Omnitrans reported that it “upgraded its legacy Integrated Vehicle Logic Units (IVLU) Mobile Display Terminal (MDT) equipment with the new VI-IVLA and touch MDT as part of a Transitmaster hardware and back office equipment upgrade.”253 However, the Maryland Transit Administration (MTA) emphasized the difficulty of procuring technology projects when new technologies must interface with existing technologies.

The issue becomes particularly difficult when vendors are competitors for both new and existing technology and often make it difficult to work together. This can add significant burden to the agency in either time or money. It can take time to work out contractual relationships that lead to the desired end-product. It can cost significant money if the agency [must] become the integrator for the two technologies, dealing with both vendors and separate contractual arrangements.254

The MTA discussed one of its technology projects for which interfacing with MTA’s existing software products is a requirement. The MTA’s Bus Unified Systems Architecture project involves the procurement of an Intelligent Transportation System (ITS) consisting of on-board hardware and a fixed-end CAD/AVL system. All on-board hardware is to be “unified to a complete package with all interfaces necessary for full operation.”255 The CAD/AVL system is to handle all data-gathering from the on-board hardware and provide a robust reporting mechanism that can be used across multiple departments. The fixed-end software is required to interface with several existing software products that the MTA owns, including fixed-route scheduling software and operational assignment software. Because of bid protests and re-advertising, the MTA said that the project is currently in “active evaluation.”256

VI. TECHNOLOGY CONTRACTING AND CLOUD COMPUTING

A. Cloud Computing as an Alternative Delivery Mode

This report discusses cloud computing and services as a separate topic because “software licensing in the cloud differs from traditional licensing in that the end user is often not the licensee and may not have contractual privity with the licensor.”257 As other commentators explain, “[t]raditional IT outsourcing arrangements typically involve negotiated contracts for narrowly specified data storage and processing facilities and services for set periods of time,” whereas “[c]loud computing tends to be rather different. The quantity of IT resources procured by the customer may fluctuate over time, often rapidly and dynamically in response to demand.”258

As for their use of cloud computing, twenty-four transit agencies responding to the survey stated that they use cloud computing and/or other cloud services.259 Although a typical contract with a cloud service provider (CSP) has been described as an adhesion contract because of most clients’ inability to modify the contract,260 larger organizations, such as transit agencies, may be able to secure more favorable terms and conditions.261

With cloud computing, an end user “is purchasing a service not a software license.”262 Thus, the usual technology agreements may not adequately cover the risks that are present with cloud computing.263 When considering the use of cloud services, among the threshold issues for transit agencies to evaluate are “how the cloud provider determines whether service levels are being achieved…who is responsible for measurement, and…what exceptions apply to service level performance.”264

At the federal level, according to the Congressional Research Service (CRS), since 2009 the government has been shifting its data storage needs to cloud-based services and away from agency-owned, in-house data centers.

This shift is intended to reduce the total investment by the federal government in information technology…, as well as realize other stated advantages of cloud

253 See Appendix C, Omnitrans’s response to question 2.
254 See Appendix C, Maryland Transit Administration’s response to question 2.
255 See id.
256 See id.
257 Ward Classen, A Practical Guide to Software Licensing for Licensees and Licensors, at 269 (ABA 5th ed. 2011), hereinafter referred to as “Classen 5th ed.”
258 Simon Bradshaw, Christopher Millard, & Ian Walden, Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services, 19 Int. J. Law Info. Tech. 187 (2011), text at notes 4–5, hereinafter referred to as “Bradshaw, Millard, & Walden.”
259 See Appendix C, transit agencies’ responses to question 13. Eighteen agencies said that they do not use cloud computing. Id.
260 Carlos A. Rohrmann & Juliana Falci Sousa Rocha Cunha, Some Legal Aspects of Cloud Computing Contracts, 10 J. Int’l Comm. L. & Tech. 37, 41 (2015), hereinafter referred to as “Rohrmann.”
261 Id.
262 Classen 5th ed., supra note 257, at 275.
263 Andrew Geyer & Melinda McLellan, Strategies for Evaluating Cloud Computing Agreements, 3 Bloomberg Law Reports No. 13, at 1 (unnumbered) (2011), hereinafter referred to as “Bloomberg,” https://www.hunton.com/files/Publication/662c62d8-9bb3-4b7d-b3ff-c878cd4b0ab7/Presentation/PublicationAttachment/d87ebda3-053a-4c23-b320-b999b7595738/Strategies_for_Evaluating_Cloud_Computing_Agreements.pdf (last accessed Feb. 24, 2017).
264 Id.
adoption: efficiency, accessibility, collaboration, rapidity of innovation, reliability, and security.265

However, there are challenges as agencies transition to cloud computing and services; for example, some agency chief information officers (CIOs) have stated that in spite of the stated security advantages of cloud computing, they are, in fact, concerned about moving their data from their data centers, which they manage and control, to outsourced cloud services. This and other concerns must be addressed to build an agency culture that trusts the cloud.266

The CRS report discusses security concerns and solutions from the perspective of a government agency when contracting for and using cloud computing.267 In contrast to the CRS report, another report foresees a rapid shift at the state level to the cloud.268 In fact, there are already some state statutes on cloud computing.269 In Illinois, all state agencies must “evaluate safe, secure cloud computing options, before making any new information technology or telecommunications investments, and, if feasible, adopt appropriate cloud computing solutions,” as well as re-evaluate an agency’s “technology sourcing strategy to include consideration and use of cloud computing solutions as part of the budget process.”270

In New Jersey, the Big Data Alliance (BDA) is designated as the state’s “advanced cyberinfrastructure consortium.” BDA’s mission is to encourage state government to address in a strategic and coordinated manner the challenges posed by a deluge of digital data, including “developing a shared data cloud that integrates data infrastructure, hosted data, and data analytics.”271 A Texas statute directs state agencies to consider cloud computing service options when purchasing “major information resources” but to ensure that projects using cloud computing services satisfy state standards for cybersecurity.272

Individuals responsible for procurements and contracts for cloud computing should consider private, public, and hybrid cloud computing and the services provided,273 include contractual provisions that identify an agency’s objectives, and detail the service model, such as Infrastructure as a Service (IaaS) or Software as a Service (SaaS).274 A typical CSP contract or subscription agreement may include or be accompanied by a service level agreement.275

As an alternative delivery mode, cloud computing “raise[s] many of the same issues involved in software licensing, while at the same time creating issues unique to the respective delivery model.”276 Because cloud computing provides a “continuum of services” that businesses may access as needed, there are efficiencies and cost savings, because an end user pays only for “actual consumption.”277 Although the use of a private cloud is more expensive, an end user has more control of its data and greater security by using a private cloud.278

B. Risks to Address by Contract and Other Factors to Investigate

Privacy and security issues are implicated in cloud computing because in the course of a day, the data may reside “all around the globe.”279 A client’s data “may be transferred at any time to another data center for performance reasons,” transfers that a CSP may not report.280 In such instances, data may become subject to different laws while in transit or when located at different data centers.281 There is also a risk that data will be exposed to third parties while in transit.282 A transit agency considering using a CSP should ascertain whether under the parties’ agreement and/or under the law applicable to the agreement, the transit agency would have a claim for damages against the CSP for loss or destruction of the agency’s data.283

The possible loss of full ownership rights and/or access to data has important ramifications for

265 Patricia Moloney Figliola & Eric A. Fischer, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, Congressional Research Service, at 1 (Jan. 20, 2015), http://www.fas.org/sgp/crs/misc/R42887.pdf (last accessed Feb. 24, 2017).
266 Id.
267 Id. at 14–15.
268 Steve Towns, State CIOs See Rapid Shift to the Cloud, Government Tech, (May 2, 2015), http://www.govtech.com/computing/State-CIOs-See-Huge-Shift-to-the-Cloud.html (last accessed Feb. 24, 2017).
269 There are state statutes also on cloud computing and student information. Idaho Code Ann. § 33-133 (2016); Ky. Rev. Stat. Ann. § 365.734 (2016); N.H. Rev. Stat. Ann. § 189:68a (2016), and R.I. Gen. Laws § 16-104-1 (2016).
270 20 ILCS 45/15(g) (2016).
271 N.J. Stat. Ann. § 52:17C-3.4(a)(6) (2016).
272 Tex. Gov’t Code Ann. §§ 2157.007(a)–(d) (2016).
273 Rohrmann, supra note 259, at 42.
274 Id. at 41.
275 T. Noble Foster, Navigating Through the Fog of Cloud Computing Contracts, 30 J. Marshall J. Info. Tech. & Privacy L. 13, 19 (2013), hereinafter referred to as “Foster.” See also, Rohrmann, supra note 259, at 39–41.
276 Classen 5th ed., supra note 257, at 265.
277 Id. at 266.
278 Id. at 267.
279 Id. at 269.
280 Foster, supra note 275, at 23 (emphasis in original).
281 Id. at 25.
282 See id.
283 See id. at 23–24.
litigation.284 Information that is retrievable on demand by a CSP client is considered to be within the client’s control for purposes of discovery.285 According to one source, a CSP could refuse to allow sufficient access to enable a client to comply with its e-discovery obligations.286 Because a CSP could be subpoenaed for the same data,287 a CSP contract should require that a CSP notify a transit agency of a subpoena before the CSP discloses any data.288

C. Negotiating the Terms of a CSP Contract

Scholars have analyzed the terms and conditions used by CSPs and have determined that the issues that providers and users mostly tend to negotiate are as follows:

1. Exclusion or limitation of liability and remedies, particularly regarding data integrity and disaster recovery;
2. Service levels, including availability;
3. Security and privacy…;
4. Lock-in and exit, including term, termination rights, and return of data on exit;
5. Providers’ ability to change service features unilaterally; and
6. IP rights.289

For several reasons, however, users generally are not successful in obtaining more favorable terms, because CSP contracts tend to be “designed for high-volume, low-cost, standard, commoditized services on shared multi-tenant infrastructure.”290 However, when users have more leverage or relative bargaining power, “large providers have departed from their standard terms to secure deals they perceive to be sufficiently worthwhile in terms of financial, strategic or reputational ‘trophy’ value.”291 Not only may government bodies and financial institutions have more purchasing power, but also “their internal procedures may make it difficult and time-consuming to contract on terms other than their own….”292 It should be noted that there are resellers or outsourcers, referred to collectively as integrators, that contract with both providers and end users and that may be “better able than end users to negotiate improved terms with providers” and “prepared to give more contractual assurances than providers.”293

D. Checklist of Provisions for a Cloud Computing Contract

A CSP contract should address access, confidentiality, hosting, privacy, and security as issues of utmost importance. It is recommended that a transit agency conduct “detailed due diligence” before executing an agreement and using a CSP’s services.294 A transit agency will want any agreement to protect the confidentiality of data and make adequate provisions for the return or other disposition of data at the end of the contract.295 To the extent possible, transit agencies should ascertain the jurisdictions where data will reside and locations through which data will pass.296

A transit agency’s contract with a CSP should state clearly that a transit agency holds “all right, title, and interest in its data at all times,”297 including while in transit,298 as well as stipulate that a CSP does not hold any property rights in an agency’s data.299 The contract should state which jurisdiction’s law governs the parties’ agreement, in part because a CSP may have or use physical sites in different states or countries.300

A transit agency should have contractual rights both to audit a CSP’s facilities and operations301 and to request reports from a third party on a CSP’s data

284 Kenneth N. Rashbaum, Bennett B. Borden, & Theresa H. Beaumont, Outrun the Lions: A Practical Framework for Analysis of Legal Issues in the Evolution of Cloud Computing, 12 Ave Maria L. Rev. 71, 83 (2014), hereinafter referred to as “Rashbaum, Borden, & Beaumont” (stating that the “[l]ocation of data stored in the Cloud can raise thorny jurisdictional issues” and that “[i]n the Cloud environment, even determining where data is located may be complex”).
285 Id. at 86–87.
286 Id. at 83.
287 Id. at 85–86. See also, Josiah Dykstra & Damien Riehl, Forensic Collection of Electronic Evidence from Infrastructure-as-a-Service Cloud Computing, 19 Rich. J.L. & Tech. 1 (2012) and Joshua Gruenspecht, Reasonable Grand Jury Subpoenas: Asking for Information in the Age of Big Data, 24 Harv. J.L. & Tech. 543 (2011).
288 Bloomberg, supra note 263, at 2.
289 W. Kuan Hon, Christopher Millard, & Ian Walden, Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now, 16 Stan. Tech. L. Rev. 79, 81, 83 (2012), hereinafter referred to as “Hon, Millard, & Walden.” See also, Bradshaw, Millard, & Walden, supra note 258, text at note 2 (also stating, based on a study of European providers of cloud services, that “[i]n the case of large commercial or Government cloud contracts, such [terms and conditions] are likely to be negotiated and tailored to fit the specific requirements of the customer”).
290 Hon, Millard, & Walden, supra note 289, at 85.
291 Id. at 90, 91.
292 Id. at 91.
293 Id. at 92.
294 Classen 5th ed., supra note 257, at 283.
295 Bradshaw, Millard, & Walden, supra note 258, at 207.
296 Rashbaum, Borden, & Beaumont, supra note 284, at 81.
297 Foster, supra note 275, at 25.
298 Dep’t of Defense, Best Practice for Negotiating Cloud-Based Software Contracts, at 10 (2015), hereinafter referred to as “Dep’t of Defense,” http://www.esi.mil/contentview.aspx?id=549 (last accessed Feb. 24, 2017).
299 Id.
300 Rohrmann, supra note 260, at 43.
301 Dep’t of Defense, supra note 298, at 10.
security.302 If an audit discloses flaws that are not corrected timely to a transit agency’s satisfaction, the agreement should give a transit agency the right to terminate the contract.303 The agreement should include provisions to mitigate the risk of a data breach, for example, by providing that data may not be shared with third parties or subsidiaries without a transit agency’s prior written consent.304 An agreement should provide for the protection of a transit agency’s data305 and for the backing-up and recovery of data.306 A transit agency’s agreement should specify required standards of performance and promised level of service by the CSP, that a CSP will comply with applicable laws on data security and notification of a data breach, and that a CSP will install the necessary and appropriate measures to prevent intrusions and viruses.307

If a CSP agreement allows a CSP to use data for certain purposes, a transit agency should consider whether the use or uses are acceptable to the agency and/or its patrons.308 As noted in part V.A with respect to contracts with vendors, a CSP contract should state whether a provider is entitled to retain and market a transit agency’s data after contract termination.

An agreement should require a CSP to identify its employees, agents, contractors and/or subcontractors who may have access to a transit agency’s data. A CSP agreement and/or a separate confidentiality agreement should obligate the CSP’s employees, agents, contractors and/or subcontractors to protect the confidentiality of a transit agency’s data.309

A transit agency may want data to be stored in multiple locations.310 A CSP contract should provide for the preservation of a transit agency’s data or the return of data to the agency when requested, specify who is responsible for deleting data, and provide for an audit to verify the deletion of data.311 A transit agency may want a provision that permits the agency to terminate an agreement if a CSP changes the “features and functionality” of its services.312

Because a CSP could delete a transit agency’s data on the termination of a contract, an agreement should require that on termination, the CSP will protect the data and further authorize a transit agency to retrieve or transfer its data.313 For example, an agreement could provide for the return or destruction of a transit agency’s data as follows:

At any time during the term of this Agreement at the [Transit Agency’s written] request or upon the termination or expiration of this Agreement for any reason, the Service Provider shall, and shall instruct all Authorized Persons to, promptly return to the [Transit Agency] all copies, whether in written, electronic or other form or media, of [Data] in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to the [Transit Agency] that such [Data] have been returned to the [Transit Agency] or disposed of securely. Service Provider shall comply with all [reasonable] directions provided by the [Transit Agency] with respect to the return or disposal of [Data].314

It is recommended that a CSP contract include termination assistance services,315 meaning that a CSP must “continue performing its services for a specified period…[and] assist with the orderly transition either back to the customer or to a new vendor.”316

As for other provisions, a CSP contract may credit an agency for a loss of service.317 A contract may include an acceptable use provision to restrict how a transit agency may use the service.318 Although an acceptable use provision usually prohibits the use of the system for unlawful acts, some CSP contracts reportedly prohibit other uses.319 However, a CSP may want to be indemnified for any claim caused by a transit agency’s use of the CSP’s services.320

To protect the confidentiality of a transit agency’s data, an agreement should state that there will be no monitoring of a transit agency’s activity.321 Some CSPs, however, may want to monitor activity to enforce a contractual provision governing what are acceptable uses of its services.322

E. Liability Issues and Indemnification

Scholars have found that the most difficult issue to negotiate for CSP contracts concerns a CSP’s liability.

302 Id.
303 Rohrmann, supra note 260, at 44.
304 Foster, supra note 275, at 25.
305 Rohrmann, supra note 260, at 44.
306 Dep’t of Defense, supra note 298, at 11.
307 Bloomberg, supra note 263, at 3.
308 Id. at 2.
309 Rohrmann, supra note 260, at 42–43.
310 Id. at 42.
311 Id.
312 Bloomberg, supra note 263, at 3.
313 Bradshaw, Millard, & Walden, supra note 258, at 204.
314 See Dana B. Rosenfeld & Alysa Zeltzer Hutnik, Data Security Contract Clauses for Service Provider Arrangements (Pro-customer), at 15 (2011), The International Association of Privacy Professionals, https://iapp.org/media/pdf/resource_center/Rosenfeld_Hutnik_Contract-clauses_Service-provider.pdf (last accessed Feb. 24, 2017).
315 Bloomberg, supra note 263, at 3.
316 Id.
317 Bradshaw, Millard, & Walden, supra note 274, at 213–14.
318 Id. at 200–01.
319 Id.
320 Id.
321 Id. at 207.
322 Id. at 208.