Both Feet on the Ground, Ahead in the Cloud: Practical Considerations in Contracting for Hosted Services



Posted by: Robert Vaughn on Dec 8, 2020

No one anticipated the challenges that the spring of 2020 had in store. In March, tornadoes devastated communities in Nashville, Wilson County, Cookeville, and other parts of Tennessee, causing fatalities and leaving more than one billion dollars in property damage in their wake.[1] Adding insult to injury, the COVID-19 pandemic arrived at a time when it affected not only health but also the disaster recovery efforts underway. The pandemic has taken a human toll and forced the Volunteer State to rethink how to safely manifest the volunteer spirit in ways that limit exposure to illness.


The impact of COVID-19 has been visible not just as a public health emergency but also in the context of the law, the economy, and every other facet of life in Tennessee.  In an effort to slow transmission of the virus, countless businesses, government entities, and nonprofits took the leap from reliance on 20th century holdover practices to full implementation of a virtual workforce and 100% electronic workflow.  Some accomplished this task gracefully, or at least with a commendable degree of agility. Others struggled with discrete issues such as implementing electronic signatures or establishing clear expectations about employee availability and responsiveness. 

In the context of this race to embrace 21st century practices, the increasing importance of cloud-hosted services has come into sharp focus. Yet many businesses, nonprofits and other organizations are unfamiliar with industry standards regarding cloud hosted services. And many attorneys who represent organizational clients seeking such services are willing to help but have little practical experience building the foundation that characterizes every successful business relationship in this service area: a good cloud hosted services contract.


THE NATURE OF THE DATA

For the attorney representing an organizational client that seeks to implement a hosted services solution involving data management, it is worthwhile to consider several points at the earliest stage of the process. As the client will own the data but entrust its storage to the hosted services provider, it is critically important to consider the nature of the data. This is true because the nature of the data impacts virtually every standard in a hosted services agreement. Data security, confidentiality concerns, timeliness standards for notice in the event of a potential or actual unauthorized disclosure, and allocation of risk in the event of a data breach — the legal analysis of all of these points will materially differ depending on the type of data at issue. The contractual terms governing these issues should likewise vary from one agreement to another depending on the nature and sensitivity of the data. For example, one Tennessee statute requires notification of affected Tennessee residents no later than 45 days after discovery of a breach of system security.[2] But this timeframe is not applicable in instances where the data breach affects an information holder that is subject to HIPAA as expanded by the Health Information Technology for Economic and Clinical Health Act;[3] federal law requires a covered entity to notify each individual whose unsecured protected health information was disclosed or acquired no later than 60 calendar days after discovery of the breach.[4] By working closely with the organizational client to ascertain the nature of the data that will be hosted, the attorney can determine the appropriate requirements to include in the contract on a broad range of critically important subjects.

The nature of the data is also relevant in determining the adequacy of the contractor’s hosted environment. It may be necessary for the environment to comply with a specific set of security standards, such as those established by the Federal Risk and Authorization Management Program (FedRAMP). Alternatively, the data may be such that it is advisable to require the contractor to be subject to an annual external audit, such as a System and Organization Controls (SOC) for Service Organizations Type 2 audit. It is possible for an attorney to ascertain the applicability of these and other standards on the front end of the project through analysis of the data to be hosted, and to use the contract to allocate cost — such as the cost of engaging a third-party auditor — in a manner favorable to his client. This type of planning can help an organizational client avoid bearing these expenses in the future, or at least make the allocation of these expenses a deal point addressed in the contract negotiation. Including a covenant for the contractor to ensure that its environment complies with an external standard is a helpful means of reaching a clear agreement about the technical specifications that the contractor must meet.


STATING THE STANDARDS: FLEXIBLE v. FIXED

Encryption of the hosted data is also a matter that should be addressed in the hosted services contract. Articulating the encryption standard in explicit contractual terms presents a challenge that is in fact a recurring theme in contracts for cloud hosted services (and IT contracts generally): the need to draft with specificity must be balanced against the inherent need for “room to evolve” that is characteristic of IT work. By traditional legal standards, the best approach to contract drafting is to state in the contract a fixed, clear standard that the contractor must meet. This provides clarity, ensures that both parties’ expectations are coextensive, and maximizes enforceability as a clear indication of meeting of the minds. But the traditional approach can actually be detrimental to the organizational client in the IT context, since it allows the contractor to continue to provide services at the contractually fixed standard even if later during the term a new industry standard has developed on a particular issue — like encryption. Consequently, the contractor may expect or require an additional fee for such upgrades in services — even when external market pressures would dictate that the contractor must provide the upgrades to other clients (in new contracts) in order to remain competitive and relevant. 

In light of this dynamic, one practical solution is to set a minimum encryption standard in the contract but explicitly acknowledge that it is just that — a minimum standard. A further refinement of this approach would be to stipulate that the contractor shall provide either the minimum encryption described in the contract or the same encryption that the contractor offers to other clients — whichever is more robust. This drafting strategy — a minimum contractual standard coupled with a right to updates and more advanced services as the contractor makes them available to other parties — is, in hosted services contracts, a pragmatic and workable solution. Coupled with a fixed fee arrangement, it offers a compromise that resolves much of the tension between the need for specificity in drafting and potentially losing value due to fixed performance standards. Moreover, this strategy leverages business realities and pressures that are several orders of magnitude more powerful than the terms of a single contract: in order to succeed in the broader context, a hosted services firm must provide relevant, evolving deliverables that are on par with those of its competitors. It is the market, then, that pressures the hosting firm to adopt and offer ever higher standards of performance; the contract merely ensures that the client firm has a right to those enhanced services without an additional fee throughout the term as the contractor makes them generally available.

In addition to explicitly stating data safeguarding standards in the contract, it can also be helpful to include a means of monitoring the hosting firm’s adherence to those standards. Certifications as part of the invoicing process, quarterly reports, and external audit requirements are among the tools that are available to keep the organizational client apprised of the hosting firm’s compliance.

Importantly, however, including contractual references to external safeguarding standards should not be construed as a substitute for an adequately detailed description of the substantive functionality that the contractor must deliver.  While a discussion of source code issues is beyond the scope of this article, it is worth noting that affirmatively allocating ownership of software developed under the contract (and distinguishing it from any preexisting software owned by the hosted services firm) is certainly possible at the contract drafting stage and helps avoid subsequent disputes. If the client firm will be engaging the hosting firm to deliver a new hosted solution, a provision that accomplishes this purpose and also gives the organizational client access to the code throughout the term can offer considerable risk mitigation value while clearly delineating which party will own intellectual property created under the contract.

The business attorney seeking to protect his client’s interests in a hosted services contract will also likely turn his attention to the technical support that the client needs. Issues such as the hosted solution crashing or problems relating to specific reports or extracts are often overlooked at the contracting stage due to a tendency to rely on the specialized expertise of hosted services firms. But these matters are appropriate to address in the contract itself. By setting contractual standards for technical issues like the accuracy of reports, permissible system downtime, advance notice requirements for maintenance, and concrete timeliness standards for the IT firm’s remedial actions in response to specific categories of problems, the attorney can ensure that from the very outset of the business relationship, his organizational client and the IT firm will have clearly defined responsibilities in the event of technical setbacks. The attorney’s efforts to set expectations — and allocate the costs between the parties — at the time of contracting can help his client avoid unforeseen expenses and disputes about technical standards later in the contract term, ultimately setting the stage for a stronger and healthier business relationship.


ACCOUNTABILITY AND RISK MANAGEMENT

In addition to discrete issues like data security and system availability, the attorney will likely give careful consideration to allocation of risk in the broader sense. As technology contracts move ever farther away from implied warranty and other risk allocation paradigms characteristic of contracts for goods, organizational clients increasingly rely on contract lawyers to proactively distribute risk in a manner that makes business sense. Indemnification provisions can be helpful in this area but are not a panacea. Apportioning obligations and stipulating which party will bear costs such as credit monitoring services for individuals whose personal information is compromised by a breach improves the clarity of the agreement. Incorporating cyber liability insurance minimum coverage requirements into the contract can likewise offer risk management value. When coupled with a clear warranty provision and specific standards for response to unauthorized disclosure of information and notification of affected individuals and organizations, this can form the foundation of a successful risk management strategy in a hosted services agreement.

The attorney can also add value to the contract drafting and negotiation process by establishing clear financial consequences for the contractor’s failure to meet contractual standards. Contractual liquidated damages provisions are enforceable under Tennessee law and are one means of proactively quantifying loss in the event of breach.[5] Typically, sophisticated parties readily concede during contract negotiation that some equitable fee adjustment is warranted when one party has not performed up to contractual standards. The attorney’s challenge during the drafting and negotiation stage is to help the parties set the parameters of such equitable fee adjustments in terms that adequately protect his client, are fair enough that both parties can agree to them, and are comprehensive enough that future litigation over the calculation of damages for breach is largely unnecessary. Setting contractual standards for specific, reasonable fee reduction in the event of particular performance failures reduces the business cost of uncertainty. And this effort to eliminate uncertainty is consistent with the purpose of proper liquidated damages contract provisions – to provide a reasonable means of compensation in the event of a breach where damages would be indeterminable or otherwise difficult to prove.[6] It also accords with Tennessee law’s prospective approach to determining whether a damages provision constitutes a penalty, which focuses on the estimation of potential damages at the time of contract formation.[7]

Liquidated damages fill a specific role relating to litigation risks and costs.  But they are by no means the sole method to memorialize equitable fee adjustments in relation to contractual performance standards. A fee-at-risk payment structure can be used in a comparable (although not identical) way and is typically associated with a less granular itemization of contractual risk. Importantly, though, while partial or complete fee-at-risk payment provisions provide meaningful fiscal protection to an attorney’s organizational client in the event of reduced performance on the part of the IT contractor, they also shift a degree of control to the contractor. (If you have ever intentionally chosen to strive for only a “B” in an elective in order to use additional time studying toward an “A” in a course that counts toward your major, then you already understand this dynamic.) Assume that a contract features a fee structure divided into three bands based on meeting specific contractual performance standards at a rate of 100% to 90%, 89% to 80%, and 79% to 70%.  If subsequent to contract formation an IT firm lands a new, second client under more advantageous fee arrangements, the IT firm might decide that only earning the mid-tier fee on the first contract is acceptable in order to focus time and effort on work for the second client. 

In practical terms this can have a particularly significant impact if the hosting firm’s elective reduction in effort bears on timeliness. Often IT projects involve a focus on the timing of access to functionality or the timeliness of the “go-live” of a new hosted solution. In such cases, a fee-at-risk provision that does not properly address the timeliness metric can result in the frustration of the client’s core purpose. The attorney should also examine the relation between this type of fee structure and common law principles. In Tennessee, the common law imposes a duty of good faith in the performance of contracts.[8] Good faith in performance is measured by the terms of the contract.[9]  Consequently, by explicitly contemplating acceptance of varying degrees of performance and corresponding predetermined fee reductions, a defendant could conceivably argue that a tiered fee-at-risk arrangement colors the implied duty of good faith. By contrast, liquidated damages provisions cannot reasonably be said to have this effect. 

Another tool available to address the issue of financial protection is contractual service credit. Under a service credit provision, the party that failed to meet contractual performance standards would not reduce its fee but would provide the harmed party with a predetermined amount of service credits. The harmed party could then use those service credits to “buy” additional services later during the term without paying any additional fee. This can be a substantial, albeit somewhat complex, benefit to an organizational client that might need additional services not contemplated in the contract itself, such as development of separate software, modifying a service bus to improve integration of multiple systems, etc. And this form of relief is particularly appropriate where the IT firm is a recognized industry leader with a solid track record of competence and quality. The use of a service credit provision is probably most appropriate as a remedy for relatively minor variances from contractual performance standards. This is because of an intrinsic weakness in service credit provisions: the value of such a provision is contingent upon the diligence and competence offered by the IT firm. An organizational client gains little practical value from a contractual right to additional services from an IT firm that missed the mark on major deliverables under the contract.


AGENCY, REMEDIES AND GOVERNING LAW

The relationship between the organizational client and the hosted services firm is also a question of significance that requires attention not only to the terms of the hosted services contract but also to agency principles in the jurisdiction whose law will govern. For example, consider one recent class action suit stemming from the disclosure of certain information about individual customers and decided under Michigan law by the Federal District Court for the Southern District of New York. There, the client maintained a database of its current and former customers, including individual customers’ mailing addresses and other demographic information.[10] The client firm owned or licensed all the information in this database, but paid monthly service fees to an IT firm for the hosting, maintenance, and operation of the database.[11] The contract between the parties explicitly disclaimed an employment or agency relationship and provided that the IT firm was an independent contractor.[12] Notwithstanding this contract provision, the court held that the IT firm was an agent of the client firm.[13]

While the result in that case was favorable to both the client firm and the IT firm, it was contrary to their intentions as expressed in the contract on the issue of independent contractor status. Under Tennessee law, by contrast, while a number of factors should be considered when determining whether one party is the independent contractor of another,[14] our Supreme Court has noted that the first task of a court is to look to the contract between the parties for the intention expressed in it.[15]

In addition to raising interesting questions in areas such as agency, litigation involving hosted services agreements demonstrates the significance of the parties’ selection of governing law in the contract.  Because of the possibility of the Copyright Act preempting state law claims, selection of governing law in the contract directly bears on the remedies available to the client firm if the hosting firm deletes, misuses, or “holds hostage” its data. Typically the Act does not preempt state law breach of contract claims, since those claims necessarily require different elements than a claim under the Act.[16] However, if an aggrieved client firm brings action against the hosting firm under theories other than breach of contract, those other claims may well be preempted. For instance, in one recent case a client firm entered into a service agreement with a hosting firm but subsequently failed to make a quarterly payment under the contract.[17]  Allegedly the hosted services firm then copied the client firm’s data, shared it with a competitor of the client firm, and deleted the client firm’s data from the hosted environment.[18] The client firm sued the hosted services firm in federal district court.[19]  However, despite the existence of a written agreement, the client firm brought action under Virginia state law theories of conversion, embezzlement, larceny, and computer fraud instead of suing for breach of contract.[20] After analyzing the elements of the state law claims in comparison to the Copyright Act, the U.S. Court of Appeals for the Fourth Circuit determined that the client firm’s conversion, embezzlement, larceny, and computer fraud claims were all preempted by the Copyright Act.[21]


CONCLUSION

Helping organizations understand issues such as these and address them as fully as possible during the contract formation stage is the province of the attorney. The aforementioned cases demonstrate that as the trend toward ever-increasing integration of technology into business continues, attorneys representing organizational clients must step outside the comfort zone of clearly defined traditional roles. An attorney who assimilates into his organizational client’s operations and develops a deep understanding of the role of hosted solutions in its business practices is better able to ensure that the client’s needs are met in the contracts that underpin its work. By learning about and understanding issues such as data migration, customization of software, data ownership, and patterns of data breach and liability, an attorney can help his client leverage cloud hosted solutions to improve the organization’s performance, agility, and relevance going forward.


STROUD VAUGHN is an attorney with the Tennessee Department of Human Services’ Office of General Counsel.  A graduate of Belmont University College of Law, his practice focuses on contracts and public procurement, with an emphasis on professional services and technology agreements.  Prior to joining the Department, Vaughn served as associate counsel for Tennessee’s Medicaid agency, TennCare.  You can reach him at Stroud.S.Vaughn@tn.gov.


NOTES

[1] Report of the National Oceanic and Atmospheric Administration, available at: https://www.ncdc.noaa.gov/stormevents/eventdetails.jsp?id=882999.

[2] Tenn. Code Ann. § 47-18-2107(b) and (c).

[3] Tenn. Code Ann. § 47-18-2107(i).

[4] 45 C.F.R. § 164.404(a).  This is the general rule, however, and covered entities may delay beyond this deadline upon the request of law enforcement officials.  45 C.F.R. § 164.412.

[5] Guiliano v. Cleo, Inc., 995 S.W.2d 88, 97-98 (Tenn. 1999); see also Anesthesia Medical Group, P.C. v. Buras, 2006 WL 2737829, 25 IER Cases 441 (Tenn. Ct. App. 2006).

[6] Guiliano at 98.

[7] Id. at 100.

[8] Wallace v. National Bank of Commerce, 938 S.W.2d 684, 686 (Tenn. 1996).

[9] Id., citing Covington v. Robinson, 723 S.W.2d 643 (Tenn. Ct. App. 1986).

[10] Boelter v. Hearst Communications, Inc., 269 F. Supp. 3d 172, 179 (S.D.N.Y. 2017).

[11] Id. at 180.

[12] Id. at 201.

[13] Id.  Notably, rather than triggering liability under a theory such as respondeat superior, the finding of an agency relationship in this case was effectively exculpatory.  The plaintiff customers brought action under the Michigan Video Rental Privacy Act, H.B. 5331, 84th Leg., Reg. Sess., P.A. No. 378, § 2 (Mich. 1988) (amended 2016).  There is no liability under that statute for a firm’s disclosure of customer information to its agent, so the finding of agency precluded liability on the part of the defendant client firm and its IT firm, and the Court granted the defendant’s motion to dismiss in pertinent part.  Boelter at 192-194, 201.

[14] Goodale v. Langenberg, 243 S.W.3d 575, 582-3 (Tenn. Ct. App. 2007).

[15] Carbide and Carbon Chemicals Corp. v. Carson, 239 S.W.2d 27, 31 (Tenn. 1951); see also Sodexho Management, Inc. v. Johnson, 174 S.W.3d 174, 179 (Tenn. Ct. App. 2004), perm. app. den. (Tenn. May 2, 2005).

[16] For a discussion of the “equivalence” component of the two-prong test to determine whether a state law claim is preempted by the Copyright Act, see Wrench LLC v. Taco Bell Corp., 256 F.3d 446, 455-58 (6th Cir. 2001).  The Court in Wrench was careful to note that not all state law contract claims survive preemption simply because they involve the additional element of a promise; conceivably a contract might only contain a promise not to use or reproduce the work, in which case the contract would not offer materially different protection from the Act – resulting in preemption.  Wrench at 457.

[17] OpenRisk, LLC v. MicroStrategy Servs. Corp., 876 F.3d 518, 521 (4th Cir. 2017).

[18] Id.

[19] Id.

[20] Id. at 522.

[21] Id. at 524, 526, and 527.