This Article appeared in the December 2005 issue of Web Host Industry Review magazine. Click here to subscribe for free.
December 15, 2005 -- (WEB HOST INDUSTRY REVIEW) -- Most litigation and, as a result, risk mitigation, begins with contracts. Hosts, like most people, spend little if any time reviewing their contracts with significant vendors. Many hosts don't even create acceptable use policies or terms of service tailored to their businesses. While it's easy to understand the lack of motivation to read contracts - they're boring - spending an hour actually understanding your bandwidth contract can save you 20 hours arguing with your provider when problems arise.
Level 1 PCI DSS Certified Service Provider! DataPipe delivers the best network & support; top tier data centers; New York metro, Silicon Valley, London, Hong Kong, Shanghai. DataPipe - Personal Touch, Global Reach.
Contract Review
Almost every contract you sign will contain multiple clauses that structure liability. These clauses range from "limitation of liability" clauses, annoyingly set out in all caps, to clauses that require you to provide certain information to your customers. Not understanding how these contracts affect your business, as well as your relationships with customers and vendors, is a sure way to end up hiring a lawyer to get you out of trouble.
Bandwidth providers often present Web hosts with opaque and sometimes oppressive "flow down" provisions. These clauses often refer vaguely to requirements that your customers comply with the AUP of your bandwidth provider. Technically your bandwidth provider can cut your services if you, or your customers, violate its AUP.
Analyzing contracts and incorporating their provisions into your business documents is crucial for two reasons. First, vendors can and do enforce flow down provisions - which could create a painful situation for you. Let's say you have a client who creates a problem for someone else - maybe a hate site. You decide that your AUP allows this site to continue operation, but the person complaining goes to your bandwidth provider. The site violates the bandwidth provider's AUP, and it shuts off your bandwidth. Now you've lost connectivity and will face claims from customers who may have no path to the Internet and significant latency. And you have a customer you have to terminate to recover those things. A quick review and synchronization of your customer facing policies with those of your significant vendors might have prevented this.
Second, these contracts may have included representations that you would pass along the vendor's policies, or align your policies with theirs. These contracts may also contain limitation of liability clauses. You need to make sure these are reflected in your AUP and TOS so that you do not leave a liability gap should a customer sue you based on a vendor failure. Finally, you need to make sure that you are not extending to customers more rights than you are given by vendors.
Draft your own AUP and TOS
At one point in my career, I actually had to send letters to hosts who had stolen my client's acceptable use policy and terms of service, demanding that they stop using them, or at least replace my client's name with their own until they drafted new documents. Each business has a unique set of services, network architecture, and target customers. As a result, each business has a unique risk profile. Creating contract protections that respond to your business's risk profile is fundamental to mitigating your risk.
To create an AUP and TOS that respond to your risk profile, start by determining what type of customers you have. A shared host whose customer base consists of mom and pop businesses climbing the ladder from small to large is going to have significantly different abuse problems than a host whose customer base is made up largely of gamers. Focusing on the issues unique to your business will bring up the complaints and threats you most often deal with.
Whose laws apply?
A fundamental piece of any risk mitigation strategy is determining where geographic liability lies. Most hosts think they need only comply with the laws of the jurisdictions in which they are located and where they have operations such as data centers. This argument is relatively sound, though it is often litigated. However, if you claim to be bound by the laws of the state in which your headquarters is located, take the time to review the laws of that state as they apply to your business. After reviewing your AUP, TOS and operations for federal and common law compliance, make sure you comply with state or other jurisdictional laws. Your TOS should also set out whose laws you've chosen to be bound by, and make your customers and contracts subject to that law.
Where Can You Be Sued?
An often-missed risk mitigation strategy is limiting where you can be sued. In most cases, a contract that contains a choice of forum provision is honored. And it will be much easier to defend yourself in the city and state in which you are located. What's more, this often creates a hurdle for anyone thinking of suing you, since they will be required to travel, and bear the expenses of the trip. Most courts have found, however, that this location must relate in some way to your business, or your customer's business. So its unlikely, if your business is in the District of Columbia, that a court would honor a choice of forum clause that selects Kazakhstan as the location for any litigation.
