Rafi Azim-Khan, Partner and Head of Data Privacy, Europe at Pillsbury and Chair of the British American Business' Law Forum, was in Washington, DC yesterday to hear the important announcement of a key new data privacy initiative, blessed by regulators across the North American, European and Asia Pacific regions.
The initiative is aimed at assisting international businesses struggling to come to terms with increasingly complex global data privacy laws and increasing enforcement risks.
FTC Chairwoman Edith Ramirez and new EU Article 29 Working Party Chair Isabelle Falque-Pierrotin of CNIL were joined by UK Commissioner Christopher Graham, Ted Dean of the US Department of Commerce and Canadian APEC lead Daniele Chatelois in announcing publicly for the first time a new "Checklist" tool known as the "Referential", designed to assist companies that have to deal with and transfer consumer and other types of data internationally. It applies to all businesses and all sectors.
Azim-Khan, who discussed with the Commissioners the goals behind the initiative, commented, "Whether a social media company or a car manufacturer marketing via its website, businesses of all shapes and sizes have been crying out for some practical help and guidance regarding their use of data and what is or is not likely to land them in hot water. Many feel recent changes to the laws in the EU and beyond, as well as significantly increased fine levels and scrutiny, are making day to day operations much more difficult and risky."
"Given the world is becoming more connected, business more global and data use increasing, literally by the day, current laws and enforcement are proving very difficult to navigate without detailed analysis and a very careful approach. It can be time intensive and costly to get things right, and equally so if there is a breach, so anything which can help business deal with complex issues such as international data transfers and data use in multiple countries is to be welcomed. That said, this is very much just a first additional step and we will have to see what happens in terms of consultations and feedback."
"This new initiative is also not a 'silver bullet,' i.e. an 'adequacy finding' nor 'mutual recognition', for example of Asia's laws by the EU. Rather, it is one new tool worth exploring in the bigger scheme of compliance and, given all the upheaval in the past year or so, companies with significant global reach would still be advised to urgently audit what they are currently doing and seriously consider steps needed to bring their compliance up to date, for example considering the benefits of updated schemes such as Binding Corporate Rules."
Note: The EU and the US have locked horns in recent months over criticisms that the US is not doing enough to enforce Safe Harbor breaches by large US companies, and the EU is proposing new "atomic weapon" fines of 2 or 5% of global revenue for non-compliance as part of new Regulation proposals.
Asia is presenting a problem for international companies as the laws are hugely varied and some are also now adopting tougher EU-style laws which US companies do not like.
This initiative is the first time the differing parties have tried to put aside differences in such a joined up way.
This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.
Managing third-party suppliers presents significant compliance
challenges that often span an organization, raising legal, insurance, human
resources and technology concerns, to name just a few. Corporations will
continue to wrestle with these risks in the year ahead, but the convergence of
external threats, abundance of valuable corporate data and the current
regulatory environment has highlighted the importance of corporate
cybersecurity practices. Cybersecurity is perhaps one of the hottest topics
being discussed in boardrooms today. The Cybersecurity Framework,
anticipated legislation and litany of high-profile data breaches have resulted
in even more heightened scrutiny.
The landscape for corporate cybersecurity is rapidly changing and
outsourced services, including IT and business process services, all stand to
be impacted. Corporate stakeholders, particularly in the legal,
information security and information technology departments, should be keenly
focused on the current cybersecurity climate and the state of cybersecurity
across third-party outsourcing agreements.
A significant aspect of this heightened attention on cybersecurity is
not only how third-party outsourcing partners are managing security as part of
the service they deliver, but also the risk and cybersecurity exposure to an
organization from these third-party relationships. Attackers increasingly
exploit weaknesses in third-party suppliers' networks to access data and assets
from target companies. As a result, having in place the appropriate contractual
and governance safeguards with your third-party suppliers is paramount.
Efforts to integrate and manage cybersecurity in outsourcing
arrangements should start early. Detailed security assessments and internal
cybersecurity stakeholders should be included as part of initial due diligence
efforts with selected suppliers. It is important to understand the security
processes and tools that proposed suppliers will use as part of the outsourced
service, the supplier's vulnerabilities and plans to remediate gaps during the
term of the proposed agreement and the plan for the supplier to integrate with
existing corporate cybersecurity programs. Also, understanding how the
supplier has previously responded to past incidents and improved its operations
as a result is crucial.
Contract documentation should include meaningful cybersecurity
provisions related to liability and indemnification for incidents and identify
the security policies and procedures that the supplier will be expected to
comply with during the term. Ideally, contracts should support liability
and indemnification provisions that align with the value of the data exposed to
the third-party supplier, not simply derivatives of the contract value.
Including adequate audit and risk assessment provisions for regular risk assessments and remediation plans (annual at a minimum) of the supplier's operations is also highly recommended.
It is important to remain mindful of proposed cybersecurity legislation
- at both the federal and state levels - that may need to be accounted for in
outsourcing agreements. Compliance professionals should continue to monitor the
proposed landscape of legislative and regulatory changes. Accounting for
requirements in third-party agreements to accommodate new cybersecurity laws
will be critical.
Finally, and perhaps most importantly, governance models that allow
corporations to manage the security functions of individual suppliers as well
as the full portfolio of suppliers in a holistic fashion will become
increasingly important over the next year. The ability to respond quickly
to incidents but also make the appropriate strategic risk management decisions
related to cybersecurity will be a defining characteristic of a strong
corporate cybersecurity program.
Compliance managers and in-house counsel should remain keenly focused on cybersecurity during the next year when negotiating new agreements, amending existing contracts or participating in ongoing governance activities with current service providers. Proactively addressing cybersecurity risks by incorporating security considerations early in the contracting process and defining more appropriate services descriptions, service levels and interaction/governance frameworks can help limit cybersecurity exposures in the
"In theory, a multi-provider service delivery environment should not create additional complexities in terms of liability. The contracts -- entered into separately between the customer and each supplier -- should, if well constructed, clearly delineate the liabilities between the parties," says Mario Dottori, leader of the global sourcing practice in Pillsbury's Washington, D.C. office.
One tip offered is to create operation level agreements. "OLAs state how particular parties involved in the process of delivering IT services will interact with each other in order to maintain performance, and can help all parties 'see the forest for the trees,'" says Dottori. "These arrangements offer the opportunity for enhanced visibility of the service regime as a whole and help to reduce -- or better arm the parties with solutions for -- missed hand-offs and finger pointing." One caveat: most providers will not agree to take on additional liability in OLAs. But such an agreement can be an effective preventative measure.
On February 12, 2014, the National Institute of Standards and Technology ("NIST") released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the "Cybersecurity Framework" or "Framework") and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the "Roadmap").
The final version is the result of a year-long development process which
included the release of multiple iterations for public comment and working
sessions with the private sector and security stakeholders. The most
significant change from previous working versions is the removal of a separate
privacy appendix criticized as being overly prescriptive and costly to implement
in favor of a more general set of recommended privacy practices that should be
"considered" by companies.
The Cybersecurity Framework marks an important step for U.S. cybersecurity policy after an Executive Order from the Obama Administration called for its creation in February 2013 (see Executive Order 13636 "Improving Critical Infrastructure Cybersecurity", February 12, 2013). While use of the Cybersecurity Framework is voluntary, the Federal government has been actively exploring various measures to incentivize participation both universally and on a sector-by-sector basis (see http://m.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework. See also Incentives Study Analytic Report, Department of Homeland Security, June 12, 2013, available at https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-analytic-report-cybersecurity-incentives-study.pdf).
While the Framework is focused on the 16 sectors identified as critical infrastructure (the 16 critical infrastructure sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense, emergency services, energy, financial services, food and agriculture, government facilities, health, information technology, nuclear, transportation, and water), companies outside those areas can use the Framework in their risk assessment and enterprise security planning.
What is the Cybersecurity Framework?
The Cybersecurity Framework is a risk management tool to assist companies with
assessing the risk of cyber-attack, protecting against attack, and detecting
intrusions as they occur. According to NIST, it complements, but does not
replace, an organization's existing risk management processes and cybersecurity
program. It is organized into three parts - the Framework Core, the Framework
Implementation Tiers, and the Framework Profile. The Framework was developed by
leveraging existing cybersecurity standards, guidelines and practices.
Organizations are encouraged to use it as a tool to continuously assess and
improve (where appropriate) cybersecurity practices.
The Framework Core is comprised of five key functions: Identify, Protect, Detect, Respond, and Recover. These functions are intended to organize companies' basic cybersecurity activities at the highest level and represent a lifecycle for managing cybersecurity across an organization. Each function is further broken down into categories and subcategories that highlight the more detailed processes and activities associated with managing cybersecurity. As set forth in the Cybersecurity Framework, examples of the categories under each function are:
Identify: Asset Management; Business Environment; Governance; and Risk Assessment
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; and Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; and Improvements
Recover: Recovery Planning; Improvements; and Communications
The Cybersecurity Framework includes a maturity model that is characterized by
implementation "Tiers" for companies to use to assess their progress and
development across the various functions. The tiers involve characterizing an
organization's development as Partial, Risk-Informed, Repeatable, or Adaptive
behavior. Partial maturity is characterized by informal and occasional
implementation of the Framework, meaning that the organization is unlikely to
have processes in place to utilize cybersecurity information. Risk-Informed
entities will have formal, risk-aware processes defined and implemented. An
organization that has achieved the Repeatable stage of maturity will have validated
processes that are responsive to larger enterprise requirements and needs.
Finally, entities that are considered Adaptive will be able to anticipate
challenges, adapt rapidly and manage risk in conjunction with changes.
Under the Cybersecurity Framework, assessing an organization's functions in relation to the maturity or implementation Tiers and its risk tolerance results in its Profile. NIST encourages companies to use the Profile to identify gaps and develop action plans to improve cybersecurity.
The Cybersecurity Framework has been criticized as being overly broad and
toothless. Some security professionals note that the Framework is not that
different from the checklists that chief security officers already regularly
implement. Most large organizations have already implemented a risk management
process similar to the Cybersecurity Framework to manage their cybersecurity
activities. And, in practice medium and smaller sized organizations may benefit
most significantly from this first version of the Cybersecurity Framework.
However, additional sector-specific iterations are anticipated and many
government analysts note that the Cybersecurity Framework has the potential to
become the de facto standard for managing cybersecurity risk.
What's next for U.S. Cybersecurity Policy?
The companion Roadmap to the Cybersecurity Framework outlines several planned follow-on activities. In the near term, NIST will continue to oversee and coordinate the ongoing development of the Cybersecurity Framework, including by accepting informal comments on the recent release. Additionally, a workshop will be held in the next six months for stakeholders to share feedback on their use of the Cybersecurity Framework. Options for long-term governance, including identifying the appropriate responsible partner(s) for overseeing the Cybersecurity Framework, are also being solicited. Finally, the Roadmap
identifies nine cybersecurity disciplines marked for further development and
discussion including: (i) authentication; (ii) automated indicator sharing;
(iii) conforming cybersecurity assessments; (iv) preparation of a skilled
cybersecurity workforce; (v) use of data analytics in cybersecurity; (vi)
Federal agency cybersecurity alignment; (vii) international coordination;
(viii) supply chain risk management; and (ix) technical privacy standards.
How Can Your Organization Use the Cybersecurity Framework?
Regardless of whether your company falls within one of the defined critical
infrastructure sectors, the Framework can be a valuable tool for cross-checking
and testing your existing cybersecurity risk management programs. The Framework
provides granularity that can be useful in each phase of your program.
Financial services businesses covered by the Gramm-Leach-Bliley Act have guidance in the form of the Standards for Safeguarding Customer Information (Safeguarding Rule) and the Interagency Guidance on Response Programs, which require implementation of an information security program including conducting an annual risk assessment, assessing the sufficiency of any safeguards in place to control the identified risks, training employees, reviewing information systems (network and software as well as processing, storage, transmission and disposal), detecting, preventing and responding to intrusions or system failures, and overseeing vendors and service providers.
Companies that are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) have fairly specific regulations governing security of protected health information.
Companies outside financial services and healthcare that comply with the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 Mass. Code Regs. § 17.00) will have implemented a written data security plan that meets the requirements of that regulation, including designating a responsible employee, conducting a risk assessment, implementing an employee security policy, enforcing the policies, addressing issues surrounding terminated employees, overseeing and requiring compliance by service providers, limiting the amount of information collected, limiting retention of data, data mapping, restricting access to records, monitoring performance, reviewing the program annually and implementing an incident
For each of these businesses, the Cybersecurity Framework addresses additional areas where threats may exist and additional specific steps that can be taken to better protect the business. While the Framework is not designed to replace an information security program, certain aspects of the Framework may trigger improvements in a company's program that help meet the business' strategic priorities: protecting assets and business viability against loss, achieving the appropriate level of security commensurate with the sensitivity and scope of the company's data, protecting company systems and data against threats to the network structure and security, anticipating evolving threats to the company's systems and meeting the company's regulatory compliance obligations.
In response to the financial crisis and recession in the United States that began in 2007, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (now commonly known as "Dodd-Frank"). Dodd-Frank created a vast array of new financial regulations, including the new and independent Bureau of Consumer Financial Protection designed to "regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws."
Now known by its alphabet soup moniker, the CFPB has jurisdiction to enforce one of the simplest, yet most powerful, provisions in Dodd-Frank: "It shall be unlawful for any covered person or service provider to engage in any unfair, deceptive, or abusive act or practice." These "unfair, deceptive, or abusive" acts or practices have become commonly known in the legal and financial industries as "UDAAPs." The CFPB has not implemented formal rulemaking with respect to the prohibition on UDAAPs. Instead, it has made the conscious decision to largely implement its UDAAP rules via its enforcement actions and a series of guidance documents, including the "Supervision and Examination Manual," which articulates CFPB's expectations for how this law is to be enforced.
Much has been written about the impacts of Dodd-Frank, including the prohibition against UDAAPs. This blog, however, focuses solely on potential penalties to financial institutions based on the actions of their third party service providers. Because Dodd-Frank primarily holds the large financial institutions supervised by the CFPB responsible for service provider behavior, these institutions should be aware of and guard against the UDAAP trap.
Third Party Service Providers Can Create UDAAP Risk
Dodd-Frank defines "service provider" as "any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or person." A service provider also includes a party that "participates in designing, operating, or maintaining" financial products as well as one that "processes transactions" relating to financial products. Such a broad definition could capture almost every type of third party service provider with whom a financial institution has a relationship.
While the CFPB has not been explicit about which third party services are subject to scrutiny, the agency has given some high-level guidance on the topic. For example on July 10, 2013, the CFPB issued a bulletin in which it focused almost exclusively on a financial institution's debt collection practices. Based on this initial guidance, it appears that the CFPB is most concerned about those practices that directly interface with the institution's individual customers. Financial institutions have similar direct interactions with their customers through other activities, such as telemarketing services, loyalty programs, and other services that involve a customer's interaction with representatives in a customer service center. Many financial institutions outsource these functions, and such services would likely subject large financial institutions to similar CFPB scrutiny.
Because UDAAP enforcement is in a nascent stage, financial institutions should consider how other third party relationships may trigger UDAAP concerns. For example, if a provider servicing a bank's mortgage portfolios makes systemic errors that cause "substantial injury" to a group of the bank's consumers, it might trigger UDAAP violations, particularly if the bank failed to properly monitor those services. The same could be said for (i) payment card processors that handle customer credit card transactions; (ii) online bill pay service providers that handle bill payments, late fees, and credit reporting; (iii) ATM service providers that process retail banking transactions that are required to post in a timely manner; or (iv) remote deposit capture service providers that manage check scanning and posting.
One type of service that is unlikely to directly affect the interaction between a financial institution and its customers, however, is backend IT functions. Examples could include traditional IT managed services, application development and maintenance services, system implementation services, and other back office support services.
Again, the CFPB has not expressly outlined the type of third party services that may subject a financial institution to the highest scrutiny, so each financial institution should carefully review and consider each third party service relationship on a case-by-case basis.
Mitigating the UDAAP Risk
Best practices dictate that each financial institution have in place robust policies and procedures to prevent the occurrence of UDAAP violations within its enterprise. Once such policies and procedures are in place, institutions should also train their employees to ensure maximum compliance.
Because its own policies and procedures are within its control, a financial institution can ensure a certain level of UDAAP compliance, but the behavior of its service providers can be a wild card. In Part 2, we will look at various approaches as to how financial institutions can leverage their third party contracts to mitigate their own UDAAP risk. We will also take a substantive look at some of the key terms that should be considered when negotiating such contracts with third party service providers.
"How does a large software project get to be one year late? One day at a time!"
- Fred Brooks, former IBM employee and OS/360 developer
2013 was not a stellar year for public sector outsourcing. As we reported in an earlier blog article, Indiana is appealing judgment in an ongoing court battle with IBM over a troubled welfare claims processing project. Agencies in Pennsylvania, Massachusetts and Australia also hit the news.
To be sure, implementing any large IT project is difficult and risky. Publicity and politics further complicate contracting in the public sector. And, as IBM quickly pointed out in response to Pennsylvania's announcement, "there is accountability on both sides for system performance and service delivery." In other words, it takes two to mess up this badly.
In spite of these challenges, there are many successful public sector IT programs that benefit the government and their constituents as well as the service provider. As we explained in an earlier report, outsourcing can help state and local governments reduce costs, improve services, and free up funds otherwise locked in IT assets. Successful programs, however, are reported on about as frequently as safe, on-time flight arrivals.
As the following examples show, public sector IT projects face unique challenges. If unmitigated, these challenges can prove disastrous to the government and taxpayers.
Pennsylvania Unemployment Claims
On July 31, 2013, Pennsylvania decided not to renew its contract with IBM to modernize the state's unemployment compensation computer system, a project 42 months behind schedule and 56% over budget. A report by Carnegie Mellon's Software Engineering Institute concluded that even after spending nearly $170 million there "is no high confidence estimate for when the [system] will demonstrate the level of performance necessary." For the immediate term, Pennsylvania will revert to an extremely inefficient, yet functional, 40-year-old unemployment compensation processing system.
Queensland Health Payroll Project
The State of Queensland, Australia released a scathing report in July 2013 detailing a multitude of failures that afflicted IBM's program to replace Queensland Health's payroll system. This project has even been called "one of the worst IT projects ever." When the under-tested system was put in place in 2010, 80,000 staff went unpaid or received the wrong amount. In response, Queensland's Premier Campbell Newman issued a broad ban preventing IBM from entering into any new contracts with the State "until it improves its governance and contracting practices," and declared that IBM "took the State of Queensland for a ride." The ride, quoted at A$6.19 million, will reportedly cost the State A$1.2 billion, almost 200 times the original budget.
Massachusetts Unemployment and Revenue
In the fall, the Commonwealth of Massachusetts held a hearing to examine Deloitte's handling of projects for the Department of Unemployment Assistance and the Department of Revenue. The unemployment benefits system was delivered two years late and, at a total cost of $52 million, ran 13% over budget. The resulting software was reportedly unusable. Earlier in 2013, Massachusetts cancelled a separate Department of Revenue project with Deloitte, a project on which the Commonwealth had already spent $114 million, because a test run of the software revealed no fewer than 1,000 glitches. These examples from Massachusetts represent just a few of the numerous disputes Deloitte is facing with public sector customers.
How can public agencies avoid these failures? Here are some features of successful projects that all agencies should keep in mind:
·Devote sufficient resources and care to the procurement process. Successful projects focus intently on identifying and clarifying the functional, technical and business requirements for the solution, and on building the procurement process around those requirements. The Queensland report found that the original system scope "was seriously deficient and remained highly unstable for the duration of the Project." Similarly, Carnegie Mellon's Pennsylvania report pointed out major weaknesses in the procurement process, including "unprioritized and often ambiguous requirements." Lacking sufficient experience, many government agencies fail to fully comprehend what "it's really going to take to get a project done right" until halfway through contract completion. Devoting sufficient resources and attention to scope and requirements definition, and leveraging the experience of outside advisors early in the process, can prevent costly disasters down the road.
·Adopt the best practices of the commercial sector. State and local governments are subject to unique requirements (e.g., strict competitive procurement procedures) and budget limitations, yet many of the lessons from the commercial world still apply. Examples from the private sector and outside advisors can help bring cutting edge best practices to public sector projects. The schedule and budget for the projects in Pennsylvania and Queensland were allowed to escalate without apparent governance controls. Consider employing a governance and incentive structure that will monitor and respond to delays and cost overruns sooner rather than later.
·Plan for significant internal and external changes. Unforeseen changes can quickly derail a project. Specific events, such as an economic crisis and the resulting increase in unemployment claims, may be unforeseeable. But, by ensuring that the contract accounts for change, these events will not ruin the intent of the parties. The agreement should include a method to incorporate change into the contract that requires the service provider to meet its obligations through the change, and a mechanism that allows for redirection and/or expansion of the scope as necessary.
·Negotiate contractual provisions that allow for termination if necessary. Ensure that the contract can be terminated for cause in response to a range of performance failures. Termination rights provide a means of exit. Perhaps just as importantly, the threat of termination gives a customer additional contract renegotiation and/or enforcement leverage. For more information on how a state or local government can protect against poor performance through explicit performance-based termination rights, a meaningful service level credit mechanism, and a right of election, see our earlier article on Indiana vs. IBM.
·Seek protection from high turnover within the service provider's workforce. The Carnegie Mellon report on Pennsylvania's failed project concluded that high turnover in IBM's workforce created instability and knowledge gaps at critical stages in the process. Consider negotiating provisions that prevent the unauthorized removal of certain key personnel from the project, and including a requirement that a certain percentage of overall personnel must remain on the account within a given timeframe.
·Devote sufficient internal resources to governance, management, and performance of retained functions. According to the Carnegie Mellon report, insufficient management by the state meant that no one "was accountable and responsible for the administration of the program." It is critical to remember that not all costs and responsibilities can or should be delegated to the service provider. The program will only be successful if the customer devotes sufficient resources to governing the project and performing any retained functions on which the service provider's performance depends. The customer should be prepared to have (and budget for) a retained organization to oversee the relationship. Towards this end, the customer and the service provider should each assign an executive-level primary representative to manage the relationship, efficiently address disputes, and generally serve as the principal point of contact for all matters pertaining to the Agreement.
In previous posts (Proposed
Changes to UK's TUPE will impact outsourcing deals, The
UK Government consults on proposed changes to the TUPE regulations) we
highlighted the UK Government's proposed changes to the Transfer of
Undertakings (Protection of Employment) Regulations 2006 ("TUPE 2006"). The UK Government has now finalised these changes,
resulting in the Collective Redundancies and Transfer of Undertakings
(Protection of Employment) (Amendment) Regulations 2014 ("Amended TUPE Regulations"). The Department for Business, Innovation and Skills (BIS) also published useful
guidance which helps to explain the changes made to TUPE 2006. Generally speaking, the Amended TUPE
Regulations brought into effect the changes discussed in our previous post,
which will apply to business transfers or service provision changes taking
place on or after 31 January 2014.
There are two exceptions to this implementation date, the first relates to the
provision of Employee Liability Information; the second to information and
consultation obligations for micro businesses. These are discussed in the Key
1. Definition of Service
The Amended TUPE Regulations have clarified that a "service provision change"
occurs where the services provided post-transfer are "fundamentally the same"
as the services provided previously.
2. Change in workplace
A dismissal on the grounds of a change in workplace location will be an
"economic, technical or organisational" (ETO) reason making such dismissal
potentially fair, subject to complying with the usual rules of fairness when
dismissing an employee.
3. Changes to Terms and Conditions of Employment
The provision in TUPE 2006 that changes to terms and conditions of employment
that are made in connection with a TUPE transfer are unlawful has been removed.
Changes made to terms and conditions of employment where the "sole or principal
reason" is the transfer itself will still be void unless there is an ETO
reason. Agreed changes to terms and
conditions of employment where the employment contract permits the variation
(for example mobility clauses) or the change is unrelated to the transfer are
Collective Redundancy Consultation
If the transferee will be making any redundancies post-transfer, the transferee
can make one election to undertake pre-transfer collective redundancy
consultation obligations pre-transfer with the transferor's written agreement.
There will be a "static" approach to collective bargaining agreements so that
any changes that are made post transfer where the transferee has not been
involved in the negotiations will not be binding on the transferee. From one year following the transfer, the
transferee can make agreed changes to the collective bargaining agreement
provided the new terms are "no less favourable" to the employees when
From 31 May 2014, the transferor must provide the Employee Liability
Information at least 28 days before the transfer.
On or after 31 July 2014, micro businesses with fewer than 10 employees can conduct
consultation with the employees directly rather than with employee or trade
steps to consider
The Amended TUPE Regulations may allow more
scope to argue whether TUPE applies, particularly in an outsourcing
situation. This may or may not be
helpful depending on the circumstances. Disputing whether TUPE applies can be
time consuming during negotiations and could escalate costs and increase the
risks of claims being made by an employee who claims TUPE did apply. Where
there is a dispute as to whether TUPE applies the parties will need to consider
recent case law.
Existing outsourcing agreements should also
be reviewed to ensure that they comply with the Amended TUPE Regulations,
particularly in relation to the provision of Employee Liability
The Amended TUPE Regulations provide some
flexibility for the new employer to make some changes to terms and condition of
employment and collective bargaining agreements provided it has the employee's
agreement and the reason for change is not the transfer. This remains a difficult area and legal
advice should be sought on the risks of making any such change.
If redundancies are being contemplated post-transfer,
consider whether pre-transfer collective redundancy consultation will be
helpful. If so it may make sense to
include the election and the terms of the arrangements in the applicable agreement.
a look forward at 2014, Joe Nash commented in Stephanie Overby's CIO.com
article on what to expect in the year ahead. He said:
At the very least, expect an increase in
automation generally. 'With the cost benefits of labor arbitrage being largely
harvested and labor costs inevitably on the rise, CIOs will need to look for
alternative opportunities to reduce or contain operating costs,' says Joe Nash,
principal in Pillsbury's global sourcing group. 'That means looking for ways
through automation to reduce the amount of work it takes to complete an IT
function or service, not the cost of the labor to do it.'
Labor arbitrage has long been a feature of ITOs. With off-shore to on-shore staffing ratios in the 65:35 to 75:25 range, suppliers have long used arbitrage to deliver significantly lower pricing. IT organizations have made many a CFO happy when recommending deals featuring 20%+ savings, especially done under the pressure of corporate "blood" drives to cut costs. Inescapably, however, corporate "blood" drives are a lot like the Girl Scout cookie sales season: just when you think you've gotten everyone happy, here comes the next guy trying to boost his kid's financial performance.
Unfortunately, our one trick pony is also a one-time pony, especially with deals where off to on shore ratios have been maximized. When the CFO next comes calling, our pony is fresh out of tricks; there is no more arbitrage to be had -- at least not from the same delivery market. What is next? Shall we pack our bags in Bangalore and head off to a Chinese Model City or perhaps see what kind of benefit stream enrichment can be had in Ghana or Mauritius? Most buyers, we suspect, will not find this an appealing prospect when viewed through an operating risk management lens.
Maybe it is time for a change in approach. Instead of continuing to try to derive benefit from pushing on the P lever, maybe some answer can be found by putting pressure onto the Q factor in the equation. Rather than buying cheaper labor, how about we find a way to use less labor. One way to reduce labor demand is to gain leverage through standardization (à la Google and Amazon), but heterogeneous installed bases, which reflect most of our clients' environments, are notoriously resistant to standardization efforts. Good idea, best practice even, just not responsive to the CFO demand for results sooner rather than later. So then why not turn to the reason why we have computers in the first place -- to do things faster and cheaper than people can do them. How about the shoemaker's children taking some of their own medicine and using their own technology on themselves? Why not use technology to automate IT business processes and reduce the number of people needed to operate these complex infrastructure configurations? Assuming we can keep labor rates in roughly the same range, fewer people equals a lower labor cost, which equals lower prices, which means happier CFOs. And happier CFOs are a good thing for CIOs.
New deals should include both elements of labor arbitrage and automation and it should be reflected in lower and sustainable managed services unit prices. The challenge is to scrape a reasonable amount of the benefit onto the customer's side of the ledger in the face of the supplier's desire for "margin enhancement". More difficult are existing deals; the client's need to pledge to the corporate "blood" drive is real and imminent. The supplier's desire to please their investors with better margins is equally real. In the long term, automation will drive services up the efficiency curve and down the pricing curve. The new trick for the customer is to extract at least some share of the benefit in the short-term.
Third-Generation Deals Enter Uncharted Territory
It was true that many of the latest generation of outsourcing deals were more complex. But the advantage did not go to the incumbents. Quite the opposite came to pass. "Incumbents are always 'sticky' because of high -- or perceived high -- barriers to exit," says Mario Dottori, partner in the global sourcing practice at law firm Pillsbury. "However, we have seen more movement away from incumbents where there are lower barriers to exit. Customers are balancing the switching costs and risks with significant improved service delivery and meaningful reduction in spend."
The High Court of England and Wales has recently decided that a contract can, in principle, be made in two separate jurisdictions at the same time if the contract does not include choice of law and jurisdiction clauses. In this situation, either party could seek to enforce the contract in its home jurisdiction.
In Conductive Inkjet Technology Ltd v Uni-Pixel Displays Inc  EWHC 2968 (Ch), the court considered a dispute between two parties, one based in England and the other in Texas. The agreement in question was a non-disclosure agreement, which did not include a choice of law and jurisdiction clause as the parties were not able to agree on one during negotiations. The parties agreed the contract in an email exchange, and it was then signed by Conductive Inkjet Technology (CIT) in England and by Uni-Pixel Displays (UPD) in Texas. CIT then claimed that UPD made use of certain proprietary information in breach of the agreement and sought permission to serve claims on UPD in England. UPD challenged this by arguing that English courts did not have jurisdiction in the matter.
To recap the English law position on contract formation, the general rule is that a contract is made at the time and place where acceptance of the relevant offer is communicated to the offeror. There are two main rules as to when acceptance is communicated:
The reception rule applies to relatively instantaneous forms of communication, and provides that time and place of contract is when the acceptance is received by the offeror. This was established in Entores Ltd v Miles Far East Corporation  EWCA Civ 3 and confirmed in Brinkibon Ltd v Stahag Stahl G.m.b.h.  2 AC 34 (both cases involving telexes). In Brinkibon, Lord Wilberforce commented that: "In the case of successive telephone conversations it may indeed be most artificial to ask where the contract was made..." but he concluded that the courts simply have to do their best with the test.
The postal rule applies to delayed forms of communication, with acceptances being deemed to be effective at the time of sending, provided the offeree correctly addresses and stamps the letter (Adams v Lindsell (1818) 1 B & Ald 681).
However, the High Court in this instance applied the reasoning of Mann J in the High Court case of Apple Corps Ltd v Apple Computer Inc  EWHC 768 (Ch). Whilst Mann J's comments on this point were obiter, Mann J expressed the view in the Apple case that it is possible, as a matter of principle, for a contract to be made in two places at once. Mann J noted: "Where completion takes place at a distance over the telephone, it might well be possible to construct an offer and acceptance analysis (indeed, each party has sought to do so in this case) but it might equally be thought that that analysis is extremely forced and introduces a highly random element. The offer and acceptance may well depend on who speaks first and who speaks second, which is likely to be largely a matter of chance in closing an agreement of this sort. It is very arguably a much more satisfactory analysis to say that the contract was made in both places at the same time."
Mann J also commented that holding the contract to have been made in both places would coincide more closely with the clearly expressed intentions of the parties, namely not to give the other an advantage in terms of governing law and jurisdiction, than would "introducing the somewhat random element of offer and acceptance".
In the CIT and UPD case, Roth J similarly found that the parties had expressly agreed not to incorporate a choice of law and jurisdiction clause, and that it would be wholly artificial to determine the place of the contract by applying the traditional postal rule, depending on which party happened to send the fully executed document. The English Civil Procedure Rules establish the principle that English courts should be able to exercise jurisdiction over foreign defendants where the subject matter of the dispute has a sufficient connection to England, and it would be arbitrary to make a decision as to the connection to English jurisdiction simply on the basis of the order in which a document was signed.
Exclusive jurisdiction clauses in agreements may not be entirely watertight. For example, the courts may apply the forum non conveniens test to see whether there are any exceptional reasons for departing from an exclusive jurisdiction clause. However, having an exclusive jurisdiction clause and also a governing law clause in an agreement certainly does reduce the uncertainty that parties may face if a dispute arises and the contract is silent on the matter.
As part of its UK Employment Law Review in 2012, the UK Government announced that it intended to remove the third-party harassment liability provision from section 40(2) of the Equality Act 2010. This provision was repealed on 1 October 2013. This post considers the impact of the repeal and whether employers are safe from claims made by their employees based on harassment by their outsourcing or other third party contractors.
In October 2010, section 40(2) of the Equality Act introduced the concept that employers could be liable for harassment of their employees by a third party where the harassment was persistent and based on a protected characteristic. Under this provision, employees could bring a claim against their employer if they had been subjected to discriminatory harassment by third parties during the course of their employment on at least two occasions and their employer had failed to take any reasonably practicable steps to prevent the harassment. This provision had potentially far reaching impact as employers became potentially liable for acts committed by third parties such as their suppliers, customers or visitors.
The UK Government's rationale for the repeal was that it recognised that imposing such a duty on employers was unworkable because employers have little or no direct control over the actions of a third party. During the UK Government's consultation process on the proposal to repeal this provision, the UK Government received 80 responses from individuals, public sector employers, unions, equality lobby groups, not-for-profit sector employers and business organisations. Interestingly, only 20% of the respondents were in favour of the repeal and 71% were opposed to it. Nonetheless, the UK Government concluded that the provision should be repealed because there is "no evidence to suggest that the third-party harassment provisions are serving a practical purpose or are an appropriate or proportionate manner of dealing with the type of conduct that they are intended to cover."
Are Employers Safe from Claims?
While the repeal is helpful to employers, employers should be mindful that employees can still potentially rely on other provisions in the Equality Act 2010 or other legislation to bring claims against their employers. It is currently unclear whether the general harassment provision in the Equality Act 2010 will exclude acts by third parties. An employee could argue that the failure to prevent third-party harassment in itself amounts to "unwanted conduct" under the general harassment provision and there is a risk that a sympathetic Tribunal may find in the employee's favour. Similarly, an employee could argue that being placed in a situation where the employee is subjected to third party harassment amounts to direct discrimination. An employee could also claim that being subjected to such harassment and the employer failing to take any appropriate actions amounts to a breach of mutual trust and confidence entitling the employee to resign and claim constructive dismissal. It is likely that the Tribunals will now rely on case law that was established before the third party harassment liability provision existed in which the test for liability is whether the employer had control over the event and whether it could control if the harassment occurred or not.
It remains prudent and good employment practice for employers to continue to take any concerns or complaints from their employees about third-party harassment seriously and deal with it appropriately in accordance with the employer's grievance procedure, harassment and equal opportunities policies. Outsourcing agreements should continue to have adequate provisions and indemnities covering claims that may arise from such concerns or complaints.
On 19 November, Datateam won permission to appeal from an unreported decision of District Judge Bell sitting in the Reigate County Court on 12 June. The facts of the case, which related to unpaid invoices for database maintenance services, are not of interest except to say that the services agreement did not establish a contractual lien over the customer's data, that is, it did not contain an express term requiring the return of the data to the customer at the end of the contract period. What is of interest is that when it hears the appeal, the Court of Appeal will consider "whether or not a service provider can claim a [common law] lien over electronic data which it manages."
In English law, a common law lien normally arises in respect of tangible property but not in the case of intangible property such as intellectual property. The classic example is a mechanic who is entitled to exercise a lien over (hold onto) a customer's car until the customer settles his bill. However, electronic data is intangible property. In granting Datateam permission to appeal, Lady Justice Arden commented that there is no English authority "which establishes that a [common law] lien is exercisable over intangible property." She thought this was "a point of law... worthy of consideration... since it could have very considerable implications if there was no lien."
The Court of Appeal's decision is eagerly awaited.
If the Court rules that a common law lien can arise over electronic data it will reflect the commercial reality of the day. Service providers often insist on payment in full as a precondition of returning data to a customer regardless of the actual contractual position. Establishing a common law lien could affect not just database maintenance services but a wide range of data-related services in this regard, including cloud services, where a customer hands over data to a service provider for hosting and/or processing.
If the Court instead decides that no such lien exists, a service provider faced with unpaid invoices and a demand to return a customer's data upon termination must be careful not to overstep its contractual rights.
Procurement says SAS70;
Finance says SSAE 16;
Audit says SOC 2;
IT says ISO27001;
Supplier says pay, pay, pay.
But there's one fact
That no one knows . . .
WHAT DOES THE SOX SAY?
Any negotiation for cloud and outsourced services undoubtedly ends up in a debate over what audits are appropriate, what are required, and who will pay for them. With numerous stakeholders, the business owner is often left with a cacophonous chorus of meaningless "gering-ding-dingeringeding" and "Joff-tchoff-tchoff." So, from the lawyer's perspective, let's try to sort out what each of the audits is, which ones are required by or helpful for compliance with Sarbanes-Oxley and other laws, and where they might be appropriate.
As relevant here, the Sarbanes-Oxley Act of 2002 (SOX) relates to the accuracy of reporting of a company's financials. Among other things, SOX requires the CEO to sign off on those financials. Because in most enterprises the CEO is not able to personally track the entire financial reporting process, companies have implemented controls that allowed the CEO and other executives to be confident in the financials (thereby also protecting the investing public). The Statement on Accounting Standards No. 70 (SAS-70) audit grew up against this backdrop as an audit to validate that sufficient controls are in place to enable accurate financial reporting.
SAS-70 audits came in two flavors: Type I, validating that controls are in place; and Type II, validating that those controls are actually applied.
As outsourcing (and later cloud) grew in parallel with this trend, customers were rightly focused on being sure that the functions outsourced to the supplier were governed by adequate controls. Thus, it became common practice to require that a supplier provide a SAS-70 for the outsourced services. Of course, everyone got so focused on requiring SAS-70s and arguing over who would pay that the industry lost focus on the relatively narrow scope of the SAS-70. Soon, the SAS-70 became a proxy for ensuring the quality of many areas of the service that had nothing to do with financial controls. Customers demanded SAS-70s without focus on what they were offering, and suppliers trotted out SAS-70s to avoid the more robust conversations about other audits that might be appropriate.
In June 2011, the American Institute of CPAs (AICPA) replaced the SAS-70 with a SOC (Service Organization Controls) 1 Audit (also known as an SSAE 16 audit), in part to conform to the requirements of the international standard covering the same financial controls--the ISAE 3402. Just like the SAS-70, the SOC 1 (SSAE 16) covers only financial controls. Similarly, the SOC 1 comes in the same Type I and Type II varieties. Where it was appropriate in the past to use a SAS-70, it is now appropriate to use a SOC 1. Where it was inappropriate to use the SAS-70, it is still inappropriate to use a SOC 1 (which has become the most common offering by the supplier community).
However, with the SOC 1, also came the SOC 2. The SOC 2 audit goes beyond financial controls and covers the following areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Sounds perfect for cloud and outsourcing agreements. Of course, these audits only cover the principles that are included within the scope of the audit--that is, you can have a SOC 2 that covers any or all of the foregoing areas. Also, SOC 2 audits can be burdensome to complete, and have a price tag that is often not borne readily by the supplier (although in some industries, a supplier may voluntarily undertake a SOC 2 so as to avoid custom audit requests from its customers). Like SOC 1, the SOC 2 also comes in Type I (controls are in place) and Type II (controls are being followed).
But that's not all. The AICPA did not stop with 2 SOCs (which rhymes with, but should not be confused with, SOX). The SOC 3 is typically applicable in website context and can be applied as a seal on a website. Because this is less commonly implicated in cloud and outsourcing transactions, we will defer further discussion of the SOC 3.
Finally, in addition to all of the audits created by the auditors, there are also standards from the technology side. Most notably, the ISO 27001 provides standards (against which one can be audited) that include 11 standards relevant to IT (e.g., security policies, asset management).
When listening to multiple voices about what audit applies, typically the auditors' voice may be controlling, but even then, the auditors need to be armed with the deal context that only the business can provide so that they give real and meaningful answers, rather than knee-jerk answers (that may tend toward over-inclusion with a cost implication).
With thanks to Ylvis for inspiring us with "What Does the Fox Say."
In the early days of outsourcing IT as a managed service, it was not at all unusual for a managed services price to be all inclusive of assets, services and facilities. That bundle of services and assets usually came with a "black box" style pricing that was devoid of transparency and created a myriad of challenges from changes in technology to addressing equipment refresh. Worst of all, these "all in" deals made it virtually impossible to fire your service provider because of the challenges of removing the assets from the supplier upon termination. Despite these challenges, there are times when a customer's asset strategy still calls for acquiring assets from their service provider. In those circumstances, customers should be aware of the inherent risks in including IT assets in an IT managed services agreement and structure the transaction to minimize the risks.
Assets could be included for just about any service category of a managed services agreement. For the purpose of this discussion we are going to focus on the Servers and Storage assets that comprise the central compute services for a company.
It goes without saying that anything being provided by a supplier will come with its attendant margin; nobody is going to do anything for free. Therefore, from a pure dollars and cents perspective, keeping the assets on the client's side of the ledger is more than likely to produce a lower cost alternative. If the overall deal is going to include the asset acquisition as part of an agreement with the managed services provider (presuming they sell equipment), at a minimum, consider unbundling the services and assets components of the agreement and acquire the assets as a separate transaction using the service provider's finance division or other department as it varies from one supplier to the next.
Firing the Maid without Selling the House
Another important consideration in keeping the assets out of the managed services pricing is the degree of flexibility to get out of the transaction. If the supplier is providing services on their equipment and in their data center, it's going to be a lot harder to fire the supplier if service levels are not meeting your expectations. Conversely, if you own the equipment - and even better have it housed in a third-party colocation data center - then the transition to a new service provider is far easier and carries a much lower operational risk.
If, for whatever business or tactical reasons, you still want the supplier to provide the equipment and services as an integrated managed services price, then require them to segregate the pricing such that you have a services price (i.e., $X for a Windows Image, $Y for a terabyte of storage), an assets price (by device and/or software title), and a facilities charge. Having this level of granularity will allow you to interrogate the pricing to ensure market competitive rates as well as gaining a clear understanding of the split between services, assets and facilities. You will also be able to test the asset pricing by having your VAR provide a quote for a similarly configured bill-of-materials.
Refresh and Future Hardware Acquisitions
Another consideration with regard to hardware being included is the problem of forward-pricing assets. In older deals, a contractual price for each element is established for the term of the agreement. The price suppliers used to forward price those assets is very likely not producing the best outcome for the client. If you are going to have the supplier provide the assets as part of your agreement, after the initial acquisition include a provision in the agreement that allows for the price to be determined for future purchases at the time of the purchase. This will give you the ability to independently determine what the market rate is for a particular device at the time of the future acquisition. The agreement should also allow for the client to purchase future equipment if the supplier is not able to match the market rate as determined by the client.
Changing Rules on Accounting for Assets
One other reason some clients had suppliers provide the assets as part of a transaction was to cause a particular accounting treatment of those assets to occur with respect to the client's books. Because of changes in accounting guidance over the last few years, make sure your accounting professionals are consulted with respect to any asset strategy you are intending to deploy in a managed services contract.
In summary, the lowest cost and most flexible solution will likely see the client retaining ownership of the assets in a managed services transaction. Having the supplier provide the assets not only increases the cost (margin on assets), but increases the difficulty of unwinding the transaction. If assets are to be provided by a supplier, ensure you obtain separate services, assets and facilities pricing in order to still obtain the best pricing possible (i.e., avoid "black box" pricing) both in the beginning of the contract and throughout the term.
Pillsbury Global Sourcing advises buyers on all aspects of outsourcing and complex technology acquisitions. We have architected and negotiated deals worth over a half a trillion dollars on behalf of Fortune 500 clients. Blog content taps the insight of our people based in London, New York, San Francisco, and Washington, DC.