SourcingSpeak Blog

Posted May 20, 2013
By David C. Johnson and Joshua Konvisser

In Part 3 of "It's 2013. Do You Know Where Your BYOD Policies Are?" we will address developing BYOD trends and best practices. Please check out Part 1 and 2 of this 3-part series addressing employee and employer concerns, respectively.

Recent Findings: Widespread Adoption, Lagging Management
Recent studies show that security practices and corporate policies are struggling to keeping pace with the popularity of BYOD. As mentioned in Part 1, a recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. Surprisingly, widespread adoption is reported in industries handling highly sensitive and regulated data: banking at 83.3%, and healthcare at 88.6%.

Given that BYOD has become the norm even across sensitive industries, it is troubling to learn from the Cisco study that 40% of workers do not use even basic password protection, and 50% report accessing unsecured Wi-Fi networks. These loose security practices may be the result of lax management. A recent report commissioned by the Logicalis Group showed that only approximately 30% of BYOD users in the U.S., and 20.1% worldwide, signed a mobile device policy. Unconstrained digital activity poses a real threat to an organization for all of the reasons described in Part 2 to this series. A properly enforceable and enforced corporate BYOD policy may be the best strategy to balance corporate security interests with the privacy interests of employees and third parties.

Overriding Theme: Security-Privacy Balance
Appropriate BYOD policies must strike a balance between security and privacy interests. This balance can be achieved, for example, by requiring segregation of personal data from work data on a device, selective wiping, and requiring employees to frequently back up device content. Security measures should be proportional to the security risk and target corporate, not private, content whenever possible. Finally, privacy provisions of a BYOD policy must be clearly communicated to employees, and their consent obtained. An employee's reasonable expectation of privacy can only be overcome with clear notice. Clear notice is more important than ever when BYOD blurs the line between personal and work spaces.

Posted May 16, 2013
By Steven P. Farmer and Rafi Azim-Khan

Rafi Azim Khan and Steve Farmer recently published an article in World Data Protection Report titled "Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0."

What exactly is the '"best" solution for an international business needing to handle and transfer personal data across borders?

This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.

There has been a lot of discussion, not least in the context of the European Commission's proposal for the new EU regulation to replace the EU Data Protection Directive and the EU Article 29 Data Protection Working Party's push towards ''privacy by design'', about the best way for companies to adequately safeguard personal data which is transferred out of the European Economic Area, thereby ensuring that their transfers are compliant with EU data protection laws relating to extra-EEA transfers.
Many commentators, including some of the key EU regulators, have noted that there remains a lot of confusion, and a fair amount of misinformation, surrounding the pros and cons of the various routes used to ensure that extra-EEA transfers are compliant. It is certainly true in the authors' experience that even quite sophisticated companies and knowledgeable data protection officers can many times have an out of date view, and better solutions are indeed available.

This article looks at some of the common misconceptions and takes a fresh look at the key routes to ensuring compliance. As will be seen, for various reasons, Binding Corporate Rules 2.0, as we might call them, are worthy of fresh consideration, even where they may have been overlooked or discounted as a way to ensure compliance only very recently.

Posted May 13, 2013
By David C. Johnson and Joshua Konvisser

In Part 2 of "It's 2013. Do You Know Where Your BYOD Policies Are?" we will discuss employer BYOD concerns. Check out Part 1 to learn more about employee interests; Part 3 will present developing trends and suggest best practices for BYOD policy drafting and implementation.
The Employer's Perspective on BYOD
While BYOD provides employees with enhanced user experience, their employers welcome BYOD for cost savings, increased productivity, and improved employee satisfaction. Yet, these benefits come with certain costs, primarily data security risk, as well as regulatory compliance risk.

Why BYOD Keeps CIOs Awake at Night
Security management becomes much more difficult the less control an IT department has over the relevant data and hardware. BYOD by its very nature makes control a challenge. Security breaches may result from inadvertent action. For example, sensitive information could be accessed by unauthorized individuals who are using a friend's iPad, or sensitive data may be inadvertently placed in a shared cloud folder. The proliferation of cloud-based services such as Dropbox and Siri make this accidental leakage all the more concerning. A security breach can also result from active external penetration, through theft, hacking, malware, or espionage. Finally, intentional leakage of information by authorized employees poses a third category of information security risk.

Information Security Strategies
To prevent the various types of breaches described above, IT departments will generally employ a range of tools and practices. Security tools include password protection, forced disabling of certain applications, and remote wipe controls. A growing number of companies provide mobile device management (MDM) solutions to help manage BYOD programs. These solutions typically manage devices by enforcing security policies, managing password controls, controlling the installation of applications, and remotely wiping a device. In addition to these technology-based controls, policies and practices may prohibit or require certain activity from employees.

Security Strategy Example: Cloud-Application Risks
As an example of a BYOD security strategy, IBM prevents its employees from using many cloud-based applications, including Apple's Siri. In response to concern by IBM and others, Apple revealed this Spring that user data generated through the use of Siri remains in cloud storage for 2 years. Dropbox and similar cloud-based storage services are frequently used by employees even though the risks have been widely reported. If employees will be handling sensitive information regularly, then tools and policies must be in place to ensure that this information is not sitting unprotected in a cloud environment.

Posted May 6, 2013
By David C. Johnson and Joshua Konvisser

Imagine you grab your phone only to find it locked, with all of your applications, pictures, and contacts permanently deleted. Imagine your employer's IT department remote-wiped your phone because they mistakenly believed it was stolen. Better yet, imagine your Angry-Birds-obsessed child triggered an auto-wipe with too many failed password attempts (don't laugh - it's based on a true story!). Can your employer really do this to your phone?

Imagine instead that you are the CIO responsible for protecting sensitive corporate and third party information. How can you ensure information security when your employees carry sensitive data in their pocket everywhere they go, and let their friends and family play with these devices?

The use of user-selected personal mobile devices for work (often called "Bring Your Own Device" or "BYOD") is undoubtedly delivering benefits for employers and employees alike. Yet, competing employee-employer interests and related risks must not be ignored. Remarkably, only 20.1% of companies surveyed globally have implemented signed BYOD policies according to a recent study (Ovum Research Shows U.S. Ahead of Other Countries in Asking Employees to Sign BYOD Agreements). This three-part series will outline competing interests and risks, and will suggest that the best way to manage these risks is through the drafting and enforcement of proper BYOD policies.

This Part 1 will consider employee interests related to BYOD; Part 2 will focus on the employer's perspective; and Part 3 will present some developing BYOD trends based on recent reports, and suggest some best practices for drafting and implementing a BYOD policy.

Posted April 12, 2013
By Roger C. Roy Jr.

Many years ago, I walked through a client's IT development organization where all the "Onshore" resources from the client's ADM provider sat in a sea of cubicles. I was there to identify the causes of some issues that had been troubling the relationship and recommend solutions. Having reviewed the contract before the walkthrough, I wasn't surprised to see a large supplier team present at the client. What did surprise me was how all of the "Onshore" resources appeared to be from the same offshore location where the supplier was based.

Prior to this encounter, my previous experience was that "Onshore" rates typically applied to the client's former US-based, rebadged resources or other U.S. based employees assigned to the client's account by the supplier. But something was different this time. It turned out to be my first introduction to "Landed" resources - foreign workers performing onsite work under short term visas.

Given the cost of transportation, visas and temporary living arrangements, I assumed that in order to compete with U.S. Based resources, the supplier must be paying a lot less for these resources. Otherwise, why would 100% of the resources be from offshore? When I asked about the salary cost differential, the supplier said that there wasn't any and that "by law" they had to pay a prevailing comparable salary.

Fast forward many years and the idea of Landed resources is well recognized (though probably no less controversial). Outsourcing suppliers do it all the time. "Onshore" and "Landed" have become interchangeable terms for many suppliers.

Some suppliers have implicitly acknowledged that the cost of their Landed resources really is lower than U.S. Based resources as they offer their clients a three tiered rate structure: U.S. Based, Landed and Offshore. The rate differential between the U.S. Based and Landed resources can be significant. For example, it is not unusual to see hourly rates for U.S. Based developers offered at $80 to $90 or even over $100, while the same supplier provides Landed developers in the $60 to $70 range.

Now, according to an article by Peter Wallesten in The Washington Post, a bipartisan group of eight senators working on the immigration bill have "tentatively agreed to impose stiff fees on some outsourcing companies that hire H1B workers." Further, the article goes on to say that while there was a push "to increase the lowest wage levels permitted by the visa program, it's likely that only certain firms would be required to pay more."

Perhaps that means the rate differential between U.S. Based resources and Landed resources is about to come to an end and that could result in outsourcing customers that have benefited from the three tier rate structure seeing their costs move up as the rate gap closes.

Some outsourcing firms could benefit from changes that put Landed and U.S. Based resources on the same footing. Those firms that really do pay their Landed offshore resources compensation equal to their U.S. Based peers could face less rate pressure compared to those suppliers who today offer the lower Landed rate structure.

One can debate the real merits of using offshore resources to do work in the U.S., but outsourcing customers that currently benefit from Landed resource pricing should be aware of the potential changes coming.

Posted March 27, 2013
By Amina Adam

In a previous post, TUPE: Service Provision Change, we discussed that the UK Government had issued a Call for Evidence to review the current Transfer of Undertakings (Protection of Employment) Regulations 2006 ("TUPE 2006") as part of its wider review of reforms to UK employment laws. The Call for Evidence concluded in 2012 and the UK Government has now launched a consultation on its proposal to amend TUPE 2006, which it believes will improve and simplify the regulations for all parties involved.

The Proposed Changes
The Government's proposed changes to TUPE 2006 include:
1. Removal of the Service Provision Changes ("SPC"). As a result, outsourcing, in-sourcing and re-tendering wouldnot be brought expressly within the scope of TUPE.
2. Removal of the requirement to provide Employee Liability Information at least 14 days before a transfer and replace this with an obligation that the parties disclose information necessary for the parties to comply with their duties under TUPE.
3. Enabling pre-transfer consultation under TUPE to count towards collective consultation on redundancies and to allow smaller businesses to inform and consult with employees directly where there are no recognised trade union or existing employee representatives.
4. Allowing greater flexibility for employers to make changes to terms and conditions of employment post transfer. However, the Government will not introduce an express provision allowing parties to agree changes in order to harmonise terms and conditions of employment .Changing the wording of the provisions giving protection against dismissal so that dismissals will only be automatically unfair where they are by reason of the transfer itself. As a result dismissals for a reason connected with the transfer (which is currently automatically unfair) may potentially be fair, subject to the employer satisfying the normal test for a fair dismissal.
5. Limiting an employee's right to resign in response to a material detriment to their working conditions or to claim unfair dismissal as a result.
6. Expanding the definition of Economical Technical and Organisational (ETO) reasons to include changes in the location of the workforce. This would benefit employers who, depending on the facts, might be able to argue a broader range of ETO reasons for making a fair dismissal. The Government is also seeking views on whether a transferor can rely on the transferee's ETO reason to legitimise pre-transfer dismissals.

The effect of the proposed changes
Some of the proposed changes will be welcomed and will ease the burden on business, such as greater flexibility in making changes to terms and conditions of employment post transfer or being able to make employees redundant where there is a change in the location of the workforce. On the other hand, there is likely to be a wave of new legal challenges if the proposals are implemented. The repeal of the SPC provisions is a likely hot button. The UK Government view is that the SPC provisions impose unnecessary burdens on businesses and go beyond the requirements of the ARD. Supporters of the SPC provisions argue that they give needed clarity that TUPE applies to outsourcing, insourcing and re-tendering and thereby provide a level playing field. Businesses have also embraced the general assumption that TUPE will apply to service provision changes and factor the costs into their pricing model. The proposed elimination of the SPC provisions would once again bring unwanted uncertainty, much like the uncertainty that surrounded the application of TUPE 1981, with multiple criteria being applied inconsistently in European case law.

Next steps
The consultation will end on 11 April 2013 and any reforms (with the exception of the repeal of SPC provisions) are expected to come into force in October 2013. Although the Government has indicated that there will be a significant transitional period before the SPC provisions are repealed, when negotiating contracts going forward, it will be prudent for businesses to bear in mind that TUPE may not automatically apply on exit.

Posted March 6, 2013
By Rafi Azim-Khan

Why do you need to act urgently even if you feel your data handling is compliant?

If you are a US headquartered company do you need to bother with these new EU laws and significant changes proposed?

2013 has already seen the frenetic pace of change from last year continue regarding new data laws and fines that will affect how all companies, regardless of business sector, use employee or customer data. The European Union, confirmed in the January 2013 Albrecht report, is indeed planning to dramatically amend its EU Data Protection Directive with a new Regulation.

This will tackle recent developments in social media, mobile apps and cloud computing as well as deal with a perceived serious lack of compliance thus far, particularly over use of customer data, lack of proper consents and more invasive marketing and advertising.

Some were hoping that after much discussion and lobbying some of the more serious proposals might be further watered down or deleted, such as the "nuclear" 2% of global turnover/revenue fine for serious breaches of EU data law. However, the recent report from the EU Parliament's Jan Philipp Albrecht confirms the perceived need for even tougher fine levels and more aggressive enforcement. This is all on top of recent changes which saw fines dramatically increased in a number of EU countries, for example in the UK with new powers to issue fines of up to £500,000 (approx $800,000) per breach, and increased fine levels being pursued in France, Spain and so on. These major fines are not theoretical or proposals. They have already come into force and are being used. The "nuclear" option will be in addition.

Other hopes from some in industry that new proposed rights such as that "to be forgotten" might fade away were also dashed. Businesses will have to consider seriously what the impact will be of such changes and also note that such proposals have also highlighted existing requirements, such as not holding onto data for longer than necessary, which are already law and which enforcers are looking to more closely. This, along with the new Binding Corporate Rules (BCRs) for data processors that took effect on 1 January 2013, are just some of the recent changes with respect to privacy in the EU that need immediate attention and consideration even if the business is not EU based.

This week many stakeholders are meeting in Washington DC to take part in a major conference (as is your author) on such issues and it will be interesting to see if the feedback from industry sessions makes its way into deliberations and further fine tuning of the proposed new Regulation. Some further twists and turns are likely but the core new elements will almost certainly not be going away. What is certain is that companies cannot assume they are fully on top of what is arguably the fastest moving area of the law currently. A review of where the business is now and identification of what needs addressing is without doubt a current business imperative.

For an overview of some of the recent changes click here to see a recent Legal Week article.

Posted February 26, 2013
By John L. Barton

2013 began with a flurry of articles about companies insourcing work or rethinking their sourcing strategies. The reasons for this vary by company, but often include a perception that outsourcing has not delivered the cost savings, innovation or other value the companies had hoped to realize, particularly in information technology outsourcing (ITO). In contrast, we continue to see high levels of satisfaction among companies that have outsourced facilities management and other real estate functions. This makes us think the ITO industry might benefit from some of the best practices used in FMO deals.

Posted February 20, 2013
By Mario F. Dottori

In Stephanie Overby's recent CIO.com article, 9 Tips for How to Use Operating Level Agreements in MultiSourcing, Bob Zahler was quoted on his perspective on the importance and appropriate use of OLAs in multi-sourced environments.

He says:

It has become more and more important for the ultimate customer to know that the relationships and interactions among these multiple parties are well-known, documented in clear and precise language, and reflected in binding agreements that can be enforced-if necessary-by the customer.

Customers often fall into the process by first executing multiple outsourcing contracts, and only then recognizing that they need to coordinate and integrate activities across these various outsourcing contracts," says Zahler. "OLAs should not be used after-the-fact to document relationships that have just developed over time. Rather, OLAs should provide the roadmap for how those relationships should be established in the first instance

Posted February 14, 2013
By Mike Beasley

When customers decide to outsource part of their operations there are many factors to be considered and decisions to be made over the course of the initiative. Getting to the "right price" is obviously one of the key objectives in any outsourcing transaction. Nobody wants to pay too much for a particular service and, while it might seem nice at first blush, nobody really wants to pay substantially below market price for a service because of the problems that will ensue later in the relationship. However, once the right price has been determined, then a decision must be made as to how to structure the payment of this right price.

Posted February 7, 2013
By Brooke L. Daniels

A recent special report in the Economist focused on the general state of the offshore outsourcing industry, with a particular focus on the emerging trend of companies relocating the performance of IT services from offshore locations to locations closer to home in the United States (known as "re-sourcing"). The report cites a number of reasons for this trend, such as the increase in wages in offshore locations, performance issues by offshore service providers, and the inherent challenges posed by the distance between a U.S.-based customer and the offshore service provider. The Economist isn't the only one to take notice, a recent article on CIO.com cited a number of similar factors contributing to the new attractions in keeping outsourced resources stateside.

The Economist notes that 67% of American and European outsourcing contracts have some element of offshore outsourcing, so most customers with any sort of outsourcing agreement are impacted by the changing landscape of the offshore outsourcing industry. However, deciding to move services back from an offshore location isn't as simple as flipping a switch (or sending a notice of termination). There are major risks in terminating and transitioning IT services, and the service provider, having been notified that their services are no longer required, is hardly in a motivated position to help mitigate those risks.

Posted February 5, 2013
By Tim Wright

The UK government has issued a consultation on proposed changes to the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) (TUPE).

TUPE is the UK's implementation of the Acquired Rights Directive (2001/23/EC) (ARD) and, broadly speaking, protects employees when the business or undertaking for which they work transfers to a new employer. Critics of TUPE (which revoked the 1981 TUPE regulations) have raised concerns that it 'gold plates' the ARD (i.e. it does more than is strictly required by the Directive) and is too bureaucratic. They also cite a number of practical difficulties. In November 2011, the UK government responded by publishing a Call for evidence on the effectiveness of TUPE, subsequently concluding that the gold plating aspects of TUPE should be removed and the operation of the regulation be made more practical.

Posted January 31, 2013
By Brooke L. Daniels

We have written before on this blog about the visa issues that offshore service providers face when bringing talented resourced to the U.S. from other countries. Since there are a finite number of H1-B visas that can be issued each year, some service providers have sidestepped the limit by obtaining B-1 visas, which contemplate a more short term engagement than most outsourcing contracts envision.

In response to a host of immigration issues, the Senate has recently introduced a bill that would not only increase the number of H1-B visas that can be issued each year, but would also include an automatic increase to a maximum of 300,000 visas annually if there is sufficient demand. Currently, the United States has an H-1B visa cap of 65,000, and the proposed legislation would increase the cap to 115,000, with the potential to rise to 300,000.

The proposed legislation would certainly ease the visa restrictions on offshore service providers that are seeking to bring top talent to the United States. A recent report in the Economist has noted that there is an increasing trend in customers bringing offshored services closer to home in the United States, and this proposed legislation would make it easier for offshore suppliers to staff in the U.S. using foreign workers. In particular, the Economist noted that Infosys has opened new offices in the U.S. in order to accommodate its customer's requirements for on-shore offices. With the trend of customers moving IT services back closer to home, the relaxed visa restrictions will put offshore service providers in a better position to win business with their top talent located in the U.S.

However, celebration for service providers is a bit premature, as the new bill is part of a much larger immigration overhaul and is likely to undergo substantial modification over the coming months.

Posted January 28, 2013
By Lisa C. Earl

It pays to closely read the payment terms in your software license. Or rather, it costs if you don't read them closely enough.

I was reviewing a software license for a client recently and came across this term:

"We may increase the license fee in a renewal term by giving you notice at least 60 days prior to the commencement of that term by an amount considered by us to be reasonable if we determine that the existing license fee does not give us an appropriate return when compared to returns from other of our customers, but in no event will any such increase be greater than 10% of the renewal License Fee."

I'm not joking. That was in the contract. On my reading, it's a 'Most Unfavorable Customer' clause. If we have another customer who pays more, then we get to put your prices up. And that was additional to a CPI increase, an increase for any additional users and an increase passing on higher charges imposed by the licensor's third party suppliers. A license to print money.

What about the principal that the cost of technology should diminish year-on-year. How is it that software vendors get to reap more profits year-on-year? Do they demonstrate any additional costs to provide the software to their customers? Does the price bear any relationship to the actual research, development and production costs of the software? Are they giving you more for the additional price you are paying? Probably not. More likely, it's based on a simple supply and demand curve - "how much can we get away with charging for this product before customers turn elsewhere". Software houses will have done the number crunching and determined what they can charge while still maximizing sales.

Software is not something that is in limited supply. Software licensing is not, for example, like real estate where, in a tight market, landlords can raise rents. Real estate is a limited resource; software isn't. The licensor can generally license as many versions of the software as it can find customers willing to take it. The theory of scarcity doesn't come into play in the software market - the licensor isn't going to run out of copies of the software. Apart from their selling, general and administrative (SG&A) expenses of selling more licenses, it's not likely that the licensor incurs any significant costs to produce more copies of the same software. Having a customer continue to use the software for another year probably incurs little or no SG&A expense, yet the licensor usually demands more money.

For example, software license fees that are charged on a periodic or annual basis (rather than as a one-off fee) will often include an annual price escalator. It's generally not the Most Unfavorable Customer clause above - it's more likely to be a fixed escalator (perhaps 5%), or a set amount plus maybe a little extra (3% plus CPI increases). It doesn't seem a lot, and many Customers therefore don't take too much notice of it. It would attract much more attention if it was set at 25%. Customers would be asking the licensor to justify a price increase of that magnitude, but don't often ask for justification of a smaller increase. However, as a customer, you should be asking that question no matter how much the increase is. Why are you paying more for the same thing if nothing else has changed?

Pay attention to those clauses, and ask that price escalators be removed. Some licensors will agree without too much protest, while others will hold firm. Obviously, the size of your business and other factors will come into play, but the basic principle applies here - you won't get what you don't ask for.

Posted January 25, 2013
By Benjamin M. Dean

As customers continue to embrace Software as a Service (SAAS) solutions that are hosted in the cloud, rather than traditional software solutions that are loaded onto and hosted on the customer's own environment, they should closely review the contract that will govern their relationship with their SAAS provider. Frequently, we see SAAS contracts that are missing certain basic (and key) requirements that serve to protect SAAS customers.

In Part 2 of our two-part series, we continue our list from Part 1 of the critical contract protections that SAAS customers should keep in mind, before signing any SAAS agreement. Alternatively, if a customer already has a SAAS agreement that omits any of the following terms, the customer should explore amending its current agreement to include these protections, during its next contract renegotiation.