Before You Redline Anything, Know What You're Buying
Cocky people are the worst. I’ll admit, like most attorneys AND most procurement people, sometimes I tend to fall into that category. But I try to catch myself and pull back. It’s tough because in both of my lanes I am expected to be the ultimate smaht guy. As a lawyer, we need to know everything and stakeholders tend not to question us because we have that esq in our signatures. As a procurement guy, I’m the big mean man who stands between project and execution (although sometimes it’s more like project and payment). It’s hard to notice our own faults.
There’s a big one, though. More of us suffer from it than we realize. It’s a real issue nobody discusses, but I’m going to right now.
There’s a skill gap in legal and procurement that nobody wants to talk about out loud.
Why? Personally, I think it’s because companies don’t know what the knowledge gap is costing them in labor.
It’s not negotiation tactics. It’s not contract structure. It’s not even knowing the difference between indemnification and limitation of liability…
It’s this: too many attorneys, new and experienced alike, are reviewing contracts for things they don’t actually understand, and you CAN’T redline what you don’t understand. More specifically, you cannot assess risk in something you don’t understand and, let’s be real, contract review, at its core, is risk assessment.
That’s it. That’s the whole job. [1]
If you don’t know what you’re assessing, you’re not doing risk assessment. You’re doing an off-Broadway theater production.
Here’s what contract review looks like in a lot of organizations: legal gets handed an agreement, opens a clean copy, and starts marking it up. Liability caps. IP ownership. Termination provisions. Auto-renewal clauses. The usual suspects get flagged, the unusual ones get missed, and the whole thing goes back to the vendor looking busy.
Everybody feels good because it looks like work got done. A day well spent because a contract went from black to red.
The problem is, nobody asked the most important question first: What are we actually buying, and what can actually go wrong with it?
I’ve seen 30-year attorneys redline staffing agreements the same way they redline software licenses. I’ve seen junior associates spend three hours tightening up an indemnification clause in a contract for a service they couldn’t define if you put a billable hour on the line. The red ink flows. The deal moves forward and somewhere downstream, something breaks that a better question at the beginning would have caught.
The boilerplate indemnification that works fine when you’re buying marketing services doesn’t work the same way when you’re buying a SaaS platform sitting inside your network touching employee data. Neither of those works the same way when you’re buying a jet.
This isn’t a dig at attorneys… and as an attorney I am allowed to take shots at the group. It’s a dig at how I was trained, at how we’re training them, or more accurately, not training them.
Let me give you a real example of what I mean.
At one point in my career, I had to buy a corporate jet. I want to be clear about my qualifications going into this: I know how to purchase a ticket, find my seat, and pick a movie. That’s the full extent of my aviation expertise. I’m also real good at booking the Uber and securing in-flight snacks on my corporate card.
So, I had to learn. Fast…
I had to understand who was actually flying, which executives, which clients, which routes, and map out the typical destinations. Why? Because the plane that gets you from a small regional airport outside Boston to a small regional airport outside Baltimore is not the same plane that gets you from Boston to LAX. And it’s definitely not the plane that gets you to Heathrow. Runway length. Range. Fuel capacity. Cabin configuration for long-haul versus short-haul. These are not minor details. They are the entire point.
Ironically enough, the most important detail was the inflight service and at what temperature the water would be served. One thing I learned is that services are a separate RFP.
I had to understand what I didn’t know, and then go learn it, because you cannot add things to a contract when you don’t know they exist. You can’t protect against a risk you haven’t identified. Brushing up the indemnification clause and adding standard insurance requirements doesn’t cover you when the specific aircraft can’t land at the specific airports your company actually uses. That’s not a legal problem. That’s a you-didn’t-do-your-homework problem.
The contract for a corporate aircraft has to address maintenance obligations, inspection schedules, crew qualifications, operational limitations, storage, deicing, insurance that actually reflects aviation risk, and so much more. None of that looks anything like what you’d put in a services agreement. If you open that contract thinking you can rely on your standard playbook, you are not protecting your client or your company. You’re coloring on a page and calling it contract review.
Now take staffing. It seems simple until you realize how many different things the phrase “HR vendor” can mean, and how dramatically different the risk exposure is depending on which one you’re actually buying.
Temp staffing, contingent search, and retained search all fall under the same general umbrella. They all involve bringing humans into your organization. They all have similar-looking commercial terms on the surface. Yet, they carry fundamentally different risk profiles, and if you’re reviewing them all the same way, you’re not doing your job.
This has been a pet peeve of mine for years. I’ve worked with so many attorneys who do this work but don’t understand it. They operate with such confidence… typical.
Let’s talk about it … it’s a real good example…
With temp staffing, the worker is on the vendor’s payroll. You’re buying labor hours. The risk assessment here is not primarily about rates. It’s about co-employment liability. It’s about worker classification. It’s about what happens if that person is injured on your site and who is actually responsible for taxes, benefits, and wage compliance. [2] It’s about replacing your temp employee as you see fit. Your indemnification language needs to clearly establish that this person is not your employee, and it needs to hold up when something goes wrong, not just read well when nothing has. Microsoft learned this the hard way when a class-action lawsuit over temp worker benefits took eight years to resolve and cost the company $97 million. [3] That is not a hypothetical risk. That is a real number attached to real language that somebody thought was adequate until it wasn’t.
Contingent search is a transaction. You pay a fee when a candidate gets hired. The vendor’s obligation ends at placement, kind of, but if you know what you’re doing you contract appropriately. The risk here lives in the guarantee period, specifically what “replacement” means, and what happens at day 89 when your guarantee runs 90. Because that candidate will be gone on day 91 and you’ll be back at square one arguing about contract language nobody thought hard enough about upfront.
Retained search is a relationship with a fee structure attached to process, not outcome. You’re paying the fee regardless, which is really hard for some attorneys to rationalize. You’re paying regardless of whether someone gets hired. The risk calculus is entirely different: what do you actually get if the search fails? What does exclusivity mean and how is it enforced? What’s the recourse when the firm delivers three finalists you already knew about? What happens if your selected candidate joins and then backs out a few weeks later?
Same general category. Same section of your vendor master. Completely different contracts. Completely different risks. If you pick up the pen without knowing which one you’re reviewing, you’re pattern-matching against language you’ve seen before and hoping for the best.
Now consider IT, which is where the stakes get genuinely frightening and botching it gets real expensive real quick.
Software agreements have become some of the most consequential contracts a company signs, and a lot of attorneys still review them like they’re boilerplate. They’re not. The risk in a bad software contract can be staggering, and almost none of it lives in the clauses you were trained to flag.
Before you touch a software or SaaS agreement, you need to understand what you’re actually buying AND how it will work in action. Not “it’s a project management tool.” You need to ask lots of questions: What data does it touch? What workflows does it sit in? How does it connect to your existing systems? And where does the data actually go?
That last question matters more than most attorneys realize. “The cloud” is not an answer. Whose cloud? What region? What do their subprocessors look like, and do they change without notice? There is a meaningful difference between data sitting on a server in Virginia and data sitting on a server in Frankfurt, especially if that data is subject to HIPAA, GDPR, or your own contractual obligations to customers. GDPR violations alone can cost up to 4% of global annual revenue. [4] HIPAA penalties run up to $1.5 million per year per violation category. [5] These aren’t edge cases. They are the predictable consequence of signing a contract without understanding what’s in the system.
And what kind of data is going in? There is a massive difference between a tool that stores project timelines and a tool that stores employee health information, customer financial records, or proprietary business processes. The average cost of a data breach in the technology and SaaS sector is now $5.3 million per incident. [6] Healthcare breaches average $9.77 million. [7] The limitation of liability cap that seemed reasonable for a productivity tool is laughably inadequate when you’re talking about a breach that exposes regulated data. Now you’re balancing the liability cap against insurance.
If you don’t understand how the system works and what’s in it, your data security provisions are guesswork. Your SLA is measuring uptime on a system you don’t actually understand. Your audit rights might be perfectly drafted to cover the wrong things entirely. Then you just wait until your vendor is hacked and your information, along with that of all their other clients, is exposed.
Here’s the uncomfortable part. Law schools teach legal reasoning. That’s not wrong, it’s just incomplete. Somewhere along the way, firms and legal departments decided the answer was to bring in specialists or outside counsel when things got technical. Which means the attorneys doing first-pass review have never been told they need to understand the thing before they can protect against the risks in the thing.
The senior attorneys aren’t always helping. Some of the heaviest redliners I’ve seen are experienced lawyers who learned contract review when deals were simpler, or when the technical complexity could be safely ignored. They found the clauses they knew to look for, marked them up, and called it done. Then they trained the next generation to do exactly the same thing.
The result is a profession where contract review often means pattern-matching against known clauses rather than actually identifying risk in the specific transaction in front of you. That works fine, right up until someone hands you a jet purchase agreement and you reach for your standard services playbook.
Before any agreement gets reviewed, there needs to be a real conversation. Not a long one. But an honest one.
We need to teach attorneys to ask questions to understand what they don’t know.
What are we buying? Who asked for it? What does the business actually do with this thing? What happens if the vendor disappears tomorrow? What are the actual failure modes, not the theoretical ones, the real ones specific to this deal?
The attorney’s job is to translate those answers into contract language that protects against the real risks, not the theoretical risks, not the risks from the last deal that kind of looked like this one, but the actual risks in this specific transaction.
Gone are the days when all redlines were created equal. To be good at this job, you need to know what to add just as much as you need to know what to change, across many different circumstances.
Redlining is the easy part. Knowing what to protect is hard. And right now, we’re teaching the easy part and calling it contract review.
Sources
1. “The highest level of work is to assess risk associated with contract clauses and advise on solutions. This risk assessment work is highly contextual and depends on the industry, the business model, the risk tolerance and the priorities of a company.” CUAD: An Expert-Annotated NLP Dataset for Legal Contract Review, arXiv (2021). https://arxiv.org/pdf/2103.06268
2. Co-Employment Risk, CXC Global (2025). https://www.cxcglobal.com/glossary/co-employment-risk/
3. Vizcaino v. Microsoft Corp. co-employment class action; $97 million settlement. See: Randstad Enterprise / Staffing Industry Analysts coverage of SIA co-employment liability laws. https://www.randstadenterprise.com/insights/randstad-enterprise-insights/sia-understanding-co-employment-liability-laws-2/
4. GDPR penalties: up to €20 million or 4% of global annual turnover, whichever is higher. European authorities issued over €3 billion in GDPR fines since enforcement began. Secure Privacy, SaaS Privacy Compliance Requirements 2025 Guide. https://secureprivacy.ai/blog/saas-privacy-compliance-requirements-2025-guide
5. HIPAA penalty structure: up to $50,000 per violation and $1.5 million per year for willful neglect. Appinventiv, Cloud Compliance Requirements (2026). https://appinventiv.com/blog/cloud-regulatory-compliances-guide/
6. Technology & SaaS sector average breach cost: USD $5.3 million; cloud misconfiguration implicated in 29% of breaches. DataStackHub, Data Breach Statistics 2025–2026. https://www.datastackhub.com/insights/data-breach-statistics/
7. Healthcare data breach average cost: $9.77 million. Callidus AI, The Data Privacy & Security Clauses in SaaS Agreements Attorneys Can’t Overlook (2025). https://www.callidusai.com/data-privacy-security-clauses-in-saas-agreements/