The BUSKLAW July Newsletter: Mitigating the Things that System Administrators Hate About IT Vendors



I just finished the excellent article "13 Things System Administrators Hate About IT Vendors" by Jeff James at Petri IT Knowledgebase. Here are those 13 pain points:

  1. Sales reps who don't know their own products.
  2. Over promise, meet under deliver.
  3. It's a software problem! No, it's a hardware problem!
  4. One size fits all documentation.
  5. Vanishing support after the sale.
  6. Putting down other vendors.
  7. Configuration fails.
  8. Outsourced telephone tech support.
  9. Customer-hostile online support.
  10. Abusing a monopoly position.
  11. Throwing [system] admins under the bus to make a sale.
  12. Getting what you pay for.
  13. Clueless consultants.
Good news! Well-drafted contract documents between the IT vendor and customer can mitigate many of these issues. Here's how:

First, the customer should base its selection of an IT vendor on the vendor's written response to a carefully-prepared Request for Proposal ("RFP"). In my experience, IT customers don't spend enough time in preparing their RFPs. The RFP should include a section that contains an itemized list of the customer's business requirements for the software (i.e., its features and functionality), followed by three fields (with the following headings) for the vendor to complete:
  • Yes (meaning that the software meets the stated requirement).
  • No (meaning that the software does not meet the requirement).
  • Will, as described, be part of a future release (give specifics).
The customer should reject any RFP returned by the vendor that doesn't have this section completely answered. And the RFP should include putting the vendor on notice that:
  • its answers in this section will be entirely incorporated into a contract; and
  • the vendor will comply with this section of the RFP, notwithstanding any other provision in the contract, the RFP, or the Statement of Work ("SOW"). 
If the vendor won't agree to so incorporate the RFP into the contract, the customer has a red flag that at least suggests a serious discussion with the vendor, if not consideration of the vendor's closest competitor for the solution. 

The RFP can also address some other issues that Mr. James identifies, including (i) the quality of the documentation (ask for it with the return of the RFP and clear up any gaps at an early stage in the relationship); (ii) support after the sale (the RFP should contain the customer's support requirements, including prohibiting off-shore support if appropriate); (iii) the vendor's going out of business after the deal is inked (have the vendor provide bank references and financial statements to determine its strength in the industry). 

And as part of the customer's due diligence, the vendor should be asked to provide several current customers who can be contacted to determine their experience with the vendor. Visits to these customers should be considered to tour their facilities running the vendor's software.   


Second, the customer should consider including a pilot or trial period in the contract, allowing the customer to test the software in its IT lab and accept or reject it for any reason after 30 to 90 days  This may be the best way to see if there are software configuration problems or incompatible hardware issues and try to resolve them and if not, the contract ends. The customer returns the software and its documentation to the vendor, the vendor returns (or destroys) the customer's confidential information, and the parties go their separate ways. Even if the vendor charges the customer a fee for this trial, the fee (and the customer's time investment) will be significantly less than if a permanent deal is inked and software configuration or hardware issues become evident.

Third, make sure that the parties hammer out a SOW that contains more than generalities. If the vendor has to configure or customize the software for the customer's unique data processing environment, specify how this is going to happen, when, and for how much. And for the vendor's configuration or other professional services, tie payment to the vendor with specific milestones evidenced by deliverables. And be sure to include appropriate change control provisions to reduce "scope creep." 

 Fourth, many large IT vendors are big players, Microsoft comes to mind. My response is "if you can't beat them, join them." So, larger customers should see if they can become Microsoft "reference clients" to gain business benefits, including free passes to user conferences, access to senior executives, input on new products, and the first right to try beta products. The trade-off in becoming a reference client is the time the customer's IT staff must spend in recommending Microsoft solutions to other potential Microsoft customers. If a customer goes this route, the benefits of being a reference client should be spelled out, including how long these benefits will last. In addition, there should be restrictions on how much the customer is required to show the Microsoft solution that it has adopted to its competitors. 

 Finally, customers shouldn't fall for the IT vendor's song and dance that there is no need for a RFP, Statement of Work, or definitive contract, or that the customer can just sign these documents prepared by the vendor. IT customers should never sign vendor-prepared documents without review by all of the customer's stakeholders, including qualified legal counsel. To do otherwise is just dumb.

Executive Summary:

To mitigate the pain points between an IT vendor and customer, consider having: 
  • A carefully-prepared, comprehensive Request for Proposal that itemizes the customer's specific business requirements for the vendor's software;
  • A pilot of the vendor's software in the customer's lab, with the customer's right to accept or reject the software for any reason at the end of the pilot; 
  • A detailed SOW that specifically addresses who is to perform what configuration and customization services; and
  • A definitive contract that, among other essential provisions, requires the vendor to comply with the RFP and the SOW. 
  • The customer may leverage an IT vendor's market power by becoming a "reference client" for the vendor, allowing the customer to obtain clearly-specified business benefits in return.

Those IT Contractors Working in Your Office - What Are They Up to? A Pub Tale in Two Parts: Part 2 - The Legal Side


When we last left our two IT professionals - Steve the IT manager at Beta Corporation and Bosco the IT lawyer - they were at Brewery Vivant, discussing the business precautions that should be taken when Acme Software's contractors are developing the Next Big Thing software program for Beta Corporation. After downing a modest number of Undertaker ales, the guys now talk about a contract between Acme (the software developer) and Beta (its customer)

 Bosco: I suggest that Beta have a Software Development and Services Contract with Acme.

 Steve: That sounds like big bucks in legal fees! And what if Acme refuses to sign it? 

 Bosco: If Acme is a reputable software development company and is interested in keeping Beta as a customer, they should have no problem signing a contract of this nature with a minimum of negotiation. They've probably signed similar contracts with other clients! About my fee to prepare this contract, because I've drafted similar contracts for other clients and don't have to "re-invent the wheel," I can charge you a reasonable fixed fee. 

 Steve: What if Acme has their own contract that they want us to sign?

 Bosco: No problem, we'll get their document in Microsoft Word format and make reasonable changes and additions  - and then send them a version that highlights our modifications. We can then close any gaps at a meeting or conference call. 

 Steve: OK, so what's going to be in the contract- besides holding Acme to the business provisions that we just discussed? 

Bosco: The key provisions will shift certain legal risks from Beta to Acme, such as requiring Acme as the developer to:

  • Deliver the software on-time, for the stated fee, and according to the specifications contained in the Statement of Work that you and Acme agreed to. We'll include a reasonable change control provision to prevent "scope creep." 
  • Warrant that the software contains no malicious code, malware, time-bombs, or other code that would interfere with the program's normal operation according to the specifications in the Statement of Work. 
  • Transfer all intellectual property rights to the software's source code and object code to Beta. Or if the quoted fee didn't include the transfer of these property rights, Acme must grant Beta a royalty-free, exclusive, and worldwide license to use the software within Beta's entire enterprise. And you should consider a source code escrow arrangement whereby Beta can obtain the application's source code from a reputable escrow agent if Acme should ever cease business or fail to support the software.  
  • Defend and indemnify Beta against third-party claims and liability concerning the software, including intellectual property infringement claims and claims for personal injury or property damage caused by the software.
  • Include Beta as an additional named insured on Acme's commercial general liability insurance (including contractual liability) and also require Acme to maintain data processing errors and omissions insurance. And if Acme is going to host the application or contract with a third party to do so, proof that the hosting service has a cyber-risk insurance policy and maintains industry-standard precautions to safeguard the application and its data from unauthorized intrusions. Acme should also provide Beta with service level guaranties so that the application is available to Beta's customers on a 7x24 basis, with reasonable downtime for scheduled maintenance. 
  • Agree that Acme won't list Beta as its customer in any advertising or public announcement (or on Acme's website) without Beta's prior approval. 
  • Agree that disputes between the parties (that can't be resolved by their senior executives) be decided only by arbitration in Kent County, Michigan, the location of Beta's corporate headquarters. And Michigan law controls.
  • Continue the previously-signed NDA or make sure that deal-specific confidentiality provisions are agreed to. 
  • Not perform similar services for a Beta competitor without Beta's prior consent.
  • To have no limitation or exclusion of damages provisions that unfairly restrict Beta's right to recover damages from Acme for breach of contract. 
  • Agree that if there is any conflict between the contract and the Statement of Work, the contract controls. 
  • To file suit against Beta for any cause of action under the contract within a 2-year period after the cause of action arose, or Acme loses its right to sue. 
Steve: These provisions sound complicated. How will I ever understand them? 

 Bosco: I'll explain them to you and your management team in detail. And I always draft (or revise, if reviewing the other side's contract) my contracts in plain English, avoiding legal jargon. And at no extra charge! Ha.  

Steve: That's great Bosco, you're hired  - and thanks! 

Bosco: Happy to help! But all this talk about the contract makes me hungry. How about going across the street to The Green Well for Otto's Chicken & Waffles?

Steve: Ah, comfort food! Sounds like a plan!
______________________________________________

Executive Summary:

A vendor hired to provide software development and related services should sign a contract with appropriate risk-shifting provisions, including:

Requirements that the vendor to deliver the software code on time, within budget, and in compliance with an agreed Statement of Work; 

Insurance and indemnity coverage; 

Intellectual property ownership or license provisions;
Safeguards to prevent the application and related data from unauthorized access if the vendor or its contractor hosts the application; and
Appropriate change order, dispute resolution, and governing law provisions. 


Those IT Contractors Working in Your Office - What Are They Up to? A Pub Tale in Two Parts: Part 1 - The Business Side



Here's the scenario. You're Steve, an IT project manager for Beta Corporation. You convinced your CFO to hire Acme, a local software development company, to embed four of their guys on your premises to help your overworked IT staff create the Next Big Thing software application. The application will use data from your network. But you're worried about giving Acme's guys access to your network! It has a lot of confidential business information, including customer data. You wonder about the business and legal precautions needed to protect your valuable data. The Acme CEO tells you that everything is fine without a contract (other than Acme's Statement of Work that you signed last week and the NDA that Acme signed when the project went out for bids).

Fortunately, you know a savvy information technology lawyer, Bosco, and decide to pick his brain during a few beers Friday after work at Brewery Vivant in Grand Rapids, Michigan. You are drinking  the Undertaker, a smoky Belgian-style dark ale with notes of chocolate and dark cherries. The choice of Undertaker makes sense because the brew pub is located in a former mortuary chapel. The feeling that you are observed by the dearly departed is palpable. 

Here's how the conversation goes:

Steve: What about Acme doing the Next Big Thing project?

 Bosco: I'm concerned about giving Acme's guys access to your network - with its valuable and proprietary data - without some business and legal precautions.

 Steve: What business precautions do you think are necessary?

 Bosco: Well, what do you know about Acme's programmers who will be at your offices?

 Steve: They are really smart and have a lot of experience! Two of the guys are from India; the others are local. We save a lot of money because they are Acme's independent contractors, not its employees. 

 Bosco: Do you know if the Indian programmers have received permission to work here from U.S. Citizen and Immigration Services? 

 Steve: I assume that Acme took care of this. But this topic didn't come up when we negotiated the deal. 

 Bosco: Assumptions can be dangerous. You should ask Acme for proof that the Indian programmers have the appropriate U.S. work visa. If they don't and the authorities catch them, your company could face unfortunate legal and business consequences. Wal-Mart got into trouble over this several years ago. Also, have you asked Acme for background checks on the four programmers?

 Steve: Why would I do that?

 Bosco: You said that the programmers would have access to your network, but they will also be at your offices for several weeks. For practical (but not legal) purposes, they will be Beta employees. Don't you want to know if they have any felony convictions within the last seven years? 

 Steve: Well, that's a good idea! We already run background checks on our IT employees having network access. 

 Bosco: And let's talk about what kind of network access the guys will have. Are there any restrictions on what data they can get to? 

 Steve: They will need access to a lot of network files to program the Next Big Thing. We don't know exactly what. 

 Bosco: I think that you and Acme should try to narrow down the data that Acme will need, and then place these files in a secure "DMZ" that Acme's guys will access. And they should have access only to the DMZ. If they need any additional data, they can ask you for it, and you can place that data in the DMZ as well. That way, Acme's programmers won't be able to access your entire network!

 Steve: That makes good sense. What other business safeguards do you recommend? 

 Bosco: I bet that Beta has an employee Code of Conduct that includes confidentiality provisions. 

 Steve: That's right. We make our employees sign it every year! 

 Bosco: That's great. But I think that you should revise it for Acme's programmers to sign, too. 

 Steve: But we already have a NDA with Acme. 

 Bosco: That's good, but those provisions may not be not legally binding on the Acme programmers because they are not Acme employees. So, each Acme programmer should sign a code of conduct that includes confidentiality provisions. It should also cover other items, such as Beta's no-smoking, dress code, non-compete, and no-solicitation policies. 

 Steve: That's a great idea, Bosco! Now what about those legal safeguards? We already have a signed Statement of Work with Acme. It's two pages of really great stuff about what Acme will do to create the Next Big Thing

 Bosco: IT statements of work usually contain just the business guts of the deal without essential legal protections. So, let's order a few more Undertakers and get down to the legal stuff!


Executive Summary:
Vendor-furnished contractors who access your network call for certain business precautions, including:

· Proof that the contractors are authorized to work in the U.S. if they are not U.S. citizens.

· Background checks.

· Contractors should sign the appropriate code of conduct containing confidentiality, non-compete, and no-solicitation provisions.

· Consider allowing the contractors only restricted access to your network by creating a secure "DMZ."

· The vendor’s Statement of Work or Proposal - even if negotiated - isn’t a sufficient contract for the project because that document usually contains only the business side of the deal. It doesn’t address essential legal elements.

Stay tuned for Part 2, in which the Undertaker keeps flowing - and Steve and Bosco get down to the basic legal provisions that should be in the application development contract between Acme and Beta!