Archive for September, 2010

SaaS Agreements – Freedom of Information Act – Disclosure

Were you aware that if you supply SaaS software to public authorities they can be legally obliged to release details of your SaaS agreement to competitors?

Public Tendering and Disclosure

Atos won a major tender to supply an IT system to a Government department to handle information requests and transactions between Government departments and the public. Atos was the only bidder for the tender.

In 2007 an individual made a request under the Freedom of Information Act (FOI) for disclosure of particular details of the IT agreement. The details requested included information on the liability of Atos, benchmarking and prices. The Data Commissioner ordered the Government department to disclose the details requested.

Right to Refuse Disclosure of Confidential Information

The Government department refused to disclose the information pursuant to its rights under section 43 of the FOI, namely that the information requested was a trade secret and that disclosure would damage the commercial interests of the parties. An appeal was made to the Information Tribunal, and last week the Tribunal agreed with the Data Commissioner’s office and ordered that disclosure of some of the details requested was in the public interest.

Are Prices Trade Secrets?

What may be reassuring to SaaS suppliers is that not all of the information requested had to be disclosed on appeal. The Tribunal agreed with Atos that its pricing model was a trade secret and disclosure of this “could undermine the owner’s business and give competitors a commercial advantage”. The Tribunal also agreed that the exact location of the Atos data centre must not be disclosed, for security reasons, but that the country of its location should be disclosed to show that there was compliance with the Data Protection Act.

Protecting Confidential Information

The above illustrates the real danger of a customer being legally obliged to disclose confidential information. In order to limit and control the information which can be requested and disclosed under a FOI request, it is essential that adequate clauses are included, not just in any NDA which is signed during the tendering process, but also in the confidentiality sections of the final SaaS agreement.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________


SaaS Agreements – Need for an NDA prior to signing a SaaS Agreement

Prior to a SaaS agreement being negotiated with a customer, SaaS suppliers are often required to provide prospects with internal, business-sensitive information about their prices, policies and software functionality (confidential information) as part of the public procurement, tendering or sales process.

Need for an NDA

If prospects do not sign a non-disclosure agreement (NDA) or confidentiality agreement prior to a SaaS supplier disclosing its business secrets and confidential information, the prospect will have no duty to keep this information confidential. Confidentiality terms in the later SaaS agreement will only protect information disclosed after this is signed. If the prospect does not become a customer, they will be free to use your confidential information as they please.

An NDA should therefore be signed before providing a prospect with any sensitive information and this should include some basic legal clauses to protect your business if you win the sale and more importantly, if you don’t.

Mutual Protection

Often a prospect will require a SaaS supplier to sign their standard NDA prior to discussing a possible SaaS agreement. More often than not, the prospect’s NDA will only protect their confidential information and not provide the supplier with any protection. It is therefore essential that the NDA includes mutual rights to protect your confidential information.

If the prospect is a public authority this is essential, as under the Freedom of Information Act, your competitors can exercise their right to try to obtain access to your documents via a FOI request if their bid was unsuccessful. If you have an NDA in place with the public authority you may be able to block such requests.

What Information is Confidential?

All information provided by you to a prospect during the sales process should be treated as confidential information. This should also include any documents referred to in the documents you provide as part of your proposal. You will probably have given the prospect copies of price lists, functional descriptions of your software and other internal documents which you do not want third parties to see.

If the proposal does not lead to a sale and the prospect is speaking to your competitors, it is imperative that you have made your definition of confidential information as wide as possible. Additionally, the prospect should agree to keep all information confidential and to return or confirm the destruction of all confidential information if no sale is agreed.

Who may Access the Confidential Information

If you are dealing with a multi-national prospect, you need to carefully state which companies or individuals within the prospect’s group of companies are entitled to see your confidential information. The prospect should undertake to apply the terms of the NDA to all such parties. Conversely, if companies or individuals within your group of companies need to see the prospect’s confidential information, ensure that you have these rights in the NDA.

Please note that these are just some of the basic clauses that need to be included in an NDA. There are many other clauses which have not been referred to here and legal advice should be sought when negotiating the terms of an NDA.


______________________________________________________


SaaS Agreements – Data Protection – Liability for Loss of Backup Tapes

A SaaS supplier can be liable for the loss of backup tapes, not just under the terms of its SaaS agreement but also under the Data Protection Act 1998, the Financial Services Authority regulations or other UK rules or regulations, regardless of whether the SaaS supplier, its data centre or a third party loses the backups of customer data.

Financial Services Authority – FSA

Zurich Insurance was recently fined £2,275,000 by the FSA after a backup tape containing unencrypted personal details on 46,000 policy holders went missing in transit, because Zurich had inadequate systems and controls in place. In breach of Principle 3 of the FSA rules Zurich failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

Despite the fact that Zurich agreed to settle the claim at an early stage and thereby received a 30% discounted fine, this is still the highest fine imposed by the FSA on a single company to date.

Data Protection Act 1998

Since April 2010 the Data Commissioner has had the power to impose a fine of up to £500,000 on a data controller who seriously breaches the data protection principles, if the contravention was of a kind likely to cause substantial damage or substantial distress. The contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

In a SaaS agreement the customer is the data controller and primarily liable for breaches of the Data Protection Act. However, under the terms of the SaaS agreement the supplier will invariably be liable for compensating a customer for any breaches of the Data Protection Act by the supplier (and by its agents and sub-contractors, i.e. the data centre, outsourced backup service provider or storage facility), for example if a backup tape is lost in transit to the storage facility, or if there is a fire, theft or power loss at the data centre which results in a backup tape being unavailable.

SaaS Contractual Liability

In the SLA of a SaaS agreement, you will undertake to make backups of customer data, usually using sub-contractors, third parties or subsidiaries of the group. Customers will usually require the supplier to be liable for any breaches of the SaaS agreement caused by a sub-contractor, third party or subsidiary of the group who provides any part of the SaaS services, as if the supplier had committed the breach itself. Accordingly, if a backup tape is lost you will be liable to your customer for the loss of the backup tape.

Limiting your Liability

In view of the above, it is imperative that you take precautions to limit your liability in the event of a backup tape being lost. Such protection should be included in the terms of your SaaS agreement and where possible in your agreements with sub-contractors and third parties who supply any part of the services.

In addition you could:

  • obtain insurance cover for loss of backup tapes,
  • carry out due diligence on the security procedures used by your sub-contractors and third parties,
  • audit compliance with the security procedures of sub-contractors and third parties regularly,
  • ensure that all backup tapes are encrypted.
