Ever wonder how so many devices can operate together on a unified network like 4G or Wi-Fi? Ever stop to think about why you can send a selfie from your iPhone to someone else’s Galaxy halfway across the world without distorting your smile?

Smartphones can operate together with other smartphones because hundreds of the inventions powering those smartphones are covered by Standard-Essential Patents (SEPs).

And on Dec. 19, 2019, the United States Patent and Trademark Office (USPTO) joined the Department of Justice’s (DOJ) new policy permitting injunctive relief in SEP cases, giving SEP owners a lot more leverage when licensing their inventions to other companies.

To read the full law bulletin authored by Minneapolis associate Joey Balthazor, click here.

Over the years, we have written quite a bit about the many “train wrecks” that seem to plague a disturbing number of ERP software systems. We have also litigated many of these disputes on behalf of companies whose systems did not meet the promises made by software vendors or integrators during the software sales process.

But litigation is a costly, time-consuming, energy-draining and lengthy process. Receiving compensation for a failure years after it occurs does not replace anything that was lost in the meantime.

In our decades-long career of negotiating, drafting and litigating contracts for ERP software systems, we have come to understand how and why many of the train wrecks occurred. In fact, there are definite signs that an ERP software implementation or digital transformation is running into trouble. Knowing the signs and acting quickly to remedy them can keep a bad situation from spinning totally out of control.

Below are six common signs that indicate an organization’s ERP software system might be heading for trouble:

1 – Difficulty billing customers. Often, the invoicing process is the first to encounter difficulties. Either invoices can’t be generated in a timely fashion or they are inaccurate and customers start contacting suppliers because they are confused or angry.

2 – The supply chain is interrupted. An extreme example of this came when Revlon was unable to ship to retailers because it was getting late deliveries from suppliers. Shareholders filed three separate class action suits to recover the money they lost when Revlon’s stock price took a hit. If there are supply chain issues, they are very likely rooted in an ERP problem.

3 – Inventory control is uncontrollable. When there are supply chain issues, they usually spill over into inventory control. Managing inventory is tricky at best: too much inventory and inventory is tied up; too little and production is slowed, meaning shipments are delayed. If inventory controls are not functioning properly, it is often a sign the ERP software system is not performing as needed.

4 – Problems moving data between divisions. The great strength of ERP is that it assembles actionable data across many functions and facilitates management decisions. However, if silos begin to appear, or are not removed, it greatly inhibits comparing data streams. A business also loses the ability to spot correlations and patterns that can produce key insights. If this becomes a problem for the C-suite, they need to look for the root issue in their ERP.

5 – ERP isn’t integrating smoothly. For any ERP software system to generate value it must integrate seamlessly with an organization’s other systems, especially those involving payroll and finance. When this does not happen, it quickly snowballs into widespread inefficiency, to say nothing of employees’ irritation with incorrect paychecks.

6 – System agility is awkward. Because ERP technology is rapidly changing, the introduction of enhancements can happen before they are fully mature and bug-free. If an upgraded ERP software system does not integrate smoothly, it becomes more disruptive than beneficial. Difficulties loom when the system is not agile.

Benefits and Challenges

An ERP software system is a challenge to maintain due to its integrated nature. In a worst-case scenario, an undetected problem may cause it to shut down entirely, causing a massive disruption that ripples through an entire organization.

A system that does not integrate properly will create more disadvantages than advantages for an organization. Preventing a train wreck is possible, but senior people in a private or public sector business need to spot any early warning signals that trouble is brewing. Don’t rely on your vendor or integrator to do it for you.

Whether you are installing ERP for the first time, are upgrading a legacy system, or simply have concerns about what might be happening with your ERP software system, feel free to contact us. We’ve devoted our careers to working with clients on ERP-related matters and will be happy to share what we have learned.

When Elizabeth Kubler-Ross first described the five stages of grief, she was exploring how people deal with the death of a loved one. When she wrote her definitive work, ERP software systems were not even a gleam in anyone’s eye.

Yet as attorneys who have spent our careers working with ERP software systems and litigating many of the disputes that arise when the transformation goes haywire, we’ve seen clients go through many of Kubler-Ross’ stages of grief as they come to grips with their ERP loss.

Anyone who took an undergraduate sociology course at university probably remembers the stages: denial, anger, bargaining, depression and acceptance. We’ve seen many company executives go through each of these stages as a result of a digital transformation failure. But don’t despair. There is a way for the bereaved ERP user to cope with their loss and, more importantly, create a strategy that sidesteps having to deal with the five stages of grief, whether you are upgrading or just beginning the process of acquiring an ERP software system.

Denial and Anger in ERP Failures

By its very nature, every ERP transformation is a huge, complicated, time-consuming and expensive project that may involve reviewing proposals, selecting a vendor and integrator and preparing the organization for the massive changes that will be coming. Implementation can often take more than a year.

When the first hints of a problem appear, like a family member confronting the imminent death of someone close, often a company will first deny it is happening, and then believe the integrator who utters comforting words that things will get better. Yet the condition continues to deteriorate, as time, productivity and money are lost.

Disbelief turns to anger. Consultants are brought in and phone calls are made to attorneys. The user tries to bargain with their vendor and integrator. Yet the reality of the situation begins to sink in and anger turns to depression – which psychiatrists say often is the result of anger turned inward.

As we have written about frequently – most recently here and here – far too many ERP projects run into massive problems where acceptance is all that remains. Litigation is a last resort because users seldom get a second chance to get it right. The real answer is to have a strategy from the outset that will enable you to avoid coping with the five stages of grief.

A Strategy to Avoid Coping with ERP Grief

Whether you are undertaking your first ERP project or upgrading a legacy system, any public or private organization can undertake the following eight-step strategy. These are general guidelines and specific situations may require additional safeguards, but this list can help ward off Kubler-Ross’ grief and grieving stages.

1 – Senior management must own the project from the outset. An ERP software system is a management tool, not simply a tech solution. Do not sign the contract and then leave implementation to the IT department, even if you have a Chief Technology Officer. ERP is about how the business operates and runs, just as your accounting system is a management tool rather than a technology matter. The likelihood of integrators telling you about an incipient problem is small, so the CEO and COO need to stay on top of how the project is proceeding.

2 – Retain an independent consultant upfront. A qualified ERP consultant will help a user identify the key things the organization needs the ERP software system to do. They can also assist in writing an RFP and reviewing responses. A good consultant will also know when a vendor and integrator is being honest about his or her experience in your industry. Consultants are not inexpensive but can save millions of dollars down the road.

3 – Meet the entire team from the other side. For many large-scale ERP projects, it is entirely likely the vendor and integrator will be employing sub-contractors on different parts of the project. It is wise to interview sub-contractors to ensure what you were told they have done or can do is, in fact, within their expertise and background. If you decide they don’t fit with your needs or even your culture, ask the suppliers to find other candidates.

4 – Don’t sign the template contract. The contract given to you by the vendor and integrator you select is written entirely in their favor. Negotiate and redraft terms and conditions so the agreement works to the benefit of both parties. As lawyers who have spent several decades working on negotiating ERP contracts for clients from both the vendor and user side of the table, we know where there is flexibility on the part of the seller.

5 – Include sales material in the contract. Vendors and integrators are notorious for making assertions about their expertise and experience in a given industry because the goal of the sales team is to get the order. Along with the proposal response, the contracts need to include any written material given to a user in the course of their discussions with the vendor and integrator. In the event of an ERP train wreck, this will help document for a court what the user relied upon in making a buying decision.

6 – Specify roles and responsibilities. Template contracts are deliberately vague about what the vendor or integrator will be responsible for as the project unfolds. To protect all sides, the contract needs to be very specific about precisely what the user will be responsible for doing, as well as what your suppliers will be responsible for handling. This also helps short-circuit “scope creep” down the road because only designated individuals are authorized to modify what is detailed in the contract.

7 – Include an internal change management initiative. Adding or upgrading ERP makes a significant difference to how a company operates. It is nothing like uploading a new version of Windows to everyone’s computer. Many things inside the organization will have to be done differently for the system to add value. Jobs and roles are likely to change, or at least be different than they were prior to ERP. People need to understand what will happen and how it will affect what they do. We’ve seen transformations where the technical side went smoothly but the lack of a change management program failed the people side.

8 – Senior management must own the project. An ERP software system is a management tool, not simply a technology solution. Do not sign the contract and then leave oversight of the implementation to the vendor or integrator.

If your public or private sector organization is considering acquiring an ERP software system for the first time, or is on the threshold of upgrading a legacy system and doesn’t want to resort to grief counselling because of the death of the project, feel free to contact us. We’ve worked with ERP for a long time and can advise you on the contractual pitfalls to avoid. We can also refer you to independent consultants familiar with ERP who can work with you.

It seems a growing number of companies are coming to us to negotiate and draft contracts for an upgraded ERP software system. As part of understanding what we need to include in the contract, we ask the company’s CEO, COO, CTO or General Counsel why they are making the upgrade.

Frequently, the answer revolves around the following: “our vendor told us we are falling behind in technology and need to upgrade to stay current.”

While we appreciate companies’ confidence in asking us to handle the legal components of upgrades, a pattern seems to be emerging among ERP vendors and integrators: convince users to spend millions on an upgrade that may not be necessary. When this happens, it is being done not because the upgrade is in the best interests of the user but of the vendor and the integrator.

Yet many of the newer ERP software systems are not yet mature enough to work as well as a lot of legacy installations. Before succumbing to the siren call of the vendor, users in companies of every size need to conduct a thorough due diligence inside their organization to determine whether the enhanced system will actually benefit their organization.

ERP Upgrade Precautions

For companies opting to upgrade their ERP software system, there are some things the contract needs to include. Prime among these is a specific detailing of the stated or implied promises being made by the vendor and integrator as to the functionality and performance of the newer model.

If either the vendor or the integrator is reluctant or unwilling to include these warranties in the contract, it’s best to walk away from the deal. They’re signalling they know something you don’t. Yet if there is a problem down the line, these written assertions will become your best argument should the dispute end up in litigation.

Here is the crux of the issue.

Despite their largely successful track records with more mature systems, there is a legitimate question whether the newest generation of ERP software systems is up to the task. SAP’s S/4HANA, Oracle’s ERP cloud and Microsoft’s D365 lack the track record of their predecessor systems of supporting the complex needs of many businesses and other organizations in the private and public sectors.

Until they have demonstrated their ability to seamlessly take over from a more mature ERP software system, a user being urged to upgrade needs to proceed cautiously. If a careful, internal analysis makes a business case for upgrading, then do so. Just remember to include in the contract all of the specificity in the agreement for your legacy system.

Along with language that spells out the improvements an upgraded system will bring, some other points to cover include:

1 – Outlining all sales material as an appendix to the new contract.

2 – Detailing the specific responsibilities of the vendor, integrator and the user.

3 – Drafting provisions that prevent “scope creep” without a senior person’s authorization.

4 – Removing or limiting binding arbitration clauses that may reduce your ability to recover damages from the vendor or the integrator if there is a problem.

There is an unfortunate history of ERP “train wrecks.” Take steps upfront to reduce the likelihood of your organization being involved in another one.

Buy the Steak, Not the Sizzle

In nearly every aspect of running their organization, executives and senior managers are incredibly disciplined. Yet when it comes to their ERP software system – often, the engine that is driving the entire business – we’ve seen too many decisions made for the wrong reason. Most common seems to be viewing ERP software systems as a technology tool, not a management solution.

This is likely to result in the transformation heading straight for the rocks, similar to where the Sirens lured Circes and his entire crew to their demise.

If you are looking at upgrading your ERP software system and want to discuss the pros and cons of the legal aspects, feel free to contact us. We’re happy to share our experience and knowledge, as well as refer you to highly respected independent ERP consultants who can help senior management navigate what can often be treacherous waters.

While the spread of Artificial Intelligence (AI) in the construction sector is expected to be modest in the immediate future, a shift is coming. Stakeholders can no longer afford to see AI as pertinent only to other industries – engineering and construction will need to catch up with AI applications. This is the only way to contend with incoming market competitors and remain relevant.

To read the full law bulletin authored by Cincinnati partner Joseph Cleves, Jr., click here.

Technology companies are notorious for believing the solutions they propose to a potential user’s pain points are the best possible answer. When it comes to ERP software systems, however, too often many developers, vendors and integrators ignore or overlook the reality that the technology they sell is actually a business solution, not simply a technology tool.

In the process of reviewing pitches and proposals from sellers, C-suite executives – including chief technology officers – need to remember that SAP, Oracle, Microsoft and all the rest are in the technology business – this is what they focus on selling. For an ERP software system to have a measurable, positive impact on an organization, whether it is installed in the private or public sector, it is important to remember that no matter how sophisticated the software, it will still be used by people.

It is a company’s responsibility to ensure it has a plan to accommodate all of the change management aspects of an ERP software project so people are not only trained in how to use the new system, but also to understand how this system will change their jobs. This is important so that both the system and your people succeed.

However, this does not absolve the vendor and integrator from helping with the human aspect of their product.

ERP Means Change Management

As complex as an ERP software system may be, if the vendor and integrator understand the user’s business it is possible for everything to go smoothly (from a technical point of view) on the day the system goes live.

However, this is only half of the problem. The other half is understanding that the data being collected and distributed will be going to people. Since ERP means a major shift in an organization’s management, it also means a major shift in how employees work.

In many respects, the user experience with ERP is at least as important as, or perhaps more important than, all of the coding that sits behind a terminal in someone’s office. This does not just mean easy-to-understand screens; it also means easy-to-understand work processes.

ERP change management can’t simply be handed off to Human Resources. It requires an effort that involves the vendor and integrator, as much as it does HR.

As a result, it is necessary for the contract with both the vendor and integrator of the ERP software system to specify what each entity’s role in the change management process will be. The contract provisions need to be specific, including detailing the seller’s experience in handling change management in similar organizations and sectors. If direct experience is weak in this area, it may signal a warning of other problems with the solution they are proposing you buy.

Serious Implications

Regardless of whether an organization is updating a legacy system or implementing an ERP software system for the first time, it needs to recognize it is acquiring a management solution that happens to use technology.

User experience and understanding of the human factors associated with digital transformation are as important to achieving success as is integrating the system with the organization’s existing processes and infrastructure.

As attorneys whose legal careers have focused on negotiating and drafting contracts for ERP software systems, we have advised clients on ensuring that change management is part of the process and should be incorporated into the agreement with a vendor and integrator. Executives and senior managers cannot lull themselves into thinking that the purchase decision is the end-goal of the process. Nor can they allow employees to undermine the use and effectiveness of the ERP software system because they do not grasp the changes it brings to their job or the organization.

If you have questions about the role of change management in a successful ERP software integration, feel free to call us. We would be happy to share our experience and offer suggestions.

It seems as if nearly every week, a major business or technology publication carries an article about migrating processes to the cloud. In many circumstances, this makes sense for a range of good reasons. However, for users of ERP software systems, migrating a very complicated and sophisticated management tool with countless “moving parts” to the cloud can easily become a nightmare.

This is becoming a serious issue, as some of the large software vendors and integrators are making a push to get users to move their ERP from a company’s private servers to the cloud.

For instance, SAP will require all S/4HANA users to do so by 2025. SAP says the migration will take users only three years, but many independent ERP consultants insist it will take much longer for large users, with many far-flung operating divisions, to make the transition without causing massive disruptions to their businesses.

Why the Rush?

A growing number of ERP software systems users face pressure by vendors and the large integrators to migrate to the cloud, even if doing so is not in the user’s best interests.

Users should not be in a rush, especially if they have built an extensive infrastructure that is secure, serviceable and well-suited to run ERP software. It strikes us that the real motivation is not what is best for the user, but what is best for the software vendor and integrator. Migrating to the cloud can be a complex proposition, which means big fees for service suppliers.

To complicate the issue when making a sales pitch, companies such as SAP, Oracle, Microsoft, Accenture and other large vendors talk about “best practices,” “next generation” and “good for your company” in an effort to convince executives that if they do not sign up, they’re somehow being negligent.

Much of the time, this is nonsense uttered because customers want to hear it. What is good for a supplier is not necessarily what is best for a user.

Beyond the sales pitch, the reality is that many of the new generation of ERP software systems have their own functional issues and problems. Migrating an immature system to an immature cloud risks compounding the potential for difficulty.

Pitfalls in Migrating ERP to the Cloud

There are a number of traps waiting for the unwary or the rushed. In negotiating and drafting contracts where a user of an ERP software system wants to migrate to the cloud, or is facing pressure to do so, we are seeing a number of places where clients are at risk of falling victim to sales pitches. Before you go too far down the road, keep these five points in mind.

1 – There’s more sizzle than steak. Do not get caught up in the hype about cloud migration. It is not an appropriate solution for every ERP user and despite what a sales team or account manager will tell you, few of the current generation of ERP software systems are ready to go in the cloud. As we do with an ERP contract, we always try to include all of the cloud-related sales material in the contract in case promises are not fulfilled.

2 – Don’t underestimate the costs. There are both hard and soft costs in migrating an ERP software system to the cloud. The hard costs are obvious, although we are seeing clients underestimate the downstream expense. The soft costs are more difficult because they involve a change management strategy that could take a year or more to roll out, depending on the size of the organization and the complexity of its ERP system.

3 – Specify security responsibilities in the contract. Since the user will not be operating or controlling the cloud infrastructure, the contract must specify in great detail the obligations and responsibilities of each party to maintain the security of the data being stored. It is one thing if a user’s employee forgets a tablet with access to your ERP system on a bus; it is another thing entirely if there is a breach of cloud files due to lax protections or security by the software vendor. The provider must ensure the safety of the data, protect it from being corrupted, hacked or otherwise accessed without authorization, and have experts on hand to react immediately if something goes wrong.

4 – Ensure there is an out. If the architecture of the provider’s cloud is not a clean fit with the ERP software system being migrated, it is vital to be able to step away from the contract when the problem appears and cannot be resolved to your satisfaction. Another deal breaker should be contract language that protects against cost overruns and completion delays – all too common with ERP.

5 – Before signing, ensure the system being migrated is cloud-ready. Despite what a vendor may say, few of the new generation ERP systems are cloud-ready. Legacy systems may create issues for a user when they are migrated to the cloud. The cloud contract should include an assurance from the vendor that the ERP software system being migrated will, once completed, perform as it does now.

The bottom line? Be as careful with your cloud contract as you were with the contract for your ERP software system.

Implications of ERP Cloud Migration

The cloud offers many advantages, but it is not a magic potion – it is not right for every ERP user, despite what a vendor or integrator will say. Business decisions around cloud migration are as important to the future of your organization as was the impact of first acquiring ERP. The key to success is to remember that a cloud migration is a technology solution. Answer management questions first, before deciding to float in a cloud.

If you get calls from your vendor or integrator about migrating to the cloud and are unsure how to proceed, feel free to contact us. We will be happy to answer the questions you may have, as well as refer you to recognized independent consultants who can provide you with technical expertise when dealing with vendors.

The U.S. Supreme Court has granted certiorari for Romag Fasteners Inc. v. Fossil Inc., No. 18-1233, and trademark practitioners are hopeful that the ruling will finally adjudicate the long-standing issue of whether a plaintiff must prove willfulness in order to obtain an award of a trademark infringer’s profits for violating 15 U.S.C. § 1125(a) of the Lanham Act.

In Romag Fasteners Inc., Plaintiff Romag succeeded on its trademark infringement claim against Defendant Fossil for the infringing use of the ROMAG mark. Although Romag and Fossil had previously entered into an agreement to use Romag’s fasteners—which bore the ROMAG mark—on Fossil’s products, Romag discovered that Fossil had been using counterfeit fasteners bearing the mark on Fossil’s handbags. The jury verdict in the ensuing trial awarded Romag nearly $6.8 million based on Fossil’s profits. However, the district court struck the jury’s award, since Romag had not shown Fossil committed willful infringement and that “a finding of willfulness remains a requirement for an award of defendants’ profits in this Circuit.” Romag Fasteners, Inc. v. Fossil, Inc., 29 F. Supp. 3d 85, 109 (D. Conn. 2014).

The Federal Circuit affirmed the District Court’s holding on appeal, determining that willfulness was a prerequisite for an award of profits in the Second Circuit. Romag Fasteners, Inc. v. Fossil, Inc., 817 F.3d 782 (Fed. Cir. 2016). The Federal Circuit held that since Romag could not prove that Fossil had “willfully” infringed, an award of Fossil’s profits was unwarranted. However, the Court also acknowledged the split in Circuit authority, noting that “the willfulness requirement was not uniformly adopted” and that “the Fifth Circuit held that whether the defendant had the intent to confuse or deceive is simply a relevant factor to the court’s determination of whether an award of profits is appropriate.” Id. at 787 (internal citations omitted).

Along with the Second Circuit, the First[1], Eighth, Ninth, Tenth, and D.C. Circuits all require that “willful” infringement must occur before an award of the infringer’s profits is available for the plaintiff. By contrast, the Third, Fourth, Fifth, Sixth, Seventh and Eleventh Circuits do not require a showing of willfulness for the plaintiff to recover an award of the infringer’s profits.

Recovery under the Lanham Act seeks to combine and balance theories of compensation (i.e. assessing profits) and deterrence (i.e. assessing damage). See 15 U.S.C. § 1117. However, trademark monetary awards are challenging to establish due to the difficulty in assessing the actual damage to a brand. Through disgorgement of the infringer’s profits and by awarding the infringer’s profits that the infringer would not have earned but for the wrongful acts, trademark awards may be reasonably calculated.

The Supreme Court’s ruling, if it resolves the circuit split, will change the state of the law for several circuits by standardizing whether willfulness is a prerequisite for an award of damages based on the defendant’s profits. The ruling may also have far-reaching effects on other actions under the Lanham Act, since 15 U.S.C. § 1117 of the Lanham Act impacts recovery for other tangential areas of law such as claims for false advertising.

[1] The First Circuit only requires a showing of willfulness where the parties do not directly compete. See Fishman Transducers, Inc. v. Paul, 684 F.3d 187, 196 (1st Cir. 2012).

Massive and costly failures of corporate ERP software system installations and integrations are becoming legendary. Nearly every week comes news of another train wreck. But as the public sector adopts ERP to serve a variety of purposes ever-more frequently, digital transformations are carrying a growing number of risks for government entities.

In July 2019, we wrote about Maryland’s lawsuit against IBM. While the matter involved a website that the state needed built so state residents could enroll for benefits under the Affordable Care Act, we noted that it stemmed from an IBM subsidiary overpromising and under-delivering on its capabilities.

A government department or agency faces the same risks in selecting, implementing and integrating an ERP software system as does a business. While the procurement process differs, the underlying issues – and need for caution – are the same that every business must confront.

Not Just Another RFP

Public procurement relies heavily on responses to an RFP. Yet the sales teams from SAP, Oracle, Microsoft and other industry players approach the first level of approval as they would any other potential user. While they answer the detailed questions in the RFP (because if they don’t, the proposal is discarded), marketing material is inevitably included.

When a problem arises in the public sector, it becomes a matter for scrutiny by reporters and politicians.

As a result, government units need to modify their typical procurement process. An ERP software system is totally unlike anything the government buys, with the possible exception of military hardware and systems used by intelligence agencies. Senior career officials and possibly even political appointees need to be involved from the outset rather than coming in when a final decision is about to be made.

There are two reasons for this.

First, the buying decision involves two steps: Selecting the vendor and then an integrator, followed by negotiating a contract with each one.

Second, there are numerous related issues that must be addressed at the outset, such as customizing the software to the specific requirements of the agency, who will be on the project team for both the suppliers and the government, and the process by which quality will be assured and the contract specifications met.

As attorneys whose entire careers have been focused on negotiating and drafting contracts for ERP software systems, we have seen the downstream impact of what happens when a public entity doesn’t deal with these up-front. When we litigate a dispute over defects, delays or cost overruns, we often find the user did not address potential internal or supplier issues that were created long before the contract was signed.

Avoiding Public Sector ERP Problems

Beyond modifying the typical procurement process, there are some specific steps the public sector should borrow from private companies. They might need to be adapted somewhat to fit the specific situation bureaucrats face but, in general, we would provide the same advice to a government entity as we would to a private sector client.

The lessons for the public sector come from the all-too-often bad experiences private companies have endured:

1 – The sales material you’re given will overstate the promises and underestimate the risks – The vendors aren’t necessarily lying to you but they are financially motivated to put the best face on what they claim to be able to provide. The goal of every vendor is to make it to the final selection process so you’re likely to be told what the suppliers think the agency or department wants to hear about the capability of the software, their experience in your specific area, the expertise of the team that will work on your project and how they’ll be able to meet all of the requirements of the RFP.

2 – Use an experienced ERP consultant – It’s unusual for a public entity to use a third-party advisor at this stage of any proposal review. But it’s money well-spent because a neutral consultant will know, for example, if vague language in marketing material or the proposal is there to fudge their lack of direct, hands-on experience doing what you are trying to accomplish.

3 – Ask tough, probing questions – Just as important, an experienced ERP consultant will know what questions to ask and whether the answers make sense. Given it is unlikely that a potential user in the public sector has ever dealt with a situation this complex, it’s wise to have somebody who’s been there before working with you.

4 – Don’t Sign the Contracts You’ll be Handed – These contracts are written to benefit the service suppliers, not the user. If you are unfamiliar with an ERP software system contract or that of the integrators, seek outside help. The impact on your budget will be far less than the impact of a one-sided agreement in the event of a problem down the road.

5 – Make sure the contract details the responsibilities of the software vendor and integrator – The template contract is going to fudge who is responsible for what and when. As the user, it’s your job and duty to your stakeholders to ensure both sides of the agreement understand what they will do and specify remedies in the event there is a problem down the road with the software supplier – as well as the integrator who will make the system work.

6 – Watch for the responsibilities a vendor will try assigning to the user – Nearly every ERP contract we’ve seen places an obligation on the user to assign a sufficient number of its staff to the project. It’s a standard clause. But in the public sector, this can create an undue burden because of budget restraints and union work rules, among other things, that are very different than in private business. Ensure that the contract does not place unreasonable demands on the resources of an agency or department.

7 – Check the liability limitations – Generally, the standard contract limits the liability of a vendor for direct damages to fees paid. Effectively, this limits you to simply being reimbursed for any fees you paid for work or software products that were not as warranted. Yet in the public sector, an ERP failure can have far-reaching consequences with actual damages in the tens or hundreds of millions of dollars – just ask Maryland. Negotiating a limitation of liability provision that provides for meaningful recovery is critical.

If your state, county or municipal government department or agency sees a need for an ERP software system or any other digital transformation, feel free to reach out to us as you begin the selection process. We’ll be happy to share our experience and offer suggestions relevant to your situation. We can also refer you to highly-qualified, independent consultants who’ve worked with public and private ERP users.

Good chief executive officers pay close attention to every aspect of the business they are charged with running, from yesterday’s sales and production numbers, to the look and feel of next winter’s advertising campaign. As well they should: After all, the board, shareholders, employees and even the public hold the CEO accountable for the success or failure of the entire enterprise.

Yet the number of malicious and accidental data leaks and privacy abuse scandals seems to be expanding exponentially. Just in the past few days, organizations ranging from the neurology department of Massachusetts General Hospital in Boston to the Mastercard operation in Germany and Capital One in the U.S. experienced breaches.

The reasons behind the various incidents are being exposed through corporate announcements, government filings and investigative reporting. So, it is becoming apparent to us as data security and privacy attorneys that under all of the technical or operational reasons lies one essential fact: Too few CEOs and boards of directors are taking ownership of both their company’s policies and procedures and how the business responds when the unthinkable happens.

Some Things CEOs Cannot Delegate

“That’s why we have an IT department,” seems to be the attitude of many in the corner office. “It’s their job to deal with data security.”

In the days when protecting information mostly meant keeping viruses from infecting the servers, this sort of hands-off delegation was acceptable. It was the job of IT. But as Facebook and Equifax have discovered, not only are incidents front-page news but the company’s brand can suffer even more than the size of the fines and class action lawsuits.

As a result, it is increasingly important for both CEOs and members of the board to take ownership of how their company protects its data. It is distressing that a survey published earlier in 2019 in Corporate Board Member magazine found that less than half of public company directors thought their meetings spent enough time on security and privacy matters.

There are five broad questions each CEO and director needs to be asking in this area.

1 – What data do we hold? This is a basic who, what, where and why question. If the head of the company doesn’t know what information it has or who is responsible for protecting the data on a daily basis, then you won’t be able to respond quickly when there is an incident. Having a good grasp on the information environment inside a business is not only good in the event of a breach or incident, it also enables the CEO to direct a response to the legal and regulatory requirements that come into play.

2 – What threats exist to the data we hold? Identifying and addressing any vulnerable security spots provides the basis for knowing the likelihood of a breach or incident occurring as well as the potential damage that may result if one threatens a critical system. Obtain information on what steps are in place to assess and deal with these risks. The details on implementing the resulting policy can be given to IT but the person in charge needs to set the priorities.

3 – Who uses our data? In a broad sense, the chief executive must know which vendors and others outside the company have access to the data, why they need it and how they use it. We recommend to our clients that they have a written agreement with every outside party that details their responsibility if a breach or other incident occurs. The agreement should require the third party to indemnify the company if they were responsible for whatever caused a breach. The CEO also needs to be assured by IT that vendors are maintaining their own security controls.

4 – How do we control data access? The military and intelligence agencies have used a “need to know” approach to security for a century. Employees should be given access only to the data they need to do their jobs. It is the CEO’s job to ensure that threats are minimized. As a matter of policy, access needs to be limited even if it is up to IT and department heads to implement the policy.

5 – How are we protecting our information? The chief executive doesn’t need to know the details but he or she does need to ask what steps the company takes to secure its data, especially if the information is being sent to any outside third parties or even carried outside the company by employees on their devices. There is one basic question to ask: Is all of our data encrypted? If the answer is no, then make sure there is a valid reason. Just as important, often encryption is viewed as a safe harbor under the breach notification laws in some jurisdictions.

Controlling Expanding Risks

The number of ways in which data and privacy can be compromised seems endless. For instance, in August 2019, Palo Alto, California’s Unit 42 security function reported that it found very few businesses are doing very much to protect security in the cloud.

At the same time, all of the Big Tech firms say they are joining the Confidential Computing Consortium to help with security issues as businesses move into the cloud and edge computing.

Every CEO has countless issues, problems and opportunities filling their desk every day. But with business being conducted electronically, the risks are real and a chief executive owes it to their employees and shareholders to mitigate the risks as much as possible.

This means asking questions and getting solid answers.

If you are a CEO or general counsel and want to have a conversation about ways to control data security and privacy risks in your organization, please call. We’ve worked in this area for a long time and can help you develop an appropriate strategy and take the necessary steps such as setting internal policies and drafting agreements with third party entities that have access to your information.