Feature

Can you access critical source code?

If it was reported that your mission-critical software supplier had called in the receivers, would you break into a cold sweat? Could you stay in business without support and maintenance from your supplier? As recession bites, IT and legal directors should be reviewing what protection they would have if their software suppliers went bust, writes Teja Picton Howell.

Most purchasers investigate their software supplier's financial strength before making a purchase decision, but they should also consider other ways to reduce risks. Has the supplier licensed any third parties to provide support and maintenance for their software? Could you replace the software with a competitor's system at short notice?

If the answer to one or more of these questions is "yes" or your supplier has handed over a copy of the source code - subject to you agreeing to use it only in defined circumstances - then a source code escrow contract with the software supplier and an independent escrow agent is vital.

Under an escrow contract the supplier deposits the software source code and supporting technical information with a third party, the escrow agent, which agrees to make the material available to the customer if the supplier breaches its contractual support and maintenance obligations or becomes insolvent.

Make sure that the escrow agent has a direct contractual obligation to you and not just to the supplier. You need to have the right to the source code to support and enhance the software program. The owners of the copyright in the software can prevent anyone else from altering it.

Although European law allows changes to be made to software that are "necessary for the use of the computer program by the lawful acquirer in accordance with its intended purpose, including for error correction", this right is limited and can be excluded under the terms of the software licence granted to the user.

Make sure that the original supply agreement or source code escrow agreement clearly sets out your rights to maintain and enhance the software yourself or that it permits you to authorise someone else to do so if the original supplier fails to do so or becomes bankrupt.

But do source code deposit escrow contracts have any value in practice?

You already have contractual rights and remedies under the support and maintenance contract. It is important to look beyond the legal obligations on the supplier under the escrow contract and see what practical remedies you have.

Check not only that the contract has been properly drafted and signed, but also that the supplier has really carried out all its obligations.

Has the supplier deposited everything that it is required to with the escrow agent?

Most contracts require the agent to notify the customer when material is deposited. Is the material sufficient to enable you to understand and use the computer program, fix bugs and make enhancements?

It will be near impossible to do this with only the source code, so what other technical documentation will you need to understand and make use of it?

The names and contact details of the original authors and support technicians can be valuable.

As few software products remain static, it is important to ask whether the contract requires the supplier to deposit all updates and enhancements with the agent. Do you have the systems in place to check that this has been done?

When you have checked that the suppliers have signed the escrow contract and chased them up to deposit all the right material with the escrow agent, you need to know whether that material will work.

Some professional escrow agents offer verification services. These range from simple integrity testing to check that the media deposited is readable and contains accessible, virus-free source code, to a full verification to test that the source code deposited can be used to create the working application of the software as licensed to the customer.

In an ideal world you would require re-verification with every modification to the software to make sure that the amended version of the source code has been deposited. However, verification is not cheap, so inevitably some risk/cost compromises have to be made. Nonetheless, how comfortable can you feel unless at least one version of the software has undergone full verification?

Five areas of risk to monitor

1. Access to the source code is a last resort. Also think of other ways to reduce risk

2. The source code alone is not enough. What other material will you need to be able to make use of the source code?

3. Don't rely just on your legal remedies after the event. Check that the software supplier has actually deposited the required material with the escrow agent

4. Do you have systems in place to monitor whether all changes to the source code are also being deposited?

5. Ideally, get the escrow agent to carry out a full verification of the material. If you only find out that the material doesn't work after the supplier has gone bust, it's too late.

Teja Picton Howell is a corporate and commercial lawyer with IT specialist Picton Howell solicitors

www.pictonhowell.com/


This was first published in November 2001

 
