Wednesday, April 6, 2022
As the business logistics roller-coaster of 2020 and 2021 fades into memory, one must not lose sight of the lessons learned. The last 2 years have made it very clear that embracing and optimizing technology is no longer optional or a routinely controllable function within even the most technologically sophisticated companies. Navigating the logistical demands of the pandemic has truly been “trial by fire” for the ability of any corporate technology platform to perform at a very high level, ideally revealing an IT program’s resilience but often laying bare weaknesses in many corporate IT strategic plans.
Historically, organizations often lack focus on the continuous improvement of their IT operations, internal or external, until something goes wrong. At that point, unfortunately, being behind the IT development curve puts one in a position of weakness, possibly resulting in substantial unforeseen contract liability exposure. An effective way to avoid this predicament is an annual self “check-up” on an organization’s Information Technology operations.
To help with the process, we have developed a checklist of 10 IT goals every organization should consider periodically (at least annually) to assess its IT “health.” This list, while not exhaustive, should enable a workable, systematic approach to identifying and mitigating IT risks, and, perhaps more importantly, avoiding extraordinary (and unbudgeted) IT costs. The list captures the primary components of contractual IT health, reflecting practical and straightforward considerations which IT Directors and CIOs should already be contemplating. It cannot be exhaustive, however, as the IT profile within each industry differs. Still, the below items should all be “checked off” as part of any internal IT review.
First bear in mind that certain basic tenets will serve as the foundation for this exercise:
- Size doesn’t matter. The dollar spend under an IT contract doesn’t necessarily correlate to the inherent contractual risks, as actual damages resulting from a breach can greatly exceed the amounts paid.
- Scope of software use is a slippery slope. The permitted “scope of use” specified in IT agreements is usually narrower than the scope of the actual use, and any use beyond the specified scope likely constitutes a breach, or will at least require payment of additional license fees.
- “Employees” aren’t always employees. Individuals who look, walk and talk like W2 employees may actually be independent contractors or staffing services resources. As such, their status may fall outside of the narrow definition of “employees” permitted to use certain licensed products. Again, any such use could be deemed a breach, or at least an expansion of use beyond the agreed-to scope.
- Affiliates are separate legal entities from the contracting party. A license grant to the contracting party likely doesn’t automatically extend to its affiliates unless the contract language expressly provides for such use. Without such additional language, use by or for the benefit of an affiliate can constitute use by an unlicensed party, which is a breach.
- Licensors do not like unlicensed use, even if it lets them charge more fees. Boards of directors don’t like those kinds of surprises either. An organization should always know the scope of its current uses of IT before the vendor does.
- In vendor-hosted platforms, license grants, data security and service levels absolutely still matter. Bear in mind that SaaS found its beginning more as a competitive pricing alternative, as it provided the flexibility of subscription-based, pay-as-you-go pricing. Regardless, vendor-hosted solutions still involve licensing the use of IT, the processing and storage of data, and the provision of services, and should be evaluated as such.
- Cloud hosted data = unknown locations. Regardless of which side of the engagement you are on, you should always have a clear understanding of (1) where your (or your customers’) data is located, and (2) any relevant commitments you have made to your customers.
With that in mind, here are our Top 10 Resolutions for IT Health:
- Build the right team. An organization’s management must remain involved in the review, negotiation and ongoing management of IT engagements. Too many times, we lawyers see a client organization looking solely to us for the “green light” to sign the relevant documents. While legal review and input is a critical component, many aspects of IT agreements are financial or operational in nature, and cannot be fully assessed by the lawyers. Besides, the lawyers’ primary purpose is to protect rights and provide remedies, but the organization’s management needs to confirm the adequacy of the contract terms for day-to-day performance.
- Be specific. Only those products and services specified in relevant IT agreements are within scope. Whatever isn’t specified will usually be deemed “out of scope” and will cost extra. While this seems simple enough, there is an increase in instances where services and products are bundled and “branded” with possibly benign names, which are ambiguous as to what exactly is included. In those cases, one must ensure that somewhere in the documentation there is a clear description of all products and services that actually are included in that bundled/branded offering, and that the components of such branded offering cannot be unilaterally changed by either party without the express consent of the other party. Basically, anything not listed as a product or service will be deemed an extra, and will carry with it an extra charge.
- Know what you are signing. Almost without exception of late, any “master” IT agreement will include hyperlinked materials that are incorporated by reference (and therefore contractually binding). But if something is linked, it can change, and still be binding as modified, unless precautions are taken. The use of linked documents isn’t necessarily a bad thing, as it can make the master agreement more manageable. However, this practice is not necessarily all a good thing—experience shows that most linked documents will, by their terms, greatly favor one party over the other, and be subject to unilateral amendment at any time by the issuing party, with modified terms applying upon posting on the website. While some progression of certain terms is needed to reflect the “evolution” of the underlying product or service, adding some fairly simple contract language to limit, and to provide timely notice of, such permitted changes will protect the users.
- Remember that everything is negotiable. Certain vendors will push using their own paper for IT engagements, with the added caveat that the documents cannot be negotiated. Historically, there is a direct correlation between the firmness with which one party pushes using their own template agreements, and the outsized benefit to such party from using their paper. It is wise to bear in mind that usually the harder they push, the harder you will fall. The unwillingness of a party to entertain any edits to their paper, or to only permit a small number of edits, is not a good sign. Commonly, where we see this approach, we also see what some call the “6 foot tall bowling pin” terms—terms that are so far out of market that no one reading them would ever agree to them, so the other party must resort to using their limited number of asks to remove terms that should not be there in the first place. If any party pushes their paper, and refuses to consider any changes, then you should probably consider partnering with someone else.
- Know where your data is. Data privacy requirements will continue to change. History will repeat, and trends will continue. Certain data that might not be subject to certain data privacy obligations on one day could very well be covered in the near future. As a father to a daughter, I equate assessing a vendor’s data security obligations with how a father would assess their daughter’s dates—ask a lot of questions, confirm their answers, and watch them like a hawk! Always ensure your own organization, and all of your vendors, are knowledgeable of and able to stay abreast of such changing requirements, and can maintain compliance at all times.
- Protect your Confidential Information, wherever it may be. Confidential Information is everywhere, and sometimes people see or hear what they aren’t supposed to see or hear. While no one would ever advocate for storing Confidential Information wherever is convenient, it is highly likely that a counterparty may come across some of your proprietary information in the ordinary course. To ensure its protection, including enforceability of confidentiality provisions, one should beware of too-narrow definitions of “Confidential Information” in IT agreements, such as being limited to “information provided to [the other party] in connection with obligations under this agreement.” In the example above, the information was neither provided to the other party, nor was it in connection with the performance under the agreement, but still needs protection.
- Verify your “1 Throat to Choke.” Oftentimes, vendors will use third parties for certain, and sometimes critical, components of their product/service offerings, but will also then disclaim any responsibility for such third-party components. From an operational perspective, this approach has obvious risks, at a minimum possibly resulting in gaps in maintenance and support for certain key aspects of your contracted-for solution. But there is a much greater risk, depending on the nature of such third-party component: A vendor’s use of a third-party hosting platform, coupled with language disclaiming any responsibility for same, could negate any protections afforded by uptime commitments, data security obligations and non-infringement covenants.
- Review your service credits. Service credits serve 2 purposes: First, they are used to recalibrate compensation to be commensurate with the level of service provided, assuming the diminished level of service is still acceptable. This serves both parties well, as it allows some flexibility for the vendor, but also doesn’t require the user to overpay for lesser levels of use and performance. Service credits oftentimes also have a shelf-life, so pay heed to that. Second, they should not be the sole remedy for service lapses, and should provide for a termination right triggered by an agreed-to level of diminished performance; the thought being that at some level of non-performance, even credits will not make the aggrieved party whole.
- Read all requested materials. Any agreement with a term of greater than one year should require the submission of updated reports and documentation, such as SOC reports, business continuity plans, insurance coverage, etc. To not include that requirement in any such agreement is hazardous, but a possibly greater sin is to require, and actually receive, but not read, such materials. Third-party providers should be viewed as merely another corporate department. Regulators have for years taken this approach, holding regulated entities responsible for the actions (or inactions) of contracted service providers. Even if an organization isn’t regulated, this is still a good path to follow. Many of us have heard of bad situations involving practices of third-party providers that could have been mitigated with advance notice of potential issues. These materials may not make for the most interesting reading, but they are very important reading.
- Review your Website Terms of Use and Privacy Policies. The functionality of your website, and the requirements around data privacy, are ever-changing. Your Terms of Use and Privacy Policies need to reflect those changes. If your website doesn’t have Terms of Use and/or Privacy Policies, stop reading and call your legal counsel to remedy that “oversight.”
BONUS RESOLUTION: Verify you have legible copies of all signed documents. Do not wait for an issue to arise only to find out you are missing signed versions, or even final drafts, of the operative agreements. This can be especially problematic for any hyperlinked documents (see #3 above) which may have been modified since you executed everything. A good practice is to print all such documents on the date you execute the hard copy documents (given that many of them will be auto-dated), and keep them all together in a secure location.
* * *
While disciplined adherence to measures described in the above list may seem like a heavy burden to take on, and perhaps it is at first, corporate IT leaders should still gather the necessary people and get through it now; doing so now will make it that much more manageable going forward. To the extent you need external support in the process, be sure to use qualified resources. WBS has the experienced attorneys and resources to help you tackle these challenges, and better prepare your organization for the expected, and the unexpected. Please feel free to contact any of our corporate law partners Jeff Davis (davis@wbs-law.com), Joel Goldblatt (goldblatt@wbs-law.com) or Andy Arons (arons@wbs-law.com) with any questions or comments on this subject.
Jeff Davis has spent over 25 years serving as principal counsel for both vendors and users of IT products and services, regularly advising clients on contracting matters as well as strategic initiatives in the IT space. He regularly handles a wide variety of agreements and matters for clients and has written and spoken extensively on the subject.