TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

There are books out there that get into great detail and can be very useful in developing negotiating skills (one of our favorites is Never Split the Difference by Chris Voss). In our experience, though, many negotiators that we come across either have an inflated view of their skills and can’t be bothered with reading a book like this, don’t have the time to read a book like this, or read the book and just can’t make the techniques work.

There is an adage that basically says that businesses don’t do business—people do business. That might seem obvious, but it’s useful when one stops and thinks about the interplay between a contract, how that contract is negotiated, and whether the relationship between the people who will be doing business can survive the negotiations.

This plays into the deal work that many of us do because many of those deals are complex—and the parties will ultimately rely on each other to drive success. For example, to implement transformational software, like an ERP system, the systems integrator must bring a unique set of skills to the table. The contract can drive the vendor to bring those skills and they must be proficient, but for the project to be successful, the customer must also bring certain skills: knowledge of its business processes, the ability to assess and implement change, and more. In other words, for the project to work, the parties have to act as partners.

Nearly every form of service agreement contains a provision restricting the ability of one or both parties to subcontract their obligations. A typical provision (with a standard quick and dirty markup) might look like this:

“Vendor shall not subcontract any of its obligations under this Agreement without the express prior written consent of Customer, which such consent shall not be unreasonably withheld. The subcontractors set forth on Schedule X are hereby approved by Customer.

These limitations are often included as a standard part of the legal boilerplate without much thought, but can present significant problems, especially given the broad use and incorporation of third-party technologies and services.

It seems that there are many forces at play that are almost designed to create or exacerbate change anxiety. Professionals in industries whose business models depend on stoking our change anxiety bombard us with article after article on social media. Industry conferences that consistently display whichever adoption curve you’re supposed to be on at the moment—hinting that you’re seriously behind where you should be, with the looming possibility that you’re about to go out of business because of it. Yesterday it was the cloud, today it’s RPA and AI (or IA depending upon whom you ask), and tomorrow it will be something else.

But even with all of this change coming at us, perhaps most troubling is that feeling that if you just stop for a minute to think and reflect, you may be labeled as entrenched, unwilling to adapt, a dinosaur, or something worse.

The transformational programs that we work on tend to reveal many of the stresses that permeate our clients’ professional lives. In deal work, one of the first places you see this is when a request for proposal (RFP) is being drafted that is supposed to reflect a progressive vision.

European financial institutions (competent authorities, credit institutions, and investment firms as defined in EU Regulation No. 575/2013, collectively Institutions) have been instructed to comply with the European Banking Authority’s (EBA’s) recommendations when outsourcing to cloud service providers (Recommendations) as of July 1, 2018.

With cloud-based solutions offering new products geared to potentially reduce infrastructure costs and improve services, outsourcing to cloud-based services providers is becoming progressively more popular by Institutions. This trend has prompted the EBA to issue the Recommendations, with the expectation that Institutions will use their best efforts to comply.

When in-house lawyers start thinking about how to support a business client that is looking to implement a new or replacement enterprise resource platform (or more commonly known as an ERP system), we often suggest that they first discuss these 10 framework issues to get a sense of the scale, complexity, and timing of the potential transaction. While the below list certainly does not cover all of the issues that will need to be considered, it is intended to help in-house lawyers understand the objectives, parameters, and potential risk areas of a transaction.

We are seeing more merger and acquisition activity among technology services companies as European companies are seeking to expand their presence in US markets. Just this week, another acquisition of a growing US-based technology company by a global technology services leader headquartered in France was announced.

On July 22, French multinational company Atos—a global leader in technology services and digital transformation—announced that it entered into a definitive merger agreement with US-based Syntel. The acquisition, subject to regulatory approval, is scheduled to close by the end of 2018. Syntel, based in Michigan, is a global IT company specializing in cloud, mobile, analytics, and automation services. The purchase of Syntel is intended to strengthen Atos’s presence in the banking, financial services, and insurance (BFSI) industries, with Syntel generating a substantial portion of its revenue from BFSI and large global banks. The acquisition also will increase the North America presence of Atos and expand Atos’s workforce in India, adding 23,000 employees—18,000 of which are based in India—to Atos’s current headcount of about 97,000.

Authored by Barbara Murphy Melby, Christopher C. Archer, and Jay Preston

In Part 1 of this Contract Corner on Software as a Service (SaaS) agreements, we discussed ownership and use issues in SaaS transactions where the application is provided and hosted as a dedicated instance with common base software (sometimes with customization or variation) but running as a separate instance in a dedicated environment.

In this Part 2, we will look at ownership and use issues in transactions where the application is provided and hosted in a multitenant environment, with one common application layer and hosting environment that is logically partitioned by customer.

As noted in Part 1, when thinking about ownership and other intellectual rights in SaaS deals, we generally consider the following categories, discussed in more detail below. As with any solution there can be variations and customer-specific needs that drive different requirements.

Authored by Barbara Murphy Melby, Christopher C. Archer, and Jay Preston

In the typical SaaS scenario, the SaaS vendor provides, maintains, and hosts (either itself or through a hosting SaaS vendor) the desired application layer, and grants the customer and its authorized users access to the application functionality via the internet. At a high level, there are two variations of this scenario:

  • The application is provided and hosted as a dedicated instance, with common base software (sometimes with customization or variation) but running as a separate instance in a dedicated environment.
  • The application is provided and hosted in a multitenant environment, with one common application layer and hosting environment that is logically partitioned by the customer.

In this Contract Corner series, we will look at ownership issues in SaaS solutions in two parts, with different perspectives based on whether the solution utilizes a dedicated instance (Part 1) or a multitenant environment (Part 2).

Cybersecurity remains at the top of the list of risk concerns when organizations outsource IT and other functions leveraging cloud-based solutions. While there are no guaranteed methods to fully eradicate cybersecurity risks, companies should consider taking the following steps to mitigate the risk.

#1 – Diligence!

As a first step, it is helpful to define the minimal security controls that you will require your outsourcer to implement and adhere to, and then compare your organization’s own security requirements to the outsourcer’s solution. You can begin by forming a cross-functional due diligence team with stakeholders such as IT security, internal audit, compliance, and business owners to conduct robust and meaningful reviews of an outsourcer’s security solution and evaluate essential factors, including the following:

  • Types of data
  • How data is flowing and transferred
  • Location of data
  • How your organization’s privacy policies align with the outsourcer’s
  • Encryption requirements and access control processes
  • How remote access is handled
  • Whether the outsourcer follows industry best practices and regularly monitors and audits its controls
  • How the outsourcer uses subcontractors
  • Applicable laws and regulations