You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

July 26, 2013

Legal Issues in Technology Outsourcing Arrangements

Subscribe to Updates
Bangkok Post, Corporate Counsellor Column

Technology outsourcing arrangements are becoming more and more widespread. Commercially, they can allow businesses to save money while at the same time improving the quality of IT services.

But these arrangements also raise a number of legal issues for both vendors and customers. Depending on the specifics of the outsourcing, the contracts may involve agreements for consulting, software development, licensing, implementation, and maintenance, among others. The following are some of the issues that may be of concern when negotiating technology outsourcing agreements.

When the outsourcing involves a licensing component, attention must be paid to precisely what is being licensed and the rights and obligations of the licensor and licensee. For example, regarding a software license, the customer should consider whether the terms of the license are sufficient to allow him actually to use the licensed software for the intended purpose.

If the customer will need to make improvements or other modifications to the licensed software, he should ensure the license terms allow for that. On the other side, the vendor will want to make certain the agreement includes provisions that sufficiently protect the intellectual property being licensed.

In situations where the vendor is to provide maintenance or other support, service-level agreements are important. Among other standards, these stipulate the times within which the vendor is contractually obligated to respond to requests to fix bugs or deal with other problems that may arise. Often, the specified response time frames differ, depending on the severity of each problem.

Service-level agreements are helpful to both parties in that they function to achieve a mutual understanding on response times and what actions the vendor will take when problems are reported. The agreement may also specify liquidated damages to be payable when the vendor is late or otherwise fails to meet these obligations.

Another issue involves modifications and enhancements a customer may request that go beyond the scope originally agreed. While there are a number of commercial arrangements that can deal with these, it is generally important to agree, from the beginning, that such modifications and enhancements shall be made only pursuant to a written change order signed by both parties.

The change order should clearly describe the scope of the modification or enhancement to be made and should clearly set out the price to be paid for the change. This helps to ensure both parties have a common understanding regarding deliverables and costs.

When contracting with a vendor’s local subsidiary, some customers are concerned about the ability of the subsidiary to fulfill its contractual obligations. Some of these concerns can be addressed by a letter of guarantee from the parent company of the local subsidiary.

The wording typically provides that the parent company will perform, or cause to be performed, the obligations of the local subsidiary in the event the local subsidiary fails to do so.

Following a failure to perform, the customer will give notice to the local subsidiary to perform, and if the local subsidiary still fails to perform, the customer will then make a demand on the parent company, under the letter of guarantee.

In some outsourcing arrangements, there are major barriers to switching vendors. When significant development and customization is required to put a new system in place or significant time or expense is otherwise involved in switching to a new vendor, the incumbent vendor is in a good position to demand price increases in future years.

For this reason, it is important to agree in advance how pricing adjustments in future years will be handled. Some contracts are written to include a numeric percentage increase to be applied on a particular schedule—perhaps at the beginning of each calendar year or the start of every three contract years, for example. Others are written to be adjusted in alignment with a particular consumer price index.

On a related issue, careful consideration should be given to termination clauses. While the parties may easily agree that either party should have the right to terminate the agreement following a party’s failure to cure a material breach, there may be concerns about a party’s ability to terminate for convenience.

Whether it is appropriate to allow termination for convenience depends largely on the nature of what is being outsourced. In mission-critical installations, presumably the customer will not want the vendor to be able to terminate so easily. On the other hand, the customer will likely want some ability to terminate for reasons other than breach—for example, in the event of selection of a replacement vendor.

A related issue is the amount of notice to be required in the event of termination. At the very least, the agreement should be written to provide notice that gives sufficient time to arrange for a new vendor to put in place a replacement system.

Thought should also be given to what will happen if the vendor goes out of business or otherwise stops supporting the technology. In installations that are critical to the customer’s ability to operate, a lack of support could be quite problematic. For this reason, many customers opt for source code escrow agreements. In arranging these, particular attention should be given to the terms of release and the identity of the selected escrow agent.

These are but a few of the important issues that may need to be addressed in contracts that provide for technology outsourcing. Of course, the specific issues of concern will vary, depending on the nature of what is being outsourced. For this reason, both customers and vendors should take the necessary steps to ensure they have a full understanding of the legal issues and their options for structuring the transaction.

Download Full Article
Related Professionals

Industries

Technology

Practices

Corporate/M&A

Location

RELATED INSIGHTS​

April 4, 2024
On March 18, 2024, the president of the Supreme Court of Thailand announced the establishment of a specialized Technology Crime Division within the Criminal Court of Thailand. This represents a significant commitment to cybercrime within the Thai judiciary and a step forward in Thailand’s ability to investigate cybercrime. The rise in cybercrime investigations in recent years has made it increasingly difficult for Thailand’s traditional criminal courts to consider and issue enforcement orders in support of ongoing investigations in a timely manner. The new Technology Crime Division addresses this challenge. This new division has jurisdiction over cybercrime and technology-related crime, fraud or extortion using computers, and criminal offenses relating to personal data protection laws. In addition, this new division has jurisdiction over all requests from competent law enforcement officers seeking court orders under the Computer Crimes Act B.E. 2550, the Personal Data Protection Act B.E. 2562, and the Cybersecurity Act B.E. 2562. The Technology Crime Division will have trainees and judges with expertise in technology and cybercrime—not only to facilitate expert prosecution of cybercrime but also to offer critical and time-sensitive support to law enforcement investigations of alleged cybercrime. The Technology Crime Division is not yet operational. The president of the Supreme Court is expected to announce the division’s opening date in the coming months. For more details on Thailand’s measures for dealing with cybercrime, please contact Michael Ramirez at [email protected] or Piyawat Vitooraporn at [email protected].
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More
March 29, 2024
Vietnam’s Ministry of Public Security (MPS) is drafting two reports to present to the government in May 2024 to advocate for the development and adoption of a Law on Personal Data Protection. These reports include an assessment of the policy impact of the proposal to develop a personal data protection law, and an assessment of the current state of social relations related to personal data protection. Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), adopted in April 2023, became the first comprehensive legal instrument on data protection in Vietnam. When the National Assembly was debating its text and adoption in 2022 and 2023, questions were raised as to the status of this new regulation and the legality to adopt a decree before a law. In accordance with the public announcements made throughout the development of the PDPD assuring that a law would be developed at a later stage, the MPS is now advocating for the development of a Personal Data Protection Law and has drafted the two reports pursuant to the Law on the Promulgation of Legal Documents. The main arguments advanced by the MPS in the two reports are as follows: As the right to privacy is enshrined in the Constitution, any restrictions thereof must be made through a law and not a decree. The MPS is notably referring to the lawful basis for processing and limited exceptions to consent under the PDPD. This may be a sign that the MPS intends to widen the exceptions to consent under the new law. The definitions of “personal data” and “personal data protection” need to be harmonized to consolidate the regulatory framework. The MPS indicates that there are 69 legal documents directly related to “personal data protection” in Vietnam with more than 10 different definitions, while “personal information” appears in
Read More
March 28, 2024
Recently, Vietnam has witnessed a dramatic increase in cyber fraud, causing significant financial losses and posing a grave threat to both Vietnamese and foreign entities. With the increasing reliance on digital technology and the widespread adoption of online platforms, the country has become fertile ground for cybercriminals to exploit vulnerabilities and conduct various fraudulent activities. This article aims to present an overview of addressing cyber fraud in Vietnam and offers practical advice for businesses to safeguard themselves from becoming victims of such illicit activities.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice