Key legal issues to consider when drafting Internet-based outsourcing contractsApplication service providers (ASPs) and Internet-based business process service providers (BPSPs) are blazing the way for the e-outsourcing market. Forecasters predict that the ASP market, which often overlaps with, and is defined to include, BPSPs, will exceed $US22 billion by 2003. The GartnerGroup(US) has estimated that 40 per cent of all applications will be provided through ASPs within the same time frame. These are staggering predictions for an industry still in its infancy.
In emerging markets, people look to more established markets to identify risks and legal pitfalls. But these issues, while analogous, need to be re-evaluated and contracts need to be redrafted to address changes that come from using the Internet as an outsourcing platform. For example, data security issues may take on more weight in an Internet-driven deal than in a typical service offering. The trick for contract drafters and negotiators is to identify and allocate risk in a way that is equitable in light of the overall transaction and market.
We've outlined here some of the key legal issues that may arise in connection with e-outsourcing transactions. These issues - and the ways they are addressed - will be tested and shaped as the market itself evolves.
Standardised vs Negotiated Terms
Historically, few customers would accept a vendor's standard terms as a matter of course. In Internet-based outsourcing transactions, however, service providers have started using standard terms with little or no amendment. This trend is fuelled by several factors including customers' urgent need to become Internet-enabled, which does not allow time for lengthy negotiations. Furthermore, market leaders are leveraging their positions to require acceptance of their terms. In an immature market, many customers opt to go with the safest (and most recognised) alternative regardless of the contract terms.
Perhaps the most prevalent use of standardised terms is in connection with "packaged" services. Here, the customer may agree to a contractual relationship through a click-wrap agreement, which by its nature is not negotiated. While there seems to be a trend toward standard terms, negotiation is more likely in large transactions, transactions where the customer has significant clout and transactions for customised services. In order for standardised terms to work, the service provider must develop terms equitable to both parties.
Scope of Services
Service providers should be able to articulate, and customers should clearly understand, the scope and type of services to be provided. When defining the scope of services, consider:
* Points of responsibility: At what point, or points in the network, does the service provider assume responsibility? For example, most ASPs will not assume responsibility, and in fact they will seek to be excused for performance failures resulting from connectivity failures caused by a third-party provider.
* Integration and compatibility: To what extent is the service provider responsible for integrating its systems with the customer's systems or ensuring compatibility of systems? Is any application or data conversion necessary?
* Technology changes: What is the service provider's responsibility for knowing of, implementing and maintaining new technologies, including new releases, updates and upgrades?
* Support: Negotiators will need to iron out the types of support services to be offered (help desk, problem resolution, training), when such support will be available (normal business hours, 24/7) and how such support will be provided (an online help desk, onsite). The contract should outline standard problem-escalation procedures for handling service issues.
In a market where service providers may be eager to please in order to acquire market share, customers need to be careful to contract for service levels that the provider can practically meet. If it sounds too good to be true, it probably is. Contracts should also address under what circumstances the service provider should be excused from performance - such as third-party or customer-caused failures and force majeure events.
Contract negotiators should further evaluate the consequences of termination or expiration. For example, what types of assistance will the service provider offer on termination or expiration? Will the customer have any ongoing rights to use service provider-owned or licensed technology? Will the service provider incur any wind-down costs that should be borne by the customer, such as redeployment or termination of resources including people, machines and software?
Security and Data
With the increased potential for unauthorised access in Internet-based transactions, data and system security is a particularly hot topic. Customers need assurance that their data and systems will not be subject to unauthorised access or disclosure, or commingling with other's data. Many ASP sites now post security policies that describe the safeguards in place, as well as the procedures in the event there is a breach of data or system integrity.
Most sites also make affirmative statements regarding the use of customer information, particularly personal data. This is driven not only by customer expectations but also by privacy and confidentiality laws. The service provider should be restricted from using customer information, even for benchmarking or research purposes, unless expressly approved by the customer.
Limiting liability to discrete events and reasonable amounts in light of the value of the overall transaction is crucial. Vendors typically try to cap the amount of direct damages they may be liable for (often tied to a percentage of the fees for a certain number of months). Both parties should disclaim liability for any damages that they may have little or no control over.
In Internet-based outsourcing, there may be multiple providers where there has traditionally been a primary contractor/subcontractor relationship. For example, connectivity may be the responsibility of a third party and therefore out of the service provider's control. At this time, the marketplace is tolerating some disclaimer and delegation of responsibility for third-party acts and omissions. As the market matures and services are consolidated, service providers may have to step up to assume more primary responsibility.
Negotiators for both customers and service providers should work through potential scenarios in an effort to identify areas of liability and risk. It is prudent to have risk-management, audit and insurance experts analyse these risks and recommend ways to reduce potential exposure. The best approach is typically not to disclaim a risk but to assume risk that is fair and manageable in light of the overall business deal. A fair contract is the best contract, after all.