By: Reece Clark

Software escrow arrangements are gaining increasing importance in complex technology deals. Software escrows can be an effective way to mitigate certain future risks involving the licensing of commercial software, a SaaS service, or some other technology product. The application of escrow principles to technology deals comes with unique considerations for parties seeking such services. This article explores basic software escrow principles and best practices.

1. What is a Software Escrow?

In typical off-the-shelf purchases of software, only object code (i.e., executable code) is licensed out to the end user. [1] In commercial licensing deals, however, the licensee may have a legitimate interest in object code and source code. Accessing source code allows the licensee to see how the software is processing data or performing functions, and can even allow the licensee to change the operation of the software. [2] The licensor is usually hesitant to grant rights to source code, as it represents a key piece of intellectual property. To compromise, the parties may choose to enter a software escrow arrangement.

The software escrow allows the licensor (“Depositor”) to deposit its source code, associated build/deployment documentation, and/or other proprietary technology as needed (the “Deposit Material”) with an escrow agent (“Agent”) for the benefit of the licensee (“Beneficiary”). In the event certain pre-defined conditions are met (each, a “Release Condition”), the Agent will release the Deposit Material to the Beneficiary. In this way, a licensee acquires the protection it is looking for without requiring the licensor to directly convey intellectual property rights.

2. When is a Software Escrow Needed?

Software escrow arrangements can be expensive and are not right for every deal. [3] As a result, it is important to make a fact-based determination as to whether a software escrow should be built into a particular contract.
While every deal is different, there are several factors which a party may consider in determining whether a software escrow is needed. Some of these include [4]:

Whether the licensor is signaling:

- Financial instability;
- Declining business forecast;
- Discontinuation of software maintenance and support;
- Infrequency of software updates; or
- Risk of future breach of contract.

Whether the licensed software is:

- Critical to licensee’s business growth;
- Difficult to acquire through competitor products;
- Touching or affecting key stakeholders of licensee;
- Necessary for licensee’s business continuity preparation or operations; or
- Offered by an unestablished vendor.

After evaluating the above factors, if the parties believe the benefits of having the Deposit Material safely stored with a neutral third party outweigh the costs, then a software escrow may be a prudent measure.

3. How Does a Software Escrow Work?

In principle, a software escrow functions in the same way as any other escrow arrangement. After determining that a software escrow is desirable, the parties execute an escrow agreement with an Agent. Escrow agreements will vary depending on the Agent’s scope of engagement and suite of value-added verification services, but the core responsibilities of the parties should remain fairly consistent and are substantially as follows:

Depositor

- Makes initial deposit of Deposit Material.
- Agrees to release updates as necessary to Deposit Material during the term.
- Gives market representations and warranties regarding the Deposit Material.

Beneficiary

- Monitors compliance between the Depositor and Agent during the term.
- Requests additional verification services for Deposit Material as needed.

Agent

- Receives Deposit Material and confirms receipt to Beneficiary.
- Offers additional verification services upon request.
- Holds and controls Deposit Material until Release Conditions are met.

In addition to the above responsibilities, the following terms are unique to software escrow agreements and should be defined between the parties:

Deposit Material Description. The Deposit Material should be adequately described in the escrow agreement and the actual Deposit Material should match the description. A market example of such a description is as follows: “the computer program expressed in a source code language consisting of a full source language statement of the program the software is comprised of and all related compiler command files, build scripts, complete maintenance documentation, application programming interfaces, graphical user interfaces, schematic diagrams and annotations which comprise the pre-coding detail design specification, and all other material necessary to allow a reasonably skilled programmer to maintain and enhance the software without the assistance of the licensor.” [5]

Type of Escrow Arrangement. While a software escrow is most common, some Agents have the capacity to manage different types of escrow arrangements. Other types of escrow arrangements include: (1) technology escrows, holding items of physical technology such as encryption keys or prototypes; (2) SaaS escrows, involving the components necessary to ensure a SaaS product remains viable, such as code, virtual machines, data, and other key components of the SaaS service; and (3) domain escrows, holding a website domain name. [6]

Single Beneficiary vs. Multi-Beneficiary. [7] A single beneficiary agreement is a standard three-party agreement that designates the Beneficiary as the receiver of the Deposit Materials upon a Release Condition. A multi-beneficiary agreement involves multiple receivers of Deposit Materials.
This type of agreement may be complex, separating the software escrow into projects or releases and designating certain Beneficiaries to receive different Deposit Materials based on the identity of the Beneficiary and/or which project or release the Beneficiary is logically tied to.

Designation of Paying Party. Either the Depositor or the Beneficiary or some combination of both may be designated as the paying party. There are usually two key payments to be made: the setup fee and an annual fee. Some strategic considerations on where the cost should be placed may be found here, and a sample fee schedule of the costs associated with a software escrow may be found here. Expect additional verification services to substantially increase the cost of the escrow arrangement.

Defined Release Conditions. These conditions will vary from deal to deal. Typically, they will revolve around (i) the Depositor’s financial condition, triggering if, for example, the Depositor enters voluntary or involuntary bankruptcy, or (ii) the happening of a future event or condition, such as the Depositor failing to function as a going concern or operate in the ordinary course. Upon the occurrence of a Release Condition, the Depositor will be given a notice period to contest whether the Release Condition has actually occurred. If the Depositor fails to timely contest, the Agent will release the Deposit Material to the Beneficiary and will terminate the agreement.

Verification Services. Agents typically offer services that verify the Deposit Material’s functionality, accessibility, or usability, and such services are offered at varying degrees of thoroughness.
Verification services range from basic file list tests analyzing readability and file listing/classification, to full comprehensive usability tests, which may involve the Agent setting up an environment, installing and configuring the Deposit Material, and then running functional tests as necessary to confirm the Deposit Material is in an executable condition. Extensive verification services typically require a separate executed statement of work between the parties.

4. Conclusion.

Utilizing a software escrow can be an effective means of ensuring business continuity in the event of a realized risk. Software escrow arrangements can be complex in nature and require careful structuring of release conditions, payment responsibilities, and other services as necessary. If you are contemplating a licensing agreement and are seeking further assurances of the future accessibility of the licensed product or service, consider a software escrow arrangement. Polsinelli attorneys are experienced in technology transactions and can help counsel and develop a protective software escrow arrangement for your deal.

[1] Katheryn A. Andersen & Jen C. Salyers, Source Code Escrow, § 21:1, available at http://www.bssdlaw.com/files/lbcs_source_code_escrow.pdf
[2] Source Code, Techopedia, available at https://www.techopedia.com/definition/547/source-code (last visited Apr. 4, 2018)
[3] EscrowTech, Software Escrow Fundamentals, When Should I Use a Software Escrow?, EscrowTech, https://www.escrowtech.com/software-escrow.php#whatSoftwareEscrow (last visited Apr. 4, 2018)
[4] Id.
[5] Andersen & Salyers, supra note 1, at § 21:4.
[6] EscrowTech, Supra note 4, Software Escrow Fundamentals, Types of Escrows.
[7] Nccgroup, Software Escrow Agreements, Nccgroup, https://www.nccgroup.trust/us/our-services/software-escrow-and-verification/escrow-agreements/ (last visited Apr. 4, 2018)

Winter is Coming…and so is PSD2

By Reece Clark

Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payments Service Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden their customer data exchange security measures in response. According to a recent press release from the European Commission, payments service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to move their systems and procedures into compliance.

EU Watchdog Advocates for New Fin Tech Regulations

By Daniel L. Farris

The European Securities and Markets Authority – a top EU security watchdog – published a paper last week calling for new regulation on so-called blockchain technology in financial markets. The comments come as financial markets are experiencing a rapid increase in virtual currencies and the underlying Digital Ledger Technology that supports them.

Data Security Violations Found by the Consumer Financial Protection Bureau Against Payment Processor Dwolla, Inc.

By Mary Kathryn Curry

Dwolla, Inc., a company that claims to offer secure, ready-to-use payment tools that simplify how people send or receive money from anyone in the U.S., has been hit with a $100,000 penalty and an annual data-security audit compliance plan. Dwolla, based in Des Moines, Iowa, has collected and stored sensitive personal information from consumers since 2009, such as address, date of birth, telephone number and Social Security number. In addition, consumers provide their bank account and routing number to link their bank accounts to their Dwolla account. Dwolla has approximately 653,000 members and transfers as much as $5,000 per day.

Target to Pay Nearly $40 Million to Settle with Banks over Data Breach; Total Costs Reach $290 Million

By Daniel L. Farris

A settlement filed Wednesday provides that Target Corp. will pay $39.4 million to the banks and credit unions who brought class action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach. The breach, which impacted as many as 110 million individuals, compromised as many as 40 million credit cards. 

The Vast Reach of a Security Breach

By Joseph D. McClendon

Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may be just the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage and must also cooperate with the government’s investigations into the matter.

FFIEC Warns Banks of Increased Cyber Attacks Involving Extortion

By Daniel L. Farris

The Federal Financial Institutions Examination Council (“FFIEC”) issued a press release last week “alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.” The FFIEC went on to say that “financial institutions should develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks.”

SEC Uses Safeguard Rule to Sanction, Penalize Investment Firm for Data Breach

By Daniel L. Farris

Following a decision in August not to pursue penalties or other sanctions against Target for the company's massive 2013 data breach, the Securities and Exchange Commission announced new penalties last week against investment firm R. T. Jones Capital Management for its role in a much smaller 2013 breach involving investor data. The SEC's announcement came on the same day that it issued guidance to investors about how to protect their personal and financial information in the event of a financial institution data breach.  

Under section 504 of the Gramm-Leach-Bliley Act, which regulates disclosure of consumer information, the SEC has the authority to impose penalties on companies that don’t disclose the magnitude of data breaches, fail to properly detail their policies and procedures in protecting consumer data, or fail to implement adequate cybersecurity measures. To date, however, the SEC has largely left data breach enforcement activities to the Federal Trade Commission.

Whether the SEC’s decision in the R.T. Jones case marks a shift in enforcement philosophy is unclear, particularly given the facts of the R.T. Jones case, which all but forced the SEC’s hand.  According to the SEC, R.T. Jones “failed to adopt written policies and procedures designed to protect consumer records and information, such as employing a firewall or encrypting data to protect the web server it used to store sensitive client information. As a result, the personal data of nearly 100,000 people was compromised in the hack.”  
