Technology Decisions - Mid


The Choices We Make As CIOs That Matter!
Legal and Other Risk Considerations
Michele L. Cohen, Esquire| Mid-Atlantic CIO Forum|111/20/2014

Overview
• CIO decisions may have significant legal, financial, and operational ramifications, in addition to technical ramifications.
• Understanding the interplay between these competing tensions enhances the value that you bring to the transaction.

Technology Decisions
Technology decisions should contemplate the purpose of the technology, your company’s current and future contract needs, and the different provider options.

Discussion Outline
Due Diligence Questions for Consideration:
• Preliminary Questions
• To Cloud or Not to Cloud
• The Contract
• Post-Contract Concerns

Due Diligence – Why this Technology?
• Why are we acquiring the technology and what are we using it for?
  ◦ How does this technology integrate into the core business and existing IT system?
  ◦ Who will use the technology?
  ◦ What is the expected life cycle?

Due Diligence – Life Cycle
• What is the anticipated “lifecycle” of the technology?
  ◦ How long do I need this to meet my company’s needs?
  ◦ Are there corporate changes on the horizon that necessitate flexibility in scope and use?

Due Diligence – Impact on Resources
• How does this acquisition impact current and anticipated resources?
  ◦ Personnel
  ◦ Infrastructure
  ◦ Other technology

Due Diligence
What are my provider options?
• Competition cannot be based only on price.
  ◦ Reputation
  ◦ Service commitments
  ◦ Flexibility in partnerships/SAP integration

Due Diligence – SAP Considerations
SAP Considerations
• Who is the primary provider?
  ◦ Who are my potential secondary partners?
• Integration
• Cooperation

Due Diligence – Planning for Company Change
Corporate change may be positive or negative but must be faced.
• Current Expectations
  ◦ Single entity vs. enterprise needs
• Anticipated Growth
• Possible Downturn/Divestitures
• Outright Sale (or purchase) of Company

Due Diligence – Company Sale/Purchase
Impact on the IT contract and provider relationship.
• Sale (or Purchase) Due Diligence
  ◦ The review process and team
  ◦ The data room/information requests
  ◦ Reps and warranties/Indemnity issues
  ◦ Contract barriers to the deal

The Cloud – Making the Case for (and Against) the Cloud
• General Benefits and Risks
  ◦ Costs – hard and soft
  ◦ Overhead
  ◦ Nature of Information Maintained
• Cloud Service Models
• Deployment Models
• Provider Consideration

The Cloud – Information Maintained
Criticality and Sensitivity Concerns
• What is captured in the Cloud?
  ◦ Confidentiality and Privacy Concerns
  ◦ Legal requirements unique to corporate operations
  ◦ Criticality of services and information to the Corporation
• Who controls the data security plan and breach response?

The Cloud – Data Breach
• While discussed in the context of the cloud, data breach can also impact local data storage (including physical storage)
• No comprehensive federal law or response overlay
• Currently 47 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands require consumer notification when there is a security breach involving personal information.
  ◦ Only Alabama, New Mexico, and South Dakota do not have statutes covering the issue.

The Cloud – Data Breach
Notable federal laws governing consumer data:
• Federal Trade Commission Act: bars “unfair” and “deceptive” acts and practices.
• Gramm-Leach-Bliley Act: requires financial institutions to inform customers of their information sharing practices and to safeguard sensitive data.
• Health Insurance Portability and Accountability Act: relates to collection, use, storage of health-related information.
• Children’s Online Privacy Protection Act: provides additional protections with respect to collection of personal information of minors.
• Electronic Communications Privacy Act: protects wire, oral, and electronic communications while in transit, and prohibits use of pen register or trace devices without a court order.

The Cloud – Data Breach
Maryland Law
• Covers any entity maintaining personal information (PI) of Maryland residents
  ◦ PI includes SSN, Driver’s License, Account Numbers (ex. credit card) with PIN, TIN
• Includes notification obligations where personal information is acquired without authorization and is used for inappropriate purposes.
  ◦ Statute includes various notice requirements.
  ◦ Exceptions where acquisition is for appropriate business purposes or where the company determines (in good faith) that the information taken will not be misused.

The Cloud – Data Breach
Maryland Law
• Additional requirements regarding regulatory notice and record retention.
• Companies may be exempt from the Maryland law if they are subject to and/or otherwise comply with applicable federal law requirements.

The Cloud – Data Breach
Protection Against Risk:
• Company-wide plan
  ◦ Proactive Planning and Planning for the Response
• The contract
  ◦ Know your contracting partner
Insurance:
• GL policies may now exclude cyber/data breach claims
• Separate Cyber coverage

Contract Considerations - Structure
• Technology covered
  ◦ Services
  ◦ Tangible Items
  ◦ Custom Deliverables
• Nature of the provider relationship
  ◦ Master Agreement or Single Purpose Transaction
• Nature of the Contract
  ◦ Subscription, License, Consulting Services, Combination

Contract Considerations - Term
• Length of the relationship
  ◦ Initial and Extension Needs
  ◦ Evergreen Term
• Early Termination Options
  ◦ Convenience
  ◦ Breach
  ◦ Tension between provider concessions and length of term.
• Transition Needs

Contract Considerations - Pricing
• Options for Favorable Pricing
  ◦ Discounts
  ◦ Fixed rates
  ◦ Caps
  ◦ MFN
• Changes in scope and volume of use
• Payment Terms
  ◦ Timing
  ◦ Dispute Rights

Contract Considerations – Ownership/Use Rights
• Who Owns What
  ◦ Ownership vs. license/use rights
• Deliverables – custom and non-custom
• Rights Following Expiration/Termination
• Transferability

Contract Considerations – Warranties; Service Commitments
• Quality over Quantity
• Address remedies meaningful to you – these may include:
  ◦ Performance
  ◦ Legal compliance; Right to contract
  ◦ Ownership
  ◦ Security
• SLAs

Contract Considerations – Security and Data Protection
• Security includes physical, network and provider personnel protocols
• You also have responsibility for security

Contract Considerations – Risk Protection
• Proactive
  ◦ Audit rights
  ◦ Escrow
  ◦ Insolvency
  ◦ Insurance
• Responsive
  ◦ Indemnities
  ◦ Scope of liability

Contract Considerations – Other Considerations
• Provider knowledge of and commitment to legal compliance requirements
• Choice of Law and Venue
• Transferability of Contract
• “Ancillary Documents” and Priority

Firm Overview
Miles & Stockbridge P.C. is a full-service law firm
that represents businesses of various sizes, and has regional,
national and international capabilities. Our team of more
than 200 lawyers is widely recognized for its work in
the manufacturing, distribution, life sciences and real estate
industries. We take pride in our forward-thinking approach
and dedication to serving the best interests of our clients.
Michele L. Cohen
410-385-3449
Miles & Stockbridge P.C.
100 Light Street
Baltimore, MD 21202
Visit us on the web:
www.milesstockbridge.com
Follow us on Twitter:
@mstockbridgelaw