Reader ROI

Understand how IT litigation can undermine your position in the company

Identify litigious situations developing right under your nose

Learn how to defuse problems before they come to a head

CIO and Senior Vice President of Operations Edward Nesta had no idea that a language barrier could cause so much trouble until his company, The Leading Hotels of the World (LHW), nearly got hauled into a Japanese court over a contract dispute with an outsourcer.

LHW, a New York City-based marketing and reservations service for exclusive hotels across the globe, hired a Tokyo computer-support company to hook up the local-area network in its Tokyo office with its wide-area network. Midproject, the Japanese-speaking vendor misinterpreted a series of casual English-language e-mails from Nesta’s IT personnel in New York as a go-ahead to perform extra services. Suddenly Nesta got hit with a $50,000 bill for services he never asked for. Naturally, he refused to pay. Naturally, the vendor threatened to sue—in Japan. "Considering we didn’t have a lawyer over there, it would have cost four or five times the amount in question just to deal with the case," says Nesta. "We would have had to find local counsel and develop some understanding of their system."

Nesta resolved the dispute without a lawsuit by expanding the outsourcer’s labor-support role, which meant more money for the vendor in the long run. But he dodged a bullet, because IT-related litigation—whether it’s your company doing the suing or getting sued—is the ultimate failure for the CIO. Be it a vendor, a partner or a competitor who’s really at fault, the other executives will be coming to you for answers. And as the company spends hundreds of thousands of dollars—if not millions—litigating the case, everyone will blame you for putting the company in this situation in the first place.
In the end, it can cost you time better spent on important projects, hard-earned influence in the boardroom and even your job.

"It’s just not good for your career," says Robert Collins, CIO and vice president of information services at Cognos, a business intelligence company in Ottawa. "It all comes down to the fact that you didn’t set out to achieve what you started. It’s a credibility issue, and you’ve hurt the business."

In Nesta’s case, even the threat of litigation created a huge headache that he’d love to forget. When the situation broke, he had to back-burner everything else for a week so that he could deal with anxious senior execs and pool together enough data and documentation to refute the outsourcer’s claims. So now he forces himself to remember the situation as a guidepost. Whenever his staff deals with vendors in other countries, he makes sure their e-mails are succinct and leave no room for misinterpretation. He also relies more on his onsite staffers, who understand the local language, to act as go-betweens. And when the project carries significant costs, he deals with the vendor directly.

CIOs should take particular note. Colleen Young, who researches IT litigation for the Gartner Group in Stamford, Conn., describes the typical IT department as "a black hole for litigation." This doesn’t just mean contract disputes with vendors. You could also have invasion-of-privacy, trade-secret misappropriation, software-pirating and patent-infringement claims on your hands. As a CIO, you have to detect potentially litigious situations and defuse them before they blow up. Here are a few potential horror shows to look out for and some steps to take that could save your job.

Creep Show

Any smart CIO will take steps to avoid the phenomenon of scope creep. This monster surfaces when people in your IS department begin to request services from the vendor that weren’t specified in the contract.
Gradually the project begins to take on a life of its own until you inevitably wind up in court for one of two reasons. First, additional demands on vendors create delays in the original project, and your CEO will decide she’s left with no choice but to sue over the time lag. Or worse, the vendor might sue, demanding payment for all the extras. Either way, you lose. To avoid scope-creep problems, experts recommend the following tactics:

Have a project manager track requests and vendor progress. You should appoint someone from the IS department who determines at the time of the request whether or not it falls within the contract. "By documenting what’s being asked of them, you’re forced to address the issue," says Franklin Blackstone, a technology law partner at Mintz, Levin, Cohn, Ferris, Glovsky & Popeo in Reston, Va. "Circulating an e-mail through the IS department ordering people not to make individual requests helps, too."

Organize project-status meetings. You should hold these meetings once a week to hash out what’s being done and whether it goes beyond the contract, says Blackstone.

Maintain a site on your intranet. For major projects, you should keep a centralized spot on your intranet where you and your vendor can catalog potential out-of-scope activities and perform regular reviews to avoid conflicts, says Stuart Kliman, director of Vantage Partners, a consultancy specializing in relationship management in Cambridge, Mass. "This helps you keep track of things so that at the end of the month you won’t be surprised when a bill comes due," says Kliman, a former practicing attorney.

Establish clear, written project parameters within the contract. Of course nothing prevents scope creep or other contract disputes as much as well-articulated project parameters written in the contract itself, says Bruce F. Webster, a director at PricewaterhouseCoopers (PWC) in Washington, D.C., and author of a recent PWC study on IT systems-failure litigation.
Webster adds that you can only achieve this via a multidisciplinary approach. You need a lawyer on the contract team who understands the pitfalls of an IT project, but you also need a trusted IT project manager on the team who can serve as a reality check on the mechanics. "A lawyer isn’t necessarily going to understand all the things that can go wrong," says Webster. "And often you, as a CIO, won’t have the same down-in-the-trenches, ‘been there, done that’ level of expertise with the technologies and challenges of project development [as a good IT manager]."

Deliverance

Webster’s survey catalogues 25 years of IT systems-failure litigation, and he says a large chunk of what he’s seen revolves around a vendor’s failure to deliver a working system on time—or to deliver a working system at all. Either the schedule keeps slipping or the vendor installs a bug-ridden system. Eventually the user refuses to pay, the vendor threatens to sue, the user threatens to countersue and everyone ends up in court, spending more in legal fees than the contract was worth in the first place.

As with scope creep, it all comes back to what was in the contract. In some cases, the CIO has placed unrealistic expectations on the vendor. "I’ve seen cases where the CIO says, ‘Look, they want this system in place in four months. I know you can’t do that, you know you can’t do that, but let’s go ahead anyway—I’ll deal with the problems later,’" says Webster. "Nine months go by, and the CFO says, ‘We’re canceling the contract.’ And the vendor can argue that you knew all along it would take longer, which doesn’t help your company’s position or your own."

Again, the key here is taking a multidisciplinary approach and formulating realistic contractual terms, says Donald J. Kunz, a technology lawyer with Honigman, Miller, Schwartz & Cohn in Detroit.
But beyond that, Kunz suggests having a testing procedure written into the contract to determine whether an acceptable product has been delivered and building in financial incentives for early delivery and financial penalties for delays.

On particularly large projects, you should consider having a third-party expert to act as a "building inspector" to determine whether the system is meeting its goals on time, says Nicolas Barzoukas, a partner at Howrey, Simon, Arnold & White in Houston. This guards against litigation over whether or not delivery has occurred in the first place. Typically, you’d use a consultant who charges by the hour.

Other delivery cases involve vendors that exaggerate their systems’ capabilities and deliver results far short of expectations. Blackstone tells of a case where he represented a manufacturer that contracted with a software vendor to install manufacturing application software. The vendor delivered a bug-ridden system that, despite continuous maintenance, was never fully functional. Eventually Blackstone’s client got fed up and sued the vendor.

Blackstone secured a pretty good settlement for his client, but the CIO lost his job. Why? He didn’t take the one crucial step that could have prevented him from falling victim to sales puffery: investigating the vendor. As it turned out, the vendor, a highly respected database software developer, was a neophyte in the manufacturing application market, and very few companies had used its manufacturing software before Blackstone’s client entered into the contract. "The CFO [who fired the CIO] figured he should have been in a position to have analyzed whether these products were ready or not," says Blackstone. "Sometimes it’s tough for a CIO to do all the work, but he could have assigned a point person to do all the due diligence."

Blackstone adds that while most CIOs do at least a rudimentary background check, few go far enough.
In addition to checking customer references, and company finances and history, you need to meet with members of the vendor’s development team, present them with a sophisticated RFP and hash out every conceivable need.

Possession

Litigation-averse CIOs should also be on the lookout for stolen or illegally copied software. For example, an employee might bring in a disk or download a game or an executable file from his e-mail. Chances are, he has no license. Next thing you know, he’s shouting to his buddy in the next cube, "Hey, I’ve got a copy of such-and-such on my PC—I’m gonna send it over. It’s free!"

Well, it’s not free, and your company inevitably pays. It can be as easy as a disgruntled ex-employee calling up the "software police"—either the Business Software Alliance (BSA) or the Software Publishers Association (SPA)—and saying, "By the way, these guys have unlicensed copies of Quake all over their computers. Just so you know." All of a sudden, the software cops are at your door, accompanied by a subpoena and a couple of Justice Department agents demanding to audit all your PCs forthwith. "Now talk about a freakin’ headache," says Blackstone. "That’s not the kind of phone call you need to get from your receptionist."

The next step for the BSA or SPA is suing you in federal court on behalf of their member software companies. As for settling with them before they bring suit: "Good luck," says Blackstone. "They really trumpet these suits; they do it with great fanfare. They want to put this to a stop."

The best way to avoid this situation is through vigilant internal auditing of your systems. There are tools available to help you. "We use Microsoft SMS," says Cognos’s Collins. "And from our central server, we can inventory everything. We keep track of what’s on everybody’s PCs and look for what’s not supposed to be there.
Since we’re also a vendor, it’s important to us to be purer than pure."

Trade secrets are another big issue, particularly if you employ in-house software developers. They may be embedding or reusing software routines that they’ve developed for another employer. If they haven’t taken explicit steps to retain ownership, they’ll very likely find themselves in court, with you sitting right there alongside them at the defendants’ table. "I can’t think of a single company I’ve talked to that has any formal process in place to prevent this type of occurrence," says Gartner’s Young, noting that hundreds of trade-secret suits are brought each year.

The good news is that an effective management process is not difficult to design. The first step is to incorporate a policy into your employment agreements that in essence says that if it wasn’t invented here, either lose it or prove the right to use it. And if you employ reusable pieces of code, you should maintain them in a library of reusable objects. "You need a management process around that library to ensure that anything that goes in has appropriate ownership," says Young.

Similarly, if you outsource your software development, you must be sure your vendor has the right to use any technology it’s employing on your behalf. An angry third-party patent holder isn’t going to sue just the vendor—he’s coming after you, too. So you must vigorously manage the project, even if the vendor’s doing the work. Collins suggests appointing someone from your team, perhaps your IS director, to closely monitor how the software is being built. Unfortunately, it’s impossible to cross-reference every patent in the world with each line of code your vendor writes. Since you can’t catch everything, you need to negotiate an IT indemnity clause into your vendor contract, saddling the vendor with full responsibility for any third-party IP claims.

Hands Off

Many people think of sexual-harassment issues as human resources turf. Don’t buy into that. It’s your problem, too, particularly when an outsourcer’s employees are working on a job in your IS department. Blackstone says he’s seen too many cases in which a vendor’s employee made improper sexual advances toward a user’s employee or vice versa. If the problem goes unchecked, the consequences are obvious: enormous monetary payments to the victim (sexual-harassment cases have gone well into the six figures), horrible publicity for your company and a perception that you have no control over your department.

Even worse, you might find yourself individually named as a defendant in the suit. Blackstone says this happened to a CIO in a case he defended. A female employee accused the CIO of doing nothing when she came to him to complain of a vendor employee’s lewd conduct toward her. In this case, the plaintiff dropped her claim against the CIO when he agreed to have a letter of reprimand placed in his personnel file.

Though it’s impossible to prevent every incident of harassment ahead of time, there are precautionary steps CIOs can take to manage the situation. First, you should distribute a formal antiharassment policy to your employees and to vendor employees who will be visiting your facility. Additionally, you should have a contractual clause giving you the authority to remove any problem vendor employee. "This gives weight when you come to the vendor and say, ‘We need to talk,’" says Blackstone.

The Towering Inferno

Your litigation watch shouldn’t be focused on just the acts of hackers, vendors, competitors and employees. You need to look out for acts of God, too. We all remember the mad scramble to become Y2K-compliant in order to avoid liability for data loss last year. The same concept applies in case of fires, hurricanes, earthquakes and other disasters. Gary R.
Baxter, vice president and CIO of Maine Employers Mutual Insurance Co., says this issue is of real concern to him. "If we lose data on injured workers, it would be a true disaster with potential legal implications," he says. "They’d be left without funds."

In order to prepare for this, Baxter runs a disaster-recovery preparedness test twice a year. "We physically take our entire set of data and application programs, go to another site, load it up and run our business," he says. "Unless you do that, you don’t know if your plan is workable. If it’s not workable, that’s unthinkable."

And if there’s one glaring weakness in the IT industry, he says, perhaps speaking not just about disasters, but about litigation as a whole, "it would be lack of preparedness for the big event."