business law and practice section mcle program webinar ......2020/11/19 · webinar november 19,...

Business Law and Practice Section MCLE Program Webinar

November 19, 2020

2:00 PM – 3:00 PM Welcome/Announcements and Introductions Oran Cart – Business Law and Practice Section Chair

Program IT Vendor Contracts – Avoiding Traps for the Unwary

Marilyn Lamar, Liss & Lamar, P.C. Speaker’s Bios – see attached Presentation Summary Technology is critical to many aspects of our clients’ businesses so it is important to help them understand the terms of the technology agreements they will be asked to sign and how those agreements are often structured to protect the IT vendor. This presentation will address possible pitfalls and negotiation strategies in a variety of IT contracts including SaaS (Software as a Service), cloud computing and software licenses. Specific examples of typical contract language and alternatives will be discussed to assist in negotiations. Language to address security risks and the importance of cyber risk insurance will also be discussed.

Link to Evaluation The evaluation must be completed in order to receive CLE credit. https://www.surveymonkey.com/r/BusinessLaw11192020

https://www.surveymonkey.com/r/BusinessLaw11192020

Next Meeting: December 8, 2020 – Post-election Tax Update, Karen Snodgrass, CPA – Cray, Kaiser Ltd.

DCBA Event: December 10th – Lawyers Lending a Hand Toy Drive – Bar Center

COVID Relief Fund

The DCBA and the DuPage Bar Foundation have established an assistance fund for lawyers facing personal hardship due to the downturn in work caused by the COVID-19 pandemic. Please help us promote the availability of this fund, and, if you are in need, please submit a confidential application at www.dcba.org/reliefapply. Donations to the fund are also welcome at www.dcba.org/reliefdonate.”

Earn CLE Online!

DCBA OnDemand CLE is Now Powered by IICLE The Illinois Institute for Continuing Legal Education (IICLE®) and the DuPage County Bar Association (DCBA) are excited to offer a new IICLE®Share collaboration to provide DCBA members a high quality and reliable online learning experience. Members can find the link to The Illinois Institute for Continuing Legal Education (IICLE) on the DCBA website under “Legal Community”OnDemand CLE Online CLE Catalog. You must be logged into your DCBA Membership Profile in order to view courses for free or at a reduced price.

View & Print CLE Certificates through the DCBA Website:

Manage Profile -> Professional Development (under content & features) and choose the icon to the left of each meeting to print your certificate directly or choose to have them emailed to you to save to your computer (you MUST be logged in to view this feature)

https://www.dcba.org/events/EventDetails.aspx?id=1447210&group=



http://www.dcba.org/reliefapply

http://www.dcba.org/reliefdonate

CLE PROGRAM PRESENTER INFORMATION

Marilyn Lamar

Liss & Lamar, P.C.

630.571.1643 (o)

630.915.9385 (m)

[email protected]

Marilyn Lamar is an attorney with more than twenty years of experience

in corporate and information technology law including licensing, SaaS

agreements, cloud computing, artificial intelligence, electronic health

record (EHR) agreements, data use agreements, and software

development. Her practice includes a broad range of regulatory advice,

licensing, outsourcing, and other technology transactions on behalf of

clients in the technology, finance and health care industries as well as not

for profit organizations.

Before joining Liss & Lamar, P.C., Marilyn was a capital partner at

McDermott Will & Emery LLP where her initial practice was in

corporate law negotiating mergers and acquisitions, joint ventures,

outsourcing arrangements and technology licenses. She later she chaired

the Health Law Information Technology practice group at the firm and

co-chaired its HIPAA practice group.

Marilyn is a past President of the American Health Lawyers Association

(AHLA) and served on its Board of Directors for nine years. She

previously chaired the Health Information and Technology Practice

Group of the AHLA and taught Legal, Ethical & Social Issues in Medical

Informatics at Northwestern University.

She joined McDermott Will & Emery LLP after serving as a law clerk for

the Honorable Richard D. Cudahy, United States Court of Appeals for the

Seventh Circuit. Marilyn is a member of the DuPage County Bar

Association, the AHLA, the Illinois Association of Healthcare Attorneys,

and HIMSS (Health Information Management Systems Society).

Marilyn Lamar

Principal Practice Areas:

Information Technology

HIPAA Privacy and

Security

Artificial Intelligence

Business Law

Education:

University of Chicago

Law School, J.D.

University of Illinois, B.S.

Board of Directors:

Glenview State Bank

Past President:

American Health Law

Association

mailto:[email protected]

IT Vendor Contracts –Avoiding Traps for

the Unwary

DuPage County Bar AssociationNovember 19, 2020

Marilyn Lamar, Esq.Liss & Lamar, P.C.

[email protected]

Agenda

• Getting grounded with your client• Pricing and payment terms• Warranties, covenants and assumptions• Indemnification, warranty disclaimers and limitation of liability • SLAs (Service Level Agreements) • Security, privacy and insurance provisions• Implementation and transition provisions

2Presented by Marilyn Lamar, Liss & Lamar, P.C.

Too many emails like this?

Time: The last Thursday of the Quarter at 4 pmTo: Overworked AttorneyFrom: IT Manager of Client

Hi! We’re doing a Really Important IT Project. Attached is the vendor’s standard contract – everyone signs it. Looks fine to me.

We got great pricing, but only if we sign by tomorrow. Hope that won’t be a problem – lucky that it’s only 2 pages. Please review ASAP. Thanks!


Getting Grounded with your Client

• Assumption: you are representing the customer, not the vendor. • Need basic information from your client:

• Type of technology – license, SaaS (Software as a Service), cloud storage or hosting, disaster recovery, software development?

• What are business needs and goals of arrangement? Priorities?• What risks need to be addressed – upfront and ongoing?

• Vendor form is typically one-sided to favor vendor. • Expect to negotiate!

4

This presentation provides general information and sample contract language but is not legal advice. The examples, issues and language provided will need to be tailored to the client’s particular circumstances and applicable laws and regulations. Due to limited time, not all issues are addressed.

Presented by Marilyn Lamar, Liss & Lamar, P.C.

Getting Grounded with your Client (cont.)

• Need an issues list or negotiation matrix with:• Key issues – including missing provisions that client needs. • Initial and fallback positions. • Any showstoppers or walk away points?

• What is client paying for and when?• Agree upon roles of attorney and client personnel – business,

finance and IT. Is anyone “in love” with vendor or technology?


Evaluating Leverage

Determine what leverage client has. • If commercial off the shelf (COTS) technology – not much leverage. • More leverage for client if vendor has less

market share and a less standardized product. • Amount of revenue to vendor?• Prestige of client? • Client may have more leverage when

end of vendor’s month/quarter/year. • If several possible vendors – delay

naming a “vendor of choice” to helpmaintain client’s leverage.

6This Photo by Unknown Author is licensed under CC BY-NC-NDPresented by Marilyn Lamar, Liss & Lamar, P.C.

https://edublognss.wordpress.com/2013/04/15/levers/

https://creativecommons.org/licenses/by-nc-nd/3.0/

Educating your Client

• Unless COTS, should not sign the standard agreement. Often missing:• Meaningful warranties and acceptance• Indemnification• Caps on fees with installments due only if milestones achieved• Security and insurance provisions• Transition provisions

• Price seldom increases if not signed by “deadline.”• Sales process is a bit like dating – often not the same level of attention

during and after implementation (once married).• Need to plan upfront for possible exit (like a pre-nuptial agreement).


Pricing and Payment Terms


Pricing Terms – Points to Understand and Negotiate

• Understand the metrics – what are the charges are based on?• Number of users – try for lower prices for part-time or lower level workers• Actual usage – what is basis of measurement? How to confirm / object?• Site license• Time and materials for installation – try for a cap• Extra charges for support outside of stated days/hours

• Plan for change • Negotiate cap on increases in renewal periods (e.g., not more than CPI or x% per year)• Fees if client usage increases – what if only temporary?• Possible decrease if client reduces staff or sells a portion of business• Agreements usually non-assignable. Impact if selling company or a segment?• Any concern if vendor is sold to a competitor of client?


Payment Terms – Timing can be Critical

• Many vendor contracts have:• Large amount due upfront• Later payments due on calendar dates regardless of project status

• Negotiate to reduce amount due upfront. • Critical to tie later payments to objective milestones – so not payable unless

progress has been achieved. Helps align vendor with your client’s goals. • Delaying the final payment until successful acceptance testing is also

important in many situations. • Include language that if a dispute, portion of payment related to dispute can

be withheld until resolved. Such non-payment is not subject to interest or late charges and does not provide a basis for termination.


Warranties, Covenants and Assumptions


Warranties and Covenants

• Standard - compliance with specifications and documentation.• Negotiate for compliance with RFP response and other documents.• Integration / interoperability / interfaces / APIs.• Disclose any third-party software. Evaluate different terms. • No viruses; security protection.• Compliance with law and regulations, including privacy. • No pending or threatened litigation / arbitration against vendor. • Financial condition of vendor (if not public).


Warranties, Covenants and Assumptions

• Ownership / right to use data and other IP; confidentiality. • Back up and disaster recovery – details of remote locations, time to restore.• Time period for initial support and renewal periods. Address sunset issues –

limit vendor’s right to not renew. • Be wary of last minute “assumptions,”

often in exhibits.• Exceptions to vendor’s requirement

to implement new releases?• Require both parties to continue

performance while dispute pending?• Quality of service and other points –

sample language in following slides.


Sample Warranty Language (Slide 1 of 2)

14

Vendor hereby represents, warrants and covenants as follows to Client:

(a) All services under this Agreement shall be performed in an accurate, professional, timely, competent and workmanlike manner;

(b) Vendor’s services hereunder shall maintain the integrity and accuracy of all Data provided by Client or generated using the Licensed Products;

(c) All hosting services (including backups) and copies of the Licensed Programs used in connection with the hosting services will be provided using a Tier __ facility that meets the requirements set forth on Schedule ___.

(d) Other than backup copies and disaster recovery , all Data and Licensed Programs will be maintained and services provided at the Vendor data center located at _____________, __.

(e) Vendor shall backup all Data and Licensed Programs as follows: _________ [describe frequency and other details] and backup copies of all Data and Licensed Programs shall be stored at Vendor’s Tier __ facility located at __________. (continued on the next slide)


Sample Warranty Language (Slide 2 of 2)

15

(e) Vendor has provided Client with true and correct copies of its Business Continuity Plan dated ________ (the “2019 BCP”) which is currently in full force and effect without any amendments or modifications thereto. Vendor shall implement the 2019 BCP or its then current business continuity report if it is affected by a Force Majeure Event or under any other circumstances that make such implementation reasonable during the Initial Term and all Renewal Terms (if any); provided, however, that any business continuity plan that is in effect after the date hereof shall provide at least as much protection for Client as the 2019 BCP.

(f) Vendor has provided Client with a true and correct copy of its SOC for Service Organizations Report for the Period of January 1, 2019 to December 31, 2019 prepared by __________ (the “2019 SOC 2 Type II Report”) and there have been no amendments or other changes to it since it was issued. During the Initial Term and all Renewal Terms, Vendor shall operate its business and provide the services hereunder using controls that provide the same level of protection as the controls that were the subject of the 2019 SOC 2 Type II Report.


Indemnification, Warranty Disclaimers and Limitation of Liability


Indemnification – An Overview

• Need indemnification from vendor against third party claims of infringement or misappropriation of copyrights, patents, trade secrets or other IP.

• Also need general indemnification which should be mutual regarding: • Damage to persons and property.• Violation of applicable laws and regulations. • Breach of the agreement.

• Confusing - but often see tort-like language - indemnity for negligence.• Address whether indemnification applies when both parties at fault. • Specify prompt notice of claim, whether a duty to defend and control of

defense, right to settle without consent and duty to assist in defense. • Negotiate exceptions to waiver of consequential damages and cap – for IP

indemnity, privacy, security, personal injury and damage to persons.


Warranty Disclaimers

• Implied warranties under the UCC are typically disclaimed. • May be acceptable if sufficient express warranties and indemnification

(e.g., IP indemnity may be sufficient if no IP infringement warranty).• Disclaimer of consequential, incidental, special and punitive damages is

typical so only direct damages available. Client needs to understand impact. • Should negotiate hard so other items are not disclaimed. Examples:

• Lost data (unless client is responsible for backup and recovery – rare).• Loss of use.• “Cover” – if vendor’s IT does not work and client needs to acquire a more expensive

replacement IT. Disclaiming cover might mean client cannot recover excess cost.


Limitation of Liability

• Standard contract will have a very low amount of direct damages that may be recovered from vendor – even if clear breach by vendor.

• Service agreements – may be only three (3) months of charges.• Sometimes limited to total amount paid to vendor for product but not

implementation fees. Also no compensation for client’s own costs. • Another limitation – to only the fees charged for the component or service

that did not satisfy the warranty, not fees for the entire project. But one component or service may make all of the IT useless to client.

• Negotiate to achieve a reasonable limit (with client input). • May need to have exceptions for certain indemnity claims.


Understanding and Negotiating SLAs (Service Level Agreements)


Basics of SLAs (Service Level Agreements)

• Typically not included in standard agreement – you need to ask.• Wording is often vague so you will need to carefully review and negotiate.• What types of functions may be subject to SLAs? Depends on situation:

• Cloud vendors focus on “uptime.” • If support provided, may have “response time” SLA – to measure how quickly

vendor responds to service requests. Speed depends on severity of problem. • Responsiveness of system – e.g., no more than 2 seconds to process a request.

Vendors resist this SLA - too much depends on factors the vendor cannot control. But you may be able to negotiate to measure in a controlled setting.

• Disaster recovery – if a problem, how quickly can the system be brought back online?


Common Cloud SLAs – Computed Annually or Monthly?

• How often is the SLA is measured? Consider “busy season” of your client.• Measuring more frequently usually favors the customer.


Common Language Issues in SLAs (cont.)

• Stated as only “goals” or “targets.” • Lack of financial consequences – should negotiate credits against future fees.

Much harder to get cash refund (unless at end of contract). • Credits may be exclusive remedy for problems so not a breach. • Negotiate right to terminate for continued failure

to meet SLAs – e.g., failed to meet a monthly SLA ___ times in a rolling 12 month period.

• Avoid “death by a thousand cuts” problem.

23

This Photo by Unknown Author is licensed under CC BY-SA


https://en.wikipedia.org/wiki/Throwing_knife

https://creativecommons.org/licenses/by-sa/3.0/

Common Language Issues in SLAs (cont.)

• Uptime measurement excludes downtime scheduled by vendor – needs to be limited so SLA does not become meaningless.

• Customer required to measure – but does not have tools. • Customer required to report very quickly to vendor. • For support response time SLA –

• Usually measures only the time it takes for the vendor to start responding.

• No SLA for when vendor will finish fixing the problem. • Review severity categories – what is impact on client’s business? • Does vendor get to determine how severe the problem is?


Security, Privacy and Insurance


Security, Privacy and Insurance Provisions

• Exact security and privacy requirements may depend on industry such as health care (HIPAA) or financial services.

• State laws protect consumer privacy regardless of industry.

• Third party vendor audits help – AICPA has standards for SOC 2 Type 2 audit.

• Vendor should have insurance in case insufficient funds to pay for consumer notices, credit reporting, fines, penalties and damages.

26

This Photo by Unknown Author is licensed under CC BY


http://giuseppeserafini.blogspot.com/2016/10/court-of-justice-of-european-union-case.html

https://creativecommons.org/licenses/by/3.0/

Sample Language for Security -Initial and Ongoing SOC 2 Type 2 Audits

27

SOC 2 TYPE 2 AUDIT. Vendor has implemented and shall maintain reasonable security measures andprocedures designed to protect against anticipated threats or hazards to the security or integrity of Data and theoperations of Client that are hosted by Vendor pursuant to this Agreement. No less than once per calendar year,Vendor agrees to undergo an annual SOC 2 Type 2 audit (or the then existing successor audit adopted by theAuditing Standards Board of the American Institute of Certified Public Accountants (“AICPA”)) of its datacenter operations and to implement and maintain any corrective action detailed in such review and reports asrequired by applicable law or that constitute then-current generally accepted SOC 2 Type 2 or disasterrecovery/business continuity plans. Upon request by Client, Vendor will (a) provide Client with a copy of themost recent SOC 2 Type 2 report, and the auditor’s report; and (b) provide Client with a Vendor officer’scertification affirming that the internal controls and information security measures in place at the time of itsmost recent SOC 2 Type 2 reports have not subsequently been diminished and are still in effect or have beenimproved.


Sample Insurance Language (Slide 1 of 3)

28

INSURANCE. During the Term of this Agreement and for twelve (12) months after the expiration or termination of this Agreement unless another length of time is indicated below, Vendor shall maintain all insurance and/or bonds required by law or this Agreement, including but not limited to the following types and amounts of coverage:

(a) Commercial General Liability, including contractual liability coverage, with limits of at least $__ million Per Occurrence Bodily Injury and Property Damage / $___ million Products/Completed Operations /$__ million General Aggregate;

(b) – (d) auto, employer’s liability, workers’ compensation and all risk property; [Abridged here for slide]

(e) Professional Liability covering the acts, errors and omissions of Vendor and Vendor’s liability for its employees, agentsand subcontractors with a limit of at least $__ million per claim. The definition of “professional services” within the policy of professional liability insurance must include the services provided by Vendor, its agents and its subcontractors under theterms of this Agreement. This policy also covers Personal and Advertising injury liability. Any retroactive date on the policy should be prior to commencement of this Agreement. Such coverage will be maintained by Vendor for a period of thirty-six (36) months after the end of this Agreement and any extensions thereof; (continued on the next slide)



29

(f) Cyber Liability with limits of at least $__ million for each claim and annual aggregate, covering liabilities arising from the following, to the extent they occur in connection with the services performed under this Agreement: (i) hostile action, or a threat of hostile action, with the intent to affect, alter, copy, corrupt, destroy, disrupt, damage, or provide unauthorized access and/or unauthorized use of a computer system, including, without limitation, exposing or publicizing confidential electronic data or causing electronic data to be inaccessible to its intended users; (ii) computer viruses, Trojan horses, worms, and any other type of malicious or damaging code; (iii) dishonest, fraudulent, malicious, or criminal use of a computer system by a person, whether identified or not, and whether acting alone or in collusion with one or more other persons, to affect, alter, copy, corrupt, delete, disrupt, or destroy a computer system or obtain financial benefit for any person, organization, or entity or to steal or take electronic data; (iv) denial of service for which the insured(s) is/are responsible that results in the degradation of or loss of access to Internet and/or network activities or normal use of a computer system; (v) loss of service for which Vendor is responsible that results in the inability of a third party, who is authorized to do so, to gain access to a computer system and conduct normal Internet or network activities; and (vi) access to a computer system or to computer system resources by an unauthorized person or persons, or by an authorized person or persons in an unauthorized manner. Such coverage will bemaintained by Vendor for a period of thirty-six (36) months subsequent to the end of this Agreement and any extensions thereof;

This policy shall include coverage for loss, disclosure and theft of data in any form; media and content rights infringement and liability, including but not limited to, software copyright infringement; network security failure, including but not limited to, denial of service attacks and transmission of malicious code. Coverage shall include the cost of notifying individuals of a security or data breach, the cost of credit monitoring services and any other causally-related crisis management expense for up to one (1) year. (continued on the next slide)



30

(g) Commercial Crime covering employee dishonesty in an amount of at least $__ million.

(h) Technology Errors and Omissions insurance covering liabilities, punitive damages, data breach regulatory fines and penalties and claim expenses arising from acts, errors and omissions, in rendering or failing to render all services and in the provision of all products in the performance of the Agreement, including the failure of products to perform the intended function or serve the intended purpose, with limits of at least $__ million per occurrence/aggregate.

Vendor shall have Client named as an additional named insuredon each of the policies described above except for the workers compensation insurance.

This Photo by Unknown Author is licensed under CC BY


http://zotoz.blogspot.com/2013/05/trading-risk-management.html

https://creativecommons.org/licenses/by/3.0/

Implementation and Transition


Implementation Provisions

• Implementation plan – initial plan should be agreed at contract signing. • Require written agreement of specific employees for changes. • Ideally specify all client tasks – and state that everything else necessary is

the responsibility of the vendor. • Avoid “blank check” implementation – unexpected vendor fees. • Input or right to select implementation staff. Avoid being a training ground

or a dumping ground. • Contract, change orders and SOWs – need to have a clear order of

precedence in case of conflicts.


Transition Provisions

• Critical to client but rarely addressed in standard vendor contracts. • Upon termination, client often needs vendor commitment to:

• Cooperate with client and its new vendor; • Provide transition services as requested by client for a price or rate set in advance; • Make client data available in a standard format (specify in advance if possible); and• Continue to provide some or all services if requested in a transition period (after

termination) for a set price or rate. Disaster recovery and SLAs are key.

• Consider negotiating to keep an archival copy of software or access to services if needed for later disputes between client and its customers.


Questions and Feedback?

Thank you!

Marilyn Lamar, Esq.Liss & Lamar, P.C.

[email protected]


business law and practice section mcle program webinar ......2020/11/19 · webinar november 19,...

Documents