managed service provider contracts
TRANSCRIPT
Office Product Dealers Association – Spring 2013 MeetingDelray Beach, Florida
April 27, 2013
Randy WhitmeyerWhitmeyer Tuffin PLLC
www.whit-law.com
Managed Service Provider Contracts
About Whitmeyer Tuffin
• Corporate and commercial law firm based in Raleigh, NC
• Over 20 years legal experience, with a focus on IT contracts, mergers and acquisitions, intellectual property, privacy, and general corporate law
• Substantial experience representing MSP’s, cloud service providers, and IT service and product companies
• Partner with clients to provide practical, business-oriented advice.
• www.whit-law.com
Client Testimonials
“We have worked with Whitmeyer Tuffin on matters ranging from mergers and acquisitions, financings, corporate restructuring, and intellectual property matters. Their attorneys always are knowledgeable and responsive, and we are pleased to have them as advisors.” - Ted Mosler, President and CTO, Gilero BioMedical
“After initially working with two other law firms, we were thrilled to find Randy Whitmeyer and Amalie Tuffin at Whitmeyer Tuffin. They combine deep understanding of the software industry and corporate legal expertise with exceptional service.” - Mike Ary, President, Aceyus
"The attorneys at Whitmeyer Tuffin are not like other attorneys I have worked with. They provide business perspective and thoughtful, thorough, and insightful advice. Whitmeyer Tuffin is a valued partner to Farragut Systems.“ – Shail Jain, CEO, Farragut Systems
What is a Good MSP Contract?• Covers important topics in a clear fashion, especially “in-scope” and
“out-of-scope”• Is not overly formal or one-sided• Is tailored to the target customer (vertical focus, size) and
competitive environment• Has a master agreement structure• Reflects the values, business model, and risk profile of the MSP’s
owners and managers• Avoids “contract gap problem”, i.e., making promises to customers
without your suppliers making the same promises to you• Reflects input of legal advisor, accountant/finance advisor, and
senior technical management
Why is a Good MSP Contract
Important?• Minimize legal risk and liability based on
breach of contract
• Establish appropriate expectations and solid business relationships with your customers, leading to satisfied customers
• Enhance the value of your business when you look to sell your company
The Master Services Agreement
Structure• The MSA structure is almost always advisable• Avoid repeating legal terms in each Schedule• Schedules can be used for:
• Outlining actual services and pricing (can work for both managed services and one-time projects)
• Documenting managed devices• Service Level Agreements
• Form Schedules can aid in the sales process• Sign new Schedules when services are added(?)• Establish clearly who in your company can sign contracts
Typical Schedules
• Managed Services Schedule• Specify all options or just list what customer gets?• Which options deserve their own Schedule?• Gold/Platinum/Silver approach?
• Backup/Restore Services• Managed E-mail• Anti-Virus/Spam Filtering• Server Hosting• One-Time Projects• Block of Time
Handling Service Additions and Modifications
• Formal or informal approach?
• Adding new managed services• Synchronize term?
• Adding new managed devices• What about decrease in managed devices?
• One time projects/”out of scope” work• Block of time
• “Renewable” blocks of time
Third-Party Systems• Obligation is to provide reasonable services; do not
guarantee performance of third party systems
• Obligations are blurred when you are “OEM”-ing certain services; more difficult to disclaim liability
• May need to negotiate with suppliers to meet end user demands
• Managing “Cloud” services to grow in importance
• Avoid accepting terms and conditions for third party services and software on behalf of clients if possible
Term and Termination• Business drivers for longer term
• Duration of Contract (vs. Duration of Schedule)
• Termination rights• Convenience?
• Penalties?
• For breach with right to cure
• Data Rights upon Termination
• Suspension Rights
• Automatic Renewal
Intellectual Property and Confidentiality
• Protect the MSP’s software and methodologies
• Mutual confidentiality clauses give assurances to customers as well
• MSP’s need right to access client data
• Can (should?) MSP’s (and their cloud partners) use client data for aggregated or other purposes?
Customer-Oriented Privacy Terms
•Obligation to maintain reasonable and effective physical, technical and administrative security measures•Compliance with all applicable data privacy and security laws•Right to review security/disaster recovery policies•Right to audit and test security•Notification in the case of breach•Indemnification for breaches/payment of costs of required notices to customers•Require use of encryption•Restrictions on use of subcontractors and downstream sharing of information•Restrictions on where data can be stored•Business Associate Agreement
Service Level Agreements
• Uptime
• Response Time
• Security
• Performance Credits
• Use of Measurement Technology
• Notice/Reporting Obligations
Pricing Terms
• Setup fees
• Monthly service fees
• Per device
• Other parameters?
• When does it start?
• Add-on pricing
• Payment terms
• Caps on increase in fees
Employee Nonsolicitation
• Your employees are your most valuable asset, and clients sometime want to “poach”
• Strong non-solicit/non-hire clause along with liquidated damages are typically advisable
Limits on Liability
• Limit overall liability to revenue received over last X months
• Exclude lost profits and consequential damages
• SLA remedies should be exclusive
Disclaimers and Warranties
• Warranty to use reasonable skill in accordance with industry standards, and supply qualified and experienced personnel
• No performance warranties• No hardware warranties• No warranties that monitoring and monitoring
devices will be without error or will catch all issues• Exclude all other warranties
Data Issues
• What rights does MSP have to data?
• Disposition of Data on Termination
• Location of Data
• Legal / Government Request to Access Data
Additional Key Issues• On-site support: included? At MSP’s option?
• Assignment: Contract must be assignable to a successor if the MSP is acquired
• Access to Customer Devices:• Conditional or unconditional access?
• Contract should specify process
• Choice of Law and Jurisdiction• Alternate Dispute Resolution (Arbitration/Mediation?)
Updates in Privacy and Security Law• HIPAA Updates
• This month – 10 year anniversary for HIPAA• 2009 Hi-Tech imposed obligations on vendors (“Business Associates”)• New Omnibus Rule effective March 26, 2013; compliance required generally
by September 23, 2013. Enhanced obligations on Business Associates and increased penalties.
• Massachusetts Data Security Act• Effective March 2010; contract requirements effective March 2012• Requires contract terms with vendors; written security policy; and that
certain personal information to be encrypted
• New COPPA Regulations • Published December 2012; compliance required July 1, 2013• Now covers third-party plugins, ad networks• Expands what constitutes personal information (e.g. IP Addresses)
Updates in Privacy and Security Law• EU Data Protection Proposed Regulations
• In January 2012, detailed revisions proposed to make the law more uniform across the EU, and increases protections and possible penalties
• US companies seeking to transfer personal information from EU to US must follow a safe harbor certification/filing approach or other rules to comply with EU regulations
• FTC• Concerns have increased from use and sale of personal information, to
use of IP addresses, device identifiers, and other information not normally considered as personally identifiable
• Breach Notification Laws• Virtually all states have adopted statutes modeled on California’s
pioneering identity theft breach notification law
Security Policy• Legal Requirement to have a Written Information Security
Policy:• Mass. Data Security Act: organizations that handle information about Mass.
residents must have a comprehensive written information security program• HIPAA/Hi-Tech: Also requires a written information security program• Federal Trade Commission: Failure to protect personal information by using
reasonable security can be an unfair and deceptive trade practice• Other Good Reasons for a “WISP”
• Complying with breach notification laws• Assuring compliance with required privacy notices (e.g. California
requirement)• Protecting intellectual property• Satisfying officer and director fiduciary obligations• Complying with contracts• Increasing value of company to buyers• Dealing with subpoenas and related requests for electronic information in
discovery
