Business Continuity and Escrow Alternatives for SaaS Providers and Customers

March 7, 2013

I’ve always been skeptical of the value of source code escrow in the world of traditional installed software, and I’m clearly not the only one with that view. See this article from, Source Code Escrow: Are You Just Following the Herd?, in which the author states “Customers should be skeptical of expending valuable time and money on an arrangement that is largely ineffective at accomplishing the very purpose for which it was created.” Other writers with experience in this area have stated that they’ve never seen a customer successfully get source code out of escrow and be able to use it.

However, when traditional software is installed and running on servers under the control of the customer, even if the software provider is no longer around, the likelihood is that the customer will be able to continue running the software even if the customer isn’t able to access and use the source code.

The situation is completely different for applications hosted by the software provider. In the SaaS world, a problem with the application provider could leave a customer with no access to the application and, even worse, no way to access its data stored on the provider’s system. There’s a good discussion of these issues here, SaaS contingency plans need more than software escrow, and here, Business Continuity with SaaS.

With  more companies using applications in the cloud, the traditional escrow companies like Iron Mountain and EscrowTech have developed services designed for the SaaS world, including not only source code escrow, but also data escrow and business continuity options. E.g., from Iron Mountain, SaaSProtect Continuity Services, and from EscrowTech, SaaS Escrow. In theory it seems that these business continuity services are more likely to provide value to the customer than traditional source code escrow. Under the most robust (and expensive) business continuity options, the escrow company will be running a parallel system with up-to-date code and data that can be up and running almost immediately after a failure of the service provider or its systems.

This kind of business continuity service makes much more sense than an escrow of source code. If a SaaS customer has assurance that, no matter what happens to the SaaS provider, the customer will have almost immediate access to a running system with current data (with the possible exception of bankruptcy concerns), it should be in nearly the same situation it would be in if it were running the system on its own servers.

What I question is why should SaaS providers or their customers have to pay an escrow service for this kind of business continuity service? Most SaaS providers are not running their own data centers. They’re running their applications on the systems of a third-party hosting provider like Amazon Web Services or one of the many other hosting providers that are out there. These hosting providers are perfectly capable of providing backups of code and data, mirrored systems, or whatever other business continuity arrangements the escrow companies are providing. In fact, in most cases they are probably already doing many of these things as part of their normal hosting services. So why would anyone need to pay a third-party escrow service to do something the hosting company should be able to do better and at a lower cost?

I’ve spent quite a bit of time researching this subject and I find it surprising how little I was able to find. T. van de Zante and S. Jansen discuss it in their paper, Business Continuity with SaaS: “The next step towards a more complete business continuity agreement would be an agreement with the hosting provider, in such a way that they ensure they will continue hosting the application even when the SaaS provider gets into financial difficulties.” And the UK escrow company LE&AS talks about an “Access Assure Escrow Agreement” they’ve developed that involves the software vendor, the software user, and the third-party hosting provider. But other than those two references I haven’t been able to find much on this subject.

As counsel to a SaaS provider I understand that our customers have a legitimate concern about business continuity, and we want to be able to provide them with a reliable, practical, and cost-effective solution that would allow them to continue to access the service and their data even if we go out of business or stop supporting the service. It seems that there should be a way to craft a three-party agreement with our customer and our hosting provider that would provide our customer with an escrow-like solution that doesn’t require a separate escrow service, that gives the customer a very robust business continuity solution, and that is at least as bankruptcy-proof as a traditional source-code escrow. If anyone has done this or tried to do it I’d be very interested in your experience, advice, sample agreements, hosting providers that offer this service, etc.


Today’s GOAL Webinar: “Contract Intelligence: Drafting and Negotiating Contracts Smartly – Role of Legal Outsourcing”

February 6, 2013

Presented today in a webinar for GOAL, the Global Outsourcing Association of Lawyers, on “Contract Intelligence: Drafting and Negotiating Contracts Smartly – Role of Legal Outsourcing” with Tim Cummins of IACCM, Girija Raj of CAE Simulation Technologies, and Lucy Endel Bassli of Microsoft.

I think our discussion today went well. Many thanks to GOAL and the other panelists for their contributions. One thing we had talked about in case we had time was to offer some predictions on the future of LPO. We didn’t have time to cover it in the presentation, but here are my predictions:
1. Small general purpose LPOs will have a hard time competing and will essentially disappear, as they won’t be able to compete and attract clients based on cheap labor rates alone.
2. Larger, well-funded LPOs (e.g., Pangea3 with the resources of Thomson Reuters behind them) will continue to develop processes and technology that will allow them to standardize services and ease the barriers to entry and risks for mid-size companies wanting to use LPOs.
3. More work will move from offshore to onshore locations in the US and the UK as the labor cost gap shrinks and automation reduces the labor component of the services.
4. Automation (e.g., improved language processing and search and document automation technology) will reduce the need for people to do document drafting and contract abstraction, but there will still be a role for outsourcers to manage the technology (e.g., setting up and maintaining a workflow or document automation system is probably something an outsourcer can do better and more efficiently than an in-house staff). In other words, the skills LPOs need will shift from legal workers to “legal knowledge engineers.”—a-new-legal-career.html

Managing Confidential Information Disclosures

August 1, 2008

A question came up recently on an ACC (Association of Corporate Counsel) listserv about best practices in managing information received under a confidentiality obligation.

“We are trying to develop a ‘best practices’ process for NDAs i.e., how to keep track of info that is received and to who it is disclosed; how to preserve it/destroy it when the nda ends etc. Anything you have prepared in this regard would be appreciated. Thanks”

Several people on the listserv responded that they’d be interested in this information, but no one responded that they had developed such a process, so I thought people might benefit from this. Here’s my response, supplemented with additional information about the solution provided by my company, Pontus Global, Inc., that I didn’t feel I should provide on the listserv:

It’s interesting that no one responded to your posting with a solution, but that several people were interested in the information. In my experience this is something that few companies do well, and that many companies feel uneasy about. The responses seem to support my observations. Also, here’s what Eric Goldman had to say about it:

“Companies need to manage information they receive under an NDA. Specifically, employees must segregate restricted information from that which is unrestricted. Also, they need to know the applicable NDA restrictions, and manage their use and disclosure of information in accordance with those restrictions. Realistically, most people can’t do this.

Worse, few Internet companies have any information intake or management systems. Without such systems, it is very easy for a company to inadvertently breach its NDAs.”

Here are some thoughts on how companies should be doing it. (I need to disclose that the company I recently joined as GC provides platforms that helps companies manage these kinds of processes, so I’m trying to keep this information as generic as possible.)

1. The idea of establishing a “best practice” process is good, but it needs to be more than just a document, because policy documents tend to be ignored or forgotten. Rather, the process should be supported by systems that guide people through the process and help them to comply.

2. As soon as you allow employees to exchange confidential information by email you’ve lost control of the information (whether it’s information you disclose or information you receive). Unless all parties involved have and are diligent about using a very good document or content management system it’s too easy for emails to be misplaced or forwarded to the wrong people. As a result, you can never be sure that your company actually complied with a return or destroy requirement.

3. Instead, you should establish a secure central repository for information exchange where all employees involved in a project can upload information and make it available to the other party, and where the other side can upload information and your employees with a need for the information can access it. Access to the information should be controlled and auditable. The system would also inform all involved of their obligations with respect to the information, provide access to relevant sections of the NDA, and require people to agree to comply before they can access the information.

4. Once a project or relationship ends, the system should allow for the destruction or retention (with very limited access) of the information stored in the system. It should also make it easy to inform those who have downloaded information that they are required to return destroy it and require them to certify that they have done so.

5. Because everyone seems to like to use email so much, whatever alternative you provide (mandate) must be extremely easy to use. In fact, it should provide benefits that email can’t provide in order to make sure people actually use it and don’t revert to their old habit of using email.

I don’t know if there are other companies that provide something similar, but my company does provide a system to deal with this kind of information disclosure. We believe a system like this allows companies to easily adopt “best practices” for dealing with receipt of confidential information and is a huge leap beyond exchanging information through email, with all the associated risks and tracking problems that entails.

There are certainly other options. For example, your IT people could probably create this kind of a system using something like SharePoint. However, many companies that try to do this internally find it difficult to design and maintain the system, assuming you can even get your IT department to help. Also, it’s often easier to convince another party to use a system provided by a third party.

I didn’t think it would be appropriate to post specific information about my company’s solution on the listerv, but Pontus does provide a hosted contracts system that can manage not only contracts and contracts processes (including NDAs), but also the associated information disclosed under the NDA.

We provide a place where both companies (or more if more than two companies are involved) can upload the information they intend to disclose and limit access to selected users. We can control whether people can download the information or just view it. The system tracks who accesses the information and who downloaded information. Users can also easily link to the actual NDA to determine what their obligations are under the NDA. If information needs to be archived or destroyed we can remove it from the system or make it inaccessible, and we can provide a log of who has downloaded information so it can be tracked down and destroyed.

If anyone would like additional information or would be interested in seeing a demo of the Pontus system, please contact me or

Contracts Management Presentation for ACC’s Law Department Management Committee

May 14, 2008
Today Jason Mark Anderman, of Becton, Dickinson and Company, and I presented a “legal quickie” for ACC‘s Law Department Management Committee on the topic of “Contract Management Systems.” This is becoming a hot topic for law departments, as more forward-thinking general counsel are realizing that their departments can make a significant contribution to corporate performance (as well as Sarbanes-Oxley compliance) by implementing better systems and processes to manage their contracts, contract processes, and contract-related information. 
Jason described the steps that his company has taken to streamline their contracting processes, including flexible and comprehensive templates for procurement contracts and better processes and systems to manage the contract lifecyle and contractual information. 
But as impressive as Becton, Dickinson’s results have been, the kinds of processes Jason described can only take you so far. Any company with a significant volume of contracts or contract activity should be looking at a contract lifecycle management system (CLM — also known as an enterprise contract management system) to help manage and automate the entire contract lifecycle. A CLM system can be defined as:

An integrated system that applies business rules to manage contracts of the enterprise on a worldwide basis, from request, through contract creation, negotiation, approvals, distribution, and filing in a central, searchable repository, and that allows people and systems within the organization to access, analyze, and act on contract-related information to improve efficiency, consistency, reporting, and control.

Companies that have implemented CLM systems have reported significant improvements in these and other measures. Many companies have been able to decrease the involvement of their legal departments in routine contracts by using CLM systems to implement controlled self-service contract creation processes. There are many examples of revenue improvement through better management of contract renewals and escalation clauses that in some cases are enough to pay for the costs of the systems.
Finally, tangible benefits to corporate law departments include better control and visibility of contracts and contract-related risks, the ability to share contract-related knowledge across the enterprise, and the ability to allow highly paid legal resources to focus their efforts on higher-value activities rather than administrative tasks. Many of these systems also allow legal departments to measure and report on performance and performance improvements, something many general counsel struggle with.
We didn’t get a chance to discuss the latest trend in contract management, which is CLM systems that combine a technology platform with a team of offshore and/or onshore resources to help manage the often labor-intensive process of inputting information into the system (especially legacy contract information), configuring the system, and mangaging and maintaining it. More information on that topic is available here
For mor information on contract lifecycle management systems and a list of vendors, see
The International Association for Contract and Commercial Management (IACCM) is also a great source of information regarding contracting and contract management systems.
David Munn
Disclaimer: My company, Pontus Global, Inc., provides contract management systems and services using a combination of technology, processes, and people. This was an interesting call for me because I’m currently in Bangalore visiting the Pontus India team, which meant the call started at 10:30 pm Bangalore time. Although the cell phone system in India disconnected me from the call just as I was starting the presentation, I was able to reconnect fairly quickly and the rest of the call went off without a hitch.

IACCM Americas 2008

April 10, 2008

Another outstanding IACCM Americas conference concluded yesterday in Fort McDowell, Arizona. A record 400+ attendees heard more than 30 presenters on the theme of “Collaborate to Innovate.” This was my second IACCM Americas, and once again IACCM delivered a number of informative and thought-provoking programs.

If I were to summarize the themes of the conference in one sentence, it would be:

Companies are entering into sub-optimal relationships, stifling innovation, and leaving a lot of potential money on the table by spending too many of their contracting resources trying to shift risk to the other side, while focusing too few resources on how the parties could work together more effectively to create additional value from the relationship.

IACCM is unique in bringing together both buy-side (procurement) and sell-side contracting professionals, and IACCM Americas and IACCM EMEA may be one of the few times that happens outside of the contract negotiation context. In fact, judging from the comments of several people at the conference, it seems that even within many companies the buy-side and sell-side contracting people rarely talk with each other.

With contracting relationships seemingly becoming more confrontational all the time, it’s refreshing to see an organization addressing this issue and trying to make a difference.

Next Generation Contract Management Systems – more than software, more than LPO

March 13, 2008

Added May 14, 2008. Note: On April 16, 2008, I became general counsel of Pontus Global, Inc., one of the companies mentioned in this post.

David Munn

I’ve been following developments in legal technology for the past ten years or so.  During that time the slow pace of adoption of game-changing technology by the legal profession has been disappointing.

Yes, nearly everyone uses email now, and we all have at least a rudimentary understanding of Microsoft Word (massive overkill for most of what we do), but we’re still fundamentally doing things the same way lawyers have for years. Technology allows us to do certain things faster, but many of the fundamental processes we use haven’t changed much in the 25 years I’ve been practicing law. And instead of having secretaries we now get to do our typing ourselves. How much progress is that?

 So when something comes along that actually promises to fundamentally change the way we work I take notice. That’s the case with a new generation of contract management systems now coming on the scene.

Contract management systems (aka contract lifecycle management systems or enterprise contract management systems) have been getting more attention from legal departments recently. And rightly so. Most companies are terrible at managing their contracts. (See Contract Management Is More out of Control Than You Think.) Contract management is an area that’s crying out for process improvement and automation.

Contract management is something that’s almost entirely done in-house, so the skewed incentives of private practice don’t enter into the picture. In-house lawyers should have an incentive to adopt technology that will improve their processes and efficiency. Yet in spite of all the benefits promised by the providers of contract management systems, companies have been slow to adopt these kinds of systems. And according to anecdotal evidence, many companies’ contract management system implementations have fallen short of the promises or have been abandoned.

So what’s holding the legal profession (and particularly the in-house bar) back from adopting the kinds of technology that could make a real difference? According to Pontus Global, the problem is the fundamental model of expecting busy lawyers to adapt to technology that often causes the lawyers to feel that they have to do more work than they did without the technology.

A system that allows everything in the contract process to be tracked and reported on sounds great until you think about how the detailed information actually gets into the system. That’s where these systems often fall down. If you rely on busy lawyers to enter information into a system it’s almost bound to fail. In fact, that could be the primary reason there hasn’t yet been a true revolution in legal technology.

So the Pontus model goes beyond software. Pontus has a hosted contracts management platform, but they support it with a team of lawyers and technologists in India and processes designed specifically to take advantage of the technology and the offshore team.

The idea is that your in-house team doesn’t have to learn complex software and they don’t have to enter data. The Pontus team will do that for you. This model is very different from the pure software contract management systems that require your lawyers to do much of the data entry. And it’s different from the legal process outsourcers, (LPOs) that provide the labor, but not the integrated technology platform.

I’m familiar with Pontus because my company has been working with them over the past year or so to get our contracts under control. There’s at least one other company that I learned about recently (FirstDocs) that appears to have a similar approach. And I know that some of the big names in the legal industry are looking at this model as well.

Contract management is only one application where this model could work. Many companies are looking at outsourcing legal services or hiring their own offshore legal professionals, but neither of those approaches is ideal if you are still using outdated technology and inefficient processes. The convergence of technology, better processes, and offshore resources by new companies like Pontus and FirstDocs could finally be the key to getting the legal profession to truly take advantage of the promise of technology.

IACCM Americas Conference April 7-9

March 10, 2008

Last year I attended the IACCM Americas conference in New Orleans. I thought it was one of the best conferences I’d ever attended. Excellent speakers, thought-provoking discussions, and opportunities to network with people outside my normal sphere of corporate counsel made it an event I’d recommend to anyone involved in contracting.

This year I have the opportunity to participate as a discussion leader in the Academic Symposium that kicks off the conference. We’ll be exploring whether current approaches to academic training (both legal and procurement) result in more confrontational and less productive relationships.

Although the IACCM is not primarily an association for attorneys, Tim Cummins and the IACCM have recently been taking a leadership role in discussions about the legal profession. Tim recently wrote on his blog, Commitment Matters:

“I am observing a growing number of corporations – especially US-headquartered multi-nationals – where the Legal organization is gaining increased power. And they are exercizing that power with a renewed focus on standard terms and conditions that are blatantly unreasonable and confrontational. Some are doing this on the buy-side, others on the sell-side – and when these two perspectives meet in the market, the only people who are empowered to fix the problem are …. the lawyers.”

I’d like to think Tim is wrong about the role of lawyers in creating the problem, but I certainly agree with his observation about the increasing prevalence of unreasonable and confrontational contract terms. It will be interesting to hear the views of others involved in the contracting process.

Other programs will focus on issues of globalization, automation, negotiations, risk assessment, and the changing world of business and contracting.

If you can make it to Scottsdale in early April it promises to be another great conference.

IACCM Americas April 7-9

Sun GC’s updated “Reebok Rules”

March 9, 2008

Sixteen years ago I had just started a new job as Pella Corporation‘s first general counsel. Soon after that the ACCA Docket published an article by Reebok’s then-general counsel, Jack Douglas entitled Reebok Rules, in which he described twenty-three guidelines to help in-house lawyers “focus on the client’s objectives” and remember “the priorities which will keep us successful and challenged in our jobs.” That article was immensely helpful in understanding what I needed to do to be successful as a new general counsel. I keep a copy of that article handy and regularly recommend it to lawyers beginning their in-house careers.

Sun’s GC Mike Dillon recently posted his own updated list of ten rules to help guide in-house attorneys in Life is Different In-House. Not surprisingly, several of them mention using new technology that can help us to connect, collaborate, and be more efficient.

 I say not surprisingly because sixteen years ago email was still a new thing. One of our primary law firms actually loaned me a Mac that they used to send email to me since their system wasn’t compatible with Windows-based email. At that time I also had a Windows machine on my desk, so the Mac was set in a corner of the office. It was not an ideal situation, and I recall being ready to toss the Mac out the window on a number of occassions when it didn’t seem to be working properly (which could have been due to technology problems or operator error), which of course usually happened when important deadlines were looming.

 We’ve come a long way in sixteen years when it comes to technology. But most of Douglas’s and Dillon’s rules focus on relationships rather than technology. That’s something that doesn’t change.

One of the most striking differences between Douglas’s original Reebok Rules and Dillon’s updated rules is how lawyers’ attitudes toward the “n word” have changed. Of course I am referring to the word “no.” Douglas’s rules included “Eliminate the ‘No’ word from your vocabulary,” and I think many in-house lawyers took that to heart sixteen years ago. Unfortunately, following that rule also seems to have landed a number of GCs in jail. In light of the higher standards attorneys are now being held to, Dillon’s new rule is “Sometimes, you have to say ‘no’.”

Both the original Reebok Rules and Dillon’s updated rules should be required reading for in-house counsel.

David Munn

Will social networking work for in-house lawyers?

March 7, 2008

Ok. I’ll admit I’m a bit older than the typical Facebook user, and maybe that has something to do with my attitude, but I have to say I’m skeptical, at least in the short term, about all the social networking sites for lawyers that are springing up.

There are getting to be a fair number of sites that are directed at the legal profession.* Some of them look like they could be useful for corporate counsel (Legal OnRamp in particular). But the issue isn’t so much whether they offer something of value for us, it’s a question of how much time do we have for this stuff?  

There are a lot of things to like about the concept, and I think it has promise, but people only have so much time, and busy professionals in particular need to be careful about how they allocate that time.

I belong to a couple of professional organizations that I find especially valuable that have social networking components.

I would categorize the ACC, the Association of Corporate Counsel, as a social networking organization for corporate counsel. In addition to an extensive “virtual library” they have at least a couple of very active email listservs for members of their committees. I find that resource to be extremely valuable and worth spending time using and contributing to.  

IACCM, the International Association for Contract and Commercial Management, is a great resource for anyone involved in contracting. They also have an extensive library of resource materials and are adding more social networking-like features. I find myself spending more time there, as it directly relates to what I do on a day-to-day basis.  

But it’s impossible to keep up with the volume of valuable material that comes out of just these two organizations. I’m not sure how much more time there is to even explore and evaluate, let alone participate in, other social networking opportunities.  

So how are busy lawyers going to have enough time to do social networking? I think the answer is that we will eventually figure out how to get value out of social networking, but it’s going to take quite a while and will only happen after:

1.      It becomes clear which resources are truly valuable and worth our time and there is a shake-out that reduces the number of options to a manageable number.

2.      The social networking sites figure out how to target their audiences and target their offerings to make the best use of people’s valuable time.

3.      Lawyers become more comfortable with the concept and the technology becomes extremely easy to use. For corporate counsel that may happen more quickly as more companies start to use social networking as an internal knowledge management tool.

4.      Some law firms figure out how to give away information to corporate counsel while still making money.

5.      A younger generation of lawyers starts to take over.

I believe that social networking will eventually become an important part of how in-house lawyers work, but I think it’s going to be quite a while before it becomes a pervasive part of the legal profession. See also Social Networking Sites: Will they work for lawyers and other professionals? for some other challenges for social networking sites directed at lawyers.

David Munn

* A small amount of research yielded the following: 

Nearly everyone (lawyers and non-lawyers) seems to be on linkedin. 

General Social Networking Sites for Lawyers: An international law community designed for lawyers and law students. 

LawLink: The First Online Network Exclusively For Attorneys 

Legal OnRamp: “Legal OnRamp provides content, connectivity and execution services to help legal professionals deliver higher quality work in less time and lower cost.” 

Document sharing sites that have social networking characteristics:

DocStoc: “Find and share professional documents.”

JDSUPRA: “offers access to a constantly changing database of legal documents (filings, decisions, forms, documents) from the people whose work gives meaning to the law.”

Related Articles:

Inside Counsel: Net-Working – Web 2.0-enhanced sites get in-house counsel talking.

New location for blog!

March 1, 2008

After putting up with dozens of auto-generated spam messages every day on my previous blog I’m moving to WordPress (here).