Wednesday, October 12, 2022

Thankfully, most businesses seemingly survived the unexpected, and once-in-a-century, COVID pandemic. While our collective personal and professional lives were turned upside down 2 ½ years ago, life gradually has been returning to a level of familiar normalcy. Even with questions swirling around current economic forecasts, at least those matters have some history to provide guidance, and can therefore be managed. Or at least there is a level of experience managing through that.

In that vein, much as they did 2+ years ago, many businesses appear to be once again retooling their operations to prepare again for possibly leaner times. Additionally, the “new normal” forged of the pandemic over the last 2 years is now changing, with the “new, new normal” reflecting changing attitudes about the need for maintaining past levels of physical office/workspace, and the desire to allocate a portion of the workweek to WFH. Many employees and even management have found a silver lining in WFH, allowing for a better work/life balance, and may not see a compelling argument to revert—or fully revert—to their previous status even though the original impetus for the change is gone.

Just as remote technology was put to the test (and for the most part, passed) over 2 years ago, with the stampede of workforces to remote work environments giving rise to a multitude of connectivity and security issues, bringing staff back into the office plays host to a different, but equally important, set of IT issues to be assessed:

1. Count Your Blessings, and Your Users. If you are reading this, it likely means you weathered the storm of the pandemic. Congratulations! Many weren’t so lucky. There may be challenges ahead, but at least you are still around to meet them. However, there is a good chance that your organization now has fewer employees and less or new, smaller space. Or you may be paying for duplicate instances of software for each employee/user, if they have systems at home and the office. As such, you may be now overpaying on certain IT licenses to the extent they are based on user headcount that is only periodically measured. Also, in many cases, while user numbers may be increased during the contract term, subject to paying the additional fees for such increase in users, many vendors do not allow headcount numbers to decrease during the term. If your contracts have such a clause, that should be marked for renegotiation at the first opportunity (such as renewal). Lastly, as many remote users may have been less than diligent in guarding their log-in credentials while working from home, it would be wise to have everyone establish new credentials.

2. Check on Upcoming Renewals. Given the change in circumstances brought about by these external factors, your organization may be in a position of either (a) wanting to renegotiate pricing or contract term of your current IT contracts, as many IT agreements allow for automatic price increases at renewal, or (b) reassess any renewal term, to ensure its duration still matches with your new needs. As such, you should undertake a review of your current IT contracts to determine the deadlines for exercising any right of non-renewal to allow adequate opportunity for your organization to consider your next steps. Additionally, be sure to take advantage of any ability to lower your fees to reflect any reduction in headcount, if applicable.

3. Inventory Your Hardware and Software. While this step sounds very basic, it is often overlooked, or at least not fully contemplated. With staff coming back to the office, many companies may have duplicate instances of the same software and hardware—one at home (for WFH) and one at the office—for its employees. Many IT contracts with variable pricing will oftentimes have a relatively strict (or worse yet, an ambiguous) methodology for counting instances of licensed software. We have seen time and again clients who are audited by an IT vendor, only to be told that instances of software that are not being actively used still count, and are accruing license fees. A common occurrence involves “mothballed” hardware that has not been wiped clean of all licensed applications prior to inactivation—in all too many cases, even though such instances of software are on hardware that may have been in a storage closet for months, or possibly years, they may still be deemed “active” licenses. Even if the organization never intends to use the software on such equipment again, the test may be: can it be used, and not if it will be used, so if it is installed, it counts. The outcome can be severe—if license fees have not been paid for such seemingly “retired” software, past due license and maintenance fees, and possibly penalties (and even possibly a breach claim), can be assessed, and can be substantial, and not budgeted. Commonly, IT vendors will look for opportunities to recover additional revenue from existing customers by conducting audits to uncover any areas of underpayment. Given the challenging economic outlook, we can expect software usage audits to once again become heavily utilized, and if you don’t look in your own house for areas of under licensing, rest assured your IT vendors likely will. Plus, redundant systems do present a possible security risk—much like users are instructed never to leave their laptop unattended anywhere, the same should hold true for at-hone systems.

4. Inventory Your Data. With staff working remotely, your organization’s data may not be where you think it is, and is therefore not necessarily secure (and possibly not in compliance with contractual commitments you have with your own customers to safeguard their data), and such “misplaced” data can quickly become a security issue, or worse yet, result in a data breach. Regardless of your stance on continuing WFH, organizations should undertake efforts to have all employees bring all organization (or customer) data back to the organization’s systems to be catalogued and secured, and have your employees certify to same. Any extraneous copies of datasets should be considered for deletion/destruction in accordance with relevant protocol. Additionally, this could be a perfect time to dust off your organization’s record retention policies and determine if any older data can be disposed of in accordance with such policies, thereby saving money (by reducing storage needs) and mitigating liability (by reducing the amount of data you need to secure, and stand liable for if a breach). You may also want to assess your use of any collected data against any applicable privacy policies of yours, as well as any applicable laws (for data that is statutorily protected, such as PII and PHI), as the rules might have changed since it was first collected.

5. Stress Test Your Office Environments and Platforms. In early Spring 2020, virtually all IT systems were subjected to a stress test purely out of necessity, when a majority of organizations’ staff became largely remote, something many platforms were not expecting. However, because of limited options, most companies modified their systems as necessary to accommodate a largely remote workforce. But in many cases where full attention was given to remote access, on-site access may have been largely ignored. As a result, moving a large faction of the workforce back on-site may need a similar assessment and updating of systems. Conducting a stress test of your systems should highlight any areas in need of attention.

6. Exercise Your Audit Rights of IT Vendors. The last 2 years were a stressful time for everyone, and a report card of vendors’ performance (such as SAS audits) may tell a very good, or a very bad, story of how they weathered the crisis. If any reports highlight any shortcomings, determine which issues, if any, were attributable to the pandemic, versus those attributable to a vendor not being prepared. If the latter, then one may want to take this opportunity to seek out a better situated vendor.

7. Obtain Updated Certificates of Insurance from Vendors. During trying times, companies will look for any opportunity to reduce costs, and in some cases will reduce or even eliminate certain lines of insurance coverage. Organizations should request current Certificates of Insurance from their vendors, and compare those against the contractually-dictated levels (and even if no contractual requirements, assess it against what a vendor should reasonably be carrying).

8. Check for Availability of Service Level Credits. With the pandemic came confusion and chaos, and in the IT space, with confusion and chaos often comes interruptions in service. To the extent any of your IT contracts have Service Level Credit (SLC) provisions, you may have some credits you can claim, being alert for any “expiration dates” for when such credits need to be requested. You should also be sure to check for any contractual time limits on when litigation must be commenced, as well as any “feeshifting” provisions (e.g., “losing” party pays fees and costs of “winning” party), which may guide your timing and appetite for informal dispute resolution efforts. Over the past 2 years, we witnessed many vendors using force majeure clauses as a defense against claims for credits. However, FM clauses quickly became a very heavily challenged provision, as in a substantial number of instances, the FM clauses as drafted pre-pandemic did not technically cover interruptions caused by CDC-mandated closings. Even if you feel litigation may not be worthwhile in such cases, litigation isn’t the only option, as any such issues can be used as currency in your next round of negotiations.

9. Check Your Business Continuity Protocols. In many cases, BC plans were modified to reflect a largely offsite workforce, but which now may not be best suited for an on-site workforce. Conducting a desktop exercise or other self-audit now will ensure your staff are aware of any changes to the BC protocols. We all now know that anything is possible, so we should prepare for any eventuality.

10. Marshall Executed Agreements. Every organization should ensure it has signed (electronically or in ink) copies of all documents that were executed during WFH, and make sure they are catalogued and secure. With a remote workforce enabled by applications allowing for extensive use of electronic execution, or in many cases contracts simply being executed by wet signing and scanning, with originals kept wherever, operative agreements may be residing in many locations, which locations may lack adequate security. Much as an organization will want to have its employees return all hardware to the organization, you will want to undertake a similar initiative to have all executed contracts located, stored centrally, and secured. This is also a perfect time to review your files to determine if any obsolete contracts can be destroyed consistent with the organization’s record retention policies.

*                     *                     *

The attorneys at WBS have decades of experience advising clients on a wide array of IT matters, for both vendors and users, and stand ready to help organizations in self-assessments such as those summarized above. We are well-suited to assist our clients in successfully meeting challenges during troubled times, and have expertise in all levels of involvement, from negotiation of contract terms to asserting or defending breach claims, and everything in between. With extremely competitive hourly rates, and the ability to utilize fee caps and fixed fee engagements when appropriate, WBS can help clients efficiently and economically manage the risks inherent in their IT environments brought about by market factors.

Please feel free to contact WBS corporate attorney Jeffrey Davis (davis@wbs-law.com), Joel Goldblatt (goldblatt@wbs-law.com) or Andrew Arons (arons@wbs-law.com) to discuss any of the above issues, or any other ways in which we can be of assistance.