REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF THE COUNTY OF SAN BERNARDINO
AND RECORD OF ACTION
February 11, 2020
FROM
LARRY AINSWORTH, Interim Chief Information Officer, Information Services Department
SUBJECT
Master Services Agreement with DigiCert, Inc. for Digital Certificates
RECOMMENDATION(S)
1. Approve non-financial Master Services Agreement with DigiCert, Inc. for the period of February 11, 2020, through February 10, 2025, for digital certificates.
2. Designate the Chief Information Officer, or their designee, as authorized to act as a Certificate Requester, Certificate Approver, and Contract Signer for Subscriber Agreements and to communicate with DigiCert, Inc. regarding the management of digital certificates.
(Presenter: Jake Cordova, Division Chief, 388-0503)
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Operate in a Fiscally-Responsible and Business-Like Manner.
FINANCIAL IMPACT
The Master Services Agreement (MSA) is non-financial in nature; however, after approval, the MSA will be used to accompany future purchases to be approved, as necessary per County Policy 11-04. The cost of ISD’s DigiCert, Inc. (DigiCert) digital certificates is included in the Information Services Department (ISD) Computer Operations 2019-20 adopted budget and will be included in future recommended budgets. Operating costs are recovered via service rates approved annually by the Board of Supervisors (Board). ISD manages the purchase of DigiCert digital certificates for all County departments and purchases are paid directly from those County departments’ budgets.
BACKGROUND INFORMATION
ISD purchases high-assurance digital Secure Sockets Layer (SSL) certificates from DigiCert for the County’s websites. These digital certificates are used to establish an encrypted connection between a browser or user’s computer and a server or website. The SSL connection protects sensitive data, such as credit card information and social security numbers, exchanged during each visit from being intercepted by non-authorized parties. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key. When an Internet user attempts to send confidential information to a Web server, the user's browser accesses the server's digital certificate and establishes a secure connection.
DigiCert has implemented a new MSA that governs the use of its SSL certificates. The MSA contains terms that differ from the standard County contract. The non-standard terms include the following:
1. DigiCert limits its total cumulative liability to the amount paid by County in the 12 months prior to the event giving rise to the liability, excluding death or personal injury from the negligence of a party, gross negligence, willful misconduct or violations of law or fraud or fraudulent statements made by a party to the other party in connection with the MSA.
• The County standard contract does not provide a limitation of liability.
• Potential Impact: Claims could exceed the liability cap leaving the County financially liable for the excess. In addition, the County’s liability under the contract is not similarly limited.
2. The County’s right to bring a legal claim is limited to one year after the basis for the claim becomes known to the County.
• The County standard contract does not provide a limit on the time to bring action.
• Potential Impact: Limiting the County’s ability to bring suit shortens the period of time in which the County may file a lawsuit under the contract and amounts to a waiver of the Statute of Limitations for claims.
3. Venue is in Santa Clara County, California.
• The County standard contract requires venue for disputes in Superior Court of California, County of San Bernardino, San Bernardino District.
• Potential Impact: Having a venue in Santa Clara County, California may result in additional expenses that exceed the amount of the contract.
4. The MSA does not require DigiCert to meet the County’s insurance standards.
• The County standard contract requires contractors to carry appropriate insurance at limits and under conditions determined by the County’s Risk Management Department.
• Potential Impact: The County has no assurance that DigiCert will be financially responsible for claims that may arise from the County’s use of the software, which could result in expenses to the County that exceed the total contract amount.
The Certification Practices Statement (CPS), incorporated as Exhibit A to the MSA, contains terms that differ from the MSA and the standard County contract. The additional non-standard terms include the following:
1. County indemnifies DigiCert, its partners, and any cross-signed entities for intentional and unintentional misrepresentation or omission of material facts by County, breach of the MSA, CPS or applicable law, the compromise or unauthorized use of a Certificate or Private Key caused by County’s negligence or intentional acts, or County’s misuse of the Certificate or Private Key. In addition, DigiCert may seek indemnification and attorneys’ fees from County for damages, losses, and expenses related to County’s conduct.
• The County standard contract does not require the County to indemnify a Contractor.
• Potential Impact: By agreeing to indemnify DigiCert, its partners, and any cross-signed entities, the County could be contractually waiving the protection of sovereign immunity. Claims that may otherwise be barred against the County, time limited, or expense limited could be brought against DigiCert without such limitations and the County would be responsible to defend and reimburse DigiCert for costs, expenses, and damages, which could exceed the total contract amount. County Counsel cannot advise on whether, and to what extent, Utah law may limit or expand this contract term.
2. The term of the CPS is non-expiring.
• County Policy 11-04 does not permit indefinite term or automatically renewing contracts unless approved by the Board.
• Potential Impact: There is no end term to the contract and the County is indefinitely bound to the terms and conditions of the contract.
3. The CPS is reviewed annually, and amendments are made by posting an updated version of the CPS to the online repository.
• The County standard contract requires that any changes to the contract be reduced to writing, executed and attached to the original Contract and approved by the person(s) authorized to do so on behalf of Contractor and County.
• Potential Impact: DigiCert may change the terms of the CPS without notice to the County. The County could be agreeing to new terms without review by anyone, including County Counsel, and without the approval of the new terms by the Board.
4. Governing law is the State of Utah.
• The County standard contract requires California governing law.
• Potential Impact: The CPS will be interpreted under Utah law. Any questions, issues or claims arising under this contract will require the County to hire outside counsel competent to advise on Utah law, which may result in fees that exceed the total contract amount.
5. Venue is in the State of Utah.
• The County standard contract requires venue for disputes in Superior Court of California, County of San Bernardino, San Bernardino District.
• Potential Impact: Having a venue anywhere in the State of Utah may result in additional expenses that exceed the amount of the contract.
The Digital Certificates by DigiCert - Terms of Use, incorporated as Exhibit C to the MSA, contains terms that differ from the standard County contract and the MSA. The non-standard terms include the following:
1. To the extent any third-party claim, suit, proceeding or judgment arises from Customer’s failure to strictly comply with the obligations of a Registration Authority, Customer must defend, hold harmless, and indemnify DigiCert and its directors, officers, agents, employees, successors and assigns from such claim.
• The County standard contract does not require the County to indemnify a Contractor.
• Potential Impact: By agreeing to indemnify DigiCert, the County could be contractually waiving the protection of sovereign immunity. Claims that may otherwise be barred against the County, time limited, or expense limited could be brought against DigiCert without such limitations and the County would be responsible to defend and reimburse DigiCert for costs, expenses, and damages, which could exceed the total contract amount. County Counsel cannot advise on whether, and to what extent, Utah law may limit or expand this contract term.
The End User License Agreement, incorporated as Exhibit B to the Certification Practices Statement, contains terms that differ from the standard County contract and the MSA. The non-standard terms include the following:
1. DigiCert provides the software “AS IS” without warranty of any kind, disclaims all liability arising out of the use or inability to use the software, and provides no indemnification for claims made against the County.
• There is no warranty requirement in the County standard contract, there is no limitation of liability in the County standard contract, and the standard contract provision for intellectual property indemnity is: Contractor will indemnify, defend, and hold harmless County and its officers, employees, agents and volunteers, from any and all third party claims, costs (including without limitation reasonable attorneys’ fees), and losses for infringement of any United States patent, copyright, trademark or trade secret (Intellectual Property Rights) by any goods or services.
• Potential Impact: Should the County be sued for its use of the software under any legal theory, the County will be solely liable for the costs of defense and damages without any right to reimbursement from DigiCert.
Approval of the MSA with DigiCert will allow ISD to purchase new and renew existing DigiCert SSL certificates to protect the County’s websites against known and future threats. ISD recommends approval of the MSA, including the non-standard terms, to protect the County’s websites.
DigiCert requires ISD to authorize administrators within the DigiCert Portal Account to act as a Certificate Requester, Certificate Approver, and Contract Signer for Subscriber Agreements and to communicate with DigiCert regarding the management of Certificates. Designating the Chief Information Officer, or their designee, to act as a Certificate Requester, Certificate Approver, and Contract Signer for Subscriber Agreements and to communicate with DigiCert regarding the management of Certificates according to the MSA will facilitate the management of Certificates for the County and comply with the terms and conditions of the MSA.
PROCUREMENT
The MSA is non-financial in nature and the terms will be used to accompany future purchases to be approved, as necessary, per County Policy.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Deputy County Counsel, 387-5455) on January 14, 2020; Purchasing (Danny Shaftary, Buyer III, 388-5546) on January 10, 2020; Finance (Joon Cho, Administrative Analyst, 387-5402) on January 22, 2020; and County Finance and Administration (Kelly Welty, Deputy Executive Officer, 387-5423) on January 23, 2020.