From contract issues to liability to security requirements, the legal burdens have expanded for IT leaders.
IT is a technical discipline, but it also involves working with others, cementing contracts and managing agreements, purchasing equipment/services, and myriad other areas that involve legal issues. You might not be a lawyer, but if you're an IT manager--or aspiring to become one--you should know about the following legal concerns.
1: Boilerplate contracts
Most vendors will tell you that it's impossible to modify a vendor contract. That's because it costs money for a vendor to put its attorneys to work modifying what's already an industry-standard boilerplate contract. But a one-size-fits-all contract approach doesn't always work for clients. If you have specific requirements (like service level agreements) you expect your vendor to meet and these are absent in the boilerplate contract presented by the vendor, you or your attorney can draft your own addendum to the contract, along with a cover letter stating that the boilerplate contract together with your addendum are to be construed as the complete agreement--and that if there is a conflict between terms stated in the boilerplate contract and the addendum, the addendum will preside. The vendor doesn't have to go back to its legal staff and you have the guarantees in writing you're looking for.
A surprising number of vendors don't have stated service level agreements (SLAs) in their contracts, but you've probably promised your own service levels to your users. Minimally, your vendor should be able to meet these standards in areas like mean time to recovery, mean time to repair, uptime, speed of processing, and security. SLAs are one of the most common areas where companies draft addenda to the vendors' boilerplate contracts.
3: Liabilities of third parties
If you're considering using a cloud-based vendor, one of the first questions you should ask is whether the vendor owns its own data center. If the answer is no, and the vendor is leasing data center space from a third party to run the application it's selling you, this is a potential red flag. Why? Because the third party vendor with the data center that your application vendor is using has no direct contractual relationship (or obligation) with you. While there are legal theories that dispute this, it is certainly an item that can be argued either way. The best way to avoid the matter altogether is to look for cloud vendors that also own their own data centers.
4: Hiring business partner employees
Employee hiring always carries risk, because you never quite know if new hires can do the job until you see them perform for awhile. This is why many businesses look for new hires who are already known quantities--and it is a major reason why IT professionals are hired away by companies from their vendors or by vendors from their clients. If you're concerned about losing key performers to potential business partners, the best way to address the situation is to articulate some ground rules at the beginning of your business relationships. Often, companies do this by specifying that the vendor must work with the company a minimum of one year before it can solicit company employees for hire or that the vendor must pay a fee to the company for the loss of an employee. The same set of rules would apply in reverse.
5: Contractor liability
When a company hires outside contractors to do a job (e.g., to code a mobile app), they might be using the company's IT assets to do the work, but they're using their own methodology and expertise. This is relevant legally because people who are independently employed, since they are in control of their own expertise and work methodology, are therefore not liabilities to the company if something in their work goes awry. An exception to this is if a contractor is doing extremely dangerous work (such as programming a nuclear reactor) that the company should be maintaining its own control and supervision over, or that it should not be delegating.
6: Termination and liquidated damages clauses
Companies are eager to ink new contracts, but they often fail to perform due diligence when it comes to exit clauses. There have even been cases of open-ended contracts for IT services with no termination dates or with unreasonable liquidated damages clauses should the company decide to opt out of a contract. You and your attorney should carefully review the termination clauses/liquidated damages stated in vendor contracts before signing on the dotted line. If the vendor contract is lacking a termination clause/conditions, the clause should be added via addendum.
7: Data retention and ediscovery
Federal Rules of Civil Procedure Rules 26 and 34 define email, social media, texts, enterprise social communications and website content as electronically stored information (ESI) that companies are supposed to preserve for legal and evidentiary purposes. If corporate IT doesn't have this information, the company could be held liable for spoliation of evidence, which is "the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying of evidence relevant to a legal proceeding."
IT plays a major role in this process. A policy for data retention, to meet ediscovery and legal business requirements, must be written and agreed to by IT and other business units. Just as important, the company and especially corporate IT must show to outside auditors/examiners that the policy is being rigorously upheld. This adherence must include not only data safekeeping and retention practices, but also the safe disposal of hard drives and other storage media that are being phased out of service. The goal with outdated media is to ensure that it never leaves the building with any remnants of data on it.
8: Vendors that are acquired
It's your worst nightmare, but this has happened to companies more than once: A vendor that the company has an unsatisfactory business relationship with is abandoned and a new vendor that the company likes takes the old vendor's place. Everything goes along smoothly until the company receives notice that the old (and unsatisfactory) vendor is going to acquire the new vendor. This situation can easily be addressed legally by including language in your contract with the new vendor that you reserve the right to terminate your agreement should a change of management control (like an acquisition) occur.
9: Regulatory and security requirements
For most IT'ers, it goes without saying that your company is going to face legal repercussions if you don't keep IT in step with new regulations and security requirements for your industry. Nevertheless, the reality for many smaller IT shops is that they just can't afford the resources needed to keep up with every new regulation. If you're in this boat and concerned about the legal ramifications of falling behind, the best place to start is by going to the regulatory agencies themselves. In some cases (the financial industry is a good example) extensions for becoming compliant are granted, and in other cases smaller organizations are allowed to meet lower standards of compliance.
Unless they are absolutely needed, audits are often perceived as a discretionary expense that can be axed when it comes to budget cutting. Sometimes this is good strategy, but increasingly it isn't. Current levels of intrusions and security compromises are high. The bottom line legally is that audits should be treated as mandatory and not as discretionary expenses. They are your documentation from skilled third parties that you are capably performing your information stewardship responsibilities to your stakeholders.
What legal roadblocks have you run into as an IT manager? Has your level or focus of concern about legal issues changed in the past few years? Share your experiences with fellow TechRepublic members.
- Best practices for corporate data retention
- 10 things IT needs to do during a merger
- Electronic Data Retention Policy (Tech Pro Research)
- 10 IT risk management issues that are often overlooked
- The simple solution to managing complex or multiple cloud SLAs