Key Risks of Shrink-Wrap Products
This section presents some of the key considerations and risks posed by shrink-wrap, web-wrap, and click-wrap agreements. In the following section, various risk mitigation strategies are discussed.
■ Where’s the agreement? In many cases, just locating the applicable agreement(s) may present a challenge. It is not uncommon for these types of agreements to reference other agreements, including other terms provided on other web pages. In addition, as mentioned previously, in some cases the agreements are hidden in licensing files on the installation disk for the software. Finally, once presented to the user, it may be all but impossible to later find the agreement (or version of the agreement) actually accepted by the user.
- When presented with these types of agreements, customers should make sure to print or otherwise retain copies of the agreement, including the date on which it was accepted.
■ No remedies. The end result of the terms and conditions commonly found in shrink-wrap agreements, as discussed in the preceding section, is that the purchaser has little or no remedy against the vendor in the event there is an issue with the product or if damages arise out of use of the product (e.g., the product has a substantial bug in it, ceases to function, causes an intellectual property infringement claim). The product is, essentially, being licensed on an “as-is” basis. In most instances, the purchaser’s only remedy in the event of a problem is to cease use of the offending product. A refund or other compensation is unlikely.
■ Safety in numbers. In general, the purchaser’s primary protection in purchasing shrink-wrap products is the concept of “safety in numbers.” That is, the product is widely distributed and usually well established in the community. This reduces the potential for a substantial bug or defect to go without a fix from the vendor. The purchaser is essentially relying on the power of the market to force the vendor to correct issues (i.e., vendors with poorly designed or buggy products will lose market share and, at least arguably, be easy to identify).
■ Risks to customer intellectual property. Some shrink-wrap agreements contain expansive “feedback” and similar clauses that could result in the licensor gaining ownership of the purchaser’s own intellectual property. The contract actually includes language that the purchaser is assigning its intellectual property rights to the vendor. In some cases, almost anything the purchaser shares with the vendor, including during support discussions, may become the vendor’s property or, at minimum, result in the vendor having an unbridled license to use what it has learned for its own business purposes. At best, this can result in the purchaser essentially granting the vendor a free license to the purchaser’s valuable intellectual property. At worst, it can result in the purchaser losing all control over its intellectual property.
- The only way to control this risk, absent declining to accept the contract, is to carefully coach all personnel having contact with the vendor not to reveal or discuss proprietary information and intellectual property of the customer.
■ Beware of broad audit rights. Shrink-wrap agreements may also include broad audit rights, permitting the vendor almost unlimited access to the purchaser’s facilities, records, and systems. In some instances, these rights permit any or all of the vendor’s agents, contractors, and licensors to also have full access to the purchaser’s facilities, records, and systems. Under these terms, purchasers assume the additional risk of having third parties, with whom the licensee has no contract and no confidentiality protection, gain unfettered access to the licensee’s facilities, records, and systems. For regulated entities (e.g., in financial services and healthcare) and all others in possession of consumer information, these audit rights subject the licensee to the additional risk and potential of exposing highly sensitive and regulated data to vendors and other third parties without adequate contractual protections (e.g., confidentiality clauses, information security protections, and limitations on use). Consider the potential risk presented by a vendor showing up at a purchaser’s facility, without notice, and demanding full access to its systems and records—without any protection for the purchaser’s highly sensitive confidential information and data or any protection if that access causes a disruption in the purchaser’s operations.
■ Abusive audits. Audits can also be excessive and abusive, disrupting the licensee’s normal operations and potentially exposing the licensee to substantial financial liability for third-party auditor fees (which can reach the hundreds of thousands of dollars). This is because many vendors view these audit rights as a means to derive additional revenue from their purchasers. Some auditors even work on a contingency basis, forcing them to either find a problem or forgo payment. This creates an undue incentive for the auditor to search until it finds something. In a number of instances, audits have led to substantial additional fees being paid by purchasers in agreements that were not properly negotiated. In one case, an audit revealed a relatively minimal excess use of the software, which resulted in the payment of a few thousand dollars in additional license fees. Unfortunately, the customer was also responsible for paying nearly $40,000 in audit costs. Given the current economic climate, vendors are conducting these audits on an ever-increasing basis to try to squeeze more revenue from their customers. The headlines are full of instances in which companies have paid substantial additional fees for excess license uses.
■ Avoid placing sensitive information at risk. Given the as-is nature of the software or service and the lack of any substantive contractual protections, customers should generally avoid placing any highly sensitive information at risk in connection with the engagement (e.g., refraining from uploading confidential personally identifiable information of consumers to a web-based service under a click-wrap agreement that affords no real protection for that information).
■ Reseller issues. With regard to reseller relationships, additional risk can arise in situations in which the reseller is providing support or subcontracted support for the licensed product. Splitting the agreements governing the purchase of the product from support obligations and having two different responsible contracting parties can lead to finger pointing when failures occur and leave a customer without adequate remedies to bridge the two agreements (e.g., if the purchaser purchases a piece of hardware and the reseller breaches its support agreement, the customer may be able to show damages under the support agreement, but will likely have no claim or remedy under the purchase agreement).
There are essentially three methods of addressing the risk of shrink-wrap agreements: blind acceptance, knowing acceptance, and mitigation.
■ Blind acceptance. Blind acceptance refers to the practice of looking at a proposed use of a product, ensuring it falls within the common elements of shrink-wrap products identified above (e.g., low fees, noncritical use, off-the-shelf, well established, potentially trialed), and electing to proceed with the purchase without further consideration. Few sophisticated organizations take this approach. It would require the purchaser to proceed without regard for the risk—abandoning any effort at due diligence.
■ Knowing acceptance. Knowing acceptance refers to the process of quickly reviewing the applicable license agreement for a proposed purchase of a shrink-wrap product and assessing whether it presents any unique risks (i.e., something beyond the typical terms identified above). Unless a unique risk is identified or the purchase would present conditions beyond the common elements identified above, the transaction is approved. If unusual or unique risks are present (e.g., the aggregate value of the transaction is substantial, or the contract presents risks to the purchaser’s intellectual property or data), the risks would be clearly identified in a memorandum for review and—if the cost-benefit of the engagement warrants—potential approval by senior management. This is the most prevalent means employed by sophisticated organizations to address risk in transactions of this kind.
■ Mitigation. The mitigation approach is used in circumstances where the relevant license agreement presents unusual risks or in situations where the purchaser operates in a regulated industry where the protection of data and contracting requirements, in general, are of heightened concern. It has become common in those industries to review proposed uses of shrink-wrap products as they would for any other product purchase transaction. With due regard for the relatively limited ability of purchasers to negotiate these types of agreements, purchasers quickly assess the risks posed by a new engagement and focus on mitigating only the most substantial risks. This is commonly done in the form of an amendment to the shrink-wrap agreement. Such amendments are usually brief, addressing only terms like basic warranties, basic infringement indemnity, audit rights, and protection of the purchaser’s own intellectual property. A number of large organizations are now using these types of amendments to quickly mitigate key risks in these engagements. Their acceptance by vendors, particularly in larger transactions, is growing. If the amendment is rejected by the vendor and no alternate vendor of a similar product is readily available, the risks would be clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management.
The mitigation approach presents the most mature approach to addressing risk in shrink-wrap engagements.
Except in rare instances, shrink-wrap, web-wrap, and click-wrap agreements are enforceable. As with any contract, they must be reviewed and assessed to identify risk. The business can then conduct a cost-benefit analysis to determine whether the risk is warranted and whether that risk can be controlled, at least to some degree, through the use of the mitigation approach discussed in this chapter. The risks presented by shrink-wrap, web-wrap, and click-wrap agreements should not be minimized.