Drafting Sublicense Provisions in Intellectual Property Licenses

In its Contract Corner feature, Morgan Lewis highlights considerations for drafting sublicense provisions in the context of an intellectual property license.

“A sublicense in the context of an IP license is any agreement where the licensee grants a third party rights to any of the licensed IP,” the article explains. “This provision is often overly broad, but can be tailored to include standard exceptions (e.g., ordinary course agreements with End Users, distributors, etc.) in order to avoid an overly broad definition and to make sure that the royalty calculations are clear.”

Authors Emily R. Lowe and Morgan Oksana Dudkewitz discuss sublicensing approval, compensation, termination, flow down, document control, and licensor-imposed sublicensing.

Read the article.

 

 




Lessons Learned: Vendor Sued in Class Action Suit for Security Misses

By King & Fisher

You’re thinking that something about the title of this post sounds familiar, right? Information technology (IT) vendors and third-party service providers have been in the spotlight for security breaches for some time (see, for example, vendor-based security lapses affecting Target, CVS, and Concentra, as just a few), and it doesn’t sound surprising that an IT vendor has been sued related to a security incident. After all, whether you’re an IT vendor or an IT customer, if you draft or negotiate contracts for a living, these situations are what you try to contract for, right?

Right…but…the recent federal class action suit filed in Pennsylvania against Aetna and its vendor surfaces several new privacy and security considerations for vendors and their customers. The vendor in question was not an IT vendor or service provider. Instead, the plaintiff’s allegations relate to Aetna’s use of a mailing vendor to send notification letters to Aetna insureds about ordering HIV medications by mail. According to the complaint, the vendor used envelopes with large transparent glassine windows – windows that did not hide the first several lines of the enclosed notification letters. The plaintiff asserts that anyone looking at any of the sealed envelopes could see the addressee’s name and mailing address – and that the addressee was being notified of options for filling HIV medications. As a result, the vendor and Aetna are alleged to have violated numerous laws and legal duties related to security and privacy.

For all vendors and service providers, but especially those that don’t focus primarily on privacy and security issues, the Aetna complaint is enlightening. To these vendors and service providers, and to their customers: Do your customer-vendor contracts and contract negotiations contemplate what Aetna and its mailing vendor may not have?

  • Do your contracts for non-IT and non-healthcare services fully consider the risk of privacy and security litigation? A noteworthy facet of the Aetna case is that the mailing vendor was sued for privacy and security violations that were not exclusively due to the customer’s acts or omissions. That is, while the contents of the mailer certainly were key, the vendor’s own conduct as a mailing services provider (not an IT or healthcare provider) was instrumental in the suit being filed against the vendor (and Aetna). Vendor services that previously didn’t, or ordinarily don’t, warrant privacy or security scrutiny, may, after all, need to be looked at in a new light.
  • Do your contract’s indemnification and limitation of liability clauses contemplate the possibility of class action litigation? Class action litigation creates a path for plaintiffs to bring litigation for claims that otherwise could not and would not be brought. Class action litigation against data custodians and owners for security breaches is the norm, and the possibility and expense of class action litigation is frequently on the minds of their attorneys and contract managers who negotiate contracts with privacy and security implications. But, for vendors and service providers providing arguably non-IT services to these customers – the idea of being subject to class action litigation is often not top-of-mind.
  • Before entering into a contract, have you considered whether the specific vendor services being provided to the particular customer in question implicate laws you hadn’t considered? Vendors that operate in the information technology space – and their customers – generally are well aware of the myriad privacy and security laws and issues that may impact the vendors’ business, including, as a very limited illustration, the EU General Data Protection Regulation, HIPAA, and New York Cybersecurity Requirements. Vendors that aren’t “IT” vendors (and their customers), on the other hand, may not be. For example, the Aetna mailing vendor may not have contemplated that, as alleged by the Aetna plaintiff, the vendor’s provision of its services to Aetna would be subject to the state’s Confidentiality of HIV-Related Information Act and Unfair Trade Practices and Consumer Protection Law.
  • Have you considered which specific aspects of vendor services may directly impact potential legal liability, and have you adequately identified and addressed them in the contract? No, this is not a novel concept, but it nonetheless bears mention. A key fact to be discovered in the Aetna litigation is whether it was Aetna, or the vendor, that made the decision to use the large-window envelopes that, in effect, allegedly disclosed the sensitive and personally identifiable information. Given the current break-neck pace at which many Legal and Contract professionals must draft and negotiate contracts, however, unequivocally stating in a contract the details and descriptions of every single aspect of the services to be provided is often impractical (if not impossible). But, some contract details are still important.

Whether or not this class action suit is an outlier or is dismissed at some point, consider data security and other privacy and security issues in contracts and how vendor or service provider conduct may give rise to a security breach or security incident.

 


 




Drafting Data Privacy and Security Compliant SaaS in a Post-Safe-Harbor World

Practical Law will present a free 75-minute webinar in which Matthew A. Karlyn, partner with Foley & Lardner LLP and co-author of “A Guide to IT Contracting: Checklists, Tools and Techniques,” will discuss practice tips on data privacy and security provisions of SaaS and other cloud service agreements, including a discussion of recent trends and issues.

The webinar will be Wednesday, June 15, at 1 p.m. EDT.

Data privacy and security are key issues for businesses that seek to upload their information onto the cloud, the company says on its website. Customers need assurance that the software as a service (SaaS) or other cloud service provider will maintain effective policies and practices to safeguard the confidentiality and security of their information.

In seeking this assurance, it is not enough for the customer to conduct due diligence of the provider’s practices because those practices, like the laws and regulations that govern them, can be a fast-moving target. Only by the skillful drafting of the customer’s cloud service agreement can counsel aim to ensure that the customer’s confidential, trade secret, and personal information stay well protected and that both the service provider and customer remain compliant with data privacy and security laws.

A key case is the pending replacement of the EU-US safe harbor framework with stringent requirements of a new, EU-US Privacy Shield for the handling of personal data. It is crucial to businesses that their cloud service agreements include terms broad enough to anticipate such legal developments, technological advances, and changes in standards and practices.

In this program, attendees will:

  • Learn how to avoid common errors in data security, privacy, and disaster recovery provisions and provide for proper data protection both during and after the term of the cloud agreement.
  • Explore effective remedies for breaches of data privacy and security.
  • Consider the requirements of the EU-US Privacy Shield and its anticipated impact on cloud service customers and providers and the terms of their cloud service agreements.

A short Q&A session will follow.

Presenters:

  • Matt Karlyn, Co-Chair Technology Industry Team, Foley & Lardner
  • Paul Connuck, Senior Legal Editor, Intellectual Property & Technology

CLE credit is available for: Arizona, California, Colorado, Georgia, Hawaii, Illinois, Indiana, Mississippi, Missouri, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Pennsylvania, Vermont, Washington. CLE credit is being sought for: Louisiana, Minnesota, Oregon, Tennessee, Texas, Virginia. CLE can be self-applied for in: Florida.

Register for the webinar.