Contract Basics at Indiana University
Office of the Vice President and General Counsel
Presentation adapted from materials from Lehigh University Office of General Counsel

What Is A Contract?
A contract is a legally enforceable promise.

A Contract May Be Written Or Oral
It can have many names:
• Agreement
• Purchase Order
• MOU
• MOA
• Ticket
• It may have no name at all
If it quacks like a duck . . .
A binding contract can be formed via:
• Letter
• Telephone call
• E-mail

Elements of a Contract: “What’s the Deal?”
• Offer
• Acceptance
• Consideration (legal value)
• Mutuality (“meeting of the minds”)

Who Can Sign Contracts?
Only the following individuals have the authority to sign contracts on behalf of Indiana University:
• The Treasurer, or specific unit officials who have received from the Treasurer a written delegation of authority to sign specific kinds of contracts
• Purchasing Agents
If you don’t have written signature authority, do not sign contracts! Unauthorized individuals who sign contracts on behalf of the University expose themselves to possible personal liability.

Contract Review
You should always read and understand all terms and provisions of a contract before you sign it (if you have signature authority) or before you send it on for signature (if you don’t have signature authority). If you do not understand a provision, strike it or seek an explanation.
- “Oh, that’s just boilerplate” is NOT an explanation.

Standard Provisions
• Data Security
• Insurance
• Assignment
• Merger
• Force Majeure
• No Waiver
• Severability
• Termination

Data Security
“Never try to teach a pig to sing. It only frustrates you and annoys the pig.”
We currently have a very extensive boilerplate Data Security Provision:

Standards for Secure and Appropriate Use, Handling and Disposal of Confidential Data
Each Party shall treat all data that it receives from the other Party, is otherwise exposed to within the other Party’s systems, or that is provided by an individual user of VENDOR’s service under this Agreement (“Confidential Data”) with the highest degree of confidentiality and in compliance with all applicable federal and state laws and regulations and IU policies. Each Party shall employ commercial best practices for ensuring the security of all Confidential Data, whether in electronic or paper form, which it accesses, uses, creates, maintains, disposes of, or otherwise handles (hereafter “data activities”) in the course of its performance under this Agreement. The responsibility for ensuring the security of Confidential Data extends to any subcontractors or other contractors, including but not limited to web hosts or other service providers, who may, in the course of such data activities, view, process, or otherwise have access to Confidential Data. Without limiting the foregoing, each Party represents and warrants that all machines, systems, and networking equipment that receive, process, interact with, transmit, or store Confidential Data shall meet or exceed the physical, network, and system security requirements specified in Indiana University’s University-wide IT Policies: IT-12, Security of IT Resources; IT-12.1, Mobile Device Security Standard; and DM-01, the Data Management Policy for Management of Institutional Data (http://protect.iu.edu/cybersecurity/policies); or otherwise conform to the standards identified by the National Institute of Standards and Technology (NIST) applicable to the type of data and activities covered by the Agreement (available at http://csrc.nist.gov/publications/PubsByLR.html). In the event of conflict between the requirements of IU’s policies and NIST’s standards, Indiana University’s requirements will apply.

Data Security, continued
Significant deviation from these standards or requirements must be approved by IU’s University Information Security Office. VENDOR will notify IU promptly of any nonconformity of its machines, systems, or networking equipment to applicable standards and requirements, whether such nonconformity exists at the time of execution of this Agreement or arises thereafter.

Each Party represents and warrants to the other Party that it shall only use Confidential Data for the purpose of fulfilling its duties under this Agreement and shall not further disclose Confidential Data to any third party without the prior written consent of the other Party or as otherwise required by law. Confidential Data shall not be provided or made available for targeted marketing purposes; however, VENDOR may use aggregated and anonymized data that it derives from Confidential Data within the course and scope of its data activities to enhance the quality of its performance under this Agreement or the functionality of the service VENDOR provides, provided that such Confidential Data does not constitute protected health information (“PHI”), as that term is defined and used in the Health Insurance Portability and Accountability Act (“HIPAA”).

Each Party acknowledges and agrees that all Confidential Data provided or made available to it by the other Party is and remains the property of the Providing Party. Upon termination or expiration of this Agreement, each Party will either return or confirm the destruction of all of the other Party’s Confidential Data provided or made available to the Receiving Party under this Agreement, at the election of the Providing Party and in accordance with specifications for return or destruction that the Providing Party shall specify at the time.

Each Party represents and warrants that it shall employ sufficient administrative, physical, and technical data security measures to meet the requirements under the specific federal and state laws applicable to all such types of Confidential Data that it receives, which may include but are not limited to:
• Student Education Records: The Family Education Rights and Privacy Act (FERPA), 20 USC 1232g et seq., and related regulations at 34 CFR Part 99;
• Social Security Numbers: Indiana Code 4-1-10, 4-1-11, and 24-4-9; and
• As applicable, VENDOR shall also have a program in place, documented in writing, to identify, detect, and address warning signs of identity theft, pursuant to the FACT Act, 15 USC 1681 et seq., and corresponding “Red Flag Rules.”

Immediately upon becoming aware of a breach of the VENDOR’s or any of its contractors’ or subcontractors’ security that reasonably may have resulted in unauthorized access to Confidential Data, VENDOR shall notify IU and shall cooperate fully with IU’s investigation of and response to the incident. Except as otherwise required by law, VENDOR shall not provide notice of the incident directly to the persons whose Confidential Data were involved without prior written permission from IU. To facilitate the investigation of security incidents, VENDOR will retain and provide to IU, upon request, all authentication and other relevant system logs, including relevant logs from any contractors or subcontractors, for a minimum of 60 days from the creation of such logs.

Notwithstanding any other provision of this Agreement, and provided that the University has not modified the VENDOR’s software in any manner, VENDOR shall reimburse the University in full for all direct costs, expenses, and liabilities incurred by the University as a result of VENDOR’s failure to comply with the above data confidentiality and security requirements. This obligation shall include reimbursing the costs or expenses incurred by the University in providing any notices to parties whose data may have been subject to unauthorized access as a result of VENDOR’s failure to comply with the above data confidentiality and security requirements, as well as defending, indemnifying, and holding the University harmless from any third-party claims or causes of action of any kind arising from or relating to the VENDOR’s use, maintenance, or handling of Confidential Data received in connection with its performance under this Agreement. These remedies shall be in addition to any other remedies provided within this Agreement or otherwise available under law.

Each Party shall ensure that its employees who perform work under this Agreement have read, understood, and received appropriate instruction so as to comply with the foregoing data protection provisions of this Agreement. Any subcontractors used by VENDOR to perform work under this Agreement that involves access to or use, processing, maintenance, transmission, storage, or disposal of Confidential Data must be approved in advance by IU, and their subcontracts must contain the same data protection provisions for Confidential Data specified above.

Each Party reserves the right to require the other Party to provide the results of:
• an audit of security policies, practices, and procedures on an annual or biennial basis, to be performed by a third party approved by the Receiving Party;
• a vulnerability scan, performed by a scanner approved by the Providing Party, of the Receiving Party’s systems that are used in any way, or that interact with systems used in any way, for the performance of this Agreement and/or receive, use, process, maintain, transmit, store, or dispose of Confidential Data;
• a formal penetration test, performed by a process and qualified personnel approved by the Providing Party, of the Receiving Party’s systems that are used in any way, or that interact with systems used in any way, for the performance of this Agreement and/or receive, use, process, maintain, transmit, store, or dispose of Confidential Data.

Remember What I Said About Boilerplate?
“Oh, that’s just boilerplate” is NOT an explanation.

Insurance
INLOCC has a comprehensive insurance boilerplate exhibit identifying insurance requirements that may be needed for professional services agreements. Insurance requirements will vary based on the kind of contract. For example, if no one is driving, no auto liability is necessary. “Builder’s Risk” insurance is never needed in a professional services contract.

Remember What I Said About Teaching Pigs to Sing and Boilerplate?
“Never try to teach a pig to sing. It only frustrates you and annoys the pig.”
“Oh, that’s just boilerplate” is NOT an explanation.

Contract Provision Library
• Data Security
• FERPA
• HIPAA
• Credit Card
• Insurance
• Auto
• Workers Comp
• Dram Shop (alcohol service)

Example: Catered Event, Cash Bar
• Data Security
• FERPA
• HIPAA
• Credit Card
• Insurance
• Auto
• Workers Comp
• Dram Shop (alcohol service)

Assignment
Sample: Neither party may assign this Agreement without the prior written consent of the other party.
Rationale: Ensures that the party you contracted with will remain in place for the duration of the contract; prohibits the other party from delegating (or selling) its duties (or rights) to a 3rd party.

Merger, or “Integration”
Sample: This Agreement sets forth the entire understanding between the parties relating to the subject matter hereof and supersedes all prior understandings and agreements, whether written or oral.
Rationale: Prevents drafts of the Agreement, email correspondence, telephone calls, and onsite conversations from being invoked when there is disagreement.

Force Majeure (“Superior Force”)
Sample: Neither party shall be liable for any failure to perform as required by this Agreement to the extent such failure to perform is due to circumstances reasonably beyond such party’s control, including, without limitation, labor disputes …. acts of God, …. material shortages, disease, or other such occurrences.
Rationale: Excuses performance for reasons outside of the parties’ control. Watch out for inclusion of circumstances that are fully within a party’s control.

No Waiver
Sample: A waiver by either party of a breach or violation of any provision of this Agreement will not constitute or be construed as a waiver of any subsequent breach or violation.
Rationale: Preserves the right to hold the other party accountable for breach of a provision, even if we didn’t do so for an earlier breach.

Severability
Sample: If any provision of this Agreement is declared to be invalid, illegal or unenforceable, such declaration shall not in any way affect the validity or enforceability of any other provision.
Rationale: Preserves the operation of a contract in which one or more provisions might be found invalid.

Termination
• For cause (breach): gives the aggrieved party the right to terminate because the other party did something “wrong.” The party in breach is often given the opportunity to “cure” the breach and continue the contract.
• For convenience: the contract can be cancelled because we want to do so. Usually at least 30 days’ notice is required.

Frequently Negotiated Contract Provisions
• Choice of Law and Venue
• Indemnification
• Confidentiality
• Termination
• Dispute Resolution

Contract “Negotiations”

Governing Law and Venue
Sample: This Agreement shall be construed and governed in accordance with the laws of the State of Indiana, without giving effect to conflict of law provisions. Any suit arising out of this Agreement must be filed in the appropriate state or federal court in the State of Indiana and the parties submit to its jurisdiction without regard to rules governing conflicts of laws.
Rationale: Allows parties to choose the state law they wish to govern their contract and where any lawsuit may be filed.

Choice of Law “Go-By’s”
• Indiana or silent is always good!
• If “Indiana or silent” fails, we will accept: Ohio, New York, Delaware
• We’re not thrilled about: Michigan, Maine
• We NEVER accept: California, Louisiana, or the “Commonwealths”: Kentucky*, Maryland, Virginia, Pennsylvania
*Kentucky is “special.” If it’s a contract for IUS with the State of Kentucky, we’ll accept it.

Indemnification/Indemnify
Definition: To restore a party that incurs a loss, in whole or in part, by payment, repair, or replacement. To make good; to compensate.
Rationale: Allows parties to agree to shift and allocate risks between the parties, sometimes without regard to either party’s relative degree of fault.
Watch Out for:
• “except to the extent”
• “even if Indemnified Party is negligent”
• “for gross negligence or intentional act or omission”

Indemnification Sample (Generic)
“Each party (the "Indemnifying Party") agrees to defend, indemnify and hold harmless the other party and its respective directors/trustees, officers, employees, and agents (collectively, the "Indemnified Party") from and against any and all claims, actions, damages, liability, cost and expenses (including reasonable attorneys’ fees) including death, bodily injury or damages to property (collectively, a "Claim") arising from any negligent or intentional wrongful act or omission of the Indemnifying Party, except to the extent that such Claim arises from the negligent or intentional wrongful act or omission of the Indemnified Party.”
● Try to take these out; we can fight about it later.

Tort Claims Act Language
Specific Language to Request for IU Agreements:
PROVIDED, HOWEVER, that University’s obligations hereunder shall be limited in substance by statutes and constitutional provisions designed to protect the exposure and liability of University as an instrumentality of the State of Indiana (e.g., actions and conditions as to which Indiana University is immunized by the Indiana Tort Claims Act, dollar limits stated in such Act, exemption from punitive damages, the continued ability to defeat a claim by reason of contributory negligence or fault of claimant), so that its liability to indemnify, defend and hold harmless shall not exceed what might have been its liability to a claimant if sued directly in Indiana by the claimant and all appropriate defenses had been raised by Indiana University.
Don’t make it a deal-breaker.

Confidentiality
Requires one or both parties to keep the other party’s information confidential for a defined period of time.
The challenge: IU is a public entity and cannot meet typical commercial expectations of confidentiality because of its obligations under the Indiana Access to Public Records Act.

Open Records Language
Consultant acknowledges and agrees that the University is a state agency subject to the provisions of the Indiana Open Records law, I.C. 5-14-et seq., and that disclosure of some or all of the information identified as “Proprietary Information” under this Article 6 of this Agreement, or of the Agreement itself, may be compelled pursuant to that law. In the event that the University receives a request for a disclosure pursuant to the Indiana Open Records Act, or any other law, of Consultant’s Proprietary Information, the University shall promptly notify Consultant, confer with Consultant regarding whether there are legitimate grounds to narrow or contest such disclosure, and only disclose that information that the University, in the opinion of the University’s legal counsel, is legally obligated to disclose.

Dispute Resolution
• Negotiation: Parties work the dispute out between themselves with no assistance/input from an outside 3rd party. Resolution can be in writing.
• Mediation: Parties agree to have an independent 3rd party assist the parties to agree on a resolution. Agreement to mediate does not bind the parties to reach a resolution, but any resolution that is reached should be in writing.
• Arbitration: Parties can agree to either binding or non-binding arbitration. The dispute is put before a 3rd-party decision-maker, often a panel of 3 arbitrators. The arbitrator will issue a written decision.
• Litigation: You know.