You probably run into a lot of software contracts. Big companies may have thousands of software agreements for technologies that weave together in a complicated mess. When there’s a data breach somewhere in that web, how do you untangle liability? On this episode of Contract Teardown, we’ll use an example recently in the news—the SolarWinds data breach—to sample the many issues.
Questions in this episode
- What’s an “appropriate” level of physical and administrative security measures for a software company to take on?
- When do documents that are incorporated by reference create new liabilities?
- How realistic are limitations of liability that exclude indirect damages in software supply chain agreements?
- What liability provisions can you add early to avoid long-winded negotiations?
SolarWinds
In early 2020, Texas-based SolarWinds suffered a major data breach. The company reported to the SEC that hackers had penetrated their “Orion” program, used by more that 18,000 SolarWinds customers. Because of the size of the breach and the sensitivity of the data exposed, federal investigators quickly swept in to uncover the origin and impact of the hack.
SolarWinds uses what TermScout CEO Otto Hanson called a “pretty standard” software services agreement. According to Hanson, large corporate legal departments might reflexively click through thousands—or even tens of thousands—of very similar software agreements.
Hanson used the example of SolarWinds to uncover risks that companies assume every time they quickly accept these standard agreements.
Protecting data as the buyer
The SolarWinds software services agreement includes standard language around user liability for data protection.
Although phrased as SolarWinds’ rights, this section creates liability for the software user. In short, you agree to store information in your use of the software that’s not otherwise going to get SolarWinds in trouble.
If you violate this section, SolarWinds has asserted its right to protect their company. You are expected to maintain copies of data that SolarWinds might delete. And you are expected to take standard precautions to make sure your use of the software doesn’t harm anyone else.
SolarWind’s data protection responsibilities
This document really gets interesting in 7.2. Here, SolarWinds lists out its duty to protect buyer data by making these protection obligations mutual.
There’s a lot to unpack here. The reference to “appropriate” data security measures leaves a lot of room for interpretation. This is especially risky in these so-called supply chain agreements, where a data breach anywhere on the chain can harm third parties up and down the supply chain.
Interestingly, in this case, a standard security precaution is what caught the massive data breach—8 months after the breach actually happened! One company used a pretty standard (or “appropriate”) precaution of two-factor authentication. When the user received an email saying someone in Russia was trying to access their data, the buyer quickly reported the breach.
That set off a series of investigations that uncovered a massive breach that impacted customers and third parties whose software had been integrated with SolarWinds.
Limitations of liability
The interconnectedness of the various softwares and service companies is what makes the limitation of liabilities section so interesting. Take a look at section 11 for limits on SolarWinds’ liability for data breaches.
As Otto Hanson explained, this language is also fairly standard. The 12 months’ software cost limit is common, as is the limit to direct damages.
But these complex software supply chains mean the vast majority of damages will fall outside those limits. Who takes on the liability? If both sides really understood the scope of that risk, how could they possibly deal?
Otto gave some tips on how to deal with that friction:
- Go ahead and offer a higher cap on liability, even if not much more;
- Recognize that the buyer’s interests are the exact opposite of the seller’s and draft accordingly; and
- Make clear reference to third parties whose interests might be impacted as well.
Using technology to filter through contracts
According to Hanson, carefully reviewing every software services agreement just isn’t realistic. But how do you reconcile that with the risk created by contracts like the standard SolarWinds agreement?
He advised that you use technology tools where you can, and humans where you must.
Tools like TermScout aggregate data across similar contracts to identify common language and uncover sample language that deviates from what’s normal.
And Law Insider allows contract drafters to compare similar language across Common Contracts. This gives them the perspective to select mindfully between options that might shift or share liability in data breach cases.
Whatever you do, don’t simply click through all those “standard click-through agreements.” As Hanson pointed out in this episode, that can create a web of complicated liabilities and no clear protector of data security.
Contract Teardown Show
Show Notes
THE CONTRACT: The SolarWinds Software Services Agreement
THE GUEST: Otto Hanson is the founder and CEO of TermScout, an early-stage legal tech company that focuses on bringing transparency to contracts. His work at TermScout has included profiles of hundreds of click-through agreements that include data protection clauses. Check out www.termscout.com or email Otto at otto@termscout.com.
THE HOST: Mike Whelan is the author of Lawyer Forward: Finding Your Place in the Future of Law and host of the Lawyer Forward community. Learn more about his work for attorneys at www.lawyerforward.com.
If you are interested in being a guest on Contract Teardown, please email us at community@lawinsider.com.
Transcript
Otto Hanson [00:00:00] It may be indicative of a reality that companies aren’t doing enough to prevent this. I’m not a data security expert. I don’t know. But I think it also may just be indicative of the fact that the sophistication of these hacks continues to rise. And, you know, the hackers are getting more and more advanced and even the best, biggest companies are having a hard time protecting themselves and their customers.
Intro Speaker [00:00:26] Welcome to the contract Teardown Show from Law Insider, where legal experts tear down contracts from some of the most well-known companies and high profile executives around the world.
Mike Whelan [00:00:38] In this episode, TermScout founder and CEO Otto Hanson tears down the Solarwind’s Software Services Agreement. This document has been in the news after a historic week. But as Otto points out, these software services agreements are often part of a complex web of contracts. Otto shares how to manage and examine complex software supply chain agreements quickly and how to avoid the risk that comes with them. So let’s tear it down. Hey, everybody. Welcome back to the Contract Teardown show. I’m Mike Whelan. On this show we do exactly what it sounds like. We take documents, we beat them up, we insult them, occasionally say something nice. I hang out with smart friends like my buddy Otto over here to talk about the contract language. Otto, how are you doing today?
Otto Hanson [00:01:24] Hey, Mike, I’m doing great. Thanks for having me.
Mike Whelan [00:01:27] I appreciate you being here. We’re talking about this particular document that I want to share with you guys. It was in the news a little while ago. This is the software services agreement from Solarwinds. And we’re going to talk about why this document was in the news and what’s relevant about it. But Otto, tell me about this kind of document. When are lawyers likely to encounter this kind of document? Why is this one representative of, you know, a choice that people are going to have to make in terms of software purchases? Why this document?
Otto Hanson [00:01:59] Yes, so this is a standard clickthrough agreement that Solarwinds, as I understand it, asks most or all of their customers to sign when they start using Solarwinds software services. It’s emblematic or representative of sort of where we are in commerce today, where it’s one of thousands, maybe tens of thousands of software tools that the companies may embed in their supply chain and their infrastructure in their business. And it’s just one of many clickthrough agreements that will determine the outcome of, you know, typically what happens if something goes wrong in this relationship.
Mike Whelan [00:02:36] Yeah, and we’ll talk about this particular experience, but before we do that, tell me about you. What’s your background? When are you running into documents like this? Where where’s that insight coming from?
Otto Hanson [00:02:48] So I’m a corporate attorney by training Mike, but I’m the founder and CEO of a company called TermScout, which is basically in the business of reviewing clickthrough agreements from B2B software companies and comparing them among their peers.
Mike Whelan [00:03:02] Very cool, so let’s talk about this document, because I do think in some ways, like you said, it’s representative of other documents, but in some ways it stands out. And before we get to that, let’s talk a little bit about the background. You had mentioned that this software is one of many. There was a breach recently. We’re not necessarily saying whose fault it is, but there was a breach recently that hit the news because it was huge. It was widespread. It went on for eight months before people realized it was a thing. It affected, I think I saw 18,000 customers. This was a big breach. Many of those customers were government agencies, including really sensitive government agencies. And this breach apparently perpetuated by Russian espionage, it was a big deal. And what I read that was unique about this, to get to your point, is that this was a supply chain breach because Solarwinds is one of like a bunch of softwares that a company will buy to accomplish an end result. And I think so far on this show, we’ve talked about documents with software companies that it’s almost like I’m purchasing the software. Here’s our contract. We talk about third parties in passing. But this is you’re buying a thing that, you know is integrated into a larger ecosystem. How much attention are you paying to that? Before we get into the particular language, do you have anything to add to that sort of history and that background? Anything you want to add to that?
Otto Hanson [00:04:31] No, you summed it up nicely. And, you know, it’s worth pointing out that Solarwinds, we looked at Solarwinds contract, we don’t know if solar winds was responsible or how culpable they are. And that’s obviously you and I won’t opine on that. It’s not our place to be, as far as we’re concerned, innocent until proven guilty. But it’s a name that keeps coming up in the context of this large data breach, historic data breach. And what I know is that technology leader, friends of mine, CTO’s and legal leaders around the country are as soon as this news broke, were pulling out their Solarwinds contract and finding out, do we have a contract with solar winds? And if so, what does it say and what are our rights if Solarwinds, indeed, you know, is found to be liable in some way or responsible in some way for this breach? So that’s that’s kind of the context that I think we’re looking at. This is a purely hypothetical situation and sort of put ourselves in the shoes of if I’m one of those technology leaders or attorneys in a company that’s using solar winds and I’m pulling out this contract, what am I finding? And that’s what we’re going to answer today.
Mike Whelan [00:05:37] Hey, everybody, I’m Mike Whalen, I hope you’re enjoying this episode of the contract Tear Down Show real quick. I want to ask you to do me you really a quick favor. Look down below. You’ll see a discount code to join the law insider premium subscription. When you do that, you get access to more content like this. You’ll see webinars, daily tips on contract drafting, not to mention access to the world’s largest database of sample contracts and clauses. It will help you write better contracts faster if you want to do it. Right now, there’s a code below. So get there. Also, if you’re part of a larger team, if you’re in-house or in a law firm, just email us where it’s sales at law. Insider Dotcom will make sure you get a deal as well. Come join us in the community. The code is below. Let’s get back to the show.
[00:06:22] Yeah, so let’s do that. We’re going to jump, focusing on data and liability stuff, we’re going to jump down to seven in this document. In seven one, it talks about your data. It says Solarwinds and affiliates can remove your data or any data if they find that it’s, at its sole discretion, if they find or believe it to be a virus, illegal, libelous, abusive, used for spamming, if it’s infringing the intellectual rights of somebody else. And they can let’s see if they’re protecting backups of your data directly. They put some expectations on you. What do you think of this section? Do you think this is the right way to, you know, sort of draw the line of responsibilities where data is concerned?
Otto Hanson [00:07:06] Look, I mean, I think there are some things we could nit pick one way or the other on seven point one, but I think what’s interesting really is seven point two, which, you know, seven point one is all about what the customer’s obligations are. And my hunch is, you know, it probably isn’t one of the major provisions coming into play in the analysis under this hypothetical scenario. But if you get to seven point two, that’s where we’re learning what did Solarwinds commit to doing to protect the customers data and the customer’s infrastructure and systems. And that’s where you start to see in sentence two each party shall maintain appropriate administrative, physical, technical and organizational measures that ensure an appropriate level of security of confidential information and personal data. This is sort of kind of the table stakes data security promise that a lot of companies make. It’s good if I’m a customer, I want to see this. It’s also somewhat vague what is an appropriate administrative measure. What is an appropriate physical measure and appropriate technical measures. So it’s not a slam dunk if I’m a customer, but it is something and it’s more than a lot of customers or a lot of vendors actually commit to. So when I looked at this, I was actually pleasantly surprised and I thought, gosh, if I’m a customer. All right, chalk up a point in the win column. We’ve got a commitment that they were going to take appropriate measures. I don’t know if they did or did not, but at least I’ve got a pretty decent commitment here to start with.
Mike Whelan [00:08:35] Well, what’s fascinating is the company that discovered this breach, FireEye, the reason that they found it eight months into the breach was that one of their people, one of their customers, had two factor authentication. And so they went in and they got this ping in their email that says, hey, man, somebody is trying to do this, this get into your account. And they didn’t say yes to it. So they’re doing some of these standard, you know, best practices, prevention stuff. And that’s actually how they discovered it. But the fact that it took eight months for somebody to have what we now would consider a pretty basic level security tells me that a lot of people probably were not paying attention to this section. Just fascinating that it took that long.
Otto Hanson [00:09:21] It is, and it’s you know, it may be indicative of a reality that companies aren’t doing enough to prevent this. I’m not a data security expert. I don’t know. But I think it also may just be indicative of the fact that the the sophistication of these hacks continues to rise and the hackers are getting more and more advanced. And even the best, biggest companies are having a hard time protecting themselves and their customers from the level of risk and the types of attacks that are that we’re seeing today. So it’s a really challenging environment. And it’s a tough spot for both vendors, software vendors and their customers to try to figure out. So to wrap up seven point two, there’s one more commitment in seven point two, which is the third sentence, which says Solarwinds worldwide and its affiliates will process personal data in accordance with the data processing addendum. I consider that to be an incorporation by reference, which means that Solarwinds is basically they’ve got this data protection addendum, a DPA, that outlays a number of additional technical organizational measures that they take to protect personal data. All of it wraps up, in my opinion, when I looked at this contract, I kind of came out and said, you know what? Solarwinds has done a pretty good job of making you know, they made pretty decent commitments to protect the data of their customers. I felt pretty good when I got here. But what we’ll learn, I think if we jump into Section 11, is it now good time to go there?
Mike Whelan [00:10:57] Yeah, let’s do that. Eleven talks about the limitation of liability. Go on. We’ll talk about that section.
Otto Hanson [00:11:03] So this is really where I think the rubber hits the road. A contract is, I think, two foundational or fundamental parts of the contract. What obligations or commitments does each party commit to? And if those go wrong, what are the remedies available to the other party who who didn’t get the benefit of what they bargained for in the contract? So here on the one hand, we just saw that solar winds make some pretty decent security commitments. And now when we get to Section 11, what we see is that basically they’ve gone and said there’s really two elements to Section 11. The first sentence, which in a true lawyer fashion here is a whopping I can’t even count nine, ten lines long is the waiver of indirect damages. And what this one says is to the extent permitted by applicable law. And that, by the way, may vary in different jurisdictions. But basically what it says is Solarwinds will not be liable for indirect, consequential, punitive, those types of damages. Basically, it says unless the damages are direct, you cannot recover from us. This one is relevant in a data breach scenario because much of the damages, presumably, that the customers suffers would likely be categorized, I think, as indirect or consequential damages. I’m not a litigator, but my understanding is a lot of those damages are harms to third parties, as you pointed out earlier, and all the different sort of types of consequential damages that trickle down as something like this and the consequences unfold. So what constitutes direct damages could in reality be a relatively small portion of the overall damages. So right here in this first part of Section 11, you basically are hearing from Solarwinds, hey, yeah, we’ve made these nice commitments, but to the extent that they we fail to honor them and you’re damaged, we’re immediately limiting to direct damages. Pretty common thing to do, by the way, actually very common. In fact, out of three hundred and twenty seven contracts, similar B2B software contracts that we’ve reviewed in terms about every single one waives some form of indirect damages. And then the second part that you have in this section is the cap, what we call the cap on liability, which is solar winds is capped its liability to 12 months fees. This is also very common. This is the most I mean, this is market, I think out of three hundred and twenty seven contracts, it’s something like one hundred and eighty 60 percent limit their liability to 12 months fees. But what’s interesting about this limitation of liability provision is there are no exceptions to either the waiver of indirect damages or the cap on damages. So basically you’re I think when you come to Section 11, you’re starting to get the picture as a customer that OK, even though we have these pretty good commitments in the data security section, it’s not clear whether I’ll be able to recover much more than my 12 months fees and even the 12 months fees. I have to show that they’re direct in order to get those back. So it’s you know, if I’m a customer and I’m pulling this out and I’ve been affected by this breach, you know, I’m pulling out and looking at it, now I’m starting to chalk some points out in the oh, boy, this is this is bad news column.
Mike Whelan [00:14:42] Yeah, and I you know, as we talk about these contracts, especially because this is a newsy moment, there’s a story behind it. People are paying attention to it. I’m thinking about principles, about sort of the big picture. And I’m thinking of this in two ways. One is the drafter and one is somebody who’s in-house, who’s doing some advice. As a drafter, is there a principle from the fact that this, you know, to say to the drafter, look, this is one of many contracts that a user, you know, the end user is going to be looking at in terms of being able to actually execute on this software, to actually be able to use this thing, is there a principle from this conversation about liability and the relationships between all these different vendors that we can pull from as draft or some way that we can draft in a way that’s that recognizes that context?
Otto Hanson [00:15:33] Yeah, I think there is and first, there’s sort of I think just a recognition that has to happen, which most drafters have already gotten to, which is this is a really big friction point between the vendor and the customer, because as a vendor, if I’m drafting this for a vendor, I don’t want to take any more liability for this. I mean, this is if, in Solarewinds defense, if they took unlimited liability for data breach claims and they had hundreds or thousands of customers coming after them with uncapped liability, they would be looking at a bankruptcy proceeding, almost certainly, you know, and that might not be good for anybody either. It could be really hard for vendors to raise money if they accept uncapped liability for in particularly this type of liability that’s very hard to fully protect or insure against. So that’s the vendor’s position is I can’t you know, it’s just not possible for me to take on limited liability. But the customer’s perspective is is at perfect odds with that, because what they’re saying is, look, if I’m using your software, embedding it in my supply chain, why should I bear the risk of if you let the hacker in or if something happens there? So you have this really intense friction to just recognize and accept as a drafter. The principle in my mind is it depends on the company you’re drafting for. But if you expect your customers to have leverage or to come back and negotiate, it might make sense to craft or draft your contract up front to, you know, recognize and understand that this is likely to be an issue that they’re going to be asking for and see if you can go out of your way to make the limited liability provision a little more generous. You’re probably not going to accept all liability for data breach type issues. But what we are seeing is a number of companies, right now there are seven of the three hundred and twenty seven that we’ve reviewed at TermScout, who in their standard clickthrough agreement are offering a secondary cap that covers data breach claims. Among those companies is Snowflake, for example, the big cloud company. And what they’re says is, hey, if there’s a data breach claim, we’ll actually accept two times liability for those types of claims. So it’s 2x the normal cap. So they haven’t gone all the way to unlimited liability, but they have accepted more. And my hunch on why they did that is they were probably seeing a lot of customers coming back saying we want unlimited liability and then saying, no, it’s up to 12 months. And they were landing at this secondary cap, which is the middle ground. And they just said they made the business decision to say, let’s offer it to everybody. It’s the customer friendly thing to do and it should help us avoid negotiating the same provision over and over and over again.
Mike Whelan [00:18:16] Right. I think we all know that direct liability is sort of laughable in terms of these kinds of these kinds of breaches, these kinds of harms. And so I like that is sort of the middle ground. But, you know, I feel like this fight is going to go on as long as we have computers. I’m also thinking in terms of principles on the other side, and maybe this is getting to tell us a bit about TermScout, because I’m thinking of the lawyer who’s in-house. And again, this is a supply chain breech, meaning there are a ton of softwares that are strung together. And one of them can be the point of vulnerability at which, you know, a ton blows up. And so we’re in the end sort of looking at, let’s say, 15 different contracts were signing off on all of them. We’re supposed to review and understand every one of you know, it becomes this very complicated web, how these different softwares work together. Talk to me about a principle there and maybe how TermScout, can help people sort of speed up that process of evaluation and and raise red flags, where they’re there.
Otto Hanson [00:19:18] Yeah, well, you’re right, it is a huge problem if you are signing large volumes of these contracts as larger companies are, you know, it’s just untenable to think that you can review all of them thoroughly, understand all the risks. Many of them aren’t negotiating these terms often, no matter how big you are, but certainly only if you are quite large of a customer. So you have this this predicament of an onslaught of vendor contracts that you have to sign, which do embody a fair amount of risk, especially to the extent that those software applications are touching my data in some way. TermScout is one solution we built our company to solve for this problem. Basically, what we’re doing is reviewing those standard clickthrough agreements of big companies and we’ve reviewed three hundred twenty seven of them to date. They’re published on our website. You can go to TermScout.com and see free ratings on all of them. And we use human attorneys to do this work. A combination of natural language processing, artificial intelligence and human learning attorneys. But being attorney element actually is making sure that there’s pretty high quality on this review, because we know that if you’re going to substitute a third party tool to do this red flag screening for you, it’s hard to trust pure eye solutions. When I was working as an attorney, I couldn’t trust pure eye solution. I tried them and there were a lot of false negatives and false positives, and that actually made my work harder to sift through all that. So know, that’s one solution. There are a number of software solutions that do try to help screen for these risks, too. But the short answer, the principle, I think, is as a company, you’ve got to get sophisticated, you’ve got to get digital, you’ve got to find tools that can help your limited resources do more with less.
Mike Whelan [00:21:07] Yeah, yeah, I think if this episode can do anything for you guys, it would be to raise the red flag of the complexity of these contracts. I mean, you know, this, but tools like law insider in the drafting side and more like what TermScout does on the evaluation side. I mean, these tools are so important for being able to improve this ecosystem of contract drafting and evaluation, which in this world of complexity is so important as this TermScout example shows us. So I appreciate you hanging out with us and tearing this down with us. Otto, if people want to get in touch with you to learn more about what TermScout does and and how you’re looking through documents like this, what’s the best way they could reach out to you?
Otto Hanson [00:21:47] Yeah, visit us at www.TermScout.com or email me at Otto@TermScout.com.
Mike Whelan [00:21:56] Perfect. And you guys, we will have his information, Otto’s information, as well as a link to this document and relevant pieces of information over at TermScout at LawInsider.com/Resources. Just look for the show notes on that. Also, if you want to be a guest on the Contract Teardown show and beat one of these documents up, just email us. We’re at community@lawinsider.com. Otto thank you again. We’ll see you guys at the next episode.
Otto Hanson [00:22:22] Thanks, Mike.
Tags: Contract Teardown