Managed services – looking beneath the surface
IPTC Webinars Thursday 15 March 2012
Presentation by:
Polling questions
• Does your organisation use cloud services or an IT service managed by a third party (e.g. hosting, software as a service, or managed desktops)?
• Has the service ever failed?
• Does your organisation negotiate the contracts with the suppliers of managed services?
Speaker profile
Mark Bailey
Partner, IP, Technology and Commercial (IPTC)
T: 020 7427 6519
Mark is a highly experienced commercial, IP and technology lawyer, who provides advice on a variety of technology, infrastructure and commercial contract matters for clients ranging from growing businesses to public authorities, consultants and major suppliers and buyers of IT services.
Mark combines in-depth commercial expertise, specialist technology know-how and a highly practical approach to advising clients on a range of matters including software licensing, internet and e-commerce issues, terms and conditions of business, IP protection, research and development and collaboration agreements, software developments and licensing. He also advises on supply chain contracting, agency distribution and supply agreements, data centre operation, outsourcing and facilities management and green IT and low carbon issues.
Mark works across a number of sectors but has particular expertise in advising on data centres and infrastructure and within the financial services field.
Introduction
• Move to commodity IT where businesses are concentrating on what they are good at but do not want to (or no longer have to) run their own IT – trend to outsourcing IT
• Nearly all cloud and e-commerce services will rely on some sort of managed service support – the risks apply to all businesses
Components of a managed services contract
• Service provider is an aggregator of third party services and solutions, namely:
– professional services
– service desk/help desk providers
– telecommunications
– equipment e.g. telephones, devices, servers
– COTS software e.g. Microsoft, Oracle
– internet and bandwidth
Typical managed services or cloud contract supply chain
[Diagram: Customer’s users / clients; Customer; Service Provider; Software provider / managed service provider; Data centre / host; Other service]
Compare managed services with traditional supply chain (e.g. automobile)
• Supply chain issues are covered by product warranty repair or replace
• Product liability in certain sectors e.g. automotive is strictly controlled by industry specific quality standards and processes
• Product recall provisions are common to control defects in issued products
[Diagram: Manufacturer; Subassembly supplier; Component manufacturer; Raw materials]
What happens if a managed IT service goes wrong?
• Typically the service just fails and is not available or service performance is adversely affected
• Failures cannot be rectified by having stocks of components or using up existing capacity
• Product recall does not apply as there are no goods to recall; the ability to transact the affected function or business just stops unless there are appropriate business continuity or disaster recovery plans in place which actually respond to the event
Components of a managed services contract
• How much does the customer care?
• How much should the customer care?
• What are the brand and reputational issues in providing managed services?
– for the supplier
  • often uses well known brands as subcontractor
  • is supplier brand guardian of the customer (as in traditional outsourcing)?
– for the customer
  • risk of service failure (depends on business continuity arrangements)
  • brand risk
  • bigger risk in regulated sectors e.g. fines for service failure
• Recent example – cloud service for major institutional client revealed
Understanding the cost of service failure
• Examples are relatively hard to find
• Case law very rare
Understanding the cost of service failure
• Ponemon Institute report (commissioned by Emerson Network Power) September 2010
• Increase in reliance on IT networks and data centre systems:
– seen as important in generating revenue and business growth
– economic impact of data centre operations growing
• Infrastructure vulnerabilities and misconceptions about IT failures (i.e. frequency/cost) put companies at risk of downtime events.
• Large gaps in opinion exist between management and IT staff about the frequency and cost impact of data centre downtime
Understanding the cost of service failure
• 71% of management-level respondents believe their company’s business model is dependent on its data centre to generate revenue and/or conduct e-commerce. Only 58% of IT staff shared this belief
• Though respondents experienced an average of two downtime events over the two-year period studied, 62% of management-level respondents agreed that unplanned outages did not happen frequently. Only 41% of IT staff agreed with this statement
• 75% of management-level respondents feel their companies’ senior management fully supports efforts to prevent and manage unplanned outages. 31% of supervisor-level employees agreed with this statement
• Less than 32% of all respondents agreed that their company utilizes all
Understanding the cost of service failure
• Second study by Ponemon Institute, 2011, United States: 41 data centre facilities, each with a minimum square footage of 2,500 sq ft:
– average cost of data centre downtime approximately $5,600 per minute
– average cost of a single downtime event was approximately $505,500 (based on average reported incident length of 90 minutes)
– residual, downstream effects of a data centre outage often far more costly than the costs to detect and remedy the cause of an outage after it has already occurred
– 29% of IT staff believe their companies have implemented the technologies/best practices required to minimize the occurrence/impact of data centre downtime
Managing risk in the supply chain – an example
Take a managed e-commerce service e.g. an online SaaS service for hotel reservations
[Diagram: parties in the example supply chain]
Hotel
Businesses with business bookings
Consumers
Package operators booking rooms
Software provider for reservation platform
Managed services company
Servers and
Managing risk in the supply chain – an example
• The service is only as good as the weakest link
– a subcontractor default may bring the house down
• Get behind the label
• If the service provider has certifications how far down the chain do these go? e.g. ISO27001 – are data centres certified to this standard or just the provider?
• Imposing obligations to comply with standards EQUIVALENT to if these standards are not the subject of formal certifications or approvals
• Don’t rely on the brand or reputation of the service provider alone
Managing risk in the supply chain – an example
• Typical service provider limitations:
– exclusion of direct loss
– exclusion of indirect and consequential loss
– time limit on bringing claims
– restrictions on loss of data
• Service Credits as sole remedy?
[Table columns: For Customer; For Service Provider]
– Disadvantages
  • Do not cover all damages
  • Often totally inadequate
  • Not covered by insurance
– Advantages
  • Can be set off against charges
  • Readily calculated
  • Convenient and easy to administer
Recent case law
GB Gas Holdings Ltd v Accenture (2010)
• Increased importance of boilerplate in contract interpretation and how the courts get to the right decision. Courts overwrite inconvenient boilerplate:
•
GB Gas Holdings Ltd v Accenture (2010):
– Court of Appeal upheld High Court decision that a fundamental breach of warranty could be constituted by a series of individual breaches which in aggregate had a serious adverse effect on the customer’s business. Further, five items of loss claimed were held to be direct losses and as such were not excluded by the contractual exclusions of indirect and consequential loss.
– Exclusion clauses in contracts should be very clear about what items of loss are excluded.
Recent case law
GB Gas Holdings Ltd v Accenture (2010)
• Clause 15.4.3 provided:
“Upon being notified in writing by Centrica of a Fundamental Defect [a breach which causes a severe adverse effect on the British Gas Business], Accenture shall do what a commercial, reasonable and prudent organisation using the System to carry on its business would do when acting in its own best interests… This shall constitute Accenture’s entire liability and Centrica’s sole and exclusive remedy for a Fundamental Defect. For the avoidance of doubt, the only situation in which Centrica shall have a claim for damages for a Fundamental Defect shall be if Accenture does not promptly use the endeavours set out in this Clause 15.4.3 to correct the breach and nothing in this Clause 15.4.3 shall remove Centrica’s right to terminate this Agreement in accordance with its terms.”
• Losses Recoverable
– Customer compensation (£8 Million)
– Gas distribution charges (£18.7 Million)
– Additional borrowing charges (£2 Million)
Protecting against third party claims
• Claims in contract:
– Doctrine of privity of contract: only the parties to a contract acquire directly enforceable rights under it i.e. can sue or be sued on the contract.
– a third party may enforce a term in a contract if there is:
  • an express provision in the contract (S.1(1)(a) Rights of Third Parties Act 1999); or
  • a term which inadvertently purports to confer a benefit on a third party and which shows no intention to make that term unenforceable by the third party (S.1(1)(b) and (2) Rights of Third Parties Act 1999).
– parties can expressly exclude or place conditions on the third party’s right to enforce a contract term when drafting.
Protecting against third party claims
• Claims in Tort:
– Tort of negligence: exception to the doctrine of privity of contract. Contracting party can incur liability in tort by breaching a contract to which a claimant is not a party.
– Claimant must demonstrate:
  • contracting party owed them a duty of care;
  • contracting party breached such duty of care (failed to exercise reasonable care); and
  • such breach of duty caused the claimant to suffer recoverable loss.
– The contracting party will not be liable for “purely economic loss” suffered by the claimant. However, NB Hedley Byrne & Co Ltd v Heller and Partners Ltd: where contracting party owes a duty to a claimant not to cause that claimant to sustain purely economic loss (e.g. due to an undertaking of responsibility), then damages for pure economic loss will be recoverable.
– Evidence of indemnity cover sought by data centre hosts against direct claims by clients of their customer
Protecting against third party claims
• Civil Liability (Contribution) Act 1978
– If a contracting party is liable to another party whether in tort, contract or otherwise, they may recover a contribution from any other person liable in respect of the same damage, regardless of the basis of their liability (s.1(1)).
• Indemnities from customers against client claims – do they work?
“The Customer shall indemnify the Supplier for any and all claims that other customers or third parties may bring against the Supplier save to the extent that such claims arise out of the Supplier’s negligence or breach of this Agreement or any related agreement between the Supplier and any of its customers.”
Managed services and insurance
• Extent of professional indemnity cover
• Insurance cover does not (most likely) cover service credits/indemnities
• Obligations to insure on sub-contractors – rights of subrogation
• Should suppliers at the bottom of the supply chain require their customers to obtain adequate insurance cover?
• Co-location
– insurance of customer equipment
– what if the servers blow up/cause a fire suppression, particularly in a multi-tenanted environment?