by David Adler

5 key terms to know for vendor contracts

Opinion
May 10, 2016
Cloud ComputingIT StrategyLegal

Vendor and third-party contract management is a challenge for every organization. Focus on key contract areas to address risks from effects of mobile, social, cloud and big data on employee, vendor and customer access and use of digital information and services.

cloud contracts thinkstock
Credit: Thinkstock

Mobile, social, cloud and big data, each a disruptive force, together change everything related to how employees, vendors and customers access and use information. The risk around these touch points is best mitigated when you understand five key areas of contract negotiation. CIOs, CISOs, CTOs, and other risk and security professionals should familiarize themselves – or refresh their recollections – around Price and Payment, Proprietary & Confidential Info, Changes in Scope and Deliverables, Termination and Remedies, Disclaimers and Indemnifications. Properly negotiating these terms can reduce risk and positively influence business decision making.

Several obstacles affect and often limit successful negotiations in this area. The risk itself can be a moving target. For example, in the acquisition of an IT services subscriber base (regardless of industry), how will customer attrition, revenue projection revisions, and loss of key personnel affect the price paid (value)? Some sectors like professional services, credit unions, software licensing and cybersecurity have specific additional business rules. Some entire industries face additional regulations that govern access and use of customer data by an imposing array of agencies: HHS, FINRA, SEC, FTC, FCC and state Attorneys General. All four areas: mobile, social, cloud and big data have the added complexity of additional parties (consultants, vendors) in the conversation, each with their own set of risks, rules and procedures. Lastly, advisers and service providers may simply lack the knowledge of the unspoken internal business rules that come from regular, intimate interaction among a management team.

One way to prepare for and better engage in such negotiations is to develop a contract negotiation playbook. While each set of tactics and strategies will necessarily reflect the internal business rules of the individual company, the five areas discussed here should form a part of any playbook. Once developed, the management team can empower mid-level management to stream-line decision making.

1. Proprietary & confidential info

It is extremely important to consider proprietary and confidential information before the start of a relationship. Determining ownership scope of foundational materials, resulting work product, and the attendant rights, as well as obligations to safeguard that information and those rights, will have a material impact on costs and pricing.

Companies commit significant resources to developing proprietary information and attempting to protect its confidentiality. Due to the large number of middleware (platforms, OSes, software developers, ad networks, cellular carriers), mobile, social, cloud and big data applications and services are gathering, storing, distributing and modifying a rapidly increasing amount of digital proprietary information and assets. Sadly, unauthorized access, disclosure, misuse and conversion of confidential and proprietary information is an unfortunate reality for many firms.

A company should create and maintain an IP Checklist (example here) that creates a roadmap for addressing risks and obligations.

The trend toward added cybersecurity discussions should also be addressed here. The simple act of asking “Why,” such as “Why does that data set need to be exposed/shared?” or “Why does that person/application need access to that data?” can go a long way in strategically thinking about how to address weak links in data sovereignty.

2. Price and payment

One of the first things they teach you in Law School Contracts class is that price is almost always negotiable and reflects what a willing buyer agrees to pay a willing seller. Obviously, as the size, scope and value of a project or series of projects increases, so does the price structure, including the room to adjust some pricing. Pricing risks should be mitigated by including caps for increases in license fees and costs of labor, materials, enhancements, upgrades.

Negotiating payment terms accounts for the “time value of money” meaning that whoever in the relationship holds the money gets the benefit and leverage. Payment terms for services may be “Net 30,” while software licenses may be pre-paid, in full, in advance for a year or more. What you lose by a shorter payment term, you want to be offset by paying a reduce price. When fees are prepaid, the risk of non-fulfillment should be addressed in the termination and remedies section.

3. Changes in scope and deliverables

It is inevitable that a need to change or modify the scope of services performed or the nature of the deliverables provided. This section should be considered carefully to provide a clear set of exceptions and a mechanism for addressing certain changes that are likely to be expected given the nature of the services performed or software licensed.

A good place to start is agreeing on a detailed budget with items, costs, deadlines. Address elements within the scope that require licensure or additional regulatory compliance verification. Built-in approval process and authority will streamline ministerial changes.

4. Termination and remedies

Every time I look at an agreement for services such as software development, data licensing, or even mergers and acquisitions, the first question I ask is can we get out of this contract if we have to? If so, how, and under what circumstances. For example, unilateral immediate termination for breach of material obligation sounds great, unless you’ve already pre-paid for two (2) years of services. Termination rights should be crafted with the idea of honoring the value in the original bargain. This is not to say, however, that egregious conduct should not be punished.

Because contract law rights and remedies vary by state, it is important to understand the limitations in any of the states in which you operate. Shockingly, there are 47 different state data breach notification laws and, in some cases, federal requirements as well.

Most states recognize many types of “monetary” damages including consequential, incidental, special, punitive, exemplary, indirect, and lost profits. However, states may differ on when consequential damages can be recovered (they were foreseeable) versus what kinds of damages are consequential.

In addition, you should consider the need for non-monetary “equitable” relief that may come in the form of court restructuring of an agreement, or injunctive obligations. Although injunctive relief has become the principal remedy for breach of obligations of confidentiality and non-disclosure, enforcement has been primarily confined to preventing the continued misuse of confidential information and not recovery of materials copied from confidential and proprietary information.

5. Disclaimers and indemnifications

Disclaimers. One of the most important functions of a contract is to reduce uncertainties and mitigate risks. That is why almost all contracts contain “Disclaimers” that limit liability. Although they may seem like densely-worded, “boilerplate” provisions, and often overlooked, these provisions broadly affect a party’s ability to bring a claim, show liability, and prove damages that can be recovered. It is important to note that enforcement of limitation of liability provisions vary from state to state. The general rule in contract law is that in the commercial context, many states have found these clauses to be a mere shifting of the risk and enforce them as written.

In general, Disclaimers” are good where scope and amount of liability are uncertain, but Not as good in construction related contracts. Scope is often affected by relative bargaining power. Since the terms “indemnify,” ”hold harmless,” and “defend” have distinct and separate meanings, consider using collective definitions.

If found to be enforceable, a limitation of liability clause can “cap” the amount of potential damages to which a party is exposed. The limit may apply to all claims arising during the course of the contract, or it may apply only to certain types of claims. Limitation of liability clauses typically limit the liability to one of the following amounts: (i) the compensation and fees paid under the contract; (ii) an sum of money agreed in advance; (iii) available insurance coverage; or (iv) a combination of the above.

Caps. Parties can and typically do agree in their contract that liability is capped at some dollar amount. If liability exists and if damages can be proved, then the aggrieved party recovers those damages, but only up to the agreed cap. Sometimes these are mutual; other times they are one-sided. Sometimes the cap is a fixed sum (e.g., “the amounts paid for the services”). Other times, the parties may choose to tie the cap to the type of harm, (e.g. personal injury, property damage, violations of confidentiality obligations).

In more sophisticated contracts, “baskets” protect a party by providing a dollar threshold that aggregate losses must meet before it is liable to the other. Baskets can be tipping baskets, meaning that once the basket is “full,” the obligated party must indemnify the other from the first dollar of the its losses, or deductible baskets, meaning that the indemnification covers only claims above the threshold amount.

By approaching these challenges by setting objectives, determining scope, allocating resources, and developing agreements that will efficiently and effective manage risks, while keeping pace with the business.