Address risk of software and data ‘lock out’ in supplier contracts

Cloud & Services Home IT Contract Management Risk & Audit

by | May 16, 2018

 A ruling earlier this year by the High Court in London should spur software customers to take steps to stop providers preventing them from accessing software and data critical to their business.

The High Court ruling  left a motor dealership in England, Blade Motor Group (Blade) without access to software it used to record, store, and manage information relating to its customers.

Software supplier Reynolds & Reynolds (R&R) applied a remote lock on the software to prevent Blade from logging into the software. It did so following a dispute over money allegedly owed it by Blade. R&R has claimed the money is owed for its performance of a contract it signed with Blade in 2014 which it has alleged Blade breached when switching to a new software supplier. Blade has disputed the claims.

Blade argued before the High Court that the remote lock was causing irreparable harm to its business. According to the ruling, while Blade holds the data on its own server, it cannot access the information “in a readable form” without using R&R’s software. Blade’s application for an interim injunction was rejected by the court, however. The High Court concluded that Blade had “not proved that the risk of injustice if an injunction is refused sufficiently outweighs the risk of injustice if the injunction is granted”.

The case demonstrates how software suppliers can use technology in their systems to lock-out customers from their business critical systems or access their data, both current and historical. The use of backdoors to access software is something that many developers use legitimately to provide support to customers or for testing. However, it can be misused by software suppliers to hold customers to ransom where there is a dispute between the parties.

A similar end-result can arise where a supplier disables a licence key, password or log-in details to a software-as-a-service (SaaS) or cloud platform following a dispute between the parties or a failure to pay on time.

In this case the customer’s request for the injunction to require the supplier to remove the lock was unsuccessful. It highlights the difficult circumstances that customers can find themselves in should suppliers seek to use technological means to restrict access to their software.

To reduce the risk of this happening, customers should ensure that their contracts with software suppliers include the following provisions:

An express provision that the supplier may not exercise a remote lock or backdoor to prevent the customer from accessing its software and/or data;

– A requirement on the supplier to provide replacement licence keys, passwords or any other information required to use the software within a specific timeframe following a request from the customer, or more quickly if the lack of access may have an adverse impact on the customer’s business;

– Where licence keys or log-in details are provided by the supplier, that the supplier cannot withhold the provision of these and that the keys and/or log-in details are issued with a validity of no less than 30 days to give a customer time to extract its data if required;

– Ensure that payment terms are clear and that the customer has a right not to pay any undisputed sums until they are agreed or found by a court to be due; and

– During any dispute, an obligation on the supplier that it is bound to continue to provide the services in accordance with the service levels.


Subscribe To Our Newsletter

Subscribe To Our Newsletter

ITAM Channel brings the best news and views from the ITAM industry. Sign up for the newsletter and get them straight to your inbox

You have Successfully Subscribed!