As businesses rapidly outsource their IT functions to the cloud, customers seeking cloud computing or cloud services must understand the risks, especially when sensitive, regulated or confidential data is stored in the cloud. Sensitive data carries business risk and may be subject to a host of legal and regulatory requirements. Cloud service agreements usually are based on the cloud services provider’s standard form agreement. These forms do not typically favor the purchaser and may not align the purchaser’s risks with the provider’s obligations. This can be especially critical when considering indemnification for IP infringement.
Cloud service providers often indemnify companies against IP infringement claims and remedial costs arising from violations of law. While a provider’s boilerplate language may only provide protection against claims of copyright infringement, IP indemnity provisions should cover all potential IP claims. Patent infringement suits are particularly expensive, and increasingly frequent in the cloud context. Likewise, companies should not bear the costs of repairing any violations of the law caused by the provider. Both parties should negotiate and accept financial responsibility for compliance with all applicable laws and regulations.
However, the customer must read the indemnification terms closely, not just for the explicit language in the agreement, but for what the customer is really getting from the cloud services supplier and whether the indemnification terms will be of any help to the customer’s business if sued by a third party. There are benefits and pitfalls in some of the major cloud services agreements. A customer seeking these services should pay close attention to what the agreement does and does not provide.
Indemnification Coverage – What Are The Gaps?
Cloud services providers now often provide indemnification for open source IP lawsuits. As more and more open source software underlies cloud computing services, such as Hadoop and Apache, providers claim to be stepping up to protect customers against lawsuits directed to these technologies.
While this is a step in expanding indemnification, there are some notable exclusions which may not be apparent from a high-level reading of the agreement with the provider. There are some patent risks. The coverage typically completely excludes combination claims where a cloud service is used with customer data or the customer’s applications or third party applications. Therefore, the uncapped indemnification applies only to customers just using the cloud computing platform, where claims against this rarely arise. Any other usage, which is the more common instance that leads to patent infringement claims, such as innovations based on the cloud computing platform or interaction with third party applications, would be excluded from coverage. There are often additional caveats. If there is a claim, the provider will usually seek to obtain the right for the customer to keep using the product, or modify or replace it with a functional equivalent. But, if the provider deems these alternatives commercially unreasonable, the provider can terminate the customer’s right to use the product. This option may not be palatable to cloud subscribers, especially when it could negatively affect downstream customers. It should be noted, this is not new for cloud computing services, as software providers for years took this approach.
Some providers also agree to defend customers against claims and to pay the amount of any resulting adverse final judgment or settlement. But this coverage does not extend to the customer’s own losses, and moreover, typically, the provider requires customers to waive any rights to sue them for these losses. The customer must consider if this is an acceptable risk.
Patent Defense- Does It Help?
Cloud services providers sometimes add terms to their agreements where a customer can get a license to any number of the provider’s patents in defense of a patent infringement lawsuit, ostensibly to deter operating companies from suing their customers for patent infringement.
While this sounds like an advantage for a customer to rely on to avoid or better fight patent infringement lawsuits with a thicket of patents, there are glaring limitations to this benefit. The reality in typical patent infringement cases is that a non-practicing entity – with no ongoing business concerns at risk – would have no fear of a counterclaim of patent infringement based on a provider’s patent. If the customer does not own the patent, which would be the case, the right to assert the provider’s patents by a customer would also be almost non-existent unless the provider granted an exclusive right to these patents to the affected customer. That does not seem likely.
In addition, even if the provider were to provide an exclusive license to its patents, there would be risk that the patents could be invalidated as a standard practice for counterclaimants. The cloud computing provider would likely not want to go down that avenue with its valuable cloud services patent portfolio.
The only likely benefit would be a deterrent effect – if a party asserting patent infringement feared that the provider may take over the defense and prevent a quick settlement by a non-practicing entity.
The “Springing License”
Providers sometimes offer an additional indemnification benefit where they will supply a “springing license” to allow eligible customers to become fully licensed to some of the provider’s patents if the provider transfers those patents to a non-practicing entity. The patent license would “spring” into existence on the event of such a transfer.
Companies rarely transfer patents to non-practicing entities, except in bankruptcy or liquidation proceedings. The provider would not want a non-practicing entity to transfer the patent down the line and have a lawsuit on its hands. Nonetheless, this indemnification term tries to assure customers they will be protected even if a patent were transferred to another party. The same considerations discussed above for patent “defense” apply here as well.
Overall, customers interested in cloud computing services should not assume that the agreement provides a blanket IP insurance or access to any number of patents as a thicket against infringement claims. As with any contract, the devil is in the details.
IP Insurance -What Is It Worth?
As an alternative or augmentation for cloud services customers to better protect themselves against patent infringement suits, they can consider intellectual property insurance. As many companies learn after receiving a demand letter from a patent holder or a complaint of IP infringement, their commercial general liability (CGL) insurance policy typically only provides coverage for certain claims arising from intellectual property-related “advertising injury” – injury arising out of “advertising activities.” If applicable, this may cover claims related to copyrights and trademarks, but very rarely patent infringement.
IP insurance is becoming offered increasingly as a way to obtain coverage not provided by CGL policies. “Defense” coverage covers the costs of a defense of an intellectual property suit (a significant amount, when patent infringement defense expenses through trial often exceed $1 million) and also covers settlements or judgments arising out of the suit (another possibly multi-million dollar exposure). However, these policies typically do not come cheap. Premiums can be high – maybe prohibitively so for small companies and start-ups – and some policies require high deductibles and risk-sharing provisions. “Offense” coverage is also available, for parties who need to obtain funding to go after competitors who they believe are infringing their IP. These are usually not cheap either.
Nonetheless, insurance providers are becoming creative in structuring policies and coverage options that may be palatable to smaller companies. For example, RPX Corporation has achieved success in offering subscriptions to its client that allow the client to obtain licenses to RPX’s portfolio of patents, which it has been growing since its foundation in 2008. While this does not provide the type of insurance coverage many smaller companies need in the wake of an IP infringement claim, RPX’s coverage may fill in the “patent defense” gap discussed above.
Navigating cloud computing agreements to understand their indemnification coverage can be tricky. There may be terms that a customer will not appreciate until a claim is filed against them. Patent insurance may back-stop the customer, but at possibly substantial cost upfront. The cloud computing customer must wear many hats or seek out advisors to ensure it obtains not only the technological solution it wants, but also minimizes the risks from IP exposure.