I spend most of my work week writing, reviewing, discussing and executing contracts between my company and clients, and have pretty much done so since 2005. In those 12 years, the contracts I typically receive from clients, as well as our contract template, have changed considerably, for a number of reasons: the parties better understand both that many choices can be made in drafting contracts and the consequences of those choices, and the number and shape of factors involved in such contracts has grown as e-discovery has. In this month's article, I will discuss those choices and factors as they pertain to contracts in which you may be entering, regularly or sporadically, or for the first time.

Whose Contract Is It Anyway?

Typically, contracts are offered by one (or more) of three sources: the vendor; the law firm; or, the law firm's client. Each one is typically structured to satisfy what the source believes are its needs. This does not mean that all sources fail to take into account the needs of the other party; many sources, having presented numerous contract drafts, only to see certain sections of them invariably rewritten by the other sources, eventually adopt the rewritten language (assuming they can live with it) so as not to waste time with each contract.

There are several issues which, typically, are addressed differently depending upon who is offering the template. We shall try to address the most important and common ones.

Signatory Parties

Perhaps the most basic issue in a contract is who the parties are. Generally, the parties (at least in the initial draft of the contract) are those who have talked about the matter. If the law firm approaches the vendor, they are the parties; if the firm's client approaches the vendor, well, you do the math. Quite often, the firm or its client has an ongoing relationship with the vendor, and so will reach out to the vendor.

Regardless of who talks first to whom, the issue of who shall sign often boils down to who shall pay the vendor. Many firms disregard the issue, which usually leads the vendor to press that the firm's client be the signatory or, at a minimum, a third signatory, and that language expressly stating that it is the firm's client's obligation to make payment be added to the contract. Many firms prefer the latter approach, wanting the agreement to be between firm and vendor, with the firm's client's role explicitly confined to making payment for services, so as to eliminate even a hint of the issue that communications arising from the relationship created by the contract do not fall under attorney-client privilege. Many firms will prohibit their clients from signing agreements and instead will prefer language that states that the firm's client has provided the firm with the authority to sign on the client's behalf to bind the client to the agreement's payment obligations.

It may be the best move to have all parties sign the agreement, but what typically prevents that is the practical reality with which firms are quite familiar: unless their client is comfortable with e-discovery, simply getting someone on the firm's client side to sign the agreement can be a long, drawn-out process. When the firm's client is not well-versed in e-discovery, internal discussions over who is the right person within the client's business to sign can drag on ad infinitum.

Agreements and RFI's

A client wants assurances from a vendor that the vendor can do the job. Unless such assurances are simply declarations from the vendor that it is capable, they would have to take the form of a response to a Request for Information (RFI) attached as an exhibit to the agreement. Placing those assurances in an agreement, however, has its issues. Such an exhibit can lengthen the agreement so that it dwarfs “Ulysses.” Moreover, specific assurances must rely upon confidential information (CI) from the vendor describing its methods, which puts the vendor in an untenable position, since the possibility that the agreement will have to be disclosed during the course of the litigation is a real one, and with that, the CI's confidentiality evaporates.

The best manner of handling this issue is to have the vendor respond to an RFI protected by a nondisclosure agreement. If the client is satisfied with the RFI's responses, it can enter into the agreement with no mention of the RFI or, if it desires, reference the RFI's responses as guarantees of performance incorporated into the agreement.

A compromise often seen in agreements is for a vendor to answer a survey which breaks down the services to be provided into their component steps and asks the vendor whether it can do each specific task but not how the vendor can do the task. It will also ask who will perform those tasks—by title, location of office, etc.—and what training and experience each analyst has. The vendor can then answer all of those questions without revealing “know-how” or any other CI.

Information Security and Security Laws

The concern regarding Information Security (InfoSec) has certainly increased over time. There has always been a concern that data falling under the attorney-client privilege be protected, but other factors have grown in prominence as well. Large data breaches often make headlines. Laws requiring that proper InfoSec be in place have increased, particularly when the data needing protection is Personally Identifiable Information (PII), information about a person's health (protected by the Health Insurance Portability and Accountability Act (HIPAA)) and bank and other financial information. As well, if the matter involves data stored outside of the United States, there are many other laws, such as the EU's General Data Protection Regulation (GDPR), set to take effect in 2018 but which will simply make more stringent laws already in effect in the EU, that protect data which we in the United States do not protect in close to the same manner. For example, an email from employee A to employee B within the email system of the employees' company, i.e., the firm's client, would be considered in the United States to be the firm's client's property regarding which neither employee could make a claim, while in the EU it would be considered information private to the employees.

Firms and their clients want vendor guarantees that all laws pertaining to InfoSec will be followed. This is more than understandable: it is crucial to both and, for firms, not getting such guarantees may rise to ineffectiveness. The issue is what language in an agreement is proper to address this need.

Many agreements will have language demanding that firms or their clients be allowed to audit the vendor's InfoSec controls. The problem with this demand is that it clashes with another, even more important demand, that the vendor's InfoSec be certified as proper by a well-recognized body. Typically, certification from the International Organization for Standardization, or ISO, is the sought-after certification, but there are others. One of ISO's (and every other certifying body's) standards is that the entity seeking certification not disclose to anyone how its InfoSec functions. Thus, providing a firm or its client with access to the vendor's InfoSec (so as to be able to audit it) or even providing a description of such InfoSec would disqualify the vendor from ISO certification and thus undercut the very goal of the demand in the agreement.

There are a few solutions to this conundrum. One is for the firm or its client to ask for a generalized “description” of the vendor's InfoSec solutions. A second is for the firm or its client to engage a certifying organization (it can be the same one that certified the vendor but, obviously, need not be) to perform an audit. The organization can then keep the information secret and simply report to the firm or its client that the vendor's InfoSec is, or is not, secure to the organization's standards.

One issue that arises in agreements concerns the mutuality of data protection obligations. For a law firm, for example, protection of data falling within attorney-client privilege may be an obvious starting point when drafting a contract template and lead to the law firm's template containing a detailed section addressing the protection of confidential information. The template's drafters, however, may not even have contemplated that the vendor as well will have CI—explanations of vendor “know-how,” for example, to answer law firm questions as to how services will be provided—that it wants protected. If such law firm templates have been rewritten by vendors in sufficient number, the firm may decide to incorporate the best of those changes into its template, but that is the firm's decision. Firm templates without such language will invariably receive pushback from vendors, dragging out the process.

Indemnification

It would by no means be surprising that, if the agreement templates of firms, firms' clients and vendors were compared, all three would have indemnification provisions, with vendors seeking indemnification from their client and firms and firms' clients seeking the same from the vendor. Some of these provisions are perfectly fair and present no problem. Firms and firms' clients, for example, typically demand that a vendor indemnify them if the vendor must go onsite somewhere as part of providing services and, while onsite, destroys property, injures someone, and so on.

What parties must be concerned with are provisions that require indemnification across the board, without regard to which party, in fact, would be the cause of the injury. Such clauses are not uncommon, and typically require pushback.

When analyzing the fairness of an indemnification clause, it is, of course, important to try to trace the injury at issue to its cause. As with any discussion of “proximate cause,” however, in many cases the issue becomes not what was “the” cause but whether the party seeking indemnification contributed to that cause. Indemnification for injuries putatively arising from the publication of data presents a good example of such an issue.

Often, vendors will present an indemnification clause in which the party with whom vendor is contracting (firm, firms' client or both) represents that it has the authority to instruct vendor to possess and access the data in question and to provide the services requested, which would include helping to publish the data by helping to provide it in discovery. Vendors, of course, who are simply contracted to do X to data Y, are in no position to verify that the contracting party offering the data has the authority to do so and ask that the services be performed. As well, they do not wish to take the time to make this verification and can never be sure that the verification is valid.

While vendors' desire for indemnification, then, may seem reasonable, it may be undercut not because it is wrong, but because everyone else involved wants the same thing, and no one wishes to provide it to another party when they themselves are not receiving it from whom they believe should provide it to them. Firms, of course, have a closer relationship to their clients than do the vendors, but they do not know firsthand that the data provided can be provided properly. Indeed, even the firm's client, the ostensible owner of the data, does not wish to be a target of the same litigation should the plaintiff be the entity who provided the data to the firm's client. Requests for indemnification, then, can create stalemates even when the request seems straightforward and merited.

Limitations of Liability and Guarantees of Insurance

It is not unusual for all parties to have clauses in their agreement templates that limit their liability under the agreement. The limitations can be a maximum amount of damages the party must pay, which is generally a given number or, if it is the template of the agreement offered by the vendor's client (whether firm or firm's client), the amount paid by the client or some multiple thereof. Vendor's client's templates also generally require that the insuring party—usually the vendor—have insurance at certain minimums for different types of coverage and aggregate limits. The templates usually also require that the insuring party present a Certificate of Insurance to the insured. Generally, vendors provide what is requested.

A trickier insurance limitation, popular in templates, is the removal of any responsibility for indirect damages, lost income and so on. It is by no means uncommon for a party that did not offer such a limitation nevertheless to agree to one when offered by the other contracting party. The reason for this is simple: before any services have been performed, it is a guessing game as to who might sue whom and for what, and so it is just as much to the benefit of all parties to agree to such a limitation. The party reviewing the template, however, should be very careful that the limitation is not written so as to be one-sided in favor of the other party; should that be the case, the reviewing party will want to offer the template to its provider with the limitation amended to make it mutual.

Jurisdiction and Arbitration

Agreements typically have language setting what state's laws control the agreement, where jurisdiction lies should litigation pertaining to the agreement ensue, and whether such “litigation” should be confined to arbitration (and by which arbitration association). Equally typically, whoever is offering the template will make these choices. What is agreed to is, generally, decided simply upon the basis of bargaining power. If, in the vendor's eyes, the client is one the vendor has always wanted, the vendor will do what the client wants; similarly, if to the client the vendor is the perfect one for the job and no one else can do it, the client may accede to the vendor's choices. As with all choices, if the party offering the agreement makes reasonable choices, it is less likely it will get pushback from the other party.

Master Agreements and Statements of Work

As should be clear from the discussions above, the terms of an agreement can involve the working out of so many factors that doing that work over and again is something all parties may wish to avoid. If the client is a repeat client, having it enter into a master agreement is a great way to avoid such repeated reviews of the same agreement. The master agreement would contain a service order template, which would specify the particulars of any engagement, from what is to be done, any timetable, pricing, jurisdiction and arbitration, and other factors which may change from matter to matter, whether the client at issue is a law firm or a business entity. As each matter arose, the service order would be completed, with the terms particular to that matter, and executed; any terms in the master agreement that do not work well in the particular matter can be modified for that matter in the service order, and if the same terms keep not working well over several matters, the master agreement can be amended. Using the master agreement/statement of work model allows for the client and vendor to come to terms as to several of the factors already discussed, while also affording the parties the flexibility to change or add terms, as desired.

There is only one drawback with the master agreement model: many clients simply have no one to sign one. Over time, many law firms and business entities have created e-discovery groups or divisions to oversee all aspects of the production and review of data. Those entities have personnel empowered to review and enter into master agreements on behalf of their concerns. Many entities, however, have no such divisions or anything comparable, and so the duty to contract falls upon the person in charge of the individual matter, and such person cannot sign an agreement binding others overseeing future matters. One would assume that the creation of e-discovery groups within entities will continue and this problem will disappear but, despite all of the factors that make it a good assumption, it is simply just that.

Conclusion

Understanding the provisions in an agreement to provide e-discovery services helps everyone involved. The more knowledgeable bargainer has an advantage over the other parties. Thus, if all parties are highly knowledgeable, that will, in the long run, benefit everyone involved, as it will move the focus from the contract to the services provided. The agreement itself has evolved because practitioners on all sides have already become more knowledgeable. That continued increase in knowledge should lead to even better contracts and more efficient solutions for e-discovery issues.

Leonard Deutchman is vice president, Legal for KrolLDiscovery, which he helped build into the largest e-discovery provider in the United States. Before joining KrolLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.
