The increasing reliance on large software systems to perform crucial revenue-generating activities, emergence of mega-suite vendors, more use of the cloud and software-as-a-service applications, increases in data breach frequency, cost and litigation and regulatory actions, and big data privacy impacts make hospitality IT vendor arrangements more complex, and solid agreements between hospitality businesses and IT vendors, more important than ever. Addressing key legal and business issues during the RFP and contracting process reduces risks and helps minimize expensive problems.
Too often, even large IT service arrangements are negotiated only as to the top-level business terms, and the vendor-generated agreements are signed with little regard for their terms. Later, when vendor expectations are not being met or a company’s needs change, the company finds itself stuck in an unsatisfactory relationship without remedies or redress. Here are the top ten issues to consider in contracting for IT products and services:
1. Develop and follow an IT roadmap
A strategic IT roadmap will help in managing reservation, point of sale and payment processing, consumer relations management, customer service operations, loyalty programs, analytics and reporting systems and data processing and storage over time. This includes preparing for scalability and interoperability of systems.
2. Use the RFP process wisely
While time consuming, the RFP process is an opportunity to pre-establish vendor obligations, including material legal term expectations, as well as to undertake due diligence on the vendor. Having a second back-up supplier, or dual tracking negotiations, may provide needed leverage to close agreements on appropriate terms.
3. Detail fees, services, deliverables and dependencies
The scope of the services; deliverables specifications; interoperability, scalability and interface requirements; testing, acceptance, implementation and training terms; and permitted dependencies that limit the vendor’s responsibilities, need to be carefully articulated. The definition of key elements (including authorized users, facilities, supported equipment and material changes) are crucial. The fees for the various services and deliverables, including change, additional services and renewal fees, should be clearly established. Ideally, fees will be based on performance milestones, or subject to credits or pro rata refunds in the event of non-performance, failure to obtain approval or termination.
4. Build flexibility into licenses and consider ownership of new IP
The license should be as broad as may be needed, accommodate for future expansion, such as territories and number of users or facilities, at the hospitality business’ option, and should be applicable to affiliates and assignable in a change of control. If custom software is being developed, articulate who owns it and what the non-owner can do with the new intellectual property. Consider take over rights with software code and developer manuals held with a commercial software escrow for crucial software, especially if it is custom.
5. Plan for changes, transitions and termination
Obtain termination rights for material breaches, chronic service failures, subsequent compatibility and interpretability inadequacies, undesired vendor changes and changes in your own circumstances, like a merger, or legal obligations. Try for a termination for convenience right, even if it includes a reasonable kill fee. Provide for an orderly exit process on termination, including transition support and data delivery or destruction, and establish the cost thereof.
6. Address data
Hospitality IT programs generate and/or process, store and transfer data. Firstly, agreements need to establish who owns what data, as between the parties, and who can use what data for what purposes. This has contractual and regulatory data privacy, security and breach response implications, including under the Payment Card Industry Data Security Standards obligations and state data security breach laws. Specify what data is to be available, and on what basis, which will require consultation with all the company stakeholders that will depend on the IT system or services, or the data it generates, processes or stores. Information governance obligations should be specified, including data segregation, residency (U.S. only), redundancy and backup obligations and response times for providing access to or delivering stored data, and in what formats, and for its retention and destruction and certification of destruction. If the hospitality company, or the IT vendor, is other than solely domestic, international data protection and transfer laws need to be considered.
7. Address marketing services compliance issues
Hospitality is a marketing driven business, and marketing departments are heavy users of IT services. Much of IT-driven marketing has consumer protection implications that need to be addressed in the vendor engagements and the company’s privacy policies. For instance, programs enabling the text messaging of consumers are subject to complex notice and opt-in and opt-out requirements, the failure to comply with has generated many hundreds of expensive class action law suits, with settlements in the tens of millions of dollars not uncommon. Location locator tools used by retailers and hospitality companies on their web sites and mobile apps have been a favorite for patent troll litigation. Companies are responsible for the failures of their vendors and infringement by their systems. Contracts need to clearly outline each party’s compliance and liability obligations. In addition, the ability to use big data to track and target consumers, such as to deliver interest-based and retargeted ads and offer dynamic pricing offers, has legal and self-regulatory privacy implications.
8. Obtain guarantees and warranties, and provide for maintenance and service levels
Establish minimum service levels, other than during established regularly scheduled maintenance (during appropriate dates and times where usage is minimal), and provide for remediation, credits and termination for failures. Following a typically limited warranty period, a maintenance contract likely will be required to ensure continued performance consistent with expectations. Beware of exclusions to maintenance obligations. Include updates and enhancements.
9. Negotiate the liability, remedies, insurance and indemnity terms
Contracts need to clarify which party is responsible under what circumstances for what liability and harm. This can get nuanced depending on what each party is contributing and doing. Remedies limited to fees paid to the vendor (often for a partial look-back such as for six months) offer inadequate protection for data protection, compliance with law and intellectual property infringement risks, for failure to fulfill confidentiality obligations and for consumer harm arising out of failure of the vendor to meet a defined standard and/or certain defined obligations. Where the lines are drawn will depend on both circumstances and leverage, and accordingly setting expectations on these issues as part of the RFP can help minimize the negotiations.
Some intellectual property infringement and errors and omissions risk, and increasingly data privacy and security incident risk, maybe insured by vendors, and agreements can require certain specified types and levels of coverage and that the hospitality business be added as an additional insured.
10. Establish oversight
Oversight is essential to ensure vendor performance and compliance, and may be established by reporting, audit rights and self-assessment and certification.
Taking these considerations into account will help hospitality businesses codify its expectations and the parties’ respective obligations. Thereafter, IT vendor management should be employed to ensure that vendors perform and comply and that changes in the vendor’s or the hospitality company’s business or legal obligations are evaluated and mitigated as necessary. A strong and flexible agreement will make doing so easier.
Contributed by Alan Friel, BakerHostetler, Los Angeles