Reconciling information security and shrink-wrap agreements

Addressing the security risks that come with non-negotiable shrink-wrap (or click-wrap) agreements.


There is simply no avoiding it. Every business, regardless of size or type, has entered into “shrink-wrap” or “click-wrap” agreements (i.e., non-negotiable agreements provided with various types of software and cloud services). In most instances, even small organizations are bound by dozens of such agreements. One of the primary challenges of these agreements is reconciling information security concerns when presented with what is essentially a non-negotiable contract.

What is a “shrink-wrap” or “click-wrap” agreement?

The term “shrink-wrap” derives from the method by which software was distributed in the past (as opposed to the electronic downloads of today): a package of installation disks and associated documentation sealed in shrink-wrap cellophane. The accompanying end user license agreement was often itself packaged in shrink-wrap cellophane and placed on the outside of the package or included as the topmost item in the package.

Today, shrink-wrap agreements can take a variety of forms and are found in software, cloud, and hardware transactions. However, they all have a common structure: essentially non-negotiable terms and conditions that accompany the product. The terms may appear as part of the documentation accompanying the product, as part of an online purchase process whereby the terms are displayed (and the purchaser, potentially, required to affirmatively click an “accept” button as part of the process), or presented to the purchaser on first use of the application as part of the installation process.

If the terms are displayed electronically, either online or in connection with the installation process, they are often referred to as “click-wrap” terms. For purposes of this discussion, there is no difference between click-wrap and shrink-wrap terms. 

Products purchased under shrink-wrap agreements – common elements

While there are no bright-line rules as to the specific types of products that are made available under shrink-wrap agreements, the following are common elements:

  • The product typically has a relatively low cost per unit (e.g., less than $20,000). While the cost per unit for a given product may be low, or even trivial (e.g., less than $100), the total cost to the organization should not be overlooked (e.g., 1,000 units at $100 per unit results in aggregate fees of $100,000);
  • The product is provided “off-the-shelf,” meaning that it is not customized for the purchaser. Each purchaser purchases the exact same version of the product as every other purchaser, without modification;
  • The product requires very little implementation effort. The purchaser generally assumes all of the installation effort without obtaining professional services from the vendor or a third party;
  • The product is generally not mission critical; and
  • The product is typically well understood and established in the marketplace. Frequently, the product is available for trial and evaluation before a license is required.

The above are, of course, only generalities. It is important to note that there are many instances in which shrink-wrap agreements are used for the purchase of products that cost hundreds of thousands of dollars, require extensive customization and a significant implementation effort, and are mission critical to the organization. As discussed below, the risk of the products purchased under a shrink-wrap model can increase dramatically when the proposed application varies from the foregoing common elements.

Inherent risks of shrink-wrap products

The result of the terms and conditions commonly found in shrink-wrap agreements, as discussed in the preceding section, is that the purchaser has little or no remedy against the vendor in the event there is an issue with the product or damages arise out of use of the product. From an information security perspective, this means the vendor bears little or no liability if the product results in a security breach (e.g., the product itself has a vulnerability or, in the case of a cloud service, the product is used to store data that is then compromised). The product is, essentially, being licensed on an “as-is” basis. In most instances, the purchaser’s only remedy in the event of a problem is to cease use of the offending product. A refund or other compensation is unlikely.

In general, the purchaser’s primary protection in purchasing shrink-wrap products is the concept of “safety in numbers.” That is, the product is widely distributed and usually well established in the community. This reduces the potential for a substantial bug or defect to go without a fix from the vendor. The purchaser is essentially relying on the power of the market to force the vendor to correct issues (i.e., vendors with poorly designed or buggy products will lose market share and, at least arguably, be easy to identify).

Specific information security risks

Shrink-wrap agreements present several significant information security risks:

  • Lack of warranties relating to viruses and other harmful code or, if such warranties are present, the vendor has little or no liability.
  • If information security language is included, it is typically keyed to vendor policies and procedures that may change at any time, without notice.
  • If the product involves hosted data of the customer, the vendor is typically granted very broad rights to use that data. In some instances, this language may be framed in terms of seemingly innocuous “aggregated data” rights. The problem is that those rights are seldom described with any real clarity. In particular, there is almost never any specificity as to what aggregation really means (e.g., aggregated and de-identified according to applicable law and in a manner that ensures the data is truly de-identified and not capable, through any means, of being re-identified).
  • Lastly, and perhaps the least obvious risk, is the very broad audit rights typically found in shrink-wrap agreements. These audit rights permit the vendor almost unlimited access to the customer’s facilities, records, and systems. In some instances, these rights permit any or all of the vendor’s agents and licensors to also have full access to the licensee’s facilities, records, and systems. Under these terms, customers assume the additional risk of giving third parties, with whom they have no contract and no confidentiality protection, unfettered access to the customer’s facilities, records, and systems. For regulated entities (e.g., in financial services and healthcare) and all others in possession of consumer information, these audit rights subject the licensee to the additional risk and potential of exposing highly sensitive and regulated data to vendors and other third parties without adequate contractual protections (e.g., confidentiality clauses, information security protections, limitations on use, etc.).

Addressing risk

There are essentially three methods of addressing the risk of shrink-wrap agreements: blind acceptance, knowing acceptance, and mitigation. 

Blind acceptance refers to the practice of looking at a proposed use of a product, ensuring it falls within the common elements of shrink-wrap products identified above (e.g., low fees, non-critical use, off-the-shelf, well established, potentially trialed, etc.), and electing to proceed with the purchase without further consideration. Few sophisticated organizations take this approach. It would require the purchaser to proceed without regard for the risk – abandoning any effort at due diligence.

Knowing acceptance refers to the process of quickly reviewing the applicable license agreement for a proposed purchase of a shrink-wrap product and assessing whether it presents any unique risks (i.e., something beyond the typical terms identified above). Unless a unique risk is identified, or the purchase would present conditions beyond the common elements identified above, the transaction is approved. If unusual or unique risks are present (e.g., the aggregate value of the transaction is substantial, the contract presents risks to the purchaser’s intellectual property or data, etc.), the risks would be clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management. This is the most prevalent means employed by sophisticated organizations in addressing risk in transactions of this kind.

The mitigation approach is used in circumstances where the relevant license agreement presents unusual risks or in situations where the purchaser operates in a regulated industry where the protection of data and contracting requirements, in general, are of heightened concern. It has become common in those industries to review proposed uses of shrink-wrap products as they would for any other product purchase transaction. With due regard for the relatively limited ability of purchasers to negotiate these types of agreements, purchasers quickly assess the risks posed by a new engagement and focus on mitigating only the most substantial risks. This is commonly done in the form of an amendment to the shrink-wrap agreement. Such amendments are usually brief, addressing only terms like basic warranties, basic infringement indemnity, audit rights and protection of the purchaser’s own intellectual property. A number of large organizations are now using these types of amendments to quickly mitigate key risks in these engagements. Their acceptance by vendors, particularly in larger transactions, is growing. If the amendment is rejected by the vendor and no alternate vendor of a similar product is readily available, the risks would be clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management. 

The mitigation approach presents the most mature approach to addressing risk in shrink-wrap engagements. 

This article is published as part of the IDG Contributor Network.
