Good chief executive officers pay close attention to every aspect of the business they are charged with running, from yesterday’s sales and production numbers, to the look and feel of next winter’s advertising campaign. As well they should: After all, the board, shareholders, employees and even the public hold the CEO accountable for the success or failure of the entire enterprise.

Yet the number of malicious and accidental data leaks and privacy abuse scandals seems to be expanding exponentially. Just in the past few days, organizations ranging from the neurology department of Massachusetts General Hospital in Boston to the Mastercard operation in Germany and Capital One in the U.S. experienced breaches.

The reasons behind the various incidents are being exposed through corporate announcements, government filings and investigative reporting. So, it is becoming apparent to us as data security and privacy attorneys that under all of the technical or operational reasons lies one essential fact: Too few CEOs and boards of directors are taking ownership of both their company’s policies and procedures and how the business responds when the unthinkable happens.

Some Things CEOs Cannot Delegate

“That’s why we have an IT department,” seems to be the attitude of many in the corner office. “It’s their job to deal with data security.”

In the days when protecting information mostly meant keeping viruses from infecting the servers, this sort of hands-off delegation was acceptable. It was the job of IT. But as Facebook and Equifax have discovered, not only are incidents front-page news but the company’s brand can suffer even more than the size of the fines and class action lawsuits.

As a result, it is increasingly important for both CEOs and members of the board to take ownership of how their company protects its data. It is distressing that a survey published earlier in 2019 in Corporate Board Member magazine found that less than half of public company directors thought their meetings spent enough time on security and privacy matters.

There are five broad questions each CEO and director needs to be asking in this area.

1 – What data do we hold? This is a basic who, what, where and why question. If the head of the company doesn’t know what information it has or who is responsible for protecting the data on a daily basis, then you won’t be able to respond quickly when there is an incident. Having a good grasp on the information environment inside a business is not only good in the event of a breach or incident, it also enables the CEO to direct a response to the legal and regulatory requirements that come into play.

2 – What threats exist to the data we hold? Identifying and addressing any vulnerable security spots provides the basis for knowing the likelihood of a breach or incident occurring, as well as the potential damage that may result if one threatens a critical system. Obtain information on what steps are in place to assess and deal with these risks. The details on implementing the resulting policy can be given to IT, but the person in charge needs to set the priorities.

3 – Who uses our data? In a broad sense, the chief executive must know which vendors and others outside the company have access to the data, why they need it and how they use it. We recommend to our clients that they have a written agreement with every outside party that details their responsibility if a breach or other incident occurs. The agreement should require the third party to indemnify the company if they were responsible for whatever caused a breach. The CEO also needs to be assured by IT that vendors are maintaining their own security controls.

4 – How do we control data access? The military and intelligence agencies have used a “need to know” approach to security for a century. Only employees who need data to do their jobs should be given access to it. It is the CEO’s job to ensure that threats are minimized. As a matter of policy, access needs to be limited even if it is up to IT and department heads to implement the policy.

5 – How are we protecting our information? The chief executive doesn’t need to know the details but he or she does need to ask what steps the company takes to secure its data, especially if the information is being sent to any outside third parties or even carried outside the company by employees on their devices. There is one basic question to ask: Is all of our data encrypted? If the answer is no, then make sure there is a valid reason. Just as important, often encryption is viewed as a safe harbor under the breach notification laws in some jurisdictions.

Controlling Expanding Risks

The number of ways in which data and privacy can be compromised seems endless. For instance, in August 2019, Palo Alto, California’s Unit 42 security function reported that it found very few businesses are doing very much to protect security in the cloud.

At the same time, all of the Big Tech firms say they are joining the Confidential Computing Consortium to help with security issues as businesses move into the cloud and edge computing.

Every CEO has countless issues, problems and opportunities filling their desk every day. But with business being conducted electronically, the risks are real and a chief executive owes it to their employees and shareholders to mitigate the risks as much as possible.

This means asking questions and getting solid answers.

If you are a CEO or general counsel and want to have a conversation about ways to control data security and privacy risks in your organization, please call. We’ve worked in this area for a long time and can help you develop an appropriate strategy and take the necessary steps such as setting internal policies and drafting agreements with third party entities that have access to your information.

The general counsel at any sized company knows how to draft everything from employment contracts and leases to complicated sales agreements. But few are familiar with what Enterprise Resource Planning (ERP) software systems actually do, let alone the traps lurking in these types of contracts.

This isn’t surprising given that the lifespan of most ERP systems can be 15 years or longer. So, chances are a general counsel may only see one or two such contracts in their entire career.

Because the ERP implementation and software licensing contracts are as complicated as the software itself, there are a number of key things for general counsel to keep in mind as they review these contracts. While this is not an all-inclusive, “how to DIY” guide, as an attorney who’s devoted his career to negotiating and drafting contracts for ERP software systems, these are the seven main areas where we have seen companies slip up most frequently.

1 – Specify the vendor as the expert. No matter how qualified the internal IT department might be, the contract has to spell out that the vendor is making representations based on their knowledge of the product and experience in the user’s industry, and that the user is accepting their word. If there is a failure down the road, this will help document the vendor’s responsibility.

2 – Detail liability and warranty limits. The template contract given to the company will contain one-sided and onerous limitations on liability and warranty disclaimers. The agreement with the vendor and any third parties it or the company uses must include detailed language on liability and warranty limitations along with specifying what remedies will exist in the event of an ERP implementation “train wreck.”

4 – Define everyone’s responsibility. Your company will have responsibility for certain activities during the software integration as will the software vendor and integrator. These must be carefully negotiated and drafted into the agreement so no one can say later “Didn’t think that was our job.”

5 – Put everything in the contract. We have seen numerous situations where assertions made in marketing material and proposal responses are filled with generalities and vague promises that have little bearing on what the product will actually do. We always try to insist that all of these materials are included as part of the contract so that if there is an issue later on, the user has it in writing and the vendor or integrator is bound to what they’ve presented when trying to close the deal.

6 – Watch out for contractual remedies. In template contracts provided by vendors and integrators, usually there are onerous provisions specifying what the user’s company must do to exercise its rights under the contract with respect to warranty remedies and indemnification. Review these provisions carefully and ensure that they are followed to the letter.

7 – Have a Mechanism for Controlling Scope. Ensure that no one involved in the project on the company side says or does anything that, later, could be construed as narrowing or expanding the project’s scope. Negotiating a detailed change control process can be critical to keeping the project on track and the scope manageable.

Protecting Management

Too often, senior management sees their ERP vendor and integrator as their partner. In many instances, that’s the case, but in a growing number of situations – especially when the vendor and integrator are among the behemoths in the ERP business – the opposite turns out to be true. It’s the job of general counsel to protect management against itself in case you have to enforce the contract down the line.

We’ve spent our career as lawyers focusing on negotiating and drafting ERP software system contracts, as well as litigating disputes when things go horribly wrong. If you’re an in-house attorney whose management is planning to replace a legacy ERP system or is considering one for the first time, we’ll be more than happy to share what we’ve learned over the years. Feel free to call us.

 

Taft Chicago Intellectual Property attorneys Adam Wolek and Rashad Simmons contributed, “A District Court Split on Curing Copyright Timing Defects,” to Law360 on Aug. 15. The article discusses the differing opinions of district courts on whether parties can file copyright suits before the copyright registration is issued. Read the full article here.

Wolek protects the intellectual property of some of the world’s largest companies, including those in the wireless, internet, agriculture and manufacturing industries. He has successfully litigated and negotiated numerous patent, copyright and trademark infringement, trade secret and business disputes for his clients. Wolek also assists clients with intellectual property licensing.

Simmons concentrates his practice on complex civil and commercial litigation, including intellectual property, employment litigation, products liability, personal injury and class action matters.

Taft was a co-sponsor with the Third Stage Consulting Group of the Digital Stratosphere Conference 2019, which was held in Chicago on August 7-9, 2019. The conference was an independent educational and peer-networking event for organizations about to embark on a digital transformation or ERP/CRM/HCM implementation. Attendees learned real-world lessons, shared battle scars and heard best practices that will equip project teams for success. Learn more about the conference by clicking here.

On the opening day, Chicago partner Marcus Harris and Indianapolis partner Jeff Kosc spoke on best practices of negotiating with your ERP software vendor and system integrators.

If you are a foreign company or foreign attorney used to directly filing U.S. trademark applications from overseas, be prepared for a big change on August 3. The United States Patent and Trademark Office (USPTO) has announced that, effective as of August 3, 2019, all foreign-domiciled trademark applicants, registrants, and parties to Trademark Trial and Appeal Board proceedings must be represented by a U.S.-licensed attorney.

To read the full law bulletin authored by Indianapolis partners Zach Gordon and Russell Menyhart, click here.

We often write about the mounting number of failed digital transformations, especially those involving an ERP software system. More often than not, the underlying cause of the failures involves either the vendor or integrator biting off more than they can chew. They misrepresent the capability of their ERP system or their experience at integrating a system into the user’s existing software and hardware.

But seldom is management blameless when there is a failure.

One common mistake we see as ERP contract litigation attorneys is that the executives along mahogany row see the ERP software acquisition as only a technology project. It isn’t. ERP software systems are a technology solution to an overriding management issue. The issue might vary from one company to another. In some, it might focus on how the business is run; in others, its manufacturing processes; while still others might want to include employee matters or financial concerns.

By thinking of ERP software systems strictly as a bit of complex, if costly, technology not worthy of much more attention than approving an upgrade in Microsoft Windows, CEOs, COOs and CFOs can easily lose track of the project.

When this is the starting point, a failure of the system installation and integrations might not be far behind.

Compounding the Problem

Making matters worse, many integrators are quite happy to lull executives into this false sense of inattentive security. After all, they bid on and won a contract that can be worth tens of millions of dollars. So, they are likely to be reluctant to shout “Fire!” at the first whiff of smoke.

Many, especially among the large integrators and consultants such as Accenture, even try to shoulder other advisors with specific expertise out of the way even though these third parties might be able to rectify the situation before the project becomes a total disaster.

Then, when the head of technology in the company sees an issue spiraling out of control and alerts top executives, often they get blamed for the unfolding disaster. Using the outdated management notion that “somebody has to take the fall and it won’t be me,” these CEOs and COOs fail to recognize that if they had been paying closer attention from the outset, the problem might have been entirely avoidable.

Often, problems can be traced back to management not really knowing what it is they want an ERP software system to accomplish for the business. This is an offshoot of thinking they are acquiring a technology solution, not a business process.

As New York Yankees hall of fame catcher Yogi Berra used to say, “If you don’t know where you’re goin’ you won’t know if you got there.”

Fox in the Hen House

The second major mistake happens when senior corporate leaders assume that because they have an integrator, that resource will take care of monitoring progress. But since when have foxes been any good at guarding the chicken coop?

By not retaining an independent consultant to monitor the vendor and the integration, users can leave too much to chance. Yes, a consultant can be expensive but so, too, is the digital transformation project. Adding a few hundred thousand dollars to the cost of a multi-million dollar ERP implementation project is a small price to pay when the overall impact on the entire company of an ERP failure is considered.

The next error made when a problem appears is that the software itself is blamed. Admittedly, many vendors over-promise and under-deliver on the capability of their product and its applicability to the user’s business and industry. But a smart CEO is going to take a deep look to find if there is any reality behind the bold assurances.

Again, this is where independent consultants will pay for themselves. They bring experience with businesses in many different sectors, and have a comprehensive understanding of the product offered by each vendor. So, a consultant is in a good position to tell the CEO, “They’re blowing smoke” or “This will work for you.”

We have seen countless situations where the vendor and integrator must shoulder the bulk of the burden of an ERP software system failure. We’ve written about many transformation projects, such as the system sold by IBM to Lufkin Industries LLC, Revlon’s massive problems that cost the company tens of millions or when a system sold to the State of Maryland couldn’t do what was promised.

Many times management shares part of the blame in ERP implementation failures. Just as often, had the C-suite been doing its job the problem may not have existed in the first place.

If you are considering upgrading a legacy ERP software system or installing one for the first time and would like to discuss ways to avoid getting off on the wrong foot, feel free to call us. We’re always happy to answer questions and can refer you to some of the industry’s most highly respected consultants.

Three court cases reveal the importance of ensuring that contracts for an ERP software system and other digital transformations be carefully negotiated to remove the possibility that a lawsuit over a failure can be blocked by seemingly harmless clauses that vendors and integrators insert as a matter of routine in their template agreements.

The first case involves an ERP software system sold by IBM to Lufkin Industries LLC (Int’l Bus. Mach. Corp. v. Lufkin Indus., LLC, No. 17-0666 (Mar. 15, 2019)). The system failed and Lufkin sued, claiming IBM had promised an “out of the box” solution that didn’t exist. At trial, a jury awarded the user a total of $27 million in damages. IBM appealed and the Texas Supreme Court ruled that even though fraud was committed, the contract blocked Lufkin from collecting damages and overturned the lower court’s jury award.

The second also involves a Texas lawsuit between Mercedes-Benz and a franchise dealer (Mercedes-Benz USA LLC, et al. v. Carduco, Inc. d/b/a Cardenas Metroplex, Case No. 16-0644). The dealer sued the automaker when it claimed it had been assured during discussions that it could move the location of the dealership to another city. After the contract was signed, Mercedes blocked the move, which led to the lawsuit.

The Texas Supreme Court upheld the defendant’s argument that the contract specified “no representations outside of the contract were made by (Mercedes).” As a result, the plaintiff lost their case.

In the third situation, recently we wrote about car rental giant Hertz Corp. suing equally large integrator Accenture over the failure of Hertz’s website rebuild project. A few weeks ago, Accenture asked a federal court to narrow the scope of the lawsuit. It asked a federal judge to remove claims of consumer protection and damages, saying they don’t belong in a breach of contract dispute.

The judge has not yet ruled on the Accenture motion.

Fighting Chance

The Accenture filing and the Texas case provide an important object lesson for all buyers of ERP software systems: Never sign the vendor’s or integrator’s template contract without negotiating and redrafting key provisions – even the boilerplate ones. Failing to do so may restrict your ability to sue for damages in the event of a failure.

To prevent this from happening, we usually insist that any marketing materials and proposals presented to a prospective user during the sale process be included as an appendix to the contract. This makes the sometimes-extravagant claims made by a sales team trying to land the deal binding on the vendor or integrator.

More to the point, if a vendor is willing to brazenly lie to a potential customer during the sales process, they are going to fight to keep you from using that lie as the basis for a lawsuit later on. It’s not good business but at that point the defendants are more concerned with their potential liability than with acting appropriately.

Users need to give themselves a fighting chance in court.

Be Specific, Be Detailed

For instance, in each of the three examples we cited the plaintiffs relied on various representations made by the vendors, whether verbally or in the sales material that was given. Yet by not including this material in the contract, the users were left holding the bag after it unravelled and everything fell out.

This means being very specific and detailed to ensure that all parties to the agreement understand and acknowledge their responsibility and obligations – including those made when the supplier is desperate to get you to buy their product or service and is willing to say anything to get you to sign.

We have worked with ERP software system contracts for our entire career, from both sides of the table. One of the key things we know is that almost every clause in a contract from a vendor or integrator needs to be negotiated and rewritten. Not doing so puts the vendor and integrator in the catbird seat and hangs the customer out to dry.

If you are considering a new ERP software system, or are about to upgrade a legacy system, feel free to call us with any initial questions you might have about the deal or the contract. We will be happy to let you know where the potential pitfalls and hidden traps might be waiting for the unsuspecting.

It’s been said that to succeed in today’s digital world, every company must be a technology-first organization that also specializes in another industry. Cloud computing is the operating model that’s fueling the digital transformation, modernizing IT platforms around the globe. It involves software and other hosted services rented from sources like Microsoft Azure and Amazon Web Services (AWS) and delivered over the Internet.

Chicago partner Marcus Harris was part of an industry expert panel that shared its views on the game-changing model with Crain’s Content Studio.

To access the full discussion, click here.

 

After retiring from a wildly successful career running Ford and then saving Chrysler from bankruptcy, Lee Iacocca was asked by an interviewer how American automakers could have allowed their globally dominant position in the market to be eroded by foreign car companies. Iacocca replied, “There is nothing more vulnerable than entrenched success.”

It’s not just car manufacturers where hubris has cost a business its market position.

Who remembers that photocopiers were invented by 3M using a sticky, coated paper and the company ignored the advent of plain paper copying machines because it had a lock on the market?

Or that cameras were being sold long before Kodak made them, and photography, simple, cheap and easy for anyone to use, pushing out of business many competitors who didn’t think Kodak’s Brownie camera would catch on? Indeed, Kodak met a similar fate by not finding a way to take advantage of the advent of digital photography.

A similar day of reckoning may be coming for the major developers, vendors and integrators of Enterprise Resource Planning (ERP) software systems.

Entities such as SAP, Oracle and Microsoft, and the humongous system integrators such as Accenture, may feel snugly entrenched in the market. After all, combined they have been the dominant players for a long time. Yet their arrogance coupled with the often-high-handed way they deal with customers may be creating a situation in the ERP sector that mirrors what happened to Detroit, 3M and Kodak.

Holding Users Hostage

Not to stretch a point, but in some respects the big players act like commercial terrorists when dealing with their users.

True, vendors all have user groups and discussion forums. These give the veneer of soliciting feedback and responding to concerns and complaints. But the reality is that, for the most part, vendors give no real evidence of actually caring about a user beyond making tweaks here and there in the coding to fix a problem.

If they did genuinely care about their customers, after a contract is negotiated and signed they would not upsell anything and everything they can come up with, including functionality and upgrades that may not be needed for years, if ever, or software that is a questionable fit for the customer.

A supplier who was genuinely concerned about its customers would not arbitrarily require all of them to migrate their systems to the vendor’s cloud – and pay an additional fee – by a set date even if a company’s own servers and infrastructure are secure, perfectly serviceable and have years of useful life left in them.

The vendor who truly had the best interest of their customer in mind would not load its sales teams with economic incentives to upsell as much as it can for as long as it can without any regard for whether there is a benefit to the user buying the service.

An integrator who put their clients first would not do everything possible to shoulder other consultants out of the way during an implementation, even if the integration was in a tailspin heading for a crash landing.

Climbing Mountains

Because the cost of entry to the ERP development market is so high, the existing goliaths may feel that they’ll never face any meaningful competition that might make inroads into their market position and market share.

This is precisely what Detroit thought about Volkswagen’s Beetle and the first Toyotas, and nothing bad happened to the Big Three automakers as a result of ignoring the threat.

Certainly, entering the ERP business as a competitor going up against a Microsoft, Oracle or SAP is not easy. It takes a very deep pocket and a willingness to invest tens of millions into creating a product. Yet ERP software system users are becoming increasingly restless and dissatisfied with how they are being treated by companies the buyers thought – hoped – were their partners in addressing a management issue with a sophisticated technology solution.

It’s a steep mountain to climb but as an ERP attorney who has been in the business for a very long time, we are starting to hear of attempts to ascend the rockface.

Meanwhile, users have to be much more aggressive in dealing with vendors and integrators, which starts with negotiating and drafting contracts that hold the vendors and integrators to account.

If you have concerns about either an ERP vendor or ERP integrator, feel free to call us. We’ll be happy to answer any questions, refer you to highly respected consultants, or assist you in dealing with any issues you might be facing with your acquisition or implementation.

When an ERP software system implementation fails, sometimes it’s because the vendor told a potential buyer that its round peg would fit into the user’s square hole in order to make the sale. But maybe even more often, the failure is because the integrator either did not fully understand the user’s industry or business, the client’s relationship with its supply chain, customers and employees, or how the digital transformation was intended to improve corporate performance.

As an ERP software system attorney who has litigated disputes between users and integrators, we’ve learned from experience that many of the larger integrators are very good at selling their services but are not nearly as good at delivering what is in their marketing material, sales pitches and proposals. Sometimes, they oversell their capability.

Choosing the right ERP integrator is as important as selecting the correct ERP vendor. As is the case with vendors, price seldom should be the ultimate determining factor. Here are the six critical criteria every company needs to keep in mind when considering which integrator will be involved in upgrading a legacy ERP software system or installing one for the first time.

1 – Define the Critical Criteria. Know what you want to buy. Some integrators take the approach that they alone are qualified to tell you what you need to purchase. Know whether a global partner is needed to support and work in multiple countries or if a boutique firm with deep but specialized knowledge is more important.

2 – Find the Right People. Beyond merely reading the bios on a website or in a proposal, see if the people used by the integrator have the methodology and tools needed for the size and scope of your project. Don’t neglect looking for what is repeatable from their other assignments that will mesh with the needs and requirements of your specific implementation.

3 – Experience in Your Industry. It is extremely beneficial for the integrator to have handled successful projects in your industry or sector, or in businesses close enough to what you do to have acquired transferrable knowledge. When reviewing proposals, look hard for challenging projects they’ve handled and how they dealt with unexpected problems when the implementation project required changes.

4 – Depth of Their Resources. A deep reservoir of reserve talent is important but this is available to many integrators, not simply the large entities such as Accenture. While you need to know the strength of the bench, also ask about how often and for what tasks the integrator brings in third-party subcontractors, what access you’ll have to both staff working on the project day-to-day as well as to upper echelon executives when you have a question or concern. Finally, make sure that there’s a good cultural fit between the integrator and your organization.

5 – Approach to ERP Implementation. Different integrators take different approaches to their assignments. Whether your integration will be done by a dedicated, full-time team or be accomplished by part-time resources depends partly on the size of your project. More important are things such as including a change management package, using a certified Project Manager through the implementation, having an industry-specific model to drive key metrics, providing critical reports during the process, and your participation in the design, data conversion and integration phases.

6 – Post-Implementation Support. Frequently, this is overlooked, yet post-implementation problems can result in production downtime, accounting or payroll issues and disruption of day-to-day business operations. Know how many people will provide support after “go live” and whether they’re in-house or contract personnel. What kind of ongoing information will be provided about performance data? The appropriate service level needs to be negotiated and written into the contract with the integrator.

Key Differences in Integrators

A simple fact of life is that not all integrators are created equal, and some are less equal than others.

An effective way to choose an integrator is employing an outside consultant to help you create an RFP, weigh the various proposals and sit at the table asking hard questions as you interview finalists.

 

If you want some referrals to the better consultants and integrators, feel free to contact us. We’ll be pleased to point you in the right direction.