REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF SAN BERNARDINO COUNTY
AND RECORD OF ACTION
December 17, 2024
FROM
LYNN FYHRLUND, Chief Information Officer, Innovation and Technology Department
SUBJECT
Non-Financial Agreements with DigiCert, Inc. for Digital Certificates
RECOMMENDATION(S)
1. Approve the following non-financial agreements, including non-standard terms, with DigiCert, Inc., for digital certificates, effective the date of acceptance until terminated by either party:
a. Master Service Agreement
b. Certification Practices Statement
c. Terms of Use
d. End User License Agreement
e. Service Specific Terms
f. Services Addendum
2. Authorize the Chief Information Officer or Assistant Chief Information Officer to electronically accept the agreements in Recommendation No. 1 with DigiCert, Inc., and any future updates to the agreements, as they pertain to changes to the digital certificates, subject to County Counsel review, provided that such updated terms do not substantively modify the terms of the agreements in Recommendation No. 1.
3. Authorize the Chief Information Officer or Assistant Chief Information Officer to act as a certificate requester and certificate approver for Subscriber agreements and to communicate with DigiCert, Inc., regarding the management of digital certificates in Recommendation No. 1.
4. Direct the Chief Information Officer or Assistant Chief Information Officer to transmit printed copies of any updated terms to the agreements in Recommendation No. 1, that are electronically accepted, to the Clerk of the Board of Supervisors within 30 days of execution.
(Presenter: Lynn Fyhrlund, Chief Information Officer, 388-5501)
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Operate in a Fiscally-Responsible and Business-Like Manner.
FINANCIAL IMPACT
Approval of this item will not result in the use of Discretionary General Funding (Net County Cost). The Master Services Agreement, Certification Practices Statement, Terms of Use, End User License Agreement, Service Specific Terms, and Services Addendum (collectively, MSA Package) with DigiCert, Inc. (DigiCert) are non-financial in nature and do not commit the County to make any purchases. If future purchases are made under the MSA Package, the Innovation and Technology Department (ITD) will adhere to County purchasing policies and return to the Board of Supervisors (Board) for approval, if necessary.
BACKGROUND INFORMATION
ITD manages the lifecycle of digital certificates for multiple County departments including the County Administrative Office, Arrowhead Regional Medical Center (ARMC), Public Health, Sheriff, and ITD. Several County sites, such as the County’s public-facing landing page, ARMC’s public-facing landing page, the County’s internal Employee Management and Compensation System (EMACS) website, and the County file transfer protocol website, use Secure Sockets Layer/Transport Layer Security (SSL/TLS) digital certificates for website security, authentication, and identification. SSL/TLS is an encryption-based internet security protocol that protects data exchanges between the web server and the browser from computer hackers and other digital and cyber threats. Each time a user visits a website, digital certificates provide authentication between the browser and web server that websites use to process online transactions securely and maintain expected levels of privacy for users’ information. Without the digital certificates, users will receive a “not secure” warning from their browser indicating the website is unprotected and that any information they enter may be exposed. This may cause a user to no longer visit a website.
DigiCert is a certificate authority that provides digital certificates to secure and encrypt communications between users and websites.
On February 11, 2020 (Item No. 44), the Board approved Contract No. 20-81 with DigiCert, including non-standard terms, for digital certificates for the period of February 11, 2020, through February 10, 2025.
DigiCert has implemented a new MSA Package containing multiple agreements that govern the use of its SSL/TLS certificates. The MSA Package contains terms that differ from the standard County contract and omit certain County standard contract terms. The MSA Package is a non-negotiable clickwrap accepted by click-to-accept. The non-standard and missing terms include the following:
1. Governing law is the State of Utah.
• The County standard contract requires California governing law.
• Potential Impact: The agreements will be interpreted under Utah law. Any questions, issues or claims arising under any Agreement will require the County to hire outside counsel competent to advise on Utah law, which may result in fees that exceed the total agreements amount.
2. DigiCert may assign the agreements without notice to the County and without the County’s approval.
• The County standard contract requires that the County must approve any assignment of the contract.
• Potential Impact: DigiCert could assign the agreements to a third party or business with which the County is legally prohibited from doing business due to issues of Federal debarment or suspension and conflict of interest, without the County’s knowledge. Should this occur, the County could be out of compliance with the law until it becomes aware of the assignment and terminates the applicable agreements. County Counsel cannot advise on whether and to what extent Utah law may permit or restrict a party’s right to assign without an express provision in the contract.
3. There is no provision in the agreements addressing each party’s responsibility for paying attorneys’ fees.
• The County standard contract requires each party to bear its own costs and attorney fees, regardless of who is the prevailing party.
• Potential Impact: County Counsel cannot advise on whether and to what extent Utah law may affect a party’s requirement to pay the prevailing party’s attorneys’ fees and costs in a legal action where no specific provision is provided in the agreements.
4. The County is required to indemnify DigiCert against third party claims arising from: (a) County’s breach of the Master Services Agreement; (b) County’s online properties for which DigiCert provides Services hereunder, or the technology or content embodied therein or made available through such properties; (c) DigiCert’s access or use in compliance with this agreement of any County Content or any other information, systems, data or materials provided by or on behalf of County to DigiCert; (d) County’s failure to protect the authentication mechanisms used to secure the Portal or a Portal Account; (e) County’s modification of a DigiCert product or service or combination of a DigiCert product or service with any product or service not provided by DigiCert; (f) personal injury or property damage caused by the County’s fault or negligence; (g) County’s failure to disclose a material fact related to the use or issuance of the Services; or (h) an allegation that the County or its agent used DigiCert’s Services to infringe on the rights of a third party. The County is further required to indemnify DigiCert for: (a) any misrepresentation or omission of material fact by County; (b) County’s breach of the Subscriber Agreement, the CP/CPS, or applicable law; (c) the compromise or unauthorized use of a certificate or Private Key caused by the County’s negligence or intentional acts; or (d) the County’s misuse of the certificate or Private Key. The County will further indemnify DigiCert against third-party claims, government regulatory action or fines, arising from the County’s use of the DigiCert notification tools or the contents of any County communication sent using the notification tools.
• The County standard contract does not include any indemnification or defense by the County of a contractor.
• Potential Impact: By agreeing to indemnify DigiCert, the County could be contractually waiving the protection of sovereign immunity. Claims that may otherwise be barred against the County, time limited, or expense limited could be brought against DigiCert without such limitations and the County could be responsible to defend and reimburse DigiCert for costs, expenses, and damages, which could exceed the total amount of the agreements. County Counsel cannot advise on whether and to what extent Utah law may limit or expand this term.
5. The agreements do not require DigiCert to meet the County’s insurance standards as required pursuant to County Policies 11-05, 11-07 and 11-07SP.
• County policy requires contractors to carry appropriate insurance at limits and under conditions determined by the County’s Risk Management Department and as set forth in County policy and in the County standard contract.
• Potential Impact: The County has no assurance that DigiCert will be financially responsible for claims that may arise under any agreement, which could result in expenses to the County that exceed the total amount of the agreements.
6. DigiCert’s maximum liability to the County is limited to the amounts paid by the County in the 12 months prior to the event giving rise to the claim, excluding death or personal injury resulting from DigiCert’s negligence, gross negligence or willful misconduct, and fraud.
• The County standard contract does not include a limitation of liability.
• Potential Impact: Claims could exceed the liability cap and the amount of the agreements, leaving the County financially liable for the excess. County Counsel cannot advise on whether and to what extent Utah law may limit or expand the exclusion of limits to the extent prohibited by applicable law.
7. County’s right to bring legal claims is limited to one year after the basis for the claim becomes known to the County.
• The County standard contract does not include a limit on the time to bring action.
• Potential Impact: Limiting the County’s ability to bring suit to one year amounts to a waiver of the statute of limitations for claims and shortens the period of time in which the County may file a lawsuit under the agreements. DigiCert’s right to bring claims is not similarly limited, so DigiCert may bring claims any time within the statute of limitations. County Counsel cannot advise on whether and to what extent Utah law may allow parties to contractually agree to override the statute of limitations on claims.
8. Payment terms are 30 days from date of purchase with late payment interest of 1.5% per month.
• County standard payment terms are Net 60 days with no interest or late payment penalties.
• Potential Impact: County standard processing time is 60 days or more. Failing to pay 30 days after purchase may result in a material breach of the agreements, which could allow DigiCert to terminate the agreements and seek other legal remedies, including charging the County interest at a rate of 1.5% per month, which could exceed the amount of the agreements.
9. Venue for disputes arising under the Agreements is in Salt Lake County, Utah.
• County Policy 11-05 requires venue for disputes in Superior Court of California, County of San Bernardino, San Bernardino District.
• Potential Impact: Having a venue in Salt Lake County, Utah may result in additional expenses that exceed the amount of the agreements.
ITD recommends approval of the MSA Package with DigiCert, including non-standard terms and extending the contract period from February 10, 2025, until terminated by either party, to allow ITD to purchase new and renew existing SSL/TLS certificates to protect the County’s websites against known and unknown threats.
DigiCert also requires ITD to authorize administrators within the DigiCert Portal Account to act as a certificate requester and certificate approver for Subscriber Agreements, and to communicate with DigiCert regarding the management of certificates. Designating the Chief Information Officer, Assistant Chief Information Officer, or their designee, to act as a certificate requester and certificate approver for Subscriber Agreements, and to communicate with DigiCert regarding the management of Certificates according to the MSA Package, will facilitate the management of Certificates for the County and comply with the terms and conditions of the MSA Package.
PROCUREMENT
Purchasing supports the non-competitive procurement of the MSA Package with DigiCert due to the high level of integration of SSL/TLS certificates and the need to protect sensitive County and Public information across both internal and public-facing County websites. The MSA Package, including any non-standard terms, will be used to accompany future purchases to be approved, as necessary, in accordance with County Policy 11-04 Procurement of Goods, Supplies, Equipment and Services.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Supervising Deputy County Counsel, 387-5455) on November 19, 2024; Purchasing (Monica Centeno, Buyer II, 387-2065) on November 15, 2024; Risk Management (Gregory Ustaszewski, Staff Analyst II, 386-9008) on November 13, 2024; Finance (Iliana Rodriguez, Administrative Analyst, 387-4205) on November 26, 2024; County Finance and Administration (Paloma Hernandez-Barker, Deputy Executive Officer, 387-5423) on December 2, 2024.