Legally bound

For years, the Holy Grail of users and vendors has been the bringing together of business and IT; to that goal companies should now add the bringing together of business, IT and the law.

There is an old joke much beloved of CEOs everywhere. “What do you call a hundred lawyers mown down by a runaway bus?” The answer, of course, is, “A good start!” Lawyers are those curious beasts: The aspirational career of so many mothers for their errant children, but ranked alongside traffic wardens and tax officers in popularity.

For businesspeople, lawyers are a double-edged sword: Fine when they are your lawyers, less welcome when they are someone else’s.

This is true, particularly in the US where – despite the growth of the compensation culture in Europe – the climate of litigation is severe. No self-respecting CEO in the US is properly dressed without a lawyer by their side.

However, too many companies still limit their legal attention to conventional elements of business, such as contract negotiations or defending their employers from shareholder lawsuits.

In the technology-dependent business climate of the 21st century, such limitations are foolish. For years, the Holy Grail of users and vendors has been the bringing together of business and IT; to that goal companies should now add the bringing together of business, IT and the law.

Close relationship

“With the way IT is so ingrained in the way business operates, there needs to be a close relationship between the legal department in its regulatory role and the IT department in making sure the corporate systems are sufficiently up-to-date to cope with these requirements,” says Roger Bickerstaff, head of the IT law practice at London law firm Bird and Bird.

Some companies have re-engineered their structures to bring IT and the legal teams closer. “My role in Somerfield is to join legal, business and IT requirements together,” says Colin Clark, finance officer at UK supermarket chain, Somerfield. “Everyone has different roles to play. The lawyers manage our data protection compliance, human rights, corporate governance and compliance. They know all about our requirements in law, but have less idea about how those requirements are likely to impact on the business as a whole.”

For Denis Orme, chief executive of Bartercard in New Zealand, focusing on the legal implications of IT projects is imperative for networked enterprises. “It is part of risk management.”

For Bartercard, which hosts an online trading community where goods are offered between cardholders based on a credit system of trading dollars, there is no other way. IT is a vital part of the enterprise. “It is our core business, it is that simple.”

Orme’s experience in another organisation with a vendor on the preparations for Y2K shows why it is vital to work with a legal partner prior to a project.

One software vendor, among hundreds his then organisation dealt with, did not deliver the product as agreed, saying the software was not yet Y2K compliant and wanted an additional US$900,000 to make this possible. Orme was unmoved. “You knew about year 2000, so your software should be able to operate through year 2000,” he firmly told the vendor.

He also had a weapon to make the vendor comply – a contract with a service level agreement – that the product to be delivered had to address the impact of Y2K on the enterprise networks. “I held them to their contract.” The software vendor delivered without Orme’s company shelling out additional dollars – and the case did not reach the courts.

Indeed, Orme is only too keenly aware of how an oversight in a vital part of managing business projects with IT components could backfire. “I spent 20 years in America, [where] most people sign off and get into disputes afterwards,” he says. Orme moved back to New Zealand after working with various networked organisations for the then Price Waterhouse and his own consulting group.

Mutual reliance

“It’s the same with the IT department,” says Colin Clark, finance officer at Somerfield. “If you’re an IT guy, then you’re not likely to understand all the ins and outs of the law. But then, who in the legal department is going to be an IT expert? If they don’t all work together, then companies will be trying to comply with the law but not understanding all the aspects and implications of it.

“A perfect example is email management. We took a decision not to monitor emails within the company, but we do archive them. When they’re archived, we don’t look through them unless we require information contained in a specific email. Now, to agree a strategy like that and enforce it requires legal, human resources, finance and IT to work together.”

In common with most large organisations, Somerfield retains its own internal legal team, which then taps into external expertise for specific issues or specialist areas. “Our internal team manages the external relationships,” says Clark. “Any given task that needs to be looked over by legal will go to the legal department for review. If it’s a specialist area, then they might decide to contract some external firm. Which firm we use will be dictated by the nature of the task at hand.”

At Bartercard, a legal counsel is always present or consulted right from the start. Bartercard does not have an in-house legal team but one of the legal firms it works with has a partner, Wayne Hudson of Bell Gully, who is also president of the New Zealand Software Association.

The lawyer is always present or consulted right from the initial discussion of each project. During this period, says Orme, it is important to “start on the business relationship side at first”.

“If you are going on a joint venture with someone, be a business partner. So you agree on what is fair and reasonable before you start a relationship. Otherwise, there wouldn’t be a business relationship.”

For Orme, this thoroughness is important. “We are in a long-term partnership, so we’d rather come to a joint agreement, an SLA, on what are the expectations. What are you going to deliver as part of that joint venture opportunity? That’s very important; it is not a one-sided agreement. On the other side, if they don’t deliver, we have penalty clauses related to lost revenue.”

He adds: “Establish the credibility of the vendor before you start specifically talking about the product. We always go through that process.”

As part of the vetting process, Orme asks for a “full client list” from the vendor, not just a list of references. “You would want a full client list; you know it is easy to cherry pick the ones that are successful.

“Once you have established they are a credible business partner, that’s the time you go through an RFP and an SLA,” he says.

All new developments in society demand legislation of some form and the introduction of new technologies is no exception.

For example, if companies are more dependent on acquiring and manipulating customer data in order to win a competitive edge over their rivals, then they need to have technology that will enable this. So we see the widespread implementation of relational database technology and customer relationship management (CRM) applications to gather, store and manage such data for sales and marketing purposes.

But while knowledge is power, abuse of that knowledge can be dangerous. There is a need for having a legislative framework in place to protect the rights of the individual whose data is being used. Inevitably, such a framework is going to be complex and because of the need to cover as many bases as possible, probably lengthy and daunting in form. Someone is going to have to translate it for the business and tell business managers and IT people alike what checks and safeguards are going to have to be put in place to ensure compliance.

Bartercard, for instance, says its database of customers is not sold to external parties. “It’s absolutely sacrosanct,” says CEO Denis Orme of this policy.

Compliance is a fashionable word in the post-Enron climate and mention of Enron brings us to a problem. The law can be an ass and technology-related laws are no exception.

There is a danger sometimes that not all laws are given due consideration before being put on the statute books.

The perennial cry that ‘something must be done’ about dubious content on the internet has led to a number of highly contentious moves to enforce mostly unenforceable laws on ISPs and website owners alike.

Rushed legislation

The Enron situation and the subsequent fiscal skeletons that tumbled from corporate closets across the US provide classic examples. The collapse of companies such as Enron and the exposure of the fiscal corruption at their hearts was an enormous embarrassment to US capitalism in general and to the Republican administration in particular. The result was the hurried creation of Sarbanes-Oxley, a knee-jerk reaction to the ‘something must be done’ brigade and, as such, a highly-flawed piece of legislation.

While it is true something must be done, it can be argued something done badly is worse than nothing being done at all. The result is US corporates are struggling to understand the full implications of Sarbanes-Oxley and its impact on their business strategies, never mind the longer term impact that will be felt on their systems’ roadmaps.

The legislation is also so new it has yet to be tested in any robust way, so it remains a moving goal and amendments are inevitable as companies provide feedback on its effectiveness.

It is clear the links between IT and the law are set to become stronger in the future. The boom in outsourcing is the latest new growth area, but there are many new laws coming along that require IT support, ranging from human rights legislation, regulatory and investigatory powers, through to forthcoming freedom of information laws.

“There are laws that will affect how a company’s IT strategy grows,” says Martin Cotteril of UK law firm Latham and Watkins. “A lot of them won’t directly affect IT. Basel II is one of the few examples of one that explicitly does. But there is a hell of a lot of general legislation that has a pervasive impact on IT, such as regulatory powers legislation and human rights laws.”

The conclusion is self-evident. “You need to be on top of what changes are made to laws. It’s worth companies commissioning a law firm to give them a briefing every so often to keep up-to-date,” advises Cotterill. “Today, you really cannot separate IT from the law.”

This shift is affecting the roles – and additional functions – of IT executives.

Josephine Dunstan, IT manager at Bartercard, observes awareness of legal implications for IT projects is higher now. One indication is some legal firms have contacted her and informed her of their practice in the field of IT and the law. This was not common, she says, two or three years ago.

Dunstan has observed how a company could be affected when legal issues surrounding technology rollouts are not factored into the planning. She relates the experience of a national company that had entered into an agreement with a software vendor, but no IT or legal people were involved during the negotiation. Various modules were requested. One of the business unit’s software was to replace the existing software, as it needed the software to be Y2K compliant and the company chose at this time to move to a new platform with a new vendor.

By mid-2000, the software was still not delivered, and the company had to go back to the original vendor for the new system. In the meantime, the business unit had to revert to a paper-based system for six months, until the new system was ready. It was only at this point that the company brought in someone to deal with the legal implications. An IT manager became involved in the project and helped to “pick up a lot of the pieces”.

What exacerbated the situation was a lot of the people involved in the original planning had left the company and the project had little documentation. The case was almost brought to court, and Dunstan thinks with hindsight, things would have turned out differently if IT and legal counsel were involved from the start of the project.

A costly disconnect

Dunstan says this kind of disconnect between IT and the rest of the business units, which include the legal team, is not the case at Bartercard. “I don’t have to convince anybody that they need IT, that IT is really important to the business. So therefore, if IT is important, the legal side of it and making sure we don’t run into any problems is all tied up nicely at the beginning, and therefore ensures we don’t run into these types of problems.”

However, she adds this working environment is new to contemporary IT directors. “That is not what we specialise in, so we need to seek out the professionals in this field and use their expertise.” In her case, Dunstan keeps abreast of legal developments that could affect the IT department by reading relevant case studies in IT management magazines and the internet. She likewise confers with colleagues about their experiences during industry conferences and gatherings. “I think IT managers used to only need to be concerned about operations. However, this is no longer the case. You have got to be involved in strategic planning so much more now than ever before, and aligning IT with business,” she points out. “We have to think about many things outside of our main field, and have 10 strings to our bow.”

IT no longer demands just good technical expertise, but the ability to be a good all rounder and communicator who is business savvy is equally as important and highly valued. For her, this search for additional knowledge can only be beneficial. “I think it is great, it makes the job more enjoyable, more challenging and ultimately provides one more opportunities.”
