Four Precautions You Should Take in Any Software Contract

SIM

Nov 2, 2016

It’s difficult these days to find a single facet of a business that doesn’t, in some way, touch IT. Every department, including sales, customer service, marketing, and HR, is now dependent on software programs for day-to-day operations. As every IT leader can attest, this has vastly increased the number of vulnerabilities from which the IT departments must protect the company.

Case in point: software contracts. Each service your company signs up for brings with it a number of liabilities, risks, and costs, and if your IT department isn’t vigilant about guarding against these threats, then you could find yourself vulnerable to everything from data breaches to IP lawsuits.

That’s why companies hire people such as Gregg Fouch, who manages all U.S. IT procurement sourcing for Bayer, an innovation-driven life science company, and co-chairs the Society for Information Management’s IT Procurement Working Group. Fouch has spent over a decade in IT sourcing, during which time he has reviewed and negotiated hundreds of contracts.

Fouch, like most IT procurement professionals, is able to quickly scan contracts and identify weaknesses and potential legal landmines. The key to reviewing any contract, he said, is to first recognize that it’s designed to benefit the entity that wrote it. “The first thing anyone must realize is that if it’s written by the supplier, it is favorable to the supplier,” he explained. “It takes out as much risk on the supplier side as possible and places it on you. They’re in the business to make money, not to look out for your best interests. If it is on their paper, you should be aware of this risk.”

Over the years, Fouch has developed a keen eye for contract red flags that need to be addressed. Here are four of the most common problems he encounters:

Limitation of liability

As we saw with Target’s $300 million data breach, the potential cost of a software flaw, or of a flaw in the security measures of a Software as a Service engagement (the newest form of “purchasing” software), can be significant. So who bears that burden if things go wrong? The way many software contracts are written, the burden falls on you, the license purchaser. “What we do in negotiating is take the stance: ‘We will 100 percent stand behind our actions, and we want you, the supplier, to stand behind your actions,’” said Fouch. “What we argue is that, if you are in full control of something and we don’t have any input or factor into it, then you should not be limited in your liability.”

It’s also important for the contract to specifically state which security precautions the vendor should take in order to decrease the likelihood of a breach. “You should lay out what kind of protections they have to take, how often you have the ability to investigate those protections, and include a clause saying that if they are breached you have the ability to walk away from the contract,” said Fouch. “They should also be required to inform you if your customers’ data is at risk, because that’s a PR issue. So you want to make sure that you have a very robust data security clause so that you can appropriately respond to any misstep by your supplier.”

Limitations of use

Because software is a form of intellectual property, signing a contract merely grants you access to it, not ownership. This means that if a use case isn’t specifically spelled out in the contract, you’re barred from executing on that use case. “In a software license agreement, it’s not uncommon for it to say ‘this can only be used on one computer,’” explained Fouch. “Well, if you were planning for this to be used on a central server which can now be accessed by the thousands of computers in your business, you have a real issue. So you clearly need to spell out what you need to do and how you plan on using it. Do not leave any gray areas in the ‘right to use’ clause.”

Fouch recommends interviewing every employee who plans to use the software about every potential scenario in which they’ll use it. Once you’ve developed a list of those use cases, make sure they’re spelled out in the contract.

No infringement indemnification

When you license software, you do so on the assumption that the vendor licensing that software owns it and holds the full rights to it. But given that we live in a country with copyright laws, it’s possible that another company could come along claiming it owns the intellectual property in the software you licensed and, on that basis, sue you. “If there is no language that states the supplier you’re contracting with will defend your organization if someone sues you for their infringement, then they’re not liable for your defense,” said Fouch. “If there’s no clause that says they will defend you, that should be a cause for concern. Another serious concern is if they put a limitation of liability on how much they will defend you if there is an infringement.”

The possibility for a “kill switch”

With most software agreements requiring the vendor to perform regular maintenance, the software company will often be granted remote access to your servers. This not only opens up the potential for security breaches, but it also could allow the vendor to insert a “kill switch” that it can deploy as a form of punishment. “If something goes wrong in the engagement, the supplier has the right to electronically turn off the system,” said Fouch. “If they’ve determined that you’ve breached the contract, they can say, ‘Fine, you’re not using our software’ and kill it without first litigating it in court. But if that’s mission-critical software for your business, then you cannot afford to let that happen. So you have to specifically write into your clause something to the effect of ‘You will not have the right to remotely disable the software.’”

The Society for Information Management (SIM) is the world’s premier organization for IT leaders. Follow us on Twitter and LinkedIn. Visit us at simnet.org.
