September/October 2009
Focus: Information Systems & Security

 

Top 5 Mistakes in Software/IT Contracts

By Eli Mansour, Esq. and Chad Ensz, Esq.

Financial institutions have to hire out many IT functions to remain competitive and to effectively leverage their resources. The high level of risk inherent in such relationships requires careful review and negotiation of the contracts with third-party IT vendors. While the list below is not intended to be exhaustive, it highlights a few of the more common problems that can expose the institution to unnecessary risk.

1. Insufficient Confidentiality and Security Obligations

Financial institutions have very specific confidentiality obligations under applicable laws, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and in California, the California Financial Information Privacy Act. The failure to comply with these laws could expose the financial institution to financial penalties, lawsuits and reputational damage. Accordingly, it is critical to make sure that any vendor contract clearly defines the scope and content of the financial institution’s “Confidential Information”. It should also obligate the vendor to protect such information in full compliance with all applicable laws and regulations and to limit the vendor’s use only as required to perform the particular services for which it is retained. Additionally, the vendor should be required to maintain security and privacy procedures consistent with the best industry practices, the requirements imposed on the institution by law and otherwise necessary to protect the information from disclosure.

2. Unclear Scope of Work/Acceptance

To the extent that any development is being performed by the vendor, it is critical to have milestones clearly enumerated in a delivery and payment schedule and to condition payment on the successful delivery, to the institution’s satisfaction, of each corresponding milestone. If it is not clear what constitutes acceptance or when items will be delivered, an institution could get stuck with a delivery that does not meet its needs and may be unable to return it. Alternatively, if schedules are not clearly set forth, arguments could arise over when deliveries will be made and when payment is due. An institution should make sure to give itself enough time after delivery to ensure the delivery meets its needs before the item is deemed accepted and should ensure that the delivery and payment schedules meet its needs as well.

3. Leaving Ownership of IP Undefined

In addition, when development is being performed by the vendor, it is critical to clearly define who owns the underlying intellectual property rights. The financial institution should ideally own all right, title and interest to all developed materials, and to the extent that any vendor background material is used in or otherwise incorporated in a deliverable, the institution should have an irrevocable license to use and modify such materials as necessary to use, modify and create derivatives of the developed materials. Absent such clear rights, the financial institution could find itself having to renegotiate with the vendor should it seek to upgrade or modify deliverables previously paid for.

4. Inadequate Warranties

It is important for the institution to consider what the vendor is warranting about itself, the contract and its product or service. Without warranties, an institution may not get the benefit of the deal it bargained for and may have no recourse under the contract. Although warranties vary by the type of contract, it is always a good idea to make sure the vendor has the authority to enter into the contract. A vendor should also warrant that the contract won’t conflict with any laws or other contracts applicable to the vendor and that it is a binding obligation of the vendor. A vendor should also be able to warrant that its services or products will comply with either the institution’s requirements or other specifications provided, and if for any reason they do not, the vendor will correct such problem. 

5. Incomplete Indemnity/Liability Caps

It is important to set forth when the vendor will provide indemnification for the institution and to pay close attention to vendors trying to limit their liability. If the vendor does not provide indemnification to the institution, the institution could get stuck paying damages or defending itself against problems that were created by the vendor. Further, if the vendor limits its liability to a small percentage of the contract, the institution could suffer significant damages and only be able to recover a fraction of them. The vendor’s indemnity of the institution should almost always include any claim that the services or products infringe upon another party’s intellectual property rights, any breach of the confidentiality obligations, and, if a license is provided to the vendor, the vendor exceeding the scope of the license. Indemnification for the negligence or willful misconduct of the vendor’s agents in connection with the services or products should be included as a standard term as well. Although many vendors will try to limit their liability under the contract to a certain amount of damages, this limitation should not apply to the indemnities provided by the vendor, especially an indemnity regarding non-infringement of others’ intellectual property.


This article has been prepared for informational purposes only. This article is not intended to be a source of advertising, solicitation or legal advice. This article is not intended to create, nor does it constitute, an attorney-client relationship. The reader should not take, or refrain from taking, action on the basis of this article without seeking the legal advice of competent counsel in the relevant jurisdiction. Luce Forward, Eli Mansour and Chad Ensz expressly disclaim all liability with respect to actions taken or not taken based on the contents of this article.

Eli Mansour and Chad Ensz are attorneys in Luce, Forward Hamilton and Scripps, LLP’s Carmel Valley office. They can be reached at 858-720-6336 and 858-720-6361 respectively, or emansour@luce.com or censz@luce.com.


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.