TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

In cloud services, whether it is infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS), service availability is often a significant customer concern because the customer is relying on the vendor to provide and manage the infrastructure and related components that are necessary to provide the services. To address this concern, vendors will often provide a Service Level Agreement (SLA) containing a commitment that the service will be available for a percentage of time (e.g., 99.9%) during a certain period (e.g., week, month, or quarter). This is often referred to as an uptime or availability commitment. When reviewing and negotiating an SLA with an uptime commitment, it is important to consider the following issues.

Uptime Percentage

Given the different types of cloud services and how those services are used, there is no standard uptime commitment provided by vendors. Rather, uptime commitments can range from 99.999% to 97% or even lower. It is also not uncommon for vendors to provide different uptime commitments for different parts of the service. Ultimately, a vendor’s uptime commitment will depend on a variety of factors, including the type of service, how a customer will use the service, negotiating leverage, and the vendor’s business model.

In a long-term outsourcing, software as a service (SaaS), or other services agreement, the customer will typically push for a termination right relating to the service provider’s breach, and perhaps for an insolvency event or change in control of the service provider. However, the customer should also consider including the right to terminate for its convenience (without cause), which could cover any of the following situations:

  • The customer is not satisfied with the service provider’s performance under the contract even though the provider is meeting its service level and other performance requirements under the contract.
  • Many alleged breaches by the service provider are initially “black and white” in the view of the customer, but they turn “gray” when the service provider pushes back and alleges nonperformance, nonresponsiveness, lack of cooperation, and the like on the part of the customer. Adding the customer’s right to terminate for convenience can avoid the potential dispute over whether the customer has the right to terminate on other grounds.

Are you about to sign a service agreement with a third-party service provider under which it will access and use technology of your company? Have you checked your applicable third-party contracts to see if you need any consents? The contracts under which your company uses technology every day, from the mundane to the critical, may contain hidden restrictions on the third party’s access and use for your benefit under the services contract.

There is an endless number of arrangements a customer could have with its third-party service providers, but this Contract Corner will discuss the case where the customer authorizes a service provider to access and use licensed software either while remaining at the customer site, or by moving it to the service provider’s site. More specifically, it explores just some of the issues and language in the customer’s license agreements with those third-party software providers to be checked during pre-signing due diligence.

You signed a long-term deal. It would be embarrassing if, in a few years after signing, the pricing is significantly higher or your service levels are significantly lower than market. Benchmarking provisions are intended to provide a mechanism for ensuring that your pricing and/or service levels are within market (taking into consideration the unique factors applicable to your deal). Set out below are some of the key components of a meaningful benchmarking provision.

In this contract corner, we consider the concepts of “good faith” in commercial contracts under English law.

The General Position Under English Law

The notion of good faith is a complex and evolving concept under English law, and it has important implications for those drafting commercial contracts. In contrast to many other civil (e.g., France and Germany) and common (e.g., United States and Australia) law jurisdictions, there is no general doctrine of good faith either in negotiating or in performing a contract. Instead, parties are free to pursue their own self-interests, so long as they do not act in breach of contract. However, the notion of good faith can still impact commercial contracts in three main ways:

We have all heard the horror stories: system implementation deals costing 300% more than the original budget, go-live dates for development projects being way past the scheduled dates, and deliverables that do not meet the customer’s expectations. These are the stories that keep us lawyers up at night. So what can we do in the contract to incent timely, on-budget performance by the vendor? First, there is no substitute for a detailed and well-thought-out requirements document, which provides the roadmap that shapes the design, build, and deployment. Then, while there is no magic bullet, there are numerous contractual mechanisms to be considered that are designed to provide guideposts and checkpoints to enable success.

Set out below are 10 contractual mechanisms for providing meaningful performance commitments and consequences if the commitments are not met. Maybe you will not need to invoke these mechanisms, but having firm rules may help drive good behavior (you know the old adage, “good fences make good neighbors”). As is always the case, the appropriate mechanisms to be used are deal specific, and not all deals or relationships require the full spectrum of contractual commitments set out below (but some do!).

For years, there has been a persistent trend toward outsourcing retirement plan recordkeeping and other administrative responsibilities. Although historically more prevalent for defined contribution plans, this outsourcing trend has been accelerating for defined benefit plans thanks, in part, to the prevalence of frozen plans (i.e., no more benefit accruals) and the potential for administrative cost savings. But service providers will be quick to remind plan fiduciaries that lightening the administrative load does not include transferring fiduciary duties. When selecting and monitoring a service provider, one key issue facing retirement plan fiduciaries is their duty with respect to the privacy and security of plan participant data.

As we previously discussed, managing and administering retirement plans also means managing and protecting an extensive trove of personal data. Although there is no overarching privacy law governing retirement plans, fiduciaries must adhere to the “prudent expert” standard of care in fulfilling their duties, and, in the current environment, it can be expected that courts will be sympathetic to assertions that privacy and security of plan participant data are within the scope of those duties. Given that fiduciaries are personally liable for their fiduciary breaches and considering the cost of a data breach can be in the millions of dollars, the sensible course of action for retirement plan fiduciaries is to be continuously diligent and attentive regarding data privacy and security. This extends to diligence and care in the structuring of the outsourcing agreement.

The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.

The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.

The importance of cybersecurity in the autonomous vehicle setting is well known, but nuance and complexity will be on our LiDAR (a pulsed laser that measures ranges) where the rubber meets the road.

The Challenging, Shifting Landscape

Cybersecurity is one of the key issues of the digital age, typically in the context of security and privacy of confidential or personal data. Cybersecurity is particularly challenging and important for technologies such as self-driving cars, where the real world and the digital, connected world meet and where cyber breaches could result in danger to life and property.

Autonomous vehicles are still in their infancy. Significant uncertainty surrounds this rapidly evolving ecosystem. Standards and regulations are still in a state of flux, and the “rules of the game” are still unclear: how, and how long, will human drivers/operators continue to be involved (along with their proclivity for risky, unpredictable and gullible behavior)? At this relative stage of immaturity, market participants are developing their own divergent solutions that will eventually need to seamlessly integrate, increasing the potential for cyber vulnerabilities. However, the opportunity (for both innovators and society at large) is clear, as smart, interconnected vehicles and systems promise remarkable improvements in efficiency and safety. The race is on.

When we represent customers in outsourcing and managed services transactions, we spend a significant amount of time drafting the exhibits for transition, which is typically a major project in and of itself. In order to help clients think about the major components of transition, we often provide the following checklist of common workstreams to facilitate our discussion.

  1. Governance – Governance is an overarching workstream that spans all phases of transition. A key component is the formation of a transition management office that is responsible for managing the overall transition (including performance and risk management) and coordinating with the company’s governance organization.
  2. Planning – Detailed design and implementation planning is critical to ensuring timelines are integrated and met, with all dependencies considered. Plans typically include the responsibilities of each party, anticipated completion dates, and acceptance criteria.