© Copyright 2015 Saul Ewing LLP
Managing Legal and Operational Risk in IT Agreements
Presented by: Donna Pond, Senior Director, Lead Counsel, Shire Pharmaceuticals; Evan J. Foster, Partner, Saul Ewing LLP

Source handout: webcasts.acc.com/handouts/1.21.15_NTI_Slides.pdf



Agenda:

•  Special issues in:
§  Conventional Software Licenses
§  Application Service Provider (ASP), Software as a Service (SaaS), and Cloud Subscription Agreements

§  Software or Content Development Agreements

§  Professional Services Agreements (Installation or Implementation)

§  Hardware Purchase Agreements


TECHNOLOGY SKILLS

•  You need to understand basic functions of what’s being purchased or licensed, plus terminology
§  But again, less than you might think.
§  Know an “ASP” from an “ISP”

•  Some basic questions to ask, as to both technology and data:
§  Who is creating/supplying/using?
§  What is being created/supplied/used?
§  Why is it being created/supplied/used?
§  When and where will it be created/supplied/used?
§  How will it be created/supplied/used?
§  What if something goes wrong?


Special Issues in Conventional Software Licenses

Confirm that the boundaries of the right to use the software match expectations and reality:
§  Where? Global vs. campus vs. single computer
§  For what? Mission critical vs. Solitaire
§  How much? One-time fee vs. periodic vs. per use/user
§  How long? Perpetual vs. limited term
§  What form? Source code vs. object code


Special Issues in Conventional Software Licenses Cont’d.

•  Will the vendor perform the installation, implementation and/or configuration?

•  What hardware, software, infrastructure and expertise are required to install, run and support this software?

•  Does this software need to interact with other company systems (e.g., HR)?

•  What does the company need in terms of maintenance (e.g., updates, upgrades, patches) and support (e.g., phone support, onsite service)?

•  Are there ongoing fees required to keep the license in force?

•  Is this software generally available or is it a beta or trial version?

•  Is this an appropriate situation for software escrow?


Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Cloud/Subscription Agreements

•  Many of the same issues found in conventional software licenses

•  Additional issues raised by software, content, data and environment being outside of the company’s control:
§  availability/uptime
§  backups/disaster recovery
§  data/network security
§  data privacy
§  what if vendor goes dark?
§  what if there is a dispute?


Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements Cont’d.

•  Response time and availability/uptime:
§  Usually contained in a Service Level Agreement (SLA)
§  Response time: System must provide a meaningful response within a minimum time – even at full user load
●  Meaningful response is not an hourglass, “system is busy” or 404 File Not Found message
§  System Availability: All system functions are accessible for a minimum period of time
●  Usually measured as a percentage of the total time period (e.g., 99.99% of time in a given month)
§  Beware of carve-outs for scheduled maintenance and force majeure (e.g., failures of the vendor’s infrastructure providers)
§  Failure to meet a service level should result in a credit of fees. Multiple or repeated failures should allow the company to terminate.
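The availability measurement, maintenance carve-out, fee credit and termination mechanics described on this slide, as an added worked example that is not part of the presentation: a small Python model that computes monthly availability with scheduled maintenance carved out, credits fees for each missed month, and flags when repeated misses open the termination right. The 99.99% target, the credit fraction, the miss threshold and all dates are constructed assumptions, not terms from any real agreement.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed SLA terms modeled on the slide (every value is an assumption):
# 99.99% monthly availability, scheduled maintenance carved out, a fee credit
# per missed month, and a termination right after repeated misses.
SLA_TARGET_PCT = 99.99
CREDIT_FRACTION = 0.10   # share of the monthly fee credited per missed month
TERMINATE_AFTER = 2      # cumulative misses that trigger the termination right

Window = namedtuple("Window", "start end")   # a half-open time interval

def overlap(a, b):
    """Time shared by two windows (zero when disjoint)."""
    lo, hi = max(a.start, b.start), min(a.end, b.end)
    return max(hi - lo, timedelta(0))

def availability_pct(month, outages, maintenance):
    """Percent of measurable time the system was up: scheduled maintenance leaves
    the denominator and outage time inside it is excused (windows assumed disjoint)."""
    carved = sum((overlap(month, m) for m in maintenance), timedelta(0))
    down = timedelta(0)
    for o in outages:
        excused = sum((overlap(o, m) for m in maintenance), timedelta(0))
        down += max(overlap(month, o) - excused, timedelta(0))
    return 100.0 * (1.0 - down / ((month.end - month.start) - carved))

def evaluate_sla(months, monthly_fee):
    """months: list of (month_window, outages, maintenance). Returns per-month
    availability, the credit owed, and whether the termination right is live."""
    pcts, misses = [], 0
    for month, outages, maintenance in months:
        pct = round(availability_pct(month, outages, maintenance), 4)
        pcts.append(pct)
        misses += int(pct < SLA_TARGET_PCT)
    return {"availability": pcts, "credit": misses * CREDIT_FRACTION * monthly_fee,
            "may_terminate": misses >= TERMINATE_AFTER}

def sample_months():
    """Constructed data: a 20-minute outage inside June's maintenance window (excused),
    the same outage in July with no window (counted), and a 5-minute outage in August,
    which alone breaks 99.99% (about 4.3 minutes of slack in a month)."""
    maint = [Window(datetime(2015, 6, 7, 2), datetime(2015, 6, 7, 3))]
    return [(Window(datetime(2015, 6, 1), datetime(2015, 7, 1)),
             [Window(datetime(2015, 6, 7, 2, 10), datetime(2015, 6, 7, 2, 30))], maint),
            (Window(datetime(2015, 7, 1), datetime(2015, 8, 1)),
             [Window(datetime(2015, 7, 14, 9), datetime(2015, 7, 14, 9, 20))], []),
            (Window(datetime(2015, 8, 1), datetime(2015, 9, 1)),
             [Window(datetime(2015, 8, 3, 12), datetime(2015, 8, 3, 12, 5))], [])]
```

Running `evaluate_sla(sample_months(), 1000.0)` shows June at 100% because the outage fell inside the carve-out, while July and August are both misses, so two credits are owed and the termination right is live.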


Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements Cont’d.

•  Backups/disaster recovery:

§  How often are backups made? Onsite or Offsite? Ability to make your own backup?

§  Does the vendor have a disaster recovery plan? Get a copy!

§  How often is the full plan tested? Get the results!

§  How long will it take the vendor to get the company’s data back online?


Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements Cont’d.

•  Data/network security:
§  Increased focus due to security breaches
•  Vendor needs to secure systems, software, data and its own premises
•  Security audit rights?
•  Certified compliance with published standards?
§  SSAE 16 and ISAE 3402 audits (replaced SAS 70 in June 2011)
●  Type 1 – auditor’s opinion on service organization’s description of controls in operation and suitability of the design
●  Type 2 – auditor’s opinion on whether controls are actually operating effectively
§  ISO 27000, Open Web Application Security Project (OWASP), NIST, etc.


Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements Cont’d.

•  Data privacy is a hot-button issue with U.S. and EU lawmakers and regulators.
•  Numerous state data breach notification laws
•  Gramm-Leach-Bliley, FERPA, HITECH expansion of HIPAA privacy rules
•  Other statutes
•  Industry regulation (e.g., Payment Card Industry (PCI))
•  Proposed changes to EU Data Protection Directive may mean additional scrutiny

“The Services shall comply, and Vendor shall comply, with all applicable federal, state and local laws and regulations, including, without limitation, all restrictions relating to the privacy of any personally identifiable information or other information. Without limiting the foregoing, the Services shall comply, and Vendor shall comply, with the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232(g)), the Gramm-Leach-Bliley Act (15 U.S.C. Section 6809), the Federal Trade Commission (FTC) Standards for Safeguarding Customer Data (16 CFR Part 314), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (45 CFR Parts 160, 162 and 164, the “HIPAA Regulations”), the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and the implementing regulations of the foregoing, and the requirements of the Payment Card Industry Data Security Standards Council.”


Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements Cont’d.

•  Enhanced B2B scrutiny of data flows to subcontractors and outsourcing providers.

•  If you are handling other people’s data, your data protection/privacy obligations to those people need to flow through to data centers and cloud services providers.

•  Need to pay attention to processes, not just physical systems.

•  Need to align your privacy commitments with actual behavior


Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements Cont’d.

•  What if vendor goes dark?
•  What if there is a dispute?
•  Establish contract mechanisms to:
§  Require the vendor to provide data regardless of the nature of the dispute or issue
§  Provide for self-help or ability to mitigate risks (e.g., ability to download or export data)
§  Allow for escalation and resolution of disputes
§  Facilitate vendor’s cooperation with transition to another provider
§  Allow for continued use of the software (e.g., escrow?)


Special Issues in Software or Content Development Agreements

•  Ownership of work product
§  “Work made for hire” - must be in writing or else author retains ownership
§  Assignment - “work made for hire” is limited
§  Residual rights

•  Bayh-Dole Act issues for development using federal funding


Special Issues in Software or Content Development Agreements Cont’d.

•  Development Agreements may involve an element of subjectivity and/or the unknown

•  A clear and comprehensive Statement of Work:
§  Defines deliverables/milestones/schedule/resources
§  Establishes functional requirements and expectations
§  May include checkpoints in the process
§  Avoids “scope creep” and change orders

•  It is almost always better to have a completed Statement of Work prior to execution of the agreement


Special Issues in Software or Content Development Agreements Cont’d.

•  What entitles the vendor to payment?
§  Contract signing?
§  Delivery?
§  Milestone acceptance?
§  Payment for performance/holdbacks?
§  Incentives for early delivery?

•  A formalized testing and acceptance process is always a good idea, but is especially important when software is to exchange data with other systems or must be compatible with existing software or hardware.


Special Issues in Professional Services Agreements (Installation or Implementation)

•  Successful project management starts with a project plan. Should identify company and vendor responsibilities, resources and dependencies.

•  Statements of work (again!)
•  Time & materials or fixed fees? Who eats overruns?
•  Consequences of delays (by company or by vendor)
•  Stipulated incentives/deductions for early/late performance
•  Compliance with company policies for onsite work or remote access to company systems


Special Issues in Hardware Purchase Agreements

•  Acceptance – test the total package of hardware, software and services as an integrated unit

•  Maintenance/support – consider a supply of spare parts vs. onsite repair, whether refurbished parts are acceptable, and pass-through warranties

•  Obsolescence – understand the vendor’s product lifecycle and negotiate for free upgrades

•  Embedded software – can software be updated without changing hardware?

•  Delivery terms, transfer of title & risk of loss


Some Thoughts on the Art of Negotiation

•  Need to figure out roles of business & legal team

•  Think ahead
•  Aim high
•  Understand your leverage
•  Don’t be afraid to ask
•  Don’t be afraid to say no


Some Thoughts on the Art of Negotiation Cont’d.

•  Vendor tricks
§  End of month/quarter/fiscal year deals
§  Revenue recognition
§  RFP just “marketing”
§  PDF’d documents
§  “Nobody ever asked for that”
§  “Our policy is…”

“When I said, ‘Here are my prices’, what I really meant was ‘My price is totally flexible and within reason I’ll probably say yes to lowering them because we need your upfront money and recurring revenue more than I need my pride.’” - From Confessions of an Ex-Enterprise Salesperson


Tips to Remember

•  Don’t just use a form
•  Read every word
•  Ask questions
•  Seek the advice of other subject matter experts within the company (e.g., IS/IT, HR, Risk Management)
•  Put it in writing
•  Start early


DISCLAIMER

The content of this webinar and the presentation materials have been prepared by Saul Ewing for information purposes only. The provision and receipt of the information in this webinar and the presentation materials should not be considered legal advice, does not create a lawyer-client relationship, and should not be acted on without seeking professional counsel who have been informed of the specific facts. Should you wish to contact a presenter to obtain more information regarding your company's particular circumstances, it may be necessary to enter into an attorney/client relationship.