There have been a few recent inquiries about forms to use for INFOSEC service contracts. The reason such forms are not readily available on the web is because form companies and lawyers make their money selling them, so they are not in any big hurry to post them on the web for copying. That said, there are some general service contract issues for computer service providers, as well as some INFOSEC-specific issues, which should be addressed in your contracts. The following is NOT legal advice, but an overview of these issues. You should seek out an attorney experienced with computer service contracts.

1. Reduce your agreement to writing. The only time someone looks at your contract, generally, is when (1) your customer has not paid and you are looking to collect your account receivable, and (2) there is a problem with the services from the customer's perspective and the customer is looking to (a) avoid paying you, or (b) sue you because of a failure of the services (network penetration or performance issues). Most vendors have ongoing work from their best clients, and are so happy to have the work that they do not put an agreement in place as to general services work. Flying naked is a mistake because you never know when the guys you have a relationship with in MIS get pushed aside by the legal department when shit hits the fan. Your agreement should have a "merger" clause which says, in effect, that the written agreement replaces any oral discussions which precede the signed agreement. Many topics are discussed before the job. The written agreement is where the rubber meets the road (see also Point No. 4).

2. Select a state's law to apply. If a dispute arises, a court or arbitrator will attempt to interpret your agreement based on a choice of laws. Try to figure out which state's laws apply to a Chicago company which hires a Los Angeles security firm to secure its server farm hosted by a third-party web hosting service in Dallas, TX. By selecting a state's laws to apply (an example here could be Ill., CA or TX), you avoid any dispute on this issue.

3. Think about arbitrating your disputes. If you elect to arbitrate disputes arising under the agreement, you avoid the likelihood of proceeding before a jury which (a) will not understand the issues, (b) will not relate to the computer culture and its workings, and (c) may have an unrealistic expectation of the level of service you should have provided to your customers. By comparison, in an arbitration, the parties each select one arbitrator, and those two agree on a third. This process allows you to pick a seasoned admin to decide the dispute, not a senior citizen who has never touched a mouse. The one thing you want to watch out for is creating a carve-out so you can still go to court, if needed, to collect for your services. Which leads me to: think about mutually waiving the right to a trial by jury even if you do not arbitrate. A judge is, generally speaking, far less likely than a jury to assess punitive (punishment) or speculative damages.

4. Say what you do, and do what you say. The description of your services should be as specific as possible. If you are installing a specific product or service, make sure you specify the product or service. Especially with INFOSEC, you should have language which puts the customer on notice as to the scope of your services.

   a. For example, are you performing a top-to-bottom security audit? In most cases you are not, and your contract should say so. "Unless specifically provided in the description of Services, Company has not been retained to perform an evaluation of the security of the Customer's network, and Company is not responsible for preexisting network configuration or preexisting violations of the Customer's security policy."

   b. What is your obligation to update/manage the job after installation? If you will be providing ongoing support/patching, say so in the scope of work. Again, if you are not, you should exclude a duty to do so: "Unless specifically provided in the description of Services, Company's performance of the Services does not constitute an ongoing duty to update or further configure Customer's network after acceptance of the Services." A good way to bring this to the customer's attention is a pre-work worksheet filled out by the customer before you meet about the job. The worksheet should be set up to allow the customer to check whether they want a one-shot deal or ongoing service and support.

5. For most customers, the security of their network is not about life and death, it is about money. Exceptions, of course, are if you are doing security work for the FAA's navigation system, etc. Your contract should exclude damages for personal injury arising out of the Services you perform, as well as any consequential damages (lost business from down time, or data loss). Customers should represent to you that their network does not contain data the compromise of which would cause death or personal injury to any person.

6. Mistakes get made. Assuming that at some point a customer will initiate a claim against you, commercial parties can shorten the period of time in which a claim must be asserted. In most jurisdictions, the statute of limitations governs the time by which a claim must be brought after it accrues, e.g. 1 to 6 years for breach of contract. Worse yet, courts often apply a "discovery rule" under which the statute of limitations is "tolled" until the customer has actual notice of, or reason to believe in, a breach of the contract. Commercial entities, however, are presumed to be competent to agree to whatever they want, and can agree to lessen the time set forth in applicable statutes of limitation, and can agree to eliminate the discovery rule. You should consider including a sign-off by your customer creating an "acceptance" date for your services. You could then provide that any claim arising out of your contract and the services performed under it must be initiated within X years after the date of the customer's acceptance of the services, notwithstanding any applicable statute of limitations or discovery rule.

7. Be mindful of UCITA. UCITA, where enacted, includes performance standards which apply to your vendor agreement even if not intended by the parties. As between two commercial entities, you can exclude UCITA's duties, but you must do so expressly.

Good luck and be careful out there.

JP Turner

------------------------------------------------------------
--== Sent via Deja.com ==-- http://www.deja.com/
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
