Articles Posted in Legal and Contracting Issues


Quantitative measures of supplier performance in the form of service levels are critical in any outsourcing relationship.   However, they provide an incomplete picture of how well the supplier is performing and meeting the client’s business and IT objectives.  A common complaint is that the service levels are green each month, but the client is dissatisfied with the supplier’s performance – typically due to the supplier failing in areas that are difficult to measure quantitatively.

To fill this gap, we recommend to our clients that a quarterly “key stakeholder satisfaction survey” be included in the outsourcing contract as a service level.  This service level is a subjective determination by the client of its level of satisfaction with the supplier’s performance.  A meaningful service level credit applies if the supplier fails to achieve an acceptable rating.



In Part 1, we noted that financial institutions could find themselves potentially liable for committing an alleged Unfair, Deceptive, or Abusive Act or Practice (UDAAP) as a result of the actions of certain types of external service providers, particularly those that interface directly with customers.  In this Part 2, we will discuss how financial institutions can mitigate the risk of UDAAP enforcement actions through their contracting strategies with their service providers.

A New Wrinkle of Risk

In some ways, the CFPB’s UDAAP authority resembles other regulatory regimes in that it places compliance obligations on both the issuer of the product as well as the third-party service provider that helps effectuate a transaction involving such a product.  For example, export control laws place Office of Foreign Assets Control compliance obligations on both parties to a transaction.  Data protection laws apply both to the controller as well as the processor of data.  HIPAA protections for health information apply to the covered entity and its business associates.


Most business clients would rather be in the dentist’s chair than sit through negotiation of the indemnity and liability provisions of their agreement. Admit it: your eyes glaze over, time appears to visibly slow down, and you wonder at how the lawyers can find this stuff interesting enough to argue about.

As dull as they appear to be, there are some significant issues that can arise from the indemnity clause. One issue that I see more often than not is that suppliers try to put a financial limit on their indemnification obligations.

Sometimes the supplier will agree to remove the limitation, but not always. What are the consequences of having a limitation on an indemnification obligation,


In a recent judgement, the Court of Appeal of England and Wales held that an electronic database was not a chose in possession or a chattel but a chose in action (see our earlier blog regarding the grant of leave to appeal in this case). In other words, a database is intangible property, not goods which can be possessed. This means that when the parties to a database hosting contract are silent about what happens to the database when the contract ends, the service provider cannot exercise a common law lien over the database so as to force full payment of its fees, and must return the database to its customer.

In giving the lead judgement in the Court of Appeal, Lord Justice Moore-Bick quoted extensively from the judgment of Lord Justice Diplock in Tappenden v Artus [1964] 2 Q.B. 185. Tappenden is a case with which most first year law students in the UK will be familiar. In that case, a van owner allowed a customer to use the van pending the completion of a hire-purchase agreement. The van then broke down and was repaired by the defendant garage, but the price of the repairs was not paid. The question arose whether the garage could exercise a lien over the van against the owner. In finding that it could, Diplock L.J. emphasised “actual possession of goods” as necessary for the self-help remedy of possessory lien to arise under the common law.

Referring to another leading case, Moore-Bick LJ went on to state that “[a]s OBG v Allan makes clear… the common law draws a sharp distinction between tangible and intangible property…”, which leads to the conclusion that “it is [not] possible to have actual possession of an intangible thing …[and that] it is [not] open to this court to recognise the existence of a possessory lien over intangible property …”


This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.

Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices. Cybersecurity is perhaps one of the hottest topics being discussed in boardrooms today. The Cybersecurity Framework, anticipated legislation and litany of high-profile data breaches have resulted in even more heightened scrutiny.


Mario Dottori is quoted in Stephanie Overby’s recent article discussing 8 Tips to Deal With Liability When Outsourcing to Multiple IT Vendors.

“In theory, a multi-provider service delivery environment should not create additional complexities in terms of liability. The contracts — entered into separately between the customer and each supplier — should, if well constructed, clearly delineate the liabilities between the parties,” says Mario Dottori, leader of the global sourcing practice in Pillsbury’s Washington, D.C. office.

One tip offered is to create operation level agreements, “OLAs state how particular parties involved in the process of delivering IT services will interact with each other in order to maintain performance, and can help all parties ‘see the forest for the trees,’ says Dottori.  ‘These arrangements offer the opportunity for enhanced visibility of the service regime as a whole and helps to reduce — or better arm the parties with solutions for — missed hand-offs and finger pointing.’ One caveat: Most providers will not agree to take on additional liability in OLAs. But such an agreement can be an effective preventative measure.”


On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework”) and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”).

The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.


The High Court of England and Wales has recently decided that a contract can, in principle, be made in two separate jurisdictions at the same time if the contract does not include choice of law and jurisdiction clauses. In this situation, either party could seek to enforce the contract in its home jurisdiction.

In Conductive Inkjet Technology Ltd v Uni-Pixel Displays Inc [2013] EWHC 2968 (Ch), the court considered a dispute between two parties, one based in England and the other in Texas. The agreement in question was a non-disclosure agreement, which did not include a choice of law and jurisdiction clause as the parties were not able to agree on one during negotiations. The parties agreed the contract in an email exchange, and it was then signed by Conductive Inkjet Technology (CIT) in England and by Uni-Pixel Displays (UPD) in Texas. CIT then claimed that UPD made use of certain proprietary information in breach of the agreement and sought permission to serve claims on UPD in England. UPD challenged this by arguing that English courts did not have jurisdiction in the matter.

To recap the English law position on contract formation, the general rule is that a contract is made at the time and place where acceptance of the relevant offer is communicated to the offeror. There are two main rules as to when acceptance is communicated:


As part of its UK Employment Law Review in 2012, the UK Government announced that it intended to remove the third-party harassment liability provision from section 40(2) of the Equality Act 2010. This provision was repealed on 1 October 2013. This post considers the impact of the repeal and whether employers are safe from claims made by their employees based on harassment by their outsourcing or other third party contractors.


In October 2010, section 40(2) of the Equality Act introduced the concept that employers could be liable for harassment of their employees by a third party where the harassment was persistent and based on a protected characteristic. Under this provision, employees could bring a claim against their employer if they had been subjected to discriminatory harassment by third parties during the course of their employment on at least two occasions and their employer had failed to take any reasonably practicable steps to prevent the harassment. This provision had potentially far reaching impact as employers became potentially liable for acts committed by third parties such as their suppliers, customers or visitors.


On 19 November, Datateam won permission to appeal from an unreported decision of District Judge Bell sitting in the Reigate County Court on 12 June. (The facts of the case, which related to unpaid invoices for database maintenance services, are not of interest except to say that the services agreement did not establish a contractual lien over the customer’s data, that is, it did not contain an express term requiring the return of the data to the customer at the end of the contract period.) What is of interest is that when it hears the appeal, the Court of Appeal will consider “whether or not a service provider can claim a [common law] lien over electronic data which it manages.”

In English law, a common law lien normally arises in respect of tangible property but not in the case of intangible property such as intellectual property. The classic example is a mechanic who is entitled to exercise a lien over (hold onto) a customer’s car until the customer settles his bill. However, electronic data is intangible property. In granting Datateam permission to appeal, Lady Justice Arden commented that there is no English authority “which establishes that a [common law] lien is exercisable over intangible property.” She thought this was “a point of law… worthy of consideration… since it could have very considerable implications if there was no lien.”

The Court of Appeal’s decision is eagerly awaited.