REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF THE COUNTY OF SAN BERNARDINO
AND RECORD OF ACTION
November 5, 2019
FROM
WILLIAM L. GILBERT, Director, Arrowhead Regional Medical Center
SUBJECT
Title v
Purchase Order with Nth Generation Computing, Inc. for Security Software
End
RECOMMENDATION(S)
Recommendation
1. Approve the Master License Agreement with Varonis Systems, Inc. for security software to protect and control access to patient data in the amount of $474,813 for a perpetual term license and support of the software in the amount of $292,888 for a three year period from November 5, 2019 through November 4, 2022.
2. Authorize Purchasing to issue Purchase Order with Nth Generation Computing, Inc. in the amount of $767,701 for the software licenses and support in recommendation No. 1.
(Presenter: William L. Gilbert, Director, 580-6150)
Body
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Provide for the Safety, Health and Social Service Needs of County Residents.
FINANCIAL IMPACT
Approval of the recommendations with Nth Generation Computing, Inc. (Nth Generation) and Varonis Systems, Inc. (Varonis) will not result in the use of Discretionary General Funding (Net County Cost) as the associated cost of $767,701 is funded by State Medi-Cal, Federal Medicare, private insurances, and other departmental revenue. Funding sources may change in the future pending any legislative activity related to the repeal and/or replacement of the Affordable Care Act. Sufficient appropriation and revenue are included in the Arrowhead Regional Medical Center (ARMC) 2019-20 budget and will be included in future recommended budgets.
BACKGROUND INFORMATION
Approval of the recommendations will allow ARMC to improve its current network security. The Varonis security software platform will allow ARMC to track, visualize, analyze and protect private health information, personally identifiable information, and payment card data. The data is monitored and provides alerts upon unauthorized access to this sensitive information. The system helps to identify and prioritize sensitive information based on user profile and user behavior. In addition Varonis can make security recommendations based on inconsistent access permissions, overexposed and at-risk sensitive and classified data, evaluate access controls and authorization processes, and analyze folder and file access permissions to determine risk factors in order to reduce the overall risk.
ARMC will purchase the 5000 perpetual term licenses from Nth Generation, a value added reseller and part of the partner community for Varonis. Once the term of the licenses end, ARMC will own the product and would only be required to pay for product support.
Varonis’ Master License Agreement is its standard commercial license, as negotiated by the County, which contains terms that differ from the standard County contract. The non-standard terms include the following:
1. Varonis has the right to audit County’s use of the software to ensure compliance with the terms of the Master License Agreement. If the audit reveals any underpayments of any fees payable under the Agreement, County shall promptly pay any outstanding amounts, plus 1.5% interest, and reimburse Varonis for its out-of-pocket audit costs.
• The County standard contract does not include audit rights for the contractor.
2. Limitations of liability of Varonis of the cumulative liability to the County or any third party for any loss, cost or damage resulting from any claims, demands or actions arising out of or relating to the license shall not exceed the license fees actually paid.
• The County standard contract does not include a limitation of liability.
3. Governing law is New York
• The County standard contract requires California governing law.
4. Venue is set as the state or federal courts in the city of New York.
• The County standard contract requires venue for disputes in Superior Court of California, County of San Bernardino, San Bernardino District.
5. Varonis may assign the contract without notice to the County and without the County’s approval.
• The County standard contract requires that the County must prior approve any assignment of the contract.
6. The contract does not require Varonis to indemnify the County, including for intellectual property infringement claims.
• The standard contract provision for intellectual property indemnity is: Contractor will indemnify, defend, and hold harmless County and its officers, employees, agents and volunteers, from any and all third party claims, costs (including without limitation reasonable attorneys’ fees), and losses for infringement of any United States patent, copyright, trademark or trade secret (Intellectual Property Rights) by any goods or services.
7. The contract does not address attorneys’ fees.
• The County standard contract requires each party to pay their own attorneys’ fees regardless of who is the prevailing party in any legal action.
8. The contract does not require Varonis to meet the County insurance standards.
• The County standard contract requires Contractors to carry appropriate insurance at limits and under conditions determined by the County’s Risk Management Department.
Potential impacts of these non-standard provisions include:
1. If an audit determines that the County’s use of the software exceeds the number of licenses purchased, Varonis may demand payments of additional fees plus interest, and reimbursement of audit costs, which will result in fees that exceed the total contract amount.
2. Varonis caps its liability at a maximum of the fees actually paid by County. Claims could exceed the liability cap and the contract amount leaving the County financially liable for the excess. County Counsel cannot advise on, whether and to what extent, New York law may limit or expand the exclusion of limits to the extent prohibited by applicable law.
3. The contract will be interpreted under New York law. Any questions, issues or claims arising under this contract will require the County to hire outside counsel competent to advice on New York law, which may result in fees that exceed the total contract amount.
4. Having a venue in any state or federal court in the city of New York, may result in additional expenses that exceed the total contract amount.
5. Varonis may assign the contract to a third party without notice to the County and without the County’s approval. This could allow the contract to be assigned to a business with which the County is legally prohibited from doing business due to issues such as Federal debarment/suspension or conflict of interest, without the County’s knowledge.
6. Varonis is not required to defend, indemnify or hold the County harmless from any claims, including indemnification for claims arising from Varonis’ negligent or intentional acts and intellectual property infringement. If the County is sued for any claim, including intellectual property infringement based on its use of the Contractor software or services, the County will be solely liable for the costs of defense and damages, which could exceed the total contract amount. County Counsel cannot advise on whether and to what extent New York law may allow the County to require Varonis to defend or indemnify it absent an express provision in the contract.
7. There is no provision in the contract addressing each party’s responsibility for paying attorneys’ fees. County Counsel cannot advise on, whether and to what extent, New York law may affect a party’s requirement to pay the prevailing party in a legal action where no specific provision is provided in the contract.
8. The contract does not include County standard insurance requirements. This means that the County has no assurance that Varonis will be financially responsible for claims that may arise from the County’s use of the software, which could result in expenses to the County that exceed the total contract amount.
ARMC recommends approval of Master License Agreement with Varonis, including the non-standard terms, as it is required, by law, to identify, locate and protect patient data and control access to that data. Approval of the contract will allow ARMC to comply with laws and regulations required to ensure the protection of patient information and to continue to provide quality medical services to County residents.
PROCUREMENT
This is a non-competitive procurement due to functional specifications. The County Purchasing department supports this non-competitive justification mandated by the State of California.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, County Counsel, 387-5455) on October 22, 2019; Purchasing Department (Ricardo Salazar, Supervising Buyer, 387-2060) on October 22, 2019. Finance (Amanda Trussell, Principal Administrative Analyst, 387-4773) on October 22, 2019; and County Finance and Administration (Katrina Turturro, Deputy Executive Officer, 387-5423) on October 22, 2019.