The central theme of this year’s Conference is risk in the contexts in which IT lawyers typically operate, for example the development of new systems, products and services, systems integration or outsourcing. ‘Risk’ provides a relevant but flexible ‘common denominator’ for discussion and debate about what’s happening in our market, and how best practice is developing or needs to develop.
This year has provided many instances of how well-known risks associated with IT are still with us, and how great the impact can be. By way of an example, Auto Windscreens, the second largest windscreen repair business in the UK, collapsed into administration in February. The administrators, Deloittes, stated that the company was in the midst of a turnaround plan, but delays in implementing a new IT system were a significant factor in its demise.
In the public sector, the report of the Public Accounts Committee this August has been scathing in its criticism of a failure to manage risks effectively in public sector IT projects. It is dramatically titled ‘Government and IT - “a Recipe for Rip-Offs”: Time for a New Approach’, and its introduction notes that ‘despite the breadth and depth of IT’s use in government, the public sector seems to make less effective use of IT than the private sector’.
The report identified six underlying causes of failure, including an over-reliance on a small number of large suppliers and the virtual exclusion of small and medium-sized suppliers, a failure to integrate IT into the wider policy and business change programmes, and a tendency to commission large, complex projects which struggle to adapt to changing circumstances.
One of the most heavily criticised public sector projects has been the Department of Health’s ‘National Programme for IT in the NHS’ (NPfIT). The PAC argues that £2.7 billion of taxpayers’ cash has been wasted by the programme because it believes that the Department of Health has very little to show for that huge amount of cash.
So the traditional risks of delay and overspend are long known and still with us. At the same time the risk profile of the environment in which we operate changes as technology and business models change, and so new risks are added all the time. Outsourcing, the movement from product-based to service-based computing, and the adoption of ‘cloud’ approaches all bring new risks ‘to the party’.
A stark example of the risk of going off-site and offshore was demonstrated earlier this year when the FBI raided a data centre in Reston, Virginia and seized equipment from DigitalOne, a Swiss-based hosting company. After the event the FBI explained that the raid related to an action it is bringing against certain fake antivirus software distributors, one of whom happened to be a client of DigitalOne. It appears that the FBI agents removed entire racks containing the servers of interest. Unfortunately these racks also included many servers not related to the investigation, and as a result their removal adversely affected several well-known sites whose equipment happened to be on those racks, including Curbed.com, Pinboard and Instapaper. A number of online companies’ services were taken down entirely without warning or were severely affected and only able to offer a restricted service. Most of DigitalOne’s customers are sub-providers which host hundreds and thousands of smaller customers, many of whom were affected for several days by this unexpected turn of events.
These examples demonstrate that some of the risks in IT seem like hardy perennials while others can sneak into the border unobserved and spring up to surprise us. It is important that as lawyers we understand that risks, and the factors giving rise to risks, are not always fixed and familiar, but are continually evolving and changing. IT lawyers with the right skill sets and training ought to be able to help clients identify and manage such emerging risks. This year’s conference should help with that challenge. I look forward to seeing you there.