Taft Partner Marcus Harris will moderate the panel “Safeguarding and Upholding Intellectual Property in Emerging Digital Landscapes” at ITechLaw’s 2025 World Technology Law Conference in San Diego. The panel is scheduled for May 15 at 1:10 p.m. PDT and will bring together legal professionals to discuss the evolving challenges of protecting intellectual property (IP) as digital technologies, including artificial intelligence, rapidly transform business and regulatory environments.

The ITechLaw World Technology Law Conference, taking place May 14–16, convenes leading practitioners, in-house counsel, and academics from around the world to explore global legal frameworks and trends in technology law. This year’s agenda highlights topics such as AI, cybersecurity, data protection, and IP law, providing insight into the legal issues shaping the digital economy.

Harris focuses his practice on technology and software law, including drafting and negotiating enterprise software licenses, SaaS agreements, and handling disputes related to failed software implementations. He regularly advises clients on IP strategy, data privacy, and the legal aspects of technology procurement. Before joining Taft, Marcus served as in-house counsel at major software companies, where he managed intellectual property portfolios and oversaw complex litigation. His experience includes representing clients in high-profile disputes with software vendors and advising on regulatory compliance and risk management in digital transformation initiatives.

Harris’s participation as moderator reflects Taft’s ongoing commitment to thought leadership in technology law and to supporting clients navigating the complexities of intellectual property protection in a rapidly changing digital landscape.

Make no mistake. If you are about to start a digital transformation, the cards are stacked against you.

  • As an ERP customer, you are at an incredible disadvantage when trying to successfully implement ERP software.

To some extent, that is by design.

  • ERP vendors and integrators act in their self-interest to maximize revenue.
  • They minimize the complexity of the implementation process, which can result in unreasonable expectations.

ERP software consultants and salespeople act in their own self-interest.

  • An entire ecosystem is built up around each of the major ERP providers.
  • Often, partner networks, self-dealing, and commissions drive recommendations more than objectivity.
  • Large consulting firms have entire practice areas devoted to implementing Oracle, SAP, or Infor.

This sets up unreasonable expectations and prevents you from devoting the appropriate resources to your ERP software project.

  • Unreasonable expectations cause ERP software project failure.

I discuss these issues in my latest video.

#erplawyer #erpcommunity #erpfailure #saps4hana #oraclecontracts #softwarelawyer #sapservices #saphanacloudplatform #saas #erpcloud #teamtaft #sapcontracts #oraclelawsuit #oraclefailure #oracletermination #saptermination

Software demonstrations are a key part of the sales cycle and your evaluation of competing software products.

  • Software vendors will wow you with features and functionality.
  • You need to step back and ensure you have an objective system to evaluate the software and functionality across competing product demonstrations.

Vendors will sometimes show specific demonstration software that has little resemblance to the software you will implement.

  • You need to question everything you see and ensure that what you are shown is real and represents the product you are going to buy.
  • How do you get the most out of software demonstrations, and how do you overcome the fundamental flaws of software demos?

I discuss these issues in my latest video.

Adopting technology for the sake of adopting technology rarely makes sense. This is true for Artificial Intelligence.

  • AI is the shiny new object right now.
  • ERP software vendors are rushing to incorporate AI functionality into their products.

To utilize AI, you must have a well-thought-out strategy for selecting, implementing, and using AI.

  • You need to ensure you have a business case for AI.
  • You must ensure you understand the risks and how to mitigate those risks.

If you don’t understand your business processes and how to utilize artificial intelligence functionality, you can’t have a strategy for using AI.

  • This makes it challenging to understand your risks and how to mitigate them.

I discuss these issues in this clip from my latest video.

Shelfware is software that you are no longer using or no longer need.

  • It can be too many users.
  • It can be modules you no longer need or functionality that no longer meets your needs.

The first step is avoiding getting into this situation.

  • You can’t just rely on what your salesperson recommends or what your competitors are doing.
  • You need to understand your present state, your business processes, and what your future state will look like.

From a legal perspective, the goal is to ensure that the contract includes as much flexibility as possible regarding usage metrics and restrictions.

  • Ideally, you want the ability to swap unused functionality, licenses, and users for other functionality.
  • You want to include future options in the contract so that you can ramp up over time.
  • You also want to include the ability to remove users/licenses, etc., from the contract without penalty.

We have developed novel approaches that software vendors are likely to agree to.

  • Focusing on change management and what your users need is one of the best ways to avoid shelfware.
  • Having the flexibility to swap users, modules, and functionality is great, but if your organization is reluctant (or refusing) to use the software, future options and swapping SKUs are not going to save you.

I discuss these issues in my latest video.

What are the advantages of using best-of-breed solution providers and deploying a multi-cloud implementation model?

  • Some of the advantages are choosing the best service/product for the job, optimizing different infrastructures, and maintaining flexibility.
  • But what are the risks?
  • Increased complexity and the need to manage multiple vendors increase the likelihood of an ERP implementation failure.

I discuss these issues in my latest video.

#saps4hana #saas #erplawyer

Your data is valuable and ERP vendors know this.

  • They are including language in their contracts giving them not only the right to use your data to train their AI models, but the right to extract fees if you want other software products to access the data you input into your ERP system.
  • What is worse is that they will find a way to charge you to access data that you have input into your ERP system.

How can you prevent this?

  • What strategies can you use to mitigate risk and lower costs?

I discuss these issues in this clip from my latest YouTube video.

With the change in administrations and the rapid evolution of technology, business leaders and their legal advisors now more than ever need information to help them navigate the constantly shifting technology landscape.

In this one-hour presentation, Taft Partners Jackie Benson, Scot Ganow, Zach Heck, and Bill Wagner discuss some key things to know in the first quarter of 2025.

  • Getting Your Arms Around Data Privacy and Protection in 2025. Just. Get. Started.
  • Strategies for Cyber Insurance: Getting (and Staying) Insured.
  • AI Regulation in 2025: National.
  • AI Regulation in 2025: Colorado.

1.00 hour of CLE credit pending for Arizona, Colorado, Indiana, Illinois, Kentucky, Minnesota, and Ohio.

In-Person Registration

Taft Denver: 675 Fifteenth Street Suite 2300, Denver, CO 80202. In-person attendees should kindly RSVP by March 6.

Webinar Registration 

The Google Threat Intelligence Group revealed a chilling reality: nation-states are weaponizing AI tools like Gemini for sophisticated cyberattacks. This new frontier of AI-powered fraud demands immediate attention from business leaders and general counsel, who stand at the confluence of technology, data security, and governance.

Recent Incidents and the Evolving Sophistication of These Attacks

Generative AI, like the tools used by these cybercriminals, can create highly convincing text, images, voice recordings, and even video interactions that are nearly impossible to distinguish from genuine content. In the report Adversarial Misuse of Generative AI, the Google Threat Intelligence Group explains how more than 20 countries have used Google’s generative AI tool named Gemini for nefarious purposes, including cyber espionage, destructive computer network attacks, and attempts to influence online audiences in a deceptive, coordinated manner.

The report explains how cybercriminals, especially in Iran, China, and Russia, are using Gemini to create impeccably real AI-generated content to facilitate advanced phishing techniques and fraudulent wire transfer requests. The report states that criminals are using Gemini for research; content generation, including developing personas and messaging; translation and localization; and to find ways to increase their reach.

The criminals are also using Gemini to teach them how to deliver a payload to access a company’s network system, to move laterally within the network, to evade detection, to escalate privileges, and to remove data.

AI-enabled social engineering has improved the ability of cybercriminals to create highly personalized and more sophisticated content than historical social engineering attempts. Cybercriminals are increasingly using AI to create realistic and interactive audio, video, and text that allows them to target specific individuals by email, telephone, text, videoconferencing, and online postings. Some recent examples are listed below.

Video

In February 2024, a Hong Kong finance worker was tricked into transferring $25 million to criminals after they set up a video call in which the other five people participating, including the company’s chief financial officer, were video deepfakes.

Voice Recordings

In August 2019, a senior executive at a UK-based energy firm was tricked into wiring approximately $243,000 based on an AI-generated voice deepfake that accurately mimicked the distinct German accent of the chief executive of the firm’s parent company, who requested an urgent wire transfer of funds.

Facial Recognition

In June 2024, criminals used deepfake technology to bypass facial recognition security measures, allowing them to steal $11 million from a company’s cryptocurrency account.

Fake Resumes

In May 2024, the U.S. Department of Justice said more than 300 U.S. companies unknowingly hired foreign nationals with ties to North Korea for remote IT work, sending $6.8 million of revenues overseas in a sprawling fraud scheme that helped the country fund its nuclear weapons program.

Immediate Action Steps for Companies

To protect companies from falling victim to AI-generated wire transfer or other payment scams, take the following action steps:

  1. Designated Payment Account: Specify that payments to a vendor will only be made to a single, designated bank account, and any changes to this account must be made in writing and verified through a secure, pre-established process. The vendor must designate the bank account in the vendor’s contract or through a binding vendor payment agreement. Remind vendors of the designated payment account and verification process by disclaimers and statements in purchase orders.
  2. Verification Process: Establish a multi-step verification process for any changes to a vendor’s payment information. The process should include:
    • Written notice from the vendor requesting the change on official letterhead;
    • Verbal confirmation from two designated vendor representatives, whereby the company calls each vendor representative separately using pre-established phone numbers to confirm their authorization of the change;
    • Management review, confirmation, and approval of the payment information change; and
    • A waiting period of at least 48 hours before any changes are implemented.
  3. Regular Account Verification: Establish a schedule for regular verification of vendor’s payment information, such as annual confirmations of the authorized representatives and their phone numbers. Document the verifications. For companies with hundreds or even thousands of vendors, prioritize which are contacted by using the deductible as a cutoff. For instance, for a $50,000 deductible, make it a priority to verify the information of vendors who regularly receive payments in amounts of more than $50,000.
  4. Training Staff: Train employees to presume that any request to change a vendor’s payment information is fraudulent. Conduct regular cybersecurity training to alert employees, management, and IT staff to the threats posed by AI-generated wire transfer or other payment scams. Document the training.
  5. Risk Assessments: Conduct regular AI-focused risk assessments to measure how well employees are following established data security protocols. Consider conducting simulated attacks on the employees and management who have the authority to update a vendor’s payment information. Do those employees notice and act on banner warnings for emails that originate outside of the company or from email addresses from which they normally do not receive emails? Are they performing and documenting the callback requirements?
  6. Update Policies and Procedures: Keep up to date on the new ways in which cybercriminals are attacking their victims. Take those new attack methods into consideration when reviewing and updating payment verification procedures, which should be done regularly and no less than annually.
  7. Confidentiality and Security: Require each vendor to represent and warrant that it will maintain strict confidentiality of vendor payment instructions and of the identities and contact information of the vendor’s authorized representatives, and that it will follow best practices to maintain security measures to protect its email and other communication systems.
  8. Establishing Binding Authority: Clearly state in contracts or vendor payment agreements that only specific, named individuals designated by the vendor have the authority to request changes to the vendor’s payment information and that their actions are binding on the vendor.
  1. Liability Clause: Include a clause that states the vendor releases the company of any liability and agrees to hold it harmless from any losses, damages, and legal actions resulting from fraudulent wire transfer requests originating from the vendor’s compromised systems. Specify that the vendor bears responsibility for any losses resulting from compromised email accounts or false instructions originating from their end. This is especially important because there is case law holding the company remains obligated to pay its vendor if the vendor was unaware of the fraud and the company was in the best position to avoid the loss.
  2. Indemnification Clause: Include a clause that states the vendor agrees to defend and indemnify the company from any losses, damages, and legal actions resulting from fraudulent payment requests originating from the vendor’s compromised systems and authorizations obtained following the verification process from the vendor’s designated authorized representatives who are contacted using the vendor’s designated phone numbers.
  3. Audit Rights: Include a clause allowing the company to audit the vendor’s security practices related to payment instructions, changes to payment instructions, and email communications. Include the right to review the vendor’s cyber insurance coverage to ensure that the insurance coverage is adequate and will actually protect the company in the event of a loss requiring indemnification. Again, prioritize which vendors to audit based on covering the deductible or the company’s tolerance for how much money it is willing to lose if the insurance coverage turns out to be inadequate.
  4. Dispute Resolution: Specify a clear process for resolving any disputes related to payment instructions, including governing law and jurisdiction.
  5. Termination Rights: Reserve the right to immediately terminate the agreement if there’s evidence of fraudulent activity or repeated suspicious requests from the vendor.

Incorporating these terms and conditions can significantly reduce the risk of falling victim to email scams and protect the company from potential losses due to fraudulent payment scams.

Conclusion

As AI technology rapidly evolves, so do the threats to companies’ financial security. Implementing robust safeguards against AI-generated fraud is no longer optional — it’s critical to businesses. In Taft’s upcoming articles, insurance coverage and legal remedies available to companies victimized by AI-generated fraud will be explored.

Software audits are never random. If you are being targeted, the ERP vendor believes there is a revenue opportunity with your use of the software.

  • ERP vendors take advantage of ambiguous terms in the contract governing the scope of use of the software.
  • They also have no incentive to be accurate in their audit of the software.

If you are facing an audit, you need to have a plan to push back.

  • The audit report they generate to justify the imposition of additional fees is almost always exaggerated, unreasonable, and one-sided.
  • You can never take it at face value.
  • If you suspect you are going to be audited (or are being audited), it makes sense to conduct a self-audit based on your own reasonable interpretation of the contract.

Having that baseline can be invaluable in pushing back on the software vendor’s allegations and demands for additional fees.

I discuss strategies for dealing with aggressive software audits in my latest YouTube video.
