A Comprehensive SaaS Security Solution by McAfee


Alex Goldman, reporting for Internetnews.com in his article McAfee Embraces SaaS Security, covers McAfee’s recent announcement of its latest SaaS security offering, Total Protection Service 5.0. McAfee’s senior vice president and general manager for SaaS, Marc Olesen, is quoted:

“The SaaS security market is growing a little over 30 percent per year, three or four times faster than the on-premises security software market.”

McAfee sees the competitive advantage of Total Protection Service 5.0 in the breadth of the offering, which covers DLP, compliance, vulnerability scanning, e-mail, network protection and endpoint protection. Its competitors in this market are Symantec and Trend Micro. Although SMBs will find the product’s “Security Center” straightforward and easy to use, the solution is not aimed at the SMB market alone; McAfee plans to market it to large enterprise customers as well. One interesting feature is that vulnerability scanning can be run from outside the customer’s network, from points of presence (POPs) at ISPs. That gives the same outside-in view of the perimeter that an attacker on the internet would have, which an on-premises scanner sitting inside the network does not provide. Pricing is per user and depends on the number of modules employed, with volume discounts available. McAfee envisions that some enterprises will choose a mix of the protections the product provides alongside competencies the enterprise builds on its own.


Obama Appoints IT Security Czar

Michael Markulec, COO of Lumeta Corporation, writes in CIO Update that the Obama Administration has appointed Melissa Hathaway as Advisor to the President on National Cyber Security. For a more comprehensive review of the appointee and her relationship to the Bush Administration, see Siobhan Gorman’s article in the Wall Street Journal, Hathaway to Head Cybersecurity Post. Markulec is all for the newly created position. He points to the disconnect between the federal government and the private sector when it comes to our infrastructure and the control systems that run its most important industries, and he states the obvious: their connection to the internet leaves them open to cyber-attack. He also echoes Hathaway’s concern that ordinary hand-held devices can be used to conduct foreign and industrial espionage.

I’m sorry, but I just don’t see anything new, or any quantum leap towards more effective cyber security, in this newly created position. But one only needs to read further and the newness becomes apparent. Markulec predicts, and I agree with him, that new regulations are on the way. He compares the coming regulations for the IT community and the CIO to the Sarbanes-Oxley legislation aimed at corporate CFOs. Well, I guess we all know how that went. Do we really need more regulations, or do we just need enforcement of the existing laws? If we use our latest string of financial debacles as our guide, I guess arguments can be made for both sides. Some might say that if Congress had not blocked the creation of regulations for Freddie Mac and Fannie Mae, we might not have had the subprime mortgage meltdown. Others might argue that if the SEC had only investigated and enforced its own existing regulations, the Bernie Madoff Ponzi scheme would have been discovered much sooner, with less devastating financial losses for investors.

I think the Obama Administration may have tipped its hand about what may or may not be coming down the pike as it relates to cyber security, and that, I am afraid, is more of the same. Gorman reports that James Jones, the National Security Advisor, has requested a further study on cyber security, and Hathaway is tasked with conducting this 60-day study. So the end result will be a study that collects and discusses issues that are apparently already known. Will the ends justify the means? Will we have tougher regulations for CIOs, as Markulec predicts, and if we do, will they be enforced and make any difference? That remains to be seen.

SaaS Vendors: A Legal Checklist


Given the differences between traditional “on premise” software licensing and the newer software as a service (“SaaS”) offering, adjustments in how customers contract for these services were bound to follow. We owe a debt of gratitude to Gene Landy of the law firm Ruberto, Israel & Weiner, P.C. in Boston, MA. In his article 8 Legal Tips for SaaS Vendors, Landy has put together a list of eight items a SaaS vendor should consider while developing its offering. Including some or all of these tips in your contract may be a smart decision. Here is a brief summary of those legal tips:

1.     Look for restrictions in your own software licenses:  As you develop your offering, check whether the licenses for the software you build on prohibit use as a service bureau, or restrict remote access or use as an Application Service Provider.  You would not want your SaaS application to be in violation of any of these restrictions.

2.     Has your contract model evolved?  Initially the SaaS offering came in a two-part form: first a software license, then a hosting agreement.  Today the more common contract model is to treat the arrangement as a subscription and not mention licensing in the agreement at all.

3.     The tax man:  Your customers may be interested to know that most states do not levy a tax on services as they do on the sale of a license.

4.     Trials:  The SaaS vendor can include a trial period bundled into the subscription agreement.

5.     Required upgrades limit the SaaS vendor’s maintenance costs:  Require customers to upgrade, and eliminate having to maintain prior releases.  Running a single current release also means every customer receives a security fix at the same time, rather than some customers staying on an older release with a known hole.

6.     Security:  It is fine to tout your security measures, but never promise 100% guaranteed data protection.  This is IT after all, and you are using the internet.  Describe the specific controls you actually operate and commit to those, rather than to an outcome nobody can guarantee.

7.     Consider SAS 70 as a selling feature:  You can provide your customers with an extra level of comfort, and some of your customers may actually require a SAS 70 report.  Strictly speaking, SAS 70 is not a certification: it is an audit report issued by an outside accounting firm on the controls the vendor itself has described.  A Type I report covers the design of those controls at a point in time; a Type II report also tests whether they operated effectively over a period, typically six months or more.  Customers should read the report to see which controls are covered and which exceptions were noted, rather than treating the existence of a report as a blanket statement that the vendor’s security is adequate.

8.     Data breach notification:  In the event of a data breach, most states require that notification be sent to the individuals whose data was exposed.  Make sure that your customers do not attempt to place that obligation upon you; the costs could be prohibitive.  Note, however, that most of those statutes still require a vendor that maintains data on a customer’s behalf to notify the customer promptly once a breach is discovered, so expect your agreement to carry a notice-to-customer duty at a minimum, and make sure your incident response process can actually meet it.

This is by no means an exhaustive list, but Landy has hit some key issues. I found it very informative and helpful.


SaaS Contracting: Tips Leading to the Decision and What to Include in the Agreement


There are many items to consider before deciding to adopt a SaaS approach for your IT operation.  Marcia Gulesian, a software developer, project manager, CTO, CIO and author of numerous feature articles on IT, has captured the salient points in her article SaaS: Financial, Legal & Negotiation Issues.  As the title suggests, the financial implications should be addressed first.  Gulesian has a very descriptive section on the differences between buying a software application and leasing it.  She discusses the difference between owning an asset, with the tax advantage of deducting depreciation, and the leasing option.  There is a brief explanation of the cash flows under the two alternatives, of finding your opportunity cost, and of making the decision by comparing the present value of the cost of owning against the present value of the cost of leasing.  Before we go too far afield, my readers can attest to the fact that I always try to define our terms before delving into the nuances the subject line suggests.

Wikipedia’s definition of SaaS is very complete yet succinct:

“Short for Software as a Service, SaaS is a software delivery method that provides access to software and its functions remotely as a Web-based service. SaaS allows organizations to access business functionality at a cost typically less than paying for licensed applications since SaaS pricing is based on a monthly fee. Also, because the software is hosted remotely, users don't need to invest in additional hardware. SaaS removes the need for organizations to handle the installation, set-up and often daily upkeep and maintenance. Software as a Service may also be referred to as simply hosted applications.”

I also have a posting in this blog, which I must admit has become quite popular based on the number of hits registered to it, entitled SaaS is the Future.  In it I discuss how a Managed Service Provider (“MSP”) can help software developers get their product to the market faster since the infrastructure barriers and capital expenditures are significantly lessened.  In another posting about Unified Communications I have quoted Mat Taylor, a senior software architect with British Telecom, regarding the benefits of SaaS:

"The ability to get things done faster, get workers more engaged in a business scenario, provide better customer service, are all big productivity wins that benefit the bottom line"

In light of the above discussion of “lower total cost of ownership and quicker time-to-value”, Gulesian cautions that the other factors to include in the financial calculation are the maintenance and support fees that come with ownership, which the SaaS subscription fee already includes.

SO WHAT DO I INCLUDE IN THE SAAS CONTRACT?

Gulesian points out three areas that must be addressed in the contract:

·         Integration with your non-SaaS systems

·         Loss of control of data

·         Dependence on the provider for security

The CIO and his or her team are the main players in addressing the integration issue.  Although the next two points also require the IT organization’s participation and input, they are matters that must be addressed upfront in the agreement itself.

The risk of losing your data is paramount.  In the event that the SaaS provider is unable to provide the support anticipated, it is essential that you retain access to the application as well as to your proprietary data.  A provider can become unable to deliver for a myriad of reasons, such as bankruptcy or a real or threatened patent infringement claim and a subsequent injunction.  The preferred protection is to insist that the provider place its code in escrow.  Language can be drafted instructing the escrow agent (an independent and trusted third party) to release the code to the beneficiary (i.e., you) upon the occurrence of certain events defined in the escrow language of your SaaS agreement.  One shortcoming is the downtime involved in getting the application running again on your own systems, but this is a necessary protection that you must include in your contract.  Two practical caveats: a deposit of source code alone is of limited value for a hosted application unless it also includes the build instructions, third-party dependencies and configuration needed to stand the service up, and it should be verified periodically rather than assumed to be complete; and escrow protects the code, not your data, so the agreement must separately give you the right to export a current copy of your data in a usable format, both during the term and on termination.

Transition assistance is another item to consider.  In the future you may wish to change the SaaS application currently in use.  Language should be included requiring the provider’s assistance in developing the data migration strategies and procedures to be followed, so that you can move your data to another application.

Since the SaaS model is economical by nature (see the Wikipedia definition above), traditional discounting expectations do not apply.  Pricing is based on users or seats; the more users subscribed, the more likely the cost per user can be discounted.  So plan accordingly and try to build in volume discounts per block of users.

Other items Gulesian notes for inclusion in the agreement are:

·         Service Level Agreements (SLAs) covering

          ·   Availability

          ·   Response times

          ·   Notification of outages

·         Regulatory compliance

·         Data integrity

·         Data privacy

·         Frequency of backups

·         Disaster recovery

An availability SLA is only as good as its definition: the agreement should state how availability is measured (over what period, and whether scheduled maintenance is excluded), what counts as an outage, and what the remedy is when the target is missed, typically service credits.

Gulesian’s article hits the main points and I highly recommend it to my readers.