Mailing List

Popular Articles

Recent Articles

Follow Us

Recent Software Class Actions Provide Valuable Lesson on Why SaaS Contracts Should Be Drafted to Fit Company’s Business Model

Written by on Friday, March 10th, 2017 Print This Post Print This Post

When SaaS companies and start-ups first contact me, they are often doing so with the idea that there are a few really well SaaS template contracts circulating in the SaaS industry and they seeking the” right” attorney to provide that industry-standard template to them.  Alternatively, they contact me telling me that they’ve already put together a draft SaaS contract, and that they just want me to look over and “bless” what they’ve already written based on a particular SaaS company’s contract available for download on the Internet.

In these cases, which are the norm rather than the exception, I often encounter significant push-back when I first suggest to them that they are approaching the SaaS contract drafting process entirely the wrong way.  I always explain that a well-drafted SaaS contract should be tailored to their specific business model, and then I proceed to ask them a number of questions about their business model, which they generally aren’t prepared to answer.  They often then proceed to get frustrated by all the questions about their business, when all they are actually looking for is the “right” contract template.

If you are in the SaaS industry and have created your customer contract in a similar fashion, or committed the other common software contracting “sin” of caving into pressure exerted by a potential customer and just agreed to their standard agreement terms because you wanted to close a deal with them, then you may want to consider the example of recent litigation against an industry leader, which adopted contract language which was then alleged not to match the company’s business practices.

The litigation at issue involves class action suits against the McAfee brand security software: Williamson v. McAfee, Inc.,  No. 5:14cv00158 (N.D. Cal. Aug. 30, 2016) and Kirby v. McAfee, Inc., No. 5:14cv02475 (N.D. Cal. May 29, 2014).  Both cases focus on the company’s business practices surrounding its use of automatic renewal clauses–a standard practice widely adopted throughout the SaaS industry.  The litigation is ongoing: while the court granted final approval of a settlement in both cases, an appeal has been filed.  (See posted notice).

The particular contract clause at issue in the Williamson case is a common clause routinely included in SaaS contracts that stated at autorenewal customers would be charged the “then-current” price for the product.  However, the Williamson complaint alleged that the actual practice of the company was to charge customers upon autorenewal a higher price for the product than the price that the customer could have purchased the product for elsewhere.

The particular contract clauses at issue in the Kirby case stated that customer would be automatically enrolled in the autorenewal program and that a customer’s credit or debit card could be charged at autorenewal even after it had expired.  The Kirby complaint alleged that the actual practice of the company was to import into its billing system updated customer credit or debit card information provided by Visa or MasterCard rather than procuring a new authorization from client when the prior authorization became invalid, and to charge the customer at autorenewal at a higher price than originally paid without the customer’s express consent.

While there are a number of allegations made against McAfee in these class action suits, a fundamental problem alleged was that the terms of service binding the customer did not match the company’s actual business practices, and that the customer did not provide consent to the company’s actual autorenewal practices.

While these particular suits were filed against McAfee, the business practices alleged in these cases are perhaps the current standard of conduct for today’s software industry.  Furthermore, I would argue that more often than not terms of service are adopted by companies without any consideration whatsoever of the actual technology and business model for the software or SaaS product, so it is probably rare for the terms of service to match the company’s actual business practices.  Thus, it is my assertion that these cases provide an excellent primer of the risks of adopting terms of service that do not match the actual practices of the business.  It’s still not clear what the ultimate price tag on this matter will reach on the part of the company, but it’s clear it will be multiple millions of dollars in costs and expenses.

Moreover, these cases demonstrate the importance of consent to having an effective autorenewal clause.  State laws applicable to these cases did require the procurement of clear and conspicuous consent to autorenewal, which McAfee is alleged not to have had in these particular sets of facts.  Obviously, any deficiency with consent could have easily been addressed through the adoption of better business practices and terms that would demonstrate clear customer consent in compliance with applicable state laws.

The bottom line is that terms of service should not be adopted by a SaaS company without a thorough consideration of the technology, the business model, and the business practices of the company.  Even common business concepts like autorenewal accepted across the board within the industry may lead to costly lawsuits if insufficient consideration of business practices is contemplated in conjunction with the drafting of terms of service.

 


Category: Litigation, Software Agreement Drafting, Software Litigation  |  Comments Off on Recent Software Class Actions Provide Valuable Lesson on Why SaaS Contracts Should Be Drafted to Fit Company’s Business Model

Recent FTC Enforcement Actions Should Serve as Warning to Software Industry about Privacy Practices

Written by on Wednesday, March 8th, 2017 Print This Post Print This Post

If your software company is like most, you have probably spent little or no time contemplating what needs to be in your company’s privacy policy.  In fact,  what your company is currently calling its privacy policy was likely copied from a third party website years ago and never given much thought since.  Meanwhile, your company is likely collecting and aggregating user data and looking for new opportunities to monetize it.  Sound familiar?

Well, if this is your company’s situation, you may want to rethink how you are operating in light of recent enforcement action by the FTC on corporate data collection practices.

On February 6, 2017, the FTC announced that VIZIO, Inc. had agreed to pay $2.2 million to settle charges by the FTC and Office of the New Jersey Attorney General that it installed software on its TVs to collect data regarding consumer viewing without their knowledge or consent.  In its complaint against VIZIO, the FTC alleged that VIZIO had manufactured televisions that continuously tracked consumer viewing on the television and transmitted this information back to VIZIO, and also had remotely installed the same proprietary software on previously sold televisions.  In addition to collecting information about consumer viewing, the FTC alleged in its complaint that the software had collected information about the television, IP address, wired and wireless MAC addresses, WiFi signal strength, and nearby WiFi access points.  The FTC further alleged in its complaint that VIZIO had then entered into third party contracts to sell the data collected to third parties for the purpose of measuring the audience, analyzing advertising effectiveness, and targeting advertising to particular consumers.  While VIZIO’s contracts had provided only aggregate data to the third parties, those contracts did provide segmented demographic information by sex, age, income marital status, household size, education, home information, and household value.  According to the FTC Complaint, VIZIO did make a privacy policy available on its website, but the only onscreen notifications provided to consumers were vague and timed out after 30 seconds, never sufficiently informing consumers as to VIZIO’s data collection practices with the software installed on their televisions.   The FTC alleged that VIZIO’s actions in deceptively omitting material facts constituted deceptive acts or unfair practices prohibited by Section 5(a) of the FTC Act.

In the stipulated order, VIZIO was ordered to take all the following actions before collecting any further data from consumers:

  • Prominently disclose to consumers “separate and apart” from the privacy policy specifics on the data to be collected, what would be shared with third parties, the categories of third parties who would receive the data, and the purpose for which the third parties would receive the data.
  • Obtain affirmative express consent from consumers at the time of disclosure and upon any material changes.
  • Provide instructions at the time of obtaining consent to how consumers may revoke consent.

The stipulated order then gave specific guidelines on what would constitute “prominent” disclosure

The stipulated order also required the destruction of the previously collected data, the mandated creation of an internal privacy program meeting certain requirements, and third party oversight going forward regarding the privacy controls in place at the company.

Clearly, the FTC intended to send a message to the software industry about the collection of consumer data in the case of this particular enforcement action.

However, the FTC’s recent enforcement activities against software companies did not end with VIZIO.  In a separate statement, the FTC announced settlements with three other companies in the industry over allegations that they had made deceptive statements in their privacy policies about their participation in an international privacy program.  The companies charged in those cases were, Sentinel Labs, Inc., a software company providing endpoint protection software to enterprise customers; SpyChatter, Inc., a company marketing a private messaging app; and Vir2us, Inc., a distributor of cybersecurity software.  The FTC alleged in each complaint that the companies violated the FTC Act by making deceptive statements about their participation in privacy programs.  Attached are the complaints against Sentinel Labs, SpyChatter, and Vir2us.   In these cases, the proposed settlements merely prohibited the companies from making further misrepresentations about their participation in third party privacy or security programs, but are not final orders and still subject to possible amendment.

What conclusions should you as a software company take away from the FTC’s recent enforcement activities against software companies?  Clearly, the FTC is cognizant of the trends in the software industry to monetize data collected from software, to adopt privacy policies without actually customizing them to the practices of their particular company, and to bury privacy notices on websites without actually obtaining clear end user consent to actual business data collection practices.  So, if your company is like most in this space, you are on notice that your practices need to change.  Your privacy policy needs to be customized to the business practices of your particular company, which means that you actually need to take the time to consider each and every piece of information that you are collecting from the public and disclose what you are doing with it.  If your customers expect you to be a part of an international privacy program before they do business with you, you need to actually take the steps requirement to receive the appropriate certification from that organization before you advise consumers and the public that you are a member.  And if your software collects information, you need to make sure that not only your customers but also the parties from whom the information is collected have given their clear consent to your collection practices.  A privacy policy buried in your website is probably not sufficient to cover you legally.

If you do not change your privacy practices, you are on notice that you may soon be hearing from the FTC.


Category: FTC Regulation  |  Comments Off on Recent FTC Enforcement Actions Should Serve as Warning to Software Industry about Privacy Practices

SaaS Contracts: Is Your SaaS Contract Extending Your Sales Cycle?

Written by on Friday, March 3rd, 2017 Print This Post Print This Post

The average sales contract being signed by a SaaS company has nothing to do with the technology being sold and fails to include all of the key contract terms that need to be in a SaaS contract.  Thus, not only does the poor nature of the contract complicate the process of signing up new customers to use the product, but it also dramatically increases the risk that your company will end up in a dispute with the customer that does sign your contract.

What can be done by SaaS companies to ensure that their contracts are not creating more business problems than they solve?  The Silicon Valley Software Law Blog’s Author and Attorney Kristie Prinz will be presenting a
webinar addressing these and other important issues on March 24, 2017.  The webinar will address such questions asJEL28958-Prinz, Kristie

  • What makes an effective SaaS customer contract?
  • What terms should SaaS customers expect?
  • Common challenges with customer negotiations.
  • What drafting problems frequently result in stalled contract negotiations? Customer disputes?
  • How can better drafting close deals faster? Avoid subsequent customer disputes?

Tickets are still available to attend this webinar, and the program will be appropriate for lawyers and businesspeople alike.  To sign up, please click on the following link: https://www.eventbrite.com/e/best-practices-for-drafting-saas-contracts-that-reduce-the-customer-sales-cycle-avoid-disputes-tickets-29989175431.


Category: Upcoming Speaking Engagements  |  Comments Off on SaaS Contracts: Is Your SaaS Contract Extending Your Sales Cycle?

Complimentary Passes Available for “Negotiating Service Level Agreement Key Terms”

Written by on Tuesday, December 20th, 2016 Print This Post Print This Post

I have some remaining complimentary passes available for tomorrow’s panel presentation on “Negotiating Service Level Agreement Key Terms”  hosted by Strafford Publications.  If you would like to attend, please send me a request today at kprinz@prinzlawoffice.com and I’ll see if I can still reserve you a complimentary pass.


Category: Upcoming Speaking Engagements  |  Comments Off on Complimentary Passes Available for “Negotiating Service Level Agreement Key Terms”

US Navy Responds to Copyright Infringement Suit Filed by Bitmanagement Software

Written by on Tuesday, November 22nd, 2016 Print This Post Print This Post

Bitmanagement Software GmbH recently filed suit against the US Navy, alleging willful copyright infringement of its 3D virtual reality software “BS Contact Geo” and demanding $600 million in damages.  A copy of the complaint  has been posted by Business Insider at the attached  link.  Bitmanagement’s complaint alleges that the software license agreement entered into with the US Navy authorized the installation of the software on 38 machines “for the purposes of testing, trial runs, and integration into Navy systems” but that the US Navy decided it wanted to deploy the software on a wider scale and proceeded to install the software on more than 558,000 computers while it entered into negotiations with Bitmanagement to purchase additional licenses.

The initial reporting on this case in such publications as PC Magazine,  The Register, and ars Technica suggested that the US Navy had flagrantly infringed the intellectual property rights of this German software company on a massive scale and that the damages were likely to be significant.  However, the US Navy has now filed a response to Bitmanagement Software complaint, in which it denies that the license limited the US Navy to installation of the software on 38 personal computers and alleges instead that the Navy instead procured concurrent-use network licenses and was authorized to install the software on its network.

As a software licensing attorney who has had occasion to review many European software licenses, the nature of the US Navy’s response to facts that seem on their face to be quite clear-cut and entirely favoring the plaintiff software company leads me to question whether the license agreement at the heart of this dispute is as poorly drafted as many of the European license agreements I have reviewed in my practice over the years.  While I have no direct knowledge of Bitmanagement Software’s standard licensing terms or the terms entered into by Bitmanagement Software specifically with the US Navy, the mere fact that the Navy raised an argument in its response that it “procured concurrent-use networking licenses” suggests that the software agreement might not have had a clear license grant that clearly stated the scope of the grant and that the agreement might have just contained a fee schedule, which did not specifically define how the fees were calculated.  If this were in fact the case, the US Navy lawyers may just have interpreted the software license in such a way to favor the US Navy rather than engaging in willful copyright infringement as the plaintiff software company claims.

It has been my experience that many software companies around the world do not fully appreciate the significance of two key terms in every software license: the license grant itself and the payment clause.  It is not enough to state in a software license that you are granting a license for a particular purpose.  Rather, you have to actually define the parameters of the license grant.  For example, does the license authorize the installation of the software at a specific workstation at a specific location by a single employee? Or does the license authorize the installation of the software at a specific workstations at a specific location by an unlimited number of employees?  Alternatively, does the license authorize installation of the software on an unlimited number of workstations at several locations of the business by an unlimited number of employees? Or does the license authorize installation of the software on a server for concurrent use by a certain number of workstations of an unlimited number of employees?  As you can see the same grant to install software can be interpreted a number of different ways if all the different parameters are not carefully considered.

However, when you have a vaguely drafted software license that only “grants” a license or, alternatively, grants a very broad right to “use” the software, you have an additional interpretation problem in that it is unclear the scope of use that is in fact granted.  While the drafter might have intended “use” to mean merely the right to “install and run” the software, “use” might be interpreted to authorize not only “installation” and “running” but also “copying” and “distribution” provided the “copying” is limited to making archival backup copies or copies to other internal hardware and the distribution is similarly limited to with the licensee organization.

The other common problem I run into in reviewing software licenses is the vague drafting of license fees and payment terms and over-reliance on a fee schedule that simply lists prices based on number of licenses granted. Obviously, if you charge a set fee per license and neither the license grant nor the payment terms are specifically drafted, then the licensee is going to interpret the fees due and payable in the manner most favorable to the licensee. Frequently I see licenses, where the licensor likely intended to charge by the number of authorized users at a business but doesn’t specifically state how the fees are to be calculated, and obviously in these instances, the licensor is not likely to collect the volume of fees it intended to collect.

As previously stated, I have no knowledge of the software license at the heart of this dispute, so I am only speculating as to how this relationship might have deteriorated to the point of filing a $600 million lawsuit.  However, my own experience suggests that the contract which was the basis of this relationship may have been poorly drafted with respect the key terms of the license grant and license fee terms, and the choice of language in the response to the complaint makes me more suspicious that these problems I often see in my own practice could have been an issue in this relationship.  The bottom line is that key clauses in software licenses need to be drafted very precisely, regardless of which side of the contract you are on, and where terms are left vague, you may very end up in court having to pursue or defend copyright infringement claims which could have easily been avoided if only a better contract had been negotiated upfront.

 

 


Category: Software Litigation  |  Comments Off on US Navy Responds to Copyright Infringement Suit Filed by Bitmanagement Software

Takeaways for Software Industry from New Study on Costs of Data Breach

Written by on Thursday, November 10th, 2016 Print This Post Print This Post

If you are a cloud service provider or a software provider who offers maintenance services to enterprise-level companies, then your company has likely had occasion to negotiate indemnification clauses relating to data breaches.  Moreover, your company has probably had to provide warranties around data security or employee bad acts that would provide some protections to your customers in the event of a data breach.

But have you ever taken the time to really consider what the cost of a possible data breach might actually be for your company?

Network World recently published an article looking at the results of a 2016 data breach study conducted by the Ponemon Institute and IBM and determined that the total average cost for a breach is now $7 million, and that average cost per compromised record is now $221.  Network World further reported that the same study concluded that the average cost of a data breach of more than 50,000 records was $13 million.

Obviously, these costs are significant enough that unlimited liability indemnifications relating to data breaches have the potential to generate significant expenses, as do actions for breaches of warranties relating to data security.

So, what can software companies do to protect themselves against data breach liabilities?

First and foremost, companies need to take data security seriously and enact policies and procedures that prioritize data protection.

Second of all, companies need to carefully negotiate clauses related to cyberrisk and cyberliability with the expectation that a data breach will occur that is going to trigger the application of all such clauses down the road.  In particular, if you agree to take on unlimited liability of all costs related to a data breach, you need to be prepared to cover the expected costs that will arise from any such data breach.    Similarly, in negotiated services contracts, companies need to take the time to carefully define the full scope of services they provide with respect to data protection and data security in such a way that a data breach will not constitute a material breach so long as the services are fully performed in accordance with the defined scope of services.

Third of all, companies need to purchase cyberinsurance in order to ensure that they have sufficient coverage in the event of a data breach.  While cyberinsurance is a relatively new insurance product which has in the past often had many gaps in coverage, Tech Republic suggested in an article published today that the newer policies are starting to close some of the earlier policy gaps to coverage.  However, Tech Republic reported that companies should still watch for coverage limits in cyberinsurance policies for regulatory actions, cost of call monitoring, credit monitoring, forensic investigations, hacks that began prior to the coverage term, and attacks that have third party consequences.

The bottom line is that software companies need to have contractual and insurance protections in place to protect the businesses against the consequences of the inevitable data breach that affects their business.  With data breaches as well as costs on the rise, companies of all sizes need to be prepared to deal with the fallout of a cyberbreach when it occurs.


Category: Data Breach  |  Comments Off on Takeaways for Software Industry from New Study on Costs of Data Breach

Silicon Valley Software Law Blog’s Kristie Prinz to Speak at Webinar on “Negotiating Service Level Agreement Key Terms”

Written by on Thursday, November 10th, 2016 Print This Post Print This Post

JEL28958-Prinz, KristieThe Prinz Law Office is pleased to announce that Silicon Valley Software Law Blog’s Kristie Prinz will be speaking at an upcoming webinar on “Negotiating Service Level Agreement Key Terms” on December 21, 2016 from 10 a.m. to 11:30 PST. For more information about the webinar, please see the firm’s press release on the event published below:

Press Release on Stratford Publications Webinar


Category: Upcoming Speaking Engagements  |  Comments Off on Silicon Valley Software Law Blog’s Kristie Prinz to Speak at Webinar on “Negotiating Service Level Agreement Key Terms”

Silicon Valley Software Law Blog’s Kristie Prinz to Speak at Upcoming Webinar on “Negotiating Software as a Service Contracts”

Written by on Thursday, November 10th, 2016 Print This Post Print This Post

JEL28958-Prinz, KristieThe Prinz Law Office is pleased to announce that Silicon Valley Software Law Blog’s Kristie Prinz will be speaking at an upcoming webinar “Negotiating Software as a Service Contracts” on December 19, 2016 from 1 to 2:15 p.m. EST. For more information, please see the firm’s attached press release.

Press Release on Clear Law Institute Webinar


Category: Upcoming Speaking Engagements  |  Comments Off on Silicon Valley Software Law Blog’s Kristie Prinz to Speak at Upcoming Webinar on “Negotiating Software as a Service Contracts”

Digital Rights Management Software and the Printer Hardware Business

Written by on Thursday, September 29th, 2016 Print This Post Print This Post

HP reopened a new front in the controversy between the printer hardware business and digital rights management software when it reportedly downloaded digital rights management software to customer printers as a recent security update.  Fortune reported that HP’s actions were first recognized by a Dutch printer cartridge vendor after some 1000 customers contacted the company to inquire about the sudden problem.

The controversy received national attention when the Electronic Frontier Foundation (“EFF”) went public with its concerns and published a letter to HP.  A link to EFF’s letter is published here.  A story published by Tech Crunch on the controversy is linked here.

The publicity surrounding the controversy has reportedly already prompted HP to “reach out” to EFF and do some public back-peddling on the issue.  Wired is reporting that HP has said it will release an “optional firmware update” that will remove the software within the next two weeks.  The Wall Street Journal actually published an interview with HP, where the company apologized for “how it handled” the software update but at the same time indicated that “HP would continue such practices, which may prevent some third-party supplies from working.”

The whole episode calls to mind the Lexmark lawsuit filed against Static Control challenging the circumvention of Lexmark’s printer DRM software, which I once wrote about in a New York Law Journal publicationWired likewise referenced the Static Control case, which Lexmark ultimately lost, and reported that Lexmark simply changed its strategy and pursued and won its next case on patent rather than copyright law grounds.

According to Wired, this whole controversy has been driven purely by HP’s bottom-line: revenues in its printing business are incrementally dropping, as are sales in printing supplies.  HP is trying to preserve its revenue share in the industry for as long as possible.  However, as EFF clearly articulated, HP runs the risk of losing its existing customer base in the process.  HP’s efforts at damage control suggest that the company has recognized that there is a fine line that they are walking between preserving a revenue share and sending customers elsewhere.

Will this controversy open a new legal front over the use of digital rights management software with printing cartridges?  This episode suggests that printer companies would still like to put out of business competitors on the cartridge supply front, and ensure that their customers buy their “authentic” cartridges only.  With that in mind, why wouldn’t they pursue new legal routes to the same end?

In the current situation, however, HP has apparently relented to some degree and has said it will be making available an update, and Wired is reporting that the Danish manufacturer has already designed new chips to circumvent HP’s security update, so one way or another, customers should be able to go back to using third party printer cartridges in the near future.  Whether the next stop for HP will be to pursue the issue in litigation is yet to be determined.  The Silicon Valley Software Law Blog will keep you posted of any new developments as they unfold.


Category: Software Controversies  |  Comments Off on Digital Rights Management Software and the Printer Hardware Business

FTC Announces Approval of Final Order in Deceptive App Case Against Vulcan

Written by on Wednesday, May 11th, 2016 Print This Post Print This Post

The Federal Trade Commission has today announced the approval of its final order resolving its complaint against the San Francisco-based software company Vulcan on deceptive and misleading conduct allegations that Vulcan had purchased a browser extension game and replaced it with a program that caused the automatic installation of applications on the game users’ mobile devices without their permission.  According to the Federal Trade Commission (“FTC”), Vulcan’s unfair and deceptive acts and practices in replacing a legitimate game with the new program severely disrupted the ability of the 200,000 users of the game to subsequently use their mobile devices and put their sensitive information stored on the device at risk. The FTC’s complaint also contained a false claims allegation over the inaccurate promotional and advertising claims made by the replacement program.   The original FTC complaint filed against Vulcan can be viewed here.

In its Order, the FTC prohibits Vulcan from offering “a product or service or materially change a Covered Product or Service” unless the company has  disclosed “clearly and conspicuously” in advance of any downloading or installation the types of information the product or service will access and how the information will be used to perform related services, and the nature of any material change to a covered product or service.  Also, the FTC expressly prohibits Vulcan from making a number of specific deceptive advertising claims. The FTC Order has been made available for viewing here.

The Vulcan enforcement action by the FTC makes a clear statement to software companies that the government is monitoring the nature of the software being distributed to consumers as well as the advertising claims made in connection with such software for any conduct that may rise to the level of an unfair and deceptive trade practice.  Any software company contemplating the replacement of an app previously installed by users with their permission with another an unauthorized app are on notice that the FTC does not approve of the practice and will exercise its enforcement authority against you once your conduct is brought to its attention.

 


Category: FTC Regulation  |  Comments Off on FTC Announces Approval of Final Order in Deceptive App Case Against Vulcan

Copyright 2008-2017 The Prinz Law Office.

The Prinz Law Office | Silicon Valley, CA | Los Angeles, CA | Orange County, CA | San Diego, CA | Atlanta, GA | Tel: 1.800.884.2124

Mailing Address: 117 Bernal Rd., Suite 70-110, San Jose, CA 95119. Silicon Valley Office: 2033 Gateway Place, 5th Floor, San Jose, CA 95110 (408) 884-2854. Los Angeles Office: 3110 Main St., Building C, Santa Monica, CA 90405. (310) 907-9218. Orange County Office: 100 Spectrum Center Drive, 9th Floor, Irvine, CA 92618. (949)236-6777. San Diego Office: 4455 Murphy Canyon Road, Suite 100, San Diego, CA 92123. (619)354-2727. Atlanta Office: 1000 Parkwood Circle, Suite 900 Atlanta, Georgia 30339. (404)479-2470

Serving Silicon Valley, San Jose, San Francisco, Santa Cruz, Los Angeles, Irvine, Anaheim, Orange County, Santa Monica, Silicon Beach, Santa Barbara, San Diego, Sacramento, Atlanta. Licensed in California & Georgia.