Enterprise IT Service Customers: Managing the Impact of the Coronavirus on Vendor Provided Information Technology Services
The coronavirus (also known as COVID-19) has already had a significant worldwide impact. Many businesses are likely to encounter difficulties with at least some of their IT service providers, as broad-reaching stay-at-home orders (or vendor mandatory policies) are forcing service providers to perform work remotely. In other cases, businesses are experiencing service outages or service level failures, often caused by their IT vendors. In a time of limited resource availability, IT vendors may, potentially, make decisions to allocate those resources to the benefit of some customers and the detriment of others. Finally, businesses, themselves, may experience difficulties in their own performance of vendor agreements (e.g., unavailability of personnel resources to assist in software implementation engagements).
Below we discuss protections to consider in enabling your IT service provider to work remotely; immediate and longer-term steps to take in dealing with vendor-caused outages and service level failures; and protections to bear in mind when entering into your next IT vendor engagement.
Executive Summary
Businesses should keep these practices in mind when dealing with their IT vendors:
- Coronavirus can impact the delivery of software and IT services into fundamental ways: (1) Vendor personnel that were working at the vendor’s facilities may be forced to work from home, and (2) companies may have engaged IT vendors to perform implementation, consulting, training or other professional services at the companies’ facilities.
- When vendor personnel have to work at home, many new issues and risks arise such as data security, quality of performance, quantity of performance and service levels. In the event the new work environment impacts or may impact service, the customer company should determine the extent to which it has leverage, contractual or otherwise, to address the vendor commitments.
- As most vendors and businesses are not equipped to have all or substantially all of their workforce suddenly working from home, companies contracting for and using IT services need to anticipate potential disruptions to their operations.
- Many organizations today rely on cloud-based or Software as a Service (SaaS) solutions. For any number of reasons, the coronavirus can result in vendor-caused service outages and service level failures. Vendors will attempt to use force majeure and other defenses in an effort to avoid liability for such failures.
- In the event unavailability service level (e.g., 99.9%) is not technically breached due to the coronavirus being a force majeure event. The customer should insist on a reasonable adjustment in fees paid to reflect the duration and severity of the outages, although the success of such efforts will depend largely on the wording of the agreement.
- In the event a vendor invokes force majeure or similar defenses, at a minimum the customer should insist that the vendor take appropriate action to mitigate the impact to the customer. This may be required under the force majeure provision or applicable legal principles.
- When assessing whether a service provider has acted reasonably in preparing for events of this kind and responding in an appropriate fashion, the customer should obtain a copy of the service provider’s current disaster recovery / business continuity plan and ensure the service provider is complying with it.
- Ongoing or in-flight IT implementation or other professional service projects may also be impacted if access to the customer’s facilities is disrupted or prevented. In this case, the vendor, the customer, or both may seek to delay the project. In this case, negotiations should commence as soon as possible for an appropriate work around and/or mitigation plan for suspension of the project.
- Some IT vendor work on implementation or other professional service projects may be possible remotely. If so, it may materially increase the fees for the project, so budgets must be carefully managed.
- For current and future contract negotiations, customers should keep these risks in mind when drafting the contract language. In particular, the impact of the coronavirus on the software or services to be provided should be carefully negotiated and discussed in detail in the agreement.
Remote Work Protections
Remote working in the IT context manifests itself in two principal ways. First, the vendor’s personnel may be (or may have been) working on the customer’s premises, such as for implementation of an IT system or project, or for on-site consulting professional services.
Second, the vendor and its personnel may be providing services to your organization remotely from the vendor’s facilities, such as a Software as a Service (SaaS) cloud-based software service (e.g., Enterprise Resource Planning (ERP) or Customer Relationship Management (CRM) software) or “remoting in” to your facilities to provide remote IT infrastructure services, support, or other professional services. In this second circumstance, the vendor personnel are typically working from a secure and hardened facility (offices, data centers, and other secure facilities). The security risk profile changes significantly, however, if due to the coronavirus vendor personnel are no longer working at the vendor’s secure locations, but rather from home.
A well-established service provider will have technical, administrative, and physical safeguards at its locations to protect against the unauthorized access or disclosure of its and its customers’ data — often these service providers have high-level access to their customers’ systems as necessary to provide the services. However, with stay-at-home orders and policies quickly going into effect throughout the country and world, it may no longer be possible for IT vendors — even those with high-level system access to your business – to provide their services from the vendor’s secure facilities or on your premises. Many experts in the field indicate, for good reason, that data breaches are much more likely to occur in remote work environments.
If IT vendor personnel must work remotely in a manner that may impact service to the organization, the organization should determine the extent to which it has leverage, contractual or otherwise, to address the new work environment. For example, if feasible, companies should ensure contractual obligations are in place requiring sufficient data and system security protections. To draft effective contractual language, it is important to first understand where the vendor’s personnel will actually be performing the work.
In a more traditional remote-work situation, the vendor’s employees might provide services from satellite offices or other, presumably secure, office locations. With the stay-at-home orders and policies in place, the service provider’s employees are likely working at home. Accordingly, contractual language should be implemented to ensure a similar level of data and system security protections for personnel working from home as would be available in the service provider’s typical service locations.
For example, it is generally a best practice to require the service provider to issue work laptops and mobile devices to its employees, rather than allow personal device use, which are often more vulnerable devices. The agreement should also require the remote work equipment utilize sufficient security software, such as strong firewalls, virtual private network (VPN)-only access, multi-factor authentication, full disk encryption, and advanced malware scanning tools.
Additionally, if your company has a trusted VPN network in place, the contract should require that all remote access by your service provider be through the customer’s VPN solution. Each of these are important steps in protecting your sensitive data and systems.
Remember that it is not just about the “data,” which is clearly of great importance, but also the security of the systems on which that data resides. In many cases, the vendor will have direct access to customer production systems, including payment systems. That access, if not secured properly, could lead to a serious compromise of those systems.
At Foley & Lardner LLP, we recommend our clients implement contract language, typically in the form of a brief addendum to supplement their agreements, which both enables remote work for the service provider and contractually binds the service provider to a menu of security protections. Given the unique nature of the coronavirus and the resulting stay-at-home orders in place, your agreement with your service provider may not contemplate the provision of services remotely, and so an addendum or other supplement to your agreement may be necessary to allow such remote work, and in every case it should ensure proper data security protections.
Bear in mind that the overall remote computing environment is being heavily strained by large volumes of workers suddenly working at home. Most vendors and businesses are not set up to have their entire workforce accessing their systems remotely. Similarly, well-known web conferencing and screen sharing services are being stretched to their limits. Failures are likely. Disruptions should be anticipated.
Service Provider-Caused Service Outages and Service Level Failures
Businesses may also be encountering service provider-caused outages and service level failures. Service providers are likely to claim that the inability to conduct business normally because of the coronavirus caused the service outage or service level failure, and that the service provider is therefore excused from any liability or damage it may have caused. Vendors may claim that because the coronavirus is beyond their control, the circumstances constitute a “force majeure” event under the agreement, thereby relieving the vendor from its contractual obligations.
If the vendor is claiming a force majeure event is applicable, the customer should push its vendors to remediate the outage or failure, and restore full performance as soon as possible. Since force majeure outages and disruptions are generally excluded from service level obligations, the customer may not be due any service level credits or remedies as a result of the failures. In those cases and depending on the language of the agreement, the customer should insist on a reasonable adjustment in fees paid to reflect the duration and severity of the outages.
Force majeure clauses often contain language obligating the party claiming excuse to use commercially reasonable efforts to remediate the situation. It may be necessary to review the applicable agreement for this language and potentially remind the service provider of its remediation obligations.
Once the situation is resolved, it is then time to analyze the root cause of the outage or failure. If the outage or failure was caused by an event beyond the reasonable control of the service provider, and which could not have been avoided through reasonable precaution, the service provider may, in fact, be excused from liability.
For example, electrical grid outages may be occurring from the heavy taxing on new and different parts of the grid system that were not typically used as heavily and not built to withstand this pressure. This is as a result of the sudden change in work environments from the coronavirus, and likely constitutes a force majeure event excusing the service provider from an outage, if this were the cause.
Alternatively, if the outage or failure is caused because, for example, the service provider did not have proper remote work capabilities in place, or because it failed to pay its bills for its own services, the service provider is likely not excused as this is not an event beyond its reasonable control even if caused (albeit indirectly) by the coronavirus. It is therefore pertinent to understand the root cause of the outage or failure.
In assessing whether the service provider acted reasonably in preparing for events of this kind and is responding in an appropriate fashion, the customer should obtain a copy of the service provider’s current disaster recovery/business continuity plan and ensure the vendor is adhering to its provisions. Well-drafted plans should have specific provisions relating to remediation activities in the event of a pandemic.
Dealing with service level failures, as mentioned above, will be heavily dependent on the applicable contract language. Too often, service providers include highly qualified language which diminishes their obligations to actually meet their stated service levels, or to remediate service level failures properly.
For example, while customers often focus on the service level availability percentage offered by the service provider, an equally important aspect is whether that percentage is a “target” or “required” availability. Oftentimes, a service provider may boast its uniquely high service level availability, maybe even at 99.999%, however the percentage is simply a target for the service provider, and reading further in its SLA would reveal that the service provider only has to use reasonable or commercially reasonable efforts to try and hit that level of availability. Once it has used its efforts, it may be “off the hook,” even if it ultimately provides 0% availability.
Furthermore, it is important to analyze the service provider’s contractual remediation obligations under its SLAs. Does the service provider simply have to “respond” to an issue, or does it actually have to “resolve” the issue? This analysis of the contract language will be important to determine whether the service provider is excused from liability or not.
Impact on Software and Other IT Implementation Projects
The same issues relating to cloud-based software availability can arise in connection with ongoing or in-flight IT implementation projects. While cloud-based software (e.g., SaaS solutions) has grown exponentially over the last several years, there is still a significant amount of IT services, which are and have to be performed at the customer’s facilities. With vendor personnel subject to mandatory working from home orders or policies, the continuation of these projects may very well constitute a force majeure event that enables the vendor to suspend additional work on the project.
Similarly, customers facing work at home requirements may face the same issues. There could be situations where the vendor proposes a remote work around for some or all of the project, which may not be reasonable or practical for the customer. Permitting work at home as an alternative may also materially increase fees for the project. Budgets must be carefully managed. If the parties are unable to reach a mutually acceptable solution, the customer may need to invoke a force majeure clause, or other defenses such as impossibility or frustration of purpose. As noted above, the applicability of a force majeure clause depends largely on the wording of the provision as well as the facts and circumstances.
Impossibility and frustration of purpose are similar, but generally apply only to circumstances so disrupting that it makes continued performance of the agreement by one or both parties impossibility, for the fundamental purpose of the agreement can no longer be accomplished by one or both parties. We are helping many clients assess appropriate actions to take under the circumstances.
After the crisis
Looking down the line, it is important to learn from the coronavirus situation and know what to consider moving forward. Businesses should review contracts carefully and always consider whether the service provider may be excused from performance for events developing or occurring at the moment of signing. Businesses should review the force majeure language (and any other language involving excuse of performance) to ensure it does not allow the service provider to stop performing because of an event that it knew or should have reasonably known about when the deal was being made.
For example, if business enters into a new agreement today, and it allows for the service provider to consider the coronavirus a force majeure event, in essence, the business may sign the deal today, and tomorrow the service provider could stop performing and be excused from liability under the force majeure clause. Accordingly, it is critical to assess the near and longer-term ability of both parties to perform under the agreement, including in dire situations such as this one. Once the parties have reached an agreement on principal about dealing with the software solution or project in light of the coronavirus, the solution should be properly documented in the agreement.
For example, if a project is susceptible to remote working, then the agreement should contain provisions specifically addressing the relevant issues, such as security commitments on the part of the vendor regardless of vendor personnel working from home, service level commitments of the vendor regardless of the coronavirus and future events that are foreseeable (e.g. shelter in place orders in a state that does not currently have such an order).
It is also essential to include in the contract proper incentives for the service provider to perform, such that the service provider will not want to seek excuses for performance. Rather than paying large sums (or even the full amount) upfront, concepts like milestone-based payments, whereby the service provider is only paid upon satisfactory completion and delivery of certain deliverables, are some extremely effective incentives to motivate the service provider to perform, even in difficult situations, such as that of the coronavirus. It is always more difficult to recover amounts already paid than to withhold amounts not yet paid for incomplete or unsatisfactory performance.
Conclusion
In any difficult situation you face with your service provider, it is almost always best to begin with a constructive discussion, where each party works in good faith the other, rather than jump right into an adversarial approach. For remote work protections, it will often prove valuable to engage in friendly talks with your service provider about how you might execute a mutually agreeable addendum to your existing agreement that will both allow for the service provider to work remotely while requiring the essential safeguards.
For service outages or service level failures, we recommend first discussing prompt remediation efforts to be taken, and later determine the root cause of the issue. When negotiating a software implementation deal, a suitable approach is often to discuss current events and potentially foreseeable scenarios down the line, and then carve them out of any force majeure or other excuse-of-performance language.
If you are dealing with any of the aforementioned issues and would like further guidance, please do not hesitate to contact us at Foley & Lardner LLP. We have well-established and experienced attorneys who are here to help walk you through these unique situations and ensure your data and business are safe.
For more information about recommended steps, please contact your Foley relationship partner. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization.
Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.