At the beginning of April, I wrote a blogpost on the City of Los Angeles’ selection of Google Apps to provide the City with Cloud services. As summarized, news outlets reported that Google was willing to compete on various contract provisions in order to win the City’s business. They also identified various contractual concessions Google was willing to make. The City has released the Google contract (and another related contract with Computer Sciences Corporation, the company implementing Google’s SaaS for LA) and we have had an opportunity to review its provisions.
This multi-part blog series looks at the terms of the Google contract and the corresponding CSC contract, including how the contracts work and the concessions Google and CSC made. Part one of this series focuses on the information security, privacy and confidentiality obligations Google and CSC agreed to. Subsequent parts will review contract provisions related to due diligence, auditing and enforcement, incident response, compliance with privacy and security legal obligations, termination rights, and risk of loss terms (e.g. limits of liability, consequential damages disclaimers, indemnification). Hopefully this post will prove useful for those entering into the Cloud and negotiating contract terms.
Before diving into the details of the contracts we must address the basics of the Google/Los Angeles relationship. First off, a third party service provider, Computer Sciences Corporation (“CSC”), is involved in this transaction, and actually has a direct contract with the City of Los Angeles (the “CSC Contract”). CSC has agreed to implement, migrate and deploy Google’s Software as a Service (SaaS) model Email and Collaboration System (i.e. Google Apps Premier Edition). The City also will have a separate contract with Google that it will accept via click-assent once the system is implemented (it is actually included as Appendix J-1 to the CSC Contract – hereinafter referred to as the “Google Contract”). As such, throughout this blogpost we will be looking at both contracts to determine the extent of CSC’s and Google’s obligations (and will attempt to point out material differences between the two).
A preliminary observation: this arrangement is very interesting because there will be two contracts governing the transaction. In the Cloud context it is sometimes (perhaps often) the case that the front-end provider will not be the party operating the Cloud and actually storing, processing and transmitting the customer’s data. In most cases, however, only one contract would exist between the reseller/service provider and the customer, and there would not be one directly with the SaaS provider. Or, in some cases, the SaaS provider would offer a contract, but that contract would contain its “boilerplate” language (which is usually highly restrictive and provides little in terms of remedies). In this case, it appears that both contracts were negotiated (although there are some differences).
The contract is initially worth approximately $7 million to CSC and Google. However, we understand that other divisions of Los Angeles (City and County) and potentially state entities will be able to obtain these services. As such, the ultimate value to CSC and Google may be significantly higher. In addition, the intangible benefit of snagging one of the first major U.S. cities to adopt Cloud likely has lasting business value for Google.
What is Supposed to Be in The CSC and Google Contracts?
It has been reported by multiple outlets that the contract terms of the Google Contract/CSC Contract were a key part of the negotiations with Los Angeles. One magazine reported that Google made the contract terms a key part of its strategy for competing against other bidders. At SaaScon 2010, Kevin Crawford, Los Angeles assistant director of IT, reportedly discussed many of the relevant contract terms (his presentation is still up and provides some insight into the City’s thinking on what the Google and CSC contracts provided). Based on the reports, the Google deal included the following contract terms:
- unlimited damages for a data breach
- provisions allowing audits
- guarantees that the data remain in the contiguous 48 states, and that this guarantee is auditable
- penalties if Google’s services are unavailable for any longer than five minutes a month
- unlimited damages if its nondisclosure agreement (NDA) is breached by Google (that clause aims to protect the city from a third party claim if personal data is released)
- requires Google to encrypt the city’s data and break it into pieces when it is at rest so that no one can get their hands on a full file
- bars Google from viewing any data without permission from the city
As we review the Google and CSC contracts we will attempt to identify whether these terms are present in the agreement.
Analysis of the Contracts
The following breaks down some of the key contract terms present in the CSC Contract and Google Contract.
Security Control Requirements
CSC’s Security Obligations. Section 11.1 of the CSC Contract requires CSC to establish a security program to ensure the security and confidentiality of Protected Information (as this term is defined in the City’s own infosec program), including protecting against anticipated threats, unauthorized access and unauthorized use, and the proper disposal of Protected Data. CSC is required to make its subcontractors (including Google, which is defined as a subcontractor in section 4.5 of the CSC Contract) comply with such controls. The City has a right to conduct a security audit and CSC must implement any security safeguards identified by the City or its audit. In addition, CSC must conduct a SAS-70 audit each year of Google’s information security program, and provide the findings of the SAS-70 upon the City’s request. In addition, CSC has warranted in section 5.2.5 that it will use commercially reasonable virus detection computer software programs to test “Software” licensed under the agreement prior to delivery to LA and on an ongoing basis thereafter.
Google’s Security Obligations. The Google Contract also contains security obligations, but their scope may be limited relative to those under the CSC Contract. Section 1.2., entitled “Facilities” provides the following:
All facilities used to store and process Customer Data will adhere to reasonable security standards no less protective than the security standards at facilities where Google stores and processes its own information of a similar type. Google has implemented at least industry standard systems and procedures to ensure the security and confidentiality of Customer Data, protect against anticipated threats or hazards to the security or integrity of Customer Data, and protect against unauthorized access to or use of Customer Data.
First, since this section is entitled “Facilities” one might argue that the security promises are related to physically securing Google’s facilities (at least in the first sentence). Creating a separate information security section (not entitled Facilities) that references reasonable technical, administrative and physical security may have been useful to address an argument of potentially limited scope.
Second, the last sentence reads in the past tense and some might argue that it amounts to an agreement with, or recognition by, LA that Google’s current controls (as of the time of contract execution) are in compliance with “industry standards.” For this obligation, it may be useful to modify the sentence in terms of ongoing obligations for Google to implement and maintain reasonable security that at all times during the term of the contract (or while holding LA’s information) must be at least consistent with industry standards. Also note, while industry standards are important, every first year law student knows that industry standards themselves may not be reasonable under the law. As such, explicitly imposing a duty of "reasonable security" may be helpful.
Significantly, there does not appear to be any obligation in the Google Contract for Google to encrypt LA’s data or “break it into pieces" (as reported in the media). While the systems may actually do this, there does not appear to be a contractual obligation that tracks to this functionality. Also of note, while CSC may have an obligation to require Google to adhere to LA’s Information Security Program, LA would not be able to directly enforce that obligation against Google using the Google Contract (since that obligation is not in the Google contract).
Confidentiality/Data Privacy Obligations
There is often some overlap between information security contract terms and contractual confidentiality obligations and NDAs. This overlap can have significant liability consequences since a breach of confidentiality obligations is typically not limited by a contract’s limitation of liability clause. Put another way, if a service provider breaches a confidentiality provision, it may be subject to unlimited liability for such breach (as opposed to other contract breaches which may be limited by a liability cap or consequential damage disclaimer). For this reason, service providers may seek to limit their confidentiality obligations, especially when it comes to potential liability arising out of an information security breach.
Some service providers may take the following positions to limit their exposure for confidentiality breaches that arise out of security breaches:
- a “disclosure” of confidential information is not the same thing as allowing an unauthorized third party (e.g. a hacker) to access or use confidential information in the service provider’s possession, and only “affirmative disclosures” (e.g. a decision by the service provider to disclose) of confidential information amount to a breach of confidentiality obligations
- personal information is not confidential information, and therefore a security breach exposing personal information is not a breach of a contract’s confidentiality obligations
- a service provider is only liable for a security breach, if it also breached those parts of the contract that required it to have certain controls or protections in place
- liability arising out of security breach should be capped using a limitation of liability (although it may be different than the general limitation of liability present in the contract)
The purpose of this post is not to debate whether these positions have merit or not (that would take a lot of research), but rather to take a look at how these matters are reflected in the Google and CSC Contracts.
CSC’s Confidentiality/Privacy Obligations. Section 10. (CONFIDENTIALITY AND PROPRIETARY RIGHTS) of the CSC Contract and the NDA contained in Appendix I set forth CSC’s confidentiality obligations. Section 10.1 limits CSC’s use of any information of LA’s “contained in any [CSC] repository” and defines such information as “Confidential Information.” CSC may not disclose such information to any third party without LA’s written consent (except for approved subcontractors) and has a limited right to use that information only to the extent necessary to provide services. This section makes clear that LA is the sole owner of all City information. Notably, however, section 10 does not contain any explicit reference to a duty to “protect” the city’s information.
Under the NDA contained in Appendix I, neither party may “disclose or divulge to others” certain confidential information defined in the NDA, including “technical information,” “business information,” “security,” or “rights.” Notably there is no explicit reference to personal information or “Confidential Information” as defined in the main agreement (although the definition of “business information” may encompass that). Also, there does not appear to be any explicit duty to “protect” confidential information or personal information.
CSC’s confidentiality obligations are interesting in light of the potential positions that service providers may take. If a hacker were to obtain personal information in CSC’s control, CSC may take the position that it did not affirmatively “disclose” or “divulge” such information, and therefore did not violate the confidentiality provisions of the contract. Nonetheless, it is possible that a different provision of the CSC Contract was breached by CSC by allowing the hacker to steal personal information (see for example section 11. of the CSC Contract – INFORMATION SECURITY). However, any liability due to CSC’s breach of section 11. would be subject to CSC’s limit of liability (see section 15.1.2 of the CSC Contract). In other words, if a security breach does not constitute a confidentiality breach, then LA will not be able to recover for liability amounts above the liability cap in the CSC Contract. We will discuss how these risk of loss provisions work in a later installment of this blog series.
Google’s Confidentiality/Privacy Obligations. Google’s confidentiality obligations to the City exist under section 7. of the Google Contract. Under that section, Confidential Information explicitly includes “Customer Data,” which is defined as:
All data and information provided by End Users via the sign up process for the Services, as well as data, including email, documents, spreadsheets, presentations, and videos, provided, generated, transmitted or displayed via the Services by Customer, or Reseller on behalf of Customer.
This would appear to include personal information stored, processed or transmitted through Google’s services.
Under section 7., Google agrees to refrain from disclosing confidential information (similar to the promises made by CSC in its contract). In addition, however, Google agrees to “protect” LA’s confidential information “with the same standard of care it uses to protect its own confidential information, but in no event less than reasonable care.”
With the addition of “protection” obligations, Google’s confidentiality obligations are explicitly broader than CSC’s in the CSC Contract (although one can argue that the concept of “protection” is included in the concept of non-disclosure). Based on the explicit protection obligation, Google’s confidentiality obligations would appear to be violated if it allows an unauthorized third party such as a hacker to access personal information. Note that many would argue that Google’s promise not to disclose confidential information was also violated. In addition, some may argue that the existence of two explicit confidentiality duties, one geared toward protection and the other focused on disclosure, evidences an intent for disclosure to mean “affirmative disclosure" (see the list of positions that may be taken by service providers above).
This all said, the ultimate issue, and the reason we are looking carefully at this language, is to determine if Google has promised unlimited liability for security breaches. That question will be more fully answered in subsequent installments of this series. However, as a sneak peek, whether Google promised some sort of unlimited liability for security breaches involving personal information (or other confidential information) may hinge on whether there is a distinction between “disclosure” and “protection.”
This is the first installment of our review of Google/CSC’s ninety-one page contract with LA. In the coming installments we will look at contract provisions related to due diligence, auditing and enforcement, incident response, compliance with privacy and security legal obligations, termination rights, and most importantly risk of loss terms (e.g. limits of liability, consequential damages disclaimers, indemnification). Stay tuned.