There’s an old adage that “the wise one waits when fools rush in”. Faced with the extraordinary commercial challenges of COVID-19, many organizations feel intense pressure to rush to implement teleworking, e-commerce, cloud services, and other means to facilitate business continuity and comply with physical distancing and isolation rules in a time of crisis. While these initiatives are urgent, organizations should still conduct basic IT due diligence before signing on the dotted line. The very centrality of these new IT services reinforces the need to ensure that the underlying IT contracts are acceptable in both the short term and the long run.
With that adage in mind, we outline below certain key legal issues with IT contracts that should be addressed even where there is a pressing need to move forward, and provide advice for each issue. This builds on the points raised in COVID-19 & Accelerated Digitization: Advice on Acquiring Emerging Technologies regarding accelerated digitization for emerging technologies, and applies a contract and procurement lens to similar issues arising even with well-known technologies.
The pandemic has affected the scale of the demand placed on many IT systems. Pre-pandemic teleworking systems might have accommodated 10% of an organization's workforce. Now, for many organizations, that number will need to be closer to 100%. New IT systems must be able to scale up in response to sudden changes in demand. But equally important is the ability to scale down after the crisis passes. It would make little sense to lock in fees for pandemic-level capacity over a five-year time frame if usage may revert to pre-pandemic levels, for example. Organizations should seek both upwards and downwards scalability and associated price certainty.
Service Levels and Service Credits
The ever-increasing pandemic demands on teleworking systems have led to performance issues with some service providers. Organizations will want to conduct due diligence on service level achievement during the pandemic, including reference calls with other customers of the service provider and appropriate representations regarding the capacity of the suppliers' system and its track record. Organizations would ideally want appropriate service levels with appropriate service credits that provide sufficient incentive for the supplier to comply with them. Organizations should consider whether they need the ability to quickly terminate the agreement, and transition to another service, if the service provider is unable to maintain a minimum service level. However, service providers are also facing difficult challenges, and may be looking for the right to address those challenges. This may include the right to, without penalty, temporarily eliminate non-critical service features, throttle bandwidth, limit hours of operation, or otherwise regulate service usage or vary system performance in order to help the service provider manage network operations.
Nature of the Legal Relationship
Many IT services will be offered by resellers and other intermediaries. In such cases, it is crucial to understand your organization's relationship with the ultimate service provider. Is there a direct contractual relationship, or is it indirect and only via the reseller (which can limit your recourse if something goes wrong)? Will any account or login credentials be opened in your organization's name or in the name of the reseller (with all the risks that can entail)? These are basic questions, but they should not be overlooked. It is best to assume the worst, being that the intermediary reseller's business will fail, when reviewing contractual provisions.
Integration and Development
A key part of many IT agreements is integration and development work to adapt off-the-shelf modules or solutions. A frequent problem in that context is the variation in members of the service provider team. This can lead to delays and mistakes because new members will not be up to speed. In the current circumstances critical implementations may require contractual provisions to prevent reassignment of team members and potentially investing in having larger standby teams to account for possible health issues affecting team members. If service provider personnel must visit the client's facilities, then the organization will want to include contractual assurances that the service provider will comply with the client's policies and practices while on site. Traditionally, the most important of these policies and practices were considered those around confidentiality and data security, but with the current pandemic, health and safety policies will likely be top of mind. Additionally, clients may also need to investigate, as an element of service provider's business continuity, the measures that service provider is taking to maintain its workforce safe from Covid-19 (including reviewing COVID-19 policies and practices) and to negotiate contractual provisions to make these binding.
A well-drafted IT contract will specify which support services are covered, including response time guarantees (and associated credits) and support hours (pay particular attention to time zones and statutory holidays, which may or may not match your local conditions). Out-of-scope IT support is often billed at an hourly rate, which means that clarifying the scope of support obligations early can save substantial costs in the long run. It is also important to review the exclusions to the support obligations and more general exclusions of liability to assess whether the provider can too easily avoid liability by placing the blame on the failures of its own third party service providers. For critical applications the provider should have some redundancy in its own supply chain and the failure of a single supplier in some cases should not be a valid excuse for the lack of continuity in the IT services and the operation of IT systems.
Termination and Exit Strategy
Paradoxical as it might seem, the best time to plan for termination and exit is at the very beginning of the IT contracting process. Basic questions that need to be addressed include: (1) Can the service provider terminate the contract, or only the client? (2) How much warning is required on either side before termination takes effect? (3) What steps will be taken to transfer client data, documentation, or other material back to the client? (4) If any custom development work or programming has occurred, is the client entitled to a copy of the custom code? (5) Is there a need for certain licenses of provider or third party intellectual property to transition to a new supplier? (6) Will any of the above termination and wind-down activities generate additional costs for the client?
Force Majeure and Business Continuity Planning
The force majeure clause should be carefully considered. It likely excludes breaches that are beyond the reasonable control of the service provider, and it may specifically exclude breaches that are caused by pandemics. But - in the middle of a pandemic - that is no longer appropriate, especially since many IT contracts are being signed precisely to manage the disruption caused by the pandemic. Organizations will want the service provider to warrant that its business continuity plan adequately addresses the foreseeable consequences of the current pandemic, which consequences should be excluded as force majeure. Clients will also want to review the service provider's business continuity plan to ensure that the warranty is accurate.
These are not the only important considerations in IT contracting, but they are some of the most fundamental to get right, no matter how urgent the situation. The more important and urgent the contract, the more foolish it would be to rush in without conducting basic contractual due diligence.
This applies even if a cloud service agreement is presented as a "take it or leave it" standard form contract with limited negotiability. Service providers may be more open to negotiating some clauses, or signing a "COVID-19 rider" which supplants the standard form agreement given these extraordinary circumstances. Failing flexibility, shorter term contracts could be prudent to allow the client to circle back later during less pressing times. As a related option, in order not to delay implementation, an organization should consider signing a short term agreement for initial more urgent deliverables while continuing to negotiate the terms of the agreement for the bulk of the work.
A wise organization will ensure that it has at least tried to address the above issues before signing on the dotted line.