Legal Issues Impacting Data Center Owners, Operators and Users
1. Legal Issues Impacting Data Center Owners, Operators and Users
by John Yates & Larry Kunin
December 9, 2010
2. Presenters
Larry Kunin
Partner, Litigation Practice
Telephone: 404.504.7798
E-mail: lkunin@mmmlaw.com
John Yates
Partner, Corporate Technology Practice
Telephone: 404.504.5444
E-mail: jyates@mmmlaw.com
3. Goals
MMM’s goal is to work with data center owners,
operators and users to identify key legal issues
and their related claims, and to provide ways to
minimize liability.
5. Key Questions
What are the key concerns of the data center owner, user, operator?
1. Is there adequate security to avoid security and privacy breaches?
2. How are external forces such as power outage, natural disaster, and
terrorism controlled? What if contractor/subcontractors don’t perform
adequately?
3. What if there are hardware/software failures resulting in down time?
4. How can a user be compensated for non-performance by the data center
owner or operator?
5. What steps need to be taken if there is a security breach?
6. Are there safe harbors?
6. Power Outages
1. What are the terms of your agreement with the power company?
2. Do you have a claim against the power company in case of an outage?
3. Do you have an adequate back-up system?
4. How do you determine the adequacy of a back-up system - what is reasonable under the
circumstances?
5. What is your liability?
6. Power outage – liability
i. Have you taken steps that are reasonable under the circumstances to provide for the
contingencies of a power outage?
ii. Do you have a contractual arrangement with the power company to provide certain levels of
performance?
iii. Do you have a contractual arrangement with a back-up power source? Does it include
liquidated damages?
iv. Do your customers’ contracts provide for uptime warranties?
v. Do they include representations and warranties regarding uptime?
vi. Do they include a liquidated damage clause?
7. What is a Liquidated Damage Clause?
1. The elements of a liquidated damage clause:
- The parties desire to avoid the cost of proving damages in the event of
future breach.
- Damages will be incapable or very difficult to accurately estimate at the
time the contract was made.
- Liquidated damages are a reasonable forecast of what damages might be
in the event of breach.
2. Liquidated damages are not penalties: A liquidated damage clause
that is found to punish rather than provide reasonable
compensation will be declared an invalid penalty and will be
stricken.
3. Note, however, that the inability of individuals to prove actual
damages has been a block to sustaining a lawsuit.
8. Sample Liquidated Damage Clause
The parties agree that in the event of data loss [or security
breach], damages will be difficult to calculate. To avoid
the cost and effort to attempt to calculate such damages,
the parties agree that in the event of a proven data loss [or
such breach] a reasonable forecast of resulting damage is
$_________, which COMPANY shall pay to CUSTOMER
within 20 days of confirmation of such breach. Such
payment shall be the exclusive remedy and shall satisfy all
liability for such data loss [or security breach].
9. Force Majeure Clauses
A force majeure clause prevents liability for harm caused
by issues beyond a party’s reasonable control, such as an
act of God (hurricanes, fire, etc.).
- Might not protect against failure to back-up data.
It is unlikely that a force majeure clause will protect
against third party illegal hacking if there is evidence that
the hacking could have or should have been prevented
through better security measures (i.e., the act was
preventable).
10. Sample Force Majeure Clause
A party will not be liable to the other party for any failure, delay, or
disruption of telecommunications services, caused by a Force
Majeure Event, whether or not such matters were foreseeable, and
such failure or delay will not constitute a material breach of this
Agreement. “Force Majeure Event” means any cause beyond the
reasonable control of a party that could not, by reasonable diligence,
be avoided, including acts of God, acts of war, terrorism, riots,
embargoes, acts of civil or military authorities, denial of or delays in
processing of export license applications, fire, floods, earthquakes,
accidents, or strikes.
11. Hardware/Software Failures
1. Do you have a contract with your software/hardware vendors?
2. Does it include warranties and representations?
3. Does it include indemnification to protect you in case you get sued
by third parties (for example, users of your system)?
4. Do you have insurance to cover the liability? Have you reviewed
the policy to determine the scope of coverage?
12. Privacy/Security
1. Do you store personally identifiable information?
2. Are you aware of the security breach notification statutes on the
State level? Do you have policies in place to comply with them?
3. What damages could you incur by a security breach that results in
disclosure of personally identifiable information?
- Safe Harbor under State breach laws?
4. What other liability could be incurred as a result of a security or
privacy breach?
5. Is data encrypted?
13. Sample Security Notification Breach Law
California Security Breach Information Act, SB 1386:
Companies that possess or store personal information (SSN, driver's
license, account number, etc.) must provide notice to each person in
their database upon discovery of a security breach involving such
personal information.
Applies to government agencies, companies, and nonprofit
organizations regardless of geographic location.
14. Practical Pointers
1. Review existing contracts and license agreements with hardware and
software vendors, especially with regard to representations and
warranties, indemnification provisions, liquidated damage provisions,
performance criteria, etc.
2. Review your existing user agreements with regard to limitations of
liability, representations and warranties, performance criteria, etc.
3. Review existing insurance policies, especially exceptions.
4. Review existing policies and procedures in case of security or privacy
breaches, especially with regard to state breach notification laws.
5. Review existing case law on an ongoing basis to determine reasonable
steps required of a data center owner/operator and standards of care.
15. Recent Court Cases
In re TJX Companies Retail Sec. Breach Litigation (1st Cir.): Bank
represented class in a claim for violation of Mass. unfair trade practices
statute following security breach. Damages were amount of fraudulent
charges resulting from the security breach. Settled for over $40 million.
Krottner v. Starbucks and Lalli v. Starbucks (W.D. Wash.): Two class
action lawsuits alleged that stolen laptops contained personal
information of Starbucks employees. Starbucks gave notice to all
employees. One plaintiff alleged that his bank account was opened, but
the bank closed the account and there was no monetary loss. Plaintiff
also failed to show a nexus between the security breach and the access
to his account. The court dismissed both cases.
16. Recent Court Cases
Ruiz v. Gap (N.D. Cal.): In this class action, a burglar broke into the
offices of Gap's job application processing vendor and stole two laptops
that contained unencrypted personal information about thousands of job
applicants. The only alleged harm was an alleged “increased risk of
identity theft.” The court dismissed, holding that this is not a loss.
Hendricks v. DSW Shoe Warehouse (D.Mich.): Damages were cost of
credit monitoring service. But in this case, there was no Michigan
authority that these are recoverable damages, and the case was dismissed.
Carbonite lawsuit: Sued two vendors alleging loss of data owned by up
to 7,500 Carbonite customers (cloud storage) due to failed disk arrays
and failure in back-up procedures. Vendors responded that only a de
minimis number of customers were affected. Lawsuit appears settled.
17. Bios
John C. Yates – Tele.: 404.504.5444 – E-mail: jyates@mmmlaw.com
Partner-in-charge of the Technology Practice. Mr. Yates is one of the pioneers of the
technology law field and has been practicing exclusively in this area for over 27 years. The
firm’s technology practice has represented hundreds of technology companies and
provided legal services in such areas as IPOs, mergers and acquisitions, patent
prosecution, Internet law, biotech and medical devices, ecommerce/distribution, corporate
finance and venture capital, international law and dispute resolution.
Larry Kunin – Tele.: 404.504.7798 – E-mail: lkunin@mmmlaw.com
Partner in the Litigation Practice with a concentration in technology and intellectual property
litigation, including software performance, trade secret, trademark and copyright litigation,
as well as general commercial and business tort litigation. Mr. Kunin also serves as a
special master or mediator in disputes involving technology or e-discovery.