How Significant is the Wyndham Case to the US Cybersecurity Legal Landscape?

Posted
By Meighan E. O'Reardon

The security community has been abuzz this week with the U.S. District Court of New Jersey's April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission ("FTC") did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act's prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week's decision highlights the Federal Government's increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.

The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests' personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures, which exposed consumers' personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with Wyndham's information security practices, including wrongly configured software, weak passwords, and insecure computer servers.

So what does the Court's holding mean for the private sector? Because, up until this case, the FTC's data security actions had all been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC's authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that "this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked." It is also important to note that the Court's decision did not include a verdict on Wyndham's liability in the matter (interested parties should continue to watch as the matter proceeds).

One significant question that remains unresolved is what constitutes "reasonable" security in this context. It seems possible that we may be starting to see an intersection between cases like this and wider US cybersecurity policy: does "reasonable" equate to adopting a risk mitigation strategy akin to the NIST Cybersecurity Framework? Or does it mean something even more? Ultimately, this ruling on the FTC's enforcement authority adds to the already dynamic cybersecurity legal landscape and should cause companies to pause and examine whether their cybersecurity practices are defensible with regulators and in court.

Why Indemnities Matter

Posted
By Lisa C. Earl

Most business clients would rather be in the dentist's chair than sit through negotiation of the indemnity and liability provisions of their agreement. Admit it: your eyes glaze over, time appears to visibly slow down, and you wonder at how the lawyers can find this stuff interesting enough to argue about.

As dull as they appear to be, there are some significant issues that can arise from the indemnity clause. One issue that I see more often than not is that suppliers try to put a financial limit on their indemnification obligations. Sometimes the supplier will agree to remove the limitation, but not always. What are the consequences of having a limitation on an indemnification obligation, and why should you be interested?

Let's consider a software license agreement, which includes an obligation by the software owner (the licensor) to indemnify you (the licensee) for third party claims that the software infringes the third party's intellectual property. If that happens, the licensor will conduct the defense of the claim - that is, they will be the one to hire the attorneys, go to court, and argue why there is no infringement.

The agreement also includes a limitation of liability that limits each party's liability to the annual software license and maintenance fees. The liability provisions could be drafted so that the limit applies to the indemnity obligation. Assume that you are paying $200,000 annually to the licensor, and so that becomes the limit of the licensor's indemnity obligations.

$200,000 can be used up pretty quickly in litigation. There will be significant costs to investigate and build a case to rebut the claim - reviewing IP registrations and other documents, interviewing witnesses, researching related lawsuits, etc. Legal fees, and the fees of experts and consultants that may need to be retained, quickly build. Then come the discovery and interrogatory phases. You may not even be at the point of a court hearing or close to settlement discussions when the amount spent has exhausted the $200,000 maximum.

So what will happen? Based on your agreement, the licensor could simply walk away and leave you holding the baby. From a practical perspective, it would be foolish for them to do that, as it's their software that is allegedly infringing, and you have no reason to defend their product. The only thing that you will want to do at that point is get out of the litigation as quickly and cheaply as possible, and so handing the defense over to you would be commercial suicide for the licensor. But in negotiating the indemnity clauses, many suppliers and licensors don't consider the practicalities of dealing with the litigation - they are only looking at the total risk profile of the agreement that they are entering into.

If the licensor wanted to enforce the terms of the agreement, they could do so, leaving you in the position where you have to step into their role in defending the case, or pay them to continue to do so. Doing either would be at significant cost to you, not to mention the disruption defending the claim may have on your business.

If you are not able to negotiate out the limitation of liability from the indemnity obligations, then you should do two things: First, try to exclude the costs of defense from the liability cap. Second, pay extra attention to the indemnification procedures. For example, how will the parties handle the situation where the expected liability exceeds the liability cap? Are you free to defend and seek contribution from the licensor up to the value of the cap? And what if the licensor takes responsibility for defending the claim and it later appears that the cap will be exceeded? You should avoid that scenario by negotiating a requirement for the licensor to waive its limitation of liability in return for assuming full defense of the claim; the alternative (short of having the licensee write a blank check) would be to give you some level of involvement and/or control over defense and settlement, which would quickly become unworkable.

There's no simple answer to this issue, but there are certainly some options that can be explored in negotiations.

Court of Appeal confirms that information is not property

Posted
By Tim Wright

In a recent judgement, the Court of Appeal of England and Wales held that an electronic database was not a chose in possession or a chattel but a chose in action (see our earlier blog regarding the grant of leave to appeal in this case). In other words, a database is intangible property, not goods which can be possessed. This means that when the parties to a database hosting contract are silent about what happens to the database when the contract ends, the service provider cannot exercise a common law lien over the database so as to force full payment of its fees, and must return the database to its customer.

In giving the lead judgment in the Court of Appeal, Lord Justice Moore-Bick quoted extensively from the judgment of Lord Justice Diplock in Tappenden v Artus [1964] 2 Q.B. 185. Tappenden is a case with which most first-year law students in the UK will be familiar. In that case, a van owner allowed a customer to use the van pending the completion of a hire-purchase agreement. The van then broke down and was repaired by the defendant garage, but the price of the repairs was not paid. The question arose whether the garage could exercise a lien over the van against the owner. In finding that it could, Diplock LJ emphasised "actual possession of goods" as necessary for the self-help remedy of possessory lien to arise under the common law.

Referring to another leading case, Moore-Bick LJ went on to state that "[a]s OBG v Allan makes clear... the common law draws a sharp distinction between tangible and intangible property...", which leads to the conclusion that "it is [not] possible to have actual possession of an intangible thing ...[and that] it is [not] open to this court to recognise the existence of a possessory lien over intangible property ..."

So, in sharp distinction to the common law as it applies to tangible property (such as the van in Tappenden), a database service provider has no common law right which can be used to stop a customer from accessing its database until the service provider's fees are paid. Of course, there is nothing to stop the parties from including such a right in the database hosting contract.

2014 Sees The First Fines For Violations Of EU Cookie Laws

Posted
By Steven P. Farmer

Much has been said about the EU "Cookie" laws introduced by an amendment to the Privacy and Electronic Communications Directive in 2011. Companies with European customers (including those in the US) have grappled with the law's requirement to obtain informed consent from visitors to their websites before cookies can be used.

The laws have not only been the subject of much academic debate; European regulators have also issued a series of guidance papers on the issue, including recent publications from the UK's Information Commissioner's Office and from the Article 29 Working Party, the group made up of representatives from the various EU privacy regulators. These provide layers of at times arguably conflicting commentary on how to comply with the law.

Whilst question marks hang over key issues (e.g. what constitutes valid consent before cookies can be placed?), with the various EU data protection authorities debating and often disagreeing on them, the regulators across the EU appeared to be approaching enforcement actions for breach of the new laws rather gingerly, no doubt a reflection of the wider debates taking place.

Now, four years since the adoption of the Cookie laws, we have the first examples of companies being fined by a European regulator for non-compliance. The Spanish regulator fined two companies for failing to provide clear and comprehensive information about the cookies they used. The two decisions can be found here: http://www.agpd.es/portalwebAGPD/resoluciones/procedimientos_sancionadores/ps_2014/common/pdfs/PS-00321-2013_Resolucion-de-fecha-14-01-2014_Art-ii-culo-5.1-LOPD-22.2-LSSI.pdf

Whilst the fines were not exactly earth-shattering (3,500 Euros apiece), the fact that the cookies used were rather commonplace and not particularly intrusive to individuals' privacy makes these cases more worthy of note and acts as a stark warning to those who have taken a similarly relaxed attitude to compliance so far.

Furthermore, it's not as if the websites in question didn't take any action after the new law was introduced. To the contrary, they reportedly made attempts to comply with the law, but their measures didn't go far enough - which should make those companies who have buried their heads in the sand even more nervous.

The key point for business is not just the fact that we are seeing more enforcement now, nor the level of fine, but rather the fact that a cookie law breach is a highly visible "marker" that can draw the attention of the regulators and increase the chances of a deeper audit, which can potentially expose wider breaches and more serious enforcement action. This is the greater consequence of these recent developments and more reason to get one's compliance right.

These cases underline how EU member states, driven by cultural sensitivities, consider the use of cookies to be intrusive. Companies doing business in Europe have had time since the passing of the Cookie law to take action. We expect to see a significant ramp-up in enforcement action across the EU; we hear reports of numerous warning letters coming from regulators across the EU. For companies that have not yet reviewed their cookie policies and procedures, compliance should move to the top of the corporate agenda.

Important Announcement of a Key New Data Privacy Initiative

Posted
By Rafi Azim-Khan

Rafi Azim-Khan, Partner and Head of Data Privacy, Europe at Pillsbury and Chair of the British American Business' Law Forum, was in Washington, DC yesterday to hear the important announcement of a key new data privacy initiative, blessed by regulators across the North America, Europe and Asia Pacific regions.

The initiative is aimed at assisting international businesses struggling to come to terms with increasingly complex global data privacy laws and increasing enforcement risks.

FTC Chairwoman Edith Ramirez and new EU Article 29 Working Party Chair Isabelle Falque-Pierrotin of CNIL were joined by UK Commissioner Christopher Graham, Ted Dean of the US Department of Commerce and Canadian APEC lead Daniele Chatelois in announcing publicly for the first time a new "Checklist" tool known as the "Referential", designed to assist companies who have to deal with and transfer consumer and other types of data internationally. It applies to all businesses and all sectors.

Azim-Khan, who discussed with the Commissioners the goals behind the initiative, commented, "Whether a social media company or a car manufacturer marketing via its website, businesses of all shapes and sizes have been crying out for some practical help and guidance regarding their use of data and what is or is not likely to land them in hot water. Many feel recent changes to the laws in the EU and beyond, as well as significantly increased fine levels and scrutiny, are making day to day operations much more difficult and risky."

"Given the world is becoming more connected, business more global and data use increasing, literally by the day, current laws and enforcement are proving very difficult to navigate without detailed analysis and a very careful approach. It can be time intensive and costly to get things right, and equally so if there is a breach, so anything which can help business deal with complex issues such as international data transfers and data use in multiple countries is to be welcomed. That said, this is very much just a first additional step and we will have to see what happens in terms of consultations and feedback."

"This new initiative is also not a 'silver bullet,' i.e. an 'adequacy finding' nor 'mutual recognition', for example of Asia's laws by the EU. Rather, it is one new tool worth exploring in the bigger scheme of compliance and, given all the upheaval in the past year or so, companies with significant global reach would still be advised to urgently audit what they are currently doing and seriously consider steps needed to bring their compliance up to date, for example considering the benefits of updated schemes such as Binding Corporate Rules."

Note: The EU and the US have locked horns in recent months over criticisms that the US is not doing enough to enforce Safe Harbor breaches by large US companies, and the EU is proposing new "atomic weapon" fines of 2 or 5% of global revenue for non-compliance as part of new Regulation proposals.

Asia is presenting a problem for international companies as the laws are hugely varied and some countries are also now adopting tougher EU-style laws which US companies do not like.

This initiative is the first time the differing parties have tried to put aside differences in such a joined-up way.

Remain Vigilant: Managing Cybersecurity Risks in Third-Party Outsourcing Relationships

Posted
By Meighan E. O'Reardon and Aaron M. Oser

This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.

Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices. Cybersecurity is perhaps one of the hottest topics being discussed in boardrooms today.  The Cybersecurity Framework, anticipated legislation and litany of high-profile data breaches have resulted in even more heightened scrutiny.

The landscape for corporate cybersecurity is rapidly changing and outsourced services, including IT and business process services, all stand to be impacted.  Corporate stakeholders, particularly in the legal, information security and information technology departments, should be keenly focused on the current cybersecurity climate and the state of cybersecurity across third-party outsourcing agreements.

A significant aspect of this heightened attention on cybersecurity is not only how third-party outsourcing partners are managing security as part of the service they deliver, but also the risk and cybersecurity exposure to an organization from these third-party relationships.  Attackers increasingly exploit weaknesses in third-party suppliers' networks to access data and assets from target companies. As a result, having in place the appropriate contractual and governance safeguards with your third-party suppliers is paramount.

Efforts to integrate and manage cybersecurity in outsourcing arrangements should start early. Detailed security assessments and internal cybersecurity stakeholders should be included as part of initial due diligence efforts with selected suppliers. It is important to understand the security processes and tools that proposed suppliers will use as part of the outsourced service, the supplier's vulnerabilities and plans to remediate gaps during the term of the proposed agreement and the plan for the supplier to integrate with existing corporate cybersecurity programs.  Also, understanding how the supplier has previously responded to past incidents and improved its operations as a result is crucial.

Contract documentation should include meaningful cybersecurity provisions related to liability and indemnification for incidents and identify the security policies and procedures that the supplier will be expected to comply with during the term. Ideally, contracts should support liability and indemnification provisions that align with the value of the data exposed to the third-party supplier, not simply derivatives of the contract value. Including adequate audit and risk assessment provisions that require regular risk assessments and remediation plans (annual at a minimum) covering the supplier's operations is also highly recommended.

It is important to remain mindful of proposed cybersecurity legislation - at both the federal and state levels - that may need to be accounted for in outsourcing agreements. Compliance professionals should continue to monitor the proposed landscape of legislative and regulatory changes.  Accounting for requirements in third-party agreements to accommodate new cybersecurity laws will be critical.

Finally, and perhaps most importantly, governance models that allow corporations to manage the security functions of individual suppliers as well as the full portfolio of suppliers in a holistic fashion will become increasingly important over the next year.  The ability to respond quickly to incidents but also make the appropriate strategic risk management decisions related to cybersecurity will be a defining characteristic of a strong corporate cybersecurity program.

Compliance managers and in-house counsel should remain keenly focused on cybersecurity during the next year when negotiating new agreements, amending existing contracts or participating in ongoing governance activities with current service providers. Proactively addressing cybersecurity risks by incorporating security considerations early in the contracting process and defining more appropriate services descriptions, service levels and interaction/governance frameworks can help limit cybersecurity exposures in the first place.

Pillsbury Bloggers in the News: 8 Tips to Deal With Liability When Outsourcing to Multiple IT Vendors

Posted
By Michael Murphy

Mario Dottori is quoted in Stephanie Overby's recent CIO.com article discussing 8 Tips to Deal With Liability When Outsourcing to Multiple IT Vendors.

"In theory, a multi-provider service delivery environment should not create additional complexities in terms of liability. The contracts -- entered into separately between the customer and each supplier -- should, if well constructed, clearly delineate the liabilities between the parties," says Mario Dottori, leader of the global sourcing practice in Pillsbury's Washington, D.C. office.

One tip offered is to create operation level agreements: "OLAs state how particular parties involved in the process of delivering IT services will interact with each other in order to maintain performance, and can help all parties 'see the forest for the trees,'" says Dottori. "These arrangements offer the opportunity for enhanced visibility of the service regime as a whole and helps to reduce -- or better arm the parties with solutions for -- missed hand-offs and finger pointing." One caveat: Most providers will not agree to take on additional liability in OLAs. But such an agreement can be an effective preventative measure.

For the full article and all 8 tips, please see Stephanie Overby's article on CIO.com.

National Cybersecurity Framework Released - Has Your Organization Considered the Implications?

Posted
By Meighan E. O'Reardon

On February 12, 2014, the National Institute of Standards and Technology ("NIST") released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the "Cybersecurity Framework" or "Framework") and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the "Roadmap"). The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be "considered" by companies.

The Cybersecurity Framework marks an important step for U.S. cybersecurity policy after an Executive Order from the Obama Administration called for its creation in February 2013 (see Executive Order 13636 "Improving Critical Infrastructure Cybersecurity", February 12, 2013). While use of the Cybersecurity Framework is voluntary, the Federal government has been actively exploring various measures to incentivize participation both universally and on a sector-by-sector basis (see http://m.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework. See also Incentives Study Analytic Report, Department of Homeland Security, June 12, 2013 available at https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-analytic-report-cybersecurity-incentives-study.pdf). While the Framework is focused on the 16 sectors identified as critical infrastructure (the 16 critical infrastructure sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense, emergency services, energy, financial services, food and agriculture, government facilities, health, information technology, nuclear, transportation, and water), companies outside those areas can use the Framework in their risk assessment and enterprise security planning.

What is the Cybersecurity Framework?
The Cybersecurity Framework is a risk management tool to assist companies with assessing the risk of cyber-attack, protecting against attack, and detecting intrusions as they occur. According to NIST, it complements, but does not replace, an organization's existing risk management processes and cybersecurity program. It is organized into three parts - the Framework Core, the Framework Implementation Tiers, and the Framework Profile. The Framework was developed by leveraging existing cybersecurity standards, guidelines and practices. Organizations are encouraged to use it as a tool to continuously assess and improve (where appropriate) cybersecurity practices.

The Framework Core is comprised of five key functions: Identify, Protect, Detect, Respond, and Recover. These functions are intended to organize companies' basic cybersecurity activities at the highest level and represent a lifecycle for managing cybersecurity across an organization. Each function is further broken down into categories and subcategories that highlight the more detailed processes and activities associated with managing cybersecurity. As set forth in the Cybersecurity Framework, examples of the categories under each function include:

Identify: Asset Management; Business Environment; Governance; and Risk Assessment
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; and Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; and Improvements
Recover: Recovery Planning; Improvements; and Communications

The Cybersecurity Framework includes a maturity model that is characterized by implementation "Tiers" for companies to use to assess their progress and development across the various functions. The tiers involve characterizing an organization's development as Partial, Risk-Informed, Repeatable, or Adaptive behavior. Partial maturity is characterized by informal and occasional implementation of the Framework, meaning that the organization is unlikely to have processes in place to utilize cybersecurity information. Risk-Informed entities will have formal, risk-aware processes defined and implemented. An organization that has achieved the Repeatable stage of maturity will have validated processes that are responsive to larger enterprise requirements and needs. Finally, entities that are considered Adaptive will be able to anticipate challenges, adapt rapidly and manage risk in conjunction with changes.

Under the Cybersecurity Framework, assessing an organization's functions in relation to the maturity or implementation Tiers and risk tolerance results in its Profile. NIST encourages companies to use the profile to identify gaps and develop action plans to improve cybersecurity.

Criticisms
The Cybersecurity Framework has been criticized as being overly broad and toothless. Some security professionals note that the Framework is not that different from the checklists that chief security officers already regularly implement. Most large organizations have already implemented a risk management process similar to the Cybersecurity Framework to manage their cybersecurity activities. In practice, medium and smaller-sized organizations may benefit most significantly from this first version of the Cybersecurity Framework. However, additional sector-specific iterations are anticipated, and many government analysts note that the Cybersecurity Framework has the potential to become the de facto standard for managing cybersecurity risk.

What's next for U.S. Cybersecurity Policy?
The companion Roadmap to the Cybersecurity Framework outlines several planned follow-on activities. In the near term, NIST will continue to oversee and coordinate the ongoing development of the Cybersecurity Framework, including by accepting informal comments on the recent release. Additionally, a workshop will be held in the next six months for stakeholders to share feedback on their use of the Cybersecurity Framework. Options for long-term governance, including identifying the appropriate responsible partner(s) for overseeing the Cybersecurity Framework, are also being solicited. Finally, the Roadmap identifies nine cybersecurity disciplines marked for further development and discussion, including: (i) authentication; (ii) automated indicator sharing; (iii) conforming cybersecurity assessments; (iv) preparation of a skilled cybersecurity workforce; (v) use of data analytics in cybersecurity; (vi) Federal agency cybersecurity alignment; (vii) international coordination; (viii) supply chain risk management; and (ix) technical privacy standards.

How Can Your Organization Use the Cybersecurity Framework?
Regardless of whether your company falls within one of the defined critical infrastructure sectors, the Framework can be a valuable tool for cross-checking and testing your existing cybersecurity risk management programs. The Framework provides granularity that can be useful in each phase of your program.

Financial services businesses covered by the Gramm-Leach-Bliley Act have guidance in the form of the Standards for Safeguarding Customer Information (Safeguarding Rule) and the Interagency Guidance on Response Programs, which require implementation of an information security program including conducting an annual risk assessment, assessing the sufficiency of any safeguards in place to control the identified risks, training employees, reviewing information systems (network and software as well as processing, storage, transmission and disposal), detecting, preventing and responding to intrusions or system failures, and overseeing vendors and service providers.

Similarly, companies that are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) have fairly specific regulations governing security of protected health information.

Companies outside financial services and healthcare that comply with the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 Mass. Code Regs. § 17.00) will have implemented a written data security plan that meets the requirements of that regulation, including designating a responsible employee, conducting a risk assessment, implementing an employee security policy, enforcing the policies, addressing issues surrounding terminated employees, overseeing and requiring compliance by service providers, limiting the amount of information collected, limiting retention of data, data mapping, restricting access to records, monitoring performance, reviewing the program annually and implementing an incident response plan.

For each of these businesses, the Cybersecurity Framework addresses additional areas where threats may exist and additional specific steps that can be taken to better protect the business. While the Framework is not designed to replace an information security program, certain aspects of the Framework may trigger improvements in a company's program that help meet the business' strategic priorities: protecting assets and business viability against loss, achieving the appropriate level of security commensurate with the security and scope of the company's data, protecting company systems and data against threats to the network structure and security, anticipating evolving threats to the company's systems and meeting the company's regulatory compliance obligations.

The UDAAP Trap: Avoiding CFPB Penalties for Financial Institutions Using Third Party Services

Posted
By James W. McPhillips and Craig J. Saperstein

Background

In response to the financial crisis and recession in the United States that began in 2007, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (now commonly known as "Dodd-Frank"). Dodd-Frank created a vast array of new financial regulations, including the new and independent Bureau of Consumer Financial Protection designed to "regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws."

Now known by its alphabet soup moniker, the CFPB has jurisdiction to enforce one of the simplest, yet most powerful, provisions in Dodd-Frank: "It shall be unlawful for any covered person or service provider to engage in any unfair, deceptive, or abusive act or practice." These "unfair, deceptive, or abusive" acts or practices have become commonly known in the legal and financial industries as "UDAAPs." The CFPB has not implemented formal rulemaking with respect to the prohibition on UDAAPs. Instead, it has made the conscious decision to largely implement its UDAAP rules via its enforcement actions and a series of guidance documents, including the "Supervision and Examination Manual," which articulates CFPB's expectations for how this law is to be enforced.

Much has been written about the impacts of Dodd-Frank, including the prohibition against UDAAPs. This blog, however, focuses solely on potential penalties to financial institutions based on the actions of their third party service providers. Because Dodd-Frank primarily holds the large financial institutions supervised by the CFPB responsible for service provider behavior, these institutions should be aware of and guard against the UDAAP trap.

Third Party Service Providers Can Create UDAAP Risk

Dodd-Frank defines "service provider" as "any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service." A service provider also includes a party that "participates in designing, operating, or maintaining" financial products as well as one that "processes transactions" relating to financial products. Such a broad definition could capture almost every type of third party service provider with whom a financial institution has a relationship.

While the CFPB has not been explicit about which third party services are subject to scrutiny, the agency has given some high-level guidance on the topic. For example, on July 10, 2013, the CFPB issued a bulletin in which it focused almost exclusively on a financial institution's debt collection practices. Based on this initial guidance, it appears that the CFPB is most concerned about those practices that directly interface with the institution's individual customers. Financial institutions have similar direct interactions with their customers through other activities, such as telemarketing services, loyalty programs, and other services that involve a customer's interaction with representatives in a customer service center. Many financial institutions outsource these functions, and such services would likely subject large financial institutions to similar CFPB scrutiny.

Early enforcement actions have confirmed this approach. For example, the CFPB - sometimes in conjunction with other federal and state regulators - has ordered several banks to pay millions of dollars in restitution to consumers, as well as civil monetary penalties to the government, for "deceptive" marketing practices related to add-on products for credit cards and installment loans. In several of these cases, regulators concluded that telemarketers hired by bank service providers deceptively marketed the cost and coverage of the add-ons. In another enforcement action, the CFPB found that a bank engaged in "unfair" billing practices for credit card add-on products by charging consumers for credit-monitoring services they did not receive. Additionally, the CFPB obtained a judgment against a non-bank debt relief company for its alleged "abusive" practice of collecting advance fees from consumers who the company knew could not afford to complete the debt relief program.

Because UDAAP enforcement is in a nascent stage, financial institutions should consider how other third party relationships may trigger UDAAP concerns. For example, if a provider servicing a bank's mortgage portfolios makes systemic errors that cause "substantial injury" to a group of the bank's consumers, it might trigger UDAAP violations, particularly if the bank failed to properly monitor those services. The same could be said for (i) payment card processors that handle customer credit card transactions; (ii) online bill pay service providers that handle bill payments, late fees, and credit reporting; (iii) ATM service providers that process retail banking transactions that are required to post in a timely manner; or (iv) remote deposit capture service providers that manage check scanning and posting.

One type of service, however, that is unlikely to directly affect the interaction between a financial institution and its customers is the provision of back-end IT functions. Examples could include traditional IT managed services, application development and maintenance services, system implementation services, and other back office support services.

Again, the CFPB has not expressly outlined the type of third party services that may subject a financial institution to the highest scrutiny, so each financial institution should carefully review and consider each third party service relationship on a case-by-case basis.

Mitigating the UDAAP Risk

Best practices dictate that each financial institution have in place robust policies and procedures to prevent the occurrence of UDAAP violations within its enterprise. Once such policies and procedures are in place, institutions should also train their employees to ensure maximum compliance.

Because its own policies and procedures are within its control, a financial institution can ensure a certain level of UDAAP compliance, but the behavior of its service providers can be a wild card. In Part 2, we will look at various approaches as to how financial institutions can leverage their third party contracts to mitigate their own UDAAP risk. We will also take a substantive look at some of the key terms that should be considered when negotiating such contracts with third party service providers.

Public Sector Outsourcing: Events and Lessons from 2013

Posted
By David C. Johnson and Elizabeth Zimmer

"How does a large software project get to be one year late? One day at a time!"

-Fred Brooks, former IBM employee and OS/360 developer

2013 was not a stellar year for public sector outsourcing.  As we reported in an earlier blog article, Indiana is appealing a judgment in an ongoing court battle with IBM over a troubled welfare claims processing project.  Agencies in Pennsylvania, Massachusetts and Australia also hit the news.

To be sure, implementing any large IT project is difficult and risky.  Publicity and politics further complicate contracting in the public sector.  And, as IBM quickly pointed out in response to Pennsylvania's announcement, "there is accountability on both sides for system performance and service delivery."  In other words, it takes two to mess up this badly.

In spite of these challenges, there are many successful public sector IT programs that benefit the government and its constituents as well as the service provider.  As we explained in an earlier report, outsourcing can help state and local governments reduce costs, improve services, and free up funds otherwise locked in IT assets.  Successful programs are reported on about as frequently as safe, on-time flight arrivals.

As the following examples show, public sector IT projects face unique challenges.  If unmitigated, these projects can prove disastrous to the government and taxpayers.  

Pennsylvania Unemployment Claims Processing Program

On July 31, 2013, Pennsylvania decided not to renew its contract with IBM to modernize the state's unemployment compensation computer system, a project 42 months behind schedule and 56% over budget.  A report by Carnegie Mellon's Software Engineering Institute concluded that even after spending nearly $170 million there "is no high confidence estimate for when the [system] will demonstrate the level of performance necessary."  For the immediate term Pennsylvania will revert back to an extremely inefficient, yet functional, 40-year-old unemployment compensation processing system.

Queensland Health Payroll Project

The State of Queensland, Australia released a scathing report in July 2013 detailing a multitude of failures that afflicted IBM's program to replace Queensland Health's payroll system.  This project has even been called "one of the worst IT projects ever."  When the under-tested system was put in place in 2010, 80,000 staff went unpaid, or received the wrong amount.  In response, Queensland's Premier Campbell Newman issued a broad ban preventing IBM from entering into any new contracts with the State "until it improves its governance and contracting practices," and declared that IBM "took the State of Queensland for a ride."  The ride, quoted at A$6.19 million, will reportedly cost the State A$1.2 billion, almost 200 times the original budget.

Massachusetts Unemployment and Revenue Programs

Last fall the Commonwealth of Massachusetts held a hearing to examine Deloitte's handling of projects for the Department of Unemployment Assistance and the Department of Revenue.  The unemployment benefits system was delivered two years late and, at a total cost of $52 million, ran 13% over budget.  The resulting software was reportedly unusable.  Earlier in 2013, Massachusetts cancelled a separate Department of Revenue project with Deloitte, a project on which the Commonwealth had already spent $114 million, because a test run of the software revealed no fewer than 1,000 glitches. These examples from Massachusetts represent just a few of numerous disputes Deloitte is facing with public sector customers. 

How can public agencies avoid these failures?  Here are some features of successful projects that all agencies should keep in mind:

- Devote sufficient resources and care to the procurement process.  Successful projects focus intently on identifying and clarifying the functional, technical and business requirements for the solution, and building the procurement process around those requirements.  The Queensland report found that the original system scope "was seriously deficient and remained highly unstable for the duration of the Project."  Similarly, Carnegie Mellon's Pennsylvania report pointed out major weaknesses in the procurement process, including "unprioritized and often ambiguous requirements."  Lacking sufficient experience, many government agencies fail to fully comprehend what "it's really going to take to get a project done right" until halfway through contract completion.  Devoting sufficient resources and attention to scope and requirements definition, and leveraging the experience of outside advisors early in the process, can prevent costly disasters down the road.

- Leverage best practices of the commercial sector.  State and local governments are subject to unique requirements (e.g., strict competitive procurement procedures) and budget limitations, yet many of the lessons from the commercial world still apply.  Examples from the private sector and outside advisors can help bring cutting edge best practices to public sector projects.  The schedule and budget for the projects in Pennsylvania and Queensland were allowed to escalate without apparent governance controls.  Consider employing a governance and incentive structure that will monitor and respond to delays and cost overruns sooner rather than later.

- Prepare for significant internal and external changes.  Unforeseen changes can quickly derail a project.  Specific events, such as an economic crisis and a resulting increase in unemployment claims, may be unforeseeable.  But by ensuring that the contract accounts for change, such events need not defeat the intent of the parties.  The agreement should include a method to incorporate change into the contract that requires the service provider to meet its obligations through the change, and a mechanism that allows for redirection and/or expansion of the scope as necessary.

- Negotiate contractual provisions that allow for termination if necessary.  Ensure that the contract can be terminated for cause in response to a range of performance failures.  Termination rights provide a means of exit.  Perhaps just as importantly, the threat of termination gives a customer additional contract renegotiation and/or enforcement leverage.  For more information on how a state or local government can protect against poor performance through explicit performance based termination rights, a meaningful service level credit mechanism, and a right of election, see our earlier article on Indiana vs. IBM.

- Seek protection from high turnover within the service provider's workforce.  The Carnegie Mellon report on Pennsylvania's failed project concluded that high turnover in IBM's workforce created instability and knowledge gaps at critical stages in the process.  Consider negotiating provisions that prevent the unauthorized removal from the project of certain key personnel, and including a requirement that a certain percentage of overall personnel within a given timeframe must remain on the account.

- Devote sufficient internal resources to governance, management, and performance of retained functions.  According to the Carnegie Mellon report, insufficient management by the state meant that no one "was accountable and responsible for the administration of the program."  It is critical to remember that not all costs and responsibilities can or should be delegated to the service provider.  The program will only be successful if the customer devotes sufficient resources to governing the project, and to performing any retained functions on which the service provider's performance depends.  The customer should be prepared to have (and budget for) a retained organization to oversee the relationship.  Towards this end, the customer and the service provider should each assign an executive-level primary representative to manage the relationship, efficiently address disputes, and generally serve as the principal point of contact for all matters pertaining to the Agreement.

Amended TUPE Regulations Published in the U.K.

Posted
By Amina Adam and Tim Wright

In previous posts (Proposed Changes to UK's TUPE will impact outsourcing deals, The UK Government consults on proposed changes to the TUPE regulations) we highlighted the UK Government's proposed changes to the Transfer of Undertakings (Protection of Employment) Regulations 2006 ("TUPE 2006"). The UK Government has now finalised these changes, resulting in the Collective Redundancies and Transfer of Undertakings (Protection of Employment) (Amendment) Regulations 2014 ("Amended TUPE Regulations").  The Department for Business, Innovation and Skills (BIS) also published useful guidance which helps to explain the changes made to TUPE 2006.  Generally speaking, the Amended TUPE Regulations brought into effect the changes discussed in our previous post, which will apply to business transfers or service provision changes taking place on or after 31 January 2014. There are two exceptions to this implementation date: the first relates to the provision of Employee Liability Information; the second to information and consultation obligations for micro businesses. These are discussed in the Key Amendments below.

The Key Amendments

1. Definition of Service Provision Change
The Amended TUPE Regulations have clarified that a "service provision change" occurs where the services provided post-transfer are "fundamentally the same" as the services provided previously.

2. Change in workplace location
A dismissal on the grounds of a change in workplace location will be an "economic, technical or organisational" (ETO) reason making such dismissal potentially fair, subject to complying with the usual rules of fairness when dismissing an employee.

3. Changes to Terms and Conditions of Employment
The provision in TUPE 2006 that changes to terms and conditions of employment made in connection with a TUPE transfer are unlawful has been removed. Changes made to terms and conditions of employment where the "sole or principal reason" is the transfer itself will still be void unless there is an ETO reason.  Agreed changes to terms and conditions of employment where the employment contract permits the variation (for example, mobility clauses) or the change is unrelated to the transfer are permissible.

4. Pre-Transfer Collective Redundancy Consultation
If the transferee will be making any redundancies post-transfer, the transferee can make one election to undertake its collective redundancy consultation obligations pre-transfer, with the transferor's written agreement.

5. Collective Bargaining Agreements
There will be a "static" approach to collective bargaining agreements so that any changes that are made post transfer where the transferee has not been involved in the negotiations will not be binding on the transferee.  From one year following the transfer, the transferee can make agreed changes to the collective bargaining agreement provided the new terms are "no less favourable" to the employees when considered together.

6. Employee Liability Information
From 31 May 2014, the transferor must provide the Employee Liability Information at least 28 days before the transfer.

7. Micro businesses
On or after 31 July 2014, micro businesses with fewer than 10 employees can conduct consultation with the employees directly rather than with employee or trade union representatives.

Practical steps to consider

The Amended TUPE Regulations may allow more scope to argue whether TUPE applies, particularly in an outsourcing situation.  This may or may not be helpful depending on the circumstances. Disputing whether TUPE applies can be time consuming during negotiations and could escalate costs and increase the risks of claims being made by an employee who claims TUPE did apply. Where there is a dispute as to whether TUPE applies the parties will need to consider recent case law. 

Existing outsourcing agreements should also be reviewed to ensure that they comply with the Amended TUPE Regulations, particularly in relation to the provision of Employee Liability Information. 

The Amended TUPE Regulations provide some flexibility for the new employer to make some changes to terms and conditions of employment and collective bargaining agreements provided it has the employees' agreement and the reason for the change is not the transfer.  This remains a difficult area and legal advice should be sought on the risks of making any such change.

If redundancies are being contemplated post-transfer, consider whether pre-transfer collective redundancy consultation will be helpful.  If so it may make sense to include the election and the terms of the arrangements in the applicable agreement.

Pillsbury Bloggers in the News: Outsourcing Trends to Watch in 2014

Posted
By Michael Murphy

In a look forward at 2014, Joe Nash commented in Stephanie Overby's CIO.com article on what to expect in the year ahead. He said:

At the very least, expect an increase in automation generally. 'With the cost benefits of labor arbitrage being largely harvested and labor costs inevitably on the rise, CIOs will need to look for alternative opportunities to reduce or contain operating costs,' says Joe Nash, principal in Pillsbury's global sourcing group. 'That means looking for ways through automation to reduce the amount of work it takes to complete an IT function or service, not the cost of the labor to do it.'

Check out the full article and our comments (and our 2013 predictions and, more recently, our grading of the 2013 predictions).

A One Trick Pony

Posted
By Joseph E. Nash

Labor arbitrage has long been a feature of ITOs. With off-shore to on-shore staffing ratios in the 65:35 to 75:25 range, suppliers have long used arbitrage to deliver significantly lower pricing. IT organizations have made many a CFO happy when recommending deals featuring 20%+ savings, especially when done under the pressure of corporate "blood" drives to cut costs. Inescapably, however, corporate "blood" drives are a lot like the Girl Scout cookie sales season: just when you think you've gotten everyone happy, here comes the next guy trying to boost his kid's financial performance.

Unfortunately, our one trick pony is also a one-time pony, especially with deals where off-shore to on-shore ratios have been maximized. When the CFO next comes calling, our pony is fresh out of tricks; there is no more arbitrage to be had -- at least not from the same delivery market. What is next? Shall we pack our bags in Bangalore and head off to a Chinese Model City, or perhaps see what kind of benefit stream enrichment can be had in Ghana or Mauritius? Most buyers, we suspect, will not find this an appealing prospect when viewed through an operating risk management lens.

Maybe it is time for a change in approach. Instead of continuing to try to derive benefit from pushing on the P lever, maybe some answer can be found by putting pressure on the Q factor in the equation. Rather than buying cheaper labor, how about we find a way to use less labor? One way to reduce labor demand is to gain leverage through standardization (à la Google and Amazon), but heterogeneous installed bases, which reflect most of our clients' environments, are notoriously resistant to standardization efforts. Good idea, best practice even, just not responsive to the CFO demand for results sooner rather than later. So then why not turn to the reason why we have computers in the first place -- to do things faster and cheaper than people can do them? How about the shoemaker's children taking some of their own medicine and using their own technology on themselves? Why not use technology to automate IT business processes and reduce the number of people needed to operate these complex infrastructure configurations? Assuming we can keep labor rates in roughly the same range, fewer people equals a lower labor cost, which equals lower prices, which means happier CFOs. And happier CFOs are a good thing for CIOs.

New deals should include both labor arbitrage and automation, and this should be reflected in lower and sustainable managed services unit prices. The challenge is to scrape a reasonable amount of the benefit onto the customer's side of the ledger in the face of the supplier's desire for "margin enhancement". More difficult are existing deals; the client's need to pledge to the corporate "blood" drive is real and imminent. The supplier's desire to please its investors with better margins is equally real. In the long term, automation will drive services up the efficiency curve and down the pricing curve. The new trick for the customer is to extract at least some share of the benefit in the short term.

Pillsbury Bloggers in the News: Looking Back at 2013 IT Outsourcing Predictions

Posted
By Michael Murphy

In a look back at 2013, Mario Dottori commented in Stephanie Overby's CIO.com article on grading our initial 2013 IT Outsourcing predictions that we discussed last December.

Third-Generation Deals Enter Uncharted Territory
It was true that many of the latest generation of outsourcing deals were more complex. But the advantage did not go to the incumbents. Quite the opposite came to pass. "Incumbents are always 'sticky' because of high -- or perceived high -- barriers to exit," says Mario Dottori, partner in the global sourcing practice at law firm Pillsbury. "However, we have seen more movement away from incumbents where there are lower barriers to exit. Customers are balancing the switching costs and risks with significantly improved service delivery and meaningful reduction in spend."

Check out the full article on CIO.com.

Contract made in two places at once - a possibility under UK law

Posted
By Tania L. Williams

The High Court of England and Wales has recently decided that a contract can, in principle, be made in two separate jurisdictions at the same time if the contract does not include choice of law and jurisdiction clauses. In this situation, either party could seek to enforce the contract in its home jurisdiction.

In Conductive Inkjet Technology Ltd v Uni-Pixel Displays Inc [2013] EWHC 2968 (Ch), the court considered a dispute between two parties, one based in England and the other in Texas. The agreement in question was a non-disclosure agreement, which did not include a choice of law and jurisdiction clause as the parties were not able to agree on one during negotiations. The parties agreed the contract in an email exchange, and it was then signed by Conductive Inkjet Technology (CIT) in England and by Uni-Pixel Displays (UPD) in Texas. CIT then claimed that UPD made use of certain proprietary information in breach of the agreement and sought permission to serve claims on UPD in England. UPD challenged this by arguing that English courts did not have jurisdiction in the matter.

To recap the English law position on contract formation, the general rule is that a contract is made at the time and place where acceptance of the relevant offer is communicated to the offeror. There are two main rules as to when acceptance is communicated:

1. The reception rule applies to relatively instantaneous forms of communication, and provides that the time and place of contract is when the acceptance is received by the offeror. This was established in Entores Ltd v Miles Far East Corporation [1955] EWCA Civ 3 and confirmed in Brinkibon Ltd v Stahag Stahl G.m.b.h. [1983] 2 AC 34 (both cases involving telexes). In Brinkibon, Lord Wilberforce commented that: "In the case of successive telephone conversations it may indeed be most artificial to ask where the contract was made..." but he concluded that the courts simply have to do their best with the test.

2. The postal rule applies to delayed forms of communication, with acceptances being deemed to be effective at the time of sending, provided the offeree correctly addresses and stamps the letter (Adams v Lindsell (1818) 1 B & Ald 681).

However, the High Court in this instance applied the reasoning of Mann J in the High Court case of Apple Corps Ltd v Apple Computer Inc [2004] EWHC 768 (Ch). Whilst Mann J's comments on this point were obiter, Mann J expressed the view in the Apple case that it is possible, as a matter of principle, for a contract to be made in two places at once. Mann J noted: "Where completion takes place at a distance over the telephone, it might well be possible to construct an offer and acceptance analysis (indeed, each party has sought to do so in this case) but it might equally be thought that that analysis is extremely forced and introduces a highly random element. The offer and acceptance may well depend on who speaks first and who speaks second, which is likely to be largely a matter of chance in closing an agreement of this sort. It is very arguably a much more satisfactory analysis to say that the contract was made in both places at the same time."

Mann J also commented that holding the contract to have been made in both places would coincide more closely with the clearly expressed intentions of the parties, namely not to give the other an advantage in terms of governing law and jurisdiction, than would "introducing the somewhat random element of offer and acceptance".

In the CIT and UPD case, Roth J similarly found that the parties had expressly agreed not to incorporate a choice of law and jurisdiction clause, and that it would be wholly artificial to determine the place of the contract by applying the traditional postal rule, depending on which party happened to send the fully executed document. The English Civil Procedure Rules establish the principle that English courts should be able to exercise jurisdiction over foreign defendants where the subject matter of the dispute has a sufficient connection to England, and it would be arbitrary to make a decision as to the connection to English jurisdiction simply on the basis of the order in which a document was signed.

Exclusive jurisdiction clauses in agreements may not be entirely watertight. For example, the courts may apply the forum non conveniens test to see whether there are any exceptional reasons for departing from an exclusive jurisdiction clause. However, having an exclusive jurisdiction clause and also a governing law clause in an agreement certainly does reduce the uncertainty that parties may face if a dispute arises and the contract is silent on the matter.