Legal quicksand: Shrink-wrap and click-wrap agreements – Part 2

Typical Shrink-Wrap Terms and Conditions

You see shrink-wrap and click-wrap agreements when you click through terms and conditions in accessing an online service. But consider their legal and business liabilities before you blindly agree.

While the types of terms and conditions found in shrink-wrap agreements vary greatly from vendor to vendor, there are a number of common themes. In general, shrink-wrap agreements include the following potentially problematic terms:

  • Little or no warranty protection. In most instances, all warranties are expressly disclaimed — meaning the software is provided entirely “as-is.”
  • There is generally no protection in the event the purchaser is sued for intellectual property infringement arising out of its licensed use of the products (e.g., a purchaser could be sued for patent infringement arising out of use of a software product and, even though the vendor is the cause of the infringement because of the way it developed the software, find itself with no protection under its software license agreement with the vendor). These types of claims have become more and more prevalent. In fact, entire businesses have been founded based on developing large patent portfolios and then, as their revenue source, suing the licensees of software for damages. Most negotiated agreements include an indemnification from infringement claims.
  • A limitation of liability that absolves the vendor of all or substantially all liability for all damages of every kind and type. If an indemnity for intellectual property infringement is provided, the indemnity is generally subject to the overarching limitation of liability, significantly diminishing the vendor’s obligation to indemnify.
  • In contrast, the purchaser will have unlimited liability for all forms of damages. The purchaser may also be required to give the vendor a broad and frequently poorly defined indemnity for a wide range of claims, some of which may arise from the vendor’s own conduct.
  • Little or no protection for confidentiality of the purchaser’s information. The lack of this protection is a critical risk if the vendor has the right to access the purchaser’s facilities and systems to conduct audits. Shrink-wrap and click-wrap agreements frequently contain specific language permitting the vendor to have broad rights to conduct onsite audits of their customer’s facilities and computer systems, frequently with little or no notice. Those audits can expose highly sensitive information of the purchaser.
  • The location (venue) at which a potential litigation or arbitration must be conducted may be one that is not convenient for the purchaser. For example, a purchaser in California may be required to arbitrate a dispute under the agreement in Florida. If the value of the license is only, say, $10,000, having to engage an attorney and attend meetings in a distant location will be cost-prohibitive.

These are general observations only. The specific language of a given shrink-wrap agreement may present additional risks. In particular, as discussed in the next section, a growing number of shrink-wrap agreements may present substantial risks to the purchaser’s own intellectual property or, if the purchaser is in a regulated industry (e.g., financial services or healthcare), to the purchaser’s data.

Inherent Risks of Shrink-Wrap Products

The end result of the terms and conditions commonly found in shrink-wrap agreements, as discussed in the preceding section, is that the purchaser has little or no remedy against the vendor in the event there is an issue with the product or damages arise out of use of the product (e.g., the product has a substantial bug in it, ceases to function, or causes an intellectual property infringement claim). The product is, essentially, being licensed on an “as-is” basis. In most instances, the purchaser’s only remedy in the event of a problem is to cease use of the offending product. A refund or other compensation is unlikely.

In general, the purchaser’s primary protection in purchasing shrink-wrap products is the concept of “safety in numbers.” That is, the product is widely distributed and usually well established in the community. This reduces the potential for a substantial bug or defect to go without a fix from the vendor. The purchaser is essentially relying on the power of the market to force the vendor to correct issues (i.e., vendors with poorly designed or buggy products will lose market share and, at least arguably, be easy to identify).

A growing number of shrink-wrap agreements present additional risks beyond those identified in the preceding section. Two of the most common additional risks relate to the purchaser’s own intellectual property and data.

Some shrink-wrap agreements contain expansive “feedback” and similar clauses that could result in the licensor gaining ownership of the purchaser’s own intellectual property. The contract actually includes language stating that the purchaser is assigning its intellectual property rights to the vendor. In some cases, almost anything the purchaser shares with the vendor, including during support discussions, may become the vendor’s property or, at minimum, result in the vendor having an unbridled license to use what it has learned for its own business purposes. At best, this can result in the purchaser essentially granting the vendor a free license to the purchaser’s valuable intellectual property. At worst, it can result in the purchaser losing all control over its intellectual property.

Shrink-wrap agreements may also include broad audit rights, permitting the vendor almost unlimited access to the purchaser’s facilities, records, and systems. In some instances, these rights permit any or all of the vendor’s agents, contractors, and licensors to also have full access to the purchaser’s facilities, records, and systems. Under these terms, purchasers assume the additional risk of having third parties, with whom the licensee has no contract and no confidentiality protection, gain unfettered access to the licensee’s facilities, records, and systems. For regulated entities (e.g., in financial services and healthcare) and all others in possession of consumer information, these audit rights subject the licensee to the additional risk of exposing highly sensitive and regulated data to vendors and other third parties without adequate contractual protections (e.g., confidentiality clauses, information security protections, limitations on use, etc.). Consider the potential risk presented by a vendor showing up at a purchaser’s facility, without notice, and demanding full access to its systems and records — without any protection for the purchaser’s highly sensitive confidential information and data or any protection if that access causes a disruption in the purchaser’s operations.

Audits can also be excessive and abusive, disrupting the licensee’s normal operations and potentially making the licensee liable for substantial third-party auditor fees (which can reach the hundreds of thousands of dollars). This is because many vendors view these audit rights as a means to derive additional revenue from their purchasers. Some auditors even work on a contingency basis, forcing them to either find a problem or not be paid. This creates an undue incentive for the auditor to search until they find something. In a number of instances, audits have led to substantial additional fees being paid by purchasers in agreements that were not properly negotiated. In one case, an audit revealed a relatively minimal excess use of the software, which resulted in the payment of a few thousand dollars in additional license fees. Unfortunately, the customer was also responsible for paying nearly forty thousand dollars in audit costs.

Given the current economic climate, vendors are conducting these audits on an ever-increasing basis to try to squeeze more revenue from their customers. The headlines are full of instances where companies have paid substantial additional fees for excess license uses. Some examples:

  • Arcadian Healthcare Inc. paid $150,000 to settle claims that it had unlicensed copies of Microsoft Corp., Symantec Corp. and McAfee Inc. software.
  • BioTrove Inc. paid $82,442.70 to settle claims that it had unlicensed copies of Adobe Systems Inc., Apple Computer Inc., Microsoft and Symantec software.
  • Dimensional Innovations Inc. paid $80,000 to settle claims that it had unlicensed copies of Adobe, Microsoft and SolidWorks Corp. software.

With regard to reseller relationships, additional risk can arise in situations in which the reseller is providing support or subcontracted support for the licensed product. Splitting the agreements governing the purchase of the product from support obligations and having two different responsible contracting parties can lead to finger pointing when failures occur and leave a customer without adequate remedies to bridge the two agreements (e.g., if the purchaser purchases a piece of hardware and the reseller breaches its support agreement, the customer may be able to show damages under the support agreement, but will likely have no claim or remedy under the purchase agreement).

Addressing Risk

There are essentially three methods of addressing the risk of shrink-wrap agreements: blind acceptance, knowing acceptance, and mitigation.

Blind Acceptance. Blind acceptance refers to the practice of looking at a proposed use of a product, ensuring it falls within the common elements of shrink-wrap products identified above (e.g., low fees, non-critical use, off-the-shelf, well established, potentially trialed, etc.), and electing to proceed with the purchase without further consideration. Few sophisticated organizations take this approach. It would require the purchaser to proceed without regard for the risk — abandoning any effort at due diligence.

Knowing Acceptance. Knowing acceptance refers to the process of quickly reviewing the applicable license agreement for a proposed purchase of a shrink-wrap product and assessing whether it presents any unique risks (i.e., something beyond the typical terms identified above). Unless a unique risk is identified or the purchase would present conditions beyond the common elements identified above, the transaction is approved. If unusual or unique risks are present (e.g., the aggregate value of the transaction is substantial, the contract presents risks to the purchaser’s intellectual property or data, etc.), the risks would be clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management. This is the most prevalent means employed by sophisticated organizations in addressing risk in transactions of this kind.

Mitigation. The mitigation approach is used in circumstances where the relevant license agreement presents unusual risks or in situations where the purchaser operates in a regulated industry where the protection of data and contracting requirements, in general, are of heightened concern. It has become common in those industries to review proposed uses of shrink-wrap products as they would for any other product purchase transaction. With due regard for the relatively limited ability of purchasers to negotiate these types of agreements, purchasers quickly assess the risks posed by a new engagement and focus on mitigating only the most substantial risks. This is commonly done in the form of an amendment to the shrink-wrap agreement. Such amendments are usually brief, addressing only terms like basic warranties, basic infringement indemnity, audit rights, and protection of the purchaser’s own intellectual property. A number of large organizations are now using these types of amendments to quickly mitigate key risks in these engagements. Their acceptance by vendors, particularly in larger transactions, is growing. If the amendment is rejected by the vendor and no alternate vendor of a similar product is readily available, the risks would be clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management.

The mitigation approach is the most mature approach to addressing risk in shrink-wrap engagements.

Conclusion

The risks presented by shrink-wrap and click-wrap agreements should not be minimized. As with any contract, they must be reviewed and assessed to identify risk. The business can then conduct a cost-benefit analysis to determine whether the risk is warranted and whether that risk can be controlled, at least to some degree, through the use of the mitigation approach discussed above.

This is Part 2 of a 2-part blog.

Note: Originally published on CSO Online by Michael R. Overly.

Michael R. Overly

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law. Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices.

Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

Recognition

In 2010 – 2015, The Legal 500 recognized Mr. Overly for his information technology work in the U.S. In 2005, he was selected for inclusion in the Southern California Super Lawyers® list and also was honored by Los Angeles Magazine for this recognition. In addition, Mr. Overly was recognized by Chambers USA for his IT & outsourcing work (2013 – 2016).

Education

Mr. Overly is a graduate of Loyola Law School (J.D., 1989), where he was articles editor of the Loyola Law Review and elected to Order of the Coif, and Texas A&M University (M.S., electrical engineering, 1984; B.S., 1982). He was admitted to the California Bar in 1989.

Professional Memberships

Mr. Overly is chair of the Legal Working Group for the Cloud Standards Customer Council, an end user advocacy group dedicated to accelerating cloud’s successful adoption, and drilling down into the standards, security and interoperability issues surrounding the transition to the cloud. He is also a member of the Computer Security Institute, the Information Systems Security Association, the Computer Law Association, and the International Technology Law Association.

Thought Leadership

Mr. Overly’s numerous articles and books have been published in the United States, Europe, Korea, and Japan. He has been interviewed by a wide variety of print and broadcast media (e.g., the New York Times, Los Angeles Times, Business 2.0, Newsweek, ABCNEWS.com, CNN, and MSNBC) as a nationally recognized expert on technology and security related matters. In addition to conducting seminars in the United States, Norway, Japan, and Malaysia, Mr. Overly has testified before the U.S. Congress regarding online issues.

Selected Publications

  • A Guide to IT Contracting: Checklists, Tools and Techniques (CRC Press; December 2012)
  • The Executive MBA in Information Security (CRC Press 2009)
  • Negotiating Telecommunication Agreements Line-by-Line (Aspatore Press 2005)
  • Software Agreements Line-by-Line (Aspatore Press 2004)
  • The Open Source Handbook (Pike & Fisher 2003)
  • Overly on Electronic Evidence (West Publishing 1998)
  • E-Policy: How to Develop Computer, E-Mail, and Internet Guidelines to Protect Your Company and Its Assets (American Management Association 1998)
  • Document Retention in The Electronic Workplace (Pike & Fisher 2001)

[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]

2018-06-29T15:06:17+00:00