December 7, 2021
JOSHUA DUGAS, Director, Department of Public Health
Non-Financial End User License Agreement and Service Level Agreement with LogRhythm, Inc. for Licensing, Maintenance, Support, and Service of LogRhythm System
1. Approve the non-financial End User License Agreement with LogRhythm, Inc., including non-standard terms, for the license, maintenance, and support of LogRhythm, Inc. Software for the period of December 7, 2021 through December 6, 2026.
2. Approve non-financial Service Level Agreement, including non-standard terms, with LogRhythm, Inc., for a subscription to the LogRhythm, Inc. Software, for purchase amounts as authorized by County purchasing policies, for the period of December 7, 2021 through December 6, 2026.
(Presenter: Joshua Dugas, Director, 387-9146)
Provide for the Safety, Health and Social Service Needs of County Residents.
Approval of this Agreement will not result in the use of additional Discretionary General Funding (Net County Cost). Any future costs required for the license, maintenance, and support of LogRhythm, Inc., (LogRhythm) Software will be funded by existing centralized support service budget and will be allocated to benefitting programs within the department. Adequate appropriation and revenue have been included in the Department of Public Health’s (DPH) 2021-22 budget and will be included in future recommended budgets.
LogRhythm is an American security intelligence company that specializes in Security Information and Event Management (SIEM), log management, network and endpoint monitoring and forensics, and security analytics.
The Department of Public Health (DPH) has a requirement to examine activity in information systems containing or using electronic Protected Health Information (ePHI), in accordance with the Health Insurance Portability and Accountability Act (HIPAA). DPH has been using LogRhythm for over seven years to automate the process of examining activity on servers that host and process ePHI. LogRhythm collects, categorizes, and correlates server-log-event messages, to simplify monitoring and alerting to over 50 servers. Without LogRhythm, San Bernardino County (County) would access each server manually to review, investigate, and audit information found in the log files. With LogRhythm the County can review the collected, categorized and correlated log data centrally, making the review process more efficient.
The Contract is the LogRhythm End User License Agreement (EULA) and the Service Level Agreement between the County and LogRhythm. The EULA is LogRhythm’s standard commercial contract, which includes terms that differ from the standard County contract. The non-standard and missing terms include the following:
1. Payment terms include late payment interest of 1.5%.
• County standard payment terms do not include interest or late payment penalties.
• Potential Impact: This term allows the contractor to charge the County interest at a rate of 1.5%, which would exceed the approved contract amount.
2. Indemnity: The County is required to give LogRhythm sole control of the defense third-party claims and any related settlement negotiations.
• The County standard contract indemnity provision gives the County sole control of litigation and requires the Contractor to indemnify, defend, and hold County harmless from third-party claims arising out of the acts, errors or omissions of any person.
• Potential Impact: Limiting the County’s ability to control the terms of potential settlements in litigation could result in unfavorable settlement terms. County Counsel cannot advise on, whether and to what extent, Colorado law may limit or expand the exclusion of limits to the extent prohibited by applicable law.
3. Governing Law and venue are in the state of Colorado.
• The County standard contract requires venue for disputes in Superior Court of California, San Bernardino County, and San Bernardino District.
• Potential Impact: The contract will be interpreted under Colorado law. Any questions, issues or claims arising under this contract will require the County to hire outside counsel competent to advise on Colorado law, which may result in additional fees. Having a venue in Colorado may also result in additional expenses that exceed the amount of the contract.
DPH recommends approval of the non-financial perpetual End User License Agreement and Service Level Agreement, including the non-standard terms, and recommends continued use of LogRhythm to bring automation to support DPH in meeting the requirement to examine activity in its information system servers that host or process ePHI.
The Purchasing Department supports the expanded non-competitive procurement of LogRhythm Software, as transitioning to another vendor would increase costs, require additional staff time and training, and disrupt services currently utilized by DPH Information Technology.
This item has been reviewed by Human Services Contracts (Becky Giroux, Contracts Manager, 388-0241) on November 10, 2021; County Counsel (Adam Ebright, Deputy County Counsel, 387-5455) on November 10, 2021; Purchasing (Bruce Cole, Supervising Buyer, 387-2148) on November 16, 2021; Finance (Paul Garcia, Administrative Analyst, 386-8392) on November 12, 2021; and County Finance and Administration (Cheryl Adams, Deputy Executive Officer, 388-0238) on November 16, 2021.