All clear or some remaining IP risks in the cloud?

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

Whether we look to Olswang’s many matters with its clients, or to the IT suppliers’ press releases or the numerous industry surveys, there is no doubt that application cloud services are now part of most CTO’s current offerings or future plans. For the right customer, a cloud offering can provide higher levels of availability, greater security, wider scalability all often at a lower and more predictable cost. Like every transaction with a supplier, of course, customers need to evaluate whether there are any additional risks associated with a cloud transaction, and, whatever the answer, how the contractual framework can properly allocate all the risks. Much has been written about data protection, security and governmental access risk. This article considers only intellectual property risks.

First, the article considers the potential IP risks for a customer entering into a cloud transaction with a supplier. We consider whether these IP risks are new, and as a result of the customer transaction, or whether these risks are merely part of business-as-usual for the customer and so background risks whether the workload is put into the cloud or not. Second, we consider whether there is a real risk of a claim being brought not against the supplier but instead against the customer, and in what circumstances this is most likely to happen. Finally we look at the range of options available for a customer to best protect themselves against being sued at all, and then, how they can shield themselves from any liability from the claim.

Intellectual Property Risks in the cloud

Intellectual property rights, mainly here copyright and patent rights, do not simply float away just because a company puts infringing code into the cloud.

If another’s code is unlawfully copied, or independently created code infringes another’s patent, and that code is then uploaded to the cloud to provide support for a business there is a clear intellectual property risk. Copyright is perhaps the easiest to explain. The copying of another’s code without a licence is a copyright infringement and the execution of the code in the cloud is also likely to be an infringement under the copyright law of most countries. If a supplier provides copyright-infringing code as part of a customer’s cloud application, that application will be harbouring infringing code. If the customer had instead licensed the supplier’s code, object or source code form, and executed or used that code in their own on-premises systems, the claimant would also have been able to sue for damages and potentially an injunction.

If drafted appropriately, a patent too can be infringed when particular code or practices are deployed in the cloud. If this code or practices originate from the cloud supplier’s code stack, or systems, it may well be that the patentee, as with copyright, can choose who to sue for compensation and possible an injunction. Whilst it is true that software that might infringe a patent when deployed on-premise might not infringe the same patent when deployed in the cloud, because of the precise claim construction of the patent, customers should be very wary of any supplier which suggests that patent infringement cannot happen in the cloud. Yes, issues of jurisdiction might entertain the litigators a little more, but, the customer and supplier still have the risk.

Real world intellectual property cloud risks

This legal risk, however, should be amplified by the real world risk caused by the difference between on-premises deployments and in-cloud deployments. In general, customers are well aware of the exact number of bits and bytes in their own deployments. The customer’s own integration teams will often be in charge of pulling the full offering together and then testing it. The customer will frequently have open source policies and be mindful of open source code that is covered by patents. The customer will be hosting the code and maybe even deploying it across thousands of clients across its own sites. In this way, the customer is more aware of the types and amounts of third party or open source code they are using.

The same is not true in the cloud, and this is one of its attractions but from this perspective, one of its risks. It is simply easier for a customer to unwittingly take on additional intellectual property risk, especially patent risk, by the services and applications, they procure from the supplier. Increasingly the large suppliers are not merely competing on compute power, speed, security and availability (and cost!) they are also competing on the code that they make available “out of the box” with their cloud services. Customers are invited and often encouraged to move from merely buying compute and storage through to buying platform and then application offerings from suppliers in the guise of supplier code, third party code and open source code. This can happen in a more seamless and less diligenced way than a similar on-premises expansion would occur. That is of course one of the beauties of cloud computing. But it does mean that even though the theoretical legal risks of infringements remain whether one stays on-premises or moves up in the cloud, the practical risks increase because the amounts of third party code and new code typically increase.

Who sues whom and for how much?

When it comes to the transactional documents for any IT supply, at some point the lawyers need to move from the real and theoretical risks and start to allocate these risks between the parties. If there is no risk of a customer being sued, typically a supplier’s starting point will be that given there is no risk, the customer needs no warranty or indemnity. The well-rehearsed reply is usually that if there is no risk then that coverage from the supplier will be inexpensive to provide and so should be documented. But what are the prospects of an infringed company suing a customer? Why wouldn’t they always sue the supplier – or at least both? There are many reasons why a claimant might sue the customer, and we set them out below.

The old adage talked about “deep pocket” litigation which referred to suing the richest defendant as there lies the greatest damages. While it is true that a claimant looking for damages will always want to ensure that they can be paid, it is not always true that the easiest wins are against wealthier defendants like the largest IT suppliers. These suppliers are typically highly sophisticated in the space and employ well-resourced in-house teams – ready and able to defend lawsuits of this kind. These suppliers also will have often more to lose than a customer, so might fight harder because they cannot afford the precedent of settling. And as well as their financial and legal resources, suppliers will sometimes have their own portfolio of intellectual property rights to counterclaim against any claimant. Looked at in this way, suing a customer might look a good option for a claimant.

Customers may well have enough in funds to pay damages, and might also have the benefit of an indemnity, which we discuss below, so they will often have a deep-enough pocket for the claimant. But they will often have smaller legal departments, and even if they are large-enough, they will rarely have defensive IP teams, regularly defending patent claims. So they will often have to move to outside counsel more quickly and with greater dependency. Again, in contrast to the supplier, the customer might not want the business disruption of the litigation or worse an injunction and so might be more willing to “simply pay something to make it go away” – which for a supplier might be more a matter of principle or precedent. And, finally, in general, few customers have a litigation-ready portfolio of rights to counterclaim against a claimant.

Risk allocation in the cloud

So what is the best that a customer can expect from their intellectual property liability negotiations with a supplier?

As usual, the risk allocation needs to both land where it is economically sensible but also at the foot of the person best able to calculate and manage that risk. It follows that customers should be wary of accepting anything less than an indemnity from a supplier, where the intellectual property infringement claim resulted from the cloud supplier’s own code or platform. A customer will have enough disruption from a claim – they should not also have to take on the added contractual responsibility of mitigating their losses. A customer also should be careful because accepting a cap or constraint on an indemnity from a cloud provider for intellectual property infringement. Patent infringement actions can be extremely expensive both in final award and costs of litigation. Customers should also pay particular attention to carve-outs for areas such as infringements of third party rights from open source use. As we explain above, in cloud applications, open source can often be included more easily not less easily than in its on-premises equivalent.

***

To read this article in German, click here.

This article has shown, at a high level, that intellectual property rights can be infringed in the depths of a customer’s server room as easily as in the top rack of the cloud. Customers certainly do not lessen intellectual property risks merely because they are moving applications into the cloud. In some ways, because the governance and deployment within a cloud infrastructure can be more rapid and agile, the real-world risks can increase. We have also seen that some claimants will choose to sue customers, even where the origin of the infringement was the supplier’s own offering. And while customers can do little to deter a lawsuit they can do much to push any IP risk back up into the cloud that created it.

In addition to being named a 2014, 2015 and 2016 Global Outsourcing 100® company and included on the World’s Best Outsourcing Advisors, Dominic Dryden was included in the 2015 The Lawyer Hot 100 list for his seasoned expertise and high-profile work. Olswang’s Sourcing team was also voted Outsourcing Advisory of the Year in 2013 by the European Outsourcing Association. The firm was shortlisted in 2015 in the NOA’s Innovation category and in 2016 by the British Legal Awards for 'Commercial Team of the Year'.