A Guide to IT Contracting

Michael R. Overly is a partner in the Information Technology & Outsourcing Practice Group in Foley & Lardner’s Los Angeles office. As an attorney and former electrical engineer, his practice focuses on counseling clients regarding technology licensing, intellectual property development, information security, and electronic commerce. Michael is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Privacy Professional (CIPP) certifications. He is a member of the Computer Security Institute and the Information Systems Security Association. Michael is a frequent writer and speaker in many areas including negotiating and drafting technology transactions and the legal issues of technology in the workplace, e-mail, and electronic evidence. He has written numerous articles and books on these subjects and is a frequent commentator in the national press (e.g., the New York Times, Chicago Tribune, Los Angeles Times, Wall Street Journal, ABCNEWS.com, CNN, and MSNBC). In addition to conducting training seminars in the United States, Norway, Japan, and Malaysia, Michael has testified before the US Congress regarding online issues. Among others, he is the author of the best-selling e-policy: How to Develop Computer, E-mail, and Internet Guidelines to Protect Your Company and Its Assets (AMACOM 1998), Overly on Electronic Evidence (West Publishing 2002), The Open Source Handbook (Pike & Fischer 2003), Document Retention in the Electronic Workplace (Pike & Fischer 2001), and Licensing Line-by-Line (Aspatore Press 2004). Matthew A. Karlyn is a partner in the Technology Transactions Practice in the Boston office of Cooley LLP. Matt regularly represents companies in technology transactions and outsourcing transactions and has experience in both private practice as well as in-house for two software companies. A sought after writer and speaker in the area of information technology and the law, Matt has published over 40 articles, written chapters in several books, and given more than 60 presentations on topics ranging from the latest developments in information technology to best practices for drafting and negotiating information technology contracts. In addition to his law degree, Matt also earned a MBA from the University of Chicago in economics and strategic management and regularly advises companies on the business aspects of IT including IT strategy, pricing strategies, RFP development, governance, relationship management and reporting structures, and transition planning and implementation. In 2010, 2011, and 2012 Matt was selected for inclusion in the Massachusetts Super Lawyers – Rising Stars list, an honor given to the top 2.5% of Massachusetts lawyers under the age of 40. Matt has served as Chair of the New England Chapter and the Legal Process Outsourcing Chapter of the International Association of Outsourcing Professionals, is currently a member of the Corporate Law Advisory Board for Stafford Publishing, and for several years served on the Board of Directors of the International Technology Law Association. Matt also served for two years as the Co-Chair of the Boston Bar Association’s Intellectual Property Section’s Computer & Internet Law Committee. For the last three years, Matt was named a judge for the CIO-100, an award program published by CIO magazine that recognizes organizations around the world that exemplify the highest level of operational and strategic excellence in information technology.

Nondisclosure Agreements
Checklist
Overview
Key Considerations
Essential Terms
Additional Considerations
Summary





Professional Services Agreements
Checklist
Overview
Preliminary Considerations
Key Provision
     Term and Termination 
     Acceptance Testing 
     Personnel 
     Subcontracting 
     Warranties 
     Indemnification 
     Limitation of Liability 
     Intellectual Property Ownership 
     Change Order 
     Confidentiality and Information Security 
     Force Majeure 
     Nonsolicitation 
     Insurance 
     Fees and Costs 
     Relationship to Other Agreements
Summary





Statements of Work
Checklist
Overview
Scope of Work and Business Requirements
Technical Environment
Acceptance Testing
Deliverables
Documentation
Roles and Responsibilities of the Parties
Project Management Processes
Issue Resolution and Escalation Procedures
Risks
Pricing and Cost
Service Level Agreements
Change Orders
Summary





Idea Submission Agreements
Checklist
Overview
Key Risks of Submissions
Key Provisions for Idea Submission Agreements
Beware Reverse Submissions
Summary





Cloud Computing Agreements
Checklist
Key Considerations
Service Levels
     Uptime Service Level
     Response Time Service Level
     Problem Resolution Service Level
     Remedies for Service Level Failure
Data
     Data Security
     Disaster Recovery and Business Continuity
     Data Redundancy
     Use of Customer Information, Data Conversion, and Transition
Insurance
Indemnification
Limitation of Liability
     The Limitation of Liability Should Apply to Both Parties
License/Access Grant and Fees
Term
Warranties
Publicity and Use of the Customer Trademarks
Notification for Security Issues
Assignment
Pre-Agreement Vendor Due Diligence
Conclusion





Joint Marketing Agreements
Checklist
Overview
Key Issues and Guiding Principles
     Determine the Scope of the Engagement
     Marketing Obligations
     Referral Arrangements
     Confidentiality
     Intellectual Property Issues
     Warranties and Disclaimers
     Term and Termination
Summary





Software Development Kit (SDK) Agreements
Checklist
Overview
Key Issues and Guiding Principles
     Determine What Should Be Included in the SDK
     Scope of License
     Ownership
     Confidentiality
     Compatibility Testing
     Support
     Warranty Disclaimers
     Limitations on Liability
     Indemnification
     Export/Import
     Acquisition by Federal Government
     Term and Termination
Summary





Original Equipment Manufacturer (OEM) Development Agreements
Checklist
Overview
Key Issues and Guiding Principles
     Joint Development Agreements
     Development and Professional Services Agreements
     Exchange of IP
     Confidentiality
     Compensation/Fees/Revenue Share
     Change of Control
     Assumptions/OEM Customer Obligations
     Marketing
     End User License Agreement
     Audit Rights
     Warranties
     Support and Maintenance
     Limitations of Liability
     Indemnification
     Termination
     Contract Negotiations
Summary





Health Insurance Portability and Accountability Act (HIPAA) Compliance
Checklist
Overview
     Key Issues and Guiding Principles
Who Are BAs?
What Can Happen to BAs That Fail to Comply with HIPAA?
BA Requirements Under the New Security Breach Notification Requirements
BA Requirements for Compliance with HIPAA Security Rule
Statutory Liability for Business Associate Agreement Terms
BAA Compliance with HITECH Act Requirements
Other New HIPAA Requirements
Steps for Compliance for Breach Notification
Steps for Compliance with HIPAA Security Rule
Amendment of BAAs
Considerations for Inventory HIPAA-Related Policies
Summary





Key Issues and Guiding Principles for Negotiating a Software License or OEM Agreement
Checklist
Key Issues and Guiding Principles
Initial Matters
Scope of License/Ownership
Pricing
Audit Rights
Limitations of Liability
Warranties
Support and Maintenance; Professional Service Rates
Payment
Term and Termination
Infringement Indemnification
Summary





Drafting OEM Agreements (When the Company is the OEM)
Checklist
Key Issues and Guiding Principles
Determine the Scope of the Engagement
Customer Terms
Territory
Hardware Products
Exclusivity
Supplier Product Changes
Support and Training
Confidentiality
Intellectual Property Issues
Warranties and Disclaimers
Limitations of Liability
Indemnification
Term and Termination
Summary





Collecting Basic Deal Information
Checklist
Overview
Key Considerations
Performance
Intellectual Property Issues
Personal Information Privacy and Security
Information Security
Other Unique Issues
Summary





Reducing Security Risks in Information Technology Contracts
Checklist
Best Practices and Guiding Principles
Trade Secret Considerations
Copyright Considerations
Joint IP Considerations
Policy on Embedded Open Source
Internal Procedures
Policies Following Infringement
Employees
     Employee Training and Communication
     Contractual Protections
     Nonemployees and Subcontractors
Software Distribution
     Object Code vs. Source Code
     Language for License Agreements
     Nondisclosure Agreements
     Audit Rights
     Foreign Jurisdictions
Source Code Licenses
     Escrow the Source Code
     Language for Source Code License Agreements
Summary





Website Assessment Audits
Checklist
Overview
Key Issues and Guiding Principles
     Evaluate Your Website
     Domain Names
     Use of Third Party Trademarks
     Hyperlinks
     Content
     Visitor Uploads?
     Applicable Internet Specific Laws
     Terms and Conditions
     Data Security and Privacy
     Insurance
     General Considerations
Summary





Critical Considerations for Protecting IP in a Software Development Environment
Checklist
Overview
Key Issues and Guiding Principles
     Vendor Due Diligence
     Treatment of Data
     Physical Security
     Administrative Security
     Technical Security
     Personnel Security
     Subcontractors
     Scan for Threats
     Back-up and Disaster Recovery
     Confidentiality
     Security Audits
     Warranties
     Limitation of Liability
     Destruction of Data
     Additional Considerations
Summary





Click-Wrap, Shrink-Wrap, and Web-Wrap Agreements
Checklist
Overview
What Is a "Shrink-Wrap" License?
Products Purchased Under Shrink-Wrap Agreements—Common Elements
Methods of Purchasing Shrink-Wrap Products
Typical Shrink-Wrap Terms and Conditions
Key Risks of Shrink-Wrap Products
Mitigating Risk
Conclusion


Transactions Involving Financial Services Companies as the Customer
Checklist
Overview
Three Tools for Better Contracts
Key Considerations
Summary





Maintenance and Support Agreements
Checklist
Overview
Scope of Support and Maintenance
Predictability of Fees
Support Not to be Withheld
Term
Partial Termination/Termination and Resumption of Support
Specifications
Availability
Support Escalation
Service Levels
Summary





Source Code Escrow Agreements
Checklist
Overview
What Does It Mean to Escrow Source Code?
Types of Escrow Agreements
Release Conditions
Key Issues for Escrow Agreements
Conclusion





Integrating Information Security into the Contracting Life Cycle
Checklist
Overview
Due Diligence: The First Tool
Key Contractual Protections: The Second Tool
Information Security Requirements Exhibit: The Third Tool
Conclusion





Software Development Kit (DSDK) Agreements
Checklist
Overview
Key Contracting Concerns From the Perspectives of Both Parties
     Licensor Concerns
     Licensee Concerns
Conclusion





Distribution Agreements
Checklist
Overview
Key Issues for Distribution Agreements
     License Grant
     End User License Agreement
     Development of the Product
     End User Data
     Obligations of the Parties
     Product Pricing
     Additional Considerations
Summary





Data Agreements
Checklist
Overview
Key Contractual Protections
Conclusion





Service Level Agreements
Checklist
Overview
Service Level Provisions Commonly Found in the Terms and Conditions
Root Cause Analysis, Corrective Actions Plans, and Resolution
Cost and Efficiency Reviews
Continuous Improvements to Service Levels
Termination for Failure to Meet Service Levels
Cooperation
Service Level Provisions Commonly Found in a Service Level Agreement or Attachment
Measurement Window and Reporting Requirements
Maximum Monthly at-Risk Amount
Performance Credits
Presumptive Service Levels
Exceptions to Service Levels
Supplier Responsibilities with Respect to Service Levels
Additions, Deletions, and Modifications to Service Levels
Earn-back
Form of Service Levels
Conclusion





Critical Considerations for Records Management and Retention Checklist
Introduction
Avoiding Spoliation Claims
Impact on Litigation/Discovery Costs
Developing the Policy
Litigation Discovery Procedures
Developing The Retention Schedule
The E-Mail Problem
Authorized Storage Locations
Confidentiality and Security
Third-party Vendors
Proper Destruction





Website Development Agreements
Checklist
Overview
Initial Issues to Think About
What Are the Basic Objectives of the Website and the Development Agreement?
Intellectual Property Ownership
Software Requirements
Schedules and Timetables
Term and Termination
Fees and Charges
Project Management
Acceptance Testing
Warranties
Indemnifications
Content of the Website
Linking Issues
Insurance
Reports, Records, and Audits
Training/Education/Troubleshooting
Additional Provisions to Consider
Summary





Social Media Policies
Checklist
Introduction
Policy Scope and Disclaimers
No Expectation of Privacy
Right, But No Duty, to Monitor
Conduct in Social Media
Social Networking and Weblogs
Employee Questions and Signature
Conclusion





Software License Agreements
Checklist
Introduction
Four Critical Questions
License and Restrictions
Acceptance Testing
Third-party Software
Fees
Warranties
Indemnification
Limitation of Liability
Specifications
Confidentiality and Security
Maintenance and Support
Announcements and Publicity
Term and Termination
Additional Contract Terms
Conclusion


Glossary


FFIEC Booklet


Index