The dangers of patio thinking
- Subtitle: The IT Girl
The siren call of favourable pricing sometimes makes the most rational businessperson ignore even the most critical deal red flags. Some vendors count on this and act unscrupulously, declaring that the transaction must be signed by the end of a particular month or else the promised deep-deal discounts will be lost. Critical representations, warranties, indemnities and other key contractual clauses, including service levels, are sacrificed in the name of “business efficiency.”
I have seen clients sign the “wrong” type of legal agreement just to make certain there is a signature on a piece of paper somewhere by midnight of the deadline date. After all, the contract can always be amended, right? Three words come to mind here: Don’t do it. Better vendors don’t resort to these cheap ploys, and if a company is rushing you to sign something without allowing adequate negotiation time, there is probably a (bad) reason.
When I negotiate for a client facing a difficult vendor that has very one-sided, unfavourable legal agreements, I sometimes (politely) ask: What made you choose this particular vendor? Was it because of its stellar reputation in the marketplace? Market share? References? The answers sometimes surprise me: Because someone in the IT department once worked there. Because someone at the board table is related to the vendor’s CEO. Because of the (usually mistaken) conviction that there is absolutely “no one else who can provide this service, bar none.”
From my perspective, none of the above is a good reason. Absent other compelling reasons, conducting effective vendor due diligence can prove highly advantageous in critical technology deals. It is true that this process can take considerable time and effort if the purchaser enters into a detailed procurement process, complete with applicable risk assessments of its prospective vendors, in order to ensure that its business and regulatory requirements can be met. Some clients find this process difficult because they have trouble formulating objective selection criteria in the first place. However, it is much better to spend the time at the front end of a deal to objectively evaluate and choose an effective vendor than to rely on the connection of your brother-in-law twice removed for guidance, as he may no longer be around if the vendor fails to perform. And, yes, reviewing the short-listed vendors’ standard legal contract(s) should also form part of this due diligence effort, since choosing a vendor whose starting position is a very unbalanced commercial agreement will often be a harbinger of difficult negotiations to come.
Related to the above, before a client can purchase a new technology solution and choose the right vendor, it needs to have a very firm understanding of the problems it is trying to solve by acquiring the new technology system, its budget and its risk tolerance. For example, if a client is looking to leverage the efficiencies of cloud computing services, it needs to research and decide upon the appropriate cloud model (private, public, hybrid), service offering (SaaS, PaaS, IaaS), the nature (and appropriateness) of the company data it wishes to put into the vendor’s cloud, and any legal and regulatory requirements (provincial, federal, international, industry-specific) applicable to its industry/channel and data, all of which will inevitably shape its choice of vendor. Is the cloud vendor expected to support critical customer operations, and will direct access to client information be required? If so, the customer will likely require a sophisticated cloud vendor with appropriate security policies in place, incident response and disaster recovery procedures and strong compliance programs. Financial institutions and regulated health-care custodians will require a different kind of cloud vendor than some smaller not-for-profit entities. A client that wishes to put very sensitive personal health information or financial data into the cloud must understand that the least expensive option may not be appropriate given potential security risks and cyber-liability concerns.
Purchasers also need a detailed understanding of any solution they wish to acquire. Where will the system and data be located? Will the vendor use third-party contractors and subcontractors to manage key elements? Does the prospective vendor currently possess a comprehensive security program, including physical controls, logical controls, vulnerability management and threat assessment/intelligence monitoring? Does the vendor meet recognized cloud privacy and security standards such as ISO/IEC 27018:2014 (the code of practice for protecting personal information in public clouds) or other applicable standards? There must be alignment between what the customer is expected to pay and what it is looking for from its cloud provider regarding security, 24/7 support, privacy protections, etc. Remember, your chosen vendor is not your psychiatrist — you cannot expect it to solve all of your organization’s problems, and certainly the more services you ask for, the more it will cost.
Snappy demos and slick PowerPoint presentations do sometimes play a decisive role in the choice of a vendor, and some purchasers unduly rely on vendor promises, whether oral or written (but not captured in the deal documents themselves), without asking sufficiently detailed delivery questions or seeking additional supporting information. I think of this as “magical thinking” — the idea that everything is just somehow going to “work out,” largely based on perceived deal “goodwill,” without having to get too much into the weeds.
Thinking of choosing an American vendor located in Texas or Arkansas to provide a multilingual platform and helpdesk? Just how will this company ensure that these language requirements will be met? Does the vendor have experience delivering on these requests or will this be a custom job where those requirements may lead to actual delays in practice?
What about support services? Yes, the slides mention that the vendor already has a robust helpdesk service in place and will be providing support, but does this support automatically include Level 1 (basic) support services or is there actually an unspoken expectation that this duty will fall upon the purchaser, necessitating additional costs for the client? If the purchaser is national, what time in Newfoundland or British Columbia can it expect support services to begin if the service is not 24/7? Where will support services be provided? If they are going to be provided outside of Canada by third-party contractors and subvendors, what are the privacy/security implications? Will these third-party contractors and subvendors be sufficiently bound through a contract to meet the purchaser’s regulatory and legal requirements vis-à-vis privacy and security, not to mention service levels? Will prices quoted for support be impacted by currency fluctuations and hedging requirements? Can the client leverage the vendor’s existing support structures or will separate teams be required for the client? If the technology implementation includes a customization/configuration build phase, will the vendor expect the client to pay the full spectrum of support fees during the pre-build phase? If the proposed vendor’s solution is built on top of another vendor’s existing technology platform, how much responsibility will the proposed vendor take for meeting certain response/resolution times, overall service levels and performance requirements given its inherent dependencies on the other vendor’s underlying technology and systems? The devil really is in the details.
Keep cool, stay hydrated and have a great rest of the summer.
Lisa R. Lifshitz is a partner in Torkin Manes’ Business Law Group, specializing in technology and privacy law and is the leader of the firm’s Technology, Privacy and Data Management Group. Lisa has been nationally and internationally recognized for her technology law expertise and enjoys writing and speaking on technology law issues. She is the immediate past president of the Canadian IT Law Association and can be reached at firstname.lastname@example.org. The views presented here are the author's alone.