IT Services Agreements: Liability of Outsourced IT Services

September 07, 2014

Over the years, technological advances have allowed many companies to outsource much of the creation, maintenance and support of their information technology (“IT”) systems.  Today, there are many IT service providers providing managed network services, hosted services, cloud based services and software-as-a-service.  Pricing models have shifted more and more to plans that have an affordable monthly fee.  With more outsourcing, customers demand that their systems work nearly perfectly and without downtime, and they may require that the IT service provider assume more of the risk in providing the service.  IT service providers must take precautions to address the risk assumed under their IT services agreements.

Today, companies have a choice between maintaining an in-house information technology team and outsourcing the entire operation, or they can choose a middle ground solution.  In the case of a managed network services scenario, the service provider is responsible for creating and maintaining the information technology systems for the customer.  The IT service provider may assume responsibility for computers and systems that already existed before it was engaged to provide the managed network services.  In the case of a cloud based service provider, an IT service is provided that may include receiving and maintaining personal data and business data on behalf of the customer.  If these IT systems do not operate as required, the customer’s business operations will be significantly, and in some cases, severely impacted.  For many businesses, a shutdown of email or a document server will nearly completely cease operations, and a breach of business or personal data can be detrimental.

IT service providers are typically aware of many of the technical risks associated with providing the IT services.  However, the IT service provider must understand the legal tools available to protect its company from these risks.   Beyond operating and contracting as a legal entity with limited liability, a well-crafted IT services agreement can provide the next level of protection. The limitation of liability provision is a key provision of the agreement.  The limitation of liability provision can many times be quite one-sided in favor of the IT service provider.  The provision may limit the maximum amounts of liability to the amounts paid by the customer under the agreement for a specified prior period of time before a claim, for example, six months.  When a customer simply agrees to the agreement, this provision can apply.

In many cases, especially under an affordable monthly fee plan, the amount paid during such period is not large enough to cover the total costs of issues with the IT systems. Accordingly, a customer may request that the limitation of liability provision be removed, placing nearly all liability on the IT service provider.  However, if the IT service provider had unlimited liability on all services, a single issue would likely bankrupt the entire company and services for multiple customers would likely cease. Instead, when a customer desires to negotiate the terms of the IT services agreement, then the IT service provider can offer to increase the maximum amount of liability to a multiple of the amounts paid during the specified period, for example, three times the amounts paid during the prior six month period.  At some point, the IT service provider may even consider increasing its pricing to cover the increase in liability, but the customers may find this change unacceptable, especially if the competition does not do the same.

Some customers may further desire that the maximum liability provision not apply to situations including negligence and misconduct.  Others may desire that the maximum liability provision not apply to situations of intellectual property infringement. The vast majority would want the IT service provider to take nearly all liability for data breaches.  Clearly, the IT service provider intends to provide the services without negligence or misconduct and without infringement or data breach.  But even with the best intentions and operational policies, these situations may occasionally arise, and the damages resulting from such situations will likely be in excess of the contractual amount of maximum liability from which these situations were excluded.

Recognizing these contractual gaps in liability protection, a solid insurance policy can provide protection beyond the contractual provisions. The IT service provider will typically have the commercial liability insurance carried by many businesses.  It should also have a technology errors and omissions policy for its technology work.  A data breach that is not a part of the service being provided and some forms of infringement may not be addressed by these policies and would have to be dealt with separately.  The errors and omissions policy will likely have an annual limit for coverage that applies in the aggregate to all of the IT service provider’s customers.  Understanding the policy’s exclusions and its coverage limits is critical to addressing the risks of providing the service. IT service providers should assess the magnitude of the damages that can result for each specific customer.  In some cases, the customer should be contractually required to purchase an insurance policy to address its unique issues.

In conclusion, a well-drafted IT services agreement should be the starting point for negotiations that divide the risk of liability between the IT service provider and the customer.  An insurance policy with adequate scope of coverage and coverage amounts should address contractually negotiated gaps.

¹ Vasilios Peros is founder and principal of Law Office of Vasilios Peros, P.C. His practice is focused primarily on business, technology and intellectual property law. He can be reached at (410) 274-2053 and VPeros@PerosLaw.com.

² This article is provided for informational purposes only and should not be construed as a legal opinion or legal advice. The reader should not rely on this article in making business, legal or other decisions on any matter without first consulting an attorney regarding any such decision or undertaking.