The roughly two-hour session with industry representatives was an opportunity for vendors to ask questions and raise concerns about the provisions, which had not been updated for more than five years, DGS officials noted.
In addition to updating definitions to align with industry standards and technological changes, officials also consolidated portions of the provisions.
Here are the changes to the non-cloud provisions (as written by DGS):
- Sections 5.1 and 5.2 (NEW) – Added Support and Professional Services
- Sections 10.1, 10.3, 10.4 and 10.6 – Updated and added Confidentiality terms and Data Rights to align with industry standards
- Section 15.6 (NEW) – Added new Software License Audit
- Section 20.4 (New) – Notice of Insolvency
- Section 20.10 (New) – Survival
- Section 21 (NEW) – Data Protection Provisions have been added; these are based on the Cloud – SaaS Special Provisions, which have now been incorporated into ITGPs
Here are the changes to the cloud provisions (as written by DGS):
- Section 9 – Updated and added Confidentiality and Data Rights clauses
- Section 14.6 (New) – Added Software License Audit
- Section 19.4 (New) – Notice of Insolvency
- Section 19.11 (New) – Survival
- Section 20 (New) – Data security and privacy provisions from the SaaS Special Provisions were incorporated into the body of the Cloud General Provisions to consolidate the document
One point of concern among the vendors in attendance centered on the issue of breach liability when contracting with the state. Some voiced concerns that, as written, the provisions could have a chilling effect on small businesses that could not cover the costs of a breach, while larger businesses might avoid some contracts where the dollar amount was significantly smaller than potential liability costs.
DGS officials said they were cognizant of the potential impacts to small businesses and pointed out that the size of some projects and the scope of data required make the issue of vendor liability difficult to navigate with a one-size-fits-all solution. They urged more dialog with industry on the issue.
Another area vendors mentioned was the issue of breach notification rules; some felt 48 hours was not enough time for companies to identify an incident and provide notifications to the state. Similarly, the question of what qualifies as a breach was a topic of discussion.
Vendors have until March 18 to submit comments on the proposed changes.