Archive for March, 2015

New Senate Cybersecurity Bill May Expand Government Surveillance Pressures on Cloud Companies

Written by on Friday, March 20th, 2015

Privacy groups are raising alarms in response to the Senate Intelligence Committee's introduction of a new cybersecurity bill: the Cybersecurity Information Sharing Act of 2015 ("CISA").  The text of the current bill has been made available at this link.

According to a National Journal report on the proposed legislation, the bill "is intended to help forestall cyberattacks like the one that crippled Sony Pictures last year."  The bill has two key features: the sharing of cybersecurity-related data between companies and the government, and liability protections for the companies that participate.

As you might expect, the opposition already being raised is that the bill imposes new surveillance pressures on companies while providing virtually no protection to the individual.  The Electronic Frontier Foundation ("EFF") has already posted a scathing statement of opposition on its website, arguing that the bill grants companies very broad power to take action to protect information systems, with the sole restriction that no "substantial" harm result from the action, and that it also grants companies broad authority to monitor information systems, authority that can readily be used to conduct surveillance of individuals.  The EFF's position is as follows:

This fatally flawed bill must be stopped.  It’s not cybersecurity, but a surveillance bill.

Wired reports that other privacy advocates are concerned that the bill would permit the sharing of personal data for purposes well beyond stopping cybersecurity threats: preventing terrorism, averting an imminent threat of death or serious bodily harm, and even investigating crimes that have nothing to do with cybersecurity.

After reviewing the text of the proposed bill myself, I agree with the vocal opposition that the Senate Intelligence Committee's reason for proposing this type of legislation has little to do with preventing cyber attacks: it is to increase the surveillance powers of the federal government and to encourage broader corporate cooperation and participation in those surveillance activities.  I would also argue that this type of legislation, if enacted, has the potential to disproportionately affect cloud-based software and Internet companies, co-opting them into providing enhanced governmental surveillance of their own customers.

I can understand why Silicon Valley's tech community might be hesitant to oppose a bill that California's own Senator Dianne Feinstein has been supporting, but I would argue that this is an issue the software industry, and particularly the cloud industry, should step up to the plate on and strongly oppose, given that data collection is such an integral part of the online software business and revenue model.  This type of legislation, if passed, has the potential to put such companies in the undesirable position of conducting what amounts to surveillance of their customers on behalf of the government, which is not a position most Silicon Valley companies would like to find themselves in.  It takes the surveillance gathering that has been going on since 9/11 to an entirely new level.

The Silicon Valley Software Law Blog will keep you posted on developments with this legislation as they arise.

Category: Internet Legislation, Software Legislation

Insurance Industry Guidance to Consider When Negotiating a SaaS Indemnification Clause

Written by on Tuesday, March 17th, 2015

As a software attorney advising SaaS companies in contract negotiations, I am frequently asked for advice on negotiating indemnification clauses. While clients all have different risk tolerances when it comes to indemnification, it is always challenging to advise parties on either side of the negotiating table, because it is difficult to give clients any concrete guidance on what their actual risk may be.

The San Francisco Business Times recently published an article shedding some light on the actual risk to parties on both sides of a data breach, which, as any attorney in the software industry knows, is often the concern that prompts the most contentious indemnification negotiations in a SaaS contract discussion.

According to the San Francisco Business Times, the insurance brokerage Aon estimates that 80% of commercial privacy breaches around the world result in $1 million or less in direct costs and damages.  The San Francisco Business Times further reported that Aon estimates that approximately 15% of privacy breaches cost between $1 million and $20 million, with the average cost of those larger breaches running about $7 million.

So what is the significance of these liability estimates to parties negotiating an indemnification clause in a SaaS contract?

The significance is that a group of industry experts is estimating the liability risk for parties on either side of the transaction to be $1 million or less in most cases, with only a small portion of breaches rising significantly above that, and that where a breach does result in more than $1 million in damages, the loss averages about $7 million.  For indemnification negotiation purposes, this suggests that most SaaS customers are not going to incur more than $1 million in damages from a privacy breach, and, on the flip side, that most SaaS providers will not suffer more than $1 million in damages from a privacy breach affecting a particular customer.

Of course, insurance brokerages such as Aon also offer cyberinsurance that provides some coverage against this risk, which is why Aon is in the business of estimating cyber-liability risk in the first place: to sell and price cyberinsurance.

For my purposes as a software transactions attorney, however, these numbers provide some helpful guidance on how parties on either side of a deal should evaluate their real risk when negotiating an indemnification clause.  As a customer, an unlimited indemnification for a privacy breach might be nice, but these numbers suggest that something far less would likely be sufficient to protect your company.  On the flip side, as a SaaS provider, these numbers suggest that your actual exposure under an unlimited indemnification in a particular customer contract will probably not exceed $1 million, far less than the phrase "unlimited liability" might suggest, with the minority of larger breaches being the real risk that a liability cap is negotiated over.  All in all, this data is useful to consider in any SaaS contract negotiation, regardless of whether you are negotiating on the side of the customer or the service provider.

Category: Software Agreement Drafting

Copyright 2008-2017 The Prinz Law Office.

The Prinz Law Office | Silicon Valley, CA | Los Angeles, CA | Orange County, CA | San Diego, CA | Atlanta, GA | Tel: 1.800.884.2124