Thank you for sharing!

Your article was successfully shared with the contacts you provided.
The notion of getting software and tech services from an Application Services Provider (ASP) has immediate appeal. Some hospitals pay $1 million or more every few years to buy specialized billing and administration software programs, and then have to hire and house the IT professionals who keep it up and running. Big real estate operations are in a similar position. So obtaining the use of expensive software at a fraction of the purchase cost, and being able to buy the services of an outside tech staff on an efficient as-needed basis, is inviting on several levels. But potential difficulties abound. To deal with these unseen eventualities, both the ASP and its users need to consider, and come to terms that cover, the potential pitfalls. Regardless of the application, an ASP processes a customer’s valuable data offsite, using its own or a third party’s software. The customer initiates the processing and controls output production. The legal contract agreements used to set up ASP’s were originally relatively uncomplicated, often modeled after a content subscription services agreement. They grew to include provisions for software licensing and Web site hosting. While not routinely characterized as outsourcing contracts, that is essentially what they amounted to. And now, as ASP agreements grow more sophisticated, they are becoming more complex. This is driven by a need to increase revenue and profitability in difficult market conditions, adding a wider range of services. It’s no secret that ASP’s have had a rocky beginning. After first being smitten with the concept, Wall Street has issued negative financial forecasts for ASPs and their hosting services providers. These were based in part on a lack of interest from venture capitalists and several high-profile bankruptcies. Now things have calmed down. There seems to be a consensus that the ASP outsourcing model is viable. Furthermore, a number of niche applications are steadily prospering, such as CRM (Customer Relations Management), MSP (Managed Services Providers), SSP (Storage Services Provider) (collectively known as xSPs) and, particularly, healthcare industry applications. NEW WINE, OLD BOTTLE An ASP relationship resembles outsourcing. Both business relationships can be ways to provide IT services, network management, help desk, and accounting and H.R. functions. Many such agreements cover multiyear terms. ASP’s and outsourcing deals have many of the same advantages: lower costs, availability of highly skilled personnel, reduction or elimination of in-house support services, and enhanced access to the latest technology. Unfortunately, the disadvantages are also similar: loss of control over the outsourced function; third party possession of sensitive business data; provider performance concerns; data backup and disaster recovery capability; relationship management problems; and bankruptcy of the outsourcing provider. Two elements are critical — data control and services reliability. Ownership and control of a customer’s data is a serious matter. In addition to confidentiality and security concerns, there are questions about the purchaser’s rights and/or ability to obtain its data if the outsourcing provider files for bankruptcy or the services are temporarily disrupted or terminated due to natural disasters, changed economic conditions or, indeed, terrorist attack. Most outsourcing pricing models include a remedy if service quality falters, commonly known as Service Level Agreements, or SLAs. These are a form of liquidated damages that address the probability that the outsourcing services provider cannot perform at a the promised level, such as 99.7 percent uptime for the outsourced services. ASP PITFALLS Neither the ASP nor its customers seem to pay enough attention to the importance of the third party hosting entity. This is can be a serious problem, because the quality of the services negotiated with the hosting entity by the ASP directly affects the level of the services it can offer to its customers. Expansion can present tricky issues. For example, if the ASP offers both data input and “light” software customization services during implementation of the services, additional language should be added to the contract, because the services present legal issues substantially different from those addressed in a basic ASP access agreement. An ASP also could provide custom programming services to enhance software, or other consulting services, which adds additional complexity. If the ASP requires that “client” software be distributed to the customer and/or its third party users, the ASP’s services might be extended to include installation of that client software and systems integration services. Each additional service raises legal and business issues not present in a simple ASP contract. It’s worthwhile to hammer out clear agreements to cover deliverables (rather than services) performance warranties, different fee arrangements, software support services, changed liability allocations and limitations, project performance schedules and expanded insurance obligations. A third party hosting entity may control or actually hold the ASP customer’s data (and its customers’ data). It’s vital to spell out who owns what data, and how the data will be returned under the various scenarios of termination. As with Web site hosting agreements, an ASP may have economic interests in the data received through its services, and that ownership allocation has to be clearly described. In the typical IT outsourcing agreement, access to the provider’s services and output will be limited to employees of the purchaser. Depending on the nature of the ASP’s services, however, it is likely that the customer, as well as that customer’s customers, will access the ASP services. This raises a number of contract structure and marketing issues regarding the need for a “click-wrap” agreement or other contractual arrangement with third parties who can access the ASP services, even when there is password protection. Because ASPs operate in the Internet “space,” the application of foreign laws and the impact of foreign cultures is relevant. Domestic and foreign requirements need to be considered, including access by children, distribution of personal data covered by a European Union Directive, and healthcare information subject to the Health Insurance Portability and Accountability Act of 1996, which creates a broad range of security issues for the ASP and its customers. Currently, an ASP bankruptcy is a real possibility, complicated by third party hosting of the ASP’s software (or, possibly, the customer’s software), due to the three-way relationship of customer/ASP/hosting entity. A two-legged stool may be worthless. It may be a practical impossibility for the customer to utilize the ASP’s software, even if it were able to obtain the object and source codes. In a software licensing relationship, under � 365 of the U.S. Bankruptcy Code, access to the software of a bankrupt licensor can be obtained via the escrow of the licensor’s software source code. However, this bankruptcy protection may not be available in the ASP scenario, because if the ASP declares bankruptcy, the customer might not be in a software licensing relationship with the ASP. It undoubtedly will not have a software license with the hosting entity if both are in bankruptcy. There are also serious bankruptcy concerns relating to the customer’s ability to gain possession of its data and, in certain situations, the ASP’s ability to retrieve data and equipment located at a hosting entity. THE FINEST PRINT It is important that providers and purchasers of ASP services apply legal, operational and financial concepts common to other outsourcing transactions to the drafting, negotiation and management of an ASP services contract. Ignoring this reality by utilizing less complex consulting and other services forms of contract, or relying on a traditional product-oriented subcontract, will leave the ASP services provider, purchaser and, possibly, the purchaser’s customers with a variety of unaddressed and potentially detrimental risks. Allan P. Weeks is a partner with Mintz Levin Cohn Ferris Glovsky and Popeo PC in Boston. He specializes in computer systems and other technology transactions, with particular emphasis on health care and bioinformatics.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.