Legal quicksand: Shrink-wrap, click-wrap agreements

Page 2 of 2

These are general observations only. The specific language of a given shrink-wrap agreement may present additional risks. In particular, as discussed in the next section, a growing number of shrink-wrap agreements may present substantial risks to the purchaser's own intellectual property or, if the purchaser is in a regulated industry (e.g., financial services or healthcare), to the purchaser's data.

Inherent Risks of Shrink-Wrap Products

The end result of the terms and conditions commonly found in shrink-wrap agreements, as discussed in the preceding section, is that the purchaser has little or no remedy against the vendor if there is an issue with the product or damages arise out of use of the product (e.g., the product has a substantial bug in it, ceases to function, or causes an intellectual property infringement claim). The product is, essentially, being licensed on an "as-is" basis. In most instances, the purchaser's only remedy in the event of a problem is to cease use of the offending product. A refund or other compensation is unlikely.

In general, the purchaser's primary protection in purchasing shrink-wrap products is the concept of "safety in numbers." That is, the product is widely distributed and usually well established in the community. This reduces the potential for a substantial bug or defect to go without a fix from the vendor. The purchaser is essentially relying on the power of the market to force the vendor to correct issues (i.e., vendors with poorly designed or buggy products will lose market share and, at least arguably, be easy to identify).

A growing number of shrink-wrap agreements present additional risks beyond those identified in the preceding section. Two of the most common additional risks relate to the purchaser's own intellectual property and data.

Some shrink-wrap agreements contain expansive "feedback" and similar clauses that could result in the licensor gaining ownership of the purchaser's own intellectual property. The contract actually includes language that the purchaser is assigning its intellectual property rights to the vendor. In some cases, almost anything the purchaser shares with the vendor, including during support discussions, may become the vendor's property or, at minimum, result in the vendor having an unbridled license to use what it has learned for its own business purposes. At best, this can result in the purchaser essentially granting the vendor a free license to the purchaser's valuable intellectual property. At worst, it can result in the purchaser losing all control over its intellectual property.

Shrink-wrap agreements may also include broad audit rights, permitting the vendor almost unlimited access to the purchaser's facilities, records, and systems. In some instances, these rights permit any or all of the vendor's agents, contractors, and licensors to also have full access to the purchaser's facilities, records, and systems. Under these terms, purchasers assume the additional risk of giving third parties, with whom the licensee has no contract and no confidentiality protection, unfettered access to the licensee's facilities, records, and systems. For regulated entities (e.g., in financial services and healthcare) and all others in possession of consumer information, these audit rights subject the licensee to the additional risk of exposing highly sensitive and regulated data to vendors and other third parties without adequate contractual protections (e.g., confidentiality clauses, information security protections, limitations on use, etc.). Consider the potential risk presented by a vendor showing up at a purchaser's facility, without notice, and demanding full access to its systems and records -- without any protection for the purchaser's highly sensitive confidential information and data or any protection if that access causes a disruption in the purchaser's operations.

Audits can also be excessive and abusive, disrupting the licensee's normal operations and potentially exposing the licensee to substantial financial liability for third-party auditor fees (which can reach the hundreds of thousands of dollars). This is because many vendors view these audit rights as a means to derive additional revenue from their purchasers. Some auditors even work on a contingency basis, forcing them to either find a problem or not be paid. This creates an undue incentive for the auditor to search until they find something. In a number of instances, audits have led to substantial additional fees being paid by purchasers in agreements that were not properly negotiated. In one case, an audit revealed a relatively minimal excess use of the software, which resulted in the payment of a few thousand dollars in additional license fees. Unfortunately, the customer was also responsible for paying nearly forty thousand dollars in audit costs.

Given the current economic climate, vendors are conducting these audits on an ever-increasing basis to try to squeeze more revenue from their customers. The headlines are full of instances where companies have paid substantial additional fees for excess license uses. Some examples:

* Arcadian Healthcare Inc. paid $150,000 to settle claims that it had unlicensed copies of Microsoft Corp., Symantec Corp. and McAfee Inc. software.

* BioTrove Inc. paid $82,442.70 to settle claims that it had unlicensed copies of Adobe Systems Inc., Apple Computer Inc., Microsoft and Symantec software.

* Dimensional Innovations Inc. paid $80,000 to settle claims that it had unlicensed copies of Adobe, Microsoft and SolidWorks Corp. software.

With regard to reseller relationships, additional risk can arise in situations in which the reseller is providing support or subcontracted support for the licensed product. Splitting the agreements governing the purchase of the product from support obligations and having two different responsible contracting parties can lead to finger pointing when failures occur and leave a customer without adequate remedies to bridge the two agreements (e.g., if the purchaser purchases a piece of hardware and the reseller breaches its support agreement, the customer may be able to show damages under the support agreement, but will likely have no claim or remedy under the purchase agreement).

Addressing Risk

There are essentially three methods of addressing the risk of shrink-wrap agreements: blind acceptance, knowing acceptance, and mitigation.

Blind Acceptance. Blind acceptance refers to the practice of looking at a proposed use of a product, ensuring it falls within the common elements of shrink-wrap products identified above (e.g., low fees, non-critical use, off-shelf, well established, potentially trialed, etc.), and electing to proceed with the purchase without further consideration. Few sophisticated organizations take this approach. It would require the purchaser to proceed without regard for the risk -- abandoning any effort at due diligence.

Knowing Acceptance. Knowing acceptance refers to the process of quickly reviewing the applicable license agreement for a proposed purchase of a shrink-wrap product and assessing whether it presents any unique risks (i.e., something beyond the typical terms identified above). Unless a unique risk is identified or the purchase would present conditions beyond the common elements identified above, the transaction is approved. If unusual or unique risks are present (e.g., the aggregate value of the transaction is substantial, the contract presents risks to the purchaser's intellectual property or data, etc.), the risks would be clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management. This is the most prevalent means employed by sophisticated organizations in addressing risk in transactions of this kind.

Mitigation. The mitigation approach is used in circumstances where the relevant license agreement presents unusual risks or in situations where the purchaser operates in a regulated industry where the protection of data and contracting requirements, in general, are of heightened concern. It has become common in those industries to review proposed uses of shrink-wrap products as they would be reviewed for any other product purchase transaction. With due regard for the relatively limited ability of purchasers to negotiate these types of agreements, purchasers quickly assess the risks posed by a new engagement and focus on mitigating only the most substantial risks. This is commonly done in the form of an amendment to the shrink-wrap agreement. Such amendments are usually brief, addressing only terms like basic warranties, basic infringement indemnity, audit rights, and protection of the purchaser's own intellectual property. A number of large organizations are now using these types of amendments to quickly mitigate key risks in these engagements. Their acceptance by vendors, particularly in larger transactions, is growing. If the amendment is rejected by the vendor and no alternate vendor of a similar product is readily available, the risks would be clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management.

The mitigation approach is the most mature approach to addressing risk in shrink-wrap engagements.

Conclusion

The risks presented by shrink-wrap and click-wrap agreements should not be minimized. As with any contract, they must be reviewed and assessed to identify risk. The business can then conduct a cost-benefit analysis to determine whether the risk is warranted and whether that risk can be controlled, at least to some degree, through the use of the mitigation approach discussed above.

Michael R. Overly is a partner in Foley & Lardner LLP's Information Technology & Outsourcing Practice and the Privacy, Security and Information Management Practice. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Security Professional (CISSP), Certified Information System Auditor (CISA), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Privacy Professional (CIPP) certifications.

This story, "Legal quicksand: Shrink-wrap, click-wrap agreements" was originally published by CSO.

Copyright © 2011 IDG Communications, Inc.
