Legal Tips to Help Avoid MSP Pitfalls

Page 2 of 3

The application service provider business model, in which an enterprise hosts an application and charges users for use of it, is becoming more common. In a business-to-business environment, engaging a service provider to host applications can provide businesses, particularly small businesses, with a number of advantages. One major benefit is that the business doesn't need to concern itself with data-backup or document-retention policies, since those policies are often set by or negotiated with the ASP.

However, when negotiating a service contract with an ASP, thought must be given to the type of data the ASP will process and to ensuring that the ASP exercises due care in protecting the privacy of personal and financial data. A number of state statutes may apply to such data, and the relevant state statutes should be consulted when negotiating a service contract with an ASP. There are also federal statutes that protect the privacy of data, two of which pose direct problems during the negotiation of an ASP service contract: the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).

Gramm-Leach-Bliley is applicable to a wide variety of financial institutions and applies to information about a consumer that has been provided by the consumer to obtain a financial product or service, results from any transaction involving a financial product or service between a consumer and a financial institution, or is obtained by the financial institution in the course of providing a financial product or service to a consumer.

HIPAA protects the privacy of health information relating to the past, present or future physical or mental health or condition of an individual, the provision of health care to the individual, or the past, present or future payment for the provision of health care. Under HIPAA, an entity must adopt appropriate administrative, technical and physical safeguards to protect the privacy of health information, and the level of safeguards that must be employed depends on the entity's size and sophistication. Failure to comply with HIPAA can result in civil liability with fines from $100 per person per violation to $25,000 per person per violation.

Careful consideration of the protections that must be observed in connection with data processed by an ASP is necessary for any company entering into such a service contract.

Lanza is a partner in the intellectual property and litigation groups at Choate, Hall & Stewart in Boston. He can be reached at

Hidden Traps in MSP Agreements

By Lawrence R. Robins, Finnegan, Henderson, Farabow, Garrett & Dunner LLP

The managed service provider model offers companies the option of outsourcing operations, maintenance and security. While offering cost savings and operating efficiencies, outsourcing applications presents a number of legal risks. In addition to standard contract-drafting issues such as warranties, service levels, response times and compatibility with legacy applications, companies should address these issues:

Privacy. Where customer and/or employee information will reside on the provider's servers, responsibility for improper disclosure must be apportioned. Since the customer/employee will look to the client company for relief, the contract must provide sufficient warranty and indemnity protection if disclosure results from a failure by the provider.

Confidentiality. Disclosure of confidential information can occur in at least two ways. First, the information may escape as a result of a security breach. Thus, the contract should address responsibility in the event of such a breach. Clients should look out for form agreements that place the risk entirely with the client, even where all hardware, software and network connections reside with the provider. Second, confidential information is at risk when the provider receives a subpoena or other legal request for disclosure. To prevent inadvertent release of confidential information, clients should require notice of receipt of a subpoena or other request for information and sufficient time to challenge the request prior to disclosure.

Intellectual Property Rights. If the relationship involves custom development, define in advance the ownership rights thereto. If the custom work incorporates the confidential information or business practices of the client, then client ownership may be appropriate. If the development is generic and reusable for other clients, ownership rights vesting in the provider may be preferred.

Specificity. As with all IT contracts, the parties should strive for as much specificity as possible in the service-level agreement. Define all performance parameters, escalation procedures and maintenance obligations. If the client seeks interactivity between the hosted application and legacy applications at the client site, define performance parameters specific to those expectations.

Attention to these issues at the contract-drafting stage could well prevent significant problems down the road.

Robins is a partner at the intellectual property law firm of Finnegan, Henderson, Farabow, Garrett & Dunner LLP, and is resident at the firm's office in Cambridge, Mass. Copyright Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes and is not intended to constitute legal advice. This memorandum may be considered advertising under applicable state laws.

Negotiating a Managed Services Deal

By Ann Tardy, Law Office of Ann Tardy

Companies that hire managed-service providers to host their applications must carefully consider four key issues: uptime, scalability, pricing and performance.

Uptime. When a company hires an MSP, the standard is 100% uptime. However, this shouldn't be considered an insurance policy. The MSP's liability is limited to what it can control. For example, let's say the MSP has a procedure for implementing new revisions of software. If the client company fails to follow protocol, then the MSP can't guarantee 100% uptime.

Scalability. Clients should expect that MSPs will own, maintain and scale customer systems to accommodate growth. The specific requirements should be managed via a mutually agreed-upon performance metric. Both the MSP and the client should periodically evaluate the underlying architecture's scaling assumptions. This will ensure that the metrics continue to be appropriate.

Pricing. The notion of success-based pricing is an innovation in the MSP world, particularly for the software-as-a-service model. This pricing requires client companies to begin with a minimum monthly commitment and a percentage of revenue. Clients are often allowed to increase their monthly minimum commitment in order to decrease their percentage of revenue. Typically, clients are locked into a monthly commitment for a period of time. Clients often negotiate a two-year contract, but want the option to terminate within 30 days at any time; however, the pricing will reflect a 30-day contract with 30-day pricing, not two-year pricing.

Performance. Interestingly, most clients are so concerned about limiting their exposure under a contract that very little thought is given to how the two companies will work together on a day-to-day basis. The contract simply defines a client company's rights, such as how to get out of the contract if something goes wrong. But business relationships rarely run on contracts. Clients need to ask the MSP, "What exactly happens if something does go wrong? What will you do for me?" It's often too expensive to terminate the contract, so client companies should require service credits. The MSP should agree to performance standards regarding customer service response time. The last thing client companies want is to terminate an arrangement with an MSP when its entire operation has become dependent upon the MSP.

Tardy is an attorney in private practice in the San Francisco Bay area.

Pros and Cons in Your MSP Deal

By Jerry O'Connor, Foley Hoag

Managed service providers are an increasingly important part of the IT executive's strategy for managing the company's technology resources. When establishing a relationship with a technology managed service provider, however, it pays to be aware of the legal risks as well as the benefits that the company can expect from the relationship. Here are some suggestions for how to look at these questions and avoid potential problems.

Be Clear About What You're Getting. The term managed service provider can refer to any expert outside party hired to provide a product or service. For example, almost every business needs electricity, but few produce their own. Instead, most purchase the services of the local utility, which not only supplies power more cheaply and dependably, but will also address issues such as downed lines and blackouts. Electricity is thus a service; provided along with management resources directed toward optimizing performance and resolving problems, it would be an example of a managed service.

The benefits of applying this model to the task of managing technology applications -- leveraging the know-how developed by an expert provider across a broad spectrum of development experience and customer relationships -- are numerous and obvious. But how much like the electric company do you think your technology managed service provider is? How much like the electric company does the MSP see itself as being? In the difference between these two perspectives lies potential for legal risk.

Many of today's MSPs are the same entities that last year (or last month) were licensing their products under traditional software licenses. They're used to thinking about how to protect their proprietary innovations. For example, the MSP may resist escrow agreements, source-code delivery triggers and such provisions. However, you should get some reasonable rights to the software as well as any data maintained by the MSP, if it can't or won't provide the services.

Have an Exit Strategy. A merger or other exit event can also raise issues. Remember, the electric company keeps the electrons flowing as long as the bill gets paid, regardless of who owns the company. If you read your MSP contract, you might see, way in the back of the agreement, a sentence stating that you "may not assign this contract without MSP's consent." This provision could cause problems if the company finds itself negotiating to be acquired. Depending on the specific language and how the acquisition is structured, the transaction could be deemed an "assignment" of the contract. The acquiror may balk at proceeding without the MSP's consent, and disclosing the pending agreement to the MSP before it is signed may be inadvisable. You might avoid this impasse if, when negotiating the agreement, you ask whether the MSP has a legitimate concern about a change of control. If so, a more narrowly-drawn solution might be appropriate.

O'Connor is a partner at the Boston law firm of Foley Hoag LLP. He advises technology companies ranging from start-ups to publicly-traded companies on a wide range of corporate, securities and intellectual property matters.

Four Legal Questions to Ask

By Peter S. Vogel

If you are preparing to enter into a contract permitting a vendor to host your critical applications, take the time to read the contract closely and be prepared to ask critical questions. And when you get those answers, make sure that the contract clearly spells out every one of those responses before you sign. A handshake agreement is never sufficient, because the last thing you want to happen is to end up at the courthouse before a judge acting as the referee in a you-said, we-said argument.

What you specifically look for in a contract will be unique to your business requirements, but here are some critical questions that need to be addressed:

Who Owns the Data? And will the vendor provide you access to your data? If the contract isn't specific on this question, it's likely that the vendor will be able to hold you hostage. So the contract should be absolutely clear that you own the data, and when the contract ends, the vendor has an absolute obligation to give you all the data in the electronic format that you have specified.

Can You License the Software? You will become dependent on the software over time, and every services agreement ends. Since you know these facts prior to entering into an agreement, go ahead and get a license for the software at the time you sign the services contract. If you already have the software license agreement in place, when your contract ends, you will have the right to bring the processing in-house or let another vendor process your data with a minimum of disruption to you.

Does the Vendor Have Backup Contracts? Make the vendor show you its backup Internet service provider contracts. Otherwise, you are running a great risk for serious downtime if the vendor either doesn't have a backup Internet service provider or uses a backup provider that relies on the same backbone.

Is the Contract Consistent with Promises Made? Since it's more likely than not that the vendor representatives with whom you negotiated your contract won't be around a year later, every vendor promise made in letters and in conversations during negotiations should be included in the contract. Even if the same vendor representatives are around, you don't want the challenge of trying to prove to a judge that you had an oral agreement for something not included in the written contract.

Look closely at the vendor's contract and make sure that everything important to you is included and that it's spelled out in plain English that you understand. If you can't understand the contract, it may not be a good idea to sign it.
