Managing Legal and Operational Risk in IT Agreements

Presented by:
- Donna Pond, Senior Director, Lead Counsel, Shire Pharmaceuticals
- Evan J. Foster, Partner, Saul Ewing LLP
Agenda: Special issues in:
- Conventional Software Licenses
- Application Service Provider (ASP), Software as a Service (SaaS), and Cloud Subscription Agreements
- Software or Content Development Agreements
- Professional Services Agreements (Installation or Implementation)
- Hardware Purchase Agreements
TECHNOLOGY SKILLS
- You need to understand the basic functions of what is being purchased or licensed, plus the terminology, but again, less than you might think. Know an ASP from an ISP.
- Some basic questions to ask, as to both technology and data:
  - Who is creating/supplying/using?
  - What is being created/supplied/used?
  - Why is it being created/supplied/used?
  - When and where will it be created/supplied/used?
  - How will it be created/supplied/used?
  - What if something goes wrong?
Special Issues in Conventional Software Licenses
Confirm that the boundaries of the right to use the software match expectations and reality:
- Where? Global vs. campus vs. single computer
- For what? Mission critical vs. Solitaire
- How much? One-time fee vs. periodic vs. per use/user
- How long? Perpetual vs. limited term
- What form? Source code vs. object code
Special Issues in Conventional Software Licenses (Cont'd.)
- Will the vendor perform the installation, implementation and/or configuration?
- What hardware, software, infrastructure and expertise are required to install, run and support this software?
- Does this software need to interact with other company systems (e.g., HR)?
- What does the company need in terms of maintenance (e.g., updates, upgrades, patches) and support (e.g., phone support, onsite service)?
- Are there ongoing fees required to keep the license in force?
- Is this software generally available, or is it a beta or trial version?
- Is this an appropriate situation for software escrow?
Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Cloud/Subscription Agreements
- Many of the same issues found in conventional software licenses
- Additional issues raised by software, content, data and environment being outside of the company's control:
  - availability/uptime
  - backups/disaster recovery
  - data/network security
  - data privacy
  - what if the vendor goes dark?
  - what if there is a dispute?
Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements (Cont'd.)
Response time and availability/uptime:
- Usually contained in a Service Level Agreement (SLA)
- Response time: the system must provide a meaningful response within a minimum time even at full user load. A "meaningful response" is not an hourglass, a "system is busy" or a "404 File Not Found" message.
- System availability: all system functions are accessible for a minimum period of time, usually measured as a percentage of the total time period (e.g., 99.99% of the time in a given month).
- Beware of carve-outs for scheduled maintenance and force majeure (e.g., failures of the vendor's infrastructure providers).
- Failure to meet a service level should result in a credit of fees. Multiple or repeated failures should allow the company to terminate.
Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements (Cont'd.)
Backups/disaster recovery:
- How often are backups made? Onsite or offsite?
- Ability to make your own backup?
- Does the vendor have a disaster recovery plan? Get a copy!
- How often is the full plan tested? Get the results!
- How long will it take the vendor to get the company's data back online?
Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements (Cont'd.)
Data/network security:
- Increased focus due to security breaches
- Vendor needs to secure systems, software, data and its own premises
- Security audit rights?
- Certified compliance with published standards?
  - SSAE 16 and ISAE 3402 audits (replaced SAS 70 in June 2011)
    - Type 1: auditor's opinion on the service organization's description of the controls in operation and the suitability of their design
    - Type 2: auditor's opinion on whether the controls are actually operating effectively
  - ISO 27000, Open Web Application Security Project (OWASP), NIST, etc.
Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements (Cont'd.)
Data privacy is a hot-button issue with U.S. and EU lawmakers and regulators:
- Numerous state data breach notification laws
- Gramm-Leach-Bliley, FERPA, HITECH expansion of HIPAA privacy rules, other statutes
- Industry regulation (e.g., Payment Card Industry (PCI))
- Proposed changes to the EU Data Protection Directive may mean additional scrutiny

Sample clause:
"The Services shall comply, and Vendor shall comply, with all applicable federal, state and local laws and regulations, including, without limitation, all restrictions relating to the privacy of any personally identifiable information or other information. Without limiting the foregoing, the Services shall comply, and Vendor shall comply, with the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232(g)), the Gramm-Leach-Bliley Act (15 U.S.C. Section 6809), the Federal Trade Commission (FTC) Standards for Safeguarding Customer Data (16 CFR Part 314), the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (45 CFR Parts 160, 162 and 164, the "HIPAA Regulations"), the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act") and the implementing regulations of the foregoing, and the requirements of the Payment Card Industry Data Security Standards Council."
Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements (Cont'd.)
- Enhanced B2B scrutiny of data flows to subcontractors and outsourcing providers.
- If you are handling other people's data, your data protection/privacy obligations to those people need to flow through to data centers and cloud services providers.
- Need to pay attention to processes, not just physical systems.
- Need to align your privacy commitments with actual behavior.
Special Issues in Application Service Provider (ASP), Software as a Service (SaaS), and Subscription Agreements (Cont'd.)
What if the vendor goes dark? What if there is a dispute? Establish contract mechanisms to:
- Require the vendor to provide data regardless of the nature of the dispute or issue
- Provide for self-help or the ability to mitigate risks (e.g., ability to download or export data)
- Allow for escalation and resolution of disputes
- Facilitate the vendor's cooperation with transition to another provider
- Allow for continued use of the software (e.g., escrow?)
Special Issues in Software or Content Development Agreements
Ownership of work product:
- Work made for hire: must be in writing, or else the author retains ownership
- Assignment: needed because the work-made-for-hire doctrine is limited in scope
- Residual rights
- Bayh-Dole Act issues for development using federal funding
Special Issues in Software or Content Development Agreements (Cont'd.)
- Development agreements may involve an element of subjectivity and/or the unknown.
- A clear and comprehensive Statement of Work:
  - Defines deliverables/milestones/schedule/resources
  - Establishes functional requirements and expectations
  - May include checkpoints in the process
  - Avoids scope creep and change orders
- It is almost always better to have a completed Statement of Work prior to execution of the agreement.
Special Issues in Software or Content Development Agreements (Cont'd.)
What entitles the vendor to payment?
- Contract signing?
- Delivery?
- Milestone acceptance?
- Payment for performance/holdbacks?
- Incentives for early delivery?
A formalized testing and acceptance process is always a good idea, but it is especially important when the software is to exchange data with other systems or must be compatible with existing software or hardware.
Special Issues in Professional Services Agreements (Installation or Implementation)
- Successful project management starts with a project plan. It should identify company and vendor responsibilities, resources and dependencies.
- Statements of work (again!)
- Time & materials or fixed fees? Who eats overruns?
- Consequences of delays (by company or by vendor)
- Stipulated incentives/deductions for early/late performance
- Compliance with company policies for onsite work or remote access to company systems
Special Issues in Hardware Purchase Agreements
- Acceptance: test the total package of hardware, software and services as an integrated unit
- Maintenance/support: consider a supply of spare parts vs. onsite repair, whether refurbished parts are acceptable, and pass-through warranties
- Obsolescence: understand the vendor's product lifecycle and negotiate for free upgrades
- Embedded software: can the software be updated without changing the hardware?
- Delivery terms, transfer of title & risk of loss
Some Thoughts on the Art of Negotiation
- Need to figure out the roles of the business & legal team
- Think ahead
- Aim high
- Understand your leverage
- Don't be afraid to ask
- Don't be afraid to say no
Some Thoughts on the Art of Negotiation (Cont'd.)
Vendor tricks:
- End of month/quarter/fiscal year deals
- Revenue recognition
- "The RFP is just marketing"
- PDF'd documents
- "Nobody ever asked for that"
- "Our policy is..."

"When I said, 'Here are my prices,' what I really meant was 'My price is totally flexible and within reason I'll probably say yes to lowering them because we need your upfront money and recurring revenue more than I need my pride.'" - From "Confessions of an Ex-Enterprise Salesperson"
Tips to Remember
- Don't just use a form
- Read every word
- Ask questions
- Seek the advice of other subject matter experts within the company (e.g., IS/IT, HR, Risk Management)
- Put it in writing
- Start early
DISCLAIMER
The content of this webinar and the presentation materials have been prepared by Saul Ewing for information purposes only. The provision and receipt of the information in this webinar and the presentation materials should not be considered legal advice, does not create a lawyer-client relationship, and should not be acted on without seeking professional counsel who have been informed of the specific facts. Should you wish to contact a presenter to obtain more information regarding your company's particular circumstances, it may be necessary to enter into an attorney/client relationship.