“It’s a small project. We don’t need an agreement for that.” Yeah, right.
If you forgo formal agreements for so-called “small projects”, then you are unnecessarily exposing your company to significant (and potentially company-ending) liability.
Let me tell you a few things about liability: It doesn’t care how much you’re making on a project. It doesn’t care how simple the job is. It doesn’t care how well you know your customer or how long you’ve been working with your customer. Liability operates independently of profit. Liability is both service and customer agnostic.
Small projects can create significant liability for your company. Let’s say, for example, you agree to perform a desktop installation for your customer. You’ve done it a hundred times before so it’s not a big deal, right? Maybe you’re charging a few hundred bucks or less—maybe you’re even doing it for free. Either way you think, “This is such a simple thing—I don’t want to bother with a statement of work or formal agreement. I’ll just get it done.”
As you’re hooking up the desktop, a crypto-virus hits the network. Now, you know that you had absolutely nothing to do with the issue, but I promise you that your client won’t know that and, in all likelihood, won’t agree with your denial of causation. The conversation will start off sounding something like this:
[You] “We only worked on a single desktop. We didn’t touch the firewall, we didn’t modify any of the end point security configurations, and we didn’t disable any of your anti-malware. This wasn’t our fault.”
[Client] “The system was running fine, you messed with it, and now we’re locked up! If you didn’t do this, who did? You’re telling me that this is a big coincidence? You mess with our network, then things go wrong, and you want us to believe that this is a big coincidence? My lawyer doesn’t think this was a coincidence.”
So what comes next? Your client might say, “Get this system running again. Get it done. And, of course, we assume you won’t be charging for this, right?” Ugh.
Think about what you’re going to be forced to do if you want to avoid the inevitable threat of litigation. At a minimum you’re going to have to (i) audit the entire environment, (ii) determine what was crypto-locked, (iii) determine how it got locked, and (iv) hope and pray that there was a backup from which you can recover the now-encrypted data. Assuming there was a backup, you’ll need to restore the entire system from the backup and then make sure that everything works correctly. If something doesn’t work after the restoration process, then you’re going to have to make it work—all on your dime. (Lord help you if there wasn’t a backup…let’s not even go there, right?)
Remember, all of this happened because you didn’t want to bother with a formal agreement. You could have offered something relatively simple that limited your liability and waived responsibility for events that were not directly tied to your activities. But you didn’t do that because, you know, you didn’t want to “delay” things. You didn’t want to bother your client with “formalities.”
Was it worth it?
Here’s the deal: Don’t touch a system until your customer agrees to your master service agreement (MSA). If your master agreement was written correctly, then it will limit your liability for all of your projects and services, regardless of the size of the job or the amount you charged.
Now I know some of you are thinking, “Brad, that won’t fly with a lot of our clients. Our clients will walk away and go somewhere else and our business will plummet.” Well, my response to your doomsday prediction is this: Get ready to write a check and, perhaps, several checks.
On average, it will cost you between $2500 and $7500k to hire a law firm to look into the matter described above. (Lawyers call this, “performance of due diligence.” You can call it, “a down payment on lawyers’ fees.”) Bear in mind, that’s just the initial fee to look into the matter, which might cover a short investigation, a few letters, and/or participating on one or two conference calls to talk about liability, etc. If litigation is actually required or commenced against your company, your additional retainer payment will be anywhere from $15k to $25k, and a lot of that will be held in escrow and applied toward your last bill. There are very few litigations that don’t hit six figures in attorneys’ fees, and you might not get any of those fees back, even if you win. (And remember, you might not win. Then what?) In short, you’ll be paying hourly rates and additional retainer deposits until your eyes bleed.
So I ask you again, was it worth it?
Look, if you don’t want to present a lengthy MSA to your customer, then consider incorporating your agreement by reference into your purchase order or statement of work. Incorporating an agreement by reference is generally permitted; however, you need to make sure that you clearly and conspicuously tell your client—in writing—that (i) your MSA exists, (ii) your MSA contains important terms that govern the business relationship and limit your liability, and (iii) your MSA is posted online at a specific location that you clearly list in your document. Remember, this must be clear and conspicuous—don’t hide it at the end of your document or use a typeface that’s virtually impossible to see.
Cover yourself at all times because liability can happen even in the absence of wrongdoing. Don’t be afraid of the momentary “pause” in your business relationship while your customer ponders your MSA or statement of work. In all likelihood, your customer has signed plenty of other agreements and will regard your agreement as a simple formality. On the other hand, if your client doesn’t want to sign your MSA or SOW, then you should seriously question whether the upside of the work is worth the potential downside of liability.
Brad Gross, Technology Legal Expert and IoTSSA Community Contributor
Great article, Brad. I’m constantly asked if we will take on an “easy project” for a non-comprehensive client. This is exactly why I’m hesitant. We actually ran into a situation where a client happened to get ransomware in the middle of an onboarding. The payload was already in place and when security tools started being added it rushed to deploy. Luckily we had a backup and were able to spend the night and recover, but a good example of a coincidence that would have looked as if we triggered it. We have a master agreement thanks to your team and I will be sure our sales team has one signed for any one-offs.
Great to hear that it worked out. Coincidences happen–and you are ready for them!