In part 1 (available here) of this two-part series, we set the scene as to why it pays to carefully consider the terms governing your use of software solutions and things to look out for in relation to the initial implementation, the duration of your commitment, scope, fees and payment, and support and service levels.
In this second part of our two-part series, we address suspension and termination, managing risk, and how your data is handled – and why getting it right is important to your business:
One-sided suspension and termination rights in the supplier’s favour are common. If the solution is critical to your business operations, it would be advisable to try to ensure that the supplier’s rights to suspend the arrangement do not extend to where the reason for suspension or termination is the supplier’s own breach of the agreement or negligence.
If you are committing to a fixed initial term, it is usual for neither party to be able to terminate without cause during this period; usually, the only rights to terminate before the minimum committed period expires are for the other party’s breach or insolvency. You should ensure that you can at least terminate for these reasons during the initial term, but should also consider whether you need to push for a break clause during the initial term. However, note that if you do, the supplier may well try to increase the price of the licence.
Additional termination rights should be considered, particularly where you are concerned about the supplier’s track record or where the solution is critical to your day-to-day operations. Software licence agreements commonly include express termination rights for service level failures (as set out above), a common tool for trying to hold the supplier to perform as you expect, but other rights, such as the right to terminate where the supplier changes ownership, can also be key if you need to ensure due diligence is carried out on your supply chain.
Other common termination rights include a right to terminate where the supplier misappropriates or infringes third party intellectual property and can’t cure this without degrading the standard of the service provided; or where something happens outside the supplier’s control (usually referred to as a “force majeure” event) which stops them from performing for a certain period.
You should consider whether you need these rights if they are not in your agreement with the supplier.
The default position in software licence agreements is that the licence ends immediately on termination, and that there are some access rights to your data (either you can extract it yourself or ask the supplier for a data dump), but usually little if anything more than that.
If, however, the solution is critical to your day-to-day operations, you may need to line up a replacement solution (whether in-house or with a different provider) if the arrangement fails. Where this is the case, you should consider whether you need a grace period during which you will use (and pay for) the solution until you can migrate to an alternative or at least get some support from the supplier to do so.
Data sovereignty is key to protecting your confidential information, trade secrets, and intellectual property. If you are handing over any personal data to the supplier or allowing them to access or process it, you will also need to consider your obligations under data protection law.
Whilst compliance with data protection obligations should always be high on the priority list for any fashion business (as evidenced by the German data protection regulator fining H&M €35.3m for keeping excessive employee records in 2020), it should be noted that engaging a service provider to process (including by storing, however temporarily) personal data for you will not excuse you from your own compliance obligations.
You should ensure that you know where your data is kept, that it is kept securely, how and when you can retrieve it, and who is responsible for keeping backups (and the frequency for when those backups will be taken).
Consider also the amount and types of data you will share with your supplier; limit this as far as possible and wrap appropriate information security measures around it, as this will help mitigate the effects of any data breach, as suggested by VF Corp’s press releases following a major ransomware attack in 2023.
Managing cybersecurity risk through appropriate cybersecurity measures and the separation of core systems, to reduce the risk of cross-contamination as a first line of defence, may also help you prevent, or at least recover more quickly from, sustained cyber threats, particularly in an age of ever-increasing ransomware attacks by well-organised and well-equipped criminal organisations.
The recent significant cyber attack on Marks & Spencer (“M&S”) shows that careful consideration must be given from the outset to adopting appropriate measures proportionate to your business and avoiding concentration risk, and ensuring this flows through your supply chain. Operational resilience and disaster recovery plans are therefore important to ensure that you can keep trading (at least in some capacity) to try to offset or mitigate accruing losses should your systems succumb to any such attack.
Ideally, it should also be made expressly clear that any data you provide to the supplier is your confidential information, which should benefit from appropriate obligations of confidentiality. Relying on obligations of confidentiality at law rather than detailed contractual protection is unlikely to provide you with adequate protection.
The supplier will likely need a licence to use your data to be able to provide its services. Any such licence should be carefully considered to ensure that it is only granted in respect of use of the data for the provision of the supplier’s services and doesn’t grant any additional rights to either your intellectual property or to use your data for any purpose with which you aren’t comfortable.
In any software agreement (as with the overwhelming majority of commercial contracts), one of the most important issues is that of the allocation or limitation of liability between the parties. These provisions are usually imbalanced as the supplier is trusting its intellectual property to you and has little to no control over how you use it, but that imbalance often goes too far in favour of the supplier.
You should ensure that, wherever possible, the supplier gives you an uncapped indemnity for third-party claims relating to the infringement or misappropriation of intellectual property rights relating to the software.
This means that if the supplier takes, copies, or otherwise uses somebody else’s intellectual property rights and you face a claim by that person, the supplier has to reimburse you on as close to a pound-for-pound basis as possible. This is an important protection to have.
Suppliers will often seek to limit all their liability under the agreement, usually to an amount with some link to the fees paid (such as the fees paid by you in a 12-month period) and will seek to entirely exclude certain types of loss.
These provisions need careful consideration to ensure that you have the right to recover losses in the event a key risk arises. For example, if the solution will process sensitive confidential information or personal data (we have touched on the potential exposure to data protection fines and significant cybersecurity risk above), or large amounts of it, you may need to address exclusions of liability for loss of or damage to data and may need to hold the supplier to greater exposure for these key risks.
Context is king in this debate.
Is the software crucial to trading during busy periods?
What would the likely consequences and losses be to your business if the software were to be unavailable for an hour, or an evening, or a day?
What if a significant cyber attack affecting the systems or software provided by your supplier prevents you from taking online orders, such as in the case of M&S?
Is there a workaround that the business can use, or is this the core engine for trading?
Thinking through these issues will help you to come to a conclusion on what level of liability it is worth fighting for a software supplier to accept, even if this comes at a higher price on the licence. However, do not be blinded by the headline liability cap or its amount; also lend careful consideration to the exclusions of liability, particularly in certain high-risk situations such as a loss of ability to trade in some shape or form as a result of a supplier’s failure to perform. For example, if you are prevented from trading due to a system lockout (ransomware attack) arising from a vulnerability in your supplier’s systems and face an accruing loss of revenue, make sure you can claim against the supplier for those losses accordingly.
In relation to your liability under the contract, typically software providers will not (by default) include any limitation on this under their template agreement, and may seek an indemnity from you in either of the following guises:
Each formulation should be considered on its merits and in the context of the arrangement with the supplier.
You might find it difficult to get the supplier to agree to limit your liability, but you should certainly try to, to reduce the risk of an uninsured loss arising. Most software suppliers will not, however, agree to cap your obligations to pay fees to them.
Any commercial contract can be a minefield, and software agreements are no different. Just because promises are made during the sales process does not mean that they are reflected in the actual solution or services you eventually receive. Careful consideration should be given to the supplier’s terms to ensure that there are contractual protections for your business in case all is not as it seems during the pre-contract phase or if you should be exposed to cybersecurity or data protection risks through your IT supply chain.
If your business has accepted IT suppliers’ terms with little or no legal support or is looking at renewing or replacing its IT agreements, now might be the time to give careful consideration to the terms governing those arrangements in order to take steps to safeguard your business.