It's no secret that vendors like to get close to CIOs in hopes of influencing them to buy products and services. Vendors also like to get chummy with CIOs to better understand what buyers are thinking and how buyers like to be approached. The closer vendors get to CIOs, the better their chances of making an immediate sale, the better they can adapt their sales approach to the general population of CIOs, and the better they understand the overall market.

Getting close to vendors can be good for CIOs too. CIOs benefit from understanding how vendors operate and CIOs learn about the latest and greatest technology through vendors. Getting chummy with vendors is good for CIOs - as long as they can avoid stepping out of bounds. The stakes are high. At best, a misstep can result in upsetting other vendors, or damaging the reputations of the CIOs and their companies. At worst, a misstep can amount to breaking the law.

To find out more about the boundaries CIOs need to watch out for, I talked to Dr Sam De Silva, partner at UK law firm Penningtons Manches LLP, head of that firm's IT & Outsourcing practice, and board member of the Chartered Institute of Purchasing and Supply (CIPS).

Pat Brans: When CIOs get too close to vendors, what kinds of problems might arise?
Sam De Silva: Public sector procurement in the UK is governed by quite strict rules driven by the EU public sector procurement regulations. That effectively means procurement has to comply with certain transparency standards, which are designed to put everybody on a level playing field.

In the public sector the risk of getting too close to vendors is much higher. In many cases, public sector CIOs can't do what private sector CIOs do. There is a big potential for problems when public sector CIOs go out to play golf or attend events with a particular vendor. Other vendors can challenge the procurement if they consider that one vendor is being favoured.

Private sector procurement has no specific laws to govern how the actual procurement is undertaken. Obviously you can't participate in corruption, but I think that's a separate issue.

Private sector procurement is a bit more flexible in terms of how close CIOs can get. In terms of legal issues, they need to be aware of anti-bribery legislation. And bribery doesn't have to take the form of payment. There could be other things that induce somebody to enter into a contract.

There is also the PR risk if the market sees that a CIO is getting too close to a particular vendor. That has to be managed.

PB: I think this might be a difficult area, but can you elaborate on what constitutes a bribe?
SDS: Under the Bribery Act, a person is guilty of an offence where they offer, promise or give a financial advantage to another person in two cases. The first case is where that person intends the advantage to bring about an improper performance of a relevant function or an activity by another person or to reward such improper performance.

The second case is where that person knows or believes that the acceptance of the advantage offered, promised or given, in itself constitutes the improper performance of a relevant function or activity.

I should clarify three things. First, "financial or other advantage" is not defined and is likely to be construed widely. Second, "relevant function or activity" includes all functions of a public nature, all activities connected with a business, any activity performed in the course of a person's employment, and any activity performed by or on behalf of a body of persons. Finally, "improper performance" is defined as performance or non-performance which breaches the expectations of good faith or impartiality.

Different companies will have different practices and policies for this. It depends on the risk appetite of the company. I know certain companies who say that even if you go out to coffee you need to document that. These are obviously very risk averse companies. Other organisations are a lot more flexible.

PB: What advice do you have for CIOs to help them avoid falling into traps?
SDS: I guess just common sense really. Most people know when they're getting too close. If what they're doing doesn't feel right, it probably isn't right.

There are some CIOs who go on trips, such as golf outings, with a particular vendor. That could be seen as getting close. It also depends on if you have an existing relationship with a vendor.

If it can be shown that a CIO always prefers a particular vendor, procurement after procurement, it's evidence that limits have been passed, but it's not conclusive proof. There's also the case where a CIO moves from one organisation to another. Then all of a sudden the incumbent vendor in the second organisation gets shoved aside. That's evidence as well, but also not conclusive.

PB: Can you think of clauses you would recommend CIOs put into vendor contracts?
SDS: In terms of re-procurement, what helps is on the exit phase if you can have an obligation for the incumbent to provide assistance during the vendor procurement process. Everybody is treated on a level playing field. The incumbent can pitch for the job, and they obviously have intimate knowledge, which gives them some advantage. So if you can have them assist and cooperate in the procurement process it could level the playing field.

The challenge there is that the vendor will say they have commercially sensitive information they don't want to disclose to other vendors. This needs to be managed.

I would also recommend the inclusion of anti-bribery clauses in contracts.

PB: Are non-disclosure agreements (NDAs) helpful?
SDS: Because of the general law of confidence, which exists in common law, you don't strictly need an NDA.

There are three basic elements to establishing a breach of confidence has occurred. First the information must not be publicly known. Second the information must have been communicated in circumstances importing an obligation of confidence. Third there must have been unauthorised use or disclosure of the information.

Even though the law of confidence provides the necessary protection, NDAs do have their place. An NDA documents the understanding, so it's easier to prove a breach. And you could also go beyond what is covered in the law of confidence in the NDA and include things that are not inherently confidential.

A formal written NDA can provide a disclosing party with a greater level of protection of its sensitive technical or commercial information than that offered at common law. It also provides certainty around the extent of protection by setting out in detail the conduct the disclosing party expects from the recipient.

An NDA establishes a simple contractual obligation which, as well as being easier to enforce, will assist a claim for breach of confidence because it confirms that the relationship is one of confidence, which can otherwise be difficult to establish. As such, in the event of unauthorised disclosure of confidential information, an action may be brought for breach of confidence at common law and for breach of contract.

A further benefit of an NDA is that it enables the parties to tailor the rights and responsibilities of both parties to the particular circumstances, and to include other contractual provisions such as mechanisms for dispute resolution.

Vendors may ask a CIO to sign an NDA; and if you're disclosing confidential information about your own business, you may want to have the vendor also sign an NDA with your company as the discloser.

One other point is that while it's not strictly necessary to add text at the bottom of slides indicating that the slides are confidential, it does help establish that this particular information was intended to be confidential.

PB: I've never heard of an NDA being enforced. How often are they really enforced?
SDS: Cases where a party has sued on an NDA are surprisingly rare, given how commonplace NDAs are. Claims generally only arise where the disclosures in question lead to significant losses. For example, one of the leading cases, Vercoe v Rutland Fund Management Ltd, was brought when a party to an NDA used confidential information obtained under the NDA to gazump the other party in a bid to acquire a company. Claims in the arena of procurement - in other words, "discussions only" NDAs - are much more thin on the ground.

Specifically in relation to CIOs, there haven't been any reported cases in which a CIO was the one who entered into the NDA, or where a CIO breached the NDA. This does not necessarily mean that such cases do not exist, only that none have been reported. Generally only high value or legally novel cases make their way into the law reports. Also, it is likely that cases may well have been settled prior to the parties going to court.

PB: In the US - especially in Silicon Valley - I know of CIOs who are non-executive directors on the boards of vendor organisations. Of course they have to watch out for conflicts of interest. Does this occur in the UK? Do you know of cases where a UK CIO is on the board of a vendor organisation?
SDS: No, I don't know of any cases. It doesn't mean it doesn't happen, but I don't think it's a common thing here in the UK.

That in itself could be a conflict of interest. If you're on the board of a vendor and they try to sell into your organisation, it means you were involved in the decision making of the vendor and you are very much involved in the decision making of the buying organisation as well. At the very least the CIO should disclose his interest to the Board of the buying organisation. There will also be issues of confidentiality. For example, a CIO is likely to know the technology roadmap of the buying organisation and this would be very valuable information for a vendor.

I am not saying that conflicts of interests will always arise in this situation, but it needs to be carefully considered and managed.