Articles Posted in Legal and Contracting Issues


In the early days of outsourcing IT as a managed service, it was not at all unusual for a managed services price to be all inclusive of assets, services and facilities. That bundle of services and assets usually came with “black box” pricing that was devoid of transparency and created a myriad of challenges, from accommodating changes in technology to addressing equipment refresh. Worst of all, these “all in” deals made it virtually impossible to fire your service provider because of the challenges of removing the assets from the supplier upon termination. Despite these challenges, there are times when a customer’s asset strategy still calls for acquiring assets from their service provider. In those circumstances, customers should be aware of the inherent risks in including IT assets in an IT managed services agreement and structure the transaction to minimize the risks.

Assets could be included for just about any service category of a managed services agreement. For the purpose of this discussion we are going to focus on the Servers and Storage assets that comprise the central compute services for a company.

Margin Expansion


We previously reported on the Massachusetts computer services tax that became effective on July 31st after the legislature overturned Governor Deval Patrick’s veto of An Act Relative to Transportation Finance. Facing strong opposition from the state’s technology sector, the Massachusetts legislature retroactively repealed the tax by passing An Act Repealing the Computer and Software Services Tax, which was signed into law on September 27th. Now, customers who paid the repealed tax should take steps to ensure they are promptly repaid or credited the appropriate amount by their vendors.

The Massachusetts Department of Revenue (DOR) has issued guidance to vendors regarding how to address the repeal. If a vendor collected but did not remit the taxes to the Massachusetts DOR, it is required to make reasonable efforts to return the taxes to the customers from whom they were collected. If a vendor collected and remitted the taxes to the Massachusetts DOR, the vendor may file an abatement application. Vendors should be keenly aware that abatement applications related to the repealed computer services tax are due by December 31, 2013. Furthermore, although vendors may repay or credit customers prior to receiving an abatement, they must do so “within 30 days of receiving said abatement.” Although the Massachusetts DOR guidance is helpful, vendors should consult their tax attorneys to determine their particular obligations.

Customers may consider reviewing applicable invoices for periods (a) from July 31, 2013 through September 27, 2013 to determine the repayment or credit amount they are owed, if any, and (b) after September 27th to ensure the vendors have updated their invoicing practices to account for the repeal. Customers should then contact their applicable vendors to ensure they are promptly repaid or credited the appropriate amount. If a vendor already remitted the taxes to the Massachusetts DOR, the customer should encourage the vendor to promptly file an abatement application. If the vendor resists, the customer may want to review the agreement between the parties to determine whether the vendor has a contractual duty to comply with the request. Last, customers should be aware that if (i) a vendor repays or credits a customer after filing an abatement application and (ii) the government’s refund to the vendor is delinquent, then the customer is entitled to any interest earned from the government.


Customers increasingly are taking advantage of Software as a Service (SAAS) and other cloud-based solutions available in the marketplace. There are of course many legal and commercial issues that customers should consider when evaluating contracts provided by suppliers of these solutions. This post focuses specifically on issues arising when SAAS or other cloud solutions will be provided from an offshore location. For example, data hosting, help desk/service desk, implementation, and disaster recovery services are often provided from India, the Philippines and other offshore locations in support of solutions that are delivered in North America and Europe.

  • Transfer of Customer Data Offshore. Customers should consider whether there must be restrictions on the transfer of data offshore (whether due to internal security policies, industry standards, obligations within downstream customer contracts, or applicable laws and regulations). If the data contains personally identifiable information (PII), protected health information (PHI) or similar types of data covered by data privacy laws, the data most likely should remain onshore. A customer may decide that other data may be transferred offshore, but only if additional safeguards, contract restrictions or liability provisions are added to the contract with its service provider.
  • Access to Customer Data or Systems from Offshore. This issue turns the item above on its head, a bit: even when customer data and systems remain onshore, customers should consider whether personnel from the SAAS or cloud service provider should have access to such data or systems from offshore. For example, offshore personnel who are accessing service desk records or performing break-fix services may request the ability to access a customer’s onshore systems. This may or may not be acceptable in any case, or it may be acceptable only if certain agreed-upon restrictions are followed.


Google has figured out that I shop for a lot of children’s clothing online, as my two children grow like weeds. Every time I launch a search, my banner ads link to brands that I have bought previously or similar brands that other consumers may have purchased. That is Big Data at work, as it is being used to identify other brands that I might be interested in purchasing based on shoppers with similar consumer profiles to mine. But let’s say that the next banner ad I receive isn’t for children’s clothing, but is instead for an all-inclusive Caribbean vacation. Well, I have never searched for Caribbean vacations, so why would this be turning up? Again, this is Big Data at work, because patterns in human behavior have informed Google that people with small children are likely good targets for a quick getaway vacation. This is an example of the value of Big Data in predicting individual consumer behavior based on the behavior of many.

“Big Data” is the somewhat uncreative but accurate term for the process of collecting, culling, and categorizing data from diverse sources on a massive scale. Through the application of algorithms, companies are analyzing Big Data in order to see patterns in human behavior, and (most commonly) using it to develop targeted, individualized marketing. The primary goal of Big Data is to learn from a large body of information things that we could not comprehend when we used only smaller amounts. Recent trends point to an increase in the use of Big Data, but there are several cautionary points from a legal and privacy perspective to consider.

What are the uses of Big Data, and who uses it? The potential benefits are wide ranging, but can be categorized as follows:


Most outsourcing contracts that I see contain a step-in right for the customer. Generally, a step-in right allows the customer to take over the outsourced operations if the supplier cannot or does not perform, and then “step out” when the supplier demonstrates that it will meet its contractual obligations.

How realistic is it that a customer can ever exercise those rights, and are they worth the additional time and angst to negotiate?

Outsourcing contracts are not the only type of agreements in which you will find step-in rights. They are used in many other commercial agreements, including construction, project finance and development agreements. In those relationships, step-in rights are generally more straightforward and easier to exercise than in an outsourcing relationship, where it may be impossible to “step-in” and perform the supplier’s obligations.


Let’s quickly revisit the scenario we’ve been following through our first two installments. That is, you are a CIO faced with a decision on whether or not to enter into an “enterprise” or an “unlimited” license arrangement with a major software publisher. With the first installment, we explored the scope of the deal (“What does ‘enterprise’ or ‘unlimited’ really mean?”). And, with the second installment, we discussed the prospect of a long-term relationship with the publisher (“Do we really want to be doing business with this publisher?”).

Let’s assume you’ve gotten yourself a little more comfortable with the idea of the deal after looking at your team’s responses to the first two questions. Even so, there are additional risks to understand and address, which brings us to the third question:

“Does the deal reflect and account for the long-term nature of the arrangement and relationship with this publisher?”


We recently posted a three-part series on BYOD issues in this blog. A primary theme was the inherent tension between employer control and employee privacy in a BYOD environment. In a recently reported case out of the Northern District of Ohio (Lazette v. Kulmatycki), the courts had an opportunity to clarify how to walk this tightrope. Unfortunately, in struggling with existing (and somewhat inadequate) laws, the result seems to have made the rope even finer rather than clarifying a path across the divide.

Background of a BYOD Case
The case begins with a corporate-liable Blackberry device of a former employee (Lazette) being turned in to the employer upon separation. Lazette dutifully deleted her personal email account from the device before returning it to her employer – or so she thought. For whatever reason, her personal email account remained, and her former boss (Kulmatycki) proceeded to read some 48,000 personal emails over the course of the ensuing months.

The headline from the case is that the boss was at fault for reading the emails. This result “feels” right. After all, Lazette no longer worked there, so why was Kulmatycki reading her personal emails – even if he may have had the right to do so when she was still an employee and had personal email on a corporate-liable device?


This article was originally published in the July 22, 2013 issue of Texas Lawyer.

The constant threat of cyberattacks presents many and varying challenges for businesses. Insurance provides one way to deal with them. Because the market for insurance covering these risks and the law interpreting these policies both continue to develop, this is an area in which attorneys can help clients by maximizing their opportunity to secure the broadest possible coverage.

A look at federal and state action on cybersecurity risks provides some critical background. President Obama issued his Executive Order on Improving Critical Infrastructure Cybersecurity in February. In October 2011, the U.S. Securities and Exchange Commission’s Division on Corporate Finance issued relevant guidance on financial-disclosure obligations concerning cybersecurity issues in CF Disclosure Guidance Topic No. 2 – Cybersecurity.


On July 24th, 2013 the Massachusetts legislature passed An Act Relative to Transportation Finance (“the Act”), which, among other things, makes “computer system design services and the modification, integration, enhancement, installation or configuration of standardized software” taxable services under the Massachusetts sales and use taxes. Under the Act, “Computer system design services” is defined as “the planning, consulting or designing of computer systems that integrate computer hardware, software or communication technologies and are provided by a vendor or a third party.” The Act passed despite Massachusetts Governor Deval Patrick’s veto, and the new tax becomes effective July 31st, 2013.

The Act makes Massachusetts one of four states that tax computer services. Maryland expanded its definition of taxable services to include computer services in November 2007, but the computer industry fought hard to reverse the decision. On April 8, 2008 the Maryland legislature repealed the tax before the changes took effect. Websites calling for repeal of the Massachusetts tax are already appearing, but considering (a) the effective date and (b) that the legislature overturned the Governor’s veto of the Act, a similar repeal in Massachusetts seems unlikely (at least in the near-term).

Customers and service providers alike should consult their tax attorneys to determine whether and to what extent the expanded definition of taxable services in Massachusetts impacts them. For basic information and guidance regarding the tax changes, you can refer to the Massachusetts Department of Revenue (DOR) technical information release 13-10 (“TIR 13-10”). The DOR has not yet updated Regulation 830 CMR 64H.1.3 (Computer Industry Services and Products) to reflect the new scope of taxable computer industry services but TIR 13-10 states that it intends to do so. The current Massachusetts sales and use tax rate is 6.25%.


Jim Gatto, Meighan O’Reardon and James Chang recently published “Mobile Privacy Practices: Recent California developments indicate what’s to come” in the June issue of Computer Law Review International.

The use of mobile applications has seen huge growth in the past few years. As the use of apps becomes increasingly commonplace, social concerns such as the privacy of app users will increasingly need addressing. California is taking the lead in regulating this important issue. For more information, including an overview of mobile privacy, a summary of California’s stance on how to address the issue, an overview of the state’s principles regarding privacy, its best tips for complying with its principles, and an examination of the privacy-related laws outside of California, please read the full article: Mobile Privacy Practices: Recent California developments indicate what’s to come.