Can't We All Agree? Clickwrap Agreements

Can’t We All Agree? A Solution for Software Clickwrap Agreements. Bill Coker, Manager of Software Licensing Management, Office of Information Technology, North Carolina State University, [email protected]


Post on 30-Jun-2015


DESCRIPTION

Presentation at UNC CAUSE 2013. Bill Coker, North Carolina State University

TRANSCRIPT

Page 1: Can't We All Agree?  Clickwrap Agreements

Can’t We All Agree? A Solution for Software Clickwrap Agreements

Bill Coker, Manager of Software Licensing Management

Office of Information Technology, North Carolina State University

[email protected]

Page 2: Can't We All Agree?  Clickwrap Agreements

What is a Clickwrap Agreement?

A clickwrap agreement is a type of contract that is widely used with software licenses and online transactions in which a user must agree to the terms and conditions prior to using the product or service by clicking an “I Agree” or “I Accept” button.

Page 3: Can't We All Agree?  Clickwrap Agreements

Clickwrap Agreement Challenges

Clickwraps are becoming more prevalent in IT

Clickwrap agreements are typically non-negotiable

Clickwraps create logistical difficulties and approval issues for the Office of General Counsel and Purchasing

Many users click “I Agree” without reading the terms or having the authority to bind the university

Page 4: Can't We All Agree?  Clickwrap Agreements

Clickwrap Agreement Strategy

Implement an efficient process for reviewing and approving clickwraps

Create a delegation of authority to approve clickwrap agreements

Educate campus

Page 5: Can't We All Agree?  Clickwrap Agreements

A Clickwrap Awakening: iOS Developer Agreement

Apple required an iOS developer to bind the university to the agreement

Terms of agreement violated State law

Apple would not negotiate terms

Page 6: Can't We All Agree?  Clickwrap Agreements

A Clickwrap Awakening: iOS Developer Agreement

Written justification showing low risk for each issue

Approvals by Office of General Counsel, Trademarks & Licensing, and Regulatory Compliance

CIO did not have signature authority

Page 7: Can't We All Agree?  Clickwrap Agreements

I’m Glad That’s Over

“I never want to go through this process again”

“Hopefully we won’t have any other clickwrap agreements”

“Surely no enterprise solutions will employ clickwraps”

Page 8: Can't We All Agree?  Clickwrap Agreements

Another Clickwrap Awakening: Google Consumer Apps Pilot

Campus wants Google Consumer Apps (Blogger, Maps, Picasa, YouTube, etc.)

Using personal accounts instead of NCSU.EDU accounts

Clickwrap agreement for the Google Apps Trusted Tester Agreement

Every user on campus will be required by Google to click “I Agree”

Page 9: Can't We All Agree?  Clickwrap Agreements

Looking for a Clickwrap Solution

UNC Greensboro was ahead of the curve: http://www.uncg.edu/ucn/clickwraps/approved_clickwraps.html

Google Consumer Apps approved by UNC-G’s Chancellor

Could not find solutions at other universities

Page 10: Can't We All Agree?  Clickwrap Agreements

NCSU’s Approach

On-going meetings with:

Office of General Counsel

Security Standards and Compliance

Outreach, Consulting and Communications

Software Licensing Management

Reviewed terms for desired Google Consumer Apps

Page 11: Can't We All Agree?  Clickwrap Agreements

NCSU’s Approach

Separated Consumer Apps into Four Tiers

Tier 1: Alerts, Feed Burner, Reader

Tier 2: Maps, Map Maker, Picasa, YouTube, Blogger, Google+, Places

Tier 3: Takeout, News, Moderator, Public Groups, Voice

Tier 4: Analytics, Chrome Web Store, Google Chrome Sync

Page 12: Can't We All Agree?  Clickwrap Agreements

Acceptance of Terms

RISK: Any use of these services constitutes acceptance of the Google Terms of Service

RESPONSE: These products are not made available to NCSU users until they are activated by the NCSU Google administrator. No user can accept the terms until all terms are vetted by the university.

Page 13: Can't We All Agree?  Clickwrap Agreements

Ensuring Compliance of Terms

RISK: NCSU is responsible for ensuring End Users comply with the applicable Google terms of service for each of the Google Consumer Apps used.

RESPONSE: Students are bound by NCSU Policy 11.35.01 – Code of Student Conduct and Employees are bound by the various Policies, Regulations and Rules

Page 14: Can't We All Agree?  Clickwrap Agreements

Stapler Principle

A stapler is safe only when it is used as a stapler, not as a weapon.

Page 15: Can't We All Agree?  Clickwrap Agreements

Hold Harmless and Indemnify

RISK: Requires the University to hold harmless and indemnify Google if the Service is being used on behalf of the University.

RESPONSE: Because the university will effectively enforce compliance from students and employees using the Code of Conduct and Policy, Regulations and Rules, the university should assume minimal risk by indemnifying Google.

Page 16: Can't We All Agree?  Clickwrap Agreements

Ensuring Compliance with Federal Law

RISK: NCSU agrees that it is solely responsible for compliance with all laws and regulations that apply to these Services, including FERPA

RESPONSE: A FERPA Modular Course Consent and Waiver Form has been created that allows faculty members to customize the consent form to be applicable to the course requirements.

Page 17: Can't We All Agree?  Clickwrap Agreements

Consent and Waiver Form

Modified form used by DELTA

Allows faculty to customize form based on Google Apps used and the assignment

Page 18: Can't We All Agree?  Clickwrap Agreements

Other Risks Identified

Limitation of Liability

Governing Law

Storing data outside of the US

Google creates derivative works

Page 19: Can't We All Agree?  Clickwrap Agreements

Risk Assessment Matrix

Page 20: Can't We All Agree?  Clickwrap Agreements

Risk Assessment Summary

Using the Risk Assessment Matrix:

Identified the Probability and Impact for each known risk

Assigned a Risk Level and Risk Assessment Level

Summarized the Findings

Page 21: Can't We All Agree?  Clickwrap Agreements

Risk Assessment Summary

Page 22: Can't We All Agree?  Clickwrap Agreements

Google Apps Use Cases & Risks: “Stapler Principle”

Working with faculty who use personal Google Apps as part of their instruction:

Identified what products are being used

How the products are being used

Identified the Probability and Impact for each known risk

Assigned a Risk Level and Risk Assessment Level

Summarized the Findings

Page 23: Can't We All Agree?  Clickwrap Agreements

Use Cases & Risks Summary

Page 24: Can't We All Agree?  Clickwrap Agreements

Results

CIO provided limited signature authority and delegation authority

Google Apps Trusted Tester Agreement was completed

NCSU was able to approve Tiers 1 & 2 of the Google Consumer Apps

Google Apps made available to campus

We began working on Tiers 3 & 4

Page 25: Can't We All Agree?  Clickwrap Agreements

Moving the Process Forward

Began discussions to apply the process to other clickwrap agreements

Created new issues since software and agreements vary so much

Page 26: Can't We All Agree?  Clickwrap Agreements

Other Clickwrap Agreements

Identified common risks found in general clickwrap agreements

Secure systems will utilize the software, possibly placing secure data at risk

Risk of university data exposure

Includes broad audit rights, permitting the vendor almost unlimited access to NCSU’s facilities, records, and systems

Contains expansive "feedback" and similar clauses that could result in the licensor gaining ownership of intellectual property or data

Contains confidentiality or non-disclosure clauses

Page 27: Can't We All Agree?  Clickwrap Agreements

Other Clickwrap Agreements

Identified common risks found in general clickwrap agreements

Requires the University to "hold harmless" or "save harmless" or "indemnify" the vendor

Limitation of liability for vendor

No limitation of liability for University

Potential litigation outside of North Carolina

Little to no warranty. Software is provided entirely "as-is"

The software is not widely distributed nor well established in the community

Page 28: Can't We All Agree?  Clickwrap Agreements

Other Clickwrap Agreements

Identified common risks found in general clickwrap agreements

Requires all disputes to be submitted to binding arbitration

Permits vendor's agents, contractors and licensors (third parties) to have audit rights

No protection if University is sued for third-party intellectual property infringement

Requires University to reimburse the vendor for all attorney fees and costs

Violates other State laws not already identified

Page 29: Can't We All Agree?  Clickwrap Agreements

The Solution

Identified risks were categorized into three categories

Category 1: Common Problematic Clauses

Category 2: Unique/Challenging Problematic Clauses

Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product

Page 30: Can't We All Agree?  Clickwrap Agreements

Category 1: Common Problematic Clauses

Limitation of Vendor’s Liability

Indemnification and “Hold Harmless” Clauses

Governing Law

Binding Arbitration

Requirements to reimburse vendor for attorney fees

Page 31: Can't We All Agree?  Clickwrap Agreements

Category 1: Common Problematic Clauses

Clauses are permitted

Office of General Counsel is constrained from “approving” the clauses by the letter of the law

However, they are prepared to defend a business decision to accept these clauses

This business decision is consistent with the actions of many existing users in State government and other schools

The benefits outweigh the risks associated

Page 32: Can't We All Agree?  Clickwrap Agreements

Category 2: Unique/Challenging Problematic Clauses

Broad Audit Rights permitting vendor almost unlimited access to NCSU’s facilities, records and systems

Grants audit rights over NCSU to vendor’s agents, contractors and third parties

Clauses that could result in the licensor gaining ownership of intellectual property or data

Confidentiality or non-disclosure clauses

Clauses permitting storage of NCSU data outside the US

Page 33: Can't We All Agree?  Clickwrap Agreements

Category 2: Unique/Challenging Problematic Clauses

• Clauses are not to be permitted without review

• Clauses must be evaluated jointly by the Office of General Counsel and the Office of Information Technology on a case-by-case basis

• A risk assessment using the Risk Matrix must be completed

• If approved, strategies must be determined to reduce risk (educating end-users)

Page 34: Can't We All Agree?  Clickwrap Agreements

Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product

• NCSU’s secure systems will utilize the product, possibly placing secure data at risk

• Use of product may create risk of NCSU data exposure

• Clauses restricting NCSU’s use of the product

• Agreement contains little to no warranty – provided “as-is”

• Product is not widely distributed nor well established in the community

Page 35: Can't We All Agree?  Clickwrap Agreements

Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product

• Issues are typically the result of misuse or misconduct (the Stapler Principle)

• Student consent should be obtained using the Consent and Waiver Form when the use of the software raises FERPA concerns

Page 36: Can't We All Agree?  Clickwrap Agreements

Category 3: Risks arising from the Product Itself and/or End-User Conduct or Misconduct Involving the Product

• NCSU can treat its risks by restricting or eliminating access to users who violate computer use policy

• Behavior violating NCSU policies, state or federal laws can be addressed under existing student, staff and faculty processes dealing with misconduct

Page 37: Can't We All Agree?  Clickwrap Agreements

Communication

• Communicated the clickwrap process to leadership for feedback and approval

• Office of General Counsel

• Purchasing

• Campus IT Governance committees

• College IT Directors

• Office of Information Technology

Page 38: Can't We All Agree?  Clickwrap Agreements

The Final Process

• Software Licensing Management, with the help of the Software Manager in the Colleges of Engineering, began reviewing clickwrap agreements

• All issues are identified as Category 1, 2 or 3

• All clickwraps, issues and categories are entered into a master spreadsheet

• A risk assessment is conducted for Category 2 issues (probability/impact) and sent to the Office of General Counsel for review

Page 39: Can't We All Agree?  Clickwrap Agreements

The Result

• When completed, clickwrap agreements are listed on the Software@NC State web site

• http://software.ncsu.edu/clickwraps

• Clickwraps are listed with the following statuses:

• Approved

• Conditionally Approved

• Denied

• Pending

Page 40: Can't We All Agree?  Clickwrap Agreements

Be Aware

• We cannot review every clickwrap

• Mobile device apps (iTunes, Google Play, etc.)

• Device drivers

• Not all open source licenses should be approved

• Patent violations

Page 41: Can't We All Agree?  Clickwrap Agreements

Be Aware

• Some free software has restrictions that prevent use on some campuses

• Overall budget

• Non-commercial home-use only

• Not all software has a clickwrap agreement

• Some software states agreement by downloading or installing

Page 42: Can't We All Agree?  Clickwrap Agreements

The Response

• Campus has embraced the new process and has submitted new clickwraps for review

• In the first three months, the clickwrap list grew from approximately 100 clickwraps to more than 350

Page 43: Can't We All Agree?  Clickwrap Agreements

Maintenance

• Every six months, the dates and versions of clickwrap agreements are reviewed to determine if there have been updates

• Updated agreements are reviewed

• New clickwraps are added when submitted

• Outdated clickwraps and retired software are removed

Page 44: Can't We All Agree?  Clickwrap Agreements

Questions?

Can’t We All Agree?

Bill Coker, North Carolina State University

[email protected]