Pitfalls Of Third-party Data Processing

In traditional in-house operations, on-site data storage does not involve unique legal issues. Off-site data storage is up a notch in terms of complexity. You need to take steps to prevent unauthorized access or disclosure and to be assured that the data will be accessible on a timely basis. Further complications arise with off-site data processing through the use of the services of an application service provider, commonly known as an ASP.

On the disclosure issue, here is a brief description of laws that protect proprietary interests in data.

Most countries in the world are signatories to copyright treaties of long standing. Copyright statutes of signatory countries are similar but not identical; moreover, further variations arise, from time to time, through domestic court decisions. As a result, the same copyrighted work may be entitled to different degrees of protection from country to country. Copyright protection for data affords a good example of these variations.

Until 1997, compilations of data of most kinds, such as published lists and directories, were thought to be protected in Canada from direct copying. In 1997, in the Tele-Direct case, the Federal Court of Appeal considered the level of protection for a telephone directory, its organization, and its “look and feel”. The court ruled that, for copyright protection, there is the requirement of some intellectual effort. It decided that there was no copyright in the directory as a mere compilation. This decision changed the interpretation of the Canadian Act and brought it into harmony with the U.S., where copyright protection is not available for compilations that require only the “sweat of the brow”. There remains a difference with the European Union, where data that is compiled only through effort and no originality is protected.

Confidentiality Agreements

The use of confidentiality agreements represents another legal instrument for the protection of proprietary data. They generally address, in addition to secrecy provisions, obligations to refrain from using the data for any purpose other than the provision of contracted services from the ASP. With the advent of privacy legislation, they should also contain express provisions for compliance with the protection of privacy.

From the point of view of unauthorized disclosure, a contract for services from an ASP does not represent an increased risk when compared to the use of any other third-party data storage. From the point of view of business continuity, however, an ASP poses greater risks. Oftentimes, ASPs use proprietary software for the processing of input data supplied by the ASP’s customer. The services often consist simply of the delivery of the output resulting from the processing operations. Frequently, the customer’s background data resides with the ASP and is often in a format that requires the ASP’s application software for ready access. In case of service interruption, even if the background data is available from third-party backup sites, it is not useable without the same application software. Some contracts call for the backup data to be available in a readable file, such as a flat file, but this is often impractical where the ASP’s systems are highly sophisticated.

Access To ASP’s Software

Most IT professionals are familiar with security of supply issues involving traditional software licensing and support arrangements. These generally address the need for access to source code in service failure contingencies. With ASP processing, the same principles should apply. But with the ASP, you don’t normally have a copy of the application in object code, let alone source code. As a partial solution, you should consider the need for a contingency license and access to the application software in the event of service failure. The contract would include a license in favour of the customer for the use of the ASP’s proprietary software. The customer would undertake not to use the software except in non-performance contingencies. The license would also be accompanied by support obligations that would only be triggered after the customer commences to use the proprietary software. As with any such support arrangements, it would be logical to include provisions dealing with access to source code in the event of failure to support.

Security of supply is important in any business but is paramount where the ASP’s services are, in turn, offered by the customer to its own clients. To illustrate, consider a bank supplying back-office services to its clients, using an ASP. The back-office service is most likely only one of many supplied by the bank to the same clients. The risk of poor performance by the ASP will put at risk all of the revenues from the other services as disappointed clients move to another bank.

Reliance on third-party operations may be inevitable if the ASP’s proprietary offering is unique or the economics of third-party supply are too compelling. To mitigate additional risks, strong and practically enforceable contractual rights for self help may be necessary.

Gabe Takach is Head of Technology Contracting for the Toronto law firm Torys. He can be reached at gtakach@torys.com.