable to execute deeds by hand in the traditional way.


As the range of technology employed by the UK’s leading banks widens, the balance between cost-effectiveness and manageability of solutions becomes increasingly difficult to strike. 

Background

The banking sector in the UK has grown significantly through acquisition and amalgamation. The result is a market dominated by banking groups, which have not yet had the time, finances or inclination to set about harmonising the underlying IT infrastructure of their respective component parts. The table below highlights some of the key retail bank elements of the UK’s major clearing banks, alongside which it is necessary to consider the various additional investment bank, private client, credit card and other major business unit components that sit within the same group.

[Table: key retail bank elements of the UK’s major clearing banks (image not reproduced)]

Some of the legacy systems still used in UK banks are decades old, were set up for batch-based branch banking, and may generally not be fit for purpose in the 24-hour roles that they are now required to fulfil. For a number of reasons, including recent global economic conditions, there has understandably been little appetite on the part of banks to break structures down and build new, holistic systems. Arguably, the ‘cobbling together’ of old parts and the addition of new, has been the cause of a number of high profile failures in customer-facing systems in recent times.

This situation also makes troubleshooting more difficult when things do go wrong: the patchwork of programming languages, hardware and fixes means that the specialisms and system knowledge required of technical staff to address issues are as nebulous as the range of issues to which they are attending.

Third Party Outsourcing

In seeking to remedy this situation and avoid the adverse publicity-generating outages that have made front page news in recent years, one option is to migrate services onto third party systems, including the cloud. The key for banks is in determining what functionality they are good at, or see as ‘core’ – and so still want to manage themselves; and splitting that which can effectively be outsourced to drive efficiency through scalability, cost savings and service improvement.

This decision can be made as part of a wider strategic review: greater automation, broader functionality and better performance can be achieved through a third party outsourcing, but key parts of the estate that give a bank its competitive advantage may be best kept closer to home.

However, there are risks when shifting activities to third parties. The regulator’s own view of what constitutes a ‘material’ outsourcing for a financial institution has also developed as the critical nature of IT services becomes better understood, such that hosting or desktop services that may have been ‘non material’ five or ten years ago may be ‘material’ today. Contractual levers to incentivise performance and ‘punish’ shortcomings are essential, given the application of the Systems and Controls (SYSC) 8 requirements in the FCA Handbook, under which critical or important outsourced functions are still fully the responsibility of the outsourcing financial institution in question.

Some of the key considerations to have in mind are:

  • Data protection – the proposed General Data Protection Regulation may see a substantial increase in potential fine levels for data breaches, and reputational damage can be very serious. As a result, it is common to see unlimited indemnities given by service providers for data breaches.
  • FCA and other regulatory breaches – though, as above, under the SYSC rules banks may not be able to absolve themselves of responsibility, any regulatory fines should be covered on an indemnity basis, where they are incurred as a result of failures by a service provider.
  • Reputational damage – reputational damage can be difficult to establish and quantify, though it is one of the most damaging parts of a service outage, as such incidents seldom fail to make front-page news. As a result, banks should consider a means of benchmarking reputational impact, and using a scale whereby service credits or damages are awarded for negative impacts, and potentially money goes the other way where a bank’s reputation for the service provided tangibly improves.
  • Service continuity – since there is no ‘quiet time’ for banks, continuity of service is one of the most important metrics in a hosting agreement. Continuity requirements should be properly documented in service levels, and audit rights, disaster recovery services, exit assistance and so on should be built around them, to ensure that loss of profits and reputational damage are not incurred as a result of outages.

Transform?

Banks need also to consider transformation of their legacy estate. Since this may involve the elements of the business seen as ‘core’, the risk of such transformation could be perceived as being equally high or higher than the third party outsourcing of the non-core elements, and so transformation will also involve specialist third party input.

A report by Capgemini found that 53% of financial services IT budgets now focus on new application development initiatives, with little left over for a ‘big bang’ transformation of legacy back-end infrastructure onto a more suitable platform. Chronic underinvestment in back-end systems (as a result of squeezed budgets) and a focus on ‘sexier technologies’ such as mobile app functionality, have arguably led to a patching and layering approach and a reluctance to make a large investment for a medium- or long-term gain.

Ultimately, significant cost savings and performance gains may be achieved through transformation. Contracting with a third party, appropriately incentivised to achieve the transformation of existing systems successfully, is a potential option for reducing the cost, risk and time required, and will support a bank in its business mission of operating safely and successfully under the 24/7 demands placed upon it.


Part 2: How are Limits of Liability Evolving, with Respect to the Issue of Data Breaches?

Ten years ago, most “buyers/customers” expected their suppliers to absorb unlimited contractual liability if the supplier was responsible for a breach affecting the customer’s data. Today, while customers may continue to insist upon such a position at the beginning of negotiations, they frequently expect that market-leading suppliers will ask for some sort of limit to the supplier’s potential liability for data breaches.

When customers are forced to negotiate a liability cap applicable to breaches of data (including PII and PHI), they usually insist that such liability cap be an amount greater than the “standard” limit of liability under the Agreement (i.e., greater than the standard financial cap applicable to other contract breaches).

In negotiating what that “higher cap” should be for data breaches, customers should not necessarily tie that higher cap to the total fees (or total annual fees) payable under the Agreement (for example, a liability cap for data breaches equal to 3 times the annual fees under the Agreement), unless those total fees (or total annual fees) will be so large that having a cap equal to a multiple of the contractual fees will provide adequate protection to the customer for a data breach.

Instead, customers should focus on the question of “What is the potential amount of damages that I could suffer, if my supplier’s actions (or inactions) lead to a data breach?” The customer then bases the higher liability cap for data breaches on that potential damage amount. In other words, customers should insist that the higher financial cap for data breaches BE A DISCRETE AMOUNT OF MONEY (such as, for example, $5 million or $10 million or $50 million or $75 million). This should not impact the “standard” limit of liability for other breaches of the agreement, which generally continues to be a multiple of the annual fees (such as 12 months’ trailing fees, or 18 months or 24 months depending on the transaction).

How can a customer determine the potential damage that might be suffered if a data breach occurs? We encourage customers to utilize industry analysis to drive their consideration of their own total potential damages due to a data breach. There are several industry reports that track (a) the average cost of a data breach and (b) the average “cost per record breached” (see, for example, the annual report prepared by the Ponemon Institute on the average cost of data breaches; the most recent version of the report is available for download, by registering at: http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/). Based on this analysis, customers can come up with an informed estimate of how expensive a data breach could be to them.

In considering what the appropriate higher liability cap might be for data breaches, customers should appreciate that large/market leading suppliers that regularly have access to customer data usually have adequate insurance in order to cover potential data breach damages (or they are self-insured for such coverage). This is very important: most large/market leading suppliers are now covered for tens of millions (if not hundreds of millions) of dollars of insurance coverage for data breaches. So, when suppliers are negotiating to limit their liability for data breaches, they frequently are doing so purely from a risk avoidance perspective, and not because they are unable to cover the cost of such damages through insurance. If a supplier responds that it does not have adequate insurance or cannot obtain necessary coverage for data breaches, that is a huge red flag, and the customer should ask itself why it would allow such an under-insured supplier to have access to the customer’s data.

Of course, the final limit of liability applicable to data breaches is subject to negotiation, and in some cases, a supplier may be unwilling to contractually commit to covering the customer’s total potential damage due to a data breach. In such cases, if the customer still wants to execute an agreement with the supplier, the customer should make sure that its own insurance policies contain enough coverage (in terms of insurance policy limits and applicable exclusions) to cover the delta between (i) its total potential damages due to a data breach and (ii) the supplier’s contractual liability cap for data breaches.


Part 1: Contractual Protections With Respect to Data Breaches

Given the seemingly unrelenting news reports of cyber attacks and data breaches affecting customer records and data, the issue of what contractual provisions should govern data breaches in a contract between customers and suppliers remains timely, sticky, and constantly evolving. Below are several observations regarding contractual language and protections with respect to data breaches, where a supplier has access to and/or could cause or allow a customer’s data to be breached.

  • Customers continue to insist upon strict terms and conditions requiring their suppliers to protect the customer’s confidential information, including with respect to the customer’s (i) data (i.e., information stored in equipment and software), (ii) Personally Identifiable Information (PII), and (iii) Protected Health Information (PHI).
  • In some cases, customers are requiring their suppliers to agree contractually to separate security and/or privacy exhibits as part of their Customer Agreement. These generally go above and beyond the general “Confidential Information” terms and conditions, and focus on the specific tools, equipment, software, processes, procedures, encryption, and physical/logical security that must be instituted and complied with by the suppliers. If you are a customer and concerned about how your suppliers treat your data, you may want to consider creating a (or bulking up your existing) standard set of security and/or privacy terms that can be attached to your supplier agreements. These exhibits often are prepared by the Corporate Security, Risk or CIO department, and may be applicable to some deals but not others (for instance, it would not be applicable if the scope of the deal does not involve the supplier having access to the customer’s data). As an aside, these exhibits can also cause problems from a deal negotiation perspective, if they incorporate a “kitchen sink” approach, as negotiation of “one size fits all” security terms can lead to lengthy contracting delays. To speed the negotiation process, consider tailoring such a security and/or privacy exhibit, as appropriate for the scope of your particular deal.
  • Customers frequently require that their suppliers have adequate Error & Omissions (E&O) insurance and Cyber Breach insurance policies, so that the supplier is adequately protected (financially) if the supplier causes a data breach.
  • Additionally, many customers are (themselves) making sure that they have sufficient E&O and Cyber Breach insurance policies to cover damages resulting from data breaches (especially if the customer is not successful in passing the responsibility for that liability to the supplier, or in order to cover potential damages that may be in addition to applicable limits of liability within the customer’s supplier agreements).
  • Customers should insist on indemnification protection, requiring suppliers to indemnify and defend the customer for a breach of the supplier’s obligations with respect to Confidential Information (again, including with respect to data, PII and PHI).
  • There is increasing focus on defining, within supplier agreements, the types of damages that are reimbursable by the supplier as “direct damages”, to the extent resulting from a data breach. For example, potential costs might include: (i) the notification costs/letters to affected customers informing them of the data breach; (ii) establishment of a call center/1-800 number to provide information to affected customers; (iii) costs for credit monitoring services; (iv) costs of identity restoration services or fraud resolution services; (v) costs of identity theft insurance provided for the benefit of affected customers; (vi) reimbursement for credit freezes; and (vii) fees/expenses associated with investigating and responding to a data breach.
  • Where a supplier has access to a customer’s data, there are frequently hard-fought negotiations regarding the total amount of damages that the supplier is willing to absorb, if the supplier is the cause of a data breach. We will discuss this further in Part 2 of this Post.


There is no shortage of commentary on why mergers and acquisitions fail or do not live up to their projected potential. The percentage of failed or underachieving deals is astounding, with some placing the failure rate over eighty percent. The reasons for this dismal outlook range from ill-advised strategic vision, misaligned expectations and poor execution to cultural clashes, fumbled integration, and (some would say) misguided management objectives.

Over the past decade I’ve observed another factor that contributes to these suboptimal results: poorly planned, constructed and executed transition services, especially in connection with divestitures and carve-outs. The factors contributing to deficient transition service arrangements fall into two general categories: (1) a flawed perspective on the importance of transition services; and (2) errant development and execution of the transition service regime.
Let’s explore each of these factors both in terms of how they arise and how they can be avoided, focusing first on what I refer to as the flawed perspective.

I can sum up the misconception about the importance of transition services in two statements:

  1. These are short term arrangements of less importance: Since transition services are only temporary (and hopefully very short in duration), they really are of less importance. Our focus is really on the long term success of the business.
  2. They pretty much relate to the back-office (and we need to focus on our customers and revenue drivers): Transition services mostly involve back-office operations, which don’t drive valuations or contribute to the bottom line. We need to focus on revenue growth and our customers.

While at first glance these statements seem reasonable, they in fact underlie a host of conceptual shortfalls that drive behaviors which, at best, dilute the effectiveness of the post-closing enterprise and, in the worst case, result in unmitigated risks that can result in lost business, reduced revenues, or unanticipated liabilities.

With regard to the “short term” mindset, while these services generally are in place only for an interim period, they serve as a bridge to the broader (and longer term) integration of enterprise operations (both back office and front line). The thought that “we can fix things later” after the closing dust settles is a misstep that can lead to day-one business continuity issues (like interruptions in employee access to key systems), inefficiencies (like additional license costs for unaccounted-for but needed software), and employee dissatisfaction that can tug at the cultural fabric of the company. Not surprisingly, issues of this nature can (and often do) impact the customer and potentially the bottom line. This leads to my second point.

That is, what happens when the run-of-the-mill business operations you’ve come to take for granted don’t work (or are degraded or interrupted)? Setting aside the consternation of your own people, in some cases this can have a direct impact on your customers and hence your revenues. In the heat of deal negotiations, these subjects are often relegated to the back burner as they are viewed as lower priorities and are not “sexy” in the minds of the deal team. In an interview I conducted a few years ago at an M&A event with Argyle Executive Forum, the following exchange brought to light the hazards of this mindset:

In the context of overlooking the back-office (and the resulting inadvertent business interruptions), I posed a question along the following lines:

“…if all of a sudden we’re having problems with the network and we can’t email or data centers are having down time and someone in the field on the sales force can’t get their tablet to record a sale, that’s going to have a direct impact on business. Have you experienced that at all?”

The response was telling:

“We acquired a business in the U.S. and shame on us but we didn’t put enough emphasis on the back office and it was certainly a learning process. On day one, the sales reps are going, ‘Where are my reports?’ And we ended up sending them paper copies until we got our act together. Shame on us, but I’m sure we’re not alone. It was a detail that was overlooked, because it’s not, as you said before, the ‘sexy’ part of the deal. But it gets real sexy when your customer says, ‘You mean to tell me you didn’t think about this?’”

The Right Perspective – The Value Imperative

Perhaps the best way to approach a transition services effort is to focus on what I’ll call the value imperative for these services. From my perspective, the transitional aspects of a merger, acquisition, spin-off or divestiture must help achieve the following:

  • Ensuring a Competitive Edge & Risk Avoidance – In the new economy (characterized by rapid change, innovation being seen more like “table stakes” than a differentiator, technology-driven efficiency gains, increasing cyber/security risks and globalized competition), the transition services must position the post-closing enterprise to be even more competitive while at the same time appropriately protecting against business continuity risk;
  • Preserving Valuations – The transition services and related terms must at least preserve (and potentially enhance) valuations; and
  • Exploiting the Mission – The transition service regime must enable each impacted enterprise to better exploit the target synergies that drove the transaction in the first place.

Put another way, whether market-driven, opportunistic or as part of a broader strategy, what management (and the shareholders) really care about is exploiting the intended synergies to drive value. If there are transition services, they should be aligned with these objectives.

In the second installment on this topic, I will focus on the perils of poor planning, inadequate diligence and incomplete execution in transition service arrangements, and how these perils can be avoided through a disciplined and efficient process leveraging the right terms, tools and templates.



News of Alibaba’s cloud investment and a recent software park tour indicate that China’s IT services industry is evolving in its own way.

Alibaba Invades Silicon Valley
The “Amazon of China” is following Amazon’s playbook yet again with their investment in the cloud. Aliyun, Alibaba’s technology arm, already operates five Chinese data centers supporting 1.4 million customers. They cite high performance specs, such as the ability to process 80,000 orders per second during peak shopping season, and a successful defense against the largest recorded DDoS attack in China, which lasted 14 hours with a peak onslaught of 453.8 gigabytes per second.
Even with this performance, competing on Amazon’s home turf will be no small task. Aliyun will initially pursue the growing number of US-bound Chinese companies. “We know well what Chinese clients need,” explains Sicheng Yu, Aliyun’s head of international; “now it’s time for us to learn what U.S. clients need.”

A Recent IT Industry Tour in Beijing
Nope, China is still not “the next India.”
In spite of the hype that surfaces every few years, China is not becoming “the next India.” India’s unique path cannot be replicated. Yet, a recent tour of Beijing’s Zhongguancun Software Park, where many new large buildings are bustling with bright-eyed, Starbucks-fuelled youth, reveals that something is going on in China.

A few buildings housed familiar foreign brands (Oracle, IBM and Tata are there), though many belong to large Chinese IT service providers such as Neusoft, Pactera, and Beyondsoft.

If China is not the next India, what are all of these young workers doing?

  • Asian Roots; Global Ambition – The vast majority of China’s IT outsourcing companies still serve Chinese, Japanese, and other East Asian customers – not insignificant markets. However, Chinese firms are expanding globally (1) by servicing Chinese branches of large multinational firms, and (2) by following existing Chinese customers abroad, as Aliyun is doing in the cloud space. The real value of these engagements is in providing a toehold for even deeper expansion.
  • Narrow Industry & Technology Focus – Chinese IT service providers tend to have deep technical strengths in narrow areas, often related to their legacy. For example, Aliyun was built to support Alibaba’s online marketplace. As a result, Chinese firms may be most competitive when servicing discrete projects or components, rather than acting in a broader role as, for example, an IT Service Management (ITSM) provider.
  • Leveraging Hardware & Manufacturing Enterprise – China’s manufacturing dominance has been successfully leveraged by some firms to create software and IT service offerings. For example, Neusoft, China’s largest IT service provider, developed an expertise in telemedicine and medical imaging, in part through their role in producing both hardware and software for MRIs. They also opened a Detroit office in 2013 to focus on integrated automotive software.

While Chinese IT service providers cannot yet compete with the largest one-stop global IT shops, for an increasing range of geographies, industries, and service categories, they are providing unique value.



This is the second of two postings that outline key pricing protections you should consider negotiating with licensors of ERP software to provide flexibility and predictability in managing the ongoing license and maintenance costs associated with the software.  In the earlier posting, we discussed future option discounts, exchange rights, and maintenance locks and caps.  In this posting, we focus on shelving and termination rights, acquisitions and divestitures, and successor products.

Shelving / Termination Rights

Shelving and termination rights provide the ability to reduce annual maintenance spend on unused licenses by either “putting them on the shelf” until needed or terminating unneeded licenses altogether.  There are three basic approaches to shelving and termination rights.  In descending order of desirability, they are:

  • Shelving – which allows you to shelve and later reinstate licenses subject to paying a reinstatement fee (typically based on the maintenance fees that would have been payable on the shelved licenses during the shelving period);
  • Termination – which allows you to terminate unneeded licenses to reduce maintenance fees, but does not allow reinstatement of the licenses (i.e., you would need to purchase replacement licenses if you later have a need for them); and
  • Termination Tied to New Buys – which allows you to terminate unneeded licenses only to offset maintenance fees on a contemporaneous new purchase of additional software from the licensor.

Licensors often strongly resist shelving rights and they can be difficult to obtain in the absence of considerable negotiating leverage.  As a result, termination rights may be the only viable option on some transactions.

Some licensors take the position that termination is an all-or-nothing proposition; that is, the client must terminate every license to every licensed product in order to terminate even a single licensed unit of a product.  This is an outrageous position, particularly given the broad scope of products and functionality in ERP software.  At a minimum, you should push hard for the right to terminate either individual licenses or logical groupings of licenses without having to terminate all other licenses.

Acquisitions & Divestitures

Once implemented, you can expect to use ERP software for many years.  During this period, there is a good chance that you may acquire another company or sell off one of your business units.

  • Acquisitions – To address future acquisitions, you should make sure that the license covers all existing and future affiliates of the legal entity that executes the license agreement.
  • Divestitures – To address divestitures, the license agreement should permit you to use the software to provide transition services to a divested business unit at no additional license or maintenance fees (other than fees associated with increased usage of the products). The transition period should extend for a minimum of 12 months and desirably longer.

Successor Products

From time to time, licensors will discontinue products and incorporate functionality from the discontinued products into new products.  This forces you to either migrate to the licensor’s successor product or look for an alternative in the market.  Given the cost and criticality of ERP software, you should negotiate the right to obtain successor products without additional license or maintenance fees when they are released by the licensor (and in any event at such time as the licensor announces it will cease to provide mainstream maintenance on the product).  Licensors will often condition this right on your not using any new functionality of the successor product.  However, the design of the successor product may make it impossible to avoid using new functionality, and there should be an exception that permits your use of new functionality to the extent it cannot reasonably be avoided.

Posted

The licensing and implementation of ERP software is a major long-term investment for any company.  In addition to negotiating favorable upfront pricing for the software, it is important to build in pricing mechanisms that provide flexibility and predictability in managing the ongoing license and maintenance costs associated with the software.  This is the first of two postings that outline key pricing protections that you should consider negotiating with licensors of ERP software.

Future Option Discount

A future option discount provides a right to purchase additional software licenses at a specified price or at a specified discount off the licensor’s then current list price.  This right has a number of benefits:

  • It provides predictability in licensing costs due to business growth and assures that the licensor cannot take advantage of you on future purchases when you may have little or no leverage in negotiating price.
  • It may enable you to reduce the initial buy, thereby lowering maintenance costs during the period in which the software is being implemented. However, you need to strike the right balance here. Reducing the size of the initial buy may impact the discount level the licensor is willing to offer. As a result, you should seek to achieve the optimal balance between (1) high discount levels on the initial buy, and (2) savings on maintenance fees by deferring purchases until licenses are needed.

In negotiating future options discounts, you should seek the following:

  • The option discount should be the same as, or very close to, the discount level of the initial buy.
  • The option period should be at least 3 years and desirably longer given the long-term nature of the investment in ERP software.
  • The option should apply both to the license of (1) additional units of previously licensed software and (2) existing and future software products of the licensor that are not part of the initial buy.

Exchange Rights

The initial buy of ERP software is usually based on a forecast of current and future demand for the relevant license metrics (e.g., named users, cores, annual revenue, etc.).  However, demand forecasts rarely prove to be 100% accurate.  Exchange rights provide the ability to swap licenses for which you have purchased too many units for licenses for which you have purchased too few units.

In negotiating exchange rights, you should seek the following:

  • The ability to exercise exchanges across as many licensed products as possible.
  • The ability to exercise exchange rights at least annually and desirably on a more frequent basis (e.g., quarterly).
  • A period of at least 3 years and desirably longer in which to exercise exchange rights.

Maintenance Locks & Caps

  • Maintenance – the “gift that keeps on giving” for licensors – is a significant cost in software licensing. For example, if maintenance fees are set at 22% of net license fees (which is the current standard among major licensors of ERP software), you are effectively paying the cost of a new license about every 4.5 years in the form of maintenance fees. The licensor should be willing to commit to a multi-year period – desirably at least 4-6 years – in which annual maintenance fees may not be increased and thereafter to some form of cap or limitation on subsequent annual increases, such as capped annual inflation adjustments.

In our next posting, we will focus on shelving and termination rights, acquisitions and divestitures, and successor products.

Posted

Innovation is prized in the growing space of the Internet of Things.  But an innovative product design is not enough, and potential pitfalls abound.  As demonstrated in a report published by the Federal Trade Commission, privacy and security need to be at the forefront of developers’ minds.  Here are five lessons on what not to do when developing a connected product.

The Internet of Things (“IoT”) is an expanding ecosystem of everyday objects that are embedded with technology, allowing them to connect, communicate, and transfer information about users and their surroundings to each other.  IoT products boast beneficial effects such as increasing economic productivity and efficiency, encouraging robust innovation, and tailoring user experiences.  However, by virtue of being connected to the Internet, IoT products also carry privacy and security risks.  On January 27, 2015, the Federal Trade Commission (“FTC”) published a report focusing on privacy and security concerns for IoT devices sold to consumers.

Given the growing interest in how embedded computing advancements affect security and privacy issues, this Alert identifies what developers, investors, and entrepreneurs should avoid when entering the IoT market.

1. Ignoring Washington, Sacramento, and the European Union.

Much has been written about how privacy and security laws are outdated and have not been able to keep pace with rapidly changing technology.  While legislatures may not have succeeded in updating statutes, regulators are laser-focused on privacy and security.  Ignoring the federal, state, and international efforts to deal with these issues would be a mistake.

Indeed, the FTC has made embedded computing a top focus.  In January, the FTC issued a report, Internet of Things:  Privacy & Security in a Connected World, that recommended steps businesses should take to enhance and protect consumers’ privacy and security (FTC, INTERNET OF THINGS: PRIVACY & SECURITY IN A CONNECTED WORLD, January 27, 2015).  While the report is not formal legislation, it serves as a warning to IoT developers about the expectations of the FTC in this space.  The report offers recommendations regarding data security, data minimization, privacy notices, and consumer choice regarding collection of users’ data.  The FTC also recommends that data security legislation be enacted by Congress.

Even without IoT-specific legislation, developers should understand how technology-neutral laws are being enforced in the IoT context.  The FTC, for instance, has used its general consumer protection enforcement powers under the FTC Act, 15 U.S.C. § 45(a), regarding “unfair or deceptive acts or practices” to prosecute privacy and security violations.  Last year, in its first action against a marketer of IoT products, the FTC approved a final order settling charges that TRENDnet engaged in lax practices that failed to prevent unauthorized access to sensitive consumer information, namely video and audio feeds from its home security cameras (Press Release, FTC, FTC Approves Final Order Settling Charges Against TRENDNet, Inc., February 7, 2014).  Failure to comply with the FTC report’s recommendations could result in FTC enforcement activity.  FTC Commissioner Brill has also encouraged state attorneys general to monitor the IoT industry and to bring actions for privacy and security breaches under general state laws that may apply (Julie Brill, FTC Commissioner, Remarks at Conference of Western Attorneys General, July 21, 2014).

While the IoT industry is in its early stages and IoT-specific legislation has not materialized, stakeholders in IoT devices should also keep abreast of developments in general data security and privacy legislation.  Certain states like California have taken active roles in the privacy sphere and have passed sweeping privacy legislation that can impact IoT devices.  Consumer class action plaintiffs and their attorneys are clearly paying attention to these developments, as evidenced by the onslaught of cases being filed.  Additionally, companies cannot forget that the federal government is increasingly requiring information technology devices and systems to have high levels of security before they will be bought by the government.  Federal procurement policy is rapidly changing to integrate security into contractual obligations, so companies that fail to have adequate security may see their government contract opportunities limited or even eliminated.

To the extent the IoT device is marketed internationally or if it is intended for travel, developers should also be familiar with privacy and data security regulation in other countries in which they are operating and where the IoT device is likely to be used.  The European Union, for instance, has very restrictive privacy laws and, under new amendments, Member State regulators have the ability to issue fines up to 5% of global revenues.

2. Treating security as an afterthought.

It may be tempting to add security features to a device at the final stages of development so as not to hinder ingenuity or innovation in the early stages.  This approach, however, may allow for more security vulnerabilities to slip through the cracks than if security were considered at every stage of the design cycle.  Developers should consider security issues from the very beginning of product development–in other words, IoT “security by design.”  IoT stakeholders would also benefit from acknowledging the risk of a data breach or use of the IoT device to conduct a cyber-attack inherent in a connected product and proactively developing an action plan in the event of a data breach or cyber-attack.

In the TRENDnet case mentioned above, the FTC alleged that faulty software for home security cameras left the live feed from the cameras open to online viewing by anyone with the camera’s Internet address (FTC Press Release, supra note 2). When, according to the complaint, a hacker exploited this flaw and posted links to the live feeds to certain cameras (including babies asleep in their cribs and young children playing), it appears that the company did not have a way to repair the security flaw without forcing users to visit the website and download a software patch (Id).

Stakeholders should think about these security issues from the start:

  • How can the company integrate security measures into the product as a way of enhancing the user experience?
  • Has the company completed a privacy or security risk assessment?
  • How will IoT devices be monitored for security vulnerabilities when they are out-of-date and new products are released?
  • Does the company have a system in place to receive information about security flaws?
  • How will software patches be released to users?
  • What is the procedure for handling a data breach and how will customers be notified?

3. Overlooking internal security risks.

While a “security by design” approach to developing an IoT product is essential, it is not foolproof.  Developers need to think about security threats not just by hackers, but by their own employees and vendors. As the FTC report explains, companies must ensure that “personnel practices promote good security” and that “product security is addressed at the appropriate level of responsibility within the organization” (FTC, INTERNET OF THINGS, supra note 1, at 29).  In addition, companies should consider the security practices of their contractors and vendors.

Companies that handle data derived from IoT devices should consider the following issues about who has the data:

  • Who needs access to user data? Are there ways that access can be limited?
  • Are there clear policies in place regarding employees’ handling of user data? Do those policies have buy-in from all of the important stakeholders?
  • Is the company providing reasonable oversight of employees’ handling of user data?
  • Has the company considered the data security policies of contractors and vendors?

4. Collecting as much data as possible, even when you don’t need it.

Data collection is a powerful tool for analyzing behavior, developing innovative products, and providing valuable insights to users.  Collecting and retaining large amounts of consumer data, however, can present a more attractive target for data thieves.  When a large variety of data is collected, it also increases the risk that some of the data that is collected will be used in ways contrary to consumers’ expectations.

While data minimization in the IoT context is challenging because a new use for data may be just around the corner, the FTC has encouraged companies to have data practices and policies that impose reasonable limits on consumer data collection and retention in light of that company’s business needs.  One option to reduce privacy concerns is to immediately de-identify the collected data so as to minimize harm if there is a data breach.

Developers should consider:

  • Are the types of data being collected needed at this particular stage of design or implementation?
  • Is de-identifying the data an option? Is there a legal obligation to de-identify consumer data?
  • How long does the company need to keep the data to accomplish its objectives? When should the data be deleted?
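To make the three questions above concrete, here is an added Python example (it is not code from the Client Alert, the FTC report, or any company discussed here) of what a developer can do at the point of ingest: keep only the fields the use case needs, replace the device identifier with a keyed pseudonym, and purge records older than a retention window. The thermostat records, the field list, the key, and the 90-day window are all constructed assumptions for illustration.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample telemetry from a hypothetical connected thermostat.
# The raw records carry more than the analytics use case needs.
SAMPLE_RECORDS = [
    {"device_id": "THERM-0001", "owner_email": "alice@example.com",
     "home_address": "1 Example St", "temp_c": 21.5, "ts": "2015-05-01T10:00:00Z"},
    {"device_id": "THERM-0002", "owner_email": "bob@example.com",
     "home_address": "2 Example Ave", "temp_c": 19.0, "ts": "2015-01-03T08:30:00Z"},
]

# Fields the (assumed) temperature-analytics use case actually needs.
# Everything else is dropped before the record is stored anywhere.
NEEDED_FIELDS = {"device_id", "temp_c", "ts"}

# Assumed retention window for the analytics store.
RETENTION = timedelta(days=90)


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2015-05-01T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    The raw identifier is never stored with the telemetry; the key lives in a
    separate system, and destroying it makes linking records back to a device
    infeasible. A plain unkeyed hash would not give that property, because a
    short identifier space can simply be enumerated.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_record(record: dict, key: bytes) -> dict:
    """Keep only needed fields and pseudonymize the device identifier."""
    kept = {k: v for k, v in record.items() if k in NEEDED_FIELDS}
    kept["device_id"] = pseudonymize(kept["device_id"], key)
    return kept


def purge_expired(records: list, now_iso: str) -> list:
    """Drop records whose timestamp is older than the retention window."""
    cutoff = _parse_ts(now_iso) - RETENTION
    return [r for r in records if _parse_ts(r["ts"]) >= cutoff]


def process(records: list, key: bytes, now_iso: str) -> list:
    """Ingest pipeline: minimize every record, then enforce retention."""
    return purge_expired([minimize_record(r, key) for r in records], now_iso)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: normally from a secrets store
    print(json.dumps(process(SAMPLE_RECORDS, demo_key, "2015-05-15T00:00:00Z"), indent=2))
```

Run against the constructed input on 15 May 2015, the second record falls outside the 90-day window and is discarded, and the surviving record contains no e-mail address or home address, only a pseudonymous device identifier, a temperature, and a timestamp. The point for the "how long do we need it" question is that the purge runs on every ingest rather than as an afterthought.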

5. Believing that what users don’t know won’t hurt them.

The IoT presents many challenges to traditional consumer protection methods of notice and choice.  For certain data collection that is consistent with the consumer’s expectations, providing choices for every instance of data collection may be overly burdensome to the consumer and not necessary to protect privacy.  However, where the data being collected is sensitive in nature or beyond what a user might expect to be collected, developers should consider methods to provide users with notice and choice regarding data collection.  The provision of notice to consumers about what data is being collected and with whom it is being shared is governed by a labyrinth of privacy regulations.

As to providing notice and choice to users, developers should consider:

  • Is data collection limited to data consistent with the context of the consumer-device interaction?
  • Are the company’s privacy policies and terms and conditions of use customized, up to date, prominent and written in a way that is understandable to consumers? Has the company resisted the urge to cut and paste “boilerplate” policies used by others in the space?
  • When and how are notifications regarding collection of data provided?
  • In what situations will the company request users’ express consent before their sensitive data is collected?
  • What options will users be given to control privacy settings?

****

If you want to avoid these pitfalls, start asking critical questions about the security and privacy implications of your IoT device from inception through implementation.

For more information, please read our Client Alert.