CEM INSIGHT, IT | Engaging with information technology (“IT”) vendors is an essential aspect of modern business operations. Whether it’s software development, cloud services, hardware procurement, or managed IT solutions, organisations increasingly rely on third party vendors to meet their technology needs. However, these engagements also present inherent risks that can have significant legal and financial implications.
[READ ALSO] Non-contractual Risks with Poor IT Selection.
In this article, we outline some of the key risks that arise in engagements with IT vendors and provide insights on how you can mitigate these risks through contractual provisions.
Privacy and security
Data is the life-blood of companies, and as businesses leverage more and more data, their risk for data breaches and privacy violations increase. This risk is increased tenfold when a third party is introduced to the environment and is able to access and process company data. To mitigate these risks, contracts with IT vendors should specify stringent security and data protection requirements. Privacy laws may also prescribe what clauses need to include in vendor contracts. For example, under South Africa’s Protection of Personal Information Act, 2013, responsible parties have to impose certain contractual obligations on any third party who processes personal information on their behalf – nine times out of ten, IT vendors fall into such “third-party” category. Privacy laws are often extraterritorial in nature so companies must be mindful of which privacy laws apply to their contracts. Clauses in the contract should be proportionate to risks: i.e. the riskier the engagement, the more robust the obligations in the contract should be, the more stringent the security measures, and the greater care must be taken when negotiating clauses that deal with liability, warranties and indemnities in respect of personal information and security.
Service quality and performance
Service interruptions, downtime, or subpar performance can materially disrupt business operations. Take the example of an e-commerce mobile app that has been developed and is being maintained by a third party: if that app is unavailable for a significant period of time, customers will be unable to use the app to process orders, which in turn affects sales figures. It is critical to establish clear service levels in contracts that are measurable and which outline performance standards and response times. It is also important to ensure that remedies for non-compliance or non-achievement of service levels (these are often referred to as service credits or penalties) are built in. Service credits or penalties should be an additional contractual remedy on top of all other remedies under the agreement, whose principal aim is to incentivise proper performance. Watch out for those vendors who are not willing to commit to service levels or accept the remedy of service credits. This is often a very hot topic for negotiation.
Intellectual property and ownership
Determine the ownership of intellectual property (IP) created during the engagement, if this is applicable to the agreement. Clearly define which party retains rights to any software, code, or materials produced. Be cautious of vendor claims to IP ownership, especially where this involves bespoke development as this may cause a company to lose its competitive edge in the market if other similar companies are able to benefit from their ideas and concepts. If ownership for bespoke development is not available, ensure that the company is either guaranteed exclusivity and/or has a wide licence to use the IP. On a separate but related note, to the extent that the vendor is relying on its own or a third party’s IP to provide the services to the company, ensure that the company has watertight warranties, indemnities and preferably uncapped liability (although this is becoming less and less market standard with caps or supercaps becoming the norm) dealing with IP infringements.
Vendor financial stability
Assess the financial stability of the IT vendor – this should in any event have been done during the RFP phase. The contract should include provisions for periodic financial audits, as well as performance bonds or parent company guarantees to safeguard against vendor insolvency or inability to otherwise perform under the agreement.
Specify a dispute resolution mechanism in the contract. Mediation and arbitration can be more efficient and cost-effective than going to court. Many disputes over an IT agreement are often settled in mediation or arbitration without needing to go to court.
Depending on the industry, there may be specific regulatory requirements that the IT vendor must meet. For example in the banking industry, there are directives and guidance notes issued by the SARB that apply to material outsourcing contracts. Ensure that the contract includes clauses requiring compliance with relevant industry regulations and standards.
Termination and exit strategy
Establish clear termination procedures, including the return of company data, software, or equipment. Include a notice period and conditions under which termination can occur, protecting both parties’ interests. Ensure that the contract includes provisions that allow for an easy exit strategy in case the vendor relationship sours or should the business require change. It is very common to ensure that a contract includes transition services (also known as termination assistance or disengagement services) to assist with the migration to a new vendor. There may be cost implications for this, but this is negotiable, and what is important is the ability to transition and be assisted by the vendor to do so.
Engaging with IT vendors offers numerous benefits but also exposes organisations to various risks. Legal counsel should play a pivotal role in mitigating these risks through well-drafted contracts. By addressing data security, service quality, IP ownership, termination procedures, and other critical aspects in contracts, IT lawyers can help protect their clients from potential legal and financial pitfalls in IT vendor engagements.