Sunday, August 26, 2012

A Few Big Picture Thoughts on the Apple/Samsung Trial

As the world now knows, a jury in San Jose delivered Apple a rapid slam dunk verdict over its business rival (and partner), Samsung.

Tremendous analysis exploring all facets of the case has surfaced online, and I won't attempt to contribute to the detailed reporting undertaken by smart devoted followers of disparate areas such as law, technology and business. Personally, it was amazing consuming the wide-ranging resources covering the trial, and I can't recall a time with greater access to material.

That said, here are several big picture thoughts:

First, Apple is a company operating (at what seems to be) near the pinnacle of its ability from an intellectual property, innovation and operational perspective, building on the work of its legendary founder Steve Jobs. That is to say, Apple does not bring high-stakes litigation to trial, send it to a jury and come up on the short end. I do not see any reason to predict a discontinuation of this trend and expect Apple to continue to aggressively enforce its IP portfolio.

Second, and more important, the legal battle for control of the smart phone/mobile computing market between Apple and Samsung, culminating in last week's jury decision, has shone a much-needed spotlight on the current intellectual property/patent protection legal regime in the United States.

What made Apple's victory so (potentially) powerful is that not only were certain of its utility patents found to be infringed, but the jury also concluded Samsung violated the iPhone's (but not iPad's) design patents. Design patents protect the "look and feel" of the product, as opposed to specific software functionality.



(A brief US Patent & Trademark Office guide on the difference between utility and design patents, for those interested)

While many have criticized the jury for reaching a decision on such a complex matter in less than 3 days, it strikes me that their conclusion is a serious and fair one that upholds the current state of US law. The duty of a jury is to dispassionately apply the law as it exists to the facts of the case; in that context one can understand how the jury readily concluded that Samsung copied Apple's features and/or design. After all, Apple is the clear market leader and innovator, and US law allows for broad sweeping patent rights.

Stepping back, one has to acknowledge that there is a very real dissatisfaction with the current state of patent law. Detractors argue that patent applications are backed up, patent trolls clog the courts with frivolous claims, and innovation is stifled by the duration and scope of patent rights.

It would not surprise me to see opportunistic politicians leveraging the high-profile nature of the Apple verdict to push for patent reform. After all, when the judiciary continues to produce (arguably) unsatisfactory but correct results applying current law, the legislative branch has every right to step in and change the rules of the game.

Saturday, August 4, 2012

FOUNDER POWER: CLOUD = STEROIDS FOR FOUNDER CONTROL

Part of what I hope to accomplish in writing this Blog is to peel back the esoteric layers of the "Cloud" and distill reality from hype, facts from vagueness, and principles from chaos.

To that end, until proven otherwise, one concrete example of how I think the Cloud has and will continue to change the world is its ability to enable greater Founder control of companies.

Yes, I'm attempting to use a catchy title to draw in readers, but the metaphor remains true. I'll explain...


Particularly for consumer-focused internet technologies, like Instagram, DropBox, Tumblr and Yammer to name a few, the product can be scoped, built and in the market rapidly, at far lesser financial cost than was the case even 5 years ago, let alone a decade or more.

The single greatest economic factor driving down costs for early stage software companies is Cloud technology and the wide-spread availability of on-demand computing resources, including database storage/hosting, computing power, security tools and much more.

Moreover, the pricing model for cloud infrastructure services allows companies to pay for only what they actually consume, and the technology allows for rapid scaling up or down to meet network demands. No more building software for large-scale use to accommodate peak-demand, only to watch computing resources lying dormant during non-peak periods.

Whereas once software companies had to invest millions of dollars buying computer hardware and other infrastructure equipment, now they can rent this by the hour from mega Cloud providers like Amazon Web Services.

That fundamental dynamic has shifted the relationship between software Founders and their investors. Because an internet-delivered software product can be built and delivered without an initial capital expenditure of millions of dollars for computing equipment, Founders no longer must raise great sums of money during initial product development, launch and early iterations; put plainly, early on Founders can keep much more of the equity in the company for themselves and delay bringing in large-scale institutional money, which would require shareholder dilution and Founder relinquishment of control over time.

By the time larger moneyed parties are now brought in, Founders have a real product with demonstrated value, so their money buys much less of a percentage of the company's shares. Consequently, Founders of SaaS companies can hold onto a percentage ownership of the Company that allows them to control core business decisions and its overall direction.

Founders tend to have longer-term, albeit more emotional, perspectives, which fosters large-scale innovation. This trend is only beginning to play out, and I believe will have a long term impact on the global technology economy.

Yes, this analysis is a bit of an oversimplification, but the fundamental principles hold true. So get used to your Founders sticking around a while.


Tuesday, July 31, 2012

A VERY EUROPEAN EMBRACE OF CLOUD COMPUTING


Several weeks ago the European Commission’s panel on privacy, commonly known as the Article 29 Working Party, provided long-awaited clarity (in the form of an “Opinion”) on whether and how European governments and private enterprise can utilize cloud computing technology in their operations, including processing personal information and other protected data.

Cloud computing is a broad term that varies in context and has been subject to hype, but generally refers to technologies and service models allowing the sharing of on-demand scalable computer resources over the internet, including software programs, computer storage space and elastic computing power. Implementing IaaS systems has allowed companies and governments to significantly reduce capital expenditures by eliminating the need for purchase and maintenance of computer infrastructure equipment. Cloud services also allow for rapid remote deployment of software and network solutions. Importantly, cloud services also enable organizations to decrease reliance on developing sophisticated in-house IT staff since major cloud providers have trained experts monitoring the computing environment.

But, because cloud computing leverages the internet and computing resources in geographically disparate locations, the technologies present serious privacy and data security risks. In addressing this fundamental concern the Opinion indicates that the principal risks are a potential lack of control over data and limited transparency into its processing. A cloud provider’s infrastructure can seem opaque and lacking information ensuring the “availability, integrity, confidentiality, transparency, isolation, intervenability and portability of the data”. Additionally, due to the collaborative nature of cloud computing, customers may not be aware of subcontractors in the supply chain handling their data. With due respect to the data security risk, many observers consider this to be the great triumph of cloud computing – that is, that it simply “works” without its users having to worry about the back-end.

Europe’s framework of strong privacy protections has caused the adoption of cloud computing to move slower than in the United States, as the Continent grapples with how to implement the new technologies within existing legal frameworks. For example, public cloud providers extract fantastic benefits in seamlessly shifting data across a network of computers temporarily housing it in data centers (perhaps) around the globe, necessitating limited transparency on data segregation and other technical logistical details.

However, the economic benefits and technological possibilities associated with cloud computing are undeniable, and its wide-spread proliferation seems more inevitable with each passing week. As government and business seek to run leaner more efficient operations in the 21st century global marketplace, they have no choice but to consider the economic benefits of shared-resource computing. In that context, the Opinion attempts to provide practical guidance to European governments and businesses, and cloud providers wishing to infiltrate the European market, on how the parties can evaluate, contract for and utilize cloud computing services while remaining compliant with data protection obligations.

A key conclusion of the Opinion is that organizations seeking to deploy cloud technologies leveraging utility computing must conduct thorough technological compliance-focused due diligence. They must also draft and negotiate robust legal agreements with appropriate contractual safeguards in order to satisfy legal requirements espoused under the Opinion. Additionally, and perhaps controversially, the Opinion notes that users “should select cloud providers that guarantee compliance with EU data protection legislation”; compliance with that representation may be cumbersome, costly and akin to hitting a moving target.

One possible change in legal analysis arising from the Opinion is the inability of companies to rely solely on the EU Data Protection Safe Harbor in exporting data outside Europe. The Opinion states “[i]n the view of the working party, sole self-certification with safe harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment… In terms of data security, cloud computing raises several cloud-specific security risks, such as loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures, which are not sufficiently addressed by the existing safe harbor principles on data security.”

The Opinion requires that if an organization desires to procure cloud services a formal contract be in place between it and the cloud provider. The contract must set forth a number of specific required protections. Although the Opinion misses certain contractual protections typically included in enterprise cloud computing contracts, some of the more significant provisions suggested in the Opinion address that:

· A scope of services must be specified and uptime/service levels guaranteed, all depending on the nature of the service and whether it performs a critical business function;

· The customer makes all decisions as to processing of data;

· Specification of information security architecture, infrastructure and protocols achieving the goals of transparency, isolation, intervenability, accountability and portability must be included;

· Cloud provider must log its data process operations, and customer must have the right to audit such processing operations, or receive third party audits and certifications;

· Specification for conditions of returning and/or destroying data must be noted;

· Geographical location of all data center processing data must be noted;

· All subcontractors processing data must be identified and held to the same data protection standards;

· Appropriate confidentiality obligations must be drafted, including that only cloud provider employees with a need-to-know will have access to customer data;

· Obligation of cloud provider to facilitate access to, correction of or deletion of an individual’s personal data must be affirmed;

· Clarification of responsibilities of cloud provider to notify customer in event of a data breach impacting customer data must be set forth with specificity;

· Customer must have right to monitor and/or audit the cloud provider’s performance of its obligations;

· Cloud provider must notify customer of all legally binding requests for disclosure of personal data by law enforcement or other government representatives;

· Cloud provider must agree to export data to customer upon termination and/or otherwise help in portation/transition.

Though the Opinion is nonbinding, it is likely to influence parliaments and boardrooms around Europe in moving organizations towards adoption of cloud computing, despite the practical challenge of implementing Europe’s legal requirements. Because the technology underlying cloud computing changes at such a rapid pace, compliance with the Opinion’s obligations cannot be understood as a one-time endeavor; rather, government and enterprise must maintain a dogged focus on constructing an appropriate security environment, and also on understanding the data security practices of their cloud computing providers.

Significant risk exists that the cost of regular third party security audits and of complying with other EU legal requirements will diminish the economic benefits of cloud computing. Notwithstanding the skepticism, all stakeholders are incentivized to continue to fashion an agreeable, workable framework for the continued expansion of cloud computing technologies in Europe, particularly as the Continent attempts to reduce expenditures and shape globally competitive economies. Major international corporations and the United States government, among other examples of high-risk sophisticated organizations, have already begun utilizing cloud computing in their business operations, in large part undertaking duties outlined by the European Commission in its Opinion.

Sunday, July 29, 2012

5 KEY ISSUES IN CLOUD COMPUTING CONTRACTS

Defining the Scope of Cloud Services 

This statement may seem so obvious that it wastes precious reader attention, but I will make it nonetheless: SaaS (software-as-a-service) and IaaS (infrastructure-as-a-service) relationships require thinking through different technological, business and legal issues.

Purchasers of SaaS will want to ensure their contracts include detailed documentation on software functionality (a feature matrix is quite useful); scheduling software functionality can have a direct impact on your wallet (vendors can't charge you for "new features" you were already promised), and provide a great ability to enforce legal rights in the event of a dispute. Software-as-a-service is an intangible asset in most ways, and functionality documentation provides the "substance" of what is being purchased.

IaaS contracts must address an increasingly broad array of cloud services ranging from simple storage to elastic computing power to virtualization and more. Service level agreements and related credits for failure to meet on-demand standards may apply.

Intellectual Property Rights

Consumers of SaaS development, infrastructure virtualization and other cloud-deployments must have a strategic approach to ownership of the intellectual property utilized in the cloud offering. Depending on the economics of the relationship, software developers and purchasers may co-own or otherwise share intellectual property rights. Given the precise and infinite ways in which intellectual property can be carved up, careful attention must always be given to IP ownership rights as they often have a fundamental impact on a company's product strategy.

Indemnification

The negotiation of indemnification coverage for third party lawsuits relating to intellectual property infringement, data/privacy breaches and other key items provides an important risk allocation mechanism in a contract. The parties must realistically assess the commercial value of the contract and nature of cloud services in negotiating when, and to what monetary extent, each party will take responsibility for harm caused to third parties, whether for breaching IP rights, disclosing personal information or some other unforeseen harm. Given the increasing cost companies face when experiencing a data breach, ensuring appropriate indemnification coverage in a contract has real, significant financial consequences.

Information Security

While movement into the cloud by both enterprise and government is inevitable and happening, regulators and consumer advocacy groups will ensure a bright spotlight is shone upon information security.

To that end, in order for company officers to discharge compliance obligations, and to ensure the security of a company's important information assets, organizations deploying cloud solutions must conduct thorough technical due diligence to understand the cloud provider's information security infrastructure and related protocols, and these must be memorialized in the contract.

Consider whether industry standards, like the ISO/IEC 27000 series, are useful. While it may not be realistic to request audit rights, the contract can require cloud providers to produce the results of third party security audits.

Compliance with Laws

In the United States a patchwork of Federal, State and even local laws govern the use of personal information, medical information and other classes of protected information. Add to this an additional layer of complexity when you consider the global presence of many companies.

International data security and privacy standards range from Europe's extremely protective regime, to more open standards in developing countries. Business must navigate this increasingly complex web of regulation.

Shared computing resources, oftentimes bouncing information among data centers in disparate parts of the globe, underscore the brilliance of cloud computing but also its legal complexity; consider that many countries restrict the exportation of personal information outside their borders and the challenge becomes apparent. Separately, sharing of customer personal information may require the cloud provider to agree to comply with the laws of certain jurisdictions.

Making sure that a contract appropriately memorializes each party's legal compliance obligations can serve all well in creating a fruitful working relationship accomplishing all organizational goals.




INAUGURAL & INTRODUCTORY THOUGHTS

With this Cloud Technology Business Law Blog, my goal is to use Google's powerful blogging platform to connect with readers interested in exploring legal and business issues related to the commercialization of cloud computing services and the moneyed parties (think venture capital and angels) that fund development of cloud tech companies.

As a former mergers and acquisitions attorney who four years ago came upon the opportunity to retool my legal skill set to practice in the Information Technology sector of my law firm's Intellectual Property Group, I now have a broad bench of practical experiences which I hope to draw upon in these writings.

The billion dollar software-as-a-service industry, which includes vast networks of computer farms hosting and providing computing power to SaaS, is undeniably having a significant impact on the global economy and the delivery of technology to both consumers and business.

To that end, every day new business partnerships are forged among providers and consumers of cloud computing services, with complex, evolving legal and business issues that have to be reduced to writing in an understandable, enforceable contract. Drafting and negotiating contracts for these complex relationships, oftentimes among multiple parties, has provided a fulfilling, challenging legal practice that enables me to leverage a base business attorney proficiency, deep software technology licensing experience and new learnings (probably the most fun part of my job, learning about new technology, which I try to do as much as any lawyer can).

Why blog? As a lawyer accustomed to engaging in intellectual exercises of vast scope and extreme precision, I now write in no other way. That is to say, a blog cannot be a means to sacrifice the crispness of analysis that legal thinking requires. However, the informal and fluid nature of blogging, and its instantaneous delivery of content over the cloud, is a perfect and necessary medium for a certain type of contribution of thought/analysis on the rapidly-evolving technology that is cloud computing. My hope is that these writings can be of use to a broad audience - the aim is drafting blog posts with elegant simplicity while maintaining intellectual integrity. Sounds quite Job'sian... Also I suspect that if I'm fortunate enough to find a set of readers, that I'll gain more knowledge than I provide.

With that in mind, any and all feedback will be cherished by this author.