File #: 72485
Version: 1
Name: EULA Resolution Update
Type: Resolution
Status: Passed
File created: 7/6/2022
In control: Attorney's Office
On agenda: 8/2/2022
Final action: 8/2/2022
Enactment date: 8/8/2022
Enactment #: RES-22-00554
Title: Authorizing certain staff to click or agree to certain agreements for the purchase or use of software and other technology services up to $25,000, and amending Resolution No. RES-17-00762 accordingly.
Sponsors: Satya V. Rhodes-Conway
Attachments: 1. 47764Master_OriginalResolution.pdf

Fiscal Note

The fiscal impact depends on particular claims or suits in which a vendor may seek indemnification, in which case the City may have coverage for such indemnification under its current insurance policies.

Title

Authorizing certain staff to click or agree to certain agreements for the purchase or use of software and other technology services up to $25,000, and amending Resolution No. RES-17-00762 accordingly.

Body

All City agencies and operations require technology to function, and requests for new software and technology are made daily. All software or online technology requires the user to click on a set of legal terms online, commonly referred to as an End User License Agreement (“EULA”), Terms of Service or Terms of Use (TOS).

 

On-premise software, software-as-a-service (SaaS), cloud hosting and web-based services are the most commonly requested technology and must be approved by City IT. Some services are only available via a website, but don’t involve software or a network connection. These services also require the user to click on non-negotiable legal terms, in violation of city policies. Examples are online training courses, webinars, subscriptions to research databases, or services like Stamps.com. Even setting up an account to buy office supplies online requires the office manager to bind the City to legal terms and click to agree.

 

Most software is now hosted in the cloud, by the vendor or data centers such as Amazon AWS or the Microsoft cloud. The legal terms for hosting often require the City to grant the vendor certain licensing rights in our data, so they can provide the service. Some data access is appropriate, but City staff are not vested with the authority to grant such a license.

 

Some technology is requested to accept online payments from the public, including a review for Payment Card Industry (PCI) compliance that must be made by the City Treasurer (see MGO 3.055(1)).

MGO 39.02(9)(b) requires a nondiscrimination clause in every City contract. The City also has a set of desired legal terms for small purchases that are normally included through a Purchase Order. There is no opportunity to use a Purchase Order or add the City’s legal terms when clicking on online agreements.

 

Pursuant to APM 1-1 and established municipal law, no City employee can sign a contract for the City without authorization through an ordinance or from the Common Council. APM 1-1 also prohibits the City from indemnifying a vendor without Council approval.

 

With the variety of architecture in new technology, most staff do not recognize or understand the type of technology they are trying to buy, and need assistance to process their requests.

 

City IT has limited staff to intake every such request. It is not efficient or feasible for the City Attorney and Risk Manager to negotiate a contract for all new software, and technically impossible for the Purchasing Supervisor to “click to agree” for every City agency. These requests demand coordination, input and resources across many City departments. The volume of requests continues to increase, and IT must review and approve every new software product to protect network security and City data, per APM 3-20.

 

Resolution RES-17-00762 (File No. 47764), adopted in 2017, authorized the IT Director to click on some software agreements up to $10,000, and authorized indemnification of vendors and waiver of the mandatory nondiscrimination clause, when there is no opportunity to negotiate. Technology has evolved and the City’s need for software and technology continues to grow. This resolution would expand staff authority to provide a reasonable method to keep up with the City’s ever-expanding demands for technology in all areas of service.

***

 

WHEREAS, many forms of technology (software, SaaS, cloud hosted solutions) require a network connection, downloading or accessing of proprietary software, and require non-negotiable legal terms that result in a contract between the City and the vendor; and

 

WHEREAS, such legal terms often include indemnification clauses requiring the City, as customer, to indemnify, defend and hold harmless the software vendor and other parties against various claims, losses and expenses, and such clauses are non-negotiable; and

 

WHEREAS, APM 1-1 requires permission from the Common Council before the City may agree to indemnify, defend or hold harmless another party with very limited exceptions; and

 

WHEREAS, some mandatory City policies apply to purchases exceeding $10,000, $25,000, or $50,000 and the City has no mechanism to bind a vendor to these requirements when clicking on legal terms online; and

 

WHEREAS, some software and technology solutions involve storage or sharing of City data with the vendor (in the cloud) for the vendor to provide the service, and the legal terms for those services include a license grant in some of the City’s data; and

 

WHEREAS, some online services do not involve software, license agreements, or a network connection but still require the user to click to agree to non-negotiable legal terms and City staff do not have that authority;

 

CRITERIA AUTHORITY FOR EXPEDITED SOFTWARE REVIEW PROCESS:

NOW, THEREFORE, BE IT RESOLVED that staff designated by the Information Technology Director or designee, using procedures established by the IT Director, are authorized to click and agree to legal terms to purchase, use, or subscribe to software, SaaS, cloud hosting and other related technology services that require IT approval on behalf of the City, under the following circumstances:

- up to $25,000 in total or not more than $25,000 per year, if the City will not exceed $50,000 with that vendor in the calendar year
- if the purchase is not funded by federal grant dollars
- if the product does not include Surveillance Technology unless all required procedures for Surveillance Technology under MGO 23.63 and APM 3-17 have been followed
- any license grant for City data has been reviewed and approved by the City Attorney or other authorized staff and deemed necessary and reasonable in relation to the need for the technology service in question
- any SaaS or hosting services do not include Protected Health Information (PHI) subject to HIPAA, unless the vendor signs a Business Associate Agreement approved by the City Attorney or HIPAA Security Officer
- any SaaS or hosting services do not include Personally Identifiable Information (PII) or other sensitive data, unless necessary protections are present and have been approved by the City Attorney or other appropriate staff
- any system that collects payment on behalf of the City must have been approved by the City Treasury Division of the Finance Department.

ADDITIONAL AUTHORITY TO CITY STAFF FOR NON-SOFTWARE TECHNOLOGY:

BE IT FURTHER RESOLVED that staff of all City of Madison agencies, CDA, PHMDC, and any other related organization for whom City IT provides network services, with authorization from their supervisors, are authorized to click to agree to legal terms necessary to purchase or access non-software online services such as training, webinars, or other services that do not involve a download of software, access to SaaS, cloud hosting, a network connection or network security vulnerabilities (according to criteria that may be established by City IT) and if not more than $25,000 in total (or if sold as an annual subscription, per year) and if the City will not exceed $50,000 with that vendor in the calendar year; and

 

CONTINUED AUTHORITY TO INDEMNIFY THE VENDOR:

BE IT FURTHER RESOLVED the Common Council authorizes indemnification of such vendors if such language is included in the online legal terms and only after receiving the City Attorney and Risk Manager’s approval; and

 

AUTHORITY TO GRANT A LICENSE TO CITY DATA:

BE IT FURTHER RESOLVED the Common Council authorizes granting a license to the vendor for City data only to the extent such license grant has been deemed necessary and reasonable in relation to the need for the technology or service in question, does not authorize the sale of any such data, contains adequate privacy safeguards, and the language has been approved by the City Attorney or other appropriate, authorized staff; and

 

AMENDING PREVIOUS EULA RESOLUTION:

BE IT FINALLY RESOLVED that this resolution amends RES-17-00762 accordingly, and that resolution is deemed amended to include the authorizations herein for purposes of section 39.02(9)(b), Madison General Ordinances.