Who's Got Your Back?

Your corporate counsel should leap to mind, especially given the legal risks CIOs must manage today. Cultivate this critical relationship now.

Your corporate counsel is your legal guardian. But only the right relationship will ensure you get the advice, and protection, you need. Here's how to make your lawyer a partner on contracts, compliance and more.

It's not easy to love your lawyer, especially when you're a CIO. After all, more than a few lawyers have been known to let business opportunities shrivel up and die while they spent weeks finagling the finer points of a contract.

Consider one of Larry Bonfante's worst memories: For an outsourcing contract at a previous employer, Bonfante, the IT director, says he and the vendor negotiated 95% of the deal in three months. Then he brought in the company's lawyer to make it official and "button up the contract," as Bonfante puts it. Instead, his lawyer engaged the other lawyer in a protracted battle.

"They were getting stuck in the weeds on things that didn't matter that much to the business, on minutiae, [service-level agreements] that didn't amount to a hill of beans," Bonfante says, such as, "What is the penalty for the kind of outage that might happen once in a millennium?"

Bonfante worried that his lawyer was ruining relations with his vendor. Determined to salvage the deal, he turned to his chief executive for help. The CEO forced the lawyer to finish up, and the deal finally closed -- six months after the lawyer got involved.

Most CIOs can tell some version of this tale from personal experience. Some are so afraid of their lawyers that they do whatever they can to avoid them, including signing their own contracts. In past years, that could work. No more. Today's IT organization is fraught with new risks. It exposes the company to lawsuits and crippling fines if it runs afoul of Sarbanes-Oxley or other regulations, if it can't produce subpoenaed documents, if it compromises customer data, or if it fails to monitor what employees do online and somebody needs to find out.

Vendor contracts can be more complicated, too. Consider hosted service applications. An IT organization that rents applications for on-demand usage needs to lock down service levels and penalties for problems that can arise from these types of contracts. CIOs shouldn't cut corners here, but some do. Instead of hiring a lawyer to write up a contract that covers hosted applications, CIOs who don't know any better dust off their traditional software licensing agreements and try to mark them up to fit.

All this means that CIOs need to protect their companies -- and their careers -- by getting to know their lawyers and engaging them early on, before a contract is down to the wire on a deadline or a subpoena has been sitting on a desk for a week. Yet it rarely happens. Most CIOs talk to lawyers "because they're already being sued or because the vendor has already breached contract," says Laurie Orlov, Forrester Research vice president and research director. "Generally speaking, CIOs have not been proactive."

We asked CIOs and lawyers how IT executives can build the right relationships with their counsel and get the legal expertise they need, especially for vendor contracts. Here's what they told us.

Overcoming Bad Blood

Helen Moure knows how hard it is to get the IT and legal departments to understand each other. As a lawyer who specializes in electronic discovery for Preston Gates & Ellis, an international law firm based in Seattle, she has spent more time studying technology than most lawyers. She serves as a consultant to a company that developed document mapping software. Currently, much of her job requires translating back and forth between IT and legal departments, especially during the discovery phase of a trial, when all parties try to gather as much evidence as they can from one another.

When opposing counsel subpoenas truckloads of documents, a company's lawyers go to the CIO and ask him to turn them over. The lawyers figure this is an easy task. "There is a general tendency among all nontechnology people to assume that all technology is simple to operate," Moure says. They think, "Just press a button. It's not that hard."

On the other hand, many CIOs don't fully appreciate the importance of retrieving the documents. Moure recalls that at one client "there was a lot of resistance from the IT staff in helping the lawyers out" during discovery. The IT staff "just didn't understand."

So Moure brought both sides together to reintroduce them and explain each side's motives to the other. She gave the IT department a primer on electronic discovery and the consequences of not producing subpoenaed documents. She cites last year's $1.45-billion judgment against Morgan Stanley, which stemmed from the brokerage's failure to produce documents sought by investor Ronald Perelman. She also explained to the lawyers what it takes to sift through terabytes of data housed in hundreds of servers around the world.

"The immediate feeling in the room was, 'Oh, I get it,'" Moure says. That feeling wasn't restricted to the meeting; it improved relations across the board, Moure later learned from her client.

The best time for a CIO to get to know his legal team, of course, is before he needs it. When Jon Payne joined as vice president of information technology two years ago at $1.1-billion Wild Oats Markets Inc., a Boulder, Colo.-based retail grocer that specializes in organic foods, he made a point of introducing himself to his new lawyers. With many contract negotiations ahead, "I knew I needed their help. I said, 'Hi, I'm the new guy. I'm here in IT,' and they're going, 'Oh, thank God. Someone who understands our world and isn't going to try to run off and do stuff'" without legal advice.

Wild Oats has a legal department of eight, so Payne asked the chief counsel if he should work mostly with certain lawyers on the team. He advises other CIOs to ask questions about how the old regime worked and how the new one should. "What's gone well, and what's been a train wreck? If you were me, what would I do to make your life easier? What's your orientation toward risk?" Payne says. "Just start a dialogue." And when questions arise, "even if you know the answer, go ask them anyway so they know you're engaged."

Payne notes that lawyers and CIOs are not so vastly different. "We share a common trait, which is that we both want to mitigate risk. They just approach the problem from a different discipline than we do."

Probably the easiest way for a CIO to get to know his counsel is to offer him technology solutions. In many companies, the legal department feels "ignored in the greater technological scheme of the company. They don't always get the attention they might like to get," says Dennis Kennedy, an IT lawyer in St. Louis. Kennedy says in-house lawyers work better with CIOs who take the trouble to chat them up on their needs for caseload management software and other technology. "A new laptop this year makes a big difference," he jokes.

Investigations Call for Legal Aid

One place where CIOs cross paths with lawyers is the internal investigation -- an uncommon but serious event. If an employee is suspected of stealing secrets or insider trading, his manager may ask the CIO to turn over the employee's emails and other electronic records.

Most CIOs would probably comply, especially if their companies have policies that say they have the right to review an employee's electronic communications at any time. But in these cases, Rob Baxter, vice president and CIO at Shamrock Foods Co., recommends proceeding hand in hand with a lawyer.

And he should know.

In September 2002, Baxter joined Phoenix-based manufacturing company EaglePicher Holdings Inc. for a six-week interim assignment as CIO. "Within eight days, things started to smell very fishy," he says. To wit, he discovered fraudulent bills for IT goods and services that the company had never received. One suspicious contract was from a one-man shop posing as a large company; it ran for five years with no possibility of cancellation. "Having run a $600-million service company, I had never even seen a contract like that," Baxter says.

Although the prospect of digging out more evidence on his own was alluring, Baxter knew better than to proceed solo. He didn't want to be accused of "going and reading everyone's email" or snooping through databases "because I thought it would be neat to find out how much the other guy was getting paid."

So he alerted his chief executive and told him that he needed another C-level approval before he would dig further. He wanted something in writing. He got it and then collaborated with the chief counsel and director of security on how to proceed. After a lengthy investigation by almost a dozen different law enforcement agencies, EaglePicher's former manager of information technology, John Franklin Brock, pled guilty to billing the company's pension plan for more than $400,000 worth of goods and services that really went to an aviation company that Brock owned.

CIOs should never access employee email or other data without a lawyer even if the company has a policy saying they can, says Kennedy, the lawyer. "This is one where you want to go to the corporate counsel and say, 'This one is in your domain. I'll wait until you tell me what to do.'"

Even if a company has a policy that gives it the right to spy, there are plenty of gray areas, Kennedy points out. "Does that mean that I can turn the data over to law enforcement? What if the story gets out in the public? What if I'm on the front page of the newspaper because we're revealing information about our employees?" he says.

If a CIO ends up on the witness stand, he does not want to be stammering, "I thought I understood what the law was," says Kennedy. Instead, he should be able to say, "On the advice of a lawyer, here's what I did."

--J.I.R.

A Collision Over Contracts

When it comes to vendor contracts, CIOs often make two key mistakes that irk their lawyers. First, they wait until the vendor sends over their first version of the contract. That means the CIO's lawyer is stuck working from a draft that favors the other side. Second, the CIO often throws the contract at the lawyer without reading it and sometimes without even knowing what he wants from the proposed deal. Then the lawyer, who might be neck-deep in an acquisition or a sexual harassment suit, might put it on the back burner, unaware of the importance of the hardware or software. Tensions boil over.

Rob Baxter, now vice president and CIO at Shamrock Foods Co., a food wholesaler based in Phoenix, learned a lot about contract negotiation when he ran a $600-million business for Honeywell Inc. in the late 1990s. His advice: It's helpful to work with your legal department ahead of time to develop templates for various types of contracts. That way, when a deal is in the offing, you can get your contract out first. "The first one to the chair gets to sit down. The other one has to negotiate," Baxter says.

Payne is also a big fan of templates. When it's time to start negotiating a contract, he can suggest to his lawyers, "I'm going to use template number six." If they agree, he ships the contract off and the negotiations go from there.

If the contract is too complex for a template, Kennedy suggests that a CIO invite the vendor to get together to write a letter that outlines the terms of the contract. Then say, "I'll volunteer my lawyer to draft that. That will save you a little money on legal fees," Kennedy says. "That way, you get control of the draft." (But make sure it's not too one-sided. That could breed distrust or even kill the deal, Kennedy notes.)

If the CIO is working from the vendor's contract, he should know it well enough to be able to say to the lawyer, "Here are all of the points I agree with," says Shamrock's Baxter.

CIOs should also be prepared to outline the business terms in a contract. For instance, they shouldn't expect their lawyer to figure out issues like how much uptime is required, what triggers will terminate a contract or what happens if the vendor can't deliver. Instead, they should look to counsel for help on legal issues, like which state's laws should govern the agreement and how to resolve disputes, Kennedy says.

The more involved the CIO is, the better the contract negotiation will go, Baxter says. "The CIO's job is to engage the lawyer to get help, not to give the contract to the lawyers and say, 'Can we sign this?'"

The Engagement Issue

Once the CIO does bring in legal help, he should explain the value of the proposed purchase to the company. "Give them context. Give them meaning as to what they're participating on for a business value. Lawyers enjoy it. Tell them what they're helping you on and why you're trying to work through this stuff," Baxter says. Payne's chief counsel, Freya Brier, loves the fact that Payne does his homework in advance of handing her team a contract. "They know where there will be trouble spots. And we work with them to identify on the legal side where there will be problems. It's not like they hand it off, and we negotiate in a vacuum," Brier says.

In retrospect, Bonfante says that although he thought he informed his lawyer of the importance of the contract languishing in his lawyer's office for six months, "obviously I was not as successful [at explaining] as I thought I was." Now CIO at the United States Tennis Association, which has annual revenues of about $225 million, Bonfante says he makes a big point of helping his legal team understand the business value of his deals, as well as his deadlines.

"The CIO needs to own the contract," Bonfante says. Sometimes that means daring to suggest that a complex IT contract is beyond the purview of the in-house counsel who focuses primarily on, say, real estate.

It's easiest to do that if you've already taken steps to educate your lawyer in the business needs for IT. Then, if a contract seems too complex, you can always ask, "Is this something that you're comfortable with? If you're not comfortable with it, is this the kind of thing where we bring in an IT lawyer who focuses on IT law?" Kennedy says.

Bonfante has had to ask his in-house lawyer to retain outside counsel. His in-house lawyer could have handled the matter but was too busy. "It's a delicate question," Bonfante says. He handled it by explaining his business needs. "That makes them reprioritize or recognize that you have a need to engage outside counsel," he says.

Brother in Arms

By the time a contract is in its final stages of negotiation, most CIOs are focused on one thing: getting a signature. They often forget that the reason they're working with a lawyer is that they want him to poke holes in the contract. CIOs should want lawyers to think of problems they may have overlooked: What happens if a vendor gets acquired or swaps out a representative who knows the CIO's business for one who doesn't? Sometimes, when lawyers point out unanticipated risks, "my eyes will get as big as dish plates" at the thought of what could go wrong, Payne says.

On the other hand, some attorneys simply like to fight. Payne knows this and has some advice: CIOs should never let their lawyers fight unattended. When there's a sticking point on a contract, he intervenes. Payne says he'll ask his lawyer, "'How big of a deal is this point we're arguing? Is this something that's life or death?' So we'll educate each other on what [the risk] is. When the odds are one in 10 million that we're going to lose $1.29 if this happens," for example, the lawyer agrees to drop the point.

Baxter controls bickering by leveraging an old technology: the telephone. "When you have issues, you want to have your lawyers and their lawyer get on the phone together. The last thing that you want is to have document diarrhea, where they start getting natty at each other," he says. And make sure the business people are on the call too, he adds.

"You have to manage the lawyers," he insists. If you don't, "they'll make a career out of these contracts. Engage them, make it part of them. Just don't give it to them. If you give it to them, who knows what's going to happen?"

For more on the CIO-attorney relationship, see this month's CIO Habitat.

Joan Indiana Rigdon was a contributing writer for CIO Decisions. To comment on this story, email editor@ciodecisions.com.

This was first published in August 2006
