A Guide to IT Contracting:

Checklists, Tools and Techniques

By

Michael R. Overly

Matthew A. Karlyn

Companion CD

4812-1128-2702.1
 Chapter 1: Non-Disclosure Agreements

Checklist

FORM AND TYPE OF AGREEMENT o Other exceptions

 Company’s form or vendor’s form  Procedure for disclosure for
 Unilateral (one-way) NDA subpoena/court order
 Mutual (two-way) NDA  Opportunity to obtain injunctive relief
 Notification of potential or actual breach
DEFINITIONS  No obligation to disclose
 Precise purpose for NDA  No ownership transfer
 Definition of “Confidential Information”  No removal of proprietary notices
 Protection of intellectual property
GENERAL REQUIREMENTS  Term
 Marking requirements o IP
 Obligation to return and/or destroy o PII
 Obligations of confidentiality o Other protection beyond term
o Reasonable Care  Information handling requirements
o Consistent with internal practices  Encryption/other protection for highly
 Internal disclosure of information sensitive information
o Employees  Residual knowledge
o Agents
o Subcontractors TECHNIQUES
o Others  Avoid use of NDA as final/ongoing
 Exceptions to confidentiality agreement
o No fault or wrongdoing of receiving  Avoid commencement of services before
party definitive agreement
o Received from third party  Receipt of competitor’s information
o Independently developed

4812-1128-2702.1
 Chapter 2: Professional Services Agreements

Checklist

PRELIMINARY CONSIDERATIONS o Intellectual property infringement

 Due diligence process o Violation of applicable laws
 Form of Professional Services Agreement o Personal injury and property damage
o Breach of confidentiality
GENERAL REQUIREMENTS o Procedures to permit supplier control
 Term – open ended or limited of claim
 Termination provisions o No settlement without customer
o Material breach of agreement consent
o Insolvency / cessation of business o Exclusion from limitation of liability
o For cause  Limitation of liability
 Acceptance testing o Mutual
o Procedures o Exclude indemnity obligations
o Criteria o Exclude gross negligence and willful
o Remedies at no cost misconduct
o Timeframe for failures to correct o Exclude confidentiality and data
o Payment of fees linked to milestones security breaches
and testing completion o Tie cap to all fees paid under
 Personnel requirements agreement
o Minimum skill requirements  Intellectual property ownership
o Interview process o License to use pre-existing materials
o Naming of key personnel o Who owns IP developed under the
o Replacement procedures; no charge agreement
for overlap and ramp-up o If supplier owns, restrictions on use
o Efforts to ensure consistency of (competitors)
personnel o Identification of third party IP and
o Turnover penalties fees associated with third party IP
o Supplier has sole responsibility for  Change order process
personnel  Confidentiality and information security
 Use and identification of subcontractors o Simple provision (basic information)
 Warranties o Detailed provision (sensitive
o Material compliance of services information)
o Compliance with applicable laws o Information security requirements
o Workmanlike manner depending on nature of data
o Timeliness  Force majeure
o Disabling devices o Ensure proper scope
o No IP owned by third parties o Avoid over broad provisions to
o Compliance with data security and include staffing problems,
privacy laws unavailability of materials and
 Indemnification failure of third parties

4812-1128-2702.1
 o Right to terminate
o No payment for services not
rendered
 Non-solicitation of supplier’s employees
 Insurance tailored to customer’s
requirements
 Fees and costs
o All fees expressed in contract, SOW
or change order
o Payment schedule for all fees
o Fixed fee vs. time and materials
o Overall cap for time and materials
projects
o Ensure estimates are accurate
o Specify percent over estimate to be
paid by supplier
o Specify percent over estimate to be
share by both parties
o Rate card for future services
o Allocation of taxes (customer pays
only for tax on services received)
4812-1128-2702.1
o Payment of fees tied to performance
o Holdback if payment based on
passage of time
o Travel and expenses tied to
customer’s policies
o Financial audit rights
RELATIONSHIP TO OTHER AGREEMENTS
 All contract terms in a single agreement
 If multiple agreements, ensure termination
rights across agreements
 Acceptance testing of services linked to
acceptance testing of related software and
hardware
 Limitation of liability caps account for
fees paid across agreements
 Chapter 3: Statements of Work

Checklist

PRELIMINARY CONSIDERATIONS o Intellectual property infringement

 Due diligence process o Violation of applicable laws
 Form of Professional Services Agreement o Personal injury and property damage
o Breach of confidentiality
GENERAL REQUIREMENTS o Procedures to permit supplier control
 Term – open ended or limited of claim
 Termination provisions o No settlement without customer
o Material breach of agreement consent
o Insolvency / cessation of business o Exclusion from limitation of liability
o For cause  Limitation of liability
 Acceptance testing o Mutual
o Procedures o Exclude indemnity obligations
o Criteria o Exclude gross negligence and willful
o Remedies at no cost misconduct
o Timeframe for failures to correct o Exclude confidentiality and data
o Payment of fees linked to milestones security breaches
and testing completion o Tie cap to all fees paid under
 Personnel requirements agreement
o Minimum skill requirements  Intellectual property ownership
o Interview process o License to use pre-existing materials
o Naming of key personnel o Who owns IP developed under the
o Replacement procedures; no charge agreement
for overlap and ramp-up o If supplier owns, restrictions on use
o Efforts to ensure consistency of (competitors)
personnel o Identification of third party IP and
o Turnover penalties fees associated with third party IP
o Supplier has sole responsibility for  Change order process
personnel  Confidentiality and information security
 Use and identification of subcontractors o Simple provision (basic information)
 Warranties o Detailed provision (sensitive
o Material compliance of services information)
o Compliance with applicable laws o Information security requirements
o Workmanlike manner depending on nature of data
o Timeliness  Force majeure
o Disabling devices o Ensure proper scope
o No IP owned by third parties o Avoid over broad provisions to
o Compliance with data security and include staffing problems,
privacy laws unavailability of materials and
 Indemnification failure of third parties

4812-1128-2702.1
 o Right to terminate
o No payment for services not
rendered
 Non-solicitation of supplier’s employees
 Insurance tailored to customer’s
requirements
 Fees and costs
o All fees expressed in contract, SOW
or change order
o Payment schedule for all fees
o Fixed fee vs. time and materials
o Overall cap for time and materials
projects
o Ensure estimates are accurate
o Specify percent over estimate to be
paid by supplier
o Specify percent over estimate to be
shared by both parties
o Rate card for future services
o Allocation of taxes (customer pays
only for tax on services received)
4812-1128-2702.1
o Payment of fees tied to performance
o Holdback if payment based on
passage of time
o Travel and expenses tied to
customer’s policies
o Financial audit rights
RELATIONSHIP TO OTHER AGREEMENTS
 All contract terms in a single agreement
 If multiple agreements, ensure termination
rights across agreements
 Acceptance testing of services linked to
acceptance testing of related software and
hardware
Limitation of liability caps account for fees
paid across agreements
 Chapter 4: Idea Submission Agreements

Checklist

UNDERSTANDING RISK OF SUBMISSIONS

 Determine whether you collect
“submissions”
 Implement an Idea Submission Agreement
 Determine if purchase or license
agreement is required
 No compensation for submissions (unless
provided in an agreement)
 No confidentiality of submissions (except
under an NDA or as required by an Idea
Submission Agreement)
 No submission of ideas without Idea
Submission Agreement (e.g. via email)

KEY PROVISIONS OF IDEA SUBMISSION

AGREEMENT
 Simple agreement or “full blown”
agreement
 No compensation
 No confidential treatment
 Writing requirement
 Demonstration of IP rights
 No obligation to return
 No obligation to provide any confidential
information to the other party
 Ability to contest IP rights in submissions

REVERSE SUBMISSIONS
 Avoid broad feedback provisions

4812-1128-2702.1
 Chapter 5: Cloud Computing Agreements

Checklist

SERVICE LEVELS o Indemnification obligations

 Uptime o Infringement of IP rights
 Response time o Breach of advertising / publicity
 Problem response and resolution restrictions
 Remedies  Overall liability cap as a multiple of fees

DATA SECURITY LICENSE / ACCESS GRANT AND FEES

 Protection against security vulnerabilities
 Disaster recovery and business continuity
requirements
 Frequency of data backups
 Use of / return of data
 Format for return of data
 Review of security policies
 Physical site visit
 SAS 70 audit
 Limitations on right to use data
INSURANCE
 Cyber liability policy
 Technology errors and omissions
 Electronic and computer crime
 Unauthorized computer access
 Avoid only general liability policy
INDEMNIFICATION
 For breach of confidentiality and security
requirements
 For infringement claims
 No limitation on types of IP covered
 Consider limitation to U.S. patents
LIMITATION OF LIABILITY
 Application to both parties
 Exclusions (from both consequential
exclusion and cap on direct damages)
o Breaches of confidentiality
o Claims for which the vendor is
insured
 Broad permitted use
 Avoid limitation to internal business
purposes
 Application to affiliates, subsidiaries,
outsourcers and others
 Consider pricing
TERM
 Free ability to terminate
 Consider limited notice period
 Consider limited termination fee (if
justified by vendor’s upfront costs)
WARRANTIES
 Data security
 Redundancy / disaster recovery / business
continuity
 Performance in accordance with
specifications
 Services provided timely and in
compliance with best practices
 Provision of training as needed
 Compliance with laws (both the software
and personnel)
 No sharing of client data
 Software will not infringe
 Software will not contain viruses
 No pending / threatened litigation
 Sufficient authority
PUBLICITY / USE OF TRADEMARKS
 No media announcement unless agreed

4812-1128-2702.1
  No use of customer marks without
permission
NOTIFICATION FOR SECURITY ISSUES
 Customer gets sole control over
notification
 Reimbursement for costs and expenses

ASSIGNMENT
 Ability to assign freely
 Assignee assumes responsibilities under
the agreement

PRE-AGREEMENT VENDOR DUE

DILIGENCE
 Questionnaire to vendors to include
questions regarding
o Financial condition
o Insurance
o Existing service levels
o Capacity
o Physical and digital security
o Disaster recovery and business
continuity processes
o Redundancy
o Ability to comply with applicable
laws

4812-1128-2702.1
 Chapter 6: Joint Marketing Agreements

Checklist

PRE-ENGAGEMENT CONSIDERATIONS o No pending or threatened litigation

 Scope of engagement
 Non-disclosure agreement
MARKETING OBLIGATIONS
 Exhibit with precise marketing obligations
 Mutual agreement
 Responsibility for expenses – shared
REFERRAL ARRANGEMENTS
 Definition of who is a referral
 Referral period (anything outside of period
is not a referral)
 Compensation to referring party
 Audit rights
CONFIDENTIALITY
 Protection of all confidential information
exchanged
 Overrides any NDA entered into in pre-
engagement
INTELLECTUAL PROPERTY ISSUES
 Any software or products are provided as
is
 Return of software / products at end of
relationship
 Narrow license for any materials or
information shared
 License for use of trademarks and names
 Approval for trademark / name usage
 Reservation of IP rights
 Residual knowledge / feedback clause
 Broad warranty disclaimer
 No guarantee of revenue (unless
appropriate)
NO AGENCY
 Agent relationship not intended
LIMITATIONS OF LIABILITY
 Common limitation of liability exclusions
o Breaches of confidentiality
o Claims for which the vendor is
insured
o Indemnification obligations
o Infringement of IP rights
 Disclaimer of all other liability
INDEMNIFICATION
 Limited to violations of law and misuse of
IP
TERM AND TERMINATION
 Renewal after stated term
 Free ability to terminate
Termination for breach

WARRANTIES AND DISCLAIMERS

 Basic warranties
o Ability to enter into agreement
o Compliance with applicable laws
 Chapter 7: Software Development Kit (SDK) Agreements

Checklist

CONTENT OF SDK
 APIs LIMITATIONS OF LIABILITY
 Sample code  Complete limitation
 Sample documentation  Exclusion of consequential damages
 Other data and information  No recovery of direct damages
 Ensure IP protected  Stop gap if unenforceable

SCOPE OF LICENSE INDEMNIFICATION

 Scope  Developer indemnification of company for
 Internal development all claims against company related to
 Internal testing developer’s use of SDK
 Distributable
 What agreement applies to distribution EXPORT AND IMPORT
 Developer rights  Developer’s compliance with all export
and import laws
OWNERSHIP  Indemnification for claims against
 Company owns SDK materials company
 Modifications and derivatives
ACQUISITION BY FEDERAL GOVERNMENT
 Company ownership of suggestions and
feedback  Protection of IP

CONFIDENTIALITY TERM AND TERMINATION

 Testing of third party software products  Term?
 No representations or warranties as to  Termination for convenience
compatibility Termination for breach / bankruptcy
 Confidentiality of SDK

SUPPORT
 Not generally provided
 If provide, precise obligations
 No representations or warranties with
respect to support services
 As is and as available

WARRANTY DISCLAIMERS
 No warranties
 No liability of company
 As is, as available

4812-1128-2702.1
 Chapter 8: OEM Development Agreements
Checklist
CONTENT OF JDA
 Avoid joint IP ownership
 Accounting risk
 License and disclosure risk
 Disagreement on future direction
 Threat to pre-existing IP
 Third party misuses or infringes
 Liability for co-developer acts
SCOPE OF SERVICES
 Define scope of development and services
 Attached statement of work
ACCEPTANCE
 OEM’s short inspection for deliverables
 Timely notice or acceptance
OWNERSHIP
 One party owns IP, other licenses it
 Approval for OEM to own IP related to
pre-existing IP
EXCHANGE OF IP
 IP provided to/from OEM
 Rarely give source code to OEM
 Provide development services
CONFIDENTIALITY
 No “poison pill” confidentiality
 No non-compete provisions
 Retain right to use feedback from OEM
 Use developed IP without disclosing pre-
existing confidential information from
OEM
COMPENSATION, FEES AND REVENUE
SHARING
 Clear
statement of company compensation
 Service fees
 Commissio
n
 Revenue
share of OEM product sales
 Caution
regarding fixed fees
CHANGE OF CONTROL
 Only perform services from
agreement
 Change of order approval
OEM CUSTOMER OBLIGATIONS
 State assumptions of agreement
 Include obligations of OEM
MARKETING
 Marketing rights and obligations
 Sales efforts
 No direct marketing by OEM
 License rights to trademarks
END USER LICENSE AGREEMENT
 Use standard agreement
 Between company and end user
 Insert key provisions
AUDIT RIGHTS
 Company right to audit OEM
 Company right to inspect OEM systems
WARRANTIES
 OEM not developing similar IP
 Mutually agreeable operation of
deliverables
 Customer modifications
 Misuse of deliverables
 Disclaim implied warranties
 Disclaim express warranties not in
agreement

SUPPORT AND MAINTENANCE
 OEM provides first tier support
 Company provides second tier support
 Company supports OEM if issues arise
LIMITATION OF LIABILITY
 Disclaimer
 Cap on direct damages
 Misuse of company’s IP excluded
 Breaches of confidentiality
 Willful misconduct
INDEMNIFICATION
 IP provided by OEM to company
 Third party IP infringement claims
 Breach of agreement
 Violation of applicable laws
 Negligence
 Wrongful acts by OEM
 Mutual indemnification
TERMINATION
 Uncured breach by OEM
 No substantial misconduct by company
 Brief sell-off period of OEM
CONTRACT NEGOTIATIONS
 Review of OEM form by legal counsel
 Advice of legal counsel
 Business and legal terms negotiated
contemporaneously
 No discussion with OEM lawyers
 Basic term sheet
 Company creates own redlines
 Password-protected documents
 Sending documents outside the company
 Open provisions by OEM
 Negotiation by telephone
 E-mail access during telephone
negotiations
 Discussion of issues internally during
negotiation
 Chapter 9: HIPAA Compliance
Checklist
HIPAA/HITECH COMPLIANCE
 HITECH Act
 Civil and criminal penalties
 Expanded definition of Bas
WHO ARE BAS
 Working on or behalf of CEs
 Providing PHI data to CEs
 Vendors contracting with CEs
FAIL TO COMPLY WITH HIPAA
 CMPs: $100-$10,000/violation
 Criminal penalties
 Mandatory HHS investigation and
assessment
 Civil actions by state AGs
SECURITY BREACH NOTIFICATION
 Must notify CEs of unsecured PHI
breaches
 CEs must notify individuals
 CE may need to notify HHS and local
media
 BAs bear burden to prove reasonable
delay in notification
 Security breaches of unsecured PHI
include unauthorized acquisition,
access, use or disclosure of PHI
 Unsecured PHI is not encrypted or
destroyed
 CEs must notify patients within 60
days after discovery of breach
 Date of discovery or date breach
should have been discovered
 Information BAs provide to CEs
following breach
 Contractual obligations of BAs to
notify on behalf of CEs
 Compliance with state laws
 BAs’ internal policy for notification
 Contractual binding of subcontractors
HIPAA SECURITY RULE
 Administrative, physical and technical
safeguards
 Specific standards of implementation
 Gap analysis for shortfalls
 HHS recommends technical safeguards
 Subcontractor agreements
 Information security due diligence
questionnaire
STATUTORY LIABILITY
 Amending noncompliant BAAs
 Renegotiate with CEs
 BAAs increase in complexity
 Indemnifying CEs
 Required notification of breach on
behalf of CEs
 Responsibility for costs of breach
 Draft form amendments to BAAs
 Minimize negotiation terms not
required by law
 Reflect new obligations of BAs, but
protect from liability for subcontractor
breaches
ADDITIONAL HIPAA
REQUIREMENTS
 Comply
with new minimum necessary
standards
 Use of a
limited data set?
 Ongoin
g assessment of what is minimum
necessary
 CEs
must account to individuals of
disclosures from EHR
 Monitor
developing HHS advice
 No
direct or indirect remunerations to BAs
for EHR or PHI
 Making
recommendations for products or
services
STEPS FOR BREACH NOTIFICATION
COMPLIANCE
 Analyze existing policies and
procedures
 State breach notification
requirements?
 Designate person to ensure
breach investigation and determine if
breach occurred
 Outside legal counsel
 No unreasonable delay in
reporting
 Impacted individuals identified
 Impacted individuals reported to
CE
 Employees trained on reporting
breaches and handling PHI
 Sanctions for employees
 Can BA-controlled PHI be
secured?
o Encrypted
o Destroyed
 Amend existing reporting policies
 Seek outside legal review of
amendments
 Risk prevention and mitigation
strategies
 Decrease risk of breach?
 Insurance covers costs from breach?
STEPS FOR SECURITY RULE
COMPLIANCE
 Perform gap analysis
o Administrative safeguards
o Physical safeguards
o Technical safeguards
 Make written policies and procedures
for each standard above
 Seek legal review of policies
 Train employees on requirements
AMENDMENT OF BAAs
 Draft template amendments
 CE may conduct due diligence of BA
 Negotiate broad indemnification or
cost-allocation provisions
 Terms in existing service agreements
conflict with BAA?
 Amend subcontractor agreements
INVENTORY HIPAA-RELATED
POLICIES
 Current policies facilitate compliance?
 Accounting for disclosures made from
an EHR?
 Minimum necessary
disclosures/limited data set?
 Prohibition on sale of EHRs or PHI?
 Conditions on marketing
communications?
 Training procedures for personnel?
 Review sanctions for employee
violations
 Chapter 10: Key Issues and Guiding Principles for
Negotiating a Software License or OEM Agreement
Checklist
INITIAL MATTERS
 Customer executes mutual NDA
 NDA only addresses confidentiality
 Use company’s standard license
agreement
 Give customer proposed agreement
early
 Customer should return redline of
agreement before negotiation begins
 No calls to “talk over the agreement”
before redlines
 Respond to customer’s redline with
company’s redline
 Accept customer’s revisions or
propose alternative language
 Show customer’s form to legal counsel
 No negotiating revisions without legal
counsel
 No discussion of agreement with
customer’s attorneys
 Create basic term sheet
 Never rely on redlines produced by
customer or third party
 Require editable Word documents
 Be cautious in mailing documents
outside company
 Defer negotiation of open provisions
 Negotiate telephonically
 Business and legal teams need e-mail
access during negotiations
 Defer negotiation for questions
requiring internal consideration
LICENSE/OWNERSHIP SCOPE
 Non-exclusive
 Non-transferable
 Non-sublicensable
 No irrevocable licenses
 Required development activities?
4812-1128-2702.1
 No access to source code
 Customer must use standard end
user license agreement
 Licensee has no ownership interest
in company’s software
PRICING
 Commensurate with scope of license
granted
 No single-price broad licenses
 Specify uses for software in fixed price
license
 Annual maintenance fee
 Major new versions and new software
products
 Company retains audit rights
LIMITATIONS OF LIABILITY
 Includes exclusion of consequential
damages and cap on direct damages
 If mutual, exclude customer misuse of
company software and IP
 Cap on company’s overall damages
 Breaches of confidentiality and willful
misconduct exclusions
WARRANTIES
 Requires material compliance with
company’s documentation
 No longer than 90 days
 Exclusive remedy for breach is repair
 Implied warranties
 Written warranties not included in
agreement
SUPPORT AND MAINTENANCE
 Support vs. maintenance
 No new versions or new functionality
in support
  No material alterations to standard
support program
 Priced annually
 Automatic renewal of support term
 No commitment to support after 5
years
 No agreements to provide “free”
professional services
 Initial fixed fees become “then current
rates”
PAYMENT
 Based
on objective and easily identifiable
event
 Testing/
acceptance language reviewed by legal
counsel
 License
fees not subject to refund
 Monthl
y invoices
 No
fixed fee arrangements
4812-1128-2702.1
TERM AND TERMINATION
 Consistency between license type
and term of support
 Initial term with automatic year-
to-year renewal
 Licenses immediately terminate
 Licenses to end users do not
terminate with customer agreement
 Misuse terminates perpetual
license
 Opportunity to cure before
termination for cause
INFRINGEMENT INDEMNIFICATION
 Company liability unlimited
 Legal counsel drafts indemnification
 Company controls defense/settlement
 “Standing alone”
 Approved list of countries/jurisdictions
 Chapter 11: Drafting OEM Agreements (Where the Company is the

OEM)

Checklist

SCOPE OF ENGAGEMENT SUPPORT AND TRAINING

 Agreement covers all relevant activities  Train
 NDA prior to substantive discussions personnel adequately
 Describe coordination efforts  Ensure
 Who will contact customers? supplier cooperation
 “Private label”?  Specify service levels

CUSTOMER TERMS CONFIDENTIALITY

 Controlling liability  Strong clause in agreement
 Appropriate license
 Terms and conditions IP ISSUES
 Absolve of liability  Standard commercial licenses
 Appropriate drafting  Terms and conditions
 Returning products
TERRITORY  Reserve rights explicitly
 Geographic restrictions  No transfer or assignment
 Clear identification of restrictions
WARRANTIES / DISCLAIMERS
HARDWARE PRODUCTS  Authority to enter agreement
 How order will be placed  Non-infringement
 How order will be filled  Free of known defects
 Timing of orders  Unaware of litigation
 Return procedures  Freedom from viruses
 Warranty claims  Freedom from disabling code
 Non-binding order projections  Compliance with relevant codes
 Price reduction incentives
LIMITATIONS OF LIABILITY
EXCLUSIVITY  Direct and consequential damages
 Address exclusivity explicitly  Last three months of fees paid
 Specific revenue commitments  Injury to persons
 Remedy is not breach of contract
 Broad termination rights INDEMNIFICATION
 IP infringement claims
SUPPLIER PRODUCT CHANGES  Supplier violation of applicable law
 Obligation to coordinate with company  Products liability
 IP infringement claims caused by OEM
 Limited jurisdictions

4812-1128-2702.1
 TERM AND TERMINATION
 Specific initial term
 Agreement to renew company’s option
 Automatic renewal
 Company right to terminate without cause
 Revenue commitments?
 Breach of agreement
 Sell-off period
 Continue to support existing customers

22

4812-1128-2702.1
 Chapter 12: Collecting Basic Deal Information

Checklist

BASIC PRINCIPLES  Vendor uses offshore partners/affiliates?

 Marshal basic information  Vendor uses subcontractors? If so, who?
 Value of proposed transaction?  Location for vendor performance?
 Term of agreement?  Vendor provides hosting services?
 Criticality of technology to business?
 Unique regulatory issues? INTELLECTUAL PROPERTY
 Other foundational information?  Will the customer want to own vendor-
 Circulate a “deal memo” created IP?
 Circulate a “term sheet”  Vendor cannot share with competitors?
 Vendor cannot share with industry?
DESCRIBE THE ENGAGEMENT  Vendor has access to sensitive IP?
 What is the deal about?
 Business advantage from contract? PERSONAL INFORMATION
 Use non-technical English  Vendor
access to personally identifiable
USEFUL LIFE information?
 Anticipated duration of contract  What
 Desired renewal terms information is at risk?
 Duration of services rendered  Financial
 License for years or perpetual? account information?
 Renewal rights  Health
 Costs for renewal information?
 Social
EXPECTED FEES security numbers?
 Compensation to vendor  Legal and
 Breakdown of first year fees regulatory requirements
o License  Transmission across international borders
o Professional services
INFORMATION SECURITY
o Implementation
o Customization  Vendor access to sensitive customer
data?
o Hardware
 Cloud computing based service?
o Telecommunication
 Hosting service?
 If no fees, good faith estimate
 Is vendor sole custodian of customer data?
 When to use customer’s form
UNIQUE ISSUES
PERFORMANCE
 Vendor’s financial situation is suspect
 Customer-facing application?
 Vendor is subject of litigation
 Location for service performance?
 Vendor had recent security breach
 Offshore vendor?

4812-1128-2702.1
  Performance constraints
 Substantial regulatory/compliance issues

24
4812-1128-2702.1
 Chapter 13: Reducing Security Risks in Information Technology

Contracts

Checklist

TRADE SECRETS POLICIES AFTER INFRINGEMENT

 Stamp with “CONFIDENTIAL”  Audit rights
 Control physical access  “Phone-home” features
 Use time stamps and ID logs  Swift action upon infringement
 Strong password requirements  Terms for end of license
 Encryption o Uninstall program code
 Firewalls o Destroy electronic copies
 Prohibited use of USB drives o Return physical copies
 Isolate development and testing  Insure against IP infringement
environments
EMPLOYEE TRAINING
COPYRIGHT  Need to
 Establish and communicate policy protect software
 Mark with © symbol  How to
 Mark with year of first publication protect software
 Mark with name of legal owner  Responsibil
 Include textual marking in source code ities for protection during and after
 U.S. copyright registration employment
 Register with U.S. Customs  Exit interviews

JOINT IP CONTRACTUAL PROTECTIONS

 “Clean room” protocols
 Isolate independent IP from joint IP
EMBEDDED OPEN SOURCE
 Policy against embedding open source
 Advance planning for correct embedding
if at all
 Proprietary information of former
employer
 Assignment
 Prohibited use or disclosure of
confidential information
 Noncompete agreements
 Nonsolicitation agreements

INTERNAL PROCEDURES NONEMPLOYEES AND

 Archive copies of each software version
 Verify company’s right to use other IP
 Enforce security policies
 Appropriate use of computers
 Appropriate use of mobile devices
 Passwords
SUBCONTRACTORS
 Confidentiality agreements
 Need-to-know basis
 Work-for-hire agreements
 Assignment of all IP ownership rights
SOFTWARE DISTRIBUTION
 Only distribute object code, but if not:

4812-1128-2702.1
 o Source code obfuscator
 Embed signature in code
LICENSE AGREEMENTS
 End User License Agreement
 Require acceptance of EULA
 Licensing in writing
 State clear terms and conditions
 No limited liability for misappropriation
 Breach results in breach of contract
 Breach results in IP infringement
 Specify narrow uses for IP
 No selling/transferring embedded software
 Prohibit reverse engineering
 Prohibit decompiling
 Prohibit discovering source code
 Prohibit discovering trade secrets
 Disclosure of accompanying documents
 Explicit statement of confidentiality
NDAS
 Standard NDA for initial discussions
 After code delivery, license
 Perpetual trade secret confidentiality
AUDIT RIGHTS
 Include audit rights
 Written certification by licensee officer
4812-1128-2702.1
 Identify installations of software
 Retain certification copies for 5 years
FOREIGN JURISDICTIONS
 Distribute with care
SOURCE CODE LICENSES
 Escrow the source code
 Limit release conditions
 Prohibit installation on network computer
 Licensee keeps copies in locked safe
 Prohibit copying onto removable media
 Limit personnel who can access code
 Third party: require written authorization
 No competitor access to code
 Keep logs of source code
 Use no open source software
 Indemnify company from all infringement
 Warranties apply to unmodified software
 Prohibit IP rights in derivative works
 License to company for derivative works
 Total assignment of all IP is better
 Require specific security measures
 Right to audit licensee’s use
 Strict confidentiality requirements
 Limited jurisdictions
 Limited remote access
 Risk of a “deemed export”
 Chapter 14: Web Site Assessment Audits
Checklist
SITE EVALUATION
 Target audience?
 Accessibility to all users?
 Users in U.S. or abroad?
 Process transactions?
 Products or services sold?
 Forms?
 Enter data or access database?
DOMAIN NAMES
 Proper registration
 Proper entity listed as owner
 Trademark due diligence
 Search for “cybersquatters”
 Using domain brokers
USE OF THIRD PARTY TRADEMARKS
 Written permission prior to use
 Written permission for quotations
 Meta tags
 White text on white background
 Microscopic type
HYPERLINKS
 Trademark or logo symbols
 Interstitial notice in Terms and Conditions
 Written linking agreement
 No implicit endorsements
 No representations about linked sites
 No framing without permission
 Written permission for deep-linking
CONTENT
 Development agreement
 Agreements with independent contractors
 Employment agreements
 Other agreements regarding the site
 Website has right to use content
 Third party content providers
 Photographs
VISITOR UPLOADS
 Submission agreement
 Visitor accepts liability associated with
upload
 Chat/discussion room disclaimers
Attorney for Plaintiff
 Windermere Holdings, LLC and
 Cross-Defendant Thomas Kinkade
Attorney for Plaintiff
 Windermere Holdings, LLC and
 Cross-Defendant Thomas Kinkade DMCA
requirements
o Permit operator to terminate service
o Do not interfere with protection of IP
o Agent to notify if infringement
 File Agent name at Copyright Office
INTERNET LAWS
 Spamming
 Sales
 Advertising
 COPPA
TERMS AND CONDITIONS
 Accessible from home page
 Accessible by link
 Methods to determine visitor assent
o Required online registration
o Required acceptance
o Prominent notice
o Basic notice
 Changes to legal notices
 Applicable law and venue
 Arbitration clause
DATA SECURITY AND PRIVACY
 Privacy policy?
 Accessible from home page
 Links to Terms and Conditions
 Employees follow policy
  Third party online privacy certification
 Agreement with hosting provider
 Firewall

INSURANCE
 Intellectual property infringement
 Invasion of privacy
 Defamation
 Personally identifiable information
 Protected health information
 Personal financial information
 Misuse of information by site
 Misuse of information by employee

ADDITIONAL CONCERNS
 Record of modifications to T&C
 Copyright notice on site

4812-1128-2702.1
 Chapter 15: Critical Considerations for Protecting IP in a Software

Development Environment

Checklist

KEY ISSUES ADMINISTRATIVE SECURITY

 Definitions  Written Privacy Policy
 Risk of contracting  NDAs for personnel with access
 Trade secrets
VENDOR DUE DILIGENCE  Written security plan
 Put vendors on notice  Encryption
 Security standards  Procedures for removable media
o Gramm-Leach-Bliley  Permission settings and restrictions
o HIPAA Security Rule/HITECH Act  Separate networks with respect to access
o FFIEC Guidance  Permanent logs of any access
o States  No unauthorized access to Client Data
o Federal Trade Commission  No installation or removal of programs
 Diligence should cover:  Require reasonable security
o Criminal convictions  Vendors abide by regulatory framework
o Litigation  Document access by Vendors
o Regulatory and enforcement
o Breaches of security TECHNICAL SECURITY
o Breaches of health information  Enable use of firewalls
o Adverse audits  Ensure secure Internet access
o Use of parties outside U.S.  Consider disconnecting computers
 Standardized questionnaire  Encryption
o Corporate responsibility  Procedures for data in transit
o Insurance coverage  Separate testing from production
o Financial condition
o Personnel practices PERSONNEL SECURITY
o Information security policies  All aware of security requirements
o Physical security  Client can request removal of personnel
o Logical security  Pre-screening
o Disaster recovery  Control over access
 Business continuity  Review of materials taken outside

TREATMENT OF DATA SUBCONTRACTORS

 Maintain data as confidential
 Liability for unauthorized disclosures
 No data removed by Vendor
 Identified
in writing
 Client right
to approve/reject
 Vendor
accepts liability

4812-1128-2702.1
  Mirror PSA
SCAN FOR THREATS
 Prohibit install
 Accessible by link
 Methods to determine visitor assent
o Required online registration
o Required acceptance
o Prominent notice
o Basic notice
 Changes to legal notices
 Applicable law and venue
 Arbitration clause
DATA SECURITY AND PRIVACY
 Privacy policy?
 Accessible from home page
 Links to Terms and Conditions
4812-1128-2702.1
 Employees follow policy
 Third party online privacy certification
 Agreement with hosting provider
 Firewall
INSURANCE
 Intellectual property infringement
 Invasion of privacy
 Defamation
 Personally identifiable information
 Protected health information
 Personal financial information
 Misuse of information by site
 Misuse of information by employee
ADDITIONAL CONCERNS
 Record of modifications to T&C
 Copyright notice on site
 Chapter 16: Click-Wrap, Shrink-Wrap, and Web-Wrap Agreements

Checklist

WHERE’S THE AGREEMENT o No remedy for misuse of

 Identify all relevant contract terms confidential information
 Keep accurate copies of the agreements  Beware broad audit rights
 Record the date of acceptance o Abusive audits
o Contingent fee audits
RISKS AND ISSUES o Access to company facilities and
 Business assessment of risks posed systems without adequate contractual
 Understand as-is nature of software or protections
service o Access by undefined third party
o No warranties agents of vendor
o No indemnities  Assess risks of use of resellers
o Very limited liability, if any, for the o Additional contract to review
vendor o Splitting of responsibility
 Customer has unlimited liability for both o Potential finger pointing between
direct and consequential damages vendor and reseller
 Identify contractual provisions that could
place customer intellectual property at risk TECHNIQUES
o Feedback clauses  Blind Acceptance
o Train personnel not to reveal or  Knowing Acceptance
disclose proprietary information or o Identify all terms
intellectual property o Conduct brief review and assessment
 Avoid placing sensitive information at risk o Adequately document
o No confidentiality protection  Mitigation
o No real liability for breaching o Process for review
confidentiality o Development of form amendment
Chapter 17: Transactions Involving Financial Services Companies as
the Customer
Checklist
FORM AND TYPE OF AGREEMENT
 Company’s form or vendor’s form
DEFINITIONS
 Definition of “Confidential Information”
o Personally identifiable information
o Trading and account information
o “Insider information”
 Definition of “aggregated data,” if
applicable.
GENERAL REQUIREMENTS
 Include all standard requirements
discussed elsewhere in this book for the
particular type of contract under
consideration
 Strong confidentiality clause
o Perpetual protection for personal
information
o Ongoing protection for trade secrets
 Compliance with customer’s privacy
policy, including updates
 Control over notices for data breaches
o Reimbursement for costs, notice,
investigation, identity theft insurance
 Avoid data aggregation rights
o Obligation to cleanse/scrub the data
o As-is
o Indemnity for failure to cleanse and
all use of data
 Information security
o Best industry practices
o Compliance with applicable laws and
regulations
o Prompt reporting of potential or
actual breaches
o Maintain and provide log files and
other forensic evidence
o Audit rights
o Testing, including penetration testing
o Right to SAS 70 Type II or similar
audits (e.g., SSAE 16)
o Requirements for secure deletion and
data removal
 Background checks
 Indemnification for breach of
confidentiality.
 Breaches of confidentiality and
indemnifications obligations excluded
from limitations of liability.
 Audit rights
o Security
o Contract performance
o Confirm charges and fees
o Regulators
 Termination for regulatory issues
 Reject vendor audit rights in favor of
offsite record review
 Review pricing and tying arrangements
between and among products and services
 Compliance of software and services with
relevant laws and regulations
o Right to updates without charge
 Limit subcontractors
o Offshore
o Due diligence
o Potential separate NDA
TECHNIQUES
 Be ready to explain the unique legal and
regulatory requirements
 Be familiar with the FFIEC Handbook
 Review checklist of regulatory
considerations at the end of this chapter
 Make your own checklist of key issues
 Chapter 18: Maintenance and Support Agreements

Checklist

FEE PREDICTABILITY AVAILABILITY

 Price Locked for a Fixed Term  Support available 24/7 if needed
 After Rate of Price Increases Capped at
CPI PROBLEM ESCALATION
 Support Escalation Matrix
TERM
 Minimum Period of Support SERVICE LEVELS
 Escalation Matrix Response Time Service
TERMINATION AND RESUMPTION OF Level
SUPPORT  Service Credits for Service Level Failures
 Ability to Resume Support After Earlier
Expiration or Termination LIMITATIONS OF LIABILITY

SPECIFICATIONS
 Support Obligations Tied to
“Specifications” Rather Than
“Documentation”
 Chapter 19: Source Code Escrow Agreements
Checklist
WHAT TYPE OF ESCROW?
 Two Party
 Three Party
 Self-Escrow
RELEASE CONDITIONS
 Insolvency of vendor
 Filing of voluntary or involuntary
bankruptcy proceedings that remain
undismissed
 General assignment for the benefit of
creditors
 Ceasing to provide support and
maintenance services
 Breach of the license agreement.
KEY ISSUES TO BE ADDRESSED IN
SOFTWARE LICENSE
 Requirement that source code be escrowed
 Identify approved escrow agent
 Definition of “source code”
 Identify release conditions
 Require vendor to update the source code
to reflect current version of the software
 Identify all relevant fees and the
responsible party
 Include right to request verification
services from the escrow
o Include cost shifting to vendor if
verification fails
 On the occurrence of a release condition,
include right for customer to use and
modify the software to provide its own
support
TECHNIQUES
 In critical applications, include right for
the customer to use a consultant to verify
the source code is well written and
documented.
o Non-Disclosure Agreement with
consultant
o Termination right for customer in the
event of adverse findings
 Consider requiring the vendor to deposit
names and contact information of key
developers in the escrow.
 Ensure the escrow company is well
established and financial viable.
 Chapter 20: Integrating Information Security Into the Contracting
Life-Cycle
Checklist
USE THE THREE TOOLS FOR BETTER
INTEGRATING INFORMATION SECURITY
INTO THE CONTRACT LIFE-CYCLE
 Pre-Contract Due Diligence
 Key Contractual Protections
 Information Security Requirements
Exhibit
PRE-CONTRACT DUE DILIGENCE
 Develop a Form Due Diligence
Questionnaire
 Ensure the Questionnaire covers all key
areas
 Use the Questionnaire as an early means
of identifying security issues
 Use the Questionnaire to conduct an
“apples-to-apples” comparison of
prospective vendors
KEY CONTRACTUAL PROTECTIONS
 Fully Fleshed-Out Confidentiality Clause
 Warranties
o Compliance with best industry
practices; Specify the relevant
industry
o Compliance with applicable laws and
regulations (e.g., HIPAA, GLB, etc.)
o Compliance with third party
standards (e.g., PCI DSS, Payment
Application Data Security Standard).
o Compliance with customer’s privacy
policy.
o Prohibition against making data
available offshore
o Responses to Due Diligence
Questionnaire are true and correct
 General Security Obligations
o All reasonable measures to secure
and defend systems
o Use of industry standard anti-virus
software
o Vulnerability testing
o Immediate reporting of actual or
suspected breaches
o Participation in joint audits
o Participation in regulatory reviews
 Indemnity against claims, damages, costs
arising from a breach of security
 Responsibility for costs associated with
providing breach notifications to
consumers; control of timing and content
of notice
 Forensic Assistance
o Duty to preserve evidence
o Duty to cooperate in investigations
o Duty to share information
 Audit Rights
o Periodic audits to confirm
compliance with the agreement and
applicable law
o Provision of any SAS 70 or similar
audits
 Limitation of Liability should exclude
breaches of confidentiality from all
limitations and exclusions of liability
 Post-Contract Policing
INFORMATION SECURITY
REQUIREMENTS EXHIBIT
 Where appropriate, develop an exhibit,
statement of work, or other contract
attachment describing specific required
information security measures
 Use of wireless networks
 Removable media
 Encryption
 Firewalls
 Physical security
 Chapter 21: Software Development Kit Agreements
Checklist
KEY CONTRACTUAL PROTECTIONS --
LICENSORS
 Think through what should be included in
the SDK and clearly define it.
o Provide no more intellectual property
than is necessary
o Be cautious about disclosing trade
secret information
 Define the scope of the license being
granted
o Consider identifying the permitted
licensee products and services for
which the SDK may be used.
 The licensor’s intellectual property should
be clearly protected.
o Licensor should own all rights in the
SDK and any derivative works based
on the SDK
o Include a “feedback” clause
 Include a strong confidentiality clause
o Typically only protects the licensor’s
information
 Consider including a compatibility testing
requirement
o Define how testing will proceed
o Consider a seal or certification
program for the licensee’s products
and services
o Avoid liability to the licensee’s
customers by requiring the licensee
to disclaim the licensor’s liability to
the customers
o Protect the licensor’s trademarks
 Include any applicable support obligations
 Disclaim all express and implied
warranties
 Disclaim all liability
4812-1128-2702.1
o Include failsafe language to limit all
damages
 The licensee should indemnify the licensor
from any and all damages that may flow
from the licensee’s use of the SDK
 The licensee should be liable for
compliance with all applicable import and
export laws
 Include language to prevent intellectual
property issues in licenses to the
government
 Address term and termination
o In general, termination for
convenience should be included in
all SDK Agreements.
KEY CONTRACTUAL PROTECTIONS --
LICENSEES
 The agreement should make clear whether
any fees are contemplated. If not, the
agreement should state no fees are due.
 Beware of wide-ranging audit rights for
the licensor, particularly when the
agreement contains no substantive
confidentiality protections.
 All provisions relating to intellectual
property ownership should be reviewed to
determine whether they pose a threat to the
licensee’s intellectual property
 Chapter 22: Distribution Agreements

Checklist

LICENSE GRANT  Ensure that distributor cannot misrepresent

 Consider necessity and scope or otherwise make false statements
o Exclusivity regarding product
o Territorial limitation
o Hybrid of exclusive and territory PRODUCT PRICING
o Quotas  Determine price of product and royalty
 Reservation clause payments
 Non-Competition clause  Collecting fees
 Intellectual property license o Initial license
 Termination in the event of a breach o Add-on services
o Subscriptions
END USER LICENSE AGREEMENT  Shipping costs and taxes
 Which agreement will govern use of  Expenses incurred in distribution
distributed product  Invoicing and collection of fees
 Process for getting agreement to customer  Distributor’s periodic reports:
 Who may accept agreement on o Sales
manufacturer’s behalf o Marketing
 Who owns the customer that purchases the o Audit payments
product  Maintain records after termination of
distribution agreement
DEVELOPMENT OF THE PRODUCT
 Identify parties’ representatives CONFIDENTIALITY
 Describe process for setting meetings
 Draft development plan with technical TERM OF AGREEMENT
aspects of product design  Ensure survivorship of certain contractual
 Agree ahead of time how parties will clauses
allocate expenses o Warranties
o Indemnification
OBLIGATIONS OF THE PARTIES o Risk of Loss
 Distribution and sale of the product o Limitation of Liability
 Training distributor’s employees o Intellectual Property
 Customer support
 Marketing of product
o Marketing materials
o Marketing plans
o Press releases
 Assign primary marketing contact for each
party
 Chapter 23: Data Agreements
Checklist
KEY CONTRACTUAL PROTECTIONS
 Include basic contractual protections
common to all technology agreements
o Confidentiality
o Limitation of liability
o Termination rights
 Ensure the scope of the license is broad
enough to include all intended uses, both
those existing at the time the contract is
signed and reasonably anticipated in the
future
 Pre-negotiate fees for increasing the scope
of the license
 Avoid overreaching audit rights
o Limit frequency of audits
o Limit the type of records that can be
reviewed
o Limit the duration of the audit
o Include protections relating to third
party audits (e.g., require auditors to
sign an NDA and to be mutually
agreed upon by the parties).
o Limit costs recoverable for third
party auditors
o Reject requests from the vendor to
recover internal personnel costs
4812-1128-2702.1
 Warranties
o Rights to grant the license
o The vendor has no knowledge of
infringement claims
o Reasonable efforts to ensure
timeliness and accuracy of data
o Reasonable efforts to notify the
customer of known errors in the data
 Include an indemnification against
infringement claims based on the
customer’s licensed use of the data
 Negotiate broad termination rights,
including termination for convenience,
wherever possible
 The contract should specify the manner
and format of delivery for the data
 The customer should ensure it has the
unilateral right to renew the contract for at
least a few years
 The agreement should include price
protection for the initial term and first few
renewal terms
 Chapter 24: Service Level Agreements

Checklist

COMMON PROVISIONS IN TERMS &  Performance credits

CONDITIONS o Specify amount or percentage
 Root Cause Analysis o Total category allocation pools
o Identify reasons for failure o Specify parameters, including timing
o Develop Corrective Action Plan and notice requirements
o Implement preventative corrections  Presumptive Service Levels
 Cost and efficiency reviews  Exceptions to Service Levels
 Continuous improvements to Service  Supplier responsibilities
Levels  Additions, deletions, and modifications to
 Termination for failure to meet Service Service Levels
Levels  “Earnback” of performance credits
 Cooperation  Map the form of Service Levels. Include:
o Title
COMMON PROVISIONS IN SERVICE o Measurement window
LEVEL AGREEMENTS AND o Actual Service Level or Expected
ATTACHMENTS and Minimum Service Levels
 Measurement window o Calculation for how Service Level is
 Reporting requirements derived
 Maximum monthly at-risk amount
 Chapter 25: Critical Considerations For Records Management And

Retention

Checklist

SCOPE ELECTRONIC RECORDS

 Applicability to all types and formats of
records
 Applicability to all affiliates, divisions and
business units
 Risk assessment
 Third-party contractors and outsourcers
 Active vs. inactive records
RETENTION SCHEDULE
 Detailed list of records categories
 Employee surveys and interviews
 Organized by department/business unit
 Retention periods based on applicable law
 Retention periods based on operational
needs
 Retention periods based on statutes of
limitation
 Citations to applicable laws
 Periodic (e.g. annual) review and update
LITIGATION HOLDS
 Responsibility for issuing litigation holds
 Litigation hold notice
 IT department involvement in litigation
hold process
 Notification of outside vendors and
outside counsel
 Employees obligated to notify
management of pending or foreseeable
claims
 Termination of litigation hold
 E-discovery procedures
 Data map
 Authorized storage locations
 Retention, archiving and destruction of e-
mails
 Retention, archiving and destruction of
voicemail
 Security and encryption where required
(e.g. protected health information,
sensitive financial information, laptops
and removable media, etc.)
ADMINISTRATION
 Designated records manager
 Input and approval by Board and senior
management
 Confidentiality of employee personnel and
medical records
 Approved methods for destroying paper
and electronic records
 Procedures for distribution to and training
of employees
 Auditing compliance with the policy
 Off-site storage of inactive paper records
 Chapter 26: Website Development Agreements

Checklist

CRITERIA TO CONSIDER WHEN  Consequences if “check point” not met:

SELECTING A WEBSITE DEVELOPER o Extension
 Developer’s experience and qualifications o Monetary penalties
 Identify parties and their relationship o Termination
 Extent of allowable subcontracting o Delay
 Whether to include both designing and o Acceleration
hosting
 Implications of co-branding or joint TERM AND TERMINATION
development  Initial Term
 Maintenance, hosting, and co-location
BASIC OBJECTIVES services
 Specifications for website  Requirements for developer:
o Statements of work o Return company property
o Technology and equipment to be o Transfer software to company
supplied o Turn over documents
 Change management process o Confidentiality assurances
 List competing websites and extent to o Receipts for reimbursements
which your website is based on them  Final statement from developer and
 Required functions company that work was completed
 Maintenance and updating requirements  Termination without consent for material
 Define developer rights of access breach of contract

INTELLECTUAL PROPERTY OWNERSHIP OTHER PROVISIONS

 Obtain proper licenses and assignments  Fees, charges and expenses
 Project management
SOFTWARE REQUIREMENTS  Acceptance testing
 Ensure “open use” software  Warranties
 Determine rights to software, and whether  Identifications
to sublicense or separately license  Content of website
 Acquire disclosures from developer  Linking issues
 Identify who owns the software  Insurance
 Address disabling devices  Reports, records, and audits
 Training, education, and troubleshooting
SCHEDULES AND TIMETABLES
 Disputes
 Start date
 Trademarks and copyright
 Anticipated termination date
 Privacy
 Intermediate “check points”
 Terms of use
 Process for modifying schedule
 Chapter 27: Social Media Policies
Checklist
KEY STEPS
 Understand your company’s need for a
Social Media policy.
 Acknowledge that the definition of Social
Media is a moving target – so define the
term broadly.
 Describe the overall scope of the Social
Media policy and how it relates to other
company policies.
 Set guidelines for internal computer use
generally. Employees should know that:
o If it is done on a work machine, it
belongs to the company.
o Content produced on work machines
is not private.
o Content may be monitored.
 Set guidelines for outbound
communications. Employees should:
o Exercise care in drafting all
communications, whether personal
or professional. Pause before
posting.
o Never post inappropriate content.
o In general, employees should not
hold themselves out as representative
of company when posting Social
Media content.
o Establish approval and moderating
process for employees who wish to
hold selves out as representative of
company (e.g., writing a
professional blog).
 Employees should ask questions, and
ultimately sign the policy.
 Chapter 28: Software License Agreements

Checklist

ASK YOURSELF: o Prohibition on right to assign

 Business purpose and goals
 Criticality
 Fees and costs
 Implementation time

TERMS TO INCLUDE
 License and Restrictions
 Acceptance testing
 Third party software
 Fees
 Warranties
 Indemnification
 Limitation of liability
 Specifications
 Confidentiality and security
 Maintenance and support
 Announcements and publicity
 Term and termination
 Additional terms:
o Force majeure