Information Technology

As a customer, there are many advantages to commissioning bespoke or custom software for your business, including creating a tailored and efficient user experience and giving you a greater degree of control over the use of the software. From a legal perspective, however, IP rights in bespoke software that you commission may still remain owned by the software developer. It is far better that there is something in writing which clearly transfers the ownership of the IP rights in the bespoke software to the commissioning customer so as to remove any uncertainty.

Once ownership has transferred to you, you may issue licences and distribute the software in line with your business plans and objectives. You will, however, be responsible for updating and developing the software on an ongoing basis to ensure it retains its value and remains fit for purpose. For this reason, you may wish to continue engaging the developer under a separate maintenance contract to undertake this for you, if you do not have the capabilities in-house.

It’s important to have a clear set of terms and conditions relating to the use of your app or platform, so that users are required to accept these before being able to engage with the app or platform. The terms are usually known as End User Licence Agreements (EULAs) or Terms of Use. They will cover issues such as:

• Rules of behaviour to follow when using the app / platform
• Details of the software license under which the app / platform operates
• Disclaimers and limitations of liability for legal claims against you by users of the app / platform
• Content standards and restrictions on use of the app / platform and consequences for misuse

Not only will comprehensive terms and conditions protect the reputation of your business, once accepted by the end user they will provide you with a way to enforce the rules about how your app / platform is used. Bespoke terms will also ensure you are compliant with all relevant laws.

We provide specialist advice on the legal issues that arise around data protection law and practice, depending on the location of your business and of those who use your app / platforms. We draft and help you implement privacy policies, advise on cookie banners and policies, help word opt in clauses for marketing and help you comply generally with data collection and processing requirements.

If your business is required to comply with UK GDPR and related data protection legislation you should have appropriate procedures in place to deal with a data breach. We work with companies across all sectors to ensure GDPR compliance is embedded within the organisation, at all levels. First off, if a breach occurs you need to quickly make an urgent assessment of whether the nature of the breach means you are required to report it to the Information Commissioner’s Office (the ICO). This is important to meet the statutory timeframes for notifications to the ICO, under UK GDPR (or if you are acting as a data processor, any timeframes that you have agreed with the data controller and in any event to act without delay).  In your analysis you should consider the likelihood and severity of the risk to people’s rights and freedoms following the breach. If it’s likely there will be a risk, you should:

• Inform the ICO
• Follow your procedures for responding to a data breach (which are hopefully contained within a written policy or procedure)
• Preserve any evidence
• Take action to minimise the effects of the breach and any ongoing threats or vulnerabilities
• Investigate how the breach happened, including involvement of any relevant third parties as well as any appointed data processors or sub-processors, IT / hosting providers and the like
• Take any remedial action
• Document all the steps you have taken in relation to the above

Even if there is no severe risk to people’s rights and freedoms and you do not need to involve the ICO, you should still investigate how the breach happened and take any precautionary measures to prevent a reoccurrence.  You should also update your data breach policy to rectify any gaps in procedure or add in steps or processes that should be taken in the event of any future breaches.

IT disputes like this can severely impact all aspects of your business. Our dispute resolution team is widely experienced in handling all types of technology-related disputes. Often we can guide clients in dispute with a provider toward ADR and fast resolution of disputes so that you and the provider are able to maintain an ongoing relationship. A lot will depend on the terms of any agreement in place with the provider and whether there are restrictions on taking the proposed drastic action of cutting off access.

It depends on whether the breach is so severe as to amount to a material breach of the agreement you have with the provider and whether you may terminate the SLA (or overarching agreement) in such instance.

A well-drafted SLA should impose consequences on service providers if service falls below agreed levels, for example, a service credit system where the provider pays you a set amount or delivers extra services at no additional cost each time the service provider fails to meet the agreed service levels. This encourages the provider to meet the SLA requirements. Be wary of accepting service credits as your sole remedy for failure to attain required service levels.

If the service level is below what has been agreed in the SLA, then it may be possible to terminate the arrangement if there is a suitable termination clause in the SLA. This should also allow for you to claim for damages, subject to any contractual limitations, for any loss you have suffered as a business resulting from the poor service levels, provided service credits have not been specified as the sole remedy for breach of the service levels under an SLA.

The potential for issues like this to arise highlights the importance of having a well-drafted SLA that covers all eventualities. Where there is no service credit system or carefully worded termination clause you could end up being stuck with a poor performing service provider for longer than you wish.