If you are a ProVisors member with a goal of launching your own software product, then please plan to attend a special virtual presentation + networking event on Wednesday, March 19 at 4 p.m. PT: “Best Practices on How to Launch a Software Development Project.” The presentation will address what you need to know to get started with launching your software development project. Attendance at this event is limited to ProVisors members only. The event is intended for anyone having software development aspirations without specific software development experience. It is anticipated to be the first of a series of similar events for ProVisors members with software development aspirations. To register to attend, please sign up at this link.

The Prinz Law Office is pleased to announce that the article authored by Kristie Prinz on “Managing the Legal Risks of Artificial Intelligence on Intellectual Property and Confidential Information” has just been published online by the American Psychological Association’s Consulting Psychology Journal. Digital access is available for purchase at this link.

The Prinz Law Office is pleased to announce that we have added a new Silicon Valley address in downtown San Jose.

Our new address is centrally located in downtown San Jose at 84 W. Santa Clara St, Suite 788, San Jose, CA  95113.  We are conveniently located near the San Jose airport and other downtown San Jose attractions, including the Superior Court of California and the new Santa Clara County Family Justice Center. We are also walking distance from the U.S. District Court, Alfred E. Alquist State Building, and McEnery Convention Center.

Our address change is effective immediately and we are now accepting reservations for in-person meetings at this location.

To schedule a meeting at our new Silicon Valley location in downtown San Jose, you may visit our scheduling link at https://calendly.com/prinzlawoffice.com.

 

Tech Lawyer Kristie Prinz presents a short introduction of herself in this video recorded on 1.28.25.

Tech Lawyer Kristie Prinz explains the unique Prinz Law Approach in this video of January 28, 2025.

Tech Lawyer Kristie Prinz describes subscription services at The Prinz Law Office in this video recorded January 24, 2025.

Tech Lawyer Kristie Prinz describes fixed rate services at The Prinz Law Office in this video recorded on 1.24.25.

Tech Lawyer Kristie Prinz explains the vision for The Prinz Law Office in this video recorded on 1.24.25

Tech Lawyer Kristie Prinz explains flat fee services at The Prinz Law Office in this video recorded 1.23.25.

Tech Lawyer Kristie Prinz explains fractional rate services at The Prinz Law Office in this video recorded 1.23.25.

Tech Lawyer Kristie Prinz discusses the Services Made Available at The Prinz Law Office in this video recorded 1.22.25.

SaaS Lawyer Kristie Prinz will be presenting a webinar for Strafford on Tuesday, January 7th at 10:00 a.m. PT/ 1:00 ET on “Negotiating SaaS Agreements: Key Contract Provisions and Protections.” Her co-presenter for this event will be Ash Masrani, who is an associate with Clifford Chance. To learn more about the program or register to attend, please see the Strafford website at https://www.straffordpub.com/products/negotiating-saas-agreements-key-contract-provisions-and-protections-2025-01-07.

SaaS Lawyer Kristie Prinz will be presenting a webinar for Strafford on Tuesday, January 7th at 10:00 a.m. PT/ 1:00 ET on “Negotiating SaaS Agreements: Key Contract Provisions and Protections.” Her co-presenter for this event will be Ash Masrani, who is an associate with Clifford Chance. To learn more about the program or register to attend, please see the Strafford website at https://www.straffordpub.com/products/negotiating-saas-agreements-key-contract-provisions-and-protections-2025-01-07.

The Prinz Law Office is pleased to announce the availability of new quarterly fractional service plans, effective immediately.  The new fractional service plans are intended for the client who seeks to reserve the firm’s time on defined terms without the commitment of exhausting the time reserved within a single calendar month.  The new quarterly plans allow for  ninety (90) days to utilize the reserved time instead of the usual thirty (30) day legal subscription periods, thereby providing clients with more flexibility in utilizing their subscription commitments.  The quarterly plans start at just a ten (10) hour commitment, and increase at ten (10) hour increments above the minimum commitment.  To learn more about the firm’s fractional service plans, the firm’ invites you to schedule a new client consultation today.

The Prinz Law Office is pleased to announce the availability of new advisory and contract review subscription plans, which will be offered on both a monthly and a quarterly basis, effective immediately.    These plans are intended for clients with ongoing but unpredictable legal needs who are seeking more certainty with their legal budget and prefer not to work with an attorney on a billable hour arrangement.  The plans will provide the client with access to a defined set of legal services during the subscription period, as well as access to certain additional services outside the defined legal services for a specified flat fee charge.  Unlike many other legal subscription plans currently on the market, clients will have no obligation to remain on the subscription plan beyond the defined subscription period, and may elect to upgrade or discontinue the subscription upon expiration at their sole and absolute discretion.  For more information about the firm’s new subscription plans, please schedule a new client consultation today.

The Federal Trade Commission (“FTC”) has just announced the final version of its “Click to Cancel” Rule for consumer subscriptions. The Rule will go into effect 180 days after it is published with the Federal Register.  This Rule will directly apply to all SaaS, digital health, tech, and non-tech companies selling on a subscription basis to consumers.

Full Text of FTC Rule

The full text of the FTC Rule is linked here, at pages 222-230.

Fact Sheet of FTC Rule

The FTC has also made available a fact sheet which briefly summarizes key provisions of the “Click to Cancel Rule,” which is attached here.

Key Provisions of the FTC Rule

According to the FTC announcement, the “Click to Cancel” Rule will apply to “almost all negative option programs in any media.” The key provisions of the FTC Rule will prohibit:

• misrepresenting any material fact made while marketing goods or services with a negative option feature;
• failing to “clearly and conspicuously disclose” material terms prior to obtaining a consumer’s billing information in connection with a negative option feature;
• failing to obtain a consumer’s express informed consent to the negative option feature before charging the consumer; and
• failing to provide a simple mechanism to cancel the negative option feature and immediately stop the charges.

Revisions to Final Version of the FTC Rule

Also according to the FTC announcement, the FTC  dropped from its final Rule an annual reminder requirement that would have required vendors to provide annual reminders to consumers advising them of the negative option feature of their subscription, as well as a requirement that vendors had to ask canceling consumers for approval before a vendor could tell a canceling subscriber about reasons to keep the existing agreement or of possible modifications that could be made without canceling the subscription.

Reasons for Adoption of the Rule

Why did the FTC adopt a Click to Cancel Rule?  According to the FTC Announcement, the FTC was receiving 70 consumer complaints per day over negative option programs, and this number was “steadily increasing over the past five years.”

The FTC’s announcement follows a recent California enactment of a more comprehensive “Click to Cancel” law.

Does the FTC Rule Supersede California Law?

The FTC Rule should not supersede California’s more comprehensive law;  in fact, the Rule specifically states in its text that the Rule will not be construed to supersede any State statute, regulation or order “except to the extent that it is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.”  The expected impact of the FTC Rule is primarily to bring federal regulatory law closer to California regulatory law as it pertains to subscriptions and memberships.

What do SaaS, Digital Health, Tech, and other Companies Utilizing the Subscription Model Need to do in Response to this Announcement?

All companies utilizing a subscription model should revise consumer contracts and processes to comply with the FTC Rule over the next 180 days.   Companies utilizing the subscription model with a business-focused customer base should similarly consider what changes to make to their contracts and processes as public policy will likely change regarding subscriptions generally along with the new FTC Rule and California law changes.

If you have questions or concerns about how new FTC “Click to Cancel” Rule or the new California ”Click to Cancel Law” will impact your digital health company, please schedule a consultation at https://calendly.com/prinzlawoffice.

Silicon Valley Tech Business Lawyer Kristie Prinz of The Prinz Law Office will be speaking at an upcoming one-day Practicing Law Institute Program to be held on October 9, 2024 at the PLI headquarters in San Francisco, California.

Kristie will be speaking on “Drafting Privacy Policies for Devices with No User Interface – What Do You Do?”, along with Peter McLaughlin of Rimon, P.C.   The presentation will examine the challenges of managing legal and privacy terms with IOT devices.

The one-day program is titled “Advanced Internet of Things 2024: Deeper Dive, Practical Wisdom” and will also feature presentations by Leonard Naura of Flatiron Law Group, LLP, Ian Ballon of Greenberg Traurig, LLP, Kate Downing of the Law Office of Kate Downing, Megan Ma of Stanford University, and John Yates of Morris, Manning & Martin, LLP.  For more information and to register to attend this event, visit the Practicing Law Institute website at this link.

California has just adopted the new “click to cancel” law that will regulate consumer subscriptions, along with memberships and other autorenewing or continuous service arrangements with consumers.

AB 2863 amends California’s existing autorenewal law to add additional protections for consumers with respect to autorenewing or continuous billing charges.

SaaS, digital health, tech and other consumer-focused companies need to be aware of this new law and is potential to impact contracts and customer relationships, particularly in light of the currently slow tech and life sciences market.

Text of AB 2863

To view the full text of AB 2863, please click here. The law goes into effect in 2025, and applies to all contracts entered into, amended, or extended after its effective date.

New Requirements for Consumer Subscriptions

Under the new California law, it will now be unlawful for any company in the state that makes an autorenewal or continuous service offer to a consumer in the state to do any of the following:

• Fail to present the terms of the offer in a clear and conspicuous manner in visual proximity to the request for consent of the offer, which includes if there is a free gift or trial, a clear and conspicuous explanation of the price that will be charged when the trial ends;
• Charge the consumer’s credit or debt card or any third party account for the automatic renewal or continuous service without first obtaining affirmative consent from the consumer to the automatic renewal or continuous service agreement;
• Fail to provide an acknowledgement that includes the automatic renewal offer terms or continuous service offer terms, cancellation policy, and information regarding how to cancel in a manner that the consumer can retain, and if the offer contained a free gift or trial, the acknowledgement must include a disclosure of how to cancel and must permit the consumer to cancel before the consumer pays for the goods or services;
• Fail to obtain express affirmative consent from a consumer to the automatic renewal or continuous service offer terms;
• Include terms in a contract that interfere with, detract from, contradict, or otherwise undermine the ability of consumers to provide their affirmative consent to automatic renewal or continuous service terms;
• Fail to maintain verification of consumer’s affirmative consent for at least three years, or one year after the contract is terminated, whichever is longer;
• Misrepresent expressly or by implication a material fact related to the transaction;
• Fail to provide consumer with a notice, before confirming the consumer’s billing information that clearly and conspicuously states:
  • The service will automatically renew unless the consumer cancels;
  • The length and any additional terms of the renewal period;
  • The amount or range of costs consumer will be charged and the frequency of those charges, unless consumer stops the charges;
  • One or more methods which consumer can cancel the autorenewal or service;
  • If sent electronically, the notice must include a link that directs consumer to the cancellation process, or another electronic method that directs the consumer to cancellation; and
  • Contact information for the business.

New Requirements for Gifts and Trials

In addition, companies offering free gifts or trials at promotional or discount prices that last for more than 31 days in conjunction with an automatic renewal or continuous service offer will now be mandated to provide the same kind of clear and conspicuous notice no less than 3 days before and no more than 21 days before the expiration of the gift or trial.  The only exception to this requirement is in cases of contracts that are not electronic, where the business has not collected or maintained the consumer’s valid email address, phone number, or other means of notifying the consumer electronically.  “Free gifts” for the purpose of this law does not apply to a gift that is different than the subscribed product or service.

New Requirements for Contracts or Offers with Initial Term of One Year or Longer

If the contract or service offer was for an initial term of one year or longer, companies will now be required to provide the specified notice at no less than 15 days and no more than 45 days before the offer renews.

Online “Click to Cancel” Requirement

Companies that sign-up or subscribe consumers online will be required to provide one of two methods to allow consumers to cancel at will by either (a) a prominent link or button within the customer account or profile or within device or user settings, or (b) an immediately accessible termination email formatted and provided by the business that a consumer can email to the business without any additional requirement.

Direct Billing Requirement

Companies that direct bill consumers on an automatic renewal or continuous offer basis will be required to provide a toll-free telephone number, email address, and postal address or “another cost-effective, timely, and easy-to-use mechanism for cancellation” that is described in the acknowledgement.  If a telephone number is provided as the mechanism for termination, the business is required to answer calls promptly during normal business hours without obstructing or delaying the ability to cancel.  If a voice mail is left by the consumer requesting cancellation, the company shall be required to either process the requested cancellation in one business day or call the customer back regarding the request within one business day.

Customer Retention Offer Requirement

Requirement for Material Term Changes

Requirement for Annual Reminder

Implications of Requirements

While these new rules apply only to automatic renewal agreements and continuous service agreements with consumers, they may be applied to  companies in cases where they are run by sole proprietors.  Also, they may be applied in other contexts to companies on public policy grounds, where the terms of service or contract terms in effect are not at least as good as what is required now by law in the case of consumers.

What does this mean for SaaS, Digital Health, Tech and other Companies Operating on a Subscription Basis?

Companies need to start reviewing and updating their contracts and terms of service, as well as their practices and procedures.  Given there are so many changes, most companies who serve a consumer client base will need to rethink their terms and practices and procedures, and companies who serve a business client base will also want to consider whether or not their current agreements and practices and procedures are aligned with the new law.

If you have questions or concerns about how this new law will impact your company, please schedule a consultation today at https://calendly.com/prinzlawoffice.

I am pleased to announce that I am a new ProVisors home group leader in the Silicon Valley Region.  I will be leading a new Silicon Valley Virtual 1 Group, which will be an all-virtual home group for service providers engaged in Silicon Valley business.  The group will meet the first Friday of the month at 11:30 a.m. PT, and we are currently seeking our first members.  If you would like to learn more about ProVisors or Silicon Valley Virtual 1, please reach out to me for additional information, either through Linked In or email at kp****@pr************.com.  I am excited about this new opportunity and look forward to the challenge of leading a new ProVisors group in this dynamic region.   For more information on ProVisors, view https://provisors.com.

Silicon Valley Tech Lawyer Kristie Prinz of The Prinz Law Office will be speaking at an upcoming one-day Practicing Law Institute Program to be held on October 9, 2024 at the PLI headquarters in San Francisco, California.

Kristie will be speaking on “Drafting Privacy Policies for Devices with No User Interface – What Do You Do?”, along with Peter McLaughlin of Rimon, P.C.   The presentation will examine the challenges of managing legal and privacy terms with IOT devices.

The one-day program is titled “Advanced Internet of Things 2024: Deeper Dive, Practical Wisdom” and will also feature presentations by Leonard Naura of Flatiron Law Group, LLP, Ian Ballon of Greenberg Traurig, LLP, Kate Downing of the Law Office of Kate Downing, Megan Ma of Stanford University, and John Yates of Morris, Manning & Martin, LLP.  For more information and to register to attend this event, visit the Practicing Law Institute website at this link.

Tech Lawyer Kristie Prinz introduces The Prinz Law Office in this video recorded on 8.20.24.

Tech Lawyer Kristie Prinz explains why to review key customer contracts in a sluggish economy in this video recorded on 8.16.24.

It has become increasingly clear over the past few months that businesses are in a cost-cutting mode, as the economy has become more and more sluggish.  While your software company is likely focusing on its own cost-cutting strategy, have you stopped to consider whether your most significant customers might be doing the same?   Is it possible those key customers may be focusing on how to cut the cost of their contract with your business?  Could they be talking to one of your competitors?  Could they be building their own proprietary product to replace the cost of your product?

A sluggish economy is the perfect occasion to audit and review your key customer contracts for weaknesses that might allow your customer to walk out the door as a cost-cutting move.

You might wonder why you should spend any resources on contracts when business is already sluggish: isn’t this exactly the time when you should be reducing legal expenses, along with all your other cost-cutting efforts?

Well, no, actually.  While, it has been my experience that this is in fact what most software companies do; however, I have been practicing now for 26 years and had the occasion to see a lot of sluggish economies, and given that experience, I would argue that it is exactly the wrong move to make in a sluggish economy.  Why would I say this?

Imagine this: it is two months in the future.  Over the last 30 days, all of your key customers have stopped paying on their contracts with you and have advised you that they are suspending performance.  You are confident that they are just cutting costs and have no grounds to terminate the relationship.  You pull out the executed contracts and send them to your software attorney to review for the first time, confident that he or she will confirm your assessment.  However, instead of confirming your position, your software attorney tells that the signed contracts were poorly drafted and that the customers may have had valid grounds to terminate.

In this scenario, if you had known there was something you could do to interrupt this chain of events and shore up the customer relationships before they collapsed, would it have been worthwhile to do it?  Presumably, yes.  If the customers were your truly your key customers, you probably had a lot riding on the continuation of those relationships.

If the fact pattern seems far-fetched, I’ve actually seen it play out many times during sluggish economies.  The larger and more expensive the contract, the more at risk it is for termination in a sluggish economy.  If you are confident it won’t happen to your company, consider what kind of representation you had for the drafting and negotiation of that contract?  Did you work with experienced software counsel who had advised other software and SaaS companies through multiple bad economies, and involve that counsel at every stage of the negotiation and drafting process and then implement all of his or her recommendations?  Or did you cut a few corners in getting your deal done?  Perhaps handled a lot of the negotiation and drafting without counsel, or relied on less experienced counsel that was more affordable?  If you are like many software companies, you probably cut at least a few corners–perhaps you even cut a lot of corners–and the contracts executed by you and your key customers are full of holes.

What would truly be the impact to your software company of a complete loss of your three largest customers?  Your six largest customers?  Your ten largest customers?  How fast could you really recover in a sluggish economy?

If the prospect of this kind of business loss fills you with terror, then this is precisely why you should revisit your significant contracts now.

So, what is it that you can do to shore up your key client relationships now?  Well, skilled software counsel can evaluate those contracts and identify the potential liabilities and then work with you to develop a strategy to renegotiate them.  By taking the opportunity to renegotiate a weak contract before the contract terminates, you can extend the term of the relationship, fix the legal problems in the contract, and keep the customer happy in the first place by giving the customer a concession that the customer really wants in exchange for the longer relationship term that carries the relationship through the down economy.

Isn’t this a better outcome than losing a key customer altogether over a vulnerability in your contract that is exploited in a cost-cutting effort?

If your software company has not had its key software contracts evaluated recently by an experienced software lawyer, schedule a consultation today at https://calendly.com/prinzlawoffice.  Let’s identify the vulnerabilities in your key contracts before a key customer exploits the vulnerabilities as a cost-cutting move and resolve potential problems in the relationships before they arise and become the reason you lose those relationships.

The California Telehealth Policy Coalition presented a webinar last week on cross-state licensure and compacts, which provided an excellent overview of ongoing efforts in California and other states in facilitating cross-state licensure for physicians and other licensed providers.  The webinar is now publicly available for viewing at the following link: https://www.cchpca.org/resources/cross-state-licensure-compacts-webinar/.  The powerpoint is also separately available at this link: https://www.cchpca.org/2024/08/CTPC-Licensure-Compacts-Webinar-Slides-v31-Read-Only.pdf.

In case you are unfamiliar with the California Telehealth Policy Coalition (the “Coalition”), the list of Coalition members is published here:  https://www.cchpca.org/california-telehealth-policy-coalition/coalition-members/.  The Coalition first came together in 2011 when AB 415, The Telehealth Advancement Act, was introduced, in order to keep each other apprised on developments and to share information with each other.  See this link for the full discussion of the history of the Coalition:  https://www.cchpca.org/california-telehealth-policy-coalition/.  The Coalition is today focused on modernizing California telehealth policy.  See link for more information: https://www.cchpca.org/california-telehealth-policy-coalition/.

The Prinz Law Office is pleased to announce that Kristie Prinz has been selected to the 2024 Super Lawyers Northern California list.  Each year, no more than five percent of the lawyers in the state are selected by the research team at Super Lawyers to receive this honor.  Super Lawyers, part of Thomson Reuters, is a rating service of outstanding lawyers from more than 70 practice areas who have attained a high degree of peer recognition and professional achievement.  The annual selections are made using a patented multiphase process that includes a statewide survey of lawyers, an independent research evaluation of candidates, and peer reviews by practice area.  For more information about Super Lawyers, visit Super Lawyers.com.

The Prinz Law Office is pleased to announce that we have recently made available three new service offerings to our clients.  First, we have just launched a new fractional counsel services plan for those of our clients seeking a recurring monthly arrangement with the firm based on an anticipated volume of work at a discounted rate.  To view our new fractional services plan, please click here.  Second, we have just launched a new subscription services plan for those of our clients seeking a recurring monthly arrangement with the firm based on an uncertain volume of work at a discounted rate.  To view our new subscription services plan, please click here.  Third and finally, we have just entered into a relationship with several senior paralegals to make available paralegal services through the firm, which our clients may utilize at their option.   Our paralegal services will be priced at special paralegal price rates.

The firm is excited to be able to make these new offerings available to our valued clients.   If you have any questions about the new offerings, please reach out to Kristie Prinz with questions, or schedule a consultation at this link.

Silicon Valley Tech Lawyer Kristie Prinz introduces herself in this video recorded on July 24, 2024.

Software Lawyer Kristie Prinz explains the software contract lessons to be learned from the technology disruption in this video recorded on July 19, 2024.

Software Lawyer Kristie Prinz discusses FTC concerns with annual paid monthly software subscription plans in this video recorded 7.17.24.

The FTC has just filed a complaint against a Silicon Valley software company over its “Annual Paid Monthly” subscription contract.  The FTC has separately also sought the expansion of its “Negative Option Rule” to amend the provisions to specifically apply to subscriptions by adding a “Click to Cancel” provision.  A copy of the FTC notice of proposal is linked here.

What is the FTC’s Negative Option Rule?

The Negative Option Rule was adopted by the FTC in 1973, to address “negative option offers,” which the FTC defines as offers containing “a term or condition that allows a seller to interpret a customer’s silence, or failure to take an affirmative action, as acceptance of an offer.”

According to the FTC, negative option marketing utilizes four types of offers: prenotification plans, continuity plans, automatic renewals, and free trial conversion offers.

However, the FTC’s original Negative Option Rule only pertained to prenotification plans, excluding the continuity plans, automatic renewals and free trial offers that have become commonplace in 2024.  Also, in the case of the original Negative Option Rule, prenotification plans were limited to the sale of goods, where sellers provided periodic notices to participating customers and then sent and charged for those goods only if the consumers took no action to cancel and decline the offer (i.e. the example of a wine club).

Also, the Negative Option Rule required clear and conspicuous disclosure of certain terms before a subscription agreement was reached.  According to the FTC, those terms were as follows:

• how subscribers must notify the seller if they do not wish to purchase the selection;
• any minimum purchase obligations;
• the subscribers’ right to cancel;
• whether billing charges include postage and handling;
• that subscribers have at least ten days to reject a selection;
• that if any subscriber is not given ten days to reject a selection, the seller will credit the return of the selection and postage to return the selection, along with shipping and handling; and
• the frequency with which announcements and forms will be sent.’

Finally, under the existing Negative Option Rule, sellers were required to define particular periods for sending merchandise, to give consumers a defined period to respond, to provide instructions for rejecting merchandise, and to promptly honor written cancellation requests.

What is “Click to Cancel’?

What would change with the FTC’s newly proposed “Click to Cancel” amendment?

Under the FTC’s proposed “Click to Cancel” rule change, the scope of the Negative Option Rule would be increased to make it pertain to not only prenotification plans but also to continuity plans, automatic renewals, and free trial conversion offers.  Also, the proposed “Click to Cancel” rule provisions would mandate the following:

• Businesses would be required to make cancelling a subscription or membership at least as easy as it was to start it;
• Businesses would have to ask consumers if they want to hear new offers when they ask to cancel before they would be able to pitch new offers;
• Businesses would be required to provide an annual reminder if enrolled in a negative option program involving anything other than physical goods, before they are automatically renewed.

Another “Click to Cancel” change is that the under the new provisions any misrepresentation of a material fact related to any of the four negative option offers, whether expressly or by implication, would constitute a violation of not only the Negative Option Rule but also an unfair or deceptive act or practice in violation of Section 5 of the Federal Trade Commission Act.

What is the Potential significance of “Click to Cancel” to the SaaS, Tech, and Digital Health Industries?

The potential significance of the “Click to Cancel” change to the average SaaS, tech, and digital health company is that, if this proposed rule is adopted, SaaS, tech, and digital health companies who sell directly to consumers will need to update consumer contracts and terms of service to confirm that they are compliant with the requirements of the Negative Option Rule, as amended.

If your company is concerned about its compliance with “Click to Cancel” please schedule a consultation today at https://calendly.com/prinzlawoffice.

California is currently considering the adoption of a bill that would impose unprecedented new regulations on the development of AI.  The bill under consideration is SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act.  A full copy of the bill is linked here.

SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act

The Safe and Secure Innovation for Frontier Artificial Intelligence Models Act or SB 1047 would create a new Frontier Model Division within California’s Department of Technology which would have oversight powers over the training of new AI models. Pursuant to SB 1047, developers of AI models would be required to build a so-called kill switch into the AI model and to potentially shut down the model until the Frontier Model Division deems that the AI model is subject to a “limited duty exemption,” which would be defined as:

a determination. . . . that a developer can provide reasonable assurance that the covered model does not have a hazardous capability, as defined, and will not come close to possessing a hazardous capability when accounting for a reasonable margin for safety and the possibility of posttraining modifications.

A “covered model” under SB 1047 would be defined to mean an AI model “that was trained using a quantity of computing power greater than 10^26 integer or floating-point operations, and the cost of that quantity of computing power would exceed one hundred million dollars ($100,000,000) if calculating using average market prices of cloud compute as reasonably assessed by the developer at the time of training.”

As currently proposed, “derivative” AI models would be exempt from the new compliance obligations: only “non-derivative” AI models would be subject to the obligations.

Under SB 1047, a  “derivative model” is defined to constitute an artificial intelligence model that is derivative of another AI model, including either ” a modified or unmodified copy of an artificial intelligence model” or “a combination of an artificial intelligence model with another software.  The “derivative model” is defined not to include “an entirely independently trained artificial intelligence model” or an “artificial intelligence model, including one combined with other software, that is fine-tuned using a quantity of computing power greater than 25 percent of the quantity of computing power, measured in integer or floating-point operations, used to train the original model.”

What constitutes a “hazardous capability” under the proposed legislation?

SB 1047 would define “hazardous capability” to constitute the capability of a covered model to be used in one of the following harms:

• the creation or use of a chemical, biological, radiological, or nuclear weapon in a manner that results in mass casualties
• at least $500 million dollars of damage through cyberattacks on critical infrastructure via a single incident or multiple related incidnts
• at least $500 million dollars of damage by an AI that autonomously engages in conduct that would violate the Penal Code if taken by a human
• bodily harm to another human
• the theft of or harm to property
• other grave threats to public safety and security that are of comparable severity to the harms described above.

Penalties for noncompliance with this legislation would include punitive damages and a civil penalty for a first violation not to exceed ten percent of “the cost of the quantity of computing power used to train the covered model to be calculated using average market prices of cloud compute at the time of training” and 30 percent of the same in case of a second violation.  The legislation authorizes joint and several liability against the developers directly where

(1) steps were taken in the development of the corporate structure among affiliated entities to purposely and unreasonably limit or avoid liability.

(2) The corporate structure of the developer or affiliated entities would frustrate recovery of penalties or injunctive relief under this section.

The reaction to SB 1047 from the Silicon Valley start-up community

Bloomberg also reported that the a key point of contention in the startup community is the idea that AI developers are responsible for people who misuse their systems, pointing to Section 230 of the Communications Decency Act of 1996, which has shielded social media companies from liability over content users create on platforms.

Author Jess Miers of the Chamber of Progress criticized the legislation on the basis that it would “introduce a high degree of legal uncertainty for developers of new models, making the risks associated with launching new AI technologies prohibitively high.”

The Prinz Law Office will continue following legislative developments relating to SB 1047 as this bill advances.

If you have questions regarding your software company’s potential compliance obligations under SB1047, please schedule a consultation with The Prinz Law Office at this link.

The Prinz Law Office is pleased to announce the launch of a new subscription plan, which is intended to simplify the process of working with a lawyer for companies as well as individuals.  The firm’s subscription plans have been been designed to uniquely enable clients to hire and communicate with counsel without the fear or worry of an accruing billable hour.

Subscriber clients will pay a flat monthly rate each month with the option of purchasing add-on services at an additional flat fee rate that they can easily estimate in advance of making a work request.  Subscription prices will start at just $150 at the lowest bronze level.

To view the currently available subscription plans, please click here:  Prinz Law Office Subscription Plans.

The new subscriptions are available to clients immediately.

The Department of Health and Human Services (“HHS”), the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare & Medicaid Services (“CMS”) have just published a proposed rule defining the consequences for medical providers who fail to comply with the new information blocking regulations.

HHS previously established information blocking penalties for IT providers, health information exchanges, and networks  of up to $1 million per violation.  A full discussion of the previously proposed information blocking regulations was previously published on the Silicon Valley Digital Health Law Blog at this attached link

The newly announced proposal linked here will establish penalties in the form of financial disincentives for the medical providers who violate the information blocking regulations and are also Medicare-enrolled providers or suppliers.  (For the avoidance of doubt, the proposed rules do not apply to medical providers who fail to comply with the regulations but are not Medicare-enrolled providers or suppliers.)  The proposed financial disincentives are as follows:

• “Eligible Hospital(s)” or “critical access hospital(s)” would not be deemed to be a “meaningful electronic health record (“EHR”)” user, meaning that an “eligible hospital” would not be able to earn the three quarters of the annual market basket increase associated with qualifying as a meaningful EHR user and a “critical access hospital” would have its payment reduced to 100 percent of reasonable costs from the 101 percent of reasonable costs it might otherwise have earned in an applicable year.
• A health care provider that is an a “MIPS eligible clinician” would not be a “meaningful EHR user” in an applicable information blocking performance period and would also be required to report on the Promoting Interoperability performance category of MIP, as not earning a score.
• A health provider that is an accountable care organization (“ACO”), ACO participant, or ACO provider/ supplier will be barred from participating in the Shared Savings Program for at least a year.

What are the potential financial implications for these disincentives?

According to reporting by Healthcare IT News, the consequences to an “eligible hospital” deemed to be non-compliant “could result in a median disincentive amount of $394,353, ” whereas the consequences to a group of “MIPS eligible clinician(s)” deemed to be non-compliant could result in a loss ranging $1,372 to $165,326 for group sizes ranging from two to 241 clinicians.

HHS, ONC and CMS are currently seeking comments on the proposed rule.  Comments should be submitted on or before January 2, 2024 at 5 p.m. ET.  The submission instructions are published at this attached link.

The Drug Enforcement Administration (“DEA”), jointly with the Department of Health and Human Services (“HHS”), has announced that the current telemedicine regulations will continue in place through the end of December 31, 2024.  To view the full text of the announcement, please click here.  The full text of the extension is available here.

The decision comes after the DEA received more than 38,000 comments on its proposed telemedicine rules and held two days of public listening sessions related to those rules.

The DEA stated in the announcement that the final regulations should be available by the fall of 2024.

Governor Newsom has just signed SB 54, which will require venture capital firms in the state of California to annually report the diversity of founders they are backing.  According to Tech Crunch’s reporting, SB 54 will result in amendments to the Business and Professional Code and also will amend part of the Government Code pertaining to venture capital.

What is California SB 54?

SB 54 goes into effect as of March 1, 2025, and requires the following aggregated information to be reported on all VC investments:

• The gender identity of each member of the founding team, including nonbinary and gender-fluid identities.
• The race of each member of the founding team.
• The ethnicity of each member of the founding team.
• The disability status of each member of the founding team.
• Whether any member of the founding team identifies as LGBTQ+.
• Whether any member of the founding team is a veteran or a disabled veteran.
• Whether any member of the founding team is a resident of California.
• Whether any member of the founding team declined to provide any of the information described above.

Failure to timely comply with the reporting requirement may result in the assessment of a penalty of One Hundred Thousand Dollars ($100,000.00) to be assessed against a “covered person.”  SB 54 defines “covered person” as any person who does both of the following:

• Acts as an investment adviser to a venture capital company.
• Meets any of the following criteria: (i)  Has a certificate from the Commissioner of Financial Protection and Innovation pursuant to Section 25231 of the Corporations Code.  (ii) Has filed an annual notice with the Commissioner of Financial Protection and Innovation pursuant to subdivision (b) of Section 25230.1 of the Corporations Code. (iii) Is exempt from registration under the Investment Advisers Act of 1940 pursuant to subsection (l) of Section 80b-3 of Title 15 of the United States Code and has filed a report with the Commissioner of Financial Protection and Innovation pursuant to paragraph (2) of subdivision (b) of Section 260.204.9 of Title 10 of the California Code of Regulations.

SB 54 provides that reports will be due by March 1st of each year.

What is the Argument in Favor of SB 54?

Tech Crunch reports that supporters of SB 54 have argued that this law will make venture capital more “transparent.”  According to Tech Crunch, less than 3 % of all venture capital investments go to women or black founders.

Tech Crunch reported that SB 54 was opposed by the National Venture Capital Association and TechNet, though both organizations professed to support generally the concept of diversity in venture capital.

What is the Anticipated Impact of SB54?

Although the impact of SB 54 will go beyond just the software industry, this new law is likely to have a significant impact on software and SaaS companies, particularly those having diverse founders, as mandated reporting will likely incentivize venture capital firms to further focus on considering diversity in investment.  If your software company has diverse founders, you will definitely want to keep this law on your radar screen going forward.

The Food and Drug Administration (“FDA”) has issued final guidance to advice developers on their compliance obligations for premarket submissions.  To view the FDA’s finalized document, please click here: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (fda.gov).   The guidance issued by the FDA supersedes the earlier draft guidance issued on April 8, 2022 as well as the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” issued October 2, 2014.

The guidance describes recommendations regarding the cybersecurity information to be submitted for the following:

• Premarket notification (510(k)) submissions;
• De Novo requests;
• Premarket Approval Applications  (PMAs) and PMA supplements;
• Product Development Protocols (PDPs)
• Investigational Device Exemption (IDE) submissions;
• Humanitarian Device Exemption (HDE) submissions;
• Biologics License Application (BLA) submissions; and
• Investigational New Drug (IND) submissions.

The FDA states in its release that “this guidance applies to all type of devices within the meaning of section 201(h) of the Federal Food, Drug, and Cosmetic Act (“FD&C Act”), including devices that meet the definition of a biological product under section 351 of the Public Health Services Act, whether or not they require a premarket submission.”  In addition, the FDA says that the guidance applies “to devices for which a premarket submission is not required (e.g. for 510(k) exempt devices)” as well as “cyber devices as defined in section 524B of the FD & C Act.”  Finally, the FDA states that the guidance applies to the device portion of a combination product “when the device constituent part presents cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic.”  Although the FDA indicates in the release that the guidance should not be construed as “legally enforceable responsibilities,” the FDA advises that the guidance represents its “recommendations” on the topic of cybersecurity.

What exactly recommendations exactly does the FDA make in this guidance?

First of all, the FDA recommends that device manufacturers follow the quality system requirements found in the QS regulation in 21 CFR Part 820, which may include establishing cybersecurity risk management and validation processes where appropriate in accordance with FDA’s guidance “Content of Premarket Submissions for Device Software Functions.”  The FDA says that healthcare facilities may manage devices within their own frameworks such as the National Institute of Standards Technology (“NIST”) cybersecurity framework.   The FDA also points to the following frameworks to consider: the Medical Device and Health IT Joint Security Plan, which is available at https://healthsectorcouncil.org/the joint-security plan;  IEC 81001-5-1; and ANSI, ISA 62442-4-1.

Second of all, the FDA recommends that device manufacturers implement security controls, which include authentication; authorization, cryptography, code, data and execution integrity; confidentiality; event detection and logging; resilience and recovery, updatability and finally, patchability.

Third, the FDA recommends that the manufacturers must establish and maintain procedures for verifying the device design, which verification must confirm that the design output meets the design input requirements.  The FDA again points to 21 CFR  820.30 for guidance on the procedures for verification.

Fourth, the FDA recommends transparency in advising users of relevant security risks through labeling, and provides specific examples of information to include in labeling.  The FDA points to IEC TR 80001-2-2 and IEC TR 80001-2-9 for further guidance on labeling to comply with the standards.

Fifth, the FDA recommends that manufacturers establish a plan for how to identify and communicate to users vulnerabilities identified after releasing the device in accordance with 21 CFR 820.100, which plan can also support security risk management processes described in the QS regulation.  The FDA states that these plans should include the following elements:

• Personnel responsible;
• Sources, methods, and frequency for monitoring and identifying vulnerabilities (e.g. researchers, NIST vulnerability database (NIST NVD), third party manufacturers;
• Identify and address vulnerabilities identified in “CISA’s  Known Exploited Vulnerabilities Catalog” available at https://www.cisa.gov/known-exploited-vulnerabilities-catalog;
• Periodic security testing;
• Timeline to develop and release patches;
• Update processes;
• Patching capability (i.e. rate at which update can be delivered to devices);
• Description of their coordinated vulnerability disclosure process; and
• Description of how the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.

The FDA points to its “Postmarket Cybersecurity Guidance” for additional recommendations on plans.

Digital health companies should definitely take the time to review and familiarize themselves with the new guidance, as it is likely that health care customers will be expecting compliance with this new guidance going forward, regardless of whether or not digital health companies’ products are actually subject to FDA regulation.  Even though this guidance constitutes merely a recommendation to those digital health companies which are subject to FDA regulation, it provides specific minimum recommendations that health care customers will likely expect their providers to be compliant with going forward.

The final update to the HIPAA Privacy Rule on reproductive health is anticipated to be issued soon by the Department of Health and Human Services (“HHS”).

HHS issued a Notice of Proposed Rulemaking on April 17, 2023 to solicit comments on its proposal to modify the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).  The comment period on the proposed update closed as of June 16, 2023.

If adopted, the proposed update would modify existing standards permitting uses and disclosures of protected health information (“PHI”) by prohibiting uses and disclosures of PHI about reproductive health care for criminal, civil, or administrative investigations or proceedings against individuals, covered entities or their business associates or other persons for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

The update was originally prompted by an executive order from President Biden directing HHS to take actions to strengthen the protections under HIPAA for reproductive health information following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.  Attached is a link to the Court’s decision: https://www.supremecourt.gov/opinions/21pdf/19-1392_6j37.pdf.  A copy of President’ Bidens’s executive order may be viewed here: https://www.govinfo.gov/content/pkg/FR-2022-07-13/pdf/2022-15138.pdf.

According to the HHS Notice, the proposed Privacy Rule will “strengthen privacy protections for individual’s PHI related to reproductive health care” in order to “avoid the circumstance where an existing provision of the Privacy Rule is used to request the use or disclosure of any individual’s PHI as a pretext for obtaining PHI related to reproductive health care for a non-health care purpose where such use or disclosure would be detrimental to any person. ”

To view the full HHS notice on the anticipated HIPAA Privacy Rule update, please click here: https://www.federalregister.gov/documents/2023/04/17/2023-07517/hipaa-privacy-rule-to-support-reproductive-health-care-privacy.   For additional HHS commentary on the proposed Privacy Rule updates, please click here: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html.

 

The American Telemedicine Association has just released a new toolkit intended to help with assessing the impact of telehealth on addressing disparities in healthcare among communities.  Please click here to view the ATA Press Release, which announces the release and explains the significance.

The toolkit, which was developed by an ATA advisory group, provides functionality to review digital infrastructure by zip code and county, and a tool to scope the cost of telehealth-based improvements, as well as a collection of other resources the ATA has released to date.

According to the ATA Press Release, ATA developed the tool for the purpose of empowering healthcare industry members to address gaps in care that can be mitigated using virtual care.  In other words, the tool is intended to further one of the key aspirational goals of digital health, which is to improve access to healthcare for underserved populations.

To access the toolkit, please click here.

The DEA conducted a two day listening session last week to receive practitioner comments on  regulations relating to the prescribing of controlled substances via telemedicine.   Transcripts of the public comments are available for viewing at this link:  https://www.deadiversion.usdoj.gov/Telemedicine_listening_session.html.

According to reporting by Fierce HealthCare, the listening sessions were held in response to a backlash from doctors and telehealth groups after the DEA released proposed rules in February, 2023 that would have reinstated the restrictions that existed before the COVID era on the prescribing of controlled substances via telehealth.  In particular, the proposed rule would mandate that Schedule 2 medications or narcotics be prescribed in-person and Schedule 3 medications or higher could be prescribed for 30 days via telehealth but would require an in-person visit prior to refill.  Fierce HealthCare reported that the DEA received a record 38,000 comments on its proposed telemedicine rules, which were among the highest ever received in DEA history.

The American Telemedicine Association (“ATA”) has opposed the DEA’s February, 2023 position, asserting that the DEA’s plans will “simply limit. . . . access to legitimate health care”.  See ATA’s March 28, 2023 letters to the DEA at this link, in which the ATA submitted comprehensive recommendations regarding the proposed rules: https://www.americantelemed.org/press-releases/ata-action-submits-comprehensive-recommendations-to-dea-on-proposed-rules-regarding-remote-prescribing-of-controlled-substances/.

The ATA has advocated for a special registration process for telemedicine prescribing of controlled substances without a prior in-person visit based on seven key tenets, stated in its press release attached here:

1. The Special Registration process should work in conjunction with the existing registration process.
2. Telemedicine providers should not be required to maintain local addresses in every state where they practice.
3. Special Registration should include the elements DEA needs to monitor for illegitimate practitioners and illegal prescribing practices.
4. Special Registration should not be limited to any specific specialty or treatment condition. Schedule II prescribing could involve additional oversight but should not have additional restrictions.
5. Dispensers (pharmacies and pharmacists) should be able to identify legitimate prescribers who have a current Special Registration.
6. The location of the patient should not require any registration unless otherwise required because controlled substances are dispensed or administered at that site.
7. The Special Registration process should not place any arbitrary limits on a clinician’s ability to practice within the scope of their authority.

According to Fierce HealthCare the DEA was originally mandated fifteen years ago within the Ryan Haight Act to develop a special registration process for remote prescribing, which was mandated again by Congress in 2018, but the DEA failed to act on both occasions.  The ATA and other advocates are pushing the DEA to follow through on the prior mandates to keep COVID-era telemedicine flexibilities in place.

The Silicon Valley Digital Health Blog will continue to follow this issue as it develops.  Clearly, the DEA’s next steps will have a tremendous impact on patient access to telemedicine going forward.

If your company is currently subject to, or alternatively, may be subject in the future to HIPAA security requirements, you may be interested to know that the Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) have just released an updated version of their security assessment tool, which is intended to help with the identification and assessment of risks and vulnerabilities to electronic protected health information (“ePHI”), as well as with remediation and compliance planning.

Version 3.4 of the updated tool is available for download at the following link:  https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool.

The newly released version of the tool contains updates such as a remediation report, a glossary and tool tips section, bug fixes, usability improvements, and references to the 2023 edition of the Health Industry Cybersecurity Practices (HICP) publication.

The security assessment tool is currently made available in Windows and Excel Workbook format and also comes with a convenient user guide.

The California legislature is currently considering a controversial new telehealth bill that would dramatically expand the access to veterinary care for animal patients located in California.  AB 1399 would change California’s existing law to permit a veterinarian-client-patient-relationship to be established solely via telemedicine.   Existing California law limits the practice of veterinary telemedicine to existing veterinarian-client-patient-relationships only, where the animal has previously been examined by the veterinarian, except in cases where the advice is given in an emergency.  See the attached link to view the bill in its entirety: Bill Text – AB-1399 Veterinary medicine: veterinarian-client-patient relationship: telehealth. (ca.gov)

Proponents of AB 1399 argue that passage of this bill is necessary to make permanent the COVID-era relaxation of California’s existing regulations, which permitted care virtually when local veterinary practices were inundated with new patients and human caretakers were dealing with challenging personal circumstances.  They argue that California continues to deal with a shortage of veterinarians and telemedicine improves access to care for California animals, many of whom would not otherwise receive care at all.  Attached are links to arguments and statements in support of the bill by Dr. Christie Long and the SFSPCA.

However, critics of AB 1399 warn of the unintended consequences of relaxing the existing regulations to California animals.  In particular, the American Veterinary Medical Association has opposed the bill on this ground (see the attached link).  While the California Veterinary Medical Association had also opposed AB 1399 (see the attached link), it just recently amended its position after several new amendments were made to the bill.  Attached is a copy of the letter published by the CVMA explaining the change of position:  AB-1399-Friedman-NEUTRAL-position.pdf (cvma.net).

For the digital health community, the adoption of AB 1399 and permanent relaxation of existing veterinary care restrictions in California would be a clear win for digital health providers seeking to expand access to veterinary care to more of the state’s animal residents.  The adoption of AB 1399 in this state could also have the effect of influencing other states with similar restrictions in place to also consider relaxing their regulations.

The Veterinary Virtual Care Association, a global nonprofit association dedicated to developing standards for veterinary virtual care, is actively tracking the current status of veterinary telehealth laws around the country at the following website:  The VVCA Telemedicine Regulatory Map – Veterinary Virtual Care Association.  According to the VVCA’s regulatory reporting map,  Michigan, Connecticut and the District of Columbia are currently the only states not requiring that telemedicine be tied to a veterinarian-client-patient-relationship.  If accurate, this means that California’s adoption of AB 1399 would set an important national precedent for veterinary telemedicine law.

The Silicon Valley Arbitration and Mediation Center has published for public comment a first draft of “Guidelines on the Use of Artificial Intelligence in Arbitration.”  The proposed guidelines were drafted by the Center’s AI Task Force Guidelines Drafting Subcommittee and are intended to provide a framework for how to use artificial intelligence in domestic and international arbitrations.

The guidelines contain three key chapters: a chapter that applies to all participants in international arbitrations, a chapter that applies to parties and party representatives, and a chapter that applies to arbitrators.   The topics addressed by the guidelines include safeguarding confidentiality, duty of competence or diligence in the use of AI, and non-delegation of decision-making responsibilities.

To view and comment on the guidelines, check out the following link: SVAMC AI GUIDELINES PORTAL (typeform.com)  The deadline for submitting comments is September 30, 2023.

SaaS Lawyer Kristie Prinz explains why not to use the term “SaaS License” in this video recorded October 2022.

The Prinz Law Office is pleased to announce that we are adopting a number of new options for working with our clients. We received feedback asking for new fixed rate and subscription packages for specific business scenarios, and in response to that feedback we have designed a variety of new packages designed around those requests. Existing clients who are working with us already under another billing arrangement will be able to switch to a new plan at any time upon request.  The firm is confident that these new options will better address the current business needs of the technology and life sciences communities we serve.  For additional information about our various available alternative billing packages, please submit your request to kp****@pr************.com.

If you have other ideas for new billing arrangements, the firm always welcomes the feedback. All feedback should also be submitted to kp****@pr************.com.

The Federal and Trade Commission (“FTC”) announced today a settlement with Twitter, Inc. (“Twitter”) in which Twitter agreed to pay $150 million for its alleged misuse of user account security data, specifically email addresses and phone numbers, for advertising purposes.  The government alleged that the misuse of account data was in violation of a 2011 FTC Order against Twitter, which prohibited the company from misrepresenting the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.  The government alleged that the misuse of consumer data also violated the EU-US Privacy Shield, and the Swiss-U.S. Privacy Shield.

The FTC press release is attached here.  The complaint is attached here, and the stipulated order is attached here.

In addition to the paying a $150 million fine, the government announced that Twitter has agreed to the following:

• Twitter will not profit from deceptively collected data;
• Users will have other options to multi-factor authentication such as apps or security keys that do not require the provision of phone numbers;
• Notify all users that Twitter misused the phone numbers and emails collected for targeted advertising and to provide users with information about Twitter’s privacy and security controls;
• Implement and maintain a comprehensive privacy and information security program which requires an assessment of the potential privacy and security requirements of new products;
• Limit employee access to users’ personal data; and
• Notify the FTC if it experiences a data breach.

With this enforcement action against Twitter, the FTC is clearly making a statement to companies in the business of collecting consumer data that they need to truthfully disclose the purposes for which data used for advertising purposes is collected, and that failure to disclose this information will have potential federal regulatory consequences.  SaaS, Tech, and digital health companies should take note of this particular enforcement action, and ensure that they avoid engaging in the same practices that were the subject of this enforcement action.

 

I was recently asked by a client whether arbitration or litigation in a SaaS contract was better. The issue had been raised by an attorney on the other side of the SaaS contract negotiation, who had not only tried to persuade my client to revise the specific clause in that case, but had also provided my client the unsolicited advice that “he should prefer litigation over arbitration” in all cases.

My client, who had elected to include an arbitration clause in his standard SaaS contract terms, was unsure what to do and how to respond, and so he reached out to me for guidance.

While the debate over whether arbitration or litigation is better for a particular organization is not a dilemma specific to the SaaS industry, it is one that clients often raise with me in frustration, hoping that I can advise them that one option is definitively “better” than the other.   The answer, like many things in the law, is not so black and white, and it should not be decided without considering the pros and cons of each option.

What happens when a SaaS or digital health contract includes an arbitration clause?

First of all, let’s assume you have no arbitration clause in your contract and a dispute arises, then the only contractually available forum to hear the dispute will be a courtroom.  If your company does not have an in-house legal department with litigators on staff, then you will need to hire a litigation support to handle the litigation process, either from the plaintiff side or the defense side.  You will incur costs every time a motion is filed or defended, and you will incur costs for discovery, depositions, mediation, and the trial preparation, all until the case is either settled or a judgment is reached.  This process could take years to go through.

On the other hand, let’s assume you have an arbitration clause in your contract and a dispute arises, then the contractually available forum to hear the dispute will be a courtroom.  However, your opponent may not want to arbitrate the case, and so your opponent may file in court first, in which case you will have to file to compel the case to arbitration.  Alternatively, your opponent may be unwilling to participate in the arbitration, so you may have to file a motion to compel your opponent participate in the arbitration.  Once you win any motion in court, you will then have to initiate the arbitration with the private organization that will handle the arbitration, which will generally be AAA or JAMS in the US, but there are other organizations that handle commercial arbitration internationally.  This will require you to pay the filing fees, which are often far higher than is required to initiate a case in a court.  Once the case is initiated an arbitrator will be appointed to hear the case, and the parties will decide on the format for the case, and the case will proceed outside of court within the private dispute resolution process of the organization selected.

What are the advantages of arbitration in a SaaS or digital health contract?

What are the advantages?  Well, arbitration is intended to be a commercial process rather than a legal process, so it is much less formal.  It also can be faster, as there is no judicial backlog to slow down the process.  There are fewer rules governing the process, so it often viewed as less predictable.  But fewer rules also means that the process is more easily managed by business-people who are not litigators.  The goal of arbitration is generally to get to a rendered decision as quickly as possible, which may be advantageous.

How is arbitration different than the standard court path to dispute resolution?

In contrast, the court option is very formal.  It can be slow, which may be a negative in some situations and a positive in other situations.  And it is governed by rules and precedent, which will require knowledge and familiarity with both to proceed through.  Most litigated cases settled, so the goal of litigation may not be to get to a judgment.  Instead, the goal may actually be to get to a settlement.

Is arbitration cheaper than going to court to resolve the dispute?

Is one option necessarily cheaper than the other?  Arbitration is generally perceived in the business world to be cheaper, due to the faster process and the relaxed rules, but because the process is a private commercial process, the fees for the administration of the case can be higher in some situations and it is still possible to incur legal fees during the process.  In contrast, discovery, depositions, and motion hearings can drive up the cost of a litigation process, both in terms of legal hours billed but also in terms of other costs.

Is an arbitration award a faster path to enforcement?

It is important to recognize that getting an arbitration award may not actually be better than a mediated settlement to the party owed an award, since a voluntary settlement may be easier to enforce than a decision.  On the other hand, the process is private and stays completely confidential and outside of court records, which may be preferred by both parties, and the informality may be less stressful on both sides of the dispute.

How to Decide between Dispute Resolution via Arbitration or Litigation When Drafting?

In the end, the choice between arbitration vs. litigation is one of personal or commercial preference.  You have to expect that a commercial litigator who spends his career in the courtroom is going to prefer to stay as far away from arbitration as possible.  In contrast, transactional lawyers are generally going to prefer to stay as far away from litigation as possible.

I generally recommend to clients that they should contemplate the type of dispute that would arise from a particular set of contract terms before deciding how they prefer to resolve that dispute.  For example, if a dispute arises, would an informal private solution to resolving the dispute be better than the formality of litigation?  Will the other side have significantly more resources to apply towards the dispute?  Would the other side benefit from delaying the resolution of the dispute and causing you to invest significant resources in the process?  What will be the anticipated filing fees for each side in the dispute?

All in all, arbitration vs. litigation is not a decision that should be made without some careful consideration of the underlying issues and the consequences of each decision.  There are valid reasons why parties gravitate to one option or the other.  It is up to your business to decide what should be your organization’s preferred standard with respect to a particular type of contract, and whether or not you will be willing to concede your position upon request by a particular client.  You may realize that your preferred position is going to be the same in every case, or alternatively, that your position may require review on a scenario-by-scenario basis.

If you have questions regarding whether to accept or reject arbitration in a dispute resolution clause in a contract, please schedule a consultation today to discuss at https://calendly.com/prinzlawoffice.

If you work in the software industry, you may be surprised to discover that digital health software products may be subject to regulation by the Food and Drug Administration (“FDA”).  Some software is considered a software as a medical device (“SaMD”) product or software in a medical device (“SiMD”) product.

So, how do you know whether or not a digital health product you are building is going to be considered a SaMD or SiMD product?

The FDA issued a “Policy for Low Risk Devices” on September 27, 2019, which provides general nonbinding recommendations to clarify its policy on health software that has been deemed not to be a device under Section 201(h) of the FD&C Act.  In this policy, the FDA specifically stated that software intended “for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease of condition” does not constitute a “device” under section 201(h) of the FD & C Act.  According to the FDA policy, general wellness products will not be examined to determine if they are devices and comply with the regulatory requirements for devices.  The FDA further defines general wellness products to include products meeting the following requirements: (1) they are intended for only general wellness use as defined in the guidance and (2) they present a low risk to the safety of users and other persons.

In the Policy for Low Risk Devices, the FDA states that a “general wellness product” has the following:

(1) an intended use that relates to maintaining or encouraging a general state of health or healthy activity, or

(2) an intended use that related the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition.

The FDA then provides examples of the specific types of uses that would fall under each category.

The FDA also states the test for assessing the degree of risk for general wellness products:

(1) Is the product invasive?

(2) Is the product implanted?

(3) Does the product involve an intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied, such as risks from lasers or radiation exposure?

If all of the above answers are “no,” then the product is deemed to be low risk and not subject to FDA regulation.

The FDA also issued a “Policy for Device Software Functions and Mobile Medical Applications” on September 27, 2019, which provided nonbinding recommendations for regulation software applications intended for use on mobile platforms or on general purposes computing platforms.

In the “Policy for Device Software Functions and Mobile Medical Applications” the FDA clarified that it intended to focus its regulatory oversight to “only those software functions that are medical devices and whose functionality could pose a risk to a patient’s safety if the device were to not function as intended.”  The FDA listed three categories of software functions that would be subject to this regulatory oversight focus:

(1) Software functions that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or analyzing medical device data.

(2) Software functions (typically, mobile apps) that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors, or by including functionalities similar to those of currently regulated medical devices.

(3) Software functions that become a regulated medical device by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations.

The FDA also clarified that it intended to exercise enforcement discretion for software functions that “help patients. . . . self-manage their disease or conditions without providing specific treatment or treatment suggestions” or “automate simple tasks for health care providers.”  The FDA listed four categories of software functions that would be subject to this regulatory enforcement discretion:

(1) Software functions that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment.

(2) Software functions that provide easy access to information related to patient’s health conditions or treatments.

(3) Software functions that are specifically marketed to help patients communicate with healthcare providers by supplementing or augmenting the data or information by capturing an image for patients to convey to their healthcare providers about potential medical conditions.

(4) Software functions that perform simple calculations routinely used in clinical practice.

The FDA also provided a list of categories of software functions that are not medical devices:

(1) Software functions that are intended to provide access to electronic “copies” of medical textbooks or other reference books with generic text search capabilities.

(2) Software functions that are intended for health care providers to use as educational tools for medical training or to reinforce training previously received.

(3) Software functions that are intended for general patient education and facilitate patient access to commonly used reference information.

(4) Software functions that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.

(5) Software functions that are generic aids or general-purpose products.

(6) Software functions that are intended for individuals to log, record, track, evaluate, or make decisions or behaviorial suggestions related to developing or maintaining general fitness, health, or wellness.

(7) Software functions that enable individuals to interact with EHR software certified under the ONC Health IT Certification Program.

(8) Software functions that provide patients with simple tools to organize and track their health information.

(9) Software functions that provide easy access to information related to patients’ health conditions or treatments.

(10) Software functions that provide patients with simple tools to organize and record their health information.

(11) Software functions that are specifically marketed to help patients document, show, or communicate to providers regarding potential medical conditions.

(12) Software functions that enable, during an encounter, a health care provider to access their patient’s personal health record (health information) that is hosted on a web-based or other platform.

(13) Software functions for health care providers certified under the ONC Health IT Certification Program, such as those that help track or manage patient immunizations by documenting the need for immunization, consent form, and immunization lot number;

(14) Software functions that help asthmatics record (i.e. collect and log) inhaler usage, asthma episodes experienced, location of user at the time of an attack, or environmental triggers of asthma attacks;

(15) Software functions certified under the ONC Health IT Certification Program that prompt the health care provider to manually enter symptomatic, behavioral, or environmental information, the specifics of which are pre-defined by a health care provider, and store the information for later review;

(16) Software functions that record the clinical conversation a clinician has with a patient and sends it (or a link) to the patient to access after the visit;

(17) Software functions that allow a user to record (i.e. collect and log) data, such as blood glucose, blood pressure, heart rate, weight, or other data from a device to eventually share with a health care provider, or upload it into an online (cloud) database, or personal or electronic health record (PHR or EHR, respectively) that is certified under the ONC Health IT Certification Program;

(18) Software functions that enable patients or health care providers to interact with PHR systems or EHR systems that are certified under the ONC Health IT Certification Program;

(19) Software functions that meed the definition of Non-Device-MDDS, which are functions solely intended to transfer, store, convert formats, and display medical device data or results, without controlling or altering the functions or parameters of any connected medical device.

(20) Software functions that display patient-specific medical device data.

(21) Software functions that are intended for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or other device, unless such function is intended to interpret that data, results, and findings.

The policies provide much more detail about the scope of the regulatory authority to be exercised over software than what can be captured in a blogpost, but this overview at least summarizes the key points of the guidance.

If you are developing a digital health software product, you will want to carefully consider how the FDA will classify your product, and you will likely want to consult with an attorney who focuses in this niche.  FDA legal practice is a narrow practice niche which includes a small circle of attorney practitioners, so it may be challenging to find a lawyer who practices in this specialty area outside of Washington, D.C.  It is possible that a medical device patent attorney in your area may have this expertise or may be able to make a good referral for you, so that is a possibility you may want to explore.

What is the concept of “Digital Health”?  If you work in the field and are still unsure of how exactly to define the term, then you are in good company: while there seems to be some consensus regarding what is included in the concept of “Digital Health,” there is still some confusion on the scope of everything that is included under the “Digital Health” umbrella.

The Food and Drug Administration (“FDA”) has attempted to answer this question by defining “Digital Health” to broadly include mobile health, health information technology, wearable tech, telehealth, telemedicine, and personalized medicine.

In contrast, the World Health Organization (“WHO”) provides a slightly different definition of “Digital Health” defining it to constitute “e-health” and emphasizing instead of the areas of technology encompassed in the term the themes or goals of the “Digital Health” movement:  strengthening health systems and public health, increasing equity in access to health services, and working towards universal health coverage.

A quick search of the Internet will quickly generate many other slightly different definitions of what actually encompasses the term “Digital Health.”

So, the truth of the matter is, if you are unclear what the parameters of “Digital Health” really are, you are not alone.  In all honesty, I am not completely clear as to what the current industry thinking is on how the concept of “Digital Health” and the concepts of “Health Technology” and “Medical Technology” overlap with one another.    The best answer is probably that the term “Digital Health” is evolving as the technology itself continues to develop.

For the purposes of the Silicon Valley Digital Health Blog, when we talk about “Digital Health,” we will be talking about the apps, software, SaaS products, and digital devices employing and connecting with this software for wellness, medical, and health care purposes.

Digital Health Lawyer Kristie Prinz explains the definition of digital health in this video recorded on February 16, 2022.

SaaS Lawyer Kristie Prinz presented on “Best Practices for Drafting SaaS Contracts” on November 19, 2021.

A copy of the video recording of the full webinar is available for viewing at this link:  https://theprinzlawoffice.vhx.tv/products/best-practices-for-saas-contracts-2021.

Have you ever heard the term “SaaS license” or “SaaS Licensing” being used among lawyers and businesspeople?

There is a misconception that there is such a concept as a “SaaS license.”  However, in fact, two principles are actually being confused: the “software license” and the “SaaS agreement.”  Why does this matter?  Well, if you do not know the type of agreement that you are drafting, you are going to confuse the important terms in the agreement, and this is going to have a huge impact on what you draft or negotiate.  In addition, if you do not know what you are drafting, this is going to impact other terms beyond the agreement such as taxes and revenue recognition.  So, the bottom line is that it does matter what you draft.

What is different about the concepts of “SaaS agreement” and “Software license” ?

Also, the concepts of “SaaS agreement” and “software license” are completely different.  In the case of a software license, the licensor grants to the licensee the rights to use a specific piece of intellectual property, the software, under certain conditions and limitations, and if you exceed the parameters of the grant, you will be infringing on the intellectual property.  The license grants licensee the right to use the software for the length of the copyright or other specific period of time and will specify who can use the software,  how the software can be used, and under what conditions the software can be used.  In contrast, in the case of the SaaS agreement, no intellectual property rights will be granted in the software.  Instead, the grantee receives access rights in the software in the cloud and in a bundle of services.  The rights that the grantee receives are more along the lines of what someone might receive to intellectual property in content posted on a website on the Internet. The internet user might have the right to view the posted content, but that right does extend to doing anything to the content beyond just viewing it.

What rights are provided in a “SaaS Agreement?

In the case of the SaaS agreement, you may have rights to certain services in addition to access rights, such as hosting, maintenance, and technical support by way of the SaaS agreement, but your rights are to services and not to intellectual property in the software.

What rights are provided in a “software license”?

In the case of the software license, the rights to hosting, maintenance and technical support are generally going to be obtained through other agreements.

Another difference between the two concepts is that in the case of the software license, you have more control and the ability to change service providers if a service is not being provided at the level you require.  In the case of the SaaS agreement, you are “stuck” if you are unhappy with the quality of any service.  So, the quality of the service delivered is far more important in the case of SaaS agreements than in the case of the software license.  You cannot just easily move your content if you are unhappy with a particular service, as you have no direct control over the content in the case of the SaaS agreement.  In essence, you delegate that control to a third party, the SaaS provider.

So, the “SaaS agreement” and the “software license” are two fundamentally different concepts, and the term “SaaS license” or “SaaS licensing” is just a confusion of those two concepts.

If you have questions about whether your SaaS agreement was incorrectly drafted as a SaaS license, please schedule a consultation with us today at https://calendly.com/prinzlawoffice.

Kristie Prinz introduces this video on digital health contracts in October 2021.

Kristie Prinz welcomes audience to the updated Silicon Valley Software Law Blog in this video recorded October 2021.

Kristie Prinz speaks on the complexities of enterprise SaaS contracts in this video recorded in October 2021.

 

Silicon Valley Lawyer Kristie Prinz will present on “Best Practices in Negotiating, Drafting, and Managing Sublicenses” on Tuesday, September 28, 2021 from 10 a.m. to 11 a.m. PT for Tech Transfer Central. To register to attend the event, please sign up at this link.

Kristie Prinz will present a webinar on “Best Practices in Negotiating, Drafting, and Managing Sublicenses” on Tuesday, September 28, 2021 from 10-11 a.m. PT. The event will be hosted by Tech Transfer Central. To register for the event, please sign up here.

Silicon Valley Tech & Life Sciences Lawyer Kristie Prinz will present a webinar on “Negotiating Consulting Services Agreements in an Uncertain Economy” on December 30, 2020 from 10 – 11:30 a.m. PST. In the program, Kristie will discuss the key risks in a consulting relationship during an uncertain economy and discuss how to negotiate the terms to minimize the risks. To learn more and register for the program, please click here.

Silicon Valley SaaS Lawyer Kristie Prinz will present “Introduction to Negotiating & Drafting SaaS Agreements” on December 14, 2020 at 10-11:30 a.m. PST. The program will provide an overview of the basic concepts that you need to know before attempting to negotiate and draft a SaaS contract. For more information about the program, please register here.

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on December 8, 2020 from 10 a.m. to 11:30 p.m. PST. To attend, please register here.

Silicon Valley Tech & Life Sciences Lawyer Kristie Prinz will present on “Negotiating Consulting Services Agreements in an Uncertain Economy” on December 30, 2020 at 10-11:30 a.m. PST. The program will address the key risks in a consulting services relationship during an uncertain economy and how you negotiate terms to minimize the risks. To learn more about the program or register, please click here.

Silicon Valley SaaS Lawyer Kristie Prinz to present a webinar on “Introduction to Negotiating & Drafting SaaS Agreements” on December 14, 2020 from 10-11:30 a.m. PST. The program will provide an overview of the basic concepts that you need to know before attempting to negotiate and draft a SaaS contract. To learn more and register to attend the program, please click here.

Silicon Valley SaaS lawyer Kristie Prinz will be presenting a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on December 8, 2020 from 10-11:30 a.m. PST. The program will provide an overview on how companies should approach the negotiating of SaaS agreements in the current economy climate and steps they can take to better protect the business in the negotiation process. To learn more about the program and register, please click here.

If you are on a law firm mailing list, it is likely that you have seen emails or alerts in the last few weeks that discuss the concept of “force majeure.”

Why has the concept of force majeure suddenly become a favorite topic of law firms around the country?  Well, over the month of March, many state and local governments have imposed stay-at-home orders on businesses and their employees.  In addition, there have been mass cancellations and closings, all as a result of the coronavirus pandemic.  The economic damage arising from these events is already affecting many contractual relationships, rendering parties unable to perform.  For this reason, the boilerplate force majeure clause included in many contracts is now anticipated to take on new significance.

If you are unclear on what exactly a force majeure clause is, this is the clause routinely included in many contracts that specifically addresses what happens if one party cannot perform a contractual obligation due to the occurrence of an event beyond that party’s control.  Such clauses generally provide that the force majeure event will not constitute a material breach provided that certain requirements are met.

So, do the events of the last month automatically permit the nonperformance of an obligation by a party to a contract if a force majeure clause exists?  As is the case with most contract interpretation issues, the answer is not so black and white.

Since this particular set of circumstances has not happened in the lifetime of most practicing lawyers, it is unlikely that the average force majeure clause specifically contemplated the possibility of a pandemic or a widespread, stay-at-home order over an extended period affecting most businesses and workers across an entire city, county, or state.  So, the first question will be: is the force majeure clause in the relevant contract drafted broadly enough to apply to specific circumstances causing the failure to perform?  A force majeure clause that specifically addressed “acts of government” may be broad enough to apply.    However, a force majeure clause that only contemplated “acts of God” or ” acts of nature” may not.  So, the specific wording of the force majeure clause will be critical.  Also, the application may be subject to interpretation, if the applicability depends on words like “beyond the reasonable control of either party” or “epidemic.”

Assuming that the definition of force majeure is defined broadly enough to apply to the particular circumstances many businesses and workers have faced over the last month, then the next question to determine will be whether the conditions were met for the force majeure clause to apply.  Many force majeure clauses impose requirements on the affected party that must be met for the force majeure clause to apply.  Have these requirements been strictly followed?  Is that answer subject to interpretation?

Then, assuming that the force majeure definition applies and the conditions were met, then the next question is whether or not there were any carve-outs for the particular obligation that has not been performed, which render the clause inapplicable?  One carve-out that I see from time to time is failure to make a payment.

Finally, assuming that the force majeure definition applies, the conditions were met, and there were no carve-outs that apply, the question will be whether the continuation of the event for an extended period then enables the other party to terminate.  It is not uncommon for a force majeure clause to specify that if the event continues for more than thirty or sixty days, then the performing party will be able to terminate.

Of course, there may be other clauses in a particular contract beyond just the force majeure clause that may apply to excuse or simply address a failure or delay in performance.  Additionally, if a party is facing the likelihood of not being able to perform, that party always has the option of simply approaching the other party directly and attempting to renegotiate the contract to specifically address the changed circumstances and contemplate a particular resolution.  In many cases, this may actually be the preferred way to tackle an unforeseen situation along the lines of what many businesses are facing as a result of the coronavirus pandemic.  However, if the other party is not open to renegotiation or other options are just not available, a force majeure clause may provide the contractual answer to the deal with the current circumstances of your business.

If you have questions or concerns about a force majeure clause and how it might apply to your circumstances, please schedule a consultation today at https://calendly.com/prinzlawoffice.

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on April 20, 2020 at 10:00 a.m.-11:30 PST.  For more information, please register at The Prinz Law Store Website.

Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting a webinar on “Best Practices for Negotiating Development Agreements in an Uncertain Economy” on April 13, 2020 at 10 a.m. – 11:30 a.m. PST.  For more information, please register at The Prinz Law Store Website.

Technology Transactions Lawyer Kristie Prinz will be presenting a webinar on “Negotiating Master Service Agreements in an Uncertain Economy” on April 6, 2020 at 10:00 a.m. PST-11:30 a.m PST.  To register, please sign up at The Prinz Law Store Website.

SaaS Lawyer Kristie Prinz presented “Best Practices for Negotiating SaaS Contracts” on March 31, 2020.

A copy of the video recording is available for viewing at this link:  https://theprinzlawoffice.vhx.tv/products/best-practices-for-negotiating-saas-contracts.

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships” on March 31, 2020 from 10-11:15 a.m. PST.  To register for the webinar, please sign up at The Prinz Law Store Website.

If your software company is like many, you are probably already contemplating the renegotiation of certain contracts due to the uncertainty and changed business conditions arising from the coronavirus pandemic.

However, the renegotiation of contracts will inevitably open your software company up to the possibility of having to agree to terms and conditions far less favorable than what you previously agreed to.  Furthermore, if not carefully drafted, any modification to an existing agreement could create legal issues that did not previously exist, leaving your software company in a vulnerable position should your company end up in a legal dispute with the other party down the road.

So, what are some practice tips for the successful renegotiation of contracts in a period of economic and business uncertainty?

First and foremost, approach contract re-negotiations as an opportunity to clarify any vague or uncertain terms in the previously executed contract.  It is critical in periods of economic and business uncertainty to fully contemplate in the contract the parties’ intentions.  So, a renegotiation is the perfect time to address any such issues that have come to light with the contract since execution.  You definitely do not want to spend the time and money on renegotiating only to leave in the contract all the problems that have previously come to light with it, any one of which could result in a contract dispute down the road.  Also, you want to think through all the possible scenarios that could arise and make certain the contract fully addresses those possibilities.  For example, right now, many cities around the world are in lockdown for a period that has been assigned an expected end date.  What happens if the date gets pushed back by three months?  How does this impact the relationship?  What happens if the date gets pushed back by six months? How does this impact the relationship?  Thinking through the implications on the contract of potential scenarios and ensuring they are appropriately address in the contract is key.

Second, approach contract renegotiation with the intention of ensuring that the terms will be a “win” for both parties.  In other words, both sides of the contract should obtain a benefit from the renegotiation, so that one side is not making all of the concessions on the mere promise of a future relationship.  For example, if one side is seeking new payment terms, consider whether the other party would benefit from a longer contractual commitment.  Good relationships require mutuality for both sides to remain satisfied with that relationship.  If one side feels forced to agree to terms against its interest, then the relationship is likely to be negatively impacted on an ongoing basis.

Third, anticipate the possibility that the contract renegotiation does not truly resolve the issue prompting the renegotiation and develop a fallback solution that will enable the parties to easily go their separate ways without the necessity of further negotiations or proceedings.  Contemplate what terms would need to be included that would allow for a clean and painless parting of ways if the issues do not end up being resolved by the modification.

Fourth, make sure you are really contemplating the full impact of the proposed modification(s) on every single clause of the contract, and not a single clause or set of clauses in the contract.  Perhaps the single most common mistake I see with contract modifications is that parties fail to contemplate how a modification affects an entire agreement and draft documents that add a lot of uncertainty into the terms.  Even a minor modification has the potential to impact all or nearly all of the clauses in a previously executed document.  Thus, make sure you have taken the time to fully contemplate the impact of a proposed modification before agreeing to it.

Fifth, make sure you identify the specific contract you are modifying, and the specific clauses you are modifying, as well as what specific modifications you are making.  Also, clearly state what happens specifically to the clauses you are not modifying.  The worst contract modifications are unclear as to the contract version being modified and/or the specific clauses being modified, and are not clear as to the effect on other clauses.  An effective contract modification is one that does not create new uncertainty.

The bottom line is that even a seemingly simple modification proposal requires careful contemplation beyond just merely the request proposed.  While it might be tempting to cut corners with a contract renegotiation in order to save on legal fees or expedite the signing of a contract modification in an uncertain economic climate,  such decisions often lead to disputes with previously good relationships that would never have arisen otherwise. It generally pays to take the time do a contract modification the right way.

If you have questions about how to best renegotiate a contract, please schedule a consultation today at https://calendly.com/prinzlawoffice.

SaaS Lawyer Kristie Prinz will present on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for Virginia-based Clear Law Institute on March 23, 2020 at 1 p.m. ET/10 a.m. PT.

Silicon Valley SaaS lawyer Kristie Prinz will be presenting on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for Clear Law Institute on March 23, 2020 at 1 p.m. ET/10 a.m. PT.

Although many businesses are concerned about the potential economic fallout of recent shelter-in-place orders in Silicon Valley as well as more limited office and business closings across the United States, the coronavirus crisis is presenting a unique sales opportunity to savvy SaaS companies, given the fact that much of the United States workforce has suddenly been forced to work remotely.

How can your company capitalize on the sales opportunities now presented by the increased demand for SaaS and other tech solutions while avoiding the legal pitfalls that can arise from economic uncertainty?

First and foremost, increased customer demand presents an opportunity to improve poorly drafted contracts, which can be more easily renegotiated in conjunction with a customer-initiated request. If your customer is looking to add user access or other services as a result of the new focus on a remote workforce, then you may want to update your customer contract at the same time, particularly given all the predictions of a post-coronavirus recession. It would be in your company’s best interests to have a strong contract in place with your customers in the event of any recession, since poor economic conditions tend to result in contract cancellations by customers. If you have never had your customer contract reviewed by a lawyer with SaaS contract expertise, now might be a perfect time to do so in conjunction with meeting any new customer demand, so that your business is better prepared to weather an economic downturn and customers looking for loopholes to walk away from your agreement.

Second, if your customer is looking to add authorized users at new locations, ensure that you are addressing the new sales by properly amending your existing contract as contemplated by the SaaS lawyer who originally drafted the contract. More often than not, I see companies making huge mistakes with subsequent SaaS sales, where they execute amendments that incorrectly override key terms in their original contracts or add significant legal loopholes into the original contracts. Obviously a poorly drafted amendment can completely undo any investment you made in a well written original agreement, and can create legal disputes where you previously had none. So, you definitely want to exercise a high degree of care to ensure that any new sales are appropriately addressed by a correctly drafted amendment.

Additionally, you need to consider whether any implementation services will be required to make these additions, whether the possibility of future implementations was contemplated by the original contract, and how the delivery of implementation services might be impacted as a result of the coronavirus pandemic or any economic conditions that might arise as a result of the pandemic. In the prior recession, implementation was one of the most commonly disputed issues between software companies and customers.

Third, if your customer has gone entirely remote, you need to anticipate a greater demand for various types of support services, which also creates new customer sales opportunities. For example, perhaps instead of one-size-fits-all free standard support, there may now be a customer demand for multiple levels of paid, enhanced support services. However, if your company suddenly decides to completely revamp support services in response to new customer demand, you definitely need to make sure such changes have been contemplated in your original contract, and to the extent they have not, make sure the contract again is appropriately amended to address a complete revamp of your support offering.

Fourth, you may find that your customer now has new custom functionality or feature development needs in response to changing service demands by the customer’s own client base, which is similarly responding and trying to adapt to the same crisis. If you are fortunate enough to have this type of opportunity arise, then you need to ensure that ownership of custom functionality features was sufficiently contemplated by the original contract with your customer, not only with respect to whether or not those features can subsequently be made available to your entire customer base but also with respect to the specific terms for costs, timetable, and specifications for development. To the extent these issues are not fully addressed by your original contract, you will want to make sure they are properly addressed by separate agreement. In light of the current crisis, you will want to ensure that any potential delays that might arise due to the coronavirus crisis have been properly addressed in the terms.

Fifth, the new circumstances may present new customer demands for live and recorded remote training that did not exist previously, which may be able to be sold at different price-points. However, again, if such an opportunity for sales presents itself, you should ensure that your original contract contemplated the possibility of different levels of training for a fee being purchased by the customer. If not, then you will want to ensure that your agreement is properly amended to reflect the new training service offerings. And of course, if your customer is seeking training to be provided by a particular instructor, you will want to ensure that the possibility of that instructor falling seriously ill to coronavirus has been contemplated and any risks properly addressed.

Sixth, the new remote circumstances may present customer demands for enhanced levels of service in terms of available bandwidth and other service enhancements, which you also may be able to make available to customers at different price-points. Should this arise, you will again need to ensure that the possibility of different levels of service was contemplated by the original agreement, and if not, appropriately amend the agreement to address this possibility.

Finally, the new remote circumstances may present opportunities to sell new professional services to your customers that you had not previously considered. Should an opportunity of this nature arise, then you will need to ensure that the possibility of future professional services was contemplated by the original agreement, and if not appropriately amend the agreement to address this possibility and then potentially draft a separate professional service agreement that addresses the contemplated services required by the customer.

All in all, the coronavirus crisis is presenting a unique business opportunity for cloud-based SaaS providers to deliver more services to a workforce suddenly forced to work remotely. However, to capitalize on the opportunity to meet the demands of a newly remote workforce, SaaS companies will need to apply a high level of care to the technical drafting of their contracts. Otherwise, to the extent they cut corners, they are likely to pay the price by attracting customer disputes in a subsequent weak economy.

To explore how you might capitalize on SaaS sales opportunities in the current business climate, please schedule a consultation today at https://calendly.com/prinzlawoffice.

Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting a series of webinars on negotiating in a very uncertain economy, sharing practice tips developed and lessons learned from the last recession. Kristie will be kicking off the series with a webinar on “Best Practices for Negotiating Master Services Agreements in an Uncertain Economy” on April 6th, followed by a webinar on “Best Practices for Negotiating Development Agreements in an Uncertain Economy” on April 13th, and and a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on April 20th. The next webinars in the series will be announced soon. To register for any of these programs, please check out the webinar notices at The Prinz Law Store Website.

SaaS Lawyer Kristie Prinz will present on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for Virginia-based Clear Law Institute on March 23, 2020 at 1 p.m. ET/10 a.m. PT.

The Prinz Law Office has revamped its standard billing options for 2020 and dramatically increased the number of fixed rate options available for clients in 2020.  Starting on January 1st, 2020, clients will have the opportunity to elect as many as five different levels of standard fixed fee options for many routinely requested services, which will enable entrepreneurs, start-ups and small businesses with limited budgets to better choose a fixed fee plan that meets their needs.

The new fixed rate options will significantly expand the firm’s existing alternative billing arrangements.  The firm announced in early 2019 the launch of a new subscription and fixed hour billing program, which will continue to be offered in 2020.  For more information about the firm’s billing options, please contact us.

If your company is like many, you have known about the upcoming effective date of the California Consumer Privacy Act (“CCPA”), but are still making last minute preparations in advance of it going into effect.

If you are one of many procrastinators out there just starting to think about the law, here is a recap of some highlights for you:

• Your business is subject to the law, regardless of its location,  if any one of the following is true:
  • Your company has gross annual revenues in excess of $25 million.
  • Your company buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
  • Your company derives 50 percent or more of its revenues from selling consumers’ personal information.

• The CCPA creates new rights for California consumers: (a) the right to know; (b) the right to delete; (c) the right to opt out; and (d) the right to non-discrimination.
• You must provide notice to consumers at or before the point of data collection of the personal information to be collected and the purposes it will be used.
• You must provide clear and conspicuous notice to consumers of the right to opt out of the sale of personal information, which includes providing a “Do Not Sell My Personal Information” link on the website or mobile application.
• You must respond to requests for consumers to know, delete, and opt-out within specified timeframes (generally 45 days).  Privacy settings to opt out must be treated as a validly submitted opt out request.
• You must verify the identity of consumers who make requests to know or to delete, regardless of any password-protected account settings with the business.
• You must disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how the value of the personal information is calculated, and explain how the incentive is permitted under the CCPA.
• You must make available to consumers at least two or more designated methods for submitting requests, including at a minimum a toll-free phone number, and if you maintain a website, a website address by which to submit requests.  However, a business that operates exclusively online and has a direct relationship with the consumer from who it collects personal information is only required to provide an email address.
• You must make your privacy policy accessible to consumers with disabilities, or to provide consumers with disabilities information on how they can access the policy in an alternative format.
• You must make your privacy policy available in a format where consumers can print it out in a separate document.
• You must ensure that the privacy policy explains how a consumer can designate an authorized agent to make a request on the consumer’s behalf.
• You must retain records of all requests and responses to requests for at least 24 months; provided that businesses that buy or sell personal information of more than 4 million consumers annually have additional reporting obligations.

Also, if your business qualifies as a “data broker” you are required to register with the Attorney General by January 1, 2020.  How do you know if your business is a “data broker”?  Your business knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.  Three categories of businesses are excluded from these obligations:  (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.

The CCPA, its amendments, and regulations define more compliance obligations that businesses should be familiar with, but this list is a good starting point in advance of the effective date.

Obviously, even if your business is not subject to these laws, these privacy requirements will now constitute the best practices for doing business in California, so all businesses should seriously consider incorporating these privacy practices into their standard privacy practices and procedures.

SaaS Lawyer Kristie Prinz will present an upcoming webinar for Tech Transfer Central on December 10, 2019 from 10 a.m. to 11 a.m. PST on “Drafting and Negotiating SaaS Agreements: Best Practices for University Tech Transfer Offices.”  To read more about this program or register, please check out the Tech Transfer Central website: https://techtransfercentral.com/marketplace/distance-learning/drafting-and-negotiating-saas-agreements/.

Software Lawyer Kristie Prinz presented a webinar on “Legal Developments in the Software Industry” on November 21, 2019.  A copy of the video recording is available for viewing at this link:  https://theprinzlawoffice.vhx.tv/products/legal-developments-in-the-software-industry-2019.

SaaS and Software Lawyer Kristie Prinz to Present Webinar on November 21, 2019 on “Legal Developments Impacting the Software Industry 2019.”  The program will provide an overview of what software companies need to know about key legal developments in 2019 and practical steps that they should be taking in response to those developments.  At this webinar you will learn about:

• Key state law developments impacting the industry, including but not limited to the California Consumer Privacy Act, which goes into effect January 1, 2020;
• Federal regulatory activity impacting the software industry, particularly with respect to the Federal Trade Commission (“FTC”);
• Cases and trends in litigation impacting the software industry; and
• Best practices to navigate the current legal landscape.

The Prinz Law Office is sponsoring a webinar on November 21, 2019 on “Legal Developments Affecting the Software Industry.”  The program will provide an overview of what software companies need to know about key legal developments facing the software industry and steps they should be taking to respond to those legal developments.  For more information or to register for the event, please check out:https://prinzlawstore.com/2019/10/legal-developments-impacting-the-software-industry-2019/

SaaS Lawyer Kristie Prinz will be presenting a webinar on Tuesday, December 10, 2019 for Tech Transfer Central on “Drafting and Negotiating SaaS Agreements: Best Practices for University Tech Transfer Offices.  To register, please sign up at https://techtransfercentral.com/marketplace/distance-learning/drafting-and-negotiating-saas-agreements/.

SaaS companies in the business of brokering data are on notice: the state of California intends to keep you on a tight leash.

In anticipation of the January 1, 2020 effective date of the California Consumer Privacy Act (“CCPA”), California took yet another bold step to protecting the personal information of Californians when it passed  a new data broker law on October 11, 2019, which applies to anyone in the business of collecting and selling the personal information of consumers:  AB-1202 establishes a new compliance framework for data brokers.

What is California’s New Data Broker Law?

Under the new law, data brokers will be required to register with the Attorney General, pay a registration fee, and provide their name, physical address, email, and website address, which will be publicly displayed online.  Any data broker who fails to register will be (a) subject to injunction and liable for civil penalties, fees, and costs at a rate of $100 for each date that the data broker fails to register; (b) liable for an amount equal to the fees due during the period it failed to register; and (c) the expenses incurred by the Attorney General in the investigation and prosecution of the action.

What is a Data Broker under the California Law?

What businesses are defined as “data brokers” under the law?   The law defines “data broker” to mean a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”  The law specifically excludes three categories of businesses from the definition of “data broker”: (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.  “Personal information” is defined to have the meaning provided in subdivision (o) of Section 1798.140, so publicly available information may be excluded to the extent the data is used for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained

California’s New Data Broker Law Applies to Companies Selling Data

So, if your company is in the business of selling data in any capacity, not only do you need to prepare for the January 1, 2020 launch of the CCPA, you also need to prepare to register with the state of California as a data broker.  Businesses will be required to register on or before January 31st following each year when your business meets the definition of a “data broker.”

News Update 10.22.19

In anticipation of the California Consumer Privacy Act (“CCPA”) going into effect on January 1, 2020, California Governor Gavin Newsom has just signed into law seven amendments to the statute, and the California Department of Justice published the text of its new regulations to be adopted in furtherance of the CCPA.

The signed bills are as follows: AB 25, AB 874, AB 1146, AB 1355, AB 1564, and AB 1130.  The text of the published regulations are made available here.  The deadline to submit written comments is 5 p.m. on December 6, 2019.   California is accepting comments submitted in accordance with the instructions posted on this Office of the Attorney General website: https://www.oag.ca.gov/privacy/ccpa.

So now that there is a little more statutory and regulatory clarity on what exactly will be going into effect on January 1st, 2020, SaaS and tech companies are in a better position to start preparing for the law to take effect.

CCPA Compliance Requirements

So, what does your SaaS or tech company need to know about complying with the California law as of January 1, 2020, as the California privacy laws collectively stand today?

First of all, your business will be subject to the law if at least one of the following are true:

• Your company has gross annual revenues in excess of $25 million;
• Your company buys, receives, or sells the personal information of 50,000 or more consumers, households or devices;
• Your company derives 50 percent or more of its revenues from selling consumers’ personal information.

“Consumer” is currently defined as a natural person who is a California resident.  “Personal information” is currently defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirect, with a particular consumer or household” and includes not only name, address, and social security number, but also purchasing history or tendencies, biometric information, internet activity, geolocation data, employment information, and education information.  However, publicly available information and de-identified or aggregate consumer information is now specifically excluded from the definition.  “Business” is currently defined to include for-profit businesses as well as other legal entities.

CCPA Consumer Rights

Second all, California consumers are going to have certain new rights that your business will be responsible for ensuring:

• A Right to Know (a) the specific pieces of personal information the business has collected about the consumer; (b) the categories of personal information it has collected or sold about that consumer; (c) the purpose for which it collected or sold the categories of personal information; and (d) the categories of third parties to whom it sold the personal information.
• A Right to Delete personal information held by your business or by a service provider of your business; provided that, however, there will be some exceptions, where it is necessary for your business or service provider to do any of the following: (a) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with consumer, or otherwise perform a contract between the business and the consumer; (b) detect security incidents; protect against malicious, deceptive fraudulent, or illegal activity; or prosecute those responsible for that activity; (c) debug to identify and repair errors that impair existing functionality; (d) exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law; (e) comply with the California Electronic Communications Privacy Act; (e) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent; (f) to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (g) to comply with a legal obligation; or (h) to otherwise use consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.  If you or your service provider does not delete consumer’s information upon request, you must inform the consumer as to why and notify the consumer of any rights he or she has to appeal the decision, and you must do it within the timeframe you would have had to delete the information.
• A Right to Opt Out of the Sale of personal information.  “Sale” is defined to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other consideration. The proposed regulations provide more clarification on the practices businesses should follow to ensure this right to opt out of the sale.    In the case of children under the age of 16, your business cannot sell their personal information unless they have opted-in to the sale.  In the case of children under 13, a parent or guardian must opt-in on behalf of the child.  The proposed regulations further define the rules related to the protection of children.
• A Right of Non-Discrimination.  Your business will be prohibited from discriminating against a consumer for exercising his or her rights under the CCPA.  Discrimination will be defined to include denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer, or suggesting that the consumer will receive a different price or quality of goods or services; provide that you will be able to charge a different price or rate, provide a different level or quality of goods or services, or offer financial incentives if the difference is reasonably related to the value provided to the business by the consumer’s personal data, so long as the business practice is not unjust unreasonable, coercive, or usurious in nature.  The proposed regulations further define how the right of non-discrimination will be implemented.

CCPA Business Obligations

Third, businesses will now have other new business obligations to consumers, including the following:

• Provide notice to consumers at or before the point of collection of the categories of personal information to be collected from them and the purposes they will be used.
• Provide clear and conspicuous notice to consumers of the right to opt-out of the sale of personal information in the form of a “Do Not Sell My Personal Information” link on their website or mobile application.
• Respond to requests from consumers to know, delete, and opt-out within the specified timeframe (generally 45 days).  The proposed regulations require businesses to treat privacy settings to opt out selected by a consumer as a validly submitted opt out request.
• Make available to consumers at least two or more designated methods for submitting requests for information, including at a minimum, a toll-free phone number, and also specify other business practices for handling requests by consumers.
• Verify the identity of any consumer making a request to know or delete.  Password protected account settings are not considered sufficient verification.  The proposed regulations require a business unable to verify a request to comply to the greatest extent it can even if it denies a request.
• Disclose financial incentives offered in exchange for the retention or sale of consumer’s personal information (as specified by the proposed regulations), including a short summary of the incentive, a description of the summary and the categories of personal information impacted, an explanation of how a consumer can opt-in to the incentive, a notice to consumer that he or she has the right to withdraw at any time and how he or she can exercise this right, and an explanation of why the incentive is permitted under California privacy law.
• Retain records of all requests and responses to those requests for at least 24 months; provided that businesses (alone or in combination) collecting, buying or selling the personal information of more than 4 million consumers annually are subject to extra  recordkeeping obligations.
• Disclose a privacy policy which describes consumer’s rights under California privacy law, how to submit requests to exercise rights under California privacy law, and information regarding their data collection and sharing practices.  The proposed regulations define additional requirements for the privacy policy, including that it must be accessible to consumers with disabilities or provide consumers with disabilities information on how they can access the policy in an alternative format;  that it must be in a format where consumers can print it out as a separate document; it must explain the right of a consumer not to receive discriminatory treatment; and it must explain how a consumer can designate an authorized agent to make a request on the consumer’s behalf under California privacy law.
• Train employees or contractors handling consumer requests on compliance with California privacy law and directing consumers to exercise their rights under California privacy law; provided that businesses collecting, buying or selling the personal information of more than 4 million consumers are subject to higher  training obligations.

CCPA Conflicts with GDPR

Fourth, businesses are now going to have to reconcile the requirements of the European Union’s General Data Protection Regulation (“GDPR”) with California’s privacy laws.  In particular, California’s Department of Justice has advised businesses to be wary of the following:

• Data inventory and mapping of data flows to demonstrate compliance with the GDPR may have to be re-worked to reflect the different requirements of California.
• Processes and/or systems set up to respond to individual requests for access to or erasure of personal information will need to be reviewed in order to apply different definitions of what constitutes personal information and different rules on verification of consumer requests.
• Contracts with service providers or data processors adopted to comply with the GDPR may need to be rewritten to reflect the requirements under California law.

Regardless of whether  your SaaS or tech company is going to meet the threshold to be subject to the new California law when it goes into effect,  it would be prudent to start incorporating these new requirements into your company’s privacy practices and procedures, since they will at the very least become the new best practices for businesses serving California consumers effective January 1, 2020.  It goes without saying that companies who will be subject to the law when it goes into effective need to take steps to become compliant immediately, as the law is set to go into effect in less than 75 days.

If you have questions regarding the CCPA and your company’s compliance obligations, schedule a consultation with today at this link.

News Update 10.17.19

SaaS Lawyer Kristie Prinz presented a webinar on “Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships” on October 8, 2019.   A copy of the video recording is available for viewing at this link:  https://theprinzlawoffice.vhx.tv/products/best-practices-for-negotiating-saas-contracts-1

The Prinz Law Office will be sponsoring a webinar on October 8, 2019 on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships.” Firm Founder and SaaS attorney, Kristie Prinz, will be presenting this webinar, which will be intended not only for in-house counsel and other attorneys, but also for founders, businesspeople and CFOs dealing with SaaS agreements.

To register to attend, please sign up at The Prinz Law Store website at https://prinzlawstore.com/2019/08/saas-contracts/.

The Prinz Law Office will be sponsoring a webinar on October 8, 2019 on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships.” The firm’s own Silicon Valley SaaS attorney, Kristie Prinz, will be presenting this webinar, which will address such issues as:

• What makes an effective SaaS customer contract?
• What are the essential terms in a well-drafted SaaS contract?
• What are the common issues that arise in SaaS negotiations? What are the best strategies to resolve them?
• What are the best practices to manage the customer relationship?

To register to attend, please sign up at The Prinz Law Store website at https://prinzlawstore.com/2019/08/saas-contracts/.

If you are in the software business, you likely recognize that you can be sued for materially breaching contracts, infringing third party IP, and data breaches but you may not realize the extent of your liability just for making the sale of a software product deemed to contain a security flaw in the first place, even if the security flaw was never exploited and only identified.

Increasingly, however, just the act of selling software later deemed to be “defective” due to security flaws  has resulted in liability to companies.

The Federal Trade Commision (the “FTC”) has recently imposed fines and put in place ongoing oversight on companies for this type of issue.

But as Cisco just discovered,  if the sales were made to a federal or state agency, the mere act of making the sale can also result in significant liability.  Cisco has agreed to pay $8.5 million to settle a case originally filed in New York Western District Court in 2011 involving the sale of video surveillance technology to a variety of government organizations, including but not limited to Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and the Federal Emergency Management Agency.

According to The New York Times, the Cisco case was initiated by the Justice Department in the Federal District Court for the Western District of New York, and the allegations were based on violations of the False Claims Act, which addresses fraud and misconduct in federal government contracts.  Fifteen states and the District of Columbia joined in the suit.  As The New York Times reported, the argument made by the government was that the software had no value because if failed to serve its primary purpose of security enhancement.  According to The New York Times, the flaw was identified back in 2008 by a Cisco subcontractor, who brought it to the company’s attention at that time.  However, as The New York Times reported, the subcontractor was subsequently terminated, and when he realized two years later that the vulnerability was still not fixed, he contacted the FBI.  The New York Times reported that Cisco continued to sell the software with the flaw until July 2013, when if finally notified customers and fixed the flaw.

While the Cisco case applies only to sales made to government, a class action suit is pending right now on similar facts, where the sales were made to non-government consumers.  The class action lawsuit was initiated late last year against Symantec for critical defects in its security products under the Norton Brand.  It is not clear as to the status of that litigation.

The bottom line: if you are selling software that provides security functionality, you need to have internal systems in place to identify security flaws and quickly fix the flaws, particularly if the software is being sold to a government organization.  However, if you are selling to the general public, you may still be liable for sales of the software containing security flaws, whether liability is assessed through the FTC or through class action litigation, regardless of the terms of your contract for those sales.

When your company releases its next software update, you may want to consider the potential legal implications of the release.  There seems to be a new trend in class action litigation: suits over software updates.

As Reuters first reported, an owner of a Tesla vehicle has filed a lawsuit against Tesla, Inc. claiming that a software update fraudulently limited the battery range of older vehicles, which reduced the distance that they can travel without recharging the vehicles.  Reuters reported that the lawsuit was filed in a Northern California federal court and seeks class action status for owners of Model S and X vehicles around the world.

According to Reuters, the lawsuit claims that the software update was released with the intention of avoiding liability for defective batteries.

CNET reports that the affected owners claim to have lost some eight kilowatt hours of capacity after the software update, which occurred back in May, 2019, and that the affected cars are older model S and X vehicles, which have batteries that should still be covered under the eight (8) year warranty on the batteries.  InsideEvs explained the argument as Tesla “enter[ing] [owners’] garages and replac[ing] a 40-gallon tank for a 20-gallon tank.”

Tesla is not the first company to be sued for a software update and how the update affected the performance of a device.  Apple has also been the subject of numerous suits in the past few years on a similar issue.  This Business Insider article reports on the legal controversy involving Apple regarding an update affecting battery performance.  Class action suits were also filed against Microsoft over its Windows 10 upgrade strategy.  See this Consumeraffairs.com article.

While these cases all pertain to software that controlled performance of a device, whether batteries or computers, it seems clear that with the increasing reliance on software functionality across so many industries, lawsuits over software updates are likely to continue.

So, the next time your company contemplates a software update or upgrade, it may be prudent to to contemplate the legal implications of the release and whether or not it is likely to result in litigation.  You also may want to reconsider the sufficiency of your legal agreements in place with the parties to whom you are sharing the updates or upgrades before making available the new software.   Software companies are clearly on notice that they may be sued for updates or upgrades, if they are alleged to have a negative impact on customers or users after the release.

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on August 9, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

The CARIN Alliance, which is a coalition of companies from the health and tech industries, has just announced the release of a new standard for sharing health claims data in conjunction with the Blue Button Developers Conference.  The announcement is linked here.

The newly released standard is linked here:  CARIN Blue Button Implementation Guide CI Build.

According to FierceHealthcare, the standard was developed by working group comprised of alliance members and includes more than 240 claim data elements.  FierceHealthcare reports that 20 organizations, including Apple, Anthem, Blue Cross Blue Shield, Cambia Health Solutions, Google, and Humana have agreed to test an application programming interface (“API”) employing the standard in anticipation of a product lunch of the standard next year.

CNBC reports that the significance of the news is that this is the first time that industry has agreed to standards for sharing claims data to third party developers, and the Alliance aspires not only to make the data available to consumers but also to provide fraud detection functionality and functionality to help consumers avoid paying bills with errors in them.

FierceHealthCare reports that the new standard “builds” on Blue Button 2.0, which was released by the Centers by Medicare and Medicaid Services (“CMS”) last year and is an API enabling Medicare beneficiaries to access to their Medicare claims data.   A web page dedicated to Blue Button 2.0 is linked here.  FierceHealthCare reported on the  Blue Button 2.0 initiative by CMS  here.

Obviously the development of new digital health standards is a victory for the digital health industry, which has arguably been slow to develop industry standards along the lines of what exist in the tech industry generally.

For more information on how to join The Carin Alliance, click here.  For a list of alliance members, please click here.

Silicon Valley Software Lawyer Kristie Prinz will be presenting an upcoming webinar with FieldFisher partner Laura Berton on “Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, Other Key Provisions” for Strafford on Thursday, July 25th from 10 a.m. to 11:30 a.m. PST.   For more information on the program, please click here.

The Software Industry is closely following legislation in California that, if passed, could have a huge impact on Gig workers and the software companies that rely on them.

The legislation at issue is AB 5, which would codify and expand the California Supreme Court’s recent decision in Dynamex Operations v. Superior Court (2018) 4 Cal. 5th 903.  The text of the proposed legislation is available here.

According to The Intercept, the bill was sponsored by Lorena Gonzalez, a Democratic assemblywoman from San Diego.  The Intercept reports that that California is losing an estimated $7 billion in payroll tax annually due to the misclassification of employees as independent contractors, so the state is eager to close the loophole.

Obviously, Uber and Lyft, directly oppose the legislation, since it would directly impact their current Gig worker business model.  In fact,  The Los Angeles Times has reported that Uber and Lyft have actually paid drivers to organize protests against the legislation.

For Uber and Lyft, the obvious concern is that the passage of AB-5 in California could prompt other states to pass their own versions of the legislation, or even, that similar legislation could be passed at the federal level, which could potentially expand the impact of the legislation far beyond the borders of California.

Both The Intercept and  The Los Angeles Times are reporting that Uber and Lyft have each warned investors of this potential risk in recent regulatory filings.  Indeed, an investment publication,  Investorplace, warns that the passage of the bill will have a very detrimental impact on both companies.

The bottom line is that software companies who have built business models around the Gig worker model may soon be forced to either cease operations in California or, alternatively, to change their models for the state, if AB-5 is passed and signed into law, so if your company has been developed around this model or you are building a company relying on this model, you will want to follow this legislation closely as it moves through the California legislature.

News Update 7.17.19

Multiple media outlets are reporting today that the Federal Trade Commission has agreed to settle its case against Facebook on its privacy  practices for $5 Billion.

The Wall Street Journal reports that the vote by FTC commissioners was 3-2 in favor of accepting the agreement and split along party lines with the Republican majority favoring the settlement.  According to The Wall Street Journal, the matter next goes the the Justice Department’s civil division for final review.

According to the Mercury News, assuming reports are correct, this will be the largest fine imposed to date by the U.S. government on a tech company.  The Washington Post reports that the fine is more than 200 times higher than any previous fine.

Interestingly enough, The Wall Street Journal is reporting that the fine obtained by the FTC exceeds what the European Union could have obtained under its privacy laws.

The Washington Post predicts that the settlement will impose serious consequences on Facebook that go far beyond just a $5 billion fine.  However, The Washington Post acknowledges that the dissenting commissioners opposed the settlement because they wanted some assessment of personal liability against CEO Mark Zuckenberg; commissioners reportedly decided to accept a settlement without any such assessment in order to ensure that the matter did not end up in litigation.

While controversial, the FTC’s enforcement action in this matter still sets a significant precedent for the software industry with respect to the consequences of not protecting data uploaded to or generated by  software.  Software companies are on notice: the FTC is closely following your privacy practices and may assess fines in the billions of dollars against you if you fail to take sufficient steps to protect user data.

As The New York Times and The Washington Post recently reported, facial recognition software is being heavily utilized by government agencies, who are using the software to search state driver’s license databases, despite the fact that most of the photos in the databases are of citizens who have never committed a crime and have never given any sort of consent to the searches.  The reports have raised concerns about the lack of regulation and oversight currently with respect to the use of facial recognition software by law enforcement.

According to a report by The New York Times, since 2011, the FBI has run nearly 400,000 facial recognition searches  of federal and local databases, including DMV records.   The Washington Post reports that the FBI is currently running about 4000 searches per month.

Moreover, The New York Times and The Washington Post are reporting that in states offering driver licenses to undocumented immigrants, Immigration and Customs Enforcement (“ICE”) is  using the software to conduct searches on undocumented immigrants.

The Washington Post reports that twenty-one (21) states and the District of Columbia allow federal investigators to scan driver’s license photos, and that those searches generally require no more than an email request to conduct the search.

A number of lawmakers in Washington are raising concerns about the recent revelations, and two cities, San Francisco and Somerville, MA, have now imposed a ban preventing police and public agencies from using the software.  The Washington Post reports that a privacy coalition has petitioned the Homeland Security Committee for the Department of Homeland Security (“DHS”) to stop using the technology.

What are the arguments being raised in favor of greater regulation of law enforcement’s use of the technology?

First and foremost, proponents for greater regulation argue that running facial recognition searches against photos of law-abiding citizens is a huge privacy violation.  Secondly, they argue the scope of it use by law enforcement is too broad, since it has been used not only for the identification of criminal suspects but also to find witnesses, victims, and bystanders. Third, they argue its use often constitutes a breach of trust, since states encourage undocumented immigrants to submit their information to the databases and then proceed to to tun it over to ICE.  Fourth, they argue that use of the software heightens the risk of misidentification and false arrest due to inaccuracies with how certain facial features are detected.

All in all, it is clear that law enforcement considers facial recognition software to be a valuable investigative tool.  However, there are clearly some valid concerns with how the software is being used that warrant further consideration.  Should law enforcement really be able to conduct these types of searches without a warrant?  Should ICE be able to conduct searches of undocumented immigrants who have been encouraged to submit information for inclusion in a database? What kind of checks should be in place on law enforcement’s use of software that that has inherent inaccuracies?

Clear Law Press Release 7.5.19

Strafford Press Release 7.5.19

Internet of Things (“IoT”) companies  are on notice: the FTC is concerned about the the security of software installed to IoT and smart home products and is prepared to take enforcement action against companies to ensure that consumers are protected.

The FTC has just announced the proposed settlement of its case against D-Link filed in January, 2017, which mandates that D-Link put in place and maintain a comprehensive software security program for the next 20 years that incorporates certain specified requirements, including a “secure software development process” that incorporates specified software development safeguards to ensure the security of its devices.

These FTC imposed requirements include the following:

• Specifying in writing how functionality and features secure the devices;
• Engaging in threat modeling to identify potential security risks;
• Reviewing every planned release of code with automated static analysis tools;
• Performing pre-release vulnerability testing on each planned release of code;
• Performing ongoing code maintenance to address vulnerabilities as they are identified;
• Adopting remediation processes to address identified security flaws at any stage of the development process;
• Monitoring research on possible vulnerabilities to devices;
• Setting up a process for receiving and validating vulnerability reports from security researchers;
• Making automatic firmware updates to devices;
• Notifying customers at least 60 days in advance of any decision to stop making security updates to a devices; and
• Providing biennial security training for personnel and any vendors involved with the device software.

In addition to imposing the above requirements on D-LInk, the order gives the FTC the power of oversight to ensure ongoing compliance, and requires D-Link to obtain routine third party assessments by a professional with credentials specified by the FTC to perform in-depth reviews of D-Link’s security practices.  The FTC specifically mandates that the assessment meet an approved standard as defined by the FTC: the International Electrotechnical Commission (“IEC”) standard for the secure product development life cycle.   The FTC announcement is attached here and its order is attached here.

What prompted the FTC case against D-Link?  The FTC complaint filed against D-Link alleged a failure by D-Link to take “reasonable” steps to secure software constituting “unfair acts or practices in or affecting commerce, in violation of Section 5 of the FTC Act, 15 U.S.C. Sections 45(a) and 45 (n)” and misrepresentations regarding D-Link’s security practices constituting a “defective act or practice, in or affecting commerce in violation of Section 5(a) of the FTC Act, 15 U.S. C. Section 45(a).”  The FTC Complaint against D-Link is attached here.

What do companies engaged in IoT software development need to take away from this enforcement action?  First of all, companies need to be aware that the FTC is applying its regulatory powers against companies to ensure that they are securing software in accordance with any representations made to consumers.  Second of all, companies need to be aware that the FTC is looking to certain published standards by the IEC to provide the industry standards for software in this space, so IEC compliance certification may provide the measure of a company’s compliance with its security obligations.  Third, the FTC has provided some suggested guidelines for companies to follow in the following publications: Careful Connections: Building Security in the Internet of Things and  Start With Security: Lessons Learned from FTC Cases. 

The Federal Trade Commission (“FTC”) has put software companies and software service providers on notice it intends to interpret the Gramm-Leach-Bliley Act’s Safeguards Rule broadly to apply to businesses which make available software or services that serve financial, payroll, and accounting purposes and collect sensitive data on consumers and their employees.

The FTC recently announced its settlement of a complaint filed against LightYear Dealer Technologies, LLC which does business as Dealerbuilt, which required Dealerbuilt as condition of the settlement to develop, implement and maintain an information security program that incorporates the minimum requirements specified by the FTC and submit to third party compliance assessments and annual certifications over a period of the next 20 years.

The FTC’s specified minimum requirements for Dealerbuilt’s information security program  included the following:

• Develop, implement, maintain and record in writing an Information Security Program;
• Make available the written program, evaluations of the program, and updates on the program, to the company’s board of directors or governing body, or if none exists, the senior officer responsible for the program at least once per annual period and after any data breach;
• Identify an employee or employees responsible for the coordination of the program;
• Provide written assessment annually and after any data breach of any potential data breach risks;
• Develop written safeguards to ensure data security including the following:
  • Training of all employees at least once every annual period on how to protect personal information;
  • Technical measures monitoring networks, systems to identify attempted data breaches;
  • Access controls on databases containing personal information, which (a) restrict the ability to connect to only approved IP addresses; (b) require authentication to access the databases; and (c) limit the access of employees to only those databases as necessary to perform their duties;
  • Encrypt all social security numbers and financial account information;
  • Implement policies and procedures for secure installation and inventory on an annual basis
• Perform assessment annually and after any data breach of the sufficiency of safeguards and modify the program as necessary;
• Conduct test annually and after any data breach of effectiveness of safeguards, which shall include vulnerability testing every four months and after a data breach, and annual penetration testing, as well as after any data breach;
• Ensuring that contracts with any service providers ensure compliance with safeguards; and
• Evaluate and make adjustments to program upon any changes to operations or business or in event of any data breach. or on an annual basis.

The FTC Order also mandates that an information security assessment be conducted initially and biennially by a third party professional approved by the Associate Director for Enforcement for the Bureau of Consumer Protection at the FTC, and that the assessor will be required to provide the documents relevant to the assessment to the FTC for review within 10 days following the completion of the initial review and then on demand.  Furthermore, the Order requires the senior corporate manager or senior officer of Dealerbuilt to submit annual written certifications to the FTC, and that within a reasonable time following any discovery of a data breach, or at least 10 days following the provision of first notice of any data breach, Dealerbuilt must send a report to the FTC of any data breach, which meets certain specified requirements.  Also, the Order permanently enjoins  all individuals affiliated with Dealerbuilt from violating any provisions of the Safeguards Rule, and makes the Order applicable to all businesses connected to Dealerbuilt, which Dealerbuilt is to be broadly interpreted and Dealerbuilt is required to identify in detail via compliance reports, accompanied by sworn affidavits.

The FTC also imposes broad recordkeeping requirements on Dealerbuilt through the Order, requiring Dealerbuilt to create and retain for the next 20 years accounting records of all revenues collected, personnel records, consumer complaint records and responses to those records, and any documents relied upon to prepare mandate assessments and to demonstrate full compliance with the order.

Finally, within 10 days of any request by the FTC, Dealerbuilt is required to furnish compliance reports to the FTC or other requested information accompanied by sworn affidavits.

The FTC announcement is attached here and the Order attached here.

What prompted this broad enforcement action by the FTC against DealerBuilt? According to the FTC Complaint, a series of security failures resulted in the breach of a backup database through a storage device beginning in late October 2016, which resulted in the breach of personal information of nearly Seventy Thousand consumers, which included full names and addresses, telephone numbers, social security numbers, drivers license numbers, and birthdates of consumers as well as wage and financial account information of dealership employees.  The FTC Complaint further alleges that Dealerbuilt failed to detect the breach and only learned of it after a customer called its chief technology officer demanding to know why customer data was publicly available on the Internet.

The FTC Complaint alleged that Dealerbuilt was a financial institution as defined by Section 509(3)(A) of the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6809(3)(A) as a result of being “significantly engaged in data processing for its customers, auto dealerships that extend credit to customers.”  The Complaint alleged that the “failure to employ measures to protect personal information” constituted an “unfair act or practice” and that the failures to (a) “develop, implement, and maintain a written information security program”; (b) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information” and “assess the sufficiency of any safeguards in place to control those risks”; and (c) to design and implement basic safeguards and to regularly test or otherwise monitor the effectiveness of such safeguards” constituted a violation of the Safeguards Rule and an unfair or deceptive act or practice in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.

What should software companies and service providers take away from this FTC enforcement action?  First and foremost, the FTC is making a definitive statement that if you are in the business of providing software or software services that have any sort of financial or accounting function to them, you are a financial institution for purposes of Gramm-Leach-Bliley and the Safeguards Rule is going to be deemed to apply to your business.  Second, the FTC considers service providers accountable for the protection of any personal data they collect or store.  Third, the FTC expects businesses using third party software or providers to have contracts in place with those software companies or service providers imposing security requirements, monitoring requirements, and explicitly requiring them to follow websites reporting on known vulnerabilities.  Fourth, the FTC expects businesses to train and supervise employees on how to ensure the security of the company.  The FTC specifically points businesses in its announcement to comply with its publication, Start with Security: Lessons Learned from FTC Cases.FTC Puts Software Companies and Service Providers on Notice of Broad Enforcement Powers Under Gramm-Leach-Bliley Act Safeguards Rule

Two app developers have filed suit against Apple, Inc. over its App Store practices, following the recent decision by the U.S. Supreme Court in favor of consumers allowing a class action suit on similar issues to proceed.  The case was filed in the U.S. District Court for the Northern District of California (San Jose).

According to Bloomberg, the developers’ suit is also a class action suit on behalf of developers nationwide whose products are sold through the App Store.  Bloomberg  reports that the developers claims are on antitrust grounds and also allege violations of California’s Unfair Competition Law, and that they are represented by a law firm based in Seattle, Hagens Berman, which previously won a $650 million settlement against Apple and other e-book publishing companies on  similar claims in 2016.

The U.S. Supreme Court case which just ruled in favor of consumers, presented a legal question as to whether consumers had standing to sue Apple, since developers, rather than consumers, have the direct, contractual relationship with Apple.  However, the U.S. Supreme Court decision did not decide on the merits of the case and only decided whether the class action suit could proceed.  Clearly, the developers would be presumed to have standing to bring a class action suit and the same legal question would not be relevant.

The timing of these suits coincides with increasing calls in Washington for greater regulation at the federal level of Apple as well as its fellow tech giants Amazon, Facebook, and Google, particularly with respect to federal antitrust law and the handling of consumer data.  The New York Times is reporting that the four companies are in the process of assembling an “army of lobbyists” to defend them in Washington, spending a combined total of $55 million in lobbying last year.

Needless to say, the tech industry is under fire for many of its business practices, and it seems likely that some changes are on the horizon, regardless of its best efforts to maintain the status quo.

Do you have legal questions related to the App store?  Schedule a consultation today to discuss your concerns at this link.

Two app developers have filed suit against Apple, Inc. over its App Store practices, following the recent decision by the U.S. Supreme Court in favor of consumers allowing a class action suit on similar issues to proceed.  The case was filed in the U.S. District Court for the Northern District of California (San Jose).

According to Bloomberg, the developers’ suit is also a class action suit on behalf of developers nationwide whose products are sold through the App Store.  Bloomberg  reports that the developers claims are on antitrust grounds and also allege violations of California’s Unfair Competition Law, and that they are represented by a law firm based in Seattle, Hagens Berman, which previously won a $650 million settlement against Apple and other e-book publishing companies on  similar claims in 2016.

The U.S. Supreme Court case which just ruled in favor of consumers, presented a legal question as to whether consumers had standing to sue Apple, since developers, rather than consumers, have the direct, contractual relationship with Apple.  However, the U.S. Supreme Court decision did not decide on the merits of the case and only decided whether the class action suit could proceed.  Clearly, the developers would be presumed to have standing to bring a class action suit and the same legal question would not be relevant.

The timing of these suits coincides with increasing calls in Washington for greater regulation at the federal level of Apple as well as its fellow tech giants Amazon, Facebook, and Google, particularly with respect to federal antitrust law and the handling of consumer data.  The New York Times is reporting that the four companies are in the process of assembling an “army of lobbyists” to defend them in Washington, spending a combined total of $55 million in lobbying last year.

Needless to say, the tech industry is under fire for many of its business practices, and it seems likely that some changes are on the horizon, regardless of its best efforts to maintain the status quo.

Silicon Valley Software Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on August 9, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

Press Release 5.1.19

Silicon Valley Software Attorney Kristie Prinz will be presenting an upcoming webinar with FieldFisher partner Laura Berton on “Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, Other Key Provisions” for Strafford on Thursday, July 25th from 10 a.m. to 11:30 a.m. PST.   For more information on the program, please click here.

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on May 6, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

The Prinz Law Office is pleased to announce the opening of its new San Francisco office. To read the press release announcing the opening, please click on the link:  Press Release.

Silicon Valley Software Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on May 6, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

Tech Lawyer Kristie Prinz Presented on “Best Practices for Drafting MSAs” on March 8, 2019.  A copy of the video recording is available for viewing at this link: https://theprinzlawoffice.vhx.tv/products/best-practices-for-negotiating-msas.

Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting a webinar on “Drafting Master Service Agreements & Managing the Service Relationship” on Friday, March 8, 2019 at 10 a.m. PST/1 p.m. PST. The Prinz Law Office will be sponsoring the event. To register, please sign up here:http://prinzlawstore.com/2019/01/best-practices-for-drafting-master-service-agreements-managing-the-service-relationship/

SaaS Lawyer Kristie Prinz presented “Best Practices for Drafting SaaS Contracts & Managing SaaS Relationships” in February, 2019.

A copy of the video recording of the full webinar is available for viewing at this link: https://theprinzlawoffice.vhx.tv/products/negotiating-saas-contracts-feb-2019.

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships” on February 19th from 10-11 a.m. PST. The program will be sponsored by The Prinz Law Office and is intended for lawyers as well as businesspeople. To register, please sign up at: http://prinzlawstore.com/2019/01/drafting-saas-contracts-managing-saas-customer-relationships/.

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on February 8, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute, which is making available a 35% discount off the registration fee if you use the discount code KPrinz148075.  To register, please sign up here:   https://clearlawinstitute.com/shop/webinars/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-020819/. 

Press Release 2.1.19

Press Release Best SaaS Practices 1.31.19

Press Release 1.31.19

Silicon Valley Tech Transactions attorney Kristie Prinz will present a webinar on “Best Practices for Drafting Master Service Agreements & Managing the Service Relationship” on Friday, March 8th from 10 a.m to 11 a.m. PST. The Prinz Law Office will be sponsoring the event, which will be intended for lawyers as well as businesspeople. To register, please sign up at http://prinzlawstore.com/2019/01/best-practices-for-drafting-master-service-agreements-managing-the-service-relationship/.

Silicon Valley software attorney Kristie Prinz will be presenting a webinar on February 19, 2019 at 10 a.m. PST/1 p.m. PST on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships.” The program will be sponsored by The Prinz Law Office, and is intended for lawyers as well as businesspeople. To register to attend the program, please sign up at http://prinzlawstore.com/2019/01/drafting-saas-contracts-managing-saas-customer-relationships/.

I was pleased to join Santa Clara Law School Professor Eric Goldman and other privacy experts in urging California to make revisions to the California Consumer Privacy Act (“CCPA”):

https://blog.ericgoldman.org/archives/2019/01/41-california-privacy-experts-urge-major-changes-to-the-california-consumer-privacy-act.htm

Press Release 1.14.19

The Prinz Law Office is pleased to announce the opening of its new Palo Alto office. To read the press release announcing the opening, please click on the link: Press Release 1.14.19.

Legal commentators have been raising alarms about the significant potential impact of The Foreign Investment Risk Modernization Act of 2018 (“FIRRMA”), since the legislation was signed into law in August, 2018. In case you are unfamiliar with FIRRMA, the legislation dramatically expanded the powers of the Committee on Foreign Investment in the United States (“CFIUS”) to conduct national security reviews of business deals, which obviously could have significant implications on the business community’s ability to close business transactions. The U.S. Treasury has developed a website that highlights for the public key points about FIRRMA and this review process. In particular, FIRMMA now expands CFIUS review powers to include the following types of business deals:

• A purchase, lease, or concession by or to a foreign person of real estate located in proximity to sensitive government facilities.
• “Other Investments” by a foreign person in any unaffiliated U.S. business that owns, operates, manufactures, supplies, or services critical infrastructure; produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Other investments” is defined to mean an investment that affords a foreign person access to material, nonpublic technical information in possession of the U.S. business, membership or observer rights on the board of directors or equivalent governing body of the U.S. business, or the right to nominate an individual to a position on the board of directors or equivalent voting body, or any involvement other than the voting of shares in the substantive decisionmaking of the U.S. business; the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the U.S. business; the use, development, acquisition or release of critical technologies; and the management, operation, manufacture, or supply of critical infrastructure.
• Any change in rights that results in foreign control of a U.S. business or an “other investment” as defined above.
• Any transaction, transfer, agreement, or arrangement, the structure of which is intended to evade the review of the Committee.

FIRRMA further defines “critical technologies” to include “specially designed and prepared nuclear equipment, parts and components, materials, software and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities)” as well as “emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018. ” While the list of what constitutes an “emerging and foundational” technology has yet to be defined, most legal commentators are expecting the list to include software that does not relate to nuclear technology, particularly in the areas of artificial intelligence, autonomous mobility, augmented virtual reality, cybersecurity, and financial technology. So, while the legislation is new and the full scope of its application and subsequent interpretation has yet to be determined, it is anticipated by most commentators that many software transactions involving foreign investment in a U.S. business will ultimately be deemed to be subject to the new CFIUS review powers. What does this mean for the software and tech industry? Well, the full impact of the law is yet to be determined and is more the subject of extensive speculation in the legal industry at the moment, but it does mean that software and tech companies could be subject to more federal compliance obligations when they are doing deals that involve foreign investment, that these compliance obligations could slow down or even derail the closing of some deals, and that some companies could potentially be subject to significant fines up to the amount of the deal if they fail to comply with their new obligations. So, it certainly means that U.S. based software and tech companies need to be aware of FIRRMA and need to closely follow any future developments related to the law, in order to potentially comply with it on future deals.

The software industry is raising concerns about the potential consequences of Australia’s recent passage of legislation to provide law enforcement with expansive new powers to compel the disclosure of encrypted data. According to ITPro, the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” was approved by a 46-11 majority in the Australian parliament last month. As The Verge reports, the newly passed legislation grants to law enforcement new notice powers of mandatory technical assistance and technical capability, which “require companies to give access to encrypted data if available, or to build the capacity to provide such access if they are unavailable.” Additionally, as reported by The Verge, the legislation grants a voluntary technical assistance request power “that does not have to be publicly reported.” According to The Verge, the fine for noncompliance can be up to $10 million AUD (approximately $7.2 million USD). The Verge reports that the new law also uniquely enables the Australian government to approach individuals such as key employees in order to compel their cooperation rather than limiting the enforcement powers to merely compelling cooperation by institutions. The penalty for any individual’s failure to cooperate could result in a prison sentence. As Wired has reported, the legislation has been strongly opposed by the tech industry on the grounds that “if Australia compels a company to weaken its product security for law enforcement, that backdoor will exist universally, vulnerable to exploitation by criminals and governments far beyond Australia.” Also, as Wired has noted, any company that complies with Australia’s law is likely to then be required to provide the same access to another country. Fortune suggests that the legislation is particularly intended to target What’sApp and Signal. According to The Verge, Apple’s position on the legislation has been that “encryption is actually a defense against cyberattacks and terrorism” and that “more of it is needed to make citizens safe, not less.” Apple took its concerns directly to the Australian parliament, according to Threatpost, which has posted a letter reportedly submitted by Apple to parliament. Threatpost also reports that Cisco and Mozilla have also been vocal in their opposition to the legislation. Commentator and human rights lawyer Lizzie O’Shea also observes to The Verge that “once these [backdoor] tools exist, then it would be easy for Australian authorities to share them with their counterparts in allied nations,” particularly since Australia is part of the Five Eyes intelligence sharing agreement in which Great Britain, Canada, New Zealand and the United States also participate. The Australian government’s position, according to The Verge, is that the powers are necessary to defend citizens against terrorism and crime and that the powers will not introduce a “systemic weakness” into the technology. However, a prevailing criticism has been that “systemic weakness” is not actually defined by the legislation. Fortune reports that the Australian Labor Party is already seeking to amend the legislation, particularly to define “systemic weakness.” Clearly, Australia’s new legislation has the potential to have a far-reaching impact on software companies and individuals working in the software industry.

News Update 1.8.19

Silicon Valley SaaS Contracts Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on February 8, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute, which is making available a 35% discount off the registration fee if you use the discount code KPrinz148075.  To register, please sign up here:   https://clearlawinstitute.com/shop/webinars/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-020819/. 

Silicon Valley SaaS Attorney Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on October 26, 2018 at 10:00 a.m. The program will be sponsored by Virginia-based Clear Law Institute.  To register for the event, sign up at  https://clearlawinstitute.com/shop/webinars/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-102618/.   Clear Law Institute has made available a discount code for the course: you can receive a 35% discount with the promo code: KPrinz119433.

If your SaaS company is like most, you postpone the procurement of insurance policies until you absolutely have to obtain them, expecting to be able to obtain whatever you need on demand.

However, if your SaaS company anticipates a significant deal is on the horizon,  you should be anticipating your needs in advance of actually starting those negotiations, or you may find yourself in a situation where you have to commit to maintaining insurance during the relationship that you may not actually be able to buy on the open market.  Why is this a problem?  Well, this puts you in the position of potentially breaching the terms of the “significant” deal before you ever start performing those terms, which can obviously have serious consequences for your company’s business if your breach is ever discovered.  Since the usual insurance terms in these types of deals require the submission of certificates of insurance as proof of coverage, any failure to procure the insurance required is not likely to stay undiscovered for an extended period.

Notwithstanding the foregoing, even if you do not breach the terms of the negotiated deal, it is far better to negotiate the scope of indemnification risks you will be incurring with advance knowledge of the terms of the insurance policies you already have in place, as you can then negotiate limits of liability within the coverage of the insurance coverage previously obtained.

So, what types of insurance requirements should a SaaS company anticipate when it goes to negotiate a significant deal?

First and foremost, SaaS companies should anticipate the requirement of a general commercial liability policy.  This is a standard commercial insurance policy that every business, regardless of whether or not in the software industry, should keep.

Second of all, SaaS companies should anticipate the requirement of a commercial auto insurance policy to cover the risk that employees or contractors may have an accident while traveling back and forth to a customer or business partner’s work site.

Third of all, SaaS companies should anticipate the requirement of an errors & omissions policy to cover the risk that company workers will intentionally or negligently act in a way that harms the customer or business partner.

Fourth, SaaS companies should anticipate the requirement of a cyberinsurance policy to cover the risks of hack attacks, data breaches, and third party cybercrimes, as well as notification costs and other costs to remedy a breach after it occurs.

Fifth,  SaaS companies should anticipate the requirement of an umbrella policy to cover losses in excess of the insurance limits available.

What types of limits of coverage should a SaaS company anticipate?  In my experience, larger deals will come with larger expectations, so the more significant the deal, the more insurance your company should be lining up in advance.

The bottom line is that doing some advance planning with respect to insurance before your software company commences negotiations on a significant deal will save your company the worry down the road of being discovered to be in breach of the deal you just closed if you find that meeting the insurance requirements you agreed to is not quite as easy as you anticipated.  Furthermore, it will enable you to go into negotiations better prepared to be able to negotiate terms that actually protect your company.

If you have questions about your SaaS company’s insurance planning, please schedule a consultation today at https://calendly.com/prinzlawoffice.

If your company has just landed a big tech or software development project for a third party, do not underestimate the importance of the agreement in protecting the revenue stream you are being offered in exchange for your development services.

The typical tech or software development agreement requires lump sum payments in installments throughout the term of the relationship.  Also, the typical development agreement will have at most a statement of work connected with the project and will rarely be accompanied by technical specifications or milestones, with respect to which approval can be sought at the various phases of the development.

Why can this be a problem?  Well, if your company agrees to take on a large tech or software development project and has not defined contractually in detail the technical specifications and standards required to be performed, or developed detailed milestones that can be tied to satisfaction of particular phases of the project, how exactly can you prove that you earned the money paid in installments if the customer pulls the plug on the project at any stage?  How exactly do you prove that you fulfilled your responsibilities with respect to the development project if you never actually reached agreement as to the technical terms of the development project?

The reality is that it can be very hard to enforce an agreement when the key terms of the relationship were never actually memorialized in writing.  While the risk of not being able to enforce your agreement may be low in low dollar value development projects, that risk escalates dramatically as the dollar value of the project also increases into the hundreds of thousands of dollars or even millions.

In general, when I see disputes involving tech or software development projects, the dispute can almost always be attributed to a poorly drafted agreement between the parties.

So, what can you do to minimize your risks of taking on a tech or software development project?

First and foremost, obtain help from experienced technology transactions counsel when your company is first approached with a potential development project.  An experienced attorney in this space can guide you through the negotiation process at the early stages, so that you don’t have to renegotiate terms that have already been agreed to by the potential development partner.  It can be very hard to get partner buy-in on developing and memorializing good technical terms when the parties are already weeks or months into the negotiation the deal.

Second of all, ensure that the technical specifications and requirements for the project have been defined in detail, and develop milestones throughout the development process, which can be approved.  Also, develop a process that is very well-defined within the contract to  obtain that approval.  If a specific timeline is required at any part of the process, develop terms that reflect the agreed upon timeline as well.

Third, instead of merely requiring payment by installments through the development work, develop payments that are tied to the accomplishment of specific well-defined milestones, in order to ensure that your company is can prove that any payment received was earned a s a result of the successful accomplishment of the applicable milestone(s).

The bottom line is that a big tech or software development project should be accompanied by a very detailed, technically-specific development agreement if a company prefers to avoid big legal headaches down the road.   It is in your company’s best interest to ensure that any development agreement that the parties execute is drafted to protect the anticipated revenue stream from the development project.

If your company is contemplating a tech or software development project and is concerned about avoiding future legal headaches, schedule a consultation today at https://calendly.com/prinzlawoffice.

Prinz Law Announcement 10.3.18

Webinar Mailer 10.26.18

Press Release 10.3.18

The Prinz Law Office is pleased to announce the launch of a new alternative legal billing solution for our clients in the software/SaaS, tech and health tech/digital health, and IT/healthIT industries: the subscription billing model.  We have been following the recent popularity of this model with California companies, and have decided to adopt our own version.  We believe that it may be a good fit for clients with ongoing firm needs, particularly in the transactional space.  Our new plans will be based on daily and half-daily billing, eliminating traditional hourly timekeeping for clients who choose this option. For more information on how a subscription solution would work, please contact Kristie Prinz at kp****@pr************.com or 408.884.854.

What are the top mistakes the average company will make when it enters into a SaaS deal, when the company has not involved an experienced SaaS lawyer early in the negotiations?

Companies Negotiate with the Wrong Technology Contract 

First and foremost, the most common mistake with all types of technology negotiations, but especially with negotiations in the SaaS space, is that companies handling their own SaaS negotiations often end up negotiating with the wrong contract as the starting point.  For example, the parties may negotiate from a software license template when they need a SaaS agreement template instead, or they may negotiate from a master services agreement or a hosting agreement when the deal they were doing actually involved SaaS terms. A knowledgeable software attorney will know and understand that the terms of a well-drafted template will be completely different based on the technology model under negotiation and will be able to ask the right questions in order to identify the right technology model and therefore the necessary baseline terms that need to be addressed in a well-drafted agreement.

Companies Negotiate with the Right Technology Contract But One that was Written for a Different Product or Relationship

Another common issue is that even if the parties choose the right initial type of contract to begin the negotiations with, they begin the negotiation with a template that was designed for an entirely different product or relationship than what is currently being contemplated: a SaaS agreement transaction. Obviously, it is going to require less negotiation to reach a good deal when the starting point for the negotiation is a set of proposed terms that applies to the right type of technology transaction and the particular product or relationship under negotiation.  Also, the terms of the signed contract are far more likely to be meaningful when they were developed around the right product and services.  Otherwise, they are likely not to include the key deal terms or contemplate any of the issues that could come up between the parties.  The firm sees many signed contracts that are little better than a handshake because the terms agreed to are almost completely irrelevant to the transaction.  An experienced SaaS attorney is going to be able to ask the right questions to determine whether the contract terms were written for the appropriate product or services.

The Contracts Do Not Sufficiently Contemplate how the Relationship will Evolve

A third issue is that the contracts do not sufficiently contemplate how the relationship will evolve over time.  A standard practice in the industry is to rely exclusively on a list of prices to determine on the fee-related issues in the agreement.  What is typically missing is all the terms that explain how the pricelist will be implemented.  While this might not be fatal to the relationship if there is some sort of initial agreement on the price to be paid overall, few SaaS business relationships are up-front, fixed price relationships.  Most relationships now are intended to generate recurring revenue streams and anticipate new fees as new seats, services, and functionality are added.  So, a mere pricelist is almost never adequate to support an ongoing relationship.  Thus, if an experienced SaaS attorney is not involved with the deal, there is a high likelihood that the contract signed will not have all the necessary terms to explain precisely how all the fees will be assessed going forward.

They Overlook the Technical Concerns About the Transaction

A fourth issue typically overlooked by a SaaS contract negotiated without the assistance of experience SaaS counsel are all the technical concerns about the transaction.  In many software deals, the service level is absolutely critical to the transaction.  However, more often than not, the service level agreement being relied on by the parties was copied off the Internet and has absolutely no significance or relevance to the service being offered or provided.  Also, even where the service level agreement was obtained in a more thoughtful way, it is very common to find the agreement full of terms that are so poorly written or that have so many carve-outs that it is completely unenforceable.  In addition, many relationships contemplate the performance of a variety of services which are never addressed in the contract at the technical level required to reach any sort of understanding regarding those services.  An experienced SaaS counsel will be able to ask the right questions to understand all the technical aspects of the deal between the parties and will be able to determine all the terms that have been omitted from the contract before it is executed.

They Fail to Contemplate the Possibility of Suspension of Services

A fifth issue typically missed when a contract is negotiated without the assistance of experienced counsel is the contemplation of all the issues that could arise with regard to the suspension of services.  Today, the service provider frequently has the ability to “suspend” a company’s access to the software and the data stored therein at any time and could just as easily erase all of that data.  However, few contracts that the firm sees really address the issue of suspension at the level required to address all possible issues that could arise between the parties.  An experienced SaaS counsel will ask the right questions to identify these issues and address them in the contract.

They are Overly Focused on the Negotiation of the Indemnification Clause

A sixth mistake is contracts that contain elaborately negotiated indemnification clauses but never really contemplated all the related issues such as whether the indemnification could ever be enforced and whether the focus of the indemnification clause negotiated was on the liabilities most relevant to the transaction.  An experienced SaaS counsel will be knowledgeable about software indemnification clauses and all the issues relevant to the clauses in order to ensure that the maximum amount of protection is in place.

The bottom line is that an experienced SaaS counsel understands technology sufficiently to ask enough questions about the relationship envisioned to determine all the key terms that were never contemplated in the agreement, and can add that additional level of skill and expertise to the negotiation of the deal that a general business lawyer or business person simply cannot.   Technology deals are fundamentally technical and only someone that understands technology and technical deals sufficiently is going to be able to evaluate proposed terms sufficiently to negotiate them appropriately in order to look after the party’s best interests.

Does your company have a SaaS deal on the table right now that you are trying to negotiate?  Schedule a consultation with experienced SaaS counsel today at this link.

If your company is a SaaS company, you may come across a customer or prospective business partner who insists on the inclusion of a source code escrow agreement as part of the deal terms.   If this scenario arises, you may be inclined to immediately agree to the prospective customer or business partner’s terms in order to close the deal you are negotiating.  However, what are the five things your SaaS company needs to know about source code escrow before you agree to include source code escrow in the terms of a transaction?

Choose a Source Code Escrow Product Intended for SaaS Companies

First of all, you should know that the standard source code escrow product was not designed for SaaS and is probably not going to be very effective for a customer or business partner if they ever need to rely on it.  The traditional source code escrow offering was intended for a traditional software product, which is downloaded to hardware and is updated or upgraded on a periodic basis.  In the traditional source code escrow agreement, the deposit materials are generally only updated a few times a year.  However, in the SaaS product scenario, the product is often updated on a continuous basis, so updating the deposit materials only a few times a year is unlikely to be sufficient.  Similarly, in a traditional source code escrow agreement, the backup and storage of the data is unlikely to be addressed.  However,  in the SaaS agreement scenario, the customer or business partner is unlikely to have access to the data in the cloud, so the party receiving access to the deposit materials is more likely to expect the backup and storage of SaaS data to be a key component of the escrow relationship.

For this reason, many technology escrow companies are offering a special escrow products intended for SaaS only, which provide for the continuous update of deposit materials and include data as part of the deposit materials.  The SaaS version of the escrow product is more likely to provide uninterrupted access to the full set of materials that the customer or business partner previously had access to in the cloud, so it is likely to be the better fit for the customer or partner seeking source code escrow as part of the deal terms.

Anticipate that SaaS Source Code Escrow Products Will be More Expensive

Secondly, you should know that the SaaS version of the  source code escrow product will likely be more expensive than the traditional product since it is going to be a more labor-intensive solution.  A source code escrow company can expect in a SaaS product scenario to perform significantly more services to ensure that the escrow works if needed than it would have had to perform in a traditional software scenario, given the ongoing nature of the updates and upgrades.  As a result, the costs of SaaS escrow are likely to be significantly higher than traditional software escrow, which should certainly be contemplated in the allocation of escrow costs between the parties.

Obtain License Rights to Use the Escrowed Source Code in a Release Scenario

Third, you should know that you may not be able to obtain the rights you are seeking to use the escrowed code in a release scenario.  In SaaS, users typically receive access rights rather than license rights to the use of the intellectual property.  As a result, a SaaS provider can build products that incorporate open source code and offer access rights to the end product, even though the provider is prohibited from distributing the software otherwise.  The SaaS provider can also incorporate third party code into the product that cannot be sublicensed to third parties, even in an escrow scenario.  So, it is certainly possible that the SaaS provider will not have the necessary rights in the SaaS product to be able to authorize the license grant to the escrowed materials, which could potentially result in the customer or business partner receiving physical copies of the source code and data but not having the rights necessary to use the copies procured.

Address Transitioning Services and Know-How Transfer in Source Code Escrow Agreement

Fourth, you should consider that mere possession of a functional copy of the source code and data may not be sufficient for a customer or business partner to continue using the software and applicable data in the event of a release condition.  In fact, the customer or business partner may require transitioning services or access to the SaaS provider’s know-how before it is able to resume use of the software.  Consequently, transitioning services and know-how transfer may be important considerations that need to be addressed in any escrow terms.

Contemplate the Responsibilities and Liabilities of the Respective Parties Regarding Data and Potential for Data Breach as Well as the Availability of Cybersecurity Insurance

Fifth, you should consider that the very nature of SaaS escrow may result in the escrow provider having control over any collected data uploaded to the SaaS product and that the escrow provider could be vulnerable to a data breach arising from the acts or omissions of an employee or third party.  Thus, the deal terms should contemplate the responsibilities and liabilities of the respective parties regarding the data and the potential for a data breach, as well as any available insurance coverage to protect against this risk.

Will SaaS Source Code Escrow Will Meet Your Needs?

All in all, while escrow products are now available and on the market, which may meet the needs of a prospective customer or business partner seeking source code escrow to a SaaS product, a SaaS provider will have a variety of considerations to contemplate before acquiescing to such demands in a negotiation.  In the end, the decision of whether or not to agree to escrow terms should be based on a careful evaluation of all of the above considerations.

If your SaaS customer is asking to include source code escrow in a transaction, or you are contemplating the pros and cons of proposing it to close a customer deal, schedule a consultation today to discuss how source code escrow agreements might work in your transaction at this link.

If you run a SaaS company, you may come across a negotiation where a prospective customer or business partner insists on the inclusion of source code escrow in the deal terms.  However, the traditional source code escrow product is unlikely to provide the protections that your prospective customer or business partner is seeking.  The Silicon Valley Software Law Blog addresses the issue of source code escrow products designed for SaaS products and what SaaS companies need to know about them in the following blogpost:

http://www.siliconvalleysoftwarelaw.com/what-saas-companies-need-to-know-about-source-code-escrow-agreements/

News Update 6.29.18

Software companies are still taking steps to comply with the European Union’s General Data Privacy Regulation (“GDPR”), which just recently went into effect, but they now are facing the prospect of having to comply with a law closer to home: California’s New Consumer Privacy Act of 2018.  The Silicon Valley Software Law Blog discusses this development at the following blogpost:

http://www.siliconvalleysoftwarelaw.com/in-aftermath-of-gdpr-california-passes-consumer-privacy-act-of-2018/

Press Release 6.26.18

Silicon Valley SaaS Contracts Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on October 26, 2018 at 10:00 a.m. The program will be sponsored by Virginia-based Clear Law Institute.    To register for the event, sign up at  https://clearlawinstitute.com/shop/webinars/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-102618/.   Clear Law Institute has made available a discount code for the course: you can receive a 35% discount with the promo code: KPrinz119433.

SaaS Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on June 11, 2018 at 10:00 a.m. The program will be sponsored by Virginia-based Clear Law Institute.  To register for the event, sign up at the Clear Law Institute website.

 

News Update 5.3.18

If your Silicon Valley company relies on Gig workers as part of its business model, then the California Supreme Court’s ruling is likely to have significant consequences for your business.  The Silicon Valley Software Law Blog discusses this ruling at the following blogpost:

http://www.siliconvalleysoftwarelaw.com/california-supreme-court-strikes-blow-to-software-industry-reliance-on-gig-workers/

News Update 4.25.18

News Update on SB 822

News Update 

Drafting Software Hosting Agreements for ASP & SaaS Hosting

With the impending repeal of net neutrality at the federal level, California is currently considering the passage of a net neutrality bill to restore net neutrality at the statewide level.  The Silicon Valley Software Law Blog discusses the proposed bill at the following blogpost:

http://www.siliconvalleysoftwarelaw.com/california-to-consider-bill-that-restores-net-neutrality/

If your software company has pursued Privacy Shield certification and is relying on the certification to comply with EU data privacy regulations, then you will be interested to know that a challenge to the framework is to be heard by a European High Court.  The Silicon Valley Software Law Blog has addressed this development and what it may mean for the Privacy Shield framework in the following blog post:

http://www.siliconvalleysoftwarelaw.com/irish-court-has-referred-case-to-european-court-which-challenges-privacy-shield-will-the-eu-u-s-privacy-shield-framework-withstand-scrutiny-by-the-european-high-court/

SaaS Attorney Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on June 11, 2018 at 10:00 a.m. The program will be sponsored by Virginia-based Clear Law Institute.  To register for the event, sign up at the Clear Law Institute website.

 

The European Union’s General Data Protection Regulation (the “GDPR”) will go into effect on May 25, 2018.  In case you are not up to speed on the law already, what do you need to know about it before it goes into effect?  The Silicon Valley Software Law Blog addressed the highlights of the regulation in the following blogpost

:http://www.siliconvalleysoftwarelaw.com/what-software-companies-need-to-know-about-the-eu-general-data-protection-regulation/

Software Contracts Lawyer Kristie Prinz will give a live webcast for Florida-based MyLawCLE on “Drafting Software Hosting Agreements for ASP and SaaS” on March 15, 2018 from 1 to 3 p.m. PST.

Press Release 3.15.18

Software Contracts Lawyer Kristie Prinz will give a live webcast for Florida-based MyLawCLE on “Drafting Software Hosting Agreements for ASP and SaaS” on March 15, 2018 from 1 to 3 p.m. PST.

How do you identify a poorly written software contract, whether it is supposed to be a software license, a SaaS contract, or another type of agreement?  Firm Founder Kristie Prinz provides tips on how to identify bad software contracts in the following Silicon Valley Software Law Blog post:

http://www.siliconvalleysoftwarelaw.com/signs-you-are-reviewing-a-poorly-written-software-contract

Software Lawyer Kristie Prinz will be featured as a speaker on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for a webinar hosted by Arlington, Virginia-based Clear Law Institute on Wednesday, February 21, 2018 from 10-11:15 a.m.  PST.

Silicon Valley Software Lawyer Kristie Prinz will be featured as a speaker for the webinar “Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, Other Key Provisions” for the Atlanta, Georgia-based Strafford on January 23, 2018.

Silicon Valley SaaS Lawyer Kristie Prinz will be featured as a speaker for the webinar “Negotiating Software as a Service Contracts” for the Arlington, Virginia-based Clear Law Institute on Wednesday, January 17th from 10-11:15 a.m.  PST.

Press Release for February 21, 2018 webinar

Press Release on January 23, 2018 Webinar