By: Nick Martin


At a glance

  • As a provider of technology services and solutions, how well do you understand the legal issues and risks that your Master Services Agreement, or other standard form contract document (MSA) should cover and protect you against? When was your MSA last updated? How often do you have to change clauses or positions as a result of a customer request?
  • In this article, we explore some of the key legal issues you should consider as a Managed Service Provider (MSP) selling IT services and solutions to your customers, and when you’re updating or renegotiating your MSA.

Legal risks and the key to risk management

There are numerous legal risks that an MSP can face in contracting for the provision of technology products and services – too many to mention in a short article. To take a few examples of common legal risks:

  • A contract scope or service specification which is vague, unclear or lacking in detail. This can lead to disputes with your customers if an engagement goes off track, or even litigation,
  • Failure to consider or negotiate liability provisions (limitation and exclusion of liability clauses and indemnities). This can lead to significant financial exposure (which may not be covered by insurance) if a customer makes a claim against you,
  • Ambiguous or overly complex contractual language. This can lead to confusion, disputes and a risk that clauses will be interpreted in such a way that they don’t mean what you think they mean, and
  • Failure to anticipate or manage the end of the contract term. This can lead to exit disputes including around any ‘transition out services’ and whether you’re entitled to be paid for them.

These are just a few of the legal risks that can arise in IT contracts. This demonstrates the importance of proactive risk management – understanding what the potential, significant legal risks are in a particular engagement, and considering how best to address them.

Your MSA (or other technology contract) is the key to reducing your risk profile and limiting potential exposure or financial liability in the event of claims. It should be reviewed and updated on a regular basis to ensure the positions in it keep pace with what’s acceptable in the market, and to create the optimal risk posture for you as an IT service provider.

So, what is the MSA for?

The MSA serves two main functions. Firstly, it’s the ‘instructions manual’ which governs the relationship as a whole, and each engagement under it, and sets out what you’re selling and the customer is buying, how it’ll be delivered, what’s payable for it, and how the engagement will be run on a day-to-day basis.

That’s really why the MSA shouldn’t sit in a bottom drawer gathering dust, which, sadly, is often what happens once the ink is dry on the paper! Secondly, it’s the legal instrument which should, ideally, apportion the risk arising from the engagement fairly and reasonably, whilst making sure that your exposure as an MSP is not excessive, and the risk you’ve assumed is within acceptable parameters and consistent with your organisation’s risk appetite.

Best practices: MSA drafting and negotiation

There are a number of ‘golden rules’ to bear in mind when drafting or amending your MSA:

  • Always use plain English as far as possible. Whilst many legal concepts or positions are complex, the language describing them need not be. Drafting in plain English will reduce ambiguity and allow the contract to be understood by anyone in your, or the customer’s, organisation needing to refer to it,
  • Similarly, ensure that you use consistent terms and definitions across the entire document. The front end ‘legals’ need to match the back end Schedules, and this important alignment is often overlooked,
  • Always try and build in flexibility to ‘future-proof’ your document, through good change management processes and by having the ability to update certain terms (eg an SLA) by notice to the customer, and
  • Don’t agree to agree. Tempting though it can be to kick the can down the road, an agreement to agree is unlikely to be legally enforceable and if its subject matter is sufficiently fundamental, this can lead to the entire contract being void for uncertainty.

You should also be mindful to approach negotiations, which are often an inevitable step in agreeing a new MSA with a customer, in the right way:

  • Be sure to focus on the key risks and material issues, not wasting time on minor or low-risk areas,
  • Be reasonable and open to compromise, always looking for ‘win-win’ outcomes,
  • Don’t cling to untenable positions which are well outside of what the market will typically accept. This will just lead to fruitless or fractious negotiations, and
  • Always leave sufficient time and factor negotiations into the overall timeline, as often it can take a significant period of time for parties to reach agreement and sign on the dotted line.

How important is the liability regime?

It’s hard to overstate the importance of understanding the risks that can arise from having an unfavourable liability regime in your MSA, or where you have contracted on the customer’s paper (eg their standard form agreement) with little or no negotiation. What we’re talking about here is loss, and the extent to which the party suffering the loss can recover it from the party ‘causing’ the loss. That is what the liability and indemnity regime under the MSA regulates.

In selling technology solutions or services, that loss can arise in numerous ways. For example, a customer may suffer loss if software or a system it has procured doesn’t meet the specifications or requirements the contract stipulates; loss can arise as a result of vendor negligence, such as a failure to take the required level of care in performing certain services; or it can arise through third party action against a party, for example, where a third party alleges that the customer’s use of the technology the vendor has provided infringes the third party’s intellectual property (more on this below).

There is a clear tension insofar as the party which ‘causes’ the loss wants to ensure that its liability to the other party is limited to a reasonable amount, and that it’s not held liable for losses which are too remote. Conversely, the party that’s suffered the loss wants to be able to recover as much as possible. So how is this tension resolved? Through the negotiated liability regime.

Under limitation and exclusion of liability clauses, a party’s liability for loss suffered by the other party is capped at a certain amount (often a multiple of the fees paid), and liability for certain types of loss (such as ‘indirect or consequential loss’) is excluded altogether. However, this liability ‘cap’ and exclusion of liability are often subject to certain exceptions, ie the contract will provide for certain types of claims or losses for which liability may be uncapped, and/or the liability exclusion does not apply.

A party granting an indemnity is agreeing to make whole the other party if a particular event or circumstance occurs. An indemnity is essentially an agreement to cover loss and damage suffered by the other party without there being any breach of contract or negligence. As such, this alters the common law or statutory rights of parties: remoteness principles don’t apply, and there is no obligation to mitigate loss. It is therefore advisable to think long and hard before giving indemnities.

In our experience, many hours of negotiations can be spent whilst the parties thrash out a position on liability and indemnities that’s acceptable to both of them (underlining the importance of approaching negotiations in the right way, as described above). Ultimately, the goal is to ensure the final contract deals with risk in a fair and reasonable way, and agreeing on a mutually acceptable liability and indemnities regime can go a long way to achieving this.

Intellectual property issues

For many IT service providers, their intellectual property (whether that’s software, methodologies, processes or know-how) is the ‘secret sauce’ they bring to the table, and allows them to differentiate themselves from their competitors. As such, it’s vital for vendors to ensure that ownership of this IP isn’t inadvertently transferred, or compromised through an overly broad licence, as a result of failing to adequately consider, or properly draft, the IP clauses in the MSA.

On the flip side, clients will also want to protect their existing IP which may be disclosed or licensed to their IT providers, and may seek to own new IP developed specifically for them under the contract (with a mindset of ‘I’m paying for it, so I should own it’). The thinking is often that any new IP which customers pay to have developed will offer them a competitive advantage in their field, so this advantage should be maintained by owning the new IP, or if only licensed to them, by imposing restrictions on the vendor’s ability to license to third parties or use that new IP for a specified period of time.

A typical IP regime in an MSA will distinguish between the customer’s and the supplier’s ‘background IP’, being IP which is pre-existing as at the contract date, or developed independently of the contract, and ‘developed IP’ (often called ‘Contract Material’, ‘Project IP’ or similar), and third party-owned IP. Each category will have its own treatment under the contract, which may be a broad, perpetual licence, a transfer of ownership from the vendor/creator to the customer, or a limited licence on applicable third party terms. The categories of IP and their treatment will, however, vary and must be considered on a case-by-case basis.

Importantly, a vendor will usually be required to grant a third party IPR infringement indemnity, which is triggered in the event of a third party claim against the customer that the customer’s use of any supplier-provided material infringes the third party’s IP. This requires careful thought and will likely involve negotiation, as the difference in potential exposure as between a full indemnity and a lesser, ‘defend and settle’ obligation in the event of a third party claim is significant.

Data protection, privacy and security

Many customers are acutely aware of the increasing supply chain risk of a third party data breach impacting their data as their reliance on IT service providers grows, especially where a provider or a solution may process large volumes of customer data including personal information. As such, customers can be laser-focussed on ensuring they comply with privacy and data protection laws, and can demand that the MSA adequately deals with data security, and includes vendor obligations under which customer data is subject to appropriate security protections. There is good reason for this, as non-compliance with legal and regulatory requirements can lead to fines, penalties and significant reputational damage.

The situation is further complicated by the fact that privacy laws in Australia are currently in a state of flux: the first raft of amendments to the Privacy Act passed into law last November, and many more changes are planned. Customers will likely seek to revisit their MSAs to ensure their providers are enabling them to comply with the updated privacy obligations. A key part of this may be customers seeking to impose robust and potentially onerous security obligations on their IT vendors.

The good news is, once you accept that you’re acting as a custodian of a customer’s data and will be expected to meet these stringent obligations, you can stand out from the crowd by agreeing to do your utmost to protect the customer from data breaches, thereby mitigating the customer’s cyber supply chain risk. This will likely mean agreeing to put in place administrative safeguards such as Security Management processes and Information Access Management protocols, technical safeguards such as backups, encryption, controls and authentication, and even requirements to obtain and maintain security certification (eg ISO 27001).

Finally, if you are hit by a data breach, expect to comply with obligations under your MSA to mitigate the damage to the customer and allow them to comply with their notification requirements.

Disputes, and how to avoid them

It is an unfortunate fact that in the course of selling IT services and solutions, disputes with customers can, and probably will, arise. Delivering technology is difficult, and there is a lot to go wrong, especially if the MSA falls foul of any of the common pitfalls already discussed in this article. However, in relation to these all-too-common disputes, the objective always has to be to avoid litigation. Litigation is costly, time-consuming, extremely stressful for all involved, and can lead to highly adverse outcomes, both financially and reputationally, if a finding goes against you. So, how can this objective be achieved?

A good place to start is the contract management regime. Does your MSA contain agile, streamlined and effective contract management processes such as a change control procedure? Failure to update the contract documents when projects or engagements change (eg as to scope, pricing or the delivery timetable) is one of the main causes of disputes we see. It’s essential that any project variations are properly reflected in the documentation so that any agreed changes are faithfully recorded.

Secondly, good governance processes such as regular meetings of contract representatives, and putting the correct committees and forums in place (and empowering them accordingly), should allow for early visibility of where things may be going off track, enabling the parties to course-correct before a situation develops into a more serious and entrenched dispute.

Finally, remember to include the dispute resolution clause in your MSA, and follow the processes it sets out when a dispute does arise. This would typically involve internal escalation up various levels of representatives and management of the parties with a mandate to meet and resolve a dispute within a specified timeframe. If this doesn’t work, the next step is usually an obligation to follow some form of alternative dispute resolution as a last resort to avoid litigation.

We do see arbitration, a quasi-judicial process, provided for in the dispute resolution clause of some technology agreements (usually non-Australian ones) but in our view mediation is often a more effective means of dispute resolution, with a third party mediator who is well-versed in the field often bringing a different perspective and an unbiased approach to solving the problem in a way which both parties can accept.

Conclusion

Whilst it’s often the case that the MSA is given scant attention in the whirlwind of sales, relationships and delivery, there are numerous significant legal risks that the MSA can mitigate or even eliminate. The contract is a crucial tool in risk mitigation for your organisation, and allotting appropriate time, effort and commitment to drafting, negotiating and updating your MSA will stand you in good stead and should reduce the potential exposure to liability that is part and parcel of doing business as an MSP.

Our experienced Technology Law team can assist MSPs and other IT providers with tailored advice and strategies to optimise your position in IT contracting, including refreshing your MSA.

Register for Wotton Kearney’s Cyber, Privacy and Technology updates below.