The age of predatory vendors is upon us. Businesses that fail to take the old Latin adage caveat emptor (“let the buyer beware”) seriously do so to their extreme peril. Even though many vendor engagements result in long term, close working relationships, thinking of vendors as “partners” is a very antiquated mindset. And, while vendors clearly use that term frequently in sales calls, the reality is something far different. A partnership implies an equal sharing of risk.
Try to recall the last vendor agreement that you negotiated that truly reflected the spirit of mutual risk sharing. Rather, today, we are seeing a growing number of vendors treating their customers with disdain, even openly making comments such as: “We choose our customers, they don’t choose us,” and “Our customers need us more than we need them.” Or, my personal favorite: “We can’t let our customers terminate for poor performance. If we did that, we could go broke if we have several months of truly bad performance.”
With margins narrowing, competition increasing, and appetite for risk dwindling, a growing number of vendors seem to focus on taking advantage of their customers, with little view to the future.
Examples of vendors taking advantage of their customers:
- Vendors are moving the majority of key terms in their agreements (e.g., service or product functionality, service levels, support standards, etc.) out of the signed document and into URLs, whose content can change at any time, generally without notice to the customer. In such cases, the customer is seldom even afforded the ability to terminate the agreement. Rather, it may be stuck with an irrevocable commitment to pay for a service that is largely undefined.
- Cloud providers are offering service levels that are so narrow and have such trivial remedies for failure to achieve them that the service levels provide no real protection. In many cases, it would be literally impossible for the vendor to ever fail to achieve the service levels it has promised. Worse yet, a number of cloud providers are now offering no service levels whatsoever, stating that they will simply use “reasonable efforts” to make the service available for use.
- Redefining “availability” of a cloud service as a mere response to a ping (the host answers on the network), as opposed to actually delivering the functionality the customer has purchased. Under that definition a service whose application or database is down is still “available” so long as the server can be reached.
- An executive for a vendor in the healthcare space who had repeated, substantial overruns on its projects was overheard joking with another executive about how they nearly bankrupted a small healthcare provider.
- Vendors who include “land grab” clauses in their contracts that, for example, require the customer to forego ever asserting any of the customer’s intellectual property rights against the vendor – even if those rights have nothing to do with the services or products the customer is purchasing – even if the vendor has intentionally misappropriated the customer’s intellectual property. This essentially amounts to a free license to the customer’s library of intellectual property. In some cases, the waiver of rights extends not only to the customer signing the contract, but all of its affiliates.
- A well-known vendor is known for sunsetting key system functionality and leaving its customers stranded.
- A professional services vendor who intentionally underbids projects with the clear intent of making up the difference through dozens, if not hundreds, of change orders.
- Vendors involved in hosting highly sensitive personal information for businesses in regulated industries offer extensive documentation about their “world-class” security measures, but accept little, even trivial, liability if they fail to comply with those measures.
- Vendors conducting excessive, overly-intrusive, very time-consuming audits of their customers to detect even the most minute non-compliance and then saddling them with excessive audit costs (sometimes many times the value of the non-compliance) and payments to remediate the non-compliance.
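Because the difference between “answers a ping” and “delivers the purchased function” determines how much an availability commitment is actually worth, it is worth measuring both yourself rather than relying on the vendor's own reports. The following is an added example, not code from the article or from any vendor, that runs a month of constructed hourly probe results through both definitions and through a hypothetical tiered credit schedule. The probe data, the outage windows, the dates, and the credit tiers are all assumptions made up for illustration; a real deployment would feed in the results of your own synthetic transactions (login plus the purchased function) alongside a plain reachability check.

```python
"""Compare 'ping' availability with functional availability over the same month.

Added example: probe data, outage windows and credit tiers are constructed
for illustration; none of them come from the article or a real vendor.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Probe:
    at: datetime
    ping_ok: bool        # host answered a network reachability check
    functional_ok: bool  # end-to-end transaction (login + purchased function) succeeded


# Hypothetical credit schedule: (minimum availability %, credit % of monthly fee),
# highest threshold first. Below the lowest threshold the floor credit applies.
TIERS: List[Tuple[float, float]] = [(99.9, 0.0), (99.0, 10.0), (95.0, 25.0)]
FLOOR_CREDIT = 50.0


def build_sample_probes(days: int = 30) -> List[Probe]:
    """Constructed data: one probe per hour, a 2-hour host outage during which
    nothing answers, and a separate 36-hour application outage during which the
    host still answers ping but the purchased function is down."""
    start = datetime(2024, 1, 1)  # arbitrary constructed month start
    probes = []
    for hour in range(days * 24):
        host_down = 100 <= hour < 102
        app_down = 300 <= hour < 336
        probes.append(Probe(
            at=start + timedelta(hours=hour),
            ping_ok=not host_down,
            functional_ok=not (host_down or app_down),
        ))
    return probes


SAMPLE_PROBES = build_sample_probes()


def availability(probes: Sequence[Probe], is_up: Callable[[Probe], bool]) -> float:
    """Percentage of probes for which is_up() returned True."""
    if not probes:
        raise ValueError("no probes to evaluate")
    up = sum(1 for p in probes if is_up(p))
    return 100.0 * up / len(probes)


def sla_credit(availability_pct: float, tiers: Sequence[Tuple[float, float]],
               floor_credit: float = FLOOR_CREDIT) -> float:
    """Credit (% of monthly fee) owed under a tiered schedule."""
    for threshold, credit in tiers:
        if availability_pct >= threshold:
            return credit
    return floor_credit


def compare(probes: Sequence[Probe], tiers: Sequence[Tuple[float, float]] = TIERS) -> Dict[str, float]:
    """Availability and credit under both definitions, plus the gap between them."""
    ping_avail = availability(probes, lambda p: p.ping_ok)
    func_avail = availability(probes, lambda p: p.functional_ok)
    ping_credit = sla_credit(ping_avail, tiers)
    func_credit = sla_credit(func_avail, tiers)
    return {
        "ping_availability_pct": ping_avail,
        "functional_availability_pct": func_avail,
        "ping_credit_pct": ping_credit,
        "functional_credit_pct": func_credit,
        "credit_gap_pct": func_credit - ping_credit,
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_PROBES).items():
        print(f"{key:30s} {value:8.3f}")
```

On the constructed month the host answers ping 99.72% of the time, which under the hypothetical schedule earns a 10% credit, while the purchased function was actually usable only 94.72% of the time, which would earn the 50% floor credit. The 40-point gap is the value of the word “availability” in the contract, and the same probe log is the evidence you would need to dispute a vendor's ping-based report.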
Please do not misunderstand the foregoing comments. They relate to a minority of vendors, but the number is increasing. Fortunately, there are still outstanding vendors that realize the golden rule of doing unto others as you would have done to you. They work hard to negotiate reasonable agreements and truly understand the value of growing long term clients. It is those vendors that businesses should actively seek out and reward with business, as opposed to the type of vendors discussed in this blog entry.
A few top tips for avoiding predatory vendors:
- Conduct adequate due diligence of vendors, particularly their existing customers. Reject using customers the vendor offers as references and locate your own. Ask about customers who didn’t renew contracts in the preceding year.
- Do an appropriate risk assessment of the engagement. Is this a critical business function? Will highly sensitive data be placed in play? Is this a customer facing application?
- Beware vendors who evidence a clear disdain for the customer, are uncooperative during negotiations, etc. If a vendor behaves in that manner during the sales cycle, imagine how it will act after contract execution.
- Identify major risk issues as early as possible during the contracting process (e.g., vendor won’t offer material service levels, vendor refuses substantial liability, etc.). Share those issues with senior management and obtain their buy-in or explore other options. All too often, businesses wait until far too late in the process before identifying key risk issues and escalating them.
- Use competitive processes, whether an RFP or, even, RFQ, in acquiring key services and products.
- There are very few instances in which there is only one vendor of a particular type of product or service. Always try to have an alternative vendor in mind if adequate protections cannot be negotiated with the primary vendor.
- Avoid long term contracts, but always negotiate unilateral rights to renew for at least a few years. For example, instead of a five year contract, negotiate a two or three year initial term with two to three one year renewal terms.
- Negotiate appropriate termination rights for poor performance by the vendor. In some cases, the vendor will refuse to accept any real responsibility for its performance, in which case there may be no means of declaring a breach and terminating. In such cases, a termination for convenience right should be negotiated instead.
All too often, the primary driver for vendor decisions is cost. The lower the price, the more attractive the vendor. As discussed above, however, there are hidden costs in vendor engagements that must be factored into the overall “buy” decision. Neglecting those hidden costs could cause substantial harm to your business.
This article was written by Partner Mike Overly and was originally published on his blog, Crossroads of Cybersecurity and the Law, which is hosted by CSO. CSO, from IDG, provides news, analysis and research on a range of security and risk management topics. Areas of focus include information security, data protection, social media security, social engineering, security awareness, business continuity and more.
Read this specific article on Mike’s CSO blog here.
[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]