With more nonprofits and other organizations adopting new platforms and systems to further their goals, understanding the processes for acquiring the related technology has never been more important. It’s crucial to evaluate both the technology itself and the obligations and liabilities that may arise under the related contracts and licensing, particularly those involving third parties. In this recent webinar, Venable attorneys Kelly DeMarchis Bastide and Christopher Kim examined the common issues and pitfalls that organizations need to be aware of when considering adopting new technologies. They also addressed some follow-up questions.
Q: When data breaches occur, are the vendors or the customers typically held liable?
A: Vendors generally prefer to be held liable only where a security breach results from their actions or a material breach of contract, so an “at fault” data breach is more commonly accepted. The ideal for a customer would be to secure coverage for third-party data liability even when there is no specific material breach by the vendor. Common (and not mutually exclusive) compromises on this point include (i) allowing for coverage of third-party liability when the vendor has been negligent in its security duties, not just for breach; and/or (ii) specifying a particular category of third-party liability that the vendor will cover even when there is no contract breach, such as government fines, investigations, and mandatory notification.
Q: What types of indemnity terms are vendors typically willing to offer customers for third-party and other claims?
A: Vendors are typically more willing to offer indemnification from third-party IP infringement claims, rather than a representation or warranty of non-infringement. It’s also true that, given the choice between the two, indemnification is probably the more practical option in most cases, if there is serious infringement risk. However, it is not impossible to get vendors to agree to representations and warranties regarding non-infringement, especially if the creation of text, photo, or audiovisual content forms a substantial part of the services. The best case would be to have both – indemnification as the priority, but also a potential warranty claim and the opportunity to terminate the contract if infringement occurs.
Q: What are some types of special damages for which organizations should consider supercaps, that is, expansions of the liability cap that applies to specific types of breaches and other liabilities?
A: Confidentiality/information, security breach, and indemnification are the three most commonly requested categories for supercaps. Accordingly, vendors often have fallback positions at negotiation that they will offer to customers who specifically request such exclusions.
Q: Regarding the California Consumer Privacy Act (CCPA) applicability to nonprofits: Do nonprofits that rent or sell email lists to other nonprofits have to include a “right to opt out of sale” under 1798.120?
A: The California Consumer Privacy Act (CCPA) has a broad nonprofit exemption that would encompass the requirement to offer a right to opt out of sale, although there may be nuances to this question, which we would be happy to discuss.
Q: Are there exemptions for nonprofits under the Virginia Consumer Data Protection Act and the Colorado Privacy Law?
A: The Virginia Consumer Data Protection Act exempts 501(c)(3), 501(c)(6), and 501(c)(12) organizations. But while interpretation of the new Colorado Privacy Act is still evolving, it does not at present include an express nonprofit exemption.
Guidance surrounding the acquisition and implementation of new technology is ever evolving. For more information, watch the full webinar, or contact our panelists Kelly DeMarchis Bastide and Christopher Kim to learn more about our data privacy and IP services.