Alfred Cheng

Phone: 214.952.7028
Email: alfred.cheng@king-fisher.com
Location: Galleria Tower 3, 13155 Noel Road, Ste 900, Dallas, TX 75240

Alfred Cheng is an experienced and trusted advisor to clients that vary in size and industry. He counsels clients on a broad range of technology and intellectual property-related transactions, including cloud computing and software as a service (SaaS) offerings, software licensing and maintenance/support services, IT and business process outsourcing, technology development, and distribution and reseller arrangements. Alfred enjoys working closely with his clients to understand their businesses and to help them achieve their goals and objectives, while taking a pragmatic approach to drafting and negotiating contracts.

Prior to joining King & Fisher, Alfred worked at McDermott Will & Emery and was a partner at K&L Gates and an associate at Jones Day. He also previously worked as an equity analyst at an investment management firm and a consultant for an Inc. 500 technology consulting firm.

Alfred authored the “Privacy & Data Security” chapter of Outsourcing: Laws and Business, a legal treatise published by Law Journal Press.

Areas of Emphasis

Technology and intellectual property transactions
Professional services contracts, including consulting and development
Data licensing and aggregation agreements
Marketing and advertising contracts
Supply agreements and sales transactions
Commercial transactions
Internet and e-Commerce
Telecom
Outsourcing
Privacy
Open source software

Contracting Conundrum: “Reasonable Security Measures”

In technology contracts between customers and vendors, it is common to obligate one or both parties to implement “reasonable security measures” to protect applicable data and information. Typically, the obligation is a function of risk allocation or legal requirements. The recently enacted (and more recently amended) California Consumer Privacy Act’s authorization of a private right of action against businesses that fail to implement reasonable security procedures and practices highlights the issue. But what are “reasonable security measures”? And which contracting party decides?

The Market Speaks

Often, technology contracts merely reference, but do not explain, reasonable security measures. A contract may require a party simply to “implement reasonable security measures” to safeguard applicable information. Alternatively, a contract may obligate the party to “implement reasonable security measures as required by applicable law” or to “comply with applicable data privacy and security laws, including those regarding security measures.” Both customers and vendors can find these examples appealing.

Pushing the Envelope

Less often, but frequently when the technology transaction involves financial services companies, the contract may impose more stringent requirements based on statute or regulation. For example, the vendor may be obligated to “implement administrative, technical, and physical safeguards to insure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” Similarly, technology contracts involving healthcare information can mirror applicable federal regulations and obligate a party to “implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the information.” For EU personal data, the Standard Contractual Clauses (which will likely soon change) may be invoked. Although usually advocated by technology customers, these more specifically stated obligations track legal requirements and so are often acceptable to the customers’ vendors.

Breaking the Envelope

In a few cases, customers or vendors may choose to sidestep the vagueness of the above options. For example, agreements with ties to California may explicitly reference the 2016 California Data Breach Report, which specifically states that an organization’s failure to implement all twenty controls in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security. When payment card information is in scope, the contracting vendor may be directed to comply with the PCI Data Security Standards. Increasingly common, a technology customer – or vendor – may expressly set out detailed, bespoke security measures. The contractual statement of these measures can range from one, to three, to five or more pages.

Clearly, there are many ways for contracting parties to reach agreement on applicable security measures to be implemented under a technology contract. Be sure that what you sign up for works best for your company – all costs, risks, and consequences considered.

Privileged Cybersecurity Investigations – A Checklist for Contracting with Consultants

Your company may suffer a cybersecurity incident that warrants bringing in third-party forensics or other consultants to investigate and report on the cause or consequences of the cyber event or compromise. To seek to protect the third parties’ reports with the work product privilege (and, thus, to avoid having to disclose the reports in litigation) – and to try to side-step the unexpected failure to establish such protection that Capital One recently experienced (In re: Capital One Consumer Data Security Breach Litigation) – do (and don’t do) the following with respect to your contracts with these third parties:

Do have outside counsel be the entity contracting directly with the third party. Have outside counsel pay the third party’s fees directly. Then, have outside counsel bill you for reimbursement of the fees paid.

Do contract under a specific statement of work or services description that is exclusive to the particular cyber incident.

Do state and expressly limit the purpose of the third party’s services and reports to anticipating litigation arising from the cyber incident. The purpose should not explicitly or implicitly include, for example, financial controls or reporting.

Do require that the third party’s report be in a form and of substance specific to the purpose of anticipating litigation. The report should not mirror what would be provided for reports for other purposes.

Do require the third party to issue formal and informal reports and updates only to the contracting outside counsel. Outside counsel, then, as necessary or appropriate, can distribute the reports or updates further, for example, to select internal stakeholders.

Don’t allow those who receive reports and updates from outside counsel to further distribute the reports or updates, whether internally or externally. Require recipients to explicitly agree to limited use and handling terms before receiving reports or updates.

Don’t allocate the costs and fees for the third party’s services to any internal billing or cost center other than Legal’s. The costs and fees should be assigned to Legal’s budget. Categorize the costs and fees as “legal” costs and fees, not, for example, cybersecurity or business costs or fees.

And, in the contract with the third-party forensics firm or consultant, do include requirements that the third party conform to all of the applicable above do’s and don’ts.

Importantly, these are only a few do’s and don’ts that may help guide many companies in attempting to structure and implement contracts with third-party consultants so as to establish the work product privilege applicable to the third party’s reports. Each company, each cybersecurity incident, and applicable law can vary and be unique, so it is perhaps even more critical for the company to immediately involve inside (or outside) counsel to navigate these thorny issues.

Background – In re: Capital One Consumer Data Security Breach Litigation

The above do’s and don’ts follow from the recent decision of the U.S. District Court for the Eastern District of Virginia in the above-referenced litigation. Capital One sought to avoid having to disclose the report issued by the cybersecurity forensics firm that it retained in the wake of the March 2019 data security breach suffered by the financial company. In affirming a magistrate judge’s order to compel Capital One to disclose the forensics report, the Virginia federal district court made several observations.

Well before the breach (and not specific to the March breach), Capital One had retained the forensics firm under a general SOW, on a retainer basis, to provide a set number of service hours for any one of a broad range of incident response services that might be needed. After the security breach, the bank’s outside counsel signed a letter agreement with the forensics firm for services with respect to the breach. The terms of the letter agreement provided for the same scope and kind of services, on the same terms and conditions, as the general SOW (except that the forensics firm would work at the direction of the outside counsel and provide the forensics report to the outside counsel). For performing under the letter agreement, the consultant was first paid from the retainer already provided under the general SOW. Then, Capital One directly paid the balance of the consultant’s fees due under the letter agreement – with funds from Capital One’s internal general cybersecurity budget. Capital One (at least at first) internally identified the fees paid to the consultant as a “business critical” expense – not as a “legal” expense. During the forensics firm’s investigation, it communicated directly with the bank’s external financial auditors, so that the auditors could assess whether the breach impacted the bank’s accounting controls. Many internal and external parties received a copy of the forensics report, but Capital One provided no explanation as to why these recipients received a copy of the report, as to whether the report was provided for business purposes, regulatory reasons, or specifically in anticipation of litigation, or as to any restrictions placed on the recipients’ use, reproduction, or further distribution of the report.

Both the magistrate judge and, on appeal, the district court judge who opined on the matter saw these facts, among others, as support for finding that the forensic firm’s investigation report was not protected from disclosure by the work product privilege.

Practice Areas

CLOUD

Companies are rapidly shifting data, services and technology resources outside the walls of their own buildings and into third-party data centers and facilities that are accessible via the Internet, i.e., the “cloud.” We frequently draft and negotiate deals related to hosting services, Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), business continuity and disaster recovery services, and other hosted services. We understand our clients’ needs to receive the cost benefits of a cloud service while at the same time protecting them against the risk of data loss or data breach that might occur with cloud providers.

SOFTWARE

Today’s business environment is built on software, whether it’s computer software, mobile apps, embedded software, hosted software, firmware or other types of code-based products. We have extensive experience drafting and negotiating contracts related to software design and development, licensing and sublicensing, distribution, maintenance and support (including service levels), and ownership. We also understand the benefits and risks of using free and open source code, and frequently provide guidance on those issues.

TECHNOLOGY & BUSINESS AGREEMENTS

Contracts are a regular part of operating any business, and many contracts involve technology in some fashion. We have more than 20 years of experience drafting and negotiating business and technology contracts. Whether it’s a consulting services agreement, advertising agreement, copyright license agreement, trademark license agreement, manufacturing agreement, or any other type of business agreement or contract, we can help you with it.

OUTSOURCING

Outsourcing is a business relationship where a company relies on a third party to provide certain administrative, business or technology functions. Take, for example, a paper company that is exceptional at providing paper products. In order to provide those paper products, the company must have computers, printers, networks and other technology resources necessary to conduct business. The paper company has two options: (1) it can hire its own information technology team to install and maintain the technology resources; or (2) it can outsource those information technology responsibilities to a firm that specializes in providing information technology services. If the paper company elects the second option, then it has entered into an outsourcing relationship.

In today’s fast-evolving, global business environment, more companies are focusing on their core strengths and are outsourcing administrative, business and technology functions to third parties. We can help you use outsourcing as part of your business strategy. We understand the risks inherent in outsourcing relationships and have extensive experience with the outsourcing process and outsourcing contracts, including services agreements, custom development agreements, SaaS agreements, service level agreements, termination and transition plans, and, where applicable, local country agreements.

PRIVACY & SECURITY

Privacy and data security concerns are ever-present, and the regulatory, contractual and other legal means of attempting to address these concerns are constantly evolving. We can help you understand your privacy, data security and compliance obligations, provide advice and assistance to you as you seek to negotiate and implement related contracts and contractual obligations, and help you develop privacy policies and guidelines for your company and its relationships with third-party vendors and others. If you experience a breach, we can advise you regarding your obligations and can work on your behalf with some of the best data breach response and remediation companies in the country.

Dawn C. Perotti

Phone: 214.396.6265
Email: dawn.perotti@king-fisher.com
Location: Galleria Tower 3, 13155 Noel Road, Ste 900, Dallas, TX 75240

Dawn Perotti’s practice encompasses a broad range of outsourcing and technology transactions. These include global information technology and business process outsourcing agreements, cloud computing agreements, infrastructure as a service agreements, software as a service agreements, customer care/call center agreements, software development agreements, licensing and marketing agreements, and telecom agreements. She also counsels clients on data security and privacy issues. Throughout her decades of practice, Dawn has helped both service providers and users, which has given her a strong understanding of the pressures that both sides face in a negotiation.

Prior to joining King & Fisher, Dawn was a solo practitioner following eleven years as a member of Haynes and Boone’s Technology Transactions and Outsourcing Practice Group. She started her law career while in law school as a contract specialist and, after graduation, as an in-house attorney at MCI Telecommunications.

In her free time, Dawn provides pro bono legal services to Dallas Children’s Advocacy Center and Genesis Women’s Shelter. In addition, she serves as a Court Appointed Special Advocate (CASA) and a Guardian Ad Litem in the Dallas County Family courts. Dawn and her husband David, who works in private equity, enjoy golfing, playing tennis and spending time with their three boys. Two of their sons are in college (Texas A&M and Georgia, respectively) and their third son recently graduated from SMU and works as a financial analyst.

Areas of Emphasis

Outsourcing (ITO and BPO)
Technology Transactions
Cloud Computing (SaaS, IaaS, and PaaS)
Licensing
Telecom
Data Privacy and Security

Professional/Civic Activities

State Bar of Texas Computer & Technology Section
Dallas Bar Association
Board Member for Heart House (2007-2010)

Admissions

Texas

Education

J.D., George Mason University, 1995 (Moot Court Board)
B.A., International Relations, College of William and Mary, 1991

Representative Experience

Represent large airline in the negotiation of several major IT agreements:
- HRO with a Fortune 50 IT provider
- Long term Passenger Services System Agreement with a global travel technology company
- Cloud Agreement and IAS Agreements with a Fortune 50 IT provider
Represent multiple energy companies in the negotiation of their ITO and BPO agreements.
Represent prepaid telecom service provider in the development and negotiation of their customer agreements.
Represent large staffing services provider in the negotiation of several ITO and BPO agreements.
Represent large tire distributor in the negotiation of their IT agreements, including a large scale ERP implementation.
Represent a real estate software company in the development of their customer agreements and assist with negotiations.
Represent IT Services Company in the negotiation of several customer agreements.
Represent Staffing Software Company in the negotiation of several customer agreements.
Assist Fortune 50 Company with GDPR compliance issues.