Legal Issues Impacting Data Center Owners, Operators and Users by John Yates & Larry Kunin December 9, 2010


Presenters

Larry Kunin

Partner, Litigation Practice

Telephone: 404.504.7798

E-mail: [email protected]

John Yates

Partner, Corporate Technology Practice

Telephone: 404.504.5444

E-mail: [email protected]


Goals

MMM’s goal is to work with data center owners, operators and users to identify key legal issues and their related claims, and to provide ways to minimize liability.


Key Legal Areas of Concern

1. Contracts

2. Tort/Fraud

3. Products Liability

4. Regulatory Compliance

5. Privacy/Security

6. Safe Harbors

7. Post-Hacking/Security Breach Issues


Key Questions

What are the key concerns of the data center owner, user, operator?

1. Is there adequate security to avoid security and privacy breaches?

2. How are external forces such as power outage, natural disaster, and terrorism controlled? What if contractors/subcontractors don’t perform adequately?

3. What if there are hardware/software failures resulting in down time?

4. How can a user be compensated for non-performance by the data center owner or operator?

5. What steps need to be taken if there is a security breach?

6. Are there safe harbors?


Power Outages

1. What are the terms of your agreement with the power company?

2. Do you have a claim against the power company in case of an outage?

3. Do you have an adequate back-up system?

4. How do you determine the adequacy of a back-up system: what is reasonable under the circumstances?

5. What is your liability?

6. Power outage – liability

i. Have you taken steps that are reasonable under the circumstances to provide for the contingencies of a power outage?

ii. Do you have a contractual arrangement with the power company to provide certain levels of performance?

iii. Do you have a contractual arrangement with a back-up power source? Does it include liquidated damages?

iv. Do your customers’ contracts provide for uptime warranties?

v. Do they include representations and warranties regarding uptime?

vi. Do they include a liquidated damage clause?


What is a Liquidated Damage Clause?

1. The elements of a liquidated damage clause:

- The parties desire to avoid the cost of proving damages in the event of future breach.

- Damages will be incapable of accurate estimation, or very difficult to estimate accurately, at the time the contract was made.

- Liquidated damages are a reasonable forecast of what damages might be in the event of breach.

2. Liquidated damages are not penalties: A liquidated damage clause that is found to punish rather than provide reasonable compensation will be declared an invalid penalty and will be stricken.

3. Note, however, that the inability of individuals to prove actual damages has been a block to sustaining a lawsuit.


Sample Liquidated Damage Clause

The parties agree that in the event of data loss [or security breach], damages will be difficult to calculate. To avoid the cost and effort to attempt to calculate such damages, the parties agree that in the event of a proven data loss [or such breach] a reasonable forecast of resulting damage is $_________, which COMPANY shall pay to CUSTOMER within 20 days of confirmation of such breach. Such payment shall be the exclusive remedy and shall satisfy all liability for such data loss [or security breach].


Force Majeure Clauses

A force majeure clause prevents liability for harm caused by issues beyond a party’s reasonable control, such as an act of God (hurricanes, fire, etc.).

- Might not protect against failure to back-up data.

It is unlikely that a force majeure clause will protect against third party illegal hacking if there is evidence that the hacking could have or should have been prevented through better security measures (i.e., the act was preventable).


Sample Force Majeure Clause

A party will not be liable to the other party for any failure, delay, or disruption of telecommunications services, caused by a Force Majeure Event, whether or not such matters were foreseeable, and such failure or delay will not constitute a material breach of this Agreement. “Force Majeure Event” means any cause beyond the reasonable control of a party that could not, by reasonable diligence, be avoided, including acts of God, acts of war, terrorism, riots, embargoes, acts of civil or military authorities, denial of or delays in processing of export license applications, fire, floods, earthquakes, accidents, or strikes.


Hardware/Software Failures

1. Do you have a contract with your software/hardware vendors?

2. Does it include warranties and representations?

3. Does it include indemnification to protect you in case you get sued by third parties (for example, users of your system)?

4. Do you have insurance to cover the liability? Have you reviewed the policy to determine the scope of coverage?


Privacy/Security

1. Do you store personally identifiable information?

2. Are you aware of the security breach notification statutes on the State level? Do you have policies in place to comply with them?

3. What damages could you incur by a security breach that results in disclosure of personally identifiable information?

- Safe Harbor under State breach laws?

4. What other liability could be incurred as a result of a security or privacy breach?

5. Is data encrypted?


Sample Security Breach Notification Law

California Security Breach Information Act, SB 1386:

Companies that possess or store personal information (SSN, driver's license, account number, etc.) must provide notice to each person in their database upon discovery of a security breach involving such personal information.

Applies to government agencies, companies, and nonprofit organizations regardless of geographic location.


Practical Pointers

1. Review existing contracts and license agreements with hardware and software vendors, especially with regard to representations and warranties, indemnification provisions, liquidated damage provisions, performance criteria, etc.

2. Review your existing user agreements with regard to limitations of liability, representations and warranties, performance criteria, etc.

3. Review existing insurance policies, especially exceptions.

4. Review existing policies and procedures in case of security or privacy breaches, especially with regard to state breach notification laws.

5. Review existing case law on an ongoing basis to determine reasonable steps required of a data center owner/operator and standards of care.


Recent Court Cases

In re TJX Companies Retail Sec. Breach Litigation (1st Cir.): Bank represented class in a claim for violation of Mass. unfair trade practices statute following security breach. Damages were amount of fraudulent charges resulting from the security breach. Settled for over $40 million.

Krottner v. Starbucks and Lalli v. Starbucks (W.D. Wash.): Two class action lawsuits alleged the theft of laptops that contained personal information of Starbucks employees. Starbucks gave notice to all employees. One plaintiff alleged that his bank account was opened, but the bank closed the account and there was no monetary loss. Plaintiff also failed to show a nexus between the security breach and the access to his account. The court dismissed both cases.


Recent Court Cases

Ruiz v. Gap (N.D. Cal.): In this class action, a burglar broke into the offices of Gap's job application processing vendor and stole two laptops that contained unencrypted personal information about thousands of job applicants. The only alleged harm was an alleged “increased risk of identity theft.” The court dismissed, holding that this is not a loss.

Hendricks v. DSW Shoe Warehouse (D.Mich.): Damages were the cost of a credit monitoring service. But in this case, there was no Michigan authority that this is a recoverable damage, and the case was dismissed.

Carbonite lawsuit: Sued two vendors alleging loss of data owned by up to 7,500 Carbonite customers (cloud storage) due to failed disk arrays and failure in back-up procedures. Vendors responded that only a de minimis number of customers were affected. Lawsuit appears settled.


Bios

John C. Yates – Tele.: 404.504.5444 – E-mail: [email protected]

Partner-in-charge of the Technology Practice. Mr. Yates is one of the pioneers of the technology law field and has been practicing exclusively in this area for over 27 years. The firm’s technology practice has represented hundreds of technology companies and provided legal services in such areas as IPOs, mergers and acquisitions, patent prosecution, Internet law, biotech and medical devices, ecommerce/distribution, corporate finance and venture capital, international law and dispute resolution.

Larry Kunin – Tele.: 404.504.7798 – E-mail: [email protected]

Partner in the Litigation Practice with a concentration in technology and intellectual property litigation, including software performance, trade secret, trademark and copyright litigation, as well as general commercial and business tort litigation. Mr. Kunin also serves as a special master or mediator in disputes involving technology or e-discovery.