Landmines In Poor Software Development -- Legal Risks from Sales through Support September 7, 2012 Southern California Software Process Improvement Network.

Landmines In Poor Software Development

--Legal Risks from Sales through

Support

September 7, 2012 Southern California Software

Process Improvement Network (SCSPIN)

John Cosgrove, P.E., Fellow NAFE

[email protected], www.CosgroveComputer.com

Michael Krieger, Esq., [email protected]

April 18, 20232

Our TouchstonesOur Touchstones

Seeing as expert consults a parade of bad processes from sales to support

Noting very big awards, i.e., many times (e.g., 5x and up) the value contracted)

Recalling the messages in “Why Software is So Bad” cover story

MIT TechReview, July 2002, “Software Engineering and the Law” IEEE

Software May/June 2001, John Cosgrove

Why Software is So Bad

MIT Technology Review July 2002

April 18, 20234

MIT TR and Cosgrove – The Fix

The fix is going to be lawyers inflicting enough pain on s/ware companies (or gov’t regulat’n)

NOTA BENE: Whether due to code or implementation, big sytem failure => Business Loss May Far Exceed Contract $

Failed system victim’s problem: computer contracts limit liability litigation is dreadfully expensive

directly and on internal resources

April 18, 20235

Sunshine Mills v Ross SystemsAlabama jury awards $61M for

ERP system where original s/w licence was $250,000 15 Dec. 2010

A pet foods company in the US alleged that its ERP supplier fraudulently misrepresented the capabilities of its software.

April 18, 20236

Headlines – InfoWorld etc.

University accuses Oracle of extortion, lies, 'rigged' demo in lawsuit

2011/12/14 Montclair State elaborates on case

against Oracle over ERP projectgone wrong Chris Kanaracus –IDG

April 18, 20237

Division of Labor

John Cosgrove – Avoiding danger

Pitfalls to Spot and to Avoid, Processes to Implement, etc in Major System: sales devl’ install’n -> etc

Michael Krieger – Legal vulnerability

Legal environment: outlines of law and litigation elements to reveal their application to cases of poor practices

April 18, 20238

Cosgrove Computer Systems Inc. 8

JC - Topic Outline How projects can fail Origins of Failure Deliverable Definition Unrealistic Expectations Defective Process Discipline Origins of Legal Risks Case Histories

Insurance Policy system Component Distributor Auto Mall SCM

Summary

April 18, 20239

MK – Topic Outline

Time v. Oracle – outline facts, big $$$ Life cycle of a lawsuit Contract v. Fraud theory of suit: why

care? How this played out in Trim. Summary Judgement Motion by D:

what-why? Lack of success => settle Look at cases John describes

April 18, 202310

American Trim v. Oracle American Trim = joint venture of Alcoa &

Superior Metal Prod’ – components for GM, Ford, etc.

Needed common system to interface with manufacturers; EDI was required (1996)

Oracle: we’ve got that – Trim: Let’s see. Mock up demo purported to be live Long delay as Oracle tried to implement Trim cancelled, sued to for $1.8 M paid Jury: $3M compensatory + $10M punitive

April 18, 202311

Life Cycle of a Lawsuit Complaint by Plaintiff – view#1 of facts,

theory of harm and damages Answer by Def – view#2 of facts etc.Discovery - Depositions, document

production, &&. Costly, contentious, protracted; computer=> experts

Summary judgment (and other) motions More of above Trial and possibly Appeal

April 18, 202312

Key complaint theories Breach of contractBreach of contract: parties make mutual promises,

one fails to fulfill obligations Contract: typically sets out remedy for various

breaches, i.e., mutually agreed limits on damages TortTort: breaching a societal obligation may entitled

Injured party to all reasonably foreseeable damages. E.g. neighbor cuts down your tree; unsafe premises Misrepresentation: may qualify as tort

BingoBingo: cast vendor failure as a tort to get all losses, not just amount paid

April 18, 202313

Key fraud/contract distinction

“Fraud,” i.e., misrepresentation involves mistating the present, or sometimes wholly unfounded claims about the future, not just promises about it.

E.g., as to capability; resources; existance of softwara in use, is in beta, planned, ??? Depth and availability of team.

All these subject to the spectrum from small exaggeration to fabrications of facts that the buyer relies on

April 18, 202314

BSkyB v HP(EDS) Comment "Payment of £318m [for] an IT

dev’t contract of £50m and which had a limitation of liability cap set at £30m is a very painful reminder to HP and others that the law of misrepresentation is alive and that senior management need to have processes in place [so] that they can take immediate action if there is any suggestion of fraudulent practices during the sales process or otherwise."

April 18, 202315

For litigators in failure cases

Docs and email: likely hold key to case, i.e., no need for dealing with bits/bytes Expert costs are much smaller Juries can understand incompetence, lying

and cheating, not hex, interrupts. Lawyer can understand his/her case!

Smaller cases become “litigatable, i.e, the cost doesn’t overwhelm the expected ROI

April 18, 202316

Plaintiff and defendant goals P: Include fraud, i.e., really bad misrep’

that was critical to the loss D: fight factual + legal basis of claim

Resist discovery Move for Summary judgment

M/SJ: your honor, facts so far show that a fraud claim has no legal basis. So toss the claim, no need to put the issue before a jury

April 18, 202317

Role of summary judgment

Defendant does not want the fraud claim and associated facts before a jury due to risk of big damages

Consequently, cases tend to settle if the court sustains the fraud claims

Note that a defendant can appeal as did Oracle in Trim, which is why we know about it. Question: why did Oracle even go to trial and let a jury see such an ugly set of facts?

April 18, 202318

American Trim v Oracle Appeal

Upheld trial court on fraud, high damages. Special note of “present” tense by Oracle Fraud reached well up management ladder Reviewed whether it was reasonable for

Trim’s people to believe the simulation was live, whether attendance at a convention should have clued them that s/w not in beta.

Upheld all lower court finding

The SW Development View Factors which affect the developers

legal risks. Mistakes the client makes

April 18, 2023 Cosgrove Computer Systems Inc.19

April 18, 202320

How Projects Can Fail

Cost – Quality – Schedule Getting too costly – Budget is ?? Causes major errors – Too risky Still not done – Schedule is ??

Unacceptable: don’t pay, sue (& replace) How to recover/replace system

Salvage or do-over Who pays for recovery?

April 18, 202321

Origins of Failure Defective definition of deliverable Unrealistic expectations Defective process discipline

Cosgrove Computer Systems Inc.

April 18, 202322

Deliverable Definition What is the deliverable?

Describing it in the contract Should include process requirements

Change management at least– Features, cost & schedule

Acceptance criteria & procedure

Define priorities–Independent Variable Cost, schedule or quality? Any cost or schedule OK with low quality

Cosgrove Computer Systems Inc.

April 18, 202323

Unrealistic Expectations Communicating expectations both ways Supplier

Promised too much, too soon, too cheap Competitive bids can set the stage

Client Short term decision criteria – cost &

schedule Failed to ID critical trade-off factors

Cosgrove Computer Systems Inc.

April 18, 202324

Defective Process Discipline Software is Invisible Disciplined process overcomes this Management only possible with process

elements suitable to the project Automated support must be suitable Size, complexity, risk elements, etc. Testing processes – explicit, recorded &

enforced Legal risks largely driven by process discipline

Cosgrove Computer Systems Inc.

April 18, 202325

Origins of Legal Risks Most litigation starts with project history

Artifacts start with the solicitation/sales stage Representations generated by both sides Definitions & obligations expressed in contract

– Features, cost/schedule & required process

Artifacts generated by development stage Absence of artifacts may become critical Project status, testing records, etc.

Artifacts generated by deployment stage

Cosgrove Computer Systems Inc.

April 18, 202326

Case Histories Insurance Policy System ERP System for Electronic Component

Distributor Auto-Mall SCM System

Cosgrove Computer Systems Inc.

April 18, 202327

Insurance Policy System -- I Off-shore developer’s quality was

unacceptable to insurance underwriter Design discipline & testing failed

System produced invalid policy documents– Customers sued citing financial risk

Code was fragile causing DB corruption and system crashes

Discovery document revealed internal review recommending system re-write

Cosgrove Computer Systems Inc.

April 18, 202328

Insurance Policy System -- II Developer’s quality assurance process

Design discipline & testing failed to detect policy data corruption from improperly designed terminal sessions.

Ineffective programmer supervision produced fragile code without error control.

Lack of independent QA ignored known defects risking client’s business survival

Cosgrove Computer Systems Inc.

April 18, 202329

Component Distributor ERP - I Business model – Next day delivery System promised < 1 Y, <$5M Allowed Go-Live with known defects after

cost & schedule exceeded Critical Operations failed with Go-Live –

bankruptcy followed Only assets are potential damages

against suppliersCosgrove Computer Systems Inc.

April 18, 202330

Component Distributor ERP -II Disciplined process promised but not

followed Supplier experienced two mergers during

project Supplier Management team restructured

& compromised Records show management

inconsistencies

Cosgrove Computer Systems Inc.

April 18, 202331

Auto Mall SCM System – I Multi-brand auto mall orders

replacement Auto-retailing SCM System was promised “turn-key” in 1

week Critical features promised for all brands

EDI inventory management Common lead management

Cosgrove Computer Systems Inc.

April 18, 202332

Auto Mall SCM System –II Promised turn-key is incomplete with

some features yet to be developed. Neither of 2 critical functions are

operational with multi-brand dealers SCM sales team was conflicted with

pressure to book sale by EOY.

Cosgrove Computer Systems Inc.

April 18, 202333

Development Summary Software Intensive Systems Fail “Trend” is for potential liability awards to

be measured by business loss Implicit “Duty of Care” requires

evidence of disciplined processes Software developers must observe

levels of care similar to professions