Accreditation risk

A recent case involved a software firm suing the Government for setting accreditation criteria that allegedly put it out of business.

The case is Integrated Education Software Limited v Attorney General [2012] NZHC 837. The plaintiff company, IES, had provided school management software since the 1980s. By the 2000s, it was one of a number of software providers to New Zealand schools.

Around this time, the Ministry of Education decided to implement interoperability standards for school management software. As the judgment notes:

The overall market was … very fragmented. There were 37 software vendors providing software to the compulsory education market. Most were small. Some were one-man back shed operations. The school software market had grown organically over the decade since 1989 and, although it was almost entirely state-funded, there were no uniform standards or other controls in place to ensure product quality.

… there was also concern within MoE about the variable quality of software packages and after-purchase support. Lack of technical expertise at school management level meant school leaders were often unable to make good choices. Ultimately it was felt that this represented a risk to government in terms of wasted expenditure where software was not up to spec or the vendor company failed.

So the MoE decided to set an accreditation model whereby software packages that met certain requirements would be accredited. A financial incentive would be put in place for schools that used an accredited package.

After some refinement and teething problems with the accreditation criteria, testing was carried out in 2005. Seven vendors received accreditation, but IES did not. Users of IES’s software began to migrate to other, accredited vendors.

As a result, IES claimed that the accreditation process had damaged its business:

Although MoE argues that IES was in fact losing clients before the second accreditation round, there can be no doubt that IES’ failure to achieve accreditation did have a significant impact on that company’s fortunes. This occurred at two levels. First, it made it harder for IES to retain existing clients in the face of monetary incentives to change and MoE’s aggressive change campaign. Second, and for the same reasons, it made it more difficult for IES to attract new clients from the pool of 300 schools hunting for a new provider.

IES brought claims against the Government for:

  • Negligence, on the basis that the accreditation process was misconceived and poorly carried out; and
  • Bias / breach of natural justice (s 27 Bill of Rights Act).

Both of these claims (and another) were rejected.

On the negligence claim, the Court found that MoE’s adoption of an accreditation model was a policy matter, in which Courts are traditionally reluctant to intervene:

 The means by which the government is to fund the provision of SMS services to schools so as to ensure proper interoperability and appropriate standards in an era of widespread computer usage is a policy matter… These are questions for officials and politicians not Judges.

It also found that the MoE had no duty of care to IES in formulating and carrying out the accreditation process (it is worth noting that the Court suggested that the “proper footing” for a claim of this nature would have been misfeasance in public office), and considered that key facts were not made out.

On the bias claim, IES pointed to evidence it said showed that the MoE’s accreditation criteria favoured another vendor. The Court disagreed, saying there was no evidence to support an allegation of bias.

Lessons

The case provides an example of regulatory risk for IT vendors, and confirms that the Government has a broad (though not unlimited) ambit to implement standards, accreditation regimes and other policies without judicial interference. It is logical and sensible for a Government agency such as MoE to implement baseline standards (e.g. interoperability requirements) for state-funded schools, and accredit providers meeting the standard to allow schools to make an informed choice. It is unfortunate that IES, for whatever reason, could not or did not get accredited in time (in 2005).

The case does not explain why IES could not alter its software to meet accreditation. Software development is often an expensive and time-consuming process, and many vendors would face financial or resource constraints to significantly update what may be a “legacy” package to meet new requirements (which they may consider to be flawed or inapplicable).

But if IES had been able to update its software before or during the accreditation process (over a period of some months and years), presumably it could have reduced its alleged losses. Whether this could have been alleviated by a different contracting model or business model is unknown.

Buyer beware… of getting what you ask for

A recent UK technology case gives a good example of “buyer beware” and “you get what you pay for” in technology procurement.

The case is London Borough of Southwark v IBM UK [2011] EWHC 599 (TCC). Computerworld has a good write-up of the facts.

In short, Southwark Council embarked on an ambitious systems integration project to build a Master Data Management (MDM) system. Such projects have been fertile ground for legal disputes. The Court noted (in typically understated fashion):

In practice, it has been found by a number of the London boroughs which have introduced or tried to introduce MDM systems that they are complex.

In March 2006, the council’s IT dept drew up a Project Brief. The next month, the council met with IBM, which proposed a solution to meet the Project Brief that would cost between £1.5 million and £2 million. However, Southwark had a budget of only £500,000. As a result, it was agreed that a more limited solution would be carried out, to meet the council’s budgetary constraints.

During 2007 the project got underway and some progress was made, but problems soon ensued (as detailed in the judgment). In October 2007, a council staffer notified the first complaint against IBM, alleging that “the MDM ‘solution’ procured from IBM is not fit for purpose”.

“Fitness for purpose” is a legally loaded term. In New Zealand, it is an implied condition of sale (via the Sale of Goods Act 1908) that goods known to be bought for a particular purpose must be fit for that purpose. This applies to business and consumer goods (and “goods” includes software). There is a similar provision in the Consumer Guarantees Act 1993, though importantly, that Act applies to services as well as goods, and (in the case of consumers) cannot be contracted out of.

It is interesting to see from the judgment that after significant problems emerged, the council simply blamed IBM for delivering software that was “not fit for purpose”, apparently without looking at whether it (the council) selected the right solution for its purpose. (The fact is, it compromised on its requirements from the outset in order to meet its budget.)

I have been involved in a number of major IT implementation disputes where this has happened, with remarkable similarity. Part of it, no doubt, is corporate CYA culture, but the bigger part of it was (once you reduce it all down) the simplistic mindset that “we paid you truck loads of money, and you’re the IT experts, so if anything’s gone wrong it must be your fault”. Given what actually happened in these projects, this is quite unbelievable.

IBM reasonably responded to the council as follows:

At the time of purchase [the council] chose not to take a total solution/system option due to the cost implications and decided to contract the individual software and services items separately. In addition, [the council] chose to project manage the MDM implementation with assistance from the IBM software services team … and to date the IBM services contract has had only approximately 50% utilisation.

In Court, the judge echoed IBM’s comment above, saying:

[IBM’s software] does “what it says on the box”. An analogy is the potential car purchaser who might want an off-road vehicle but, having looked at the brochure for an on-road vehicle, says to the salesman “that’s what I want” and buys that vehicle. There will be no cause of action against the garage that the car is no good off the road. The salesman will reply, with justification: “you got exactly what you asked for”. That is essentially what has happened in [the council’s] case.

In my judgement, [the council] got by way of [IBM] exactly what its then team knew that they were getting and what it decided that it wanted and needed within its budgetary constraints.

As a result, the council had its case against IBM thrown out, and was ordered to pay costs to IBM. Moreover, the judge awarded indemnity (full reimbursement) costs in favour of IBM because of the council’s failure to accept a reasonable “walk away” settlement offer before the trial, in circumstances when it should have seen that its case had serious defects.

In other words, the pre-trial evidence put forward by IBM should have made the council realise that neither IBM nor its software was to blame, but that the client had itself simply chosen a cut-down solution that was “unfit” for what it later said it wanted – a situation I have witnessed on a number of occasions (and all of which we successfully settled out-of-court on favourable terms, I might add).

Tech law update 23 August 2010

Preference vs protectionism

Labour MP Clare Curran has entered the Kiwi Jobs Bill into the private members’ ballot. The bill aims to “determine whether the NZ Government can have a policy that gives preference to local procurement without breaching our international trade obligations”. The bill would apply to IT procurement, which has prompted some differences of opinion from the industry. For something as universal as IT, anything that is simply protectionist would be irrational and detrimental. But an increase in transparency and the promotion of open standards (if the Bill does that) would be welcomed.

IT & the new Limitations Act

Under the Limitation Act 1950, the general rule is that a person cannot bring a claim in contract or tort more than 6 years after the cause of action arose. As a result, business records (including electronic data) should generally be kept for at least 6 years (although other acts impose specific rules, for example 7 years for certain accounting information under the Tax Administration Act). However, over the years many quirks and wrinkles have been introduced into the picture, resulting in some uncertainty.

A replacement Limitation Bill received its first reading earlier this month. The bill tidies up and simplifies limitation periods. Importantly, it proposes to introduce (for most matters) a “longstop” limitation period of 15 years. As a result, prudent businesses will want to keep some records for 15 years. This sounds like a very long time and, of course, raises some practical issues, but expanding storage capabilities mean disk/cloud space should not be burdensome for most businesses. However, there can be a downside to keeping records – in that they may be discoverable in litigation – so this rather dry subject does require some thought in each case.

Record keeping risk?

On a related note, a new survey shows that most Kiwi businesses do not have documented procedures for recovering from an IT disaster. Besides the business interruption risk, there could be significant third-party legal risks from a catastrophic data loss. For example, a firm that has assumed responsibility for holding records for clients (e.g. accountants, architects, engineers, lawyers, etc) could be liable in negligence for their clients’ business interruption following the record-holder’s data loss, in certain circumstances.

ISP search concerns

Is the Copyright (Infringing File Sharing) Bill a wolf in sheep’s clothing when it comes to secret surveillance? Civil liberties lawyer Michael Bott thinks so, and wants better notification requirements for electronic searches.

Open source in government tenders

Computerworld reports:

A requirement that a component of a government IT tender be open-source has sparked debate on whether such a specification is appropriate.

The relevant part of the RFP (for the State Services Commission) puts the requirement as follows:

We are looking for an Open Source solution. By Open Source we mean:

  • Produce standards-compliant output;
  • Be documented and maintainable into the future by suitable developers;
  • Be vendor-independent, able to be migrated if needed;
  • Contain full source code. The right to review and modify this as needed shall be available to the SSC and its appointed contractors.

The controversy is whether this is a mandate of open source licensing (which it isn’t). The government should not mandate open source licensing or proprietary licensing on commercial-line tenders. More precisely, it should not rule solutions in or out based on whether they are offered (to others) under an open source licence. The best options should be on the table.

The four stated requirements are quite sensible. As the SSC spokesman said, there is nothing particularly unusual about them in government procurement. These requirements (or variations on them) are similarly common in private-sector procurement and development contracts. In the public sector in particular though, vendor independence and standards-compliance help avoid farcical situations like the renegotiation of the Ministry of Health’s bulk licensing deal.

Open standards and interoperability in public sector procurement are gaining traction around the world. Recently, the European Union called for “the introduction of open standards and interoperability in government procurement of IT”. And in the recent UK election, all three of the main parties included open source procurement in their manifestos.

So why the controversy in this case? Most likely it’s the perhaps inapt use of the term “open source” in the RFP (even though the intended meaning is clarified immediately afterwards). The term “open source” is a hot-button word that means many things to many people, but today it generally means having code licensed under a recognised open source licence, many of which are copyleft. Many vendors simply could not (or would never want to) license their code under such a licence, and it would be uncommercial and somewhat capricious for a Government tender to rule out some (or even the majority of) candidates based on such criteria.

However, it is clear that the SSC did not use the term in that context, and does not intend to impose such a requirement. An appropriate source-available licence is as capable of meeting the requirements as an open source licence (see my post on source available vs open source). The requirement for disclosure of code to contractors and future modification can be simply dealt with on standard commercial IP licensing terms.

A level playing field for open and proprietary solutions is the essential starting point, with evaluation – which in most cases should include open standards and interoperability – proceeding from there.

UK election 2010 – the technology vote

Technology policy and law is featuring prominently in the UK election campaign currently underway, with issues such as cloud computing, open source procurement and data protection finding their way into manifestos:

“The Liberal Democrats’ election manifesto published today (14 April) called for improved government IT procurement, including the use of cloud computing and open-source software.”

“The Conservative party has reiterated its plans to freeze major new IT spending and make changes in government procurement in its election manifesto… The Tories also pledged to create a “level playing field” for open source IT in government procurement, and to break up large IT projects into smaller parts to enable SMEs access to contracts.”

Labour repeatedly highlighted the importance of IT in its election manifesto, which was launched today, but made few new IT-related promises.
The Labour Party stands on strengthening the digital economy, using open source in government IT …

“Despite the name, the Pirate Party isn’t just about file sharing. Yes, it wants to ensure a right to file share, as well as format shift – such as moving songs from CDs to iPods, which is currently technically illegal. It also wants to cut copyright from 70 years to 10 and put labels on products to warn of the “defect” of DRM… On top of that, the party would ban spying on communications, end “compulsory ID cards” and toughen up data protection laws.”

More links on tech policies from: the SNP and Plaid Cymru, and the Greens.

Clearly, IT is figuring much more prominently in the upcoming UK election than in New Zealand’s last election in 2008. One reason is that the UK has suffered a number of major IT project blow-outs in recent years (such as the disastrous £12.7 billion NHS National Programme for IT) that have basically become minor election issues.

There are signs that technology is featuring more prominently in New Zealand’s political scene, though hopefully this will not be due to scandals over failed government IT projects.

However, the cynical last word must go to the Inquirer:

In short if you want to vote for someone on the basis of their enlightened IT policy you would be better off spoiling your ballot.

Tech law update 22 April 2010

IT industry supports ban on software patents

InternetNZ, the New Zealand Computer Society and the New Zealand Open Source Society issued press releases yesterday in support of the ban on software patents.

The Labour Party also issued a press release supporting the decision and Minister Simon Power’s earlier endorsement.

Meanwhile, law firm Chapman Tripp issued a press release criticising the decision.

Privacy Commissioner slams Google’s “experiment”

New Zealand’s Privacy Commissioner, Marie Shroff, has criticised Google Buzz as being a “commercial experimentation on New Zealanders and other internet users, involving the release of significant personal information”:

[Google’s actions] violated the fundamental, globally accepted principle that people should be able to control the use of their personal information.

The comments follow Ms Shroff’s signing of a joint letter to Google, stating:

It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.

These comments, including constructive requests that organisations collect and process “only the minimum amount of personal information necessary” and create “privacy-protective default settings”, are admirable. Ms Shroff does a great job in standing up for New Zealanders’ privacy rights.

The difficulty, as I have written previously, is that people happily trade privacy for functionality. Millions of people willingly pour personal information into different websites every day. To what extent can Google be criticised for finding new, creative uses of information it has been willingly given, in accordance with terms agreed to by users? And to what extent is it necessary or right for governments to intervene?

Open standards in Government procurement

Earlier this year I commented that “the Government must properly mandate open standards and multi-vendor capable solutions for future state-sector IT procurement”.

European Union ministers have now called for “the introduction of open standards and interoperability in government procurement of IT”. This comes as part of an ongoing development of procurement frameworks.

The report states that some groups claim the proposal has been “so watered down due to intense lobbying by the proprietary software makers, to such an extent that the document will have no impact on the market”. Other industry groups have praised the proposals as “well balanced”.