HOW TO PROTECT YOUR COMPANY

FROM THE UNEXPECTEDSUSAN KOHLHAUSEN

DIRECTOR, LEGAL AFFAIRSCOASTAL FEDERAL CREDIT UNION

CONTRACT REVIEWS

Vendor On-Boarding Process

RFP (Request for Proposal)Due Diligence/Risk Assessment Vendor SelectionContract ReviewContract NegotiationContract Execution

Followed by:Ongoing Vendor Administration/Oversight

Vendor On-Boarding Process

RFP (Request for Proposal)Due Diligence/Risk Assessment Vendor SelectionContract ReviewContract NegotiationContract Execution

Followed by:Ongoing Vendor Administration/Oversight

Vendor On-Boarding Process

Does your company have a Vendor Selection Policy?

Coastal requires (in part) : 

Management will obtain at least two competitive bids for each Level 1-Critical and Level 2-Significant publicly held and privately held vendors at the time of initial review and selection to ensure that pricing is competitive and reasonable and commensurate with their demonstrated ability to meet Coastal's needs. While cost is one of many factors evaluated in vendor selection, it is expected that vendors selected offer fair financial value to Coastal.

What Is A Contract?

“A promise or a set of promises for the breach of which the law gives a remedy, or the performance of which the law in some way recognizes as a duty.”

- Restatement (Second) of Contracts

 = LEGALLY ENFORCEABLE AGREEMENT

Purpose Of Written Contracts

PerformanceDocuments expectations and

obligations of the parties and products/services to be provided

ProtectionProvides remedies for the

unexpected (i.e. breach)

Performance Clauses

ScopePerformance/Service LevelsReportsSubcontracting/Third PartiesDurationFees

Protection Clauses

AssignmentRight to AuditComplianceIntellectual Property RightsConfidentiality and SecurityBusiness Continuity/ContingencyInsurance

Protection Clauses (continued)

Warranties Liability/DamagesIndemnificationDispute ResolutionModificationTermination

Performance: Scope

Detailed description of product/services to be provided.

Specific obligations of all parties (including any subcontractors/third parties)

Performance: Service Levels (SLAs)

Plain language documenting specific minimum service levels, standard maintenance periods, response times for product (usually software) or service issues or failures, additional support (help desk) needs and measurement periods.

Usually included as an addendum/attachment

to contract

Performance: Service Levels (SLAs)

Examples include: Product/service will be fully functional not less

than 98% per day/month/quarter excluding standard maintenance periods

Vendor shall commence review/analysis of all Severity 1 (non-function) issues within 4 hours of company’s written/verbal notification.

Vendor will achieve and maintain a customer satisfaction rating of not less than 75% each calendar quarter

Performance: Service Levels (SLAs)

Recommend use of industry standards to develop service levelsMaintenance periods should be narrow and during customer’s

off-peak hoursInclude specific language addressing notification requirements

(specific personnel/communication channel (email/telephone)Often requires vendor to self report issues/failures (Audit may

be beneficial)Damages for failure to meet SLAs usually in form of a % credit

of fees with right to terminate for repeated failures within a certain measurement period or extreme failure to perform.

SLA terms are usually an exception/ stand-alone from general breach/right to cure language

Performance: Reports

Outline all reports needed from vendor.Include type and frequency of reports needed

(performance, security, business continuity, etc.) and specific information to be included.

Note any custom or external reports and related fees. Watch for upcharges. Recommend including “pass

through cost” language.

Performance: Subcontractors

Contract should specify whether parties are permitted to use subcontractors and the specific obligations they will perform.

Who has right to approve, remove or replace contractor?

Who is liable for subcontractor? Minimum qualification/background requirements?

Be sure that subcontractor use language does not conflict with the assignment clause.

Performance: Duration

Length of contract should be commiserate with the type of product/service being provided and within industry standards.

Be aware of auto-renewal (evergreen) clauses and termination notification requirements

Build in enough time between notice of termination and actual termination to find replacement vendor (if needed).

Include minimum notification period for any fee increases to allow time to find and contract with new (less costly) vendor prior to termination notification requirements. EXAMPLE: Vendor should provide notice of fee increase not less than

6 months prior to end of term where company is required to give 90 days notice of termination.

Performance: Fees

How calculated? (base payments, recurring services, activity charges, etc.)

Cost for product maintenance/upgradesResponsibility for state and federal taxesRight to dispute fees without penaltyLate payment penalties should be reasonable

Performance: Fees

Watch out for language:permitting vendor or party the right to

deduct from company accounts without adequate controls.

permitting vendor the right to deduct fees/penalties from any income it collects on behalf of company

requiring payment while in a force majeure (emergency) situation.

Protection: Assignment

Which parties (if any) have the right to delegate (in whole or part) its rights and obligations to a third party.

Prohibit assignment without consent. Exception: May see language permitting assignment

in case of purchase or merger or to an affiliate.

Protection: Right to Audit

Allows party (or third party agents) to audit company information/records to test internal controls or prove compliance with contract terms.

Watch for: Overly broad property/information access language.

Recommend including language limiting number of audits in a specific period without cause (i.e. not more than once annually), audit schedule (i.e. during company’s normal business hours) and scope of audit.

Who pays for cost of audit? (Under-reporting penalties)

Protection: Compliance

All parties should agree to comply with applicable laws (federal, state and local) and related guidance.

Be sure to include language that vendor will provide assistance/access as needed to company’s government regulators.

Protection: Intellectual Property Rights

Ownership, rights to and permissible use of company data, equipment, software

Property rights should generally remain with the property owner or licensor except in cases where there is work product specifically developed for another party

Includes right to name, logos, trademarks, copyrights, domains, etc.

Ensure contract grants license to use, sublicense, etc. all products/services as needed

Protection: Confidentiality & Security

Prohibit parties (and its subcontractors and agents) from disclosing or using certain company information except as necessary to perform pursuant to the contract.

Standard confidentiality exceptions: Previously known/becomes publicly available without

breach Developed independently Provided by a third party without restriction

Protection: Confidentiality & Security

WATCH! Disclosure for court order or authorized

government request should NOT be a confidentiality exception.

To remedy, include language where notification is required except where prohibited by law or court order

Protection: Confidentiality & Security

Return or destroy confidential information upon termination of contract or other designated time.

Adequate security within industry standards and not less than used to protect own confidential information

Require prompt notification and full disclosure of security breaches of confidential information or that will affect company or its customers

Specify necessary corrective action (Damages: credit monitoring?)

Protection: Business Continuity

Back-up and protection plan in case of disaster or other extraordinary event that prevents use of primary/standard systems.

Vendor should provide copy of plan. Updated and tested regularly. Provide results.

Include business recovery time frames and other metrics as needed

Consider interdependencies among all service providers

Watch! Overly broad “force majeure” clauses Any actions “beyond reasonable control”

Protection: Insurance

Consider types and amounts (liability, E&O, crime/fidelity, worker’s compensation). Minimums?

Additional insured or other endorsement needed?

Include language requiring notification of cancellation or material changes in coverage

Protection: Warranties

May include legal status of parties, authority to enter into agreement

Seek warranty of non-infringement for all intellectual property used or subject to the contract

WATCH! Recommend striking any disclaimer of implied warranties (workmanlike quality, merchantability and fitness for a particular purpose, title)

Protection: Liability/Damages

Generally limited to fixed amount, a service credit or a multiple of total amount paid for services under agreement or other identified term (# of months, quarter, etc.)

Lost data: limited to correction/reconstructionExclusion of indirect/secondary damages

(consequential, special, incidental)Assess whether damage limitation is commiserate

with amount of loss (current and future) as a result of breach of contract.

RECOMMEND: Make any limits reciprocal

Protection: Liability/Damages

Be ready to negotiate these common exceptions/carve-outs to liability protections: Gross vs ordinary negligence Breach of confidentiality/security Breach of warranties/representations Violation of law Death, bodily injury or physical damage to tangible

personal property

Protection: Indemnification

Be sure “hold harmless from liability” language is broad enough. Should include: arising from breach of contract; negligence of the other party or its agents; and intellectual property infringement (if applicable).

Include “defend” language? If so, include language for right to hire own attorney. If not, include language that vendor will pay all (reasonable) attorney fees and associated costs.

Limit to third party claims

Protection: Dispute Resolution

Mediation/arbitration clauses Be aware of who decision makers are and how

selected Jurisdiction and venue are important

Ensure continuation of products/services during any dispute period

Losing party responsible for costs/feesReserve right to seek injunctive relief

Protection: Modification

All contract modifications should be in writing and executed by all parties.

Be very cautious of carve-outs giving vendor the unilateral right to increase fees or change terms of services or even terminate agreement.

Protection: Termination

For convenience: Rare Usually seen low dollar contracts where there is no

minimum/base fees.For cause.

Right to cure? Time period and measurement? Does it conflict with SLA measurements and response

times?

Additional Considerations

AVOID or HANDLE WITH EXTREME CAUTION: multi-party agreements; “In it’s sole discretion” language

 CAPITALIZED TERMS should be defined!Include a MERGER CLAUSE. Contract language that states it

to be the complete and final agreement between the parties. Be sure to include language “attaching and incorporating” attachments,

exhibits, addendums and amendments (including RFP responses) into agreement

 MISSING TERMS: Be aware of what ISN’T in the contract. Use a CHECKLIST

ATTORNEYS: Unless they specialize in contracts, be cautious.  THROW AWAY TERMS: Be ready to give up some during

negotiations

SAMPLE CHECKLIST

 https://chapters.theiia.org/raleigh-durham/Events/Documents/SAMPLE%20Contract%20Review%20Checklist.docx

THANK YOU!

Questions/Comments?

Susan Kohlhausen(919) 420-8268

skohlhausen@coastalfcu.org