Software Licensing & Master Service Agreements

So You Want to Negotiate A High-Tech Deal

Sam Conforti — Sat, 07 Jan 2012 09:29:33 -0600

I have been practicing law for approximately 25 years and concentrating my practice in the area of negotiating and drafting contracts for the purchase or sale of High Technology for the last 13 years. I recently came across Mark Grossman’s guest blog posting in IP In Brief entitled, “A How-To Guide for Negotiating Tech Deals”. This is a must read. If you are considering making any high-tech purchase, I highly recommend that you take the time to read this article in order to gain an insight and perspective that is little discussed but impacts your deal greatly. As a practitioner in this area, I found myself one early Saturday morning sitting in my office reading Grossman’s article and shouting “Yes, Yes, Yes”. I was fist-pumping and if anyone was near to me they would have gotten a high-five. His approach is straight-forward and no nonsense.

Andrew Berger’s introduction sets the stage and reveals to the reader for the first time the concepts of “unwritten industry norms” and “choreographing your concessions around areas where you’re not likely to win the battle anyway”. Grossman starts his analysis by pointing out the obvious (i.e. the first drafts of the agreements are poorly written). I think this was my first “Yes” that I heard myself say out loud while reading in my office all alone. I can’t tell you how many times I’ve received new templates or first drafts of proposed new agreements which were simply a mishmash of cuts and pastes from older useless documents. My second “Yes” and my first fist-pump was Grossman’s admission that the sales teams are in charge of the deal. I freely admit, and in the spirit of full disclosure I happily accept that the sales team is the entity that brings the deal to me. Without them I would be out of work. However, Grossman points out, without actually stating it, that the sales team views the attorney as an obstacle that must be overcome. Perhaps it was the way he explained the process of requesting a revision to some contract language to more accurately describe the issue and then commented,

“All the while, I can feel the sales team seething at me because of my absurd requirement that the contract accurately state the deal”.

That comment garnered fist pump number two and a loud chuckle. I would have enjoyed it if Grossman had discussed the mirror image on the buy side. I have represented both Buyers and Sellers. By the time the deal comes to me from the buy side (i.e. the Project Team), there is what is commonly called a “love affair” with the functionality of the proposed software package. In essence the Project Team “has been sold” and they know that they cannot live without having this software in their repertoire. As an attorney, I get that same glare from the Buyers when revisions for clarity are requested.

Grossman has a very salient section on the “Norms in the Industry”. To put it simply, why waste your time arguing points that will not be changed. These “Norms” need to be understood simply due to their peculiarity. He has an excellent section explaining Warranties in the industry and how they differ from what would be expected. Limitations on Liability is another section worth reading because it goes against what a Buyer expects and readily requires from its vendors. I must confess it was good for me to read these sections simply because I have been so inculcated with these industry “Norms” that I needed a refresher on why outsiders would consider these absurd.

He concludes his article by stressing the practical side of mutuality. A software vendor can and usually does readily accept revisions to sections to make the obligations mutual. One must remember that the parties are usually starting from paper that was first drafted by the vendor and so the natural urge to make the language one-sided must be addressed and overcome where possible.

As Cloud Computing Market Heats Up SAP Buys Leader in Employee Performance Management

Sam Conforti — Tue, 06 Dec 2011 10:15:36 -0600

SuccessFactors makes software used to manage employee performance, which helps companies decide which employees to retain and how much to pay them. Their stock soared 51% and at the end of trading on December 5, 2011 closed at $39.75 as reported in Ragnhild Kjetland’s and Aaron Ricadela’s article in Bloomberg Businessweek entitled SAP Shed M&A Shyness as Oracle Rivalry Moves to the Cloud. Another good article to read is Ragnhild Kjetland’s article in Bloomberg Businessweek entitled SAP to Buy SuccessFactors for $3.4 Billion to Match Oracle.

SAP is the world’s largest developer of software for the business community. The premium they paid for the purchase of SuccessFactors demonstrates their commitment to compete head-to-head with Oracle in the Cloud Computing market space. This specific acquisition will aid SAP in selling its full suite of “human capital management” software to its installed base.

Ray Wang, head of San Francisco-based Constellation Research, said in a phone interview,

“This is a much-needed move by SAP. What SAP had in human resources -- basic transactional software such as payroll -- was good enough for the old era. In the new era, performance reviews and talent management will be important.”

SuccessFactors has:

· 3500 customers

· 15 million subscribers

· Present in 168 countries

· $332 million in revenue for 2011

· $502 million in revenue predicted by 2013

Brendan Barnicle, an analyst at Pacific Crest Securities in Portland, Oregon said,

“We saw Oracle buy RightNow Technologies just a couple of weeks ago at 5.5 times that company’s next year revenue and SAP is going to pay almost 8 times 2012 revenue, but these guys are growing much faster than other people in software on demand, this is a marvelous addition for SAP.”

The new management team at the helm of SAP, co-CEOs Bill McDermott and Jim Hagemann Snabe, are not as reticent to growth through acquisition as compared to the prior management’s philosophy of organic growth internally. Since taking over, they have made three large acquisitions: Sybase, a mobile device maker; Business Objects, a BI developer; and now SuccessFactors. These purchases pale in comparison to Oracle’s $42 Billion buying binge over the last 6 years, but all seems to be coming together as the market evolves from the capital intensive data centers with their huge cash outlays for hardware to software delivered over the web.

SuccessFactor’s CEO, Lars Dalgaard, will oversee SAP’s full line of SaaS (“software-as-a-service”) products, including its Business ByDesign Web programs for midsized companies.

Cloud Security: Myths Busted - What Chief Security Officers Need To Know

Sam Conforti — Tue, 01 Nov 2011 17:38:03 -0600

I found a very good White Paper on Cloud Security entitled Cloud Security Myths and Strategies Uncovered. I think the best way to start off is with the opening quote from the White Paper itself:

“In today’s evolving information economy, cloud computing offers immense opportunity. Whether companies have started their cloud journey or not, security concerns remain the largest inhibitor to adoption. Concerns around control, data privacy, and security abound. However, the technology and expertise required to build a trusted cloud is closer than imagined. Progressive CSOs are embracing a new strategic role as a true business enabler in partnership with business leaders, to make sure that the trusted cloud becomes a reality and enterprises can capitalize on cloud technology.”

Security concerns still abound with Cloud Computing and a fair number of adopters still opt for a private cloud environment. However, there is a trend towards a more hybrid approach, allowing enterprises to take advantage of the cost saving a public cloud provides. A majority of IT professionals surveyed indicated that their top priority was managing access to the data in the cloud. The White Paper suggests that “Virtualization” provides better visibility than the older legacy systems.

The White Paper then lists the three major Myths about Cloud Computing and provides the answer that debunks each one:

1. The Cloud simply cannot be secure - YES IT CAN.

2. Cloud Security is a new challenge – NO IT’S NOT.

3. Compliance equals security – not necessarily … it is only an “as of” date.

The authors state that a successful and secure Cloud is one that has “Trust” as its foundation. The Trust Equation is as follows:

Control + Visibility= Trust

Control

· Availability: Ensure access to resources and recovery following interruption or failure.

· Integrity: Guarantee only authorized persons can use specific information and applications.

· Confidentiality/privacy: Protect how information and personal data is obtained and used.

Visibility

· Compliance: Meet specific legal requirements and industry standards and rules.

· Governance: Establish usage rights and enforce policies, procedures, and controls.

· Risk management: Manage threats to business interruption or derived exposures.

The White Paper goes on to say that the key to obtaining the visibility needed to control the Cloud is Virtualization. “Virtualization consolidates multiple physical components into a logical view so they can be administered from one place. This alleviates the complexity of managing and monitoring multiple moving parts across internal and external infrastructure.”

When it comes to building a trusted cloud, Checklist for Your Trusted Cloud is as follows:

· Use virtualization as your foundation.

· Build control and visibility into your security framework.

· Extend your security perimeter to include applications and endpoints.

· Adopt the three-layer controls framework: controls enforcement, controls management, and security management.

· Select a cloud vendor with offerings that can meet enterprise-class cloud security requirements across private and public clouds.

· Ensure services are secured to a common standard, in a transparent and auditable fashion.

· Tap prescriptive guidance from industry coalitions such as the Cloud Security Alliance (www.cloudsecurityalliance.org).

Rest In Peace

Sam Conforti — Fri, 07 Oct 2011 05:25:05 -0600

How SAP will Almost Double Revenue by 2015

Sam Conforti — Mon, 19 Sep 2011 10:05:43 -0600

SAP has set the goal of increasing revenue from 12.5 billion EUROS to 20 billion EUROS annually by 2015. First we have to start out with Full Disclosure: I worked for SAP negotiating and drafting contracts in the late 90’s and early 2000’s. I learned my trade there dealing with Fortune 500’s and also the SME market space. Additionally, as a sole practitioner, my largest client is a National SAP Channel Partner for a global entity. Needless to say, I am very familiar with the corporate culture and I also have a bias toward increasing revenues, because as the saying goes a rising tide raises all ships.

Dan Woods, chief technology officer and editor of CITO Research, a firm focused on the needs of CTOs and CIOs, reports in his article in FORBES entitled How SAP is Betting Its Growth on Partnerships that SAP will need to change its approach to its partners and be more open to working with them and allowing these partners to share in the revenue potential from new sales and new innovations as it had in the past with system integrators. Woods refers to the old corporate culture as “historically insular”. As the person whose duties included acting as the primary contract support for SAP’s national network of VARs (these VARs were originally referred to as CBS ‘Certified Business Solutions' providers, revised to the SMB market place, finally revised to the SME market space) and now as outside counsel to a large SAP Channel Partner, I have been on both sides of the table. I can attest to Woods’ description as being accurate.

Woods refers to an interview given by Eric Duffaut, President SAP Global Ecosystem and Channels. Duffaut came to SAP from Oracle, where he spent 15 years working in the SME Channel. Upon arrival to SAP in 2005, Duffaut headed up the SME market for EMEA (Europe, Middle East, Asia). In the interview Duffaut states that while the industry average is 40%, that in 2005 only 7% of sales were through Channel partners. This increased to 20% by 2010 and 25% through the second quarter of 2011.

Duffaut states that the new strategy to expand revenue by utilizing its Channel partners is centered on a 3 prong approach:

1. Consolidation of all partner activity under Duffaut’s leadership (developments, sales, and service).

2. Expansion of its co-development program. ERP is no longer the sole product, although it remains the central focus. Business Objects and the Sybase mobility capability are two other platforms to build upon. The new direction encompasses new solutions for these platforms, through co-developments with partners.

3. Increase the availability of competent service integrators and execute new engagements and transfer these to the partners (i.e. “SAP will become much more like an incubator for new service offerings …”).

The cultural shift for SAP will be tough. The two obstacles Woods points to are:

a. SAP’s product standards for the resale of SAP products and also to allow SAP to sell others products are extremely rigorous, and

b. The certification process to become an SAP Partner is onerous and arduous to say the least.

Woods lays out the salient issue facing Duffaut quiet succinctly. SAP can succeed in growing its revenue through its Channel partners by allowing its Channel Partners to keep more of the expanding revenue that is generated. As Woods states it, “SAP will have to get good at making its partners rich.”

Time will tell …..

Google Shocks: $12.5 billion for Motorola Mobility

Sam Conforti — Sat, 20 Aug 2011 07:17:31 -0600

It’s too early to go through all the possible iterations. Robin Wauters posted an announcement in Techcrunch on August 15^th entitled “Google Buys Motorola Mobility For $12.5B, Says “Android Will Stay Open”. I’ll try to give you a brief synopsis and to put things into perspective; however, stay tuned as this mega-deal unfolds and as the players shakeout.

Google was sitting on $39 Billion in cash. Google owns Android and Motorola Mobility is a dedicated partner. Motorola Mobility is sitting on 14,600 patents and another 6700 patent pending apps. So the leading search engine and online advertising goliath is combining with not only a strong Android smartphone manufacturer but also the “market leader in the home devices and video solutions business”.

Google co-founder and CEO Larry Page stated that Motorola Mobility will “enable us to better protect Android from anti-competitive threats from Microsoft, Apple and other companies”. It remains an open question how HTC, LG, Samsung, Sony Ericsson, Acer, Lenovo and other Android device makers will handle this acquisition. Wauters gives us a link in his announcement to reaction already from some of these vendors.

Here’s the Full press release:

“Google to Acquire Motorola Mobility

Combination will Supercharge Android, Enhance Competition, and Offer Wonderful User Experiences

MOUNTAIN VIEW, Calif. & LIBERTYVILLE, Ill.–(BUSINESS WIRE)–Google Inc. (NASDAQ: GOOG) and Motorola Mobility Holdings, Inc. (NYSE: MMI) today announced that they have entered into a definitive agreement under which Google will acquire Motorola Mobility for $40.00 per share in cash, or a total of about $12.5 billion, a premium of 63% to the closing price of Motorola Mobility shares on Friday, August 12, 2011. The transaction was unanimously approved by the boards of directors of both companies.

“Motorola Mobility’s total commitment to Android has created a natural fit for our two companies. Together, we will create amazing user experiences that supercharge the entire Android ecosystem for the benefit of consumers, partners and developers. I look forward to welcoming Motorolans to our family of Googlers.”

The acquisition of Motorola Mobility, a dedicated Android partner, will enable Google to supercharge the Android ecosystem and will enhance competition in mobile computing. Motorola Mobility will remain a licensee of Android and Android will remain open. Google will run Motorola Mobility as a separate business.

Larry Page, CEO of Google, said, “Motorola Mobility’s total commitment to Android has created a natural fit for our two companies. Together, we will create amazing user experiences that supercharge the entire Android ecosystem for the benefit of consumers, partners and developers. I look forward to welcoming Motorolans to our family of Googlers.”

Sanjay Jha, CEO of Motorola Mobility, said, “This transaction offers significant value for Motorola Mobility’s stockholders and provides compelling new opportunities for our employees, customers, and partners around the world. We have shared a productive partnership with Google to advance the Android platform, and now through this combination we will be able to do even more to innovate and deliver outstanding mobility solutions across our mobile devices and home businesses.”

Andy Rubin, Senior Vice President of Mobile at Google, said, “We expect that this combination will enable us to break new ground for the Android ecosystem. However, our vision for Android is unchanged and Google remains firmly committed to Android as an open platform and a vibrant open source community. We will continue to work with all of our valued Android partners to develop and distribute innovative Android-powered devices.”

The transaction is subject to customary closing conditions, including the receipt of regulatory approvals in the US, the European Union and other jurisdictions, and the approval of Motorola Mobility’s stockholders. The transaction is expected to close by the end of 2011 or early 2012.”

Microsoft Announces Cloud "Office 365": Will Skype Be Next?

Sam Conforti — Tue, 12 Jul 2011 07:55:52 -0600

Well it looks as though we may be entering the doldrums of a long hot summer with no exciting news to spark our interest. And then Stuart J. Johnston’s article in Small Business Computing.com entitled “Microsoft Launches Office 365 for SMB Markets” and its companion article in Small Business Computing.com entitled “Is a Low-cost Calling Plan in the Works for Office 365” comes to save the day. Actually, I think we have to give Microsoft a bit of the credit as well, because after all it was their recent announcement that the cloud applications suite known as “Office 365” was ready for GA (“General Availability”) to the SMB market place.

The enterprise suite will contain the following applications in the CLOUD:

· Exchange Online for email

· SharePoint Online for collaboration

· Lync Online for unified communications

· Web versions of its Office applications -- called the Office Web Apps

The price is right. Microsoft will be offering an optional monthly subscription fee for those SMB’s without a full-time or even part-time IT department. A Microsoft Spokesman stated:

“With Office 365 for small businesses, customers can be up and running with Office Web Apps, Microsoft Exchange Online, Microsoft SharePoint Online, Microsoft Lync Online and an external website in minutes, for $6 per user, per month. These tools put enterprise-grade email, shared documents, instant messaging, video and Web conferencing, portals and more at everyone’s fingertips.”

Microsoft is building an infrastructure of service providers to help service the SMB market place which include: AppRiver, Intuit, Premier Global Services, CDW, Bell Canada, Telefonica, Telstra, and Vodafone. Microsoft Spokesman stated:

“These companies will package Office 365 with their own services -- from Web hosting and broadband to finance solutions and mobile services -- and bring those new offerings to millions of small and midsize businesses globally"

Is Skype Next?

Back in May 2011 Microsoft announced its purchase of the low-cost calling service Skype for $8.5 billion. Microsoft’s purchase has obtained US Regulatory approval. What remains is obtaining such approval globally. Sharon Pian Chen, technology reporter for the Seattle Times, quotes Kurt Delbene, president of Microsoft’s Business Division:

“Office 365 will be the first place Skype will be added to a Microsoft product when Microsoft closes its purchase of Skype"

The cloud version of Lync 2010, Lync Online, a key component of Office 365, provides instant messaging, voice, and video calling. Microsoft’s CEO, Steve Ballmer, envisions huge benefits to be obtained by combining the Lync’s unified communications server and Skype.

The Cloud Provider's Infrastructure - AND - Apple's New Data Center

Sam Conforti — Sat, 11 Jun 2011 09:54:03 -0600

Once again Thomas Trappler has come up with a very informative piece and at a very opportune time (Steve Jobs, Apple’s CEO, just announced its iCloud featuring its state-of-the-art iDataCenter – more on that later in this posting). Trappler’s article in COMPUTERWORLD entitled “The Cloud Contract Adviser: Know your provider's infrastructure” deals with the importance of knowing your provider and their ability to meet your need for availability (i.e. “uninterrupted service”). As Trappler points out, Service Level Agreements are just part of the equation (see April 30, 2011 posting in this Blog entitled Importance of Service Level Agreements for the Cloud). What should really matter is the ability for the Provider to manage its Cloud and he ponders if perhaps the technology to provide Cloud Computing is ahead of the skill to manage the data center that will be providing the cloud services. In a nutshell Trappler lays out the complexity facing the operations management team:

“In addition to general computing components such as virtual machine monitors, data storage and associated middleware, a public cloud infrastructure has to deal with things like workload management, data replication and recovery, and resource metering. And to make matters worse, all of these have to interact effectively, while they change over time as feature improvements and bug fixes are continuously rolled out.”

Trappler suggests that you develop a set of questions to ask the Cloud Provider and he assists in this endeavor by positing a few vital points that need to be covered in order to educate yourself on the infrastructure of the Could Provider, such as:

* Capacity and resource planning

* Data replication, storage, distribution and recovery

* Change management policies and procedures

* Virtual server provisioning and management

* Asset inventory and management policies and processes

*Software development quality assurance

Apple’s iCloud and its Suite of Services

Derrick Harris reports in his article in GIGAOM entitled “Apple launches iCloud; here’s what powers it” that just this week, Steve Jobs, Apple’s CEO, announced the launching of its iCloud and their infrastructure that will make it all happen.

Apple’s iDataCenter is in Maiden North Carolina:

It is 500,000 square feet, cost $1billion to build, uses clustering technology from IBM, Veritas and Oracle, and a second data center is planned for the same site:

Apple ordered 12 petabytes of Isilon file storage from EMC:

Financial Health of "Pure Play" Cloud Vendors

Sam Conforti — Mon, 06 Jun 2011 07:45:05 -0600

I was contacted by Hunter Richards of Software Advice. He alerted me to an article by Dan Fornes, Software Advice Founder & CEO, entitled: Q1 2011 Cloud Apps Financial Results Roundup. This article they published in their Blog reports on the quarterly financial results of ten publicly traded cloud software vendors, such as Salesforce.com. It contains data on quarterly revenue, operating income, customer count, market cap, and a host of other measurements. It provides a snapshot of the health of cloud computing as a business model. It’s clear the model is doing very well. The graphics in this report are clear and very informative. There is a short commentary and/or explanation with each graph to help the reader understand the salient points. Here are a few examples of the sort of information available to you:

QUARTLY REVENUE

OPERATING INCOME OR LOSS FOR THE QUARTER

SAAS REVENUE BY APPLICATION

CUSTOMER COUNT

ANNUAL SUBSCRPTION VALUE

MARKET CAPITALIZATION

Software Advice helps buyers find the right software for their business. Similar to the big consulting firms, they research the market identifying the best solutions for each buyer. Software Advice then publishes product profiles, comparisons, best practices guides and other research to their site. Software Advice is 100% free for software buyers. Their revenue comes from software companies after making a good match between a software buyer and that software vendor. So they are motivated to make great matches.

IaaS, SaaS, PaaS: Too Many Choices - Which Is Best for You

Sam Conforti — Tue, 24 May 2011 11:58:02 -0600

Dick Benton, principle consultant at GlassHouse Technologies, has written a 2 part article on the trials and tribulations of which Cloud to use entitled; “Cloud Thunder: The Biggest Bang for the Buck, Part 1”. I thought we would deal with the first part, IaaS, and examine his analysis of INTERNAL versus EXTERNAL Infrastructure as a Service (“IaaS”). His article has a bit for everyone, the IT manager, the Finance department, and the contract draftsman. As you all know, I get a little “weak in the knees” with the technical stuff and so I will defer to the techies on those issues. But Benton has some good insight on which “Cloud” to choose and solid advice on how to get there.

Benton starts off by commiserating with the IT Manager because the virtualized world of Cloud Computing does offer many alternatives to reduce cost while at the same time increasing service. He breaks down his discussion in part 1 on IaaS to the benefits and possible disadvantages of Internal IaaS as opposed to External IaaS.

In order to chose the Internal IaaS model, Benton notes that the x86 platform must be virtualized and ITIL (“Information Technology infrastructure Library”) service model has been adopted (See: “weak in the knees” comment above). I’ll leave the previous comment for the techies to determine. The benefits of the Internal IaaS model are:

· Availability

· Performance

· Security

· Quick provisioning

· Just as Quick De-provisioning

· Ease of billing to identify unit cost (Giga-bytes of storage or Giga-hertz of power)

· Automation improves Service Levels

With IaaS comes ITIL best practices which require automated self-provisioning. For the finance department the billing should have the ability to determine unit costs. And with all the above benefits, Benton still stresses that, “The biggest impediment to the introduction of IaaS under IT is that the service provider is the requirement for some form of portal/Web-based self-provisioning capability.”

Outsourcing IaaS (i.e. External IaaS) has its distinct advantages as well. But, of course, as we have discussed in the past security remains the paramount disadvantage. Your data is stored off-site and the infrastructure is shared with many other entities and dynamically managed as your data is moved from server to server. Benton points out three other necessary issues to consider:

· Back-out strategy. If your provider does not live up to the service levels promised, how do you get your data back?

· Scalability. Is this built into your contract? Premiums charged and can the Provider deliver in your time frame?

· Hybrid approach. Useful when using Internal IaaS and there is extra capacity needed in an overload situation for a special project.

Benton discusses SaaS and PaaS in the second part of his article.

IaaS, SaaS, PaaS: Too Many Choices - Which Is Best for You

Sam Conforti — Tue, 24 May 2011 10:38:12 -0600

Availability
Performance
Security
Quick provisioning
Just as Quick De-provisioning
Ease of billing to identify unit cost (Giga-bytes of storage or Giga-hertz of power)
Automation improves Service Levels

Back-out strategy. If your provider does not live up to the service levels promised, how do you get your data back?
Scalability. Is this built into your contract? Premiums charged and can the Provider deliver in your time frame?
Hybrid approach. Useful when using Internal IaaS and there is extra capacity needed in an overload situation for a special project.

Benton discusses SaaS and PaaS in the second part of his article.

Importance of Service Level Agreements for the Cloud

Sam Conforti — Sat, 30 Apr 2011 10:43:31 -0600

Thomas Trappler is Director, UCLA Software Licensing, UCLA. He is the Manager (and I believe he is also the Founding Member) of “Software Licensing Professionals”, a group on LinkedIn which I am a member. Tom has a wealth of experience and his articles and commentary have been an excellent resource for me during my research on Cloud Computing and many other software licensing related topics. His current article in Computerworld entitled “The Cloud Contract Adviser: Service-level agreements” will be very helpful to those of you considering moving some or all of your computing to the Cloud.

He begins his article by breaking down SaaS, IaaS, and PaaS to its simplest terms, and that is “Service”. As Trappler points out, the key concern for the licensee should be “Uptime”. The service availability should be memorialized in the contract itself. Trappler cautions us about the vendor’s claims of 99.9% uptime. As he comments, the initial impression to the licensee to such a claim is favorable, but as the cliché goes, read the fine print. Such service availability and the vendor’s responsibility for downtime are not always computed as part of the 99.9% claims if your internet connection is lost. Also not included in the percentage is scheduled maintenance. Trappler also suggests that in the contract definition of service availability the percentage can be affected if it is measured by consecutive minutes or such downtime is spread over a certain period of time. Any or all of these components can be included in the contract definition of service availability or downtime.

Trappler’s section in his article on the remedies built into the contract is very useful. He states that this is the place where the draftsman builds in certain incentives to help assure compliance with the 99.9% uptime claims. These incentives usually come in the form of credits to be applied to future billings. I’ve been practicing law for close to 25 years and I have a particular angst when I hear my opposing counsel say something like “I’ve never heard of that before”, but I have to admit I was not familiar with one of the suggested remedies, as Trappler labels it, the reputational remedy. Apparently, one might consider including a remedy which would require the vendor to take out a full page ad in a newspaper of general circulation announcing missed service levels. A strong motivator, no doubt; but getting it into the contract itself might be a bit tricky.

The Paradigm Shift: Software Execs Move to the Cloud

Sam Conforti — Sat, 02 Apr 2011 08:35:00 -0600

Kamesh Pemmaraju heads cloud computing research for Sand Hill Group. He writes a weekly blog, Leaders in the Cloud for weekly updates on developments in the cloud market. In an opinion piece for Sand Hill entitled Cloud Leaders Face a Changing Tide he reports to us on the latest Sand Hill survey of 100 software CEOs and senior executives and their responses regarding their firms expected revenues from Cloud Computing for the next few years, their customer’s attitudes and readiness to adopt Cloud Computing, and which products and services seem to be catching hold. What appears to be obvious to Pemmaraju from the results of the survey is that these vendor’s customers want to be in the Cloud and the execs recognize this demand and no longer expect their customers to accept the existing products for sale. The survey respondents seem to feel that the global recession is ending and they expect considerable growth in the Cloud Computing market space.

85% of the respondents already had cloud products and service offerings ready for sale to their customers and 43% expect that Cloud Computing sales will make up the majority of their sales in the next 5 years:

The survey showed an interesting dichotomy between small firms (i.e. revenues of $250M or less) and large firms. The larger firms will grow their revenue from Cloud Computing but at a much slower pace in the next 5 years:

Pemmaraju identifies the key to success for these software vendors are to recognize the value their customers see in the applications and the platforms on which these applications are developed. Hence these software vendors “also need to create platforms to attract developers to extend and build new applications.” The concerns from all parties are very real and consist of:

· PaaS (Platform as a Service) is still relatively new and unproven

· Enterprise customers are stocked with on-premises development tools

· Customers want to avoid being locked into one vendor

Although SaaS is the primary model today, Pemmaraju reports that the surveys show that PaaS is the choice for most respondents in the next 3 years:

The paradigm is shifting once again and as the software vendors learn and adapt there will be many missteps along the way. Pemmaraju sums it up nicely in his opinion piece:

“But as customers move away from traditional licensing models, software vendors—particularly the incumbents—face challenges in adjusting their products, go-to-market strategies and pricing models. How can they move towards cloud computing without cannibalizing their existing product revenues? Even the metrics or methods that software firms use to track their business are evolving rapidly. Moreover, nearly 50 percent of the executives surveyed said the cloud offerings today are not yet ready for enterprise use, and the current lack of standards is a growth inhibitor.”

Intellectual Property Magazine - Cloud Computing: What In-House Counsel Needs to Know

Sam Conforti — Sun, 06 Mar 2011 10:07:29 -0600

Intellectual Property Magazine - Cloud Computing: What In-House Counsel Needs to Know

Intellectual Property Magazine asked me to write an article for their March 2011 issue. We discussed various topics and ultimately settled on the subject matter in the title of this Blog posting above. Our arrangement allows me to publish my work in my Blog. The graphics in the published article are really quite amazing. What follows is the text of my article minus the graphics:

Cloud Computing: What In-House Counsel Needs to Know

The only constant is change. I remember being at an Oktoberfest back in the late ‘80’s. My friends and I noticed a young man wearing a phone on his belt. We laughed and thought how self-important he must think he is. Well, I confess that today I do not leave the house without my Smart-Phone firmly attached to my belt. I can make and receive calls, send and receive emails, surf the net, and even take a picture if needed. The old adage “Change, embrace it” holds true in today’s technological environment.

It is said that the speed of processing chips doubles every 18 months. There does not seem to be an end in sight in the growth in sales for the ubiquitous mobile phones. Apple’s iPad is all the rage and the Apple stores cannot keep them on the shelves. The number of applications to be written for all mobile computing devices in the coming year is staggering. So the next phase in innovation in this burgeoning IT industry is Cloud Computing. The term “Cloud” gives the concept a rather nebulous tone. Studies show the sales in the Cloud Computing marketplace have doubled in the last few years and there is no slowdown in sight. Let’s first define exactly what Cloud Computing is in order to rid ourselves of the uncertainty and then examine its advantages and disadvantages.

Cloud Computing – What is it?

Software as a Service, also known as SaaS or On-Demand, is the term most closely associated with Cloud Computing. The key word is “Service”. SaaS acts similar to a linked network of computers, or a cluster of linked networked computers, to perform different functions. This cluster of networked computers acts as a virtual supercomputer. Each person working on his or her own laptop computer is provided with the exact application they need to work and perform the tasks on their part of a project or to perform their assigned tasks in their area of work in the corporate entity. These applications are provided to that person via the internet. The user can work remotely and the applications needed are accessed by them from the internet through their web-browser. It is a seamless delivery system and it appears to the user that the applications are installed on their lap-top. The software and the data generated are not stored on the premises or the user’s own hard drive, but rather on shared servers at the vendor’s site.

What are its advantages?

The major reason usually given for Cloud Computing is that SaaS is faster to get up and running into a productive environment when compared to a full blown enterprise wide implementation and therefore a much less expensive alternative. Hand in hand with the touted speed to productivity is the claim that the enterprise can avoid the upfront capital expenditures for additional or specialized hardware that are usually required in most Enterprise Resource Planning (“ERP”) implementations. The servers are not on premises. It is a shared server array at the software vendor’s site. Since it is a service, the pricing is based on a per seat use rate and so the millions in the initial cash outlay for the software suite are non-existent. The theory is that the enterprise pays for what one uses and no more. Depending on the application, the pricing might not be exactly pay as you go, but a hybrid. The software vendor may have a subscription based pricing for the estimated number of users or hits required over a shorter period of time. This pricing model can then be adjusted as events require. Another advantage to this delivery model is that it is easily scalable and provides flexibility as projects or the enterprise at large experiences growth. Users, storage space, and upgrades to new versions and releases to the software can all be dealt with as the needs arise.

What are its disadvantages?

Security is the paramount concern. Where’s my software? Where’s my data? We have government regulations to adhere to. There are new banking regulations and new privacy rules. What about protecting non-public personal information? How do you assure me that my data does not get mixed up with another entity’s data? And the list can go on and on.

How do we address these concerns?

Cloud Computing is inevitable. Given the centralized nature of Cloud Computing, security becomes more efficient. Instead of fighting the concept, it might be wiser to prepare for its eventual acceptance and implementation. It is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made. One way to approach this matter is to initiate trials for your personnel by creating an innovation sandbox in the cloud. Contractually, this is the time when in-house counsel needs to lean on the “techies” on the business team. Actually both sides must feel comfortable with the solutions to the security issues. Let the business teams gather all the questions and all the means to address those concerns. Then it is the contract draftsman’s job to memorialize these areas of concern and the consequences into the contract to be signed if such matters are not met.

The teams must agree on the specifications of how the data is to be isolated and protected. Include language that allows and mandates that the customer’s data is retrievable in a format that is desirable and safe. The ability to retrieve your data in the right format should be part of any Disaster Recovery language and the policies and procedures discussed and inserted into the contract. Your data should be backed-up periodically on a regular basis and copies of the back-ups should be stored off-site at another secure facility. Support levels and upgrades are part of the selling feature of any SaaS initiative and so these must be clearly spelled out in the contract, usually via a separate Support Schedule attached to the terms and conditions and incorporated by reference. In addition to clearly defining what is included in Support, make sure to have your team develop in conjunction with in-house counsel and the vendor’s team a Software Support Response Schedule for inclusion into the contract. Such a Response Schedule should have up-time availability percentages for the Productive System and a sufficient penalty if these availability percentages are not met. Do not be afraid to include tough penalties for failure to achieve the agreed upon up-time availability to adequately incentivize the On-Demand vendor to meet their promised availability times. These penalties usually are a dollar percentage credit to the customer’s monthly or quarterly use fees. The teams should work on clearly defining different levels of priority and the times to respond to such calls for support (e.g. Level 1 is Very High Priority due to Productive System Shutdown. Response time after reported is 1 hour). The contract must clearly state that the vendor is SAS 70 certified and such certificate must be made available to the customer upon signing of the contract. It should go without saying, but verify that all of the promises made have been confirmed by a team from the customer by an on-site visit to the vendor’s facilities. The on-site visit should be able to confirm all the physical security claims and the policies and procedures discussed in the contract negotiations. Once the promised savings materialize due to reduced costs on maintenance and upfront costs for specialized hardware, the enterprise can use these funds and direct its efforts to more innovative ways of running the business.

Is complete surrender the only alternative?

Depending on the type of business your company is engaged in, considering the move to Cloud Computing and the nature of the data to be processed, the concerns over security might be just too high a hurdle to overcome. The new Privacy Laws and computer hacking and new government regulations sometimes present an insurmountable obstacle. Another approach is to perform a cost benefit analysis of just certain parts of your business and the results might make the transition to Cloud Computing more palatable. On-demand service providers, another name of SaaS software vendors, are coming up with hybrid delivery approaches to Cloud Computing. If the enterprise has a myriad of smaller customer interfacing transactions at a multitude of cites, why not make use of the Cloud with all its advantages of scalability and pricing based on use while leaving the more sensitive data processed and stored on premises in a single tenancy traditional approach. This allows the enterprise to take advantage of the cost savings of using Cloud Computing while still maintaining the integrity of the more sensitive data stored on premises.

Where do we go from here?

The worldwide recession has kept the lid on software vendors raising prices. But this economic downturn cannot last forever. During this time, there has been a consolidation of software developers in the ERP industry. In April 2009 Oracle purchased Sun Microsystems. This purchase alone gave Oracle, one of the prime players in the ERP market space, access to not only Sun’s premiere hardware capabilities, but also the keys to some of Sun’s stalwart software applications, most importantly the Java programming language. Along with Oracle’s purchase of Sun came the Solaris operating system asset as well. With all the assets of the Sun Microsystems purchase, including both the software and hardware, Oracle has placed itself in a position to provide the foundation to build its SaaS and Cloud Computing services.

SAP, who has been partnering with IBM since the late 90’s, plans on developing along with IBM a product that will facilitate the creation of an in-house cloud. SAP’s new endeavor, the “Reservoir” cloud computing project’s aim is to spread the utilization of requested applications across the enterprise’s servers thus addressing under utilization and spikes in usage.

Intel, the world’s prime chip manufacturer, purchased McAfee, a leader in network security industry. With this purchase Intel hopes to integrate security directly into the architecture of its chip. If this is accomplished, Intel’s potential to enter such new markets as network security, smart phones, and PC tablets is boundless.

Google, purveyor of the prime search engine of choice, has recreated itself into a vendor of mobile devices, operating systems, and Cloud Computing. Other big IT players such as CISCO, IBM, and HP, now flush with cash and seeing the impending paradigm shift in the industry, have gone on a shopping spree purchasing unified communications vendors, and network security companies, and business intelligence vendors. Oddly enough all of these companies apparently are perceived as being outside of the acquirer’s original area of expertise.

With this consolidation in the market many of the potential ERP customer’s choices will be eroded as only a handful of ERP vendors will remain. It’s a fair assumption that prices will be on the rise. Your IT budgeters should expect the need to request increases in funding for the usual items that accompany an ERP Business Suite purchase such as increased costs for support, higher rates for users, and the ever burdensome costs of a full blown enterprise wide implementation with all its foibles and miscues. One way to counteract the consolidation in the ERP market space is to examine the alternative methods for deployment of the needed IT services. Cloud Computing, Software as a Service, a hybrid approach, or Managed Services are options your IT department should be considering. As I have discussed the insurmountable hurdles to Cloud Computing can be overcome. With the right contracting model, adequate assurances and protections, along with sufficient penalties to incentivize adherence to agreed upon terms of protection, Cloud Computing can be the viable alternative for your IT department. Change is coming. Embrace it.

Epilogue : My editor asked me to develop a “To Do” list for the readers. The graphics in the published piece consist of a yellow legal pad with the following bullet points:

To-do-list

· When implementing cloud computing, it is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made.

· In addition to clearly defining what is included in support, make sure to have your team develop in conjunction with in-house counsel and the vendor’s team a software support response schedule for inclusion into the contract.

· The contract must clearly state that the vendor is SAS 70 certified and such certificate must be made available to the customer upon signing of the contract.

· Make use of the cloud with its advantages of scalability and pricing based on use while leaving the more sensitive data processed and stored on premises in a single tenancy traditional approach.

Intellectual Property Magazine: Computer Hacking and IP Theft

Sam Conforti — Tue, 01 Mar 2011 10:01:46 -0600

Catherine White, Staff Writer & Sub-Editor for Intellectual Property Magazine, contacted me about an article she was about to write on Computer Hacking and IP Theft. In the interview she asked me a series of in-depth and thought-provoking questions. She has done her research quite well and also interviewed some outstanding experts in the field. Her article appears in the March 2011 issue of Intellectual Property Magazine and is entitled "I spy with my little virtual eye" and the text of the article is as follows:

I spy with my little virtual eye...

Catherine White taps into the virtual world of computer hacking and its real threat to IP

Hackers who single out their target have done their homework. They do background research on that person, they know their friends, their family, their hobbies and interests. These forms of attacks are very dangerous,” said Kevin Rowney, director of breach response at software security company Symantec.

You would be forgiven for thinking that you are reading an excerpt from a fictional spy novel or thriller but what you are actually reading about is the growing reality of cyber crime and IP theft. A virtual world where anything can happen from financial institutions being breached by Russian networks to hacking operations taking place in a church. Plots so inconceivable that even James Bond would be shaken and most definitely stirred.

What is computer hacking?

Computer hacking involves trying to circumvent computer and network security and then selling the information obtained to criminals, competitors or to use for extortion. President of NetWitness, a network security company, Nick Lantuh said, “Hackers make billions of dollars from cybercrime. The revenues are greater than in the drug trade and far safer. It is much easier, cheaper and informative than sending out spies to countries to perform the act of gathering information. The other main benefit is that it’s anonymous.”

Richard LaMagna of consulting firm LaMagna and Associates said that it can also refer to the “ ‘cracking’ (gain unauthorised access to computers with malicious intentions) or by-passing of security features that are intended to prevent unauthorised use of a software programme, often referred to as digital rights management technologies (DRM).”

LaMagna continued, “In both cases, the hacker gains unauthorised access to a computer or a system from which he or she can steal information, intellectual property, trade secrets, personal identifying information, user names, passwords, email addresses, contact lists, etc.

“Pirates often distribute or sell the criminally hacked versions of software, which have security access controls removed, and the software programmes are either copied onto CDs, offered through peer-to-peer file sharing programmes, or offered for downloading for a fee on websites.”

Rowney pointed out that there are three major adversaries that pose a threat to IP:

1) Hackers-parties who are breaking into computers via the internet remotely and stealing IP;

2) Malicious insiders – employees who have turned against their organisations and have sought to rip-off IP from their employer or the enterprise they work for; and

3) Well meaning insiders – employees who mean well and stay loyal to their companies but end up making a mistake out of ignorance or haste that results in the breach and the exposure of IP eg, copying large amounts of IP onto laptops without encryption, then leaving that laptop unattended or losing it. Or by loading peer-to-peer file share programmes to download music and not realising that these programmes can also access other information on the computer.

There is also the issue of ‘data spill events’. This is when employees copy sensitive data inside a company to a secondary drive and leave it there without any protection. Thus, inside the corporate network, workers are using, updating, browsing content and copying out of the primary system, which is protected and into the secondary location where it has no protection at all. This leaves it open to theft by malicious insiders or hackers. “All three forms of these sources of threat impose significant risk to IP and anyone trying to defend their IP must be aware of all three risks”, Rowney said.

What do hackers look for?

Most hackers look for vulnerabilities in a company’s computer system and often gain access through third-party partners and collaborators who access the firm’s system via an extranet or virtual private network, commonly the weakest points of access.

Sam Conforti of law firm Sam Conforti LLC said, “The new industrial espionage no longer is the tourist taking a factory tour and clicking away with his or her camera. Today industrial espionage is gaining surreptitious access to a company’s network and downloading confidential files.”

These files can be anything of value to the hacker, from personal identifiable information to very targeted products, facts, formula, mergers and acquisition activity, patented processes, design documents and executive emails. Lantuh said, “If it provides a competitive advantage or intelligence which supports technology acquisition or has a monetary value that can be sold or exploited, then it is of value to hackers. The damage which occurs to the victim is a hit to their brand and a hit to their potential market cap.” LaMagna added that when counterfeit brands do enter the market and companies are unable to protect confidential and customer data, “they face serious issues of liability and possible government sanctions”.

Employer v employee

Theft of IP and other sensitive information from companies is very common. Insider hacking reached 48% of overall hacking activity in the 2010 Data Breach Investigations Report by Verizon Business, an IP communications and information technology service, and the United States Secret Service (USSS).

Insiders, who for malicious purposes abused their right to access corporate information, were the most common cases worked by the USSS. This crime increased by 26%. Conforti noted the increase in insider hacking indicated “the new white collar crime of the day is IP theft.”

Whilst all companies are exposed to IP theft, LaMagna said that, “healthcare and financial services are the most vulnerable when it comes to data breaches and hacking attempts, while the high-tech sector is most exposed to attempts to steal IP, often by careless or disgruntled insiders or third-party collaborators.”

As a result, Rowney noted that there is no definitive measurement of IP loss within enterprises and the main reason for this is because “companies do not report the extent of loss and often hide the event after a security breach because they fear this could harm their reputation”.

Lantuh added that if a firm does report a breach there are many others that do not, due to a “lack of visibility in these organisations meaning that these numbers are actually higher since many companies simply don’t know they have been breached”.

Countries and hackers

Hacking is both an insider and outsider problem. There is a lot of targeting from the cyber crime gangs in Eastern Europe, Latin America and Asia. There is also a significant amount of IP theft that occurs from nations which support home-grown industries/interests in gaining military technology or research and development efforts. There is a consistent top 10 list of countries most responsible for hacking and these include China, Brazil, Germany, UK, Russia and the US.

However, Lantuh noted that where a hack is aimed at commonly differs from where it began, “The highest hacker rate is actually in the US, but this is not necessarily indicative of where those hacks originate from. Many hacks from China or Eastern Europe originate their attacks from machines that have been compromised in the US or in another country.”

LaMagna offered some insights into why these particular countries are in the lead. “Countries such as the US, the UK and Germany have a high rate of internet use and the high rate of e-commerce and banking presents a target-rich environment for criminals to make money. Countries such as Brazil, India and China are experiencing dramatic growth in internet infrastructure and broadband usage which presents new opportunities for criminals. In many cases, countries lag behind in terms of cyber crime legislation and enforcement—thus there is no risk or deterrence.”

Computer hacking growth

IP theft is growing rapidly. Conforti said, “In the 21st century it is a foregone conclusion that computer hacking is a part of everyday life, both business and private home computing. If you feel you are immune to such matters or that it could never happen to you, then you are unwise and simply tempting fate.”

Research group Osterman published a study which showed that 74% of companies worldwide believed hacking and malware will increase in 2011. Malware refers to software that can destroy data, affect a computer’s performance and allow spammers to send emails to accounts. Malware includes viruses or worms (a software programme capable of reproducing itself that can spread from one computer to the next over a network).

There are several reasons why computer hacking is increasing:

1) New hacking techniques – the pace of innovations in hacking techniques has developed rapidly over the past few years. Such techniques are called ‘targeted attacks’, which are built around the idea of customising the computer virus in a way that will be effective for single use against a particular target. These customised viruses are called ‘mutated malware’ which have been altered so that no classic, signature-based anti-virus programme can detect them.

2) Information becoming digitised – more data is put online and made accessible via the computer network, resulting in information becoming more portable. The more applications and technology that can access this data, like smartphones, iPads, the more difficult it becomes to secure that data.

3) Profit margins - selling data is extremely profitable for hackers. It is also easy to deploy hacking technology and target it towards organisations.

4) Disregard for IP – there is a prevailing view that digital theft isn’t really theft and that it is a harmless practice with no victims.

In response to the rise in hacking incidences, new technologies are being invented. Many IP products have copy prevention features and DRM, like product activation keys, which notify the IP holder if a piece of software is being hacked or copied. Some products have a “time bomb” which means that after a certain period, if they are not registered with the manufacturer or authenticated, they will no longer function.

There is also a mutated malware identification system based on anti-virus technology which builds up an encyclopaedia of software running worldwide and monitors this malware. It has 1.5 billion programmes that help to understand new threats. Therefore, if something unrecognisable comes up on the encyclopaedia this is alerted straight away.

Approaching IP security

A small percentage of organisations understand what is needed to combat IP theft and protect valuable assets. Rowney said, “Many enterprises first do not have clear knowledge of where their most essential data is, where it is going and how it is being used. Without knowledge of this, it is hard to claim that you are doing an adequate job of managing the risk of a possible breach. Second, many organisations have not taken the basic steps to enumerate chief IP assets.”

The most common mistakes made by enterprises regarding IP security are:

• Budget issues – many companies are in denial about the level of risks that are currently at play eg, significant IP theft can compromise an entire product line, so they under value security issues. On the other hand, some businesses do not have the money for IP security. This is especially true for smaller firms that have no policies and procedures in place and regard safety as low priority. The majority of data leaks and breaches could be avoided by system administrators and employees’ adoption of best safe practices through tools, technology and greater awareness via training;

• Becoming overwhelmed – protecting IP is a massive task. There is so much data and if a company attempts to embrace the entire range of protection available, it becomes impossible to do. Therefore, enterprises should be realistic that only the narrow range of essential IP should be defended. This way they can focus their attention and be on top of the situation;

• Point solution’ confusion (solving one particular problem without regard to related issues)- when addressing IP security, companies point their resources towards the next point solution technology eg DLP or web filtering. This can become unmanageable because a company will have to maintain, operate and keep the technology up to date. Although all these point solutions are targeted towards a piece of the problem, they do not offer protection and this causes a management nightmare for the security teams. Lantuh said, “Add this to the fact that security has to some extent used compliance as a proxy for sound operational security practices and has gone to a ‘check-box mentality’ which provides a false sense of security, meaning cyber criminals will not get caught by your signature based solutions.” Firms therefore need a real-time ‘catch-everything’ network- monitoring solution that can be mined for intelligence on what is happening. Thus, businesses can detect risk, qualified threat and do this on an ongoing basis; and

• Time factor– many organisations often underestimate the amount of resources, money, people and time it takes to really protect and implement a sound security protection strategy. LaMagna noted that companies that rely heavily on IP such as pharma, technology and publishing groups, “are surprisingly reluctant to allocate substantial budgets to IP protection programmes ... This is because assessing IP is a difficult and time-consuming exercise. Often, law enforcement referrals take time to come to a successful conclusion and even then the penalties are not severe enough to act as a deterrent.”

Your mission, should you choose to accept it...

Rowney highlighted the steps on how enterprises should protect themselves from security breaches:

1) Protect infrastructure with modern systems to defend against infection. Virus infection is usually the primary mode of intrusion, which hacker teams are using to access IP. So companies should use new advanced techniques that can specifically confront the threat of targeted attacks.

2) Appropriate authorisation and authentication infrastructure. Make sure that only the intended parties and appropriate consumers of IP inside the enterprise are able to see it. Such means could be passwords but sometimes these are insufficient and insecure. Therefore, some companies are looking into ‘two factor authentication’ which is a form of advanced authentication such as ID cards, personal identification numbers and fingerprints.

3) Adequate management on the underline system. Many computers that are hacked into have out- of-date configurations or lack appropriate patches against the most up to date solutions vendors offer. In addition, if a company has security problems this makes hacker access easier. They also may not have the appropriate updates to accompany applications, like PDFS or Java, which can open up a gap in security framework allowing hackers to break in. Appropriate management systems should have patch-updates and appropriate revisions of commercial software.

4) Know where information is and where it is going. Data loss prevention solutions allow to identify IP at its source and track its transmission in email, its exposure on servers and possible copy or theft. There are modern detection algorithms, which are quite good at identifying specific forms of IP breach, like words stored, where it is going to and how it is used.

5) Appropriate network monitoring. This allows an enterprise to watch for traces of infection. These break-in events create patterns of network activity, which could alert a team to the urgent need for a remediation of the affected systems.

6) Education. Employees should be educated and trained to not rely on point solutions or ‘fix-of-the-day’ technologies. There needs to be a deep continual monitoring of what is going on, Lantuh added.

Steps for post attack

Lantuh highlighted what companies should do after a security breach has taken place:

1) a) Engage their incident response plan if they have one. b) Perform a forensics investigation to find the root cause of the attack. c) Remediate the situation. d) Do a post-mortem analysis on the incident and determine any lessons learned which can be incorporated into the incident response plan for process improvement. e) Check the entire enterprise for like compromise

2) Use what was learned from the attack. After an attack, companies should incorporate what they have learnt into the internet response process for the next incident, continually improving the process.

3) Spread knowledge. After a company realises what needs to be done, they should spread this knowledge out to see if there was compromise anywhere else in the corporation. Employees should be educated in understanding the importance of clicking on links or helping workers/well meaning insiders understand the potential risks of posting links on the web or sharing them inappropriately.

Mission impossible?

Ending the war on cyber crime will be a long battle, as long as data accessible technology, like iPhones and iPads, keep evolving. The only real way companies can defend themselves is if they implement the correct security steps, but Rowney noted enterprises are their own worst enemies. “Malicious insiders stealing data can easily be prevented by using modern security technology. Despite this, businesses are not using such software, so hacking happens all over again”.

A message many companies wish would “self destruct in 5,4,3,2,1”.

Footnotes

1. Predictions for 2011. An Osterman Research Survey Report

2. Verizon 2010 Data Breach Investigations Report

3. Further reading: Online Trust Alliance 2011 Data Breach & Loss Incident Readiness Guide to Help Businesses Protect Online Trust & Confidence https://otalliance.org/news/releases/DataBreach1_25_11.html

Is Software Patentable

Sam Conforti — Sun, 30 Jan 2011 08:51:09 -0600

Recently, I was attending a get together of some old school friends from my youth. We try to see each other every once and a while. I was chatting with a friend of mine and invariably the question is raised “Well Sam, what is it that you actually do”. Having fielded this question before I said, as I have many times in the past, “I negotiate and draft contracts for the licensing of software and I also draft the consulting contracts to implement that software”. My friend, who is a software engineer and a very intelligent man, countered with “I thought you couldn’t get a patent for software”. He relayed his experience of 15 years hence writing code for software games and not being allowed to patent the algorithms. Well, he had me back on my heels and flat-footed. I wasn’t sure how to answer him. I relied on my experience as a Law Professor and being asked questions where I did not have the answers at my finger tips. The secret is to ask rhetorical questions in a sort of Socratic manner and get to the answer. I did not feel comfortable at first stating definitively that “Yes, of course software can be patented”. My discomfort came from the knowledge of asking this very question in the past and not getting a conclusive and authoritative response. So I began asking the questions and stating that when I draft a software license and I am representing the buyer I include indemnification language to protect my client similar in tone to the following:

“Seller shall indemnify Buyer against all claims, liabilities, and costs, including reasonable attorneys' fees, reasonably incurred in the defense of any claim brought against Buyer by third parties alleging that Buyer's Use of the Software infringes or misappropriates any United States patent; a copyright; or trade secret rights, provided that: such indemnity shall not apply if the alleged infringement results from Use of the Software in conjunction with any other software, an apparatus other than a designated apparatus, or unlicensed activities and so long as Buyer promptly notifies Seller in writing of any such claim and Seller is permitted to control fully the defense and any settlement of such claim as long as such settlement shall not include a financial obligation on Buyer. Seller may settle any claim on a basis requiring Seller to substitute for the Software alternative substantially equivalent non-infringing programs.”

And when I am representing the Seller I include language in the license to protect my client that limits its liability for any claims of patent infringement with language similar in tone to the following:

“Buyer's sole and exclusive remedies for any damages or loss in any way connected with the Software furnished by Seller, whether due to Seller's negligence or breach of any other duty, shall be, at Seller's option: (i) to bring the performance of the Software into substantial compliance with the functional specifications; (ii) re-performance of services; or (iii) return of an appropriate portion of any payment made by Buyer with respect to the applicable portion of the software or services. Seller will not be responsible under this Agreement if the Software is not used in accordance with the documentation; or (ii) if the defect is caused by Buyer, a Modification, third-party software, or third party database. ANYTHING TO THE CONTRARY HEREIN NOTWITHSTANDING, EXCEPT FOR DAMAGES RESULTING FROM UNAUTHORIZED USE OR DISCLOSURE OF PROPRIETARY INFORMATION, UNDER NO CIRCUMSTANCES SHALL SELLER, OR BUYER BE LIABLE TO EACH OTHER OR ANY OTHER PERSON OR ENTITY FOR AN AMOUNT OF DAMAGES IN EXCESS OF THE PAID LICENSE FEES.”

So this little exercise helped me to raise my confidence level in order to respond to my friend that yes in the US software is patentable. But just why is there such an open question on this issue. There is no definition of software from the US patent office. As of today in the US it is readily accepted that software embodied in a physical computer readable medium and aiding an innovative process or machine is considered patentable. If you seek such a patent you must “subtly claim the software as employing or performing certain functions or processes and as embodied in a computer readable medium”. Please see http://ezinearticles.com/?A-Soft-Introduction-to-Software-Patents&id=593392

“Software patents have a very recent history as the first software patent granted was in 1981, in the legal case of Diamond v. Diehr. The claimed invention is a heat treatment of rubber, wherein software code is employed to compute the optimum time duration for the treatment. In another case of State Street Bank & Trust v. Signature Financial Group, a software business method was granted a patent in the year 1998, redefining software patentability. Software patentability has been a topic of debate world over. The first question an inventor, who wishes to patent his invention, asks is "Is software patentable". The short answer is that the US patent office does grant software patents, and there has been a surge in software patenting in the US.” Id.

In my research I found some very interesting facts.

· A classification of software patents is virtually nonexistent, although a majority of recent patents are software patents based on the above criteria and

· There are about 1400 patents purely on computational software.

· IBM possesses 31,995 US patents.

· HP possesses 21,000 patents worldwide as on 2003.

· Microsoft possesses 5000 US patents.

· Siemens possesses more than 10,000 issued and pending US patents.

· In the USPTO database there are about 25,123 claimed software patents and about 284,978 granted patents that disclose the use of software in their inventions.

For further reading on this subject please see several articles listed at the following URL http://ezinearticles.com/?expert=Ash_Tankha

Please note that the above discussion is on US patents only. In Europe this is still an open question. See European Patent Office quiet on whether software can have a patent. And in Asia and the rest of the world it is anybody’s guess.

More Government Intervention Needed Says FCC Chairman

Sam Conforti — Sun, 09 Jan 2011 08:46:26 -0600

The Consumer Electronics Show (“CES”) was held last week in Las Vegas. So the tech industry showed up with all its gadgets, smartphones and tablets and whatnot, and all the promises of 4G and mobile computing. So we’ve got this new, relatively speaking, and burgeoning wireless industry. Isn’t this what economists and critics and politicians and enthusiasts predicted and clamored for, American inventiveness and exceptional-ism to come to the rescue and reverse the global economic downslide. Not so fast my friends. As Kenneth Corbin reports in his article for Datamation entitled FCC Boss Takes Spectrum Shortfall Warning to CES, The FCC Chairman, Julius Genachowski, announced plans at the CES for his agency to intervene into the wireless industry and forcibly reallocate bandwidth among the major players. Corbin explains the situation succinctly in his article:

“Federal Communications Commission Chairman Julius Genachowski was talking about spectrum, the invisible airwaves that power the wireless networks that are coming under increasing strain from the surge in mobile computing.”

It comes as no surprise to the industry that the possibilities and wonders of the new wave in mobile computing are dependent upon sufficient supply and access to the air waves. However, as Corbin reports, The FCC has plans to conduct auctions of the air waves licenses currently owned by the TV broadcasters to the wireless vendors. Maybe not a bad idea, but along with incentives to do so, the FCC would impose fees, fines, and penalties in order to ensure the government’s idea of the proper allocation of the Spectrum to be implemented. So is this truly voluntary.

Once again, the age old question must be addressed …. Who is better equipped and suited to put into practice and maintain a sound business strategy, the Free Market or the Government. You decide.

2011: The Next Computing Platform

Sam Conforti — Mon, 06 Dec 2010 09:50:04 -0600

David Needle reports in EnterpriseMobile Today on IDC’s prediction of the plethora of sales of mobile devices expected in the coming year with over 25 billion apps expected to be written for these devices in his article entitled Mobile Apps Will Heat up to 'Staggering' Levels in 2011: IDC. This will be the eventual merging of Cloud Computing, Mobile Computing, and Social Networking. This will be the next paradigm shift in the computing world. For me this shift is clearly signaled when Needle quotes Frank Gens, IDC's senior vice president and chief analyst:

"In 2011, we expect to see these transformative technologies make the critical transition from early adopter status to early mainstream adoption"

“In addition to creating new markets and opportunities, this restructuring will overthrow nearly every assumption about who the industry's leaders will be and how they establish and maintain leadership"

Apple’s iPhone will dominate, but Android’s Marketplace will not be a distant second for long. With the staggering prediction of over 25 billion apps to be written and sold for all the new mobile devices, the other two budding technologies of cloud computing services and social networking will combine to move the new way of computing to warp speed.

Should we expect the acquisition by major software vendors of social networking providers? The IDC research says yes.

The Cloud or On-Premises: HP Says Why Not Both

Sam Conforti — Sun, 07 Nov 2010 06:38:54 -0600

As I have discussed in several articles in this Blog, the concern over security has been a huge hurdle for most enterprises when considering whether to adopt Cloud Computing. There also is the simply reticence to change. David Needle discusses this in his article in ServerWatch entitled HP Pushes ‘Instant On’ Vision of Enterprise Cloud Services and explores an ingenious response to the resistance to change developed by HP. Perhaps the best way to describe this new development in Cloud Computing is to call it a hybrid approach. HP also offers the consulting services that will assist the enterprise to implement and manage these services. Needle’s article is peppered with quotes from Sandeep Johri, vice president of enterprise strategy and industry solutions at HP, and from a company spokesman. I think the fastest and most direct way to describe this approach and the services to implement it is to read exactly what they say about it. Here are some select quotes and you can make the determination if this could be the game-changer for the adoption of Cloud Computing:

“Part of our vision is about transforming old applications, not necessarily to the cloud, but to make them more available using new frameworks that can be accessed as a service.”

“We think the cloud needs to be more than the standard definition of on-demand services. An enterprise needs a level of security commitments and service quality commitments, among other attributes we believe are necessary.”

"The cloud can be something you use to augment other parts of your business. For example, for some of our airline customers we do 'ticketing as a service.' Those companies get billed on a per passenger basis and they don't get billed for servers -- the backend infrastructure is all handled by HP.

"From an instant-on perspective, an airline might just want the ticketing aspect, which we let them get right away without buying new infrastructure, but they may also want to keep a lot of other IT functions in house, and this program lets them do that."

"We do medical claims processing for 20 states in the U.S. and we get paid on a per claim basis. We process over a $100 billion in claims every year," he said. "We don't call it software as a service, but that's effectively what it is.”

And on the hybrid delivery services that implement this approach:

"This offering provides clients with a patent-pending, model-driven framework to introduce hybrid delivery concepts into their existing environments.”

"The optimal architecture for the enterprise is a hybrid architecture, not everything is moving to the cloud or staying in-house. At the end of the day, IT needs to deliver services and some of those are best delivered in-house in a traditional single-tenancy environment, some in the cloud and some outsourced. We believe HP can bring optimization across multiple dimensions.”

3 Stories: SaaS Utilization Grows; Infosys Profits Up; IT Street Fighting Hollywood-Style

Sam Conforti — Sat, 16 Oct 2010 08:42:25 -0600

There has been a lot happening recently. I have found three articles I think will be of interest to all of you. The first presents anecdotal evidence that SaaS is steadily becoming accepted in the IT world, but doubts still linger regarding security. The article presents some interesting clues on what’s important from a contracting standpoint. The second article provides some insight into the global marketplace’s emergence from the slump of demand for IT (i.e. companies increase spending for IT services). And the third article is a very witty compilation of the Board Room melodramas over the past few months. Space constraints prevent me from a full analysis of the three articles, but I think I can give you enough information to whet your appetites for more, and of course I’ll provide the links.

I. SaaS Adoption Continues:

Patrick Thibodeau provides examples of the continued adoption to the SaaS cloud based system in his article in Computerworld.com entitled IT shifts to the cloud; anecdote by anecdote. It appears that the reasons given by the CIO’s and IT Managers are of no surprise. Mark Stone, the CIO at Safety-Kleen Systems Inc. states:

“With a cloud-based approach, he said, "I can go today to a variety of SaaS providers and put in software that's every bit as functionally rich as anything I've developed on-site" -- without having to worry about the upkeep of an IT infrastructure.”

Lien Chen, CIO at RAE Systems Inc. had an Oracle ERP system that she wanted to integrate with Salesforce CRM. She could have purchased an integration package, which of course would necessitate hiring consultants to implement (i.e. factor in those costs as well). Instead she opted for the less costly cloud-based integration from Informatica. Security issues prevent her from moving all apps to the cloud.

From a contracting perspective the comments I found most informative were from Robert Scott, managing partner at Scott & Scott LLP, a Dallas-based law firm that advises clients on IT contractual issues. He acknowledges the angst over security concerns. His advice when developing the contract for cloud-based services is “You own everything you bring and everything you pay for.” Scott went on to say:

“That means, for instance, that if a cloud vendor undertakes integrations and customizations or builds templates and layouts, users have to be certain they can take that work with them if they move to another provider. This could have a big impact on your ability to switch."

II. Infosys Profits Up: Forecasts revised

As for evidence that the slumping world economy and in particular global enterprises’ spending estimates for IT is on the way back, see Ketaki Gokhale’s article in Bloomberg Businessweek entitled Infosys Profit Beats Estimate; Increases Forecast. It appears the rebound may be a double edged sword for India’s second largest exporter of software. Yes, Net Income is up 13% for the first three months of their fiscal year, and yes, Infosys joins the likes of Intel in reporting that IT spending is likely to increase in the coming year. However a stronger rupee is stifling the return of those monies earned abroad back to the owner’s in the country of origin, India. Infosys derives 66% of its revenue from North America and 23% from Europe. Gokhale reports on the latest from Forrester Research Inc. that “Worldwide information technology spending, which includes computer equipment and software purchases, will grow 7.8 percent to $1.58 trillion this year after falling 8.9 percent in 2009, according to July estimates.”

III. IT Street Fighting Hollywood-Style

As an attorney involved in the intricacies of software contract drafting, I have a special place in my heart for lists. For a very informative and also enjoyable read, I highly recommend Thomas Wailgum’s article in CIO.com entitled 10 Lessons Learned from the HP-Oracle-SAP-NY Times Saga. In case you haven’t noticed there have been some very high-profile and entertaining board room antics for the past several months. It appears that the CEO, now the ex-CEO, of HP might have been involved in a dalliance that caused the HP board to summarily dismiss him. Not to worry his tennis partner and uber-rich CEO of Oracle, Larry Ellison, hired him in an instant as co-President. Apparently a New York Times columnist wrote nasty things about SAP’s former CEO and this columnist’s girlfriend is employed by the law firm suing SAP. And it seems everybody is taking pot-shots at HP’s board and HP’s board is fighting back. And what about IBM? Looks like they want in on all the tomfoolery.