The security community has been abuzz this week with the U.S. District Court of New Jersey's April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission ("FTC") did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act's prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week's decision highlights the Federal Government's increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.
The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests' personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures, which exposed consumers' personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with Wyndham's information security practices, including wrongly configured software, weak passwords, and insecure computer servers.
So what does the Court's holding mean for the private sector? Since, up until this case, the FTC's data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC's authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that "this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked." It is also important to note that the Court's decision did not include a verdict on Wyndham's liability in the matter (interested parties should continue to watch as the matter proceeds).
One significant question that remains unresolved is what constitutes "reasonable" security in this context. It seems possible that we may be starting to see an intersection between cases like this and wider US cybersecurity policy. Does "reasonable" equate to adopting a risk mitigation strategy akin to the NIST Cybersecurity Framework? Or does it mean something even more? Ultimately, this ruling on the FTC's enforcement authority adds to the already dynamic cybersecurity legal landscape and should cause companies to pause and examine whether their cybersecurity practices are defensible with regulators and in court.
Business clients would rather be in the dentist's chair than sit through
negotiation of the indemnity and liability provisions of their agreement. Admit
it: your eyes glaze over, time appears to visibly slow down, and you wonder at
how the lawyers can find this stuff interesting enough to argue about.
As dull as they appear to be, there are some significant issues that can arise
from the indemnity clause. One issue that I see more often than not is that
suppliers try to put a financial limit on their indemnification obligations.
Sometimes the supplier will agree to remove the limitation, but not always. What
are the consequences of having a limitation on an indemnification obligation,
and why should you be interested?
Consider a software license agreement, which includes an obligation by the
software owner (the licensor) to indemnify you (the licensee) for third party
claims that the software infringes the third party's intellectual property. If
that happens, the licensor will conduct the defense of the claim - that is,
they will be the one to hire the attorneys, go to court, and argue why there is
agreement also includes a limitation of liability that limits each party's
liability to the annual software license and maintenance fees. The liability
provisions could be drafted so that the limit applies to the indemnity
obligation. Assume that you are paying $200,000 annually to the licensor, and
so that becomes the limit of the licensor's indemnity obligations.
That $200,000 can be used up pretty quickly in litigation. There will be significant costs to
investigate and build a case to rebut the claim - reviewing IP registrations
and other documents, interviewing witnesses, researching related lawsuits etc. Legal
fees, and the fees of experts and consultants that may need to be retained,
quickly build. Then comes the discovery and interrogatory phases. You may not even be at the point of a court hearing
or close to settlement discussions when the amount spent has exhausted the
what will happen? Based on your agreement, the licensor could simply walk away
and leave you holding the baby. From a practical perspective, it would be
foolish for them to do that, as it's their software that is allegedly
infringing, and you have no reason to defend their product. The only thing that
you will want to do at that point is get out of the litigation as quickly and
cheaply as possible, and so handing the defense over to you would be commercial
suicide for the licensor. But in negotiating the indemnity clauses, many
suppliers and licensors don't consider the practicalities of dealing with the
litigation - they are only looking at the total risk profile of the agreement
that they are entering into.
If the licensor wanted to enforce the terms of the agreement, they could do so,
leaving you in the position where you have to step into their role in defending
the case, or pay them to continue to do so. Doing either would be at
significant cost to you, not to mention the disruption defending the claim may
have on your business.
If you are not able to negotiate out the limitation of liability from the
indemnity obligations, then you should do two things. First, try to exclude the costs of defense
from the liability cap. Second, pay
extra attention to the indemnification procedures. For example, how will the parties handle the
situation where the expected liability exceeds the liability cap? Are you free
to defend and seek contribution from the licensor up to the value of the
cap? And what if the licensor takes
responsibility for defending the claim and it later appears that the cap will
be exceeded? You should avoid that
scenario by negotiating a requirement for the licensor to waive its limitation
of liability in return for assuming full defense of the claim; the alternative
(short of having the licensee write a blank check) would be to give you some
level of involvement and/or control over defense and settlement, which would
quickly become unworkable.
There is no simple answer to this issue, but there are certainly some options that can
be explored in negotiations.
In a recent judgement, the Court of Appeal of England and Wales held that an electronic database was not a chose in possession or a chattel but a chose in action (see our earlier blog regarding the grant of leave to appeal in this case). In other words, a database is intangible property, not goods which can be possessed. This means that when the parties to a database hosting contract are silent about what happens to the database when the contract ends, the service provider cannot exercise a common law lien over the database so as to force full payment of its fees, and must return the database to its customer.
In giving the lead judgement in the Court of Appeal, Lord Justice Moore-Bick quoted extensively from the judgment of Lord Justice Diplock in Tappenden v Artus (Tappenden v Artus 2 Q.B. 185). Tappenden is a case with which most first year law students in the UK will be familiar. In that case, a van owner allowed a customer to use the van pending the completion of a hire-purchase agreement. The van then broke down and was repaired by the defendant garage, but the price of the repairs was not paid. The question arose whether the garage could exercise a lien over the van against the owner. In finding that it could, Diplock LJ emphasised "actual possession of goods" as necessary for the self-help remedy of possessory lien to arise under the common law.
Referring to another leading case, Moore-Bick LJ went on to state that "[a]s OBG v Allan makes clear... the common law draws a sharp distinction between tangible and intangible property...", which leads to the conclusion that "it is [not] possible to have actual possession of an intangible thing ...[and that] it is [not] open to this court to recognise the existence of a possessory lien over intangible property ..."
So, in sharp distinction to the common law as it applies to tangible property (such as the van in Tappenden), a database service provider has no common law right which can be used to stop a customer from accessing its database until the service provider's fees are paid. Of course, there is nothing to stop the parties including such a right in the database hosting contract.
Much has been said about the EU "Cookie" laws
introduced by an amendment to the Privacy and Electronic Communications
Directive in 2011. Companies with
European customers (including those in the US) have grappled with the law's requirement
to obtain informed consent from visitors to their websites before cookies can
Not only has the issue been the subject of much academic
debate; European regulators have also issued a series of guidance papers on the
issue, including recent publications from the UK's Information Commissioner's
Office and from the Article 29 Working Party, the group made up of
representatives from the various EU privacy regulators. These provide layers of at times arguably
conflicting commentary on how to comply with the law.
Whilst question marks hang over key issues (e.g.
what constitutes valid consent before cookies can be placed?), with the various
EU data protection authorities mooting and often disagreeing on the same, the
regulators across the EU appeared to be approaching enforcement actions for
breach of the new laws rather gingerly, no doubt a reflection of the wider
debates taking place.
Whilst the fines were not exactly earth-shattering
(3,500 Euros a piece) the fact that the cookies used were rather commonplace
and not particularly intrusive to individuals' privacy makes these cases more
worthy of note and acts as a stark warning to those who have taken a similar
relaxed attitude to compliance so far.
Furthermore, it's not as if the websites in
question didn't take any action after the new law was introduced. To the contrary, they reportedly made
attempts to comply with the law, but their measures didn't go far enough -
which should make those companies who have buried their heads in the sand even
The key point for business is not just the
fact we are seeing more enforcement now, nor the level of fine, but rather the
fact that cookie law breach is a highly visible "marker" that can
draw the attention of the regulators and increase the chances of a deeper
audit, which can potentially expose wider breaches and more serious enforcement
action. This is the greater consequence of these recent developments and more
reason to get one's compliance right.
These cases underline how EU member states,
intrusive. Companies doing business in
Europe have had time since the passing of the Cookie law to take action. We expect to see a significant ramp up in enforcement
action across the EU; we hear reports of numerous warning letters coming from
regulators across the EU. For companies
that have not yet reviewed their cookie policies and procedures, compliance
should move to the top of the corporate agenda.
Rafi Azim-Khan, Partner and Head of Data Privacy, Europe at Pillsbury and Chair of the British American Business' Law Forum, was in Washington, DC yesterday to hear the important announcement of a key new data privacy initiative, blessed by regulators across the North America, Europe and Asia Pacific regions.
The initiative is aimed at assisting international businesses struggling to come to terms with increasingly complex global data privacy laws and increasing enforcement risks.
FTC Chairwoman Edith Ramirez and new EU Article 29 Working Party Chair Isabelle Falque-Pierrotin of CNIL were joined by UK Commissioner Christopher Graham, Ted Dean of the US Department of Commerce and Canadian APEC lead Daniele Chatelois in announcing publicly for the first time a new "Checklist" tool known as the "Referential", designed to assist companies who have to deal with and transfer consumer and other types of data internationally. It applies to all businesses and all sectors.
Azim-Khan, who discussed with the Commissioners the goals behind the initiative, commented, "Whether a social media company or a car manufacturer marketing via its website, businesses of all shapes and sizes have been crying out for some practical help and guidance regarding their use of data and what is or is not likely to land them in hot water. Many feel recent changes to the laws in the EU and beyond, as well as significantly increased fine levels and scrutiny, are making day to day operations much more difficult and risky."
"Given the world is becoming more connected, business more global and data use increasing, literally by the day, current laws and enforcement are proving very difficult to navigate without detailed analysis and a very careful approach. It can be time intensive and costly to get things right, and equally so if there is a breach, so anything which can help business deal with complex issues such as international data transfers and data use in multiple countries is to be welcomed. That said, this is very much just a first additional step and we will have to see what happens in terms of consultations and feedback."
"This new initiative is also not a "silver bullet," i.e. an "adequacy finding" nor "mutual recognition", for example of Asia's laws by the EU. Rather, it is one new tool worth exploring in the bigger scheme of compliance and given all the upheaval in the past year or so companies with significant global reach would still be advised to urgently audit what they are currently doing and seriously consider steps needed to bring their compliance up to date, for example considering the benefits of updated schemes such as Binding Corporate Rules".
Note: The EU and the US have locked horns in recent months over criticisms that the US is not doing enough to enforce Safe Harbor breaches by large US companies, and the EU is proposing new "atomic weapon" fines of 2 or 5% of global revenue for non-compliance as part of new Regulation proposals.
Asia is presenting a problem for international companies as the laws are hugely varied and some are also now adopting tougher EU-style laws which US companies do not like.
This initiative is the first time the differing parties have tried to put aside differences in such a joined up way.
This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.
Managing third-party suppliers presents significant compliance
challenges that often span an organization, raising legal, insurance, human
resources and technology concerns, to name just a few. Corporations will
continue to wrestle with these risks in the year ahead, but the convergence of
external threats, abundance of valuable corporate data and the current
regulatory environment has highlighted the importance of corporate
cybersecurity practices. Cybersecurity is perhaps one of the hottest topics
being discussed in boardrooms today. The Cybersecurity Framework,
anticipated legislation and litany of high-profile data breaches have resulted
in even more heightened scrutiny.
The landscape for corporate cybersecurity is rapidly changing and
outsourced services, including IT and business process services, all stand to
be impacted. Corporate stakeholders, particularly in the legal,
information security and information technology departments, should be keenly
focused on the current cybersecurity climate and the state of cybersecurity
across third-party outsourcing agreements.
A significant aspect of this heightened attention on cybersecurity is
not only how third-party outsourcing partners are managing security as part of
the service they deliver, but also the risk and cybersecurity exposure to an
organization from these third-party relationships. Attackers increasingly
exploit weaknesses in third-party suppliers' networks to access data and assets
from target companies. As a result, having in place the appropriate contractual
and governance safeguards with your third-party suppliers is paramount.
Efforts to integrate and manage cybersecurity in outsourcing
arrangements should start early. Detailed security assessments and internal
cybersecurity stakeholders should be included as part of initial due diligence
efforts with selected suppliers. It is important to understand the security
processes and tools that proposed suppliers will use as part of the outsourced
service, the supplier's vulnerabilities and plans to remediate gaps during the
term of the proposed agreement and the plan for the supplier to integrate with
existing corporate cybersecurity programs. Also, understanding how the
supplier has previously responded to past incidents and improved its operations
as a result is crucial.
Contract documentation should include meaningful cybersecurity
provisions related to liability and indemnification for incidents and identify
the security policies and procedures that the supplier will be expected to
comply with during the term. Ideally, contracts should support liability
and indemnification provisions that align with the value of the data exposed to
the third-party supplier, not simply derivatives of the contract value.
Including adequate audit and risk assessment provisions for regular risk
assessments and remediation plans (annual at a minimum) of the
supplier's operations is also highly recommended.
It is important to remain mindful of proposed cybersecurity legislation
- at both the federal and state levels - that may need to be accounted for in
outsourcing agreements. Compliance professionals should continue to monitor the
proposed landscape of legislative and regulatory changes. Accounting for
requirements in third-party agreements to accommodate new cybersecurity laws
will be critical.
Finally, and perhaps most importantly, governance models that allow
corporations to manage the security functions of individual suppliers as well
as the full portfolio of suppliers in a holistic fashion will become
increasingly important over the next year. The ability to respond quickly
to incidents but also make the appropriate strategic risk management decisions
related to cybersecurity will be a defining characteristic of a strong
corporate cybersecurity program.
Compliance managers and in-house counsel should remain keenly focused on
cybersecurity during the next year when negotiating new agreements, amending
existing contracts or participating in ongoing governance activities with
current service providers. Proactively addressing cybersecurity risks by
incorporating security considerations early in the contracting process and
defining more appropriate service descriptions, service levels and
interaction/governance frameworks can help limit cybersecurity exposures in the
"In theory, a multi-provider service delivery environment should not create
additional complexities in terms of liability. The contracts -- entered into
separately between the customer and each supplier -- should, if well
constructed, clearly delineate the liabilities between the parties," says Mario Dottori, leader of
the global sourcing
practice in Pillsbury's Washington, D.C. office.
One tip offered is to create operation level agreements. "OLAs state how
particular parties involved in the process of delivering IT services will interact
with each other in order to maintain performance, and can help all parties 'see
the forest for the trees,'" says Dottori. "These
arrangements offer the opportunity for enhanced visibility of the service
regime as a whole and help to reduce -- or better arm the parties with
solutions for -- missed hand-offs and finger pointing. One caveat: most
providers will not agree to take on additional liability in OLAs. But such an
agreement can be an effective preventative measure."
On February 12, 2014, the National Institute of Standards and Technology ("NIST") released the
final version of its Framework for Improving Critical Infrastructure
Cybersecurity (the "Cybersecurity
Framework" or "Framework")
and the companion NIST Roadmap for Improving Critical Infrastructure
Cybersecurity (the "Roadmap").
The final version is the result of a year-long development process which
included the release of multiple iterations for public comment and working
sessions with the private sector and security stakeholders. The most
significant change from previous working versions is the removal of a separate
privacy appendix criticized as being overly prescriptive and costly to implement
in favor of a more general set of recommended privacy practices that should be
"considered" by companies.
The Cybersecurity Framework marks an important step for U.S. cybersecurity policy
after an Executive Order from the Obama Administration called for its creation
in February 2013 (see Executive Order 13636 "Improving Critical Infrastructure
Cybersecurity", February 12, 2013). While use of the Cybersecurity
Framework is voluntary, the Federal government has been actively exploring
various measures to incentivize participation both universally and on a
sector-by-sector basis (see http://m.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework.
See also Incentives Study Analytic Report, Department of Homeland Security,
June 12, 2013 available at https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-analytic-report-cybersecurity-incentives-study.pdf). While the Framework is focused on the 16 sectors identified as critical
infrastructure (the 16 critical infrastructure sectors are chemical, commercial
facilities, communications, critical manufacturing, dams, defense, emergency
services, energy, financial services, food and agriculture, government
facilities, health, information technology, nuclear, transportation, and water),
companies outside those areas can use the Framework in their risk assessment
and enterprise security planning.
What is the Cybersecurity Framework?
The Cybersecurity Framework is a risk management tool to assist companies with
assessing the risk of cyber-attack, protecting against attack, and detecting
intrusions as they occur. According to NIST, it complements, but does not
replace, an organization's existing risk management processes and cybersecurity
program. It is organized into three parts - the Framework Core, the Framework
Implementation Tiers, and the Framework Profile. The Framework was developed by
leveraging existing cybersecurity standards, guidelines and practices.
Organizations are encouraged to use it as a tool to continuously assess and
improve (where appropriate) cybersecurity practices.
The Framework Core comprises five key functions: Identify, Protect, Detect,
Respond, and Recover. These functions are intended to organize companies' basic
cybersecurity activities at the highest level and represent a lifecycle for
managing cybersecurity across an organization. Each function is further broken
down into categories and subcategories that highlight the more detailed
processes and activities associated with managing cybersecurity. As set forth
in the Cybersecurity Framework, examples of the categories under each function are:
Identify: Asset Management; Business Environment; Governance; and Risk Assessment
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; and Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; and Improvements
Recover: Recovery Planning; Improvements; and Communications
The Cybersecurity Framework includes a maturity model that is characterized by
implementation "Tiers" for companies to use to assess their progress and
development across the various functions. The tiers involve characterizing an
organization's development as Partial, Risk-Informed, Repeatable, or Adaptive
behavior. Partial maturity is characterized by informal and occasional
implementation of the Framework, meaning that the organization is unlikely to
have processes in place to utilize cybersecurity information. Risk-Informed
entities will have formal, risk-aware processes defined and implemented. An
organization that has achieved the Repeatable stage of maturity will have validated
processes that are responsive to larger enterprise requirements and needs.
Finally, entities that are considered Adaptive will be able to anticipate
challenges, adapt rapidly and manage risk in conjunction with changes.
Under the Cybersecurity Framework, assessing an organization's functions in relation
to the maturity or implementation Tiers and risk tolerance results in its
Profile. NIST encourages companies to use the profile to identify gaps and
develop action plans to improve cybersecurity.
The Cybersecurity Framework has been criticized as being overly broad and
toothless. Some security professionals note that the Framework is not that
different from the checklists that chief security officers already regularly
implement. Most large organizations have already implemented a risk management
process similar to the Cybersecurity Framework to manage their cybersecurity
activities. In practice, medium and smaller sized organizations may benefit
most significantly from this first version of the Cybersecurity Framework.
However, additional sector-specific iterations are anticipated and many
government analysts note that the Cybersecurity Framework has the potential to
become the de facto standard for managing cybersecurity risk.
What's next for U.S. Cybersecurity Policy?
The companion Roadmap to the Cybersecurity Framework outlines several planned
follow on activities. In the near term, NIST will continue to oversee and
coordinate the ongoing development of the Cybersecurity Framework including by
accepting informal comments on the recent release. Additionally, a workshop
will be held in the next six months for stakeholders to share feedback on their
use of the Cybersecurity Framework. Options for long term governance including
identifying the appropriate responsible partner(s) for overseeing the
Cybersecurity Framework are also being solicited. Finally, the Roadmap
identifies nine cybersecurity disciplines marked for further development and
discussion including: (i) authentication; (ii) automated indicator sharing;
(iii) conforming cybersecurity assessments; (iv) preparation of a skilled
cybersecurity workforce; (v) use of data analytics in cybersecurity; (vi)
Federal agency cybersecurity alignment; (vii) international coordination;
(viii) supply chain risk management; and (ix) technical privacy standards.
How Can Your Organization Use the Cybersecurity Framework?
Regardless of whether your company falls within one of the defined critical
infrastructure sectors, the Framework can be a valuable tool for cross-checking
and testing your existing cybersecurity risk management programs. The Framework
provides granularity that can be useful in each phase of your program.
Financial services businesses covered by the Gramm-Leach-Bliley Act have guidance in the
form of the Standards for Safeguarding Customer Information (Safeguarding Rule)
and the Interagency Guidance on Response Programs that require implementation
of an information security program including conducting an annual risk
assessment, assessing the sufficiency of any safeguards in place to control the
identified risks, training employees, reviewing information systems (network
and software as well as processing, storage, transmission and disposal),
detecting, preventing and responding to intrusions or system failures, and
overseeing vendors and service providers.
Companies that are covered entities under the Health Insurance Portability and
Accountability Act (HIPAA) have fairly specific regulations governing security
of protected health information.
Companies outside financial services and healthcare that comply with the Massachusetts
Standards for the Protection of Personal Information of Residents of the
Commonwealth (201 Mass. Code Regs. § 17.00) will have implemented a written
data security plan that meets the requirements of that regulation, including
designating a responsible employee, conducting a risk assessment, implementing
an employee security policy, enforcing the policies, addressing issues
surrounding terminated employees, overseeing and requiring compliance by
service providers, limiting the amount of information collected, limiting
retention of data, data mapping, restricting access to records, monitoring
performance, reviewing the program annually and implementing an incident
For each of these businesses, the Cybersecurity Framework addresses additional
areas where threats may exist and additional specific steps that can be taken
to better protect the business. While the Framework is not designed to replace
an information security program, certain aspects of the Framework may trigger
improvements in a company's program that help meet the business' strategic
priorities: protecting assets and business viability against loss, achieving
the appropriate level of security commensurate with the security and scope of
the company's data, protecting company systems and data against threats to the
network structure and security, anticipating evolving threats to the company's
systems and meeting the company's regulatory compliance obligations.
In response to the financial crisis and recession in the United States that began in 2007, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (now commonly known as "Dodd-Frank"). Dodd-Frank created a vast array of new financial regulations, including the new and independent Bureau of Consumer Financial Protection designed to "regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws."
Now known by its alphabet soup moniker, the CFPB has jurisdiction to enforce one of the simplest, yet most powerful, provisions in Dodd-Frank: "It shall be unlawful for any covered person or service provider to engage in any unfair, deceptive, or abusive act or practice." These "unfair, deceptive, or abusive" acts or practices have become commonly known in the legal and financial industries as "UDAAPs." The CFPB has not implemented formal rulemaking with respect to the prohibition on UDAAPs. Instead, it has made the conscious decision to largely implement its UDAAP rules via its enforcement actions and a series of guidance documents, including the "Supervision and Examination Manual," which articulates CFPB's expectations for how this law is to be enforced.
Much has been written about the impacts of Dodd-Frank, including the prohibition against UDAAPs. This blog, however, focuses solely on potential penalties to financial institutions based on the actions of their third party service providers. Because Dodd-Frank primarily holds the large financial institutions supervised by the CFPB responsible for service provider behavior, these institutions should be aware of and guard against the UDAAP trap.
Third Party Service Providers Can Create UDAAP Risk
Dodd-Frank defines "service provider" as "any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service." A service provider also includes a party that "participates in designing, operating, or maintaining" financial products as well as one that "processes transactions" relating to financial products. Such a broad definition could capture almost every type of third party service provider with which a financial institution has a relationship.
While the CFPB has not been explicit about which third party services are subject to scrutiny, the agency has given some high-level guidance on the topic. For example on July 10, 2013, the CFPB issued a bulletin in which it focused almost exclusively on a financial institution's debt collection practices. Based on this initial guidance, it appears that the CFPB is most concerned about those practices that directly interface with the institution's individual customers. Financial institutions have similar direct interactions with their customers through other activities, such as telemarketing services, loyalty programs, and other services that involve a customer's interaction with representatives in a customer service center. Many financial institutions outsource these functions, and such services would likely subject large financial institutions to similar CFPB scrutiny.
Because UDAAP enforcement is in a nascent stage, financial institutions should consider how other third party relationships may trigger UDAAP concerns. For example, if a provider servicing a bank's mortgage portfolios makes systemic errors that cause "substantial injury" to a group of the bank's consumers, it might trigger UDAAP violations, particularly if the bank failed to properly monitor those services. The same could be said for (i) payment card processors that handle customer credit card transactions; (ii) online bill pay service providers that handle bill payments, late fees, and credit reporting; (iii) ATM service providers that process retail banking transactions that are required to post in a timely manner; or (iv) remote deposit capture service providers that manage check scanning and posting.
One type of service, however, that is unlikely to directly affect the interaction between a financial institution and its customers is the provision of backend IT functions. Examples include traditional IT managed services, application development and maintenance services, system implementation services, and other back office support services.
Again, the CFPB has not expressly outlined the type of third party services that may subject a financial institution to the highest scrutiny, so each financial institution should carefully review and consider each third party service relationship on a case-by-case basis.
Mitigating the UDAAP Risk
Best practices dictate that each financial institution have in place robust policies and procedures to prevent the occurrence of UDAAP violations within its enterprise. Once such policies and procedures are in place, institutions should also train their employees to ensure maximum compliance.
Because its own policies and procedures are within its control, a financial institution can ensure a certain level of UDAAP compliance, but the behavior of its service providers can be a wild card. In Part 2, we will look at various approaches by which financial institutions can leverage their third party contracts to mitigate their own UDAAP risk. We will also take a substantive look at some of the key terms that should be considered when negotiating such contracts with third party service providers.
"How does a large software project get to be one year late? One day at a time!"
-Fred Brooks, former IBM employee and OS/360 developer
was not a stellar year for public sector outsourcing. As we reported in an earlier blog article, Indiana is appealing a judgment in an ongoing court battle with IBM over a troubled welfare claims processing project. Agencies in Pennsylvania, Massachusetts and Australia also hit the news.
To be sure, implementing any large IT project is difficult and risky. Publicity and politics further complicate contracting in the public sector. And, as IBM quickly pointed out in response to Pennsylvania's announcement, "there is accountability on both sides for system performance and service delivery." In other words, it takes two to mess up this badly.
In spite of these challenges, there are many successful public sector IT programs that benefit the government and its constituents as well as the service provider. As we explained in an earlier report, outsourcing can help state and local governments reduce costs, improve services, and free up funds otherwise locked in IT assets. Successful programs, however, are reported on about as frequently as safe, on-time flight arrivals.
As the following examples show, public sector IT projects face unique challenges. If those challenges are not mitigated, the projects can prove disastrous to the government and to taxpayers.
Pennsylvania Unemployment Claims
On July 31, 2013, Pennsylvania decided not to renew its contract with IBM to modernize the state's unemployment compensation computer system, a project 42 months behind schedule and 56% over budget. A report by Carnegie Mellon's Software Engineering Institute concluded that even after spending nearly $170 million there "is no high confidence estimate for when the [system] will demonstrate the level of performance necessary." For the immediate term, Pennsylvania will revert to an extremely inefficient, yet functional, 40-year-old unemployment compensation processing system.
Queensland Health Payroll Project
The State of Queensland, Australia released a scathing report in July 2013 detailing a multitude of failures that afflicted IBM's program to replace Queensland Health's payroll system. This project has even been called "one of the worst IT projects ever." When the under-tested system was put in place in 2010, 80,000 staff went unpaid or received the wrong amount. In response, Queensland's Premier Campbell Newman issued a broad ban preventing IBM from entering into any new contracts with the State "until it improves its governance and contracting practices," and declared that IBM "took the State of Queensland for a ride." The ride, quoted at A$6.19 million, will reportedly cost the State A$1.2 billion, almost 200 times the original budget.
Massachusetts Unemployment and Revenue
fall the Commonwealth of Massachusetts held a hearing to examine Deloitte's handling of projects for the Department of Unemployment Assistance and the Department of Revenue. The unemployment benefits system was delivered two years late and, at a total cost of $52 million, ran 13% over budget. The resulting software was reportedly unusable. Earlier in 2013, Massachusetts cancelled a separate Department of Revenue project with Deloitte, a project on which the Commonwealth had already spent $114 million, because a test run of the software revealed no fewer than 1,000 glitches. These examples from Massachusetts represent just a few of the numerous disputes Deloitte is facing with public sector customers.
How can public agencies avoid these failures? Here are some features of successful projects that all agencies should keep in mind:
resources and care to the procurement process. Successful projects focus intently on identifying and clarifying the functional, technical and business requirements for the solution, and on building the procurement process around those requirements. The Queensland report found that the original system scope "was seriously deficient and remained highly unstable for the duration of the Project." Similarly, Carnegie Mellon's Pennsylvania report pointed out major weaknesses in the procurement process, including "unprioritized and often ambiguous requirements." Lacking sufficient experience, many government agencies fail to fully comprehend what "it's really going to take to get a project done right" until halfway through contract completion. Devoting sufficient resources and attention to scope and requirements definition, and leveraging the experience of outside advisors early in the process, can prevent costly disasters down the road.
practices of the commercial sector. State and local governments are subject to unique requirements (e.g., strict competitive procurement procedures) and budget limitations, yet many of the lessons from the commercial world still apply. Examples from the private sector and outside advisors can help bring cutting-edge best practices to public sector projects. The schedule and budget for the projects in Pennsylvania and Queensland were allowed to escalate without apparent governance controls. Consider employing a governance and incentive structure that will monitor and respond to delays and cost overruns sooner rather than later.
significant internal and external changes. Unforeseen changes can quickly derail a project. Specific events, such as an economic crisis and the resulting increase in unemployment claims, may be unforeseeable. But by ensuring that the contract accounts for change, such events will not defeat the intent of the parties. The agreement should include a method for incorporating change into the contract that requires the service provider to meet its obligations through the change, and a mechanism that allows for redirection and/or expansion of the scope as necessary.
·Negotiate contractual provisions that allow for termination if necessary. Ensure that the contract can be terminated for cause in response to a range of performance failures. Termination rights provide a means of exit. Perhaps just as importantly, the threat of termination gives a customer additional contract renegotiation and/or enforcement leverage. For more information on how a state or local government can protect against poor performance through explicit performance-based termination rights, a meaningful service level credit mechanism, and a right of election, see our earlier article on Indiana vs. IBM.
·Seek protection from high turnover within the service provider's workforce. The Carnegie Mellon report on Pennsylvania's failed project concluded that high turnover in IBM's workforce created instability and knowledge gaps at critical stages in the process. Consider negotiating provisions that prevent the unauthorized removal of certain key personnel from the project, and including a requirement that a certain percentage of overall personnel must remain on the account within a given timeframe.
internal resources to governance, management, and performance of retained functions. According to the Carnegie Mellon report, insufficient management by the state meant that no one "was accountable and responsible for the administration of the program." It is critical to remember that not all costs and responsibilities can or should be delegated to the service provider. The program will only be successful if the customer devotes sufficient resources to governing the project and to performing any retained functions on which the service provider's performance depends. The customer should be prepared to have (and budget for) a retained organization to oversee the relationship. Towards this end, the customer and the service provider should each assign an executive-level primary representative to manage the relationship, efficiently address disputes, and generally serve as the principal point of contact for all matters pertaining to the Agreement.
In previous posts (Proposed Changes to UK's TUPE will impact outsourcing deals, The UK Government consults on proposed changes to the TUPE regulations) we highlighted the UK Government's proposed changes to the Transfer of Undertakings (Protection of Employment) Regulations 2006 ("TUPE 2006"). The UK Government has now finalised these changes, resulting in the Collective Redundancies and Transfer of Undertakings (Protection of Employment) (Amendment) Regulations 2014 ("Amended TUPE Regulations"). The Department for Business, Innovation and Skills (BIS) also published useful guidance which helps to explain the changes made to TUPE 2006. Generally speaking, the Amended TUPE Regulations brought into effect the changes discussed in our previous post, which will apply to business transfers or service provision changes taking place on or after 31 January 2014.
There are two exceptions to this implementation date: the first relates to the provision of Employee Liability Information; the second to information and consultation obligations for micro businesses. These are discussed in the Key
1. Definition of Service
The Amended TUPE Regulations has clarified that a "service provision change"
occurs where the services provided post-transfer are "fundamentally the same"
as the services provided previously.
2. Change in workplace
A dismissal on the grounds of a change in workplace location will be an
"economically, technical or organisational" (ETO) reason making such dismissal
potentially fair, subject to complying with the usual rules of fairness when
dismissing an employee.
3. Changes to Terms and Conditions of Employment
The provision in TUPE 2006 that changes to terms and conditions of employment made in connection with a TUPE transfer are unlawful has been removed. Changes made to terms and conditions of employment where the "sole or principal reason" is the transfer itself will still be void unless there is an ETO reason. Agreed changes to terms and conditions of employment where the employment contract permits the variation (for example mobility clauses) or the change is unrelated to the transfer are
Collective Redundancy Consultation
If the transferee will be making any redundancies post-transfer, the transferee
can make one election to undertake pre-transfer collective redundancy
consultation obligations pre-transfer with the transferor's written agreement.
There will be a "static" approach to collective bargaining agreements, so that any changes made post-transfer where the transferee has not been involved in the negotiations will not be binding on the transferee. From one year following the transfer, the transferee can make agreed changes to the collective bargaining agreement provided the new terms are "no less favourable" to the employees when
From 31 May 2014, the transferor must provide the Employee Liability
Information at least 28 days before the transfer.
On or after 31 July 2014, micro businesses with fewer than 10 employees can conduct
consultation with the employees directly rather than with employee or trade
steps to consider
The Amended TUPE Regulations may allow more scope to argue whether TUPE applies, particularly in an outsourcing situation. This may or may not be helpful depending on the circumstances. Disputing whether TUPE applies can be time consuming during negotiations and could escalate costs and increase the risk of claims being made by an employee who claims TUPE did apply. Where there is a dispute as to whether TUPE applies, the parties will need to consider recent case law.
Existing outsourcing agreements should also
be reviewed to ensure that they comply with the Amended TUPE Regulations,
particularly in relation to the provision of Employee Liability
The Amended TUPE Regulations provide some flexibility for the new employer to make some changes to terms and conditions of employment and collective bargaining agreements, provided it has the employees' agreement and the reason for the change is not the transfer. This remains a difficult area and legal advice should be sought on the risks of making any such change.
If redundancies are being contemplated post-transfer, consider whether pre-transfer collective redundancy consultation will be helpful. If so, it may make sense to include the election and the terms of the arrangements in the applicable agreement.
a look forward at 2014, Joe Nash commented in Stephanie Overby's CIO.com article on what to expect in the year ahead. He said:
At the very least, expect an increase in
automation generally. 'With the cost benefits of labor arbitrage being largely
harvested and labor costs inevitably on the rise, CIOs will need to look for
alternative opportunities to reduce or contain operating costs,' says Joe Nash,
principal in Pillsbury's global sourcing group. 'That means looking for ways
through automation to reduce the amount of work it takes to complete an IT
function or service, not the cost of the labor to do it.'
Labor arbitrage has long been a feature of ITOs. With offshore-to-onshore staffing ratios in the 65:35 to 75:25 range, suppliers have long used arbitrage to deliver significantly lower pricing. IT organizations have made many a CFO happy when recommending deals featuring 20%+ savings, especially when done under the pressure of corporate "blood" drives to cut costs. Inescapably, however, corporate "blood" drives are a lot like the Girl Scout cookie sales season: just when you think you've gotten everyone happy, here comes the next guy trying to boost his kid's financial performance.
Unfortunately, our one-trick pony is also a one-time pony, especially in deals where offshore-to-onshore ratios have already been maximized. When the CFO next comes calling, our pony is fresh out of tricks; there is no more arbitrage to be had, at least not from the same delivery market. What is next? Shall we pack our bags in Bangalore and head off to a Chinese Model City, or perhaps see what kind of benefit stream enrichment can be had in Ghana or Mauritius? Most buyers, we suspect, will not find this an appealing prospect when viewed through an operating risk management lens.
Maybe it is time for a change in approach. Instead of continuing to try to derive benefit from pushing on the P (price) lever, maybe some answer can be found by putting pressure on the Q (quantity) factor in the equation. Rather than buying cheaper labor, how about we find a way to use less labor? One way to reduce labor demand is to gain leverage through standardization (à la Google and Amazon), but heterogeneous installed bases, which reflect most of our clients' environments, are notoriously resistant to standardization efforts. Good idea, best practice even, just not responsive to the CFO's demand for results sooner rather than later. So then why not turn to the reason why we have computers in the first place: to do things faster and cheaper than people can do them. How about the shoemaker's children taking some of their own medicine and using their own technology on themselves? Why not use technology to automate IT business processes and reduce the number of people needed to operate these complex infrastructure configurations? Assuming we can keep labor rates in roughly the same range, fewer people equals a lower labor cost, which equals lower prices, which means happier CFOs. And happier CFOs are a good thing for CIOs.
New deals should include both elements of labor arbitrage and automation and it should be reflected in lower and sustainable managed services unit prices. The challenge is to scrape a reasonable amount of the benefit onto the customer's side of the ledger in the face of the supplier's desire for "margin enhancement". More difficult are existing deals; the client's need to pledge to the corporate "blood" drive is real and imminent. The supplier's desire to please their investors with better margins is equally real. In the long term, automation will drive services up the efficiency curve and down the pricing curve. The new trick for the customer is to extract at least some share of the benefit in the short-term.
Third-Generation Deals Enter Uncharted Territory
It was true that many of the latest generation of outsourcing deals were more complex. But the advantage did not go to the incumbents. Quite the opposite came to pass. "Incumbents are always 'sticky' because of high -- or perceived high -- barriers to exit," says Mario Dottori, partner in the global sourcing practice at law firm Pillsbury. "However, we have seen more movement away from incumbents where there are lower barriers to exit. Customers are balancing the switching costs and risks with significant improved service delivery and meaningful reduction in spend."
The High Court of England and Wales has recently decided that a contract can, in principle, be made in two separate jurisdictions at the same time if the contract does not include choice of law and jurisdiction clauses. In this situation, either party could seek to enforce the contract in its home jurisdiction.
In Conductive Inkjet Technology Ltd v Uni-Pixel Displays Inc  EWHC 2968 (Ch), the court considered a dispute between two parties, one based in England and the other in Texas. The agreement in question was a non-disclosure agreement, which did not include a choice of law and jurisdiction clause as the parties were not able to agree on one during negotiations. The parties agreed the contract in an email exchange, and it was then signed by Conductive Inkjet Technology (CIT) in England and by Uni-Pixel Displays (UPD) in Texas. CIT then claimed that UPD made use of certain proprietary information in breach of the agreement and sought permission to serve claims on UPD in England. UPD challenged this by arguing that English courts did not have jurisdiction in the matter.
To recap the English law position on contract formation, the general rule is that a contract is made at the time and place where acceptance of the relevant offer is communicated to the offeror. There are two main rules as to when acceptance is communicated:
The reception rule applies to relatively instantaneous forms of communication, and provides that time and place of contract is when the acceptance is received by the offeror. This was established in Entores Ltd v Miles Far East Corporation  EWCA Civ 3 and confirmed in Brinkibon Ltd v Stahag Stahl G.m.b.h.  2 AC 34 (both cases involving telexes). In Brinkibon, Lord Wilberforce commented that: "In the case of successive telephone conversations it may indeed be most artificial to ask where the contract was made..." but he concluded that the courts simply have to do their best with the test.
The postal rule applies to delayed forms of communication, with acceptances being deemed to be effective at the time of sending, provided the offeree correctly addresses and stamps the letter (Adams v Lindsell (1818) 1 B & Ald 681).
However, the High Court in this instance applied the reasoning of Mann J in the High Court case of Apple Corps Ltd v Apple Computer Inc  EWHC 768 (Ch). Whilst Mann J's comments on this point were obiter, Mann J expressed the view in the Apple case that it is possible, as a matter of principle, for a contract to be made in two places at once. Mann J noted: "Where completion takes place at a distance over the telephone, it might well be possible to construct an offer and acceptance analysis (indeed, each party has sought to do so in this case) but it might equally be thought that that analysis is extremely forced and introduces a highly random element. The offer and acceptance may well depend on who speaks first and who speaks second, which is likely to be largely a matter of chance in closing an agreement of this sort. It is very arguably a much more satisfactory analysis to say that the contract was made in both places at the same time."
Mann J also commented that holding the contract to have been made in both places would coincide more closely with the clearly expressed intentions of the parties, namely not to give the other an advantage in terms of governing law and jurisdiction, than would "introducing the somewhat random element of offer and acceptance".
In the CIT and UPD case, Roth J similarly found that the parties had expressly agreed not to incorporate a choice of law and jurisdiction clause, and that it would be wholly artificial to determine the place of the contract by applying the traditional postal rule, which would turn on which party happened to send the fully executed document. The English Civil Procedure Rules establish the principle that English courts should be able to exercise jurisdiction over foreign defendants where the subject matter of the dispute has a sufficient connection to England, and it would be arbitrary to decide the connection to English jurisdiction simply on the basis of the order in which a document was signed.
Exclusive jurisdiction clauses in agreements may not be entirely watertight. For example, the courts may apply the forum non conveniens test to see whether there are any exceptional reasons for departing from an exclusive jurisdiction clause. However, having both an exclusive jurisdiction clause and a governing law clause in an agreement certainly does reduce the uncertainty that parties may face if a dispute arises under a contract that is silent on the matter.
Pillsbury Global Sourcing advises buyers on all aspects of outsourcing and complex technology acquisitions. We have architected and negotiated deals worth over a half a trillion dollars on behalf of Fortune 500 clients. Blog content taps the insight of our people based in London, New York, San Francisco, and Washington, DC.