With the pandemic causing more business to be conducted online, nonprofit organizations need to carefully evaluate and understand the technology services, platforms, and systems they acquire and use. In a recent webinar, attorneys Nora Garrote and Chris Kim, from Venable's Intellectual Property Transactions Group, provided an overview of the contract considerations and other issues and risks nonprofits should consider when conducting technology transactions.
- Common IT Procurement Scenarios and Misconceptions. When procuring technology solutions, whether they are payroll systems, donor or member management systems, data warehouses, analytical tools, or network/back-end functions, it's important to understand the risks of each type of procurement in order to negotiate the correct contract terms. Any so-called standard contracts that a consumer might be offered for these types of procurements are pro-vendor arrangements that are not beneficial to the consumer and may not contain sufficient (or any) data security or service-level commitments. In order to negotiate the correct contract terms and ensure regulatory compliance obligations are met, it's imperative that consumers perform more involved due diligence, risk assessments, and technical evaluation of the vendor. Finally, to minimize risk and to hold vendors to account, consumers should carefully review order forms and statements of work.
- Development Arrangements. The type of technology being procured will significantly impact the contract terms. For instance, if a consumer requires a developer to create an app for its sole use, then the consumer needs to ensure certain criteria are covered under the contract terms. First, the development arrangement should require that the vendor include all of the necessary notices and licenses to comply with App Store requirements; that the consumer has the right to test and accept the work; that there is a provision for knowledge transfer, so the consumer can understand how the app was built and how it functions; that the vendor warranty is sufficient or that there is an ongoing support contract where necessary; that the work is physically delivered to the consumer along with source code and technical documentation; and, finally, that the consumer ultimately owns the work and has the right to do anything the law allows with respect to the work.
- License-Based Procurements. These types of procurements relate to vendor technology that has been licensed to a consumer and configured for their use. In such arrangements, the consumer should focus on securing a strong Statement of Work and should be clear about the scope of the license – what technology is being licensed, what it can be used for, how long it can be used, and what the limitations are. If the consumer doesn't establish a sufficient license scope, the vendor may attempt to charge additional fees down the road. Consumers should also ensure that vendor commitments related to ongoing maintenance and support are clearly established in the licensing agreement. Finally, consumers should secure a commitment from the vendor that the license is applicable to updated or new versions of the vendor's product.
- Service-Based Procurements. These are the most common types of arrangements, and they allow a consumer to access and use a vendor's cloud-based or externally hosted software, application, or solution for a specified period of time. While, like other license-based agreements, these are existing solutions that will be configured and implemented by the vendor, a key difference is that the vendor will typically host the consumer's data or content (whether by itself or through a third-party host). For this reason, the most critical issue for consumers entering into these arrangements is to ensure they always have access to that data or content (a performance guarantee) and that the content is secure. At the very least, consumers should ensure that the contract clearly outlines the vendor's obligations to maintain the security of the networking environment, and to keep it upgraded and scalable.
- Data Issues. Recent regulatory developments have brought data issues to center stage in the IT industry. There is a lack of consensus on the vendor side, however, as to how much legal liability vendors should assume. Whether a consumer is procuring "data services" (where data is the product) or "data about the services" (where data is a by-product), almost every cloud hosting solution will involve some amount of vendor exposure to data. Thus, consumers should take care to ensure that contract provisions account for all types of data and that the provider is being up-front about collection procedures and security protocols. Furthermore, traditional IP concepts and laws don't adequately cover proprietary rights in data, so consumers should take care that the contract language specifically describes the parties' ownership, license, and other obligations regarding data. Finally, nonprofits should determine which data laws apply to their organization, and whether any data has regulatory implications or requires special handling under the laws.
- Common Data Provisions and Other Considerations. Consumers should take care that their contracts include data-specific provisions asserting ownership and security. Some common provisions include establishing standards for data security; specifying where data is stored; ensuring legal compliance during cross-border data transfers; minimizing vendor licensing permissions; establishing procedures and time frames for the return/destruction of data; ensuring vendors are complying with laws and regulations; establishing cyber insurance for data or security breaches; service-level commitments; and warranties.
- Confidentiality and Information Security. Consumers should be aware of the interplay between a general confidentiality section governing all confidential information exchanged between the parties and a data section containing data-specific notices and procedures. It's important also to establish permitted disclosures and policies related to the return or destruction of confidential information and surviving obligations. Finally, the contract should specify procedures for handling security breaches, indemnification specific to security breaches, and caps on liability for data loss and third-party claims.