No business, regardless of size, can accomplish every part of its operations required for success on its own. Reliance on vendors and third-party service providers is necessary to keep businesses running smoothly and competitively. For in-house counsel, it is a daunting responsibility to identify all the risks associated with working with outside vendors. This is especially true when rapidly evolving technology is involved. Among other technological concerns, cybersecurity and artificial intelligence are very hot topics. In this article, I explore some of the considerations and pitfalls for in-house counsel when reviewing or drafting contracts between companies and third-party technology service providers.
Business Needs
Larger companies likely can form management teams and tailor methods to identify specific needs of all stakeholders. In contrast, in small companies, employees often wear many hats when working in and across several departments to accomplish shared goals. When resources are finite, priorities must be set to assess needs for business solutions. Because technology is changing so quickly and so profoundly, the need to figure out how to leverage technology is almost universal, regardless of a business’s number of employees or net worth.
With such significant changes in technology, managers and business leaders might experience FOMO (fear of missing out) and be tempted to plunge right in and experience, for example, the AI revolution for themselves. This is, perhaps, one of the first pitfalls for in-house counsel. It is quite possible that generative AI solutions are already built into a business’s existing technology.
Corey Garver, legal technology advisor at Meritas, writes, “I recently collaborated with a client that thought they needed a particular tech solution. After speaking with a vendor that provided such solutions, and discussing with the firm their specific needs, we discovered that the firm could solve its problem by using an application it already had purchased and was using…. Take stock of any new product integrations, what new features you have at your fingertips and how they can help you before assuming you need to find a brand-new option.”1
Learning how to use powerful technology applications already in place can save a business time and money and help avoid significant frustration.
Before Engagement – Duty to Perform Due Diligence
In-house counsel provide guidance on legal matters, including fact-finding and contract negotiations. “Due diligence” is a nebulous phrase, but definitions and explanations are offered by various authorities.2 Other states’ dizzying discussions of the due-diligence duty provide some direction for Wisconsin lawyers for factors to consider when selecting a third-party service provider for cloud computing.3
Wisconsin Formal Ethics Opinion 15-01 is directed toward lawyers selecting such providers for their own practices, but the factors have broad application for in-house counsel when a business is searching for outside vendors. The opinion notes that an exhaustive, specific list of factors to consider would not be useful because technology and lawyers’ duties are constantly evolving, thus requiring lawyers to continue to use their professional judgment.4
Some of the more relevant guidance from the opinion includes the following:
Have at least a base-level comprehension of the technology and the implications of its use. Such a cursory understanding is necessary to explain to the client the advantages and disadvantages of using the technology.
Thoroughly research a cloud-based service provider’s security measures and track record (number of clients and references) before using the service. Knowing the qualifications, reputation, and longevity of the cloud-based service provider is necessary.
-
Carefully review the cloud-based service provider’s terms of use or service agreement, particularly with regard to the following:
Ownership. Do the terms of use specifically state that the provider has no ownership interest in the information? What happens to the information if the provider goes out of business or if the user decides to terminate the business relationship or if the user defaults on payments?
Location of the Information. Is the information stored in data centers or servers in other nations with less stringent legal protections?
Security and Confidentiality of Information. What safeguards does the provider have to prevent security breaches? Does the provider agree to promptly notify the user of known security breaches?
Service Level. Is the provider available 24/7? Who are the provider’s key personnel?
Backups. How frequently does the provider back up information? What is the procedure to restore information from the backup?
Disaster Recovery. Does the provider have redundant storage if disaster strikes the server? What is the provider’s insurance coverage?
Lawyers who do not have the necessary understanding of a technology or service should consult with someone who has the requisite skill and expertise.5
Additional Contractual Considerations
According to Maggie Gloeckle and K Royal, there are additional contractual considerations in-house counsel should review and address. Gloeckle is chief privacy officer at Hewlett Packard, and Royal is global chief privacy officer and deputy general counsel for Crawford & Co. These include the following:
indemnification (negligence and gross misconduct cannot be indemnified against),
limitations of liability,
definitions of key terms,
audit rights and cost,
knowledge of and compliance with laws,
dispute resolution,
subcontracting or outsourcing,
onboarding process, and
termination.6
One of the factors worth highlighting is the onboarding process. (In this context, onboarding refers not to new-employee procedures but to introduction of the technology or service to a company’s employees.) Onboarding with a technology vendor establishes the foundation for a successful working relationship and implementation of new tools or services. It ensures a smooth integration of new technology into existing systems, workflows, and teams. A thorough onboarding process also allows for clear communication of expectations, customization according to specific needs, and comprehensive training for users. Effective onboarding not only accelerates the adoption of new technology but also establishes an ownership interest with employees, some of whom might be resistant to change.
Obligations During and After the Relationship
As Gloeckle and Royal point out, in-house counsel’s due-diligence obligations don’t end once the contract is signed. They describe vendor management in terms of responsibilities before, during, and after the vendor relationship. In addition to the factors to consider before an agreement is reached, it is essential to regularly review the vendor’s performance, manage the relationship with frequent communication, and be aware of “mission creep” (meaning that company employees or the vendor begin to stray from the relationship’s initial purpose, either by adding or reducing expectations and terms).7 If possible, the ongoing reviews should involve several employees, to ensure that the vendor’s products and services are accomplishing the company’s original goals.
In-house counsel should plan for what to do when the relationship ends, whether under good circumstances or bad. The terms of termination should be clearly spelled out before entering into the contract, and the steps required to accomplish the termination should be followed – for example, establishing and documenting grounds for termination, giving notice, transferring data, maintaining the security of data and company assets, and so on.8
When the split is unfriendly, it is important to take additional precautions. “[F]ollow through on any items that need to be changed – data inventories, subcontractors, upstream partners, documentation, and processes that might be impacted. Transitioning to a new vendor may not be easy or quick. Try not to be in a position of negotiating during a trauma – you are never in a strong bargaining place in emergency situations.”9
Conclusion
Don’t skip the due diligence! In-house counsel have pivotal responsibilities during negotiations of contracts with vendors for technology services. A comprehensive evaluation of the business’s needs and the vendor’s offerings, terms, and conditions helps advance a company’s interests.
By carefully reviewing a technology vendor’s capabilities, service levels, data security measures, and contractual obligations, in-house counsel can effectively mitigate potential legal, operational, and financial risks. Due diligence will promote a mutually beneficial contractual relationship and will set the tone for a successful partnership with a technology vendor, thereby protecting the organization’s objectives and creating a more secure and productive business environment.
Endnotes
1 Corey Garver, 5 Ways In-House Counsel Can Embrace Generative AI, Garver, ACC Docket (Oct. 2, 2023), https//docket.acc.com/5-ways-house-counsel-can-embrace-generative-ai.
2 See, e.g., Wis. Stat. § 401.202(6): “An organization exercises due diligence if it maintains reasonable routines for communicating significant information to the person conducting the transaction and there is reasonable compliance with the routines.” See also SCR 20:1.3 Diligence (“A lawyer shall act with reasonable diligence and promptness in representing a client.”); Wis. Formal Ethics Op. EF-15-01.
3 Wis. Formal Ethics Op. 15-01 app. A. It is noteworthy that EF-15-01 does not use the phrase “due diligence” to describe a Wisconsin lawyer’s duty under the Rules of Professional Conduct but adopts a “reasonable efforts to secure” standard. The phrase “due diligence” is used in many states’ ethics rules.
4 Wis. Formal Ethics Op. EF-15-01.
5 Id.
6 Maggie Gloeckle & K Royal, Your Vendor, Your Risk, ACC Docket (Oct. 2019), https://docket.acc.com/your-vendor-your-risk.
7 Id.
8 Id.
9 Id.
» Cite this article: 97 Wis. Law. 47-49 (February 2024).