Continuing Decline in Cloud Provider Responsibility

I have written previously that one of the primary trends in cloud computing over the last year has been a steady attempt by some, but certainly not all, cloud providers to completely erode most standard customer protections in their agreements.  While I have previously focused on the decline in SLA protections, in this entry, I would like to focus on liability.  Specifically, the issue for today is liability for intellectual property infringement.

In the overwhelming majority of instances, vendors are willing to assume full liability if they cause their customer to be sued for intellectual property infringement resulting from the customer’s authorized use of the vendor’s systems and software.  This is a fundamental protection and one that typically requires little or no real discussion in negotiations.  Many vendors include this unlimited protection in their form agreements.  Given the growing threat of patent trolls and the general increase in patent infringement claims, customers should require this protection in all vendor contracts.

The trend over the last year, however, is for vendors to limit the indemnity protection they are providing.  Most notably, vendors are limiting the type of damages they will protect their customers from (i.e., limiting their liability to direct damages, but excluding liability to consequential damages/lost profits awarded to the party claiming infringement).  This change renders the indemnity protection, at best, somewhat useless and, at worst, genuinely risky.  

The problem is twofold.  First, the most likely type of damage to be awarded in an infringement action is the lost profits/license fees of the party claiming infringement.  Those types of damages may not be recoverable under the new approach being used by vendors.  The second, more troubling problem, with this new approach is that the contract almost always requires the customer to permit the vendor full control of the defense of the lawsuit and any settlement.  That is, the customer has no say whatsoever in the conduct of the claim.  This means that if there is any cap or exclusion of damages on the indemnity, the customer would essentially serve as the vendor’s insurer for the excess.

Consider an example, the vendor agreement states the vendor will only be responsible for “direct” damages flowing from an infringement claim.  The vendor infringes a third party’s intellectual property rights and causes its customer to be sued.  The vendor settles the lawsuit for $1.00 in direct damages and $1M in consequential damages.  In that case, the customer will be responsible for the $1M in consequential damages for a claim it didn’t cause and a settlement it didn’t negotiate.  This is plainly wrong and businesses should push-back hard on any vendor that makes such a proposal in its contract.

New! Download the State of Cybercrime 2017 report