Managing IT risk - IT Escrow Agreements
How do they work?
The concept behind escrow agreements is relatively straightforward: a neutral third party holds something in trust and releases it only when agreed conditions are met. A simple example will illustrate how escrow agreements operate and how they serve to manage risk.
ABC (Pty) Ltd obtains a licence for the use of new custom-made stock management software from XYZ (Pty) Ltd, a software supplier. Due to the nature of its business the directors of ABC are acutely aware that any failure of the software will be disastrous, leading to an almost immediate inability to fulfil customer orders with a resultant loss of income and profits. They have undertaken a due diligence investigation of XYZ as a result but remain unconvinced that the risk they have created is properly managed.
The directors are particularly concerned that, in purchasing the licence to use the software, they have imported a business and legal risk because they are now directly and crucially dependent on a third party supplier. The specialised nature of the software and the fact that it has been specifically designed for their business means that only certain employees within XYZ will be able to maintain it or restore it to full functionality.
In the event of XYZ going insolvent or for some reason refusing to fix bugs or update the software, the directors will not be able to resolve the matter because they do not have access to the source code of the software which XYZ has supplied to them. Access to the source code would allow ABC to contract with another supplier to remedy problems where XYZ refuses or is unable to do so.
In order to protect against such a disaster, ABC identifies an escrow agent (usually a legal firm or consultancy) and enters into an escrow agreement with XYZ and the escrow agent. The terms and conditions of the agreement cover, amongst other things:
- The circumstances under which XYZ as the software supplier will be obliged to lodge the source code in escrow with the independent escrow agent;
- The circumstances under which the source code will be released to ABC (referred to as "trigger events");
- The fact that all intellectual property rights in the software and its associated design documentation are retained by XYZ;
- Dispute resolution and the manner in which the escrow agent must act should a dispute arise;
- The maintenance and updating of the deposited source code by the supplier, so that what is held in escrow keeps pace with the version ABC actually runs; and
- Any unique concerns which the parties may have.
Once all the terms and conditions of the agreement have been negotiated, the source code to XYZ's software is securely stored with the escrow agent. ABC will not have access to this source code unless and until a trigger event occurs.
Hopefully, now, ABC's directors will be able to sleep a little bit better. Should a trigger event occur (for example XYZ becoming insolvent or failing to maintain the software), the directors of ABC can immediately notify the escrow agent who, under the escrow agreement, will then be obliged to notify XYZ. XYZ will then, in turn, have a set period within which to respond.
XYZ's response can take two forms. Either they will authorise the escrow agent to release the source code or they will notify the escrow agent that they intend disputing the notice given by ABC. In the latter case the dispute resolution provisions of the escrow agreement will kick in and the matter will be decided by arbitration, litigation or any other means that the parties have agreed upon.
Why should developers enter into escrow agreements?
South African law holds that, in the event of no real agreement existing between the supplier and licensee of software as to ownership of the software, the developer is regarded as the owner. The software supply industry is, however, characterised by a general failure to enter into properly drafted contracts and, as a result, there are often disputes as to the ownership of software and any rights which may exist in it.
Escrow agreements have value to developers in that they clearly set out the respective rights of the parties with regard to intellectual property. In the event of any dispute they will have clear evidence of their copyright in the source code and of the date and time at which each version was deposited under the agreement.
In addition, more and more clients are demanding that developers include an arrangement of this nature as part of their standard offering.
Can an escrow agreement be entered into between a number of users and a single developer?
Yes. Where a number of organisations obtain licences to use a particular software application, an arrangement can be entered into under which the developer lodges a single copy of the source code with one escrow agent. The licensees will all be parties to a single escrow agreement.
In general the cost of implementing an escrow agreement is a fraction of the potential cost of the risk it addresses: lost clients, damaged reputation and possible legal liabilities. Those considering such an agreement should also weigh it against the cost of developing or acquiring the system in the first place.
Is my business legally obliged to enter into escrow agreements?
"Business continuity" and "disaster recovery" are terms which have become extremely important when considering the risks posed to organisations by their use of and dependence on IT hardware and software. The terms encompass the plans put in place by management to deal with the inability to access or properly use IT resources and to ensure that the resultant disruption to the organisation is minimized.
While there is no direct legal obligation to have a business continuity or disaster recovery plan in place, we regard it as an essential piece of prudent risk management. It also seems likely that the law will develop to the point where the failure to have such a plan (and the ability to implement it) becomes an important consideration in establishing an organisation's liability to third parties, such as suppliers and customers, for damages caused by a failure of its IT systems.
It is already clear that having such a plan has become internationally recognised as good business practice. South African National Standard (SANS) 7799, adopted from ISO 17799, which was in turn adopted from British Standard 7799, identifies business continuity as one of the key aspects of information security risk management. The ISO standard has been adopted for use in a number of countries and an increasing number of organisations are seeking certification against it.
What to look for in an escrow agent
There are a number of entities offering IT escrow services in South Africa. Due to the pivotal role that escrow agreements can play in managing risk, care should be taken to select a service provider with demonstrable integrity and technical expertise.
The escrow agent should offer services such as
- Validation, verification and certification of the source code deposited (confirming that the deposit is complete, corresponds to the version the licensee actually runs, and can be built into the working software)
- Legal expertise in drafting the agreement and managing any issues which may arise under it
- A secure means of storing the subject of the escrow agreement.
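The verification service listed above is where an escrow agreement most often fails in practice: a deposit that is incomplete, or that does not match the release the licensee is running, is worthless at the moment it is released. The following script is an added example (not code from the article or from any escrow agent) of the kind of check an agent or licensee can run at deposit time and again at release time. It assumes a simple deposit format (a directory of source files) and a JSON manifest recording a SHA-256 per file plus a digest over the whole file table; the two-file deposit it builds in a temporary directory is constructed purely for demonstration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_manifest(root: Path, version: str) -> dict:
    """Walk the deposit directory and record a SHA-256 and size per file.

    Paths are stored relative to ``root`` with forward slashes and in sorted
    order, so the manifest is reproducible wherever the deposit is unpacked.
    """
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        files[rel] = {"sha256": digest.hexdigest(), "size": path.stat().st_size}

    # A single digest over the canonical file table can be quoted on the
    # deposit receipt, giving both parties a short value to compare later.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return {
        "version": version,
        "deposited_at": datetime.now(timezone.utc).isoformat(),
        "manifest_sha256": hashlib.sha256(canonical).hexdigest(),
        "files": files,
    }


def verify_deposit(root: Path, manifest: dict) -> dict:
    """Compare the deposit on disk against a previously recorded manifest.

    Returns three sorted lists: files the manifest expects but which are
    absent, files whose content hash differs, and files present on disk that
    the manifest never covered.
    """
    current = build_manifest(root, manifest["version"])["files"]
    expected = manifest["files"]
    return {
        "missing": sorted(set(expected) - set(current)),
        "modified": sorted(
            p for p in expected
            if p in current and current[p]["sha256"] != expected[p]["sha256"]
        ),
        "unexpected": sorted(set(current) - set(expected)),
    }


def demo() -> tuple:
    """Constructed sample: record a clean deposit, then tamper with it.

    Returns (clean_result, tampered_result) so the outcome can be inspected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        # Sample files stand in for the supplier's source tree (constructed).
        (root / "src" / "stock.py").write_text("def reorder(qty):\n    return qty < 10\n")
        (root / "README").write_text("Stock management system, release 2.3\n")

        manifest = build_manifest(root, "2.3")
        clean = verify_deposit(root, manifest)

        # Simulate a later, defective deposit: a file changed, one dropped,
        # and an unrelated file slipped in.
        (root / "src" / "stock.py").write_text("def reorder(qty):\n    return qty < 5\n")
        (root / "README").unlink()
        (root / "build.log").write_text("stray build output\n")
        tampered = verify_deposit(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print(json.dumps({"clean": clean, "tampered": tampered}, indent=2))
```

In use, the agent would generate the manifest when the supplier lodges each version, have both parties countersign the manifest digest, and re-run the verification before handing the deposit to the licensee on a trigger event. Hash comparison only proves the deposit is what was lodged; a separate build from the escrowed tree is still needed to prove that what was lodged is usable.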
If alarm bells are ringing (and if you are in ABC's position they should be) please do not hesitate to contact us and we will happily recommend an escrow agent with the necessary attributes to meet your needs.
30 May 2003
This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy.