Booklet: Development and Acquisition
Section: Acquisition
Subsection: Software Development Contracts and Licensing Agreements
OVERVIEW
Contracts between an organization and a software vendor should clearly
describe the rights and responsibilities of the parties to the contract.
The contracts should be in writing with sufficient detail to provide assurances
for performance, source code accessibility, software and data security,
and other important issues. Before management signs the contracts, it
should submit them for legal counsel review.
Organizations may encounter situations where software vendors cannot or will not agree
to the terms an organization requests. Under these circumstances, organizations
should determine if they are willing to accept or able to mitigate the
risks of acquiring the software without the requested terms. If not, consideration
of alternative vendors and software may be appropriate.
SOFTWARE LICENSES - GENERAL
Software is usually licensed, not purchased. Under licensing agreements,
organizations obtain no ownership rights, even if the organization paid
to have the software developed. Rather, the software developer licenses
an organization certain rights to use the software. Vendors typically
grant license rights for a specific time period and may require annual
fees to use the software. Vendors may also provide maintenance agreements
that assure they will provide new versions or releases of the software.
The most important licensing issue is the definition of the precise scope
of the license. Organizations should ensure that licenses clearly state
whether software usage is exclusive or not exclusive, who or how many
individuals at the organization can use the software, and whether there
are any location limitations on its use. Before negotiating a license,
organizations should accurately assess current and future software needs
and ensure the license will meet their needs.
The license should clearly define permitted users and sites. If an organization
desires a site license for an unlimited number of users at its facilities,
it should ensure the contract expressly provides for this. If the organization
requires other related entities to use the software, such as subsidiaries
or contractors, they should also be included in the license. Organizations
should also ensure they have an express license to retain and use backup
copies of any mission-critical software that they may need to carry out
disaster recovery or business continuity programs at remote sites.
Organizations should clearly understand the duration of the licenses to
prevent unexpected license expirations. If an organization desires a perpetual
license to use the software, it should ensure the contract explicitly
grants such a license. Organizations should not assume the failure to
specify a fixed term or termination date automatically provides them with
a perpetual license. At a minimum, organizations should specify in their
contract or license the time periods for a non-perpetual license and the
minimum amount of notice required for termination.
SOFTWARE LICENSES AND COPYRIGHT VIOLATIONS
Copyright laws protect proprietary as well as open-source software. The
use of unlicensed software or violations of a licensing agreement expose
organizations to possible litigation.
Management should take particular caution when purchasing software for use on a network.
Some programs are not licensed for shared use and management may be required
to purchase individual copies for each network user. Additionally, some
network licenses only allow a predetermined number of persons to use the
programs concurrently.
Measures that organizations may employ to protect against copyright violations
include obtaining a site license that authorizes software use at all organization
locations, informing employees of the rules governing site licenses, and
acquiring a software management program that scans for unauthorized software
use or copyright violations. While these measures may help prevent copyright
violations, the best control mechanism is a strict corporate policy that
management and auditors communicate and enforce. Management should have
an uncompromising attitude regarding copyright violations. The organization’s
security administrator should be responsible for monitoring and enforcing
the policy.
SOFTWARE DEVELOPMENT SPECIFICATIONS AND PERFORMANCE STANDARDS
Contracts for the development of custom software should describe and define
the expected performance attributes and functionality of the software.
The contract should also describe the equipment required to operate the
software to ensure appropriate compatibility. Vendors should be required
to meet or exceed an institution's internal development policies and standards.
Therefore, before opening negotiations or issuing a request-for-proposal
on custom software development, organizations should have a clear idea
of the essential business needs to be addressed by the software and an
adequate understanding of the organization’s present and planned
system architectures.
Contracts should identify and describe the functional specifications that
operational software will perform and may identify functional milestones
that vendors must meet during the development process. The development
contract should also contain provisions that permit the modification of
specifications and performance standards during the development process.
Software development contracts should contain objective pre-acceptance
performance standards to measure the software's functionality. The contracts
may identify particular tests needed to determine whether the software
complies with performance standards. The contracts may also address what
actions a vendor will take if the software fails one or more tests.
DOCUMENTATION, MODIFICATION, UPDATES, AND CONVERSION
A licensing or development agreement should require vendors to deliver
appropriate software documentation. This should include both application
and user documentation.
A license or separate maintenance agreement should address the availability
and cost of software updates and modifications. When drafting agreements,
organizations should determine if a vendor provides access to source or
object code. Regardless of whether vendors limit access to object code
or provide access to source code, the permission and willing participation
of the vendor may be necessary to make modifications to the software.
Modifications to source code may void maintenance agreements.
When negotiating a software license, organizations should anticipate they
might need to convert to a different software product in the future. The
license should enable and facilitate conversions. The license should not
restrict an organization's ability to convert data to a new format. If
possible, organizations should negotiate terms that would enable another
firm to access the software and assist them in the conversion without
violating license restrictions.
BANKRUPTCY
In addition to escrow agreements, organizations should consider the need
for other clauses in licensing agreements to protect against the risk
of a vendor bankruptcy. For mission-critical software, organizations should
consult with their legal counsel on how best to deal with Section 365(n)
of the Bankruptcy Code, which gives a bankrupt vendor discretion to determine
which of its executory contracts it will continue to perform and which
it will reject. Proper structuring of the agreement can help an organization
protect its interests if a vendor becomes insolvent.
REGULATORY REQUIREMENTS
Depending on the function of the specific software, organizations should
consider including a regulatory requirements clause in their licensing
agreements. The clause requires vendors to maintain application software
so that functions are performed in compliance with applicable federal
and state regulations.
PAYMENTS
Software development contracts normally call for partial payments at specified
milestones, with final payment due after completion of acceptance tests.
Organizations should structure payment schedules so developers have incentives
to complete the project quickly and properly. Properly defined milestones
can break development projects into deliverable segments so an organization
can monitor the developer's progress and identify potential problems.
Organizations should exercise caution when entering into software development
contracts that base compensation on the developer's time and materials.
A fixed price agreement with specific payment milestones is sometimes
preferable because it provides an organization more control over the development
process and total project costs.
Contracts should detail all features and functions the delivered software
will provide. If a vendor fails to meet any of its express requirements,
organizations should retain the right to reject the tendered product and
to withhold payment until the vendor meets all requirements.
REPRESENTATIONS AND WARRANTIES
Organizations should seek an express representation and warranty in the
software license that the licensed software does not infringe upon the
intellectual property rights of any third parties worldwide. Under some
state laws, non-infringement warranties are limited to the United States
unless otherwise specifically provided.
Vendors should also represent and warrant that software will not contain
undisclosed restrictive code or automatic restraints not specifically
authorized in the agreement. (See discussion under "Security".)
Licenses should also include appropriate warranties that software will
perform according to specifications and should state how a vendor will
respond in the event of problems. Warranties should distinguish between
mission-critical failures, which require an expedited response, and failures
that are not critical, which an organization can resolve in a routine
manner. Licenses should also specify the length of the warranty and how
the warranty relates to maintenance obligations and agreements.
DISPUTE RESOLUTION
Organizations should consider including dispute resolution provisions
in contracts and licensing agreements. Such provisions enhance an organization’s
ability to resolve problems expeditiously and may provide for continued
software development during a dispute resolution period.
AGREEMENT MODIFICATIONS
Organizations should ensure software licenses clearly state that vendors
cannot modify agreements without written signatures from both parties.
This clause helps ensure there are no inadvertent modifications through
less formal mechanisms some states may permit.
VENDOR LIABILITY LIMITATIONS
Some vendors may propose contracts that contain clauses limiting their
liability. They may attempt to add provisions that disclaim all express
or implied warranties or that limit monetary damages to the value of the
product itself, consideration paid, or specific liquidated damages. Generally,
courts uphold these contractual limitations on liability in commercial
settings unless they are unconscionable. Therefore, if organizations are
considering contracts that contain such clauses, they should consider
whether the proposed damage limitation bears an adequate relationship
to the amount of loss the financial organization might reasonably experience
as a result of the vendor’s failure to perform its obligations.
For mission-critical software, broad exculpatory clauses that limit a
vendor's liability are a dangerous practice that could adversely affect
the soundness of an organization because organizations could be substantially
injured and have no recourse.
SECURITY
Organizations should develop security control requirements for information
systems and incorporate performance standards relating to security features
in their software licensing and development contracts. The standards should
ensure software is consistent with an organization's overall security
program. In developing security standards, organizations may wish to reference
the methodology detailed in the IT Handbook’s "Information
Security Booklet." Organizations may also refer to other widely recognized
industry standards.
Contracts should also address a vendor's ongoing responsibilities to protect
the security and confidentiality of an organization's resources and data.
The agreement should prohibit vendors and their contractors and agents
from using or disclosing an organization's information except as necessary
to provide contracted services. Further, organizations should seek a guaranty
from vendors that software does not and will not contain any back doors
or disabling devices that would permit unauthorized access to the application
or any of the organization’s systems or data. For mission-critical
software, contracts and licenses should explicitly state that the vendor
will not use software features that enable them to remotely disable software
in the event of a dispute with the purchaser. Additionally, contracts
and licenses should state that the organization may only be deprived of
its software use through a court order.
Software development packages may include significant update, modification,
training, operational, and support services that require a vendor’s
access to an organization's customer data. These aspects of the relationship
trigger service provider requirements under the federal banking agencies'
"Interagency Guidelines Establishing Standards for Safeguarding Customer
Information" that implement Section 501(b) of the Gramm-Leach-Bliley
Act. The guidelines expressly state that organizations shall require service
providers by contract to implement appropriate measures designed to meet
the security objectives of the guidelines.
SUBCONTRACTING AND MULTIPLE VENDOR RELATIONSHIPS
Some software vendors may contract third parties to develop software for
their clients. To provide accountability, it may be beneficial for organizations
to designate a primary contracting vendor. Organizations should include
a provision specifying that the primary contracting vendor is responsible
for the software regardless of which entity designed or developed the
software. Organizations should also consider imposing notification and
approval requirements regarding changes in vendor’s significant
subcontractors. Refer to the IT Handbook’s "Outsourcing
Technology Services Booklet" for additional subcontracting information.
Organizations should consider contract provisions that prohibit the assignment
of contracts by vendors to a third party without the organization’s
consent. Conversely, organizations that expect to be acquired or restructured
should determine whether their licensing agreements continue after the
transition. Some software license agreements contain change-of-control
or transfer limitations that inhibit use of the software after a merger,
acquisition, or change of ownership.
RESTRICTIONS ON ADVERSE COMMENTS
Some software licenses include a provision prohibiting licensees from
disclosing adverse information about the performance of the software to
any third party. Such provisions could inhibit an organization's participation
in user groups, which provide useful shared experience regarding software
packages. Accordingly, organizations should resist these types of provisions.