Update from Capitol Hill – Information Technology And Outsourcing Implications

In our ongoing effort to provide our clients and friends of the firm with updated information and insight on developments related to legislation to support the financial markets, the Foley & Lardner LLP Financial Crisis Response Team is pleased to provide the following summary of today’s events in Washington.

Information Technology And Outsourcing Implications

Many vendors of software and technology services (e.g. providers of services such as outsourcing, remote systems hosting and application development), will be affected by the crisis in the financial markets. In light of the changed economic environment, we recommend a review of contractual relationships with your technology vendors. To assist in this review, we provide the following list of key issues and concerns:

1. “Extraordinary Event” Changes in Price. Many outsourcing agreements include provisions that permit a re-examination or renegotiation of fees and scope of services in the event of “economic change” or other extraordinary events affecting the business or operations of the customer. The current financial markets crisis may independently trigger certain valuable rights on the part of the customer to open up negotiations on price or the scope of services.

2. Assess Price Escalation Provisions. While it is not possible today to predict the long-term effect of the current crisis on the Consumer Price Index (CPI), Employment Cost Index, and other indices of economic change commonly used in contracts for technology-based goods and services, it certainly is a time to re-examine the enterprise approach to negotiating such provisions. Existing contracts should be reviewed to determine if the current financial environment is likely to trigger any price increases or other adjustments. For new agreements, consider whether CPI (or other relevant index) adjustment thresholds, a sharing of CPI increases, and/or a CPI increase cap are appropriate protections to include.

3. Determine Where Your Data Is Located and How to Get it Back. Contractual clauses regarding the possession, use and return of data, especially for contracts where this information is hosted by the vendor, should be reviewed. If a vendor falls victim to the financial crisis, a customer may find it difficult or impossible to identify the data that is in the possession of the vendor or where the data is located. This problem is made more complex where the vendor uses and holds the data in one or more countries. Accordingly, it may make sense to require more frequent data backups (with at least one of the backup locations within the United States) and/or requiring the vendor to perform certain mission critical services on shore or in near shore locations to make it easier to recover data in the event of a problem. Consider exercising available audit rights, if any, to assess the current data situations and plan a risk mitigation strategy. It is critical that the vendor’s possession, use and recovery of data that is subject to various data privacy legislation both within the United States and elsewhere remains in compliance with applicable laws and applicable corporate policies. Regardless of whether a vendor is at risk because of the financial crisis, consider requiring all vendors who have critical data and information to backup that data now before there is a problem.

4. Review Your Source Code Escrow Clauses. Many software license and outsourcing agreements contain source code escrow provisions that permit the customer to access the source code for certain software used or developed by the vendor. Often, the “release conditions” which trigger the customer’s right to access the source code are narrowly defined. However, in most cases, the release conditions include the bankruptcy of the vendor. Customers should review the source code escrow provisions in their important vendor contracts to assess whether the “release conditions” are adequate and consider adding new release conditions to permit access to the escrowed source code in the event the vendor has financial difficulties. Further, customers would be well advised to ensure that the vendor has complied with its contractual obligations to update the source code held in escrow. For critical systems, the customer should consider engaging an independent third party to assess the status of the deposited code to ensure the code is properly commented, all files necessary for compilation are present, and that the code can be understood by someone reasonably skilled in the relevant subject area.

5. Impact of Financial Degradation. As to new or renegotiated contracts, given the uncertain credit markets and the risks posed by a vendor that is no longer financially stable, consider including a termination right in the event of the financial instability of the vendor. For vendors that have publicly traded debt or equity, a useful metric is to track the long term credit rating of the vendor and impose a floor which, if exceeded, triggers a right for the customer to terminate the agreement or exercise other remedies such as step-in rights. Other possible triggers for both public and privately held vendors could include a “going concern” qualification from the vendor’s auditor or a clause to permit termination if the customer has a reasonable basis to doubt the vendor’s continued financial stability and the vendor fails to provide the customer with adequate assurance of its continued ability to perform. Finally, consider requiring performance/indemnity guarantees from the vendor or its parent company as a hedge against the vendor’s failure to perform as required in the agreement.

6. Audit. Assess current agreements with key vendors to determine whether the agreement permits financial or other audits of the vendor and, if so, whether an audit would be prudent now to help identify whether there is a likelihood of financial distress and to ensure that data, intellectual property, confidential information, and other key assets can be recovered quickly if needed. If your contracts have audit or other rights permitting visibility into the vendor’s financial wherewithal or if the vendor is publicly traded, now is the time to conduct a review of the ongoing financial viability of your key vendors. Where appropriate demands for further assurances of the vendor’s ability to continue performance should be considered. In addition, identifying contingency vendors and potentially pre-negotiating “fail-over” contracts may be appropriate.

7. Reassess Minimum Purchase and/or Revenue Commitment Language. Contractual requirements for the customer to make certain minimum levels of purchases should be reviewed carefully and tempered with “economic downturn” language or with sole remedy (termination) language that limits the customer’s exposure if it fails to meet purchase commitments generally.

8.  Danger of Long-Term Agreements. In the current environment, long-term contracts pose greater risks than short-term contracts with short- renewal terms because of the difficulty of moving to a new vendor quickly. All long-term agreements should be identified and financial due diligence and other audits may be warranted with respect to those vendors. Long-term agreements should be considered very carefully, as the underlying financial case for any given deal is more susceptible to change. Moreover, if the contracts do not contains adequate protections in the event of financial distress, consider opening up negotiations to add the desired provisions.

9. Increased Pressure to Offshore Services. As technology budgets constrict, customers may consider outsourcing business functions to offshore vendors. While offshoring can be more cost-effective in certain instances than on-shore work, specific protections should be required in your vendor agreements to address the unique issues presented by these engagements and to ensure your continuing compliance with regulatory obligations. In structuring these new relationships, conduct rigorous due diligence on the vendor and ensuring the contract adequately addresses the unique issues presented by these transactions (e.g., intellectual property ownership under local law, information security, control over personnel and contractors, etc.). Instead of new relationships, you may consider broadening an existing relationship. In such cases, the existing contract should be reviewed to ensure the level of protection is appropriate for the new areas of work. Finally, if you are a financial institution, contracts with offshore vendors should be measured against the guidance provided in the Federal Financial Institutions Examination Council’s (FFIEC) “IT Examination Handbook,” including Appendix C relating to Foreign-Based Third Party Service Providers. The Handbook is readily available on the FFIEC Web site.

10. Due Diligence on New Vendors is Critical. For the duration of the crisis, extra emphasis should be placed on financial and operational due diligence activities that routinely take place as part of the vendor selection and management processes.

11. Evaluate the Vendor’s Insurance Coverage. Now is a good time to determine whether key vendors comply with current contractual requirements with respect to insurance coverage. In addition, a review of each vendor’s insurance portfolio to determine whether coverage gaps exist and whether additional coverage can or should be obtained to address the risks associated with a loss, theft, or breach of data by a financially troubled vendor. In professional service engagements, a performance bond may also be appropriate for key engagements.

12. Review Termination Assistance and Knowledge Transfer Provisions.  Most agreements for technology-based services include a requirement that the vendor assist the customer with the transition of the services to the customer or another vendor at the end of the agreement. Often, these provisions are very vague and do not contain even the basic building blocks necessary to protect against an interruption in the affected business function, avoid problems related to the recovery of the customer’s data, confidential information, and other assets, or the knowledge transfer activities necessary to move to the new vendor. These issues should be investigated and if not addressed, contingency plans should be considered.