Database marketing outsourcing is a strategic transaction for retailers. This type of outsourcing can facilitate the integration of diverse marketing channels e.g., web, social media, catalog and in-store sales) and enable more targeted and effective marketing to consumers.
Database marketing encompasses a potentially broad array of services, including:
We recently completed a major renegotiation of a very large, longstanding infrastructure outsourcing contract. As is typical with renegotiations, there were areas of the contract that required changes and areas the client wanted to leave alone. In this case, scope (and the presumed current solution) was to be left alone as the focus of concern was thought to be on other areas of the relationship. However, the need to update a seemingly simple exhibit – the Key Supplier Personnel list – told the client they had reason to be a lot more concerned about the supplier’s current solution.
Like most IT outsourcing contracts, this one had the typical provisions around Key Supplier Personnel (KSP) (e.g., full-time,
employees of the supplier, rules about replacing the KSP, commitments to tenure on the account, etc.). When asked to update the KSP exhibit, the supplier came back with three names – the Account Executive, Deputy Account Executive and the Business Manager (yep, the person in charge of billing the client). That was it. Not a single person with technical knowledge of the client’s critical systems or technologies. Nobody involved with actually running the client’s IT environment on a day-to-day basis.
The security community has been abuzz this week with the US. District Court of New Jersey’s April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission (“FTC”) did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act’s prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week’s decision highlights the Federal Government’s increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.
The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with the Wyndham’s information security practices including wrongly configured software, weak passwords, and insecure computer servers.
So what does the Court’s holding mean for the private sector? Since, up until this case, the FTC’s data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC’s authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” It is also important to note that the Court’s decision did not include a verdict on Wyndham’s liability in the matter (interested parties should continue to watch as the matter continues).
Most business clients would rather be in the dentist’s chair than sit through negotiation of the indemnity and liability provisions of their agreement. Admit it: your eyes glaze over, time appears to visibly slow down, and you wonder at how the lawyers can find this stuff interesting enough to argue about.
As dull as they appear to be, there are some significant issues that can arise from the indemnity clause. One issue that I see more often than not is that suppliers try to put a financial limit on their indemnification obligations.
Sometimes the supplier will agree to remove the limitation, but not always. What are the consequences of having a limitation on an indemnification obligation,
In a recent judgement, the Court of Appeal of England and Wales held that an electronic database was not a chose in possession or a chattel but a chose in action (see our earlier blog regarding the grant of leave to appeal in this case). In other words, a database is intangible property, not goods which can be possessed. This means that when the parties to a database hosting contract are silent about what happens to the database when the contract ends, the service provider cannot exercise a common law lien over the database so as to force full payment of its fees, and must return the database to its customer.
In giving the lead judgement in the Court of Appeal, Lord Justice Moore-Bick, quoted extensively from the judgment of Lord Justice Diplock in Tappenden v Artus (Tappenden v Artus [1964] 2 Q.B. 185). Tappenden is a case with which most first year law students in the UK will be familiar. In that case, a van owner allowed a customer to use the van pending the completion of a hire-purchase agreement. The van then broke down and was repaired by the defendant garage, but the price of the repairs was not paid. The question arose whether the garage could exercise a lien over the van against the owner. In finding that it could, Diplock L.J emphasised “actual possession of goods” as necessary for the self-help remedy of possessory lien to arise under the common law.
Referring to another leading case, Moore-Bick LJ went on to state that “[a]s OBG v Allan makes clear… the common law draws a sharp distinction between tangible and intangible property…”, which leads to the conclusion that “it is [not] possible to have actual possession of an intangible thing …[and that] it is [not] open to this court to recognise the existence of a possessory lien over intangible property …”
Much has been said about the EU “Cookie” laws introduced by an amendment to the Privacy and Electronic Communications Directive in 2011. Companies with European customers (including those in the US) have grappled with the law’s requirement to obtain informed consent from visitors to their websites before cookies can be used.
Not only being the subject of much academic debate, European regulators have also issued a series of guidance papers on the issue, including recent publications from the UK’s Information Commissioner’s Office and from the Article 29 Working Party, the group made up of representatives from the various EU privacy regulators. These provide layers of at times arguably conflicting commentary on how to comply with the law.
Whilst question marks hang over key issues (e.g.
This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.
Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices. Cybersecurity is perhaps one of the hottest topics being discussed in boardrooms today. The Cybersecurity Framework,
anticipated legislation and litany of high-profile data breaches have resulted in even more heightened scrutiny.
Mario Dottori is quoted in Stephanie Overby’s recent CIO.com article discussing 8 Tips to Deal With Liability When Outsourcing to Multiple IT Vendors.
“In theory, a multi-provider service delivery environment should not create additional complexities in terms of liability. The contracts — entered into separately between the customer and each supplier — should, if well constructed, clearly delineate the liabilities between the parties,” says Mario Dottori, leader of the global sourcing practice in Pillsbury’s Washington, D.C. office.
One tip offered is to create operation level agreements, “OLAs state how particular parties involved in the process of delivering IT services will interact with each other in order to maintain performance, and can help all parties ‘see the forest for the trees,’ says Dottori. ‘These arrangements offer the opportunity for enhanced visibility of the service regime as a whole and helps to reduce — or better arm the parties with solutions for — missed hand-offs and finger pointing.’ One caveat: Most providers will not agree to take on additional liability in OLAs. But such an agreement can be an effective preventative measure.”
On February 12, 2014, the National Institute of Standards and Technology (“NIST“) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework“)
and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap“).
The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.
Background
In response to the financial crisis and recession in the United States that began in 2007, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (now commonly known as “Dodd-Frank”). Dodd-Frank created a vast array of new financial regulations, including the new and independent Bureau of Consumer Financial Protection designed to “regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws.”
Now known by its alphabet soup moniker, the CFPB has jurisdiction to enforce one of the simplest, yet most powerful, provisions in Dodd-Frank: “It shall be unlawful for any covered person or service provider to engage in any unfair, deceptive, or abusive act or practice.” These “unfair, deceptive, or abusive” acts or practices have become commonly known in the legal and financial industries as “UDAAPs.” The CFPB has not implemented formal rulemaking with respect to the prohibition on UDAAPs. Instead, it has made the conscious decision to largely implement its UDAAP rules via its enforcement actions and a series of guidance documents, including the “Supervision and Examination Manual,” which articulates CFPB’s expectations for how this law is to be enforced.
