Managing Legal and Operational Risk in IT Agreements


Managing Legal and Operational Risk in IT Agreements
Presented by: Donna Pond, Senior Director, Lead Counsel, Shire Pharmaceuticals; Evan J. Foster, Partner, Saul Ewing LLP

Agenda: Special issues in:
- Conventional Software Licenses
- Application Service Provider (ASP), Software as a Service (SaaS), and Cloud Subscription Agreements
- Software or Content Development Agreements
- Professional Services Agreements (Installation or Implementation)
- Hardware Purchase Agreements

TECHNOLOGY SKILLS
You need to understand the basic functions of what's being purchased or licensed, plus the terminology. But again, less than you might think. Know an ASP from an ISP.
Some basic questions to ask, as to both technology and data:
- Who is creating/supplying/using?
- What is being created/supplied/used?
- Why is it being created/supplied/used?
- When and where will it be created/supplied/used?
- How will it be created/supplied/used?
- What if something goes wrong?

Special Issues in Conventional Software Licenses
Confirm that the boundaries of the right to use the software match expectations and reality:
- Where? Global vs. campus vs. single computer
- For what? Mission critical vs. Solitaire
- How much? One-time fee vs. periodic vs. per use/user
- How long? Perpetual vs. limited term
- What form? Source code vs. object code

Special Issues in Conventional Software Licenses, Cont'd.
- Will the vendor perform the installation, implementation and/or configuration?
- What hardware, software, infrastructure and expertise are required to install, run and support this software?
- Does this software need to interact with other company systems (e.g., HR)?
- What does the company need in terms of maintenance (e.g., updates, upgrades, patches) and support (e.g., phone support, onsite service)?
- Are there ongoing fees required to keep the license in force?
- Is this software generally available, or is it a beta or trial version?
- Is this an appropriate situation for software escrow?

Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Cloud/Subscription Agreements
Many of the same issues found in conventional software licenses apply. Additional issues are raised by the software, content, data and environment being outside of the company's control:
- availability/uptime
- backups/disaster recovery
- data/network security
- data privacy
- what if the vendor goes dark?
- what if there is a dispute?

Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements, Cont'd.
Response time and availability/uptime: usually contained in a Service Level Agreement (SLA).
- Response time: the system must provide a meaningful response within a minimum time, even at full user load. A meaningful response is not an hourglass, a "system is busy" message or a "404 File Not Found" message.
- System availability: all system functions are accessible for a minimum period of time, usually measured as a percentage of the total time period (e.g., 99.99% of the time in a given month).
- Beware of carve-outs for scheduled maintenance and force majeure (e.g., failures of the vendor's infrastructure providers).
- Failure to meet a service level should result in a credit of fees. Multiple or repeated failures should allow the company to terminate.
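The availability and credit mechanics described above, as an added example that is not part of the presentation: it computes monthly availability from constructed outage records, applies a scheduled-maintenance carve-out, maps the result to an assumed tiered fee credit, and checks an assumed repeated-failure termination clause. All dates, outages, maintenance windows, credit tiers and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# All dates, outages, maintenance windows and credit tiers below are constructed
# for illustration; they are not terms from the presentation.
MONTH = (datetime(2024, 3, 1), datetime(2024, 4, 1))  # 31-day billing month

# Constructed outage records (start, end)
OUTAGES = [
    (datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 2, 45)),     # inside maintenance
    (datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 14, 20)),
    (datetime(2024, 3, 25, 9, 0), datetime(2024, 3, 25, 9, 10)),
]
# Constructed scheduled-maintenance windows the contract carves out of downtime
MAINTENANCE = [
    (datetime(2024, 3, 3, 1, 0), datetime(2024, 3, 3, 4, 0)),
]

def overlap(a, b):
    """Length of the intersection of two (start, end) intervals."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(timedelta(0), end - start)

def counted_downtime(outages, maintenance, period):
    """Outage time inside the period, less any portion inside a carve-out window."""
    total = timedelta(0)
    for outage in outages:
        in_period = overlap(outage, period)
        if in_period == timedelta(0):
            continue
        clipped = (max(outage[0], period[0]), min(outage[1], period[1]))
        carved = sum((overlap(clipped, m) for m in maintenance), timedelta(0))
        total += in_period - carved
    return total

def availability(outages, maintenance, period, carve_out=True):
    """Fraction of the period the service counted as available (0.0 to 1.0)."""
    down = counted_downtime(outages, maintenance if carve_out else [], period)
    return 1 - down / (period[1] - period[0])

def credit_percent(avail, target=0.9999):
    """Assumed tiered credit (percent of monthly fee) for a missed service level."""
    if avail >= target:
        return 0
    if avail >= 0.999:
        return 10
    if avail >= 0.99:
        return 25
    return 50

def termination_right(monthly_availabilities, target=0.9999, max_misses=2):
    """Assumed clause: more than max_misses months below target lets the company terminate."""
    return sum(1 for a in monthly_availabilities if a < target) > max_misses
```

Running the same outages with and without the carve-out shows how a maintenance exclusion can drop the vendor into a cheaper credit tier, which is why those carve-outs deserve a close read.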

Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements, Cont'd.
Backups/disaster recovery:
- How often are backups made? Onsite or offsite?
- Ability to make your own backup?
- Does the vendor have a disaster recovery plan? Get a copy!
- How often is the full plan tested? Get the results!
- How long will it take the vendor to get the company's data back online?

Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements, Cont'd.
Data/network security:
- Increased focus due to security breaches.
- The vendor needs to secure systems, software, data and its own premises.
- Security audit rights?
- Certified compliance with published standards?
  - SSAE 16 and ISAE 3402 audits (replaced SAS 70 in June 2011).
    - Type 1: auditor's opinion on the service organization's description of controls in operation and the suitability of their design.
    - Type 2: auditor's opinion on whether the controls are actually operating effectively.
  - ISO 27000, Open Web Application Security Project (OWASP), NIST, etc.

Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements, Cont'd.
Data privacy is a hot-button issue with U.S. and EU lawmakers and regulators.
- Numerous state data breach notification laws
- Gramm-Leach-Bliley, FERPA, HITECH expansion of HIPAA privacy rules, other statutes
- Industry regulation (e.g., Payment Card Industry (PCI))
- Proposed changes to the EU Data Protection Directive may mean additional scrutiny
Sample clause: "The Services shall comply, and Vendor shall comply, with all applicable federal, state and local laws and regulations, including, without limitation, all restrictions relating to the privacy of any personally identifiable information or other information. Without limiting the foregoing, the Services shall comply, and Vendor shall comply, with the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232(g)), the Gramm-Leach-Bliley Act (15 U.S.C. Section 6809), the Federal Trade Commission (FTC) Standards for Safeguarding Customer Data (16 CFR Part 314), the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (45 CFR Parts 160, 162 and 164, the "HIPAA Regulations"), the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act") and the implementing regulations of the foregoing, and the requirements of the Payment Card Industry Data Security Standards Council."

Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements, Cont'd.
Enhanced B2B scrutiny of data flows to subcontractors and outsourcing providers:
- If you are handling other people's data, your data protection/privacy obligations to those people need to flow through to data centers and cloud service providers.
- Need to pay attention to processes, not just physical systems.
- Need to align your privacy commitments with actual behavior.

Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements, Cont'd.
What if the vendor goes dark? What if there is a dispute? Establish contract mechanisms to:
- Require the vendor to provide data regardless of the nature of the dispute or issue
- Provide for self-help or the ability to mitigate risks (e.g., the ability to download or export data)
- Allow for escalation and resolution of disputes
- Facilitate the vendor's cooperation with transition to another provider
- Allow for continued use of the software (e.g., escrow?)

Special Issues in Software or Content Development Agreements
Ownership of work product:
- Work made for hire: must be in writing, or else the author retains ownership
- Assignment: work made for hire is limited
- Residual rights
- Bayh-Dole Act issues for development using federal funding

Special Issues in Software or Content Development Agreements, Cont'd.
Development agreements may involve an element of subjectivity and/or the unknown. A clear and comprehensive Statement of Work:
- Defines deliverables/milestones/schedule/resources
- Establishes functional requirements and expectations
- May include checkpoints in the process
- Avoids scope creep and change orders
It is almost always better to have a completed Statement of Work prior to execution of the agreement.

Special Issues in Software or Content Development Agreements, Cont'd.
What entitles the vendor to payment?
- Contract signing?
- Delivery?
- Milestone acceptance?
- Payment for performance/holdbacks?
- Incentives for early delivery?
A formalized testing and acceptance process is always a good idea, but it is especially important when the software is to exchange data with other systems or must be compatible with existing software or hardware.

Special Issues in Professional Services Agreements (Installation or Implementation)
Successful project management starts with a project plan. It should identify company and vendor responsibilities, resources and dependencies.
- Statements of work (again!)
- Time and materials or fixed fees? Who eats overruns?
- Consequences of delays (by company or by vendor)
- Stipulated incentives/deductions for early/late performance
- Compliance with company policies for onsite work or remote access to company systems

Special Issues in Hardware Purchase Agreements
- Acceptance: test the total package of hardware, software and services as an integrated unit
- Maintenance/support: consider a supply of spare parts vs. onsite repair, whether refurbished parts are acceptable, and pass-through warranties
- Obsolescence: understand the vendor's product lifecycle and negotiate for free upgrades
- Embedded software: can the software be updated without changing the hardware?
- Delivery terms, transfer of title and risk of loss

Some Thoughts on the Art of Negotiation
- Need to figure out the roles of the business and legal teams
- Think ahead
- Aim high
- Understand your leverage
- Don't be afraid to ask
- Don't be afraid to say no

Some Thoughts on the Art of Negotiation, Cont'd.
Vendor tricks:
- End of month/quarter/fiscal year deals
- Revenue recognition
- RFP: just marketing
- PDF'd documents
- "Nobody ever asked for that"
- "Our policy is..."
"When I said, 'Here are my prices,' what I really meant was 'My price is totally flexible and within reason I'll probably say yes to lowering them because we need your upfront money and recurring revenue more than I need my pride.'" - From Confessions of an Ex-Enterprise Salesperson

Tips to Remember
- Don't just use a form
- Read every word
- Ask questions
- Seek the advice of other subject matter experts within the company (e.g., IS/IT, HR, Risk Management)
- Put it in writing
- Start early

DISCLAIMER: The content of this webinar and the presentation materials have been prepared by Saul Ewing for information purposes only. The provision and receipt of the information in this webinar and the presentation materials should not be considered legal advice, does not create a lawyer-client relationship, and should not be acted on without seeking professional counsel who has been informed of the specific facts. Should you wish to contact a presenter to obtain more information regarding your company's particular circumstances, it may be necessary to enter into an attorney/client relationship.