The Legal Aspects of Outsourcing IT

Hiring a vendor is hairy enough from a project perspective, but things get even dicier when you start the contract negotiation process. Outsource failures are the number-one cause of vendor termination. In fact, vendor/client divorce is so prevalent that most service level agreements (SLAs) contain termination clauses as a matter of course. Not exactly a stirring vote of confidence.

But beyond defining terms for termination, what can you do to protect your business and mitigate liability when hiring a vendor? The answer lies in expectation-setting. Clearly articulated contracts are not just protective documents, but also a way to express your project goals and vendor assumptions. And there are several provisions you can use to present your expectations with crystal-clear accuracy while protecting yourself from litigation.

To be clear, IT outsourcing contracts and SLAs are intensely complex documents, and it takes years to understand all the ins and outs (indeed, there are information technology lawyers who do just that). The post below is in no way an exhaustive list of the clauses and provisions included in contract negotiations. It’s merely an overview of some of the more impactful protective measures baked into modern SLAs. So, without further ado, here are six legal aspects you’ll want to explore during your SLA negotiations.


Jurisdiction

Outsourced IT often includes the work of international organizations, which introduces the problem of jurisdiction. Your contract with a foreign supplier should protect you in the event of a lawsuit, but it should also spell out the where and how of a trial should it be brought to court. That means you need to identify both the court location (in legalese, the “competent court”) and the governing law used in the trial (for instance, US federal law). Naturally, it’s in your best interest to get the home court advantage here and list both as your company’s country of origin — but both parties have to agree to it. If that doesn’t happen, most will name the law of a neutral third country as the governing law; many contracts list British law, for instance.

Change Process

Projects change. Technologies change. Industries change. Good contracts acknowledge the evolution of relationships and goals with built-in measures designed to address them. Collectively, this is known as “change process,” and your contract should have one. The exact details of this mechanism will have to be worked out in contract negotiations. Most likely, it will depend on your business objectives and where you see yourself once the contract expires or renews.

Record Holding

Obviously, every business owner wants to avoid a lawsuit. But lawsuits do happen, and when they do, your outsourced vendor is legally obligated to comply with the litigation — even when it’s not in your best interest. IT vendors, in particular, have access to secure information that may form the basis of a dispute. If litigation is a possibility in your line of work (and honestly, where is it not?), it’s really in your best interest to include a record holding clause in your SLA. You can’t stop your vendor from providing data; that’s obstruction of justice. But you can require them to notify you of pending litigation and to inform you of the data-gathering method used. At least that way, you’ll be prepared in advance!

Security Benchmarks

Transmitting data to any client — even an IT specialist — opens you up to security vulnerabilities. Within your own network, you can largely control the security protocol, such as firewalls and permissions controls. But that’s not the case with an outside network. You may be hiring an IT business to handle these issues on your behalf, but you still need to know what you’re signing up for. To accomplish this, most SLAs establish security metrics as a benchmark for data protection. Just what metrics should you use? That depends on the type of data you’re sending (for instance, metrics might be much stricter for a doctor’s office than for a house painting company). Identifying metrics and getting both parties’ blessing is a crucial step in SLA negotiations, but ideally they should be both easy to measure and reflective of business objectives.

Client Privacy

In some cases, engaging an IT vendor may interfere with previously negotiated client contracts, especially when it comes to protecting their privacy. To avoid potential legal trouble and lost accounts, it’s absolutely vital that you check SLAs against current client privacy and security protections. SLA provisions must be at least as strict as whatever you’ve outlined for your existing clients. Ideally, they will comply with the highest industry standards, as well. The International Standards Organization (ISO) has set forth security management guidelines in the ISO/IEC 27000 series, although you may need to review security regulations outlined by the FTC and the EU, especially within industry-governing legislation like HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Fair and Accurate Credit Transactions (FACT) Act and the like.

Insolvency Provisions

Most vendors plan to stick around for a long, long time. Unfortunately, that hope doesn’t really reflect reality. Tech is so unpredictable and moves so fast that it’s impossible for businesses to guarantee their longevity. And if an IT vendor suddenly folds, it can have devastating consequences for your company, particularly if you’ve entrusted them with critical business functions. Insolvency provisions are your knight in shining armor here. These can include requirements that vendors send you periodic financial statements or stipulations guaranteeing access to source code if a vendor goes out of business. It’ll still be painful, but at least you won’t lose years of work.

Obviously, there are many other areas you’ll need to address, since technically, any provision you place in a contract automatically becomes “legal” by definition. Your best bet is to choose a vendor with plenty of experience — that will certainly make negotiation simpler. You’ll also want to have all contracts reviewed by a legal professional. Lastly, you can inspire a more harmonious relationship by ditching the outsourcing model completely and instead choosing to hire an all-in-one IT department. Partnering with a vendor in this manner ensures that they’ll put themselves on the line for your company, since their business and reputation are at stake if they fail. And that’s one security even the tightest contract in the world won’t guarantee.