Outsourcing—The New Pitfalls To Avoid

Watch out for legal snags in data privacy, Intellectual Property and More

By Dr. Shan Nair, Nair & Co.

Even the most resilient strategic planners are not immune to the dangers of a business left exposed by a third-party supplier - and as countries change their regulatory frameworks, exposures in Intellectual Property laws can threaten competitive advantage, with the risk of data leaks becoming more significant and frequent. There can never be a 100% bullet-proof plan for ensuring the security of an overseas operation, but there is always a risk-minimisation approach, especially when outsourcing core business and Information Technology processes. For management, careful review of regulatory, IT/data security and process integrity risks can mean the difference between a successful outsourcing relationship that reduces costs, and an expensive legal mess that has all the makings and costs of a bad divorce.

Where is the Data Going?

Where data is held and what controls are built around the data are two of the biggest strategic questions for Chief Information Officers and IT managers. Privacy, piracy, loss, security breaches, and theft can erode the value of brands, intellectual property, and other intangible assets that companies have earned and heavily invested in. It is also mandatory to carefully consider privacy laws of the target countries, and weigh them against the cost benefits when outsourcing data storage. Also, additional IP protection can be assured if an IT architecture or working practice can be designed and implemented that makes an act of piracy hard to perpetrate.

In Europe, businesses have the benefit of tightly worded contract terms as well as a clearly defined legal framework. It is also a more secure environment as there are civil and criminal penalties that enforce data privacy where “sensitive personal data” are concerned.
Similar IP and data protection legislation exists in countries like Canada, Australia, Hong Kong, New Zealand and Japan, but in many other countries laws are weaker and offer less protection. In the U.S., data privacy is not guaranteed, as security legislation allows authorities access to any data stored in the country. In India, there is a burgeoning level of legislation relating to data privacy. Also, while the legal process is generally slow, it is relatively easy to obtain quick injunctive relief for clear-cut breaches of IP for most technologies outside of the health/medical arena.

A key pitfall faced by companies arises when they do not effectively marry their own system of internal control with the vendor or BPO entity’s system of internal control. The contractual clauses should encompass a Service Level Management Framework with a high transparency to compliance monitoring - a missing link in many outsourcing agreements today. Provisions need to be made for legal issues arising due to the nature and location of the data. Compliance will also be required with both U.S. laws and local country laws and regulations.
Executives can get thinking in the right direction by asking questions such as: Does the service provider have a comprehensive information security control environment in place, and how is the operational effectiveness of this control monitored or audited?

Is my Intellectual Property safe?

In an outsourcing relationship, any kind of Intellectual Property (IP) asset – trade secrets, trademarks, industrial designs, patents, copyright and related rights, software, etc. – may be involved at the different levels of the process. Distinct national laws generally govern the IP assets. And as the laws vary country by country, so do the headaches of the executives and managers dealing with their protection. Managers need to account for multiple risks, including: challenges in monitoring and/or dealing with various types of breaches of contract clauses, theft or misappropriation of trade secrets; enforcement of IP rights, parallel imports and grey-market issues.

Ownership of IP is a critical concern. It is essential to identify, account for and clarify ownership issues of IP assets improved or created during the relationship. More often than not, companies overlook or pay inadequate attention to this very important aspect in their initial contractual arrangements. Clear terms must be laid out for ownership of IP created by a company’s employees or independent contractors; ownership of the customized features, improvements, new technology and product in outsourced work; and ownership of a company’s IP when it wants to switch vendors (i.e., transfer rights) or terminate a contract.

IP can sometimes be protected by subdividing a manufacturing process into parts and locating each part in a different country or location, each with its own ring-fenced management structure. This will make the act of piracy much harder to implement, as nobody other than the owner of the IP will have access to all of the technology.
A critical concern is the inadvertent, accidental or willful disclosure of confidential information and trade secrets. Once a trade secret is made public, it enters the public domain and is invariably lost. Non-Disclosure Agreements (NDA) can provide broad protection, but this may not be sufficient should litigation arise.

Am I ready for a contingency?

The basic risk in any business endeavor is that it will fail to deliver at some point in time. The stakes are higher when functions outsourced are of strategic importance, and problems with delivery could threaten the reputation or even financial viability of the organization. A service provider can have delivery and infrastructural issues. For example, a supplier in China to a service provider suffers a supply interruption, delaying implementation of a key application in the service provider’s customer - a U.S. bank. Does the bank absorb the monetary loss it suffered, or is the service provider accountable, or is the supplier accountable?

Potential losses can be averted with informed projections for possible contingencies, and by pre-empting answers to questions such as: If the service is interrupted, how rapid and severe can the impact be? Who pays? Is there insurance protection available for compensating the service disruption? What is the likely quantum of loss? What are the liabilities for both parties? In case of multi-sourcing, does the master agreement entail that one service provider can manage the responsibilities of the other in an emergency?
The assessment should be holistic, encompassing both risks caused by actual interruption to supply as well as risks that could cause reputational damage to the organization.

Whose law is it?

A company in San Francisco wants to sue a service provider in England over a dispute. Where should the company file the case? Which country’s laws are applicable? Either party can refuse to file the case in the other’s legal system, as applicable laws in both differ, unless their agreement specifies which country’s laws and courts have exclusive jurisdiction. Equally, sometimes non-exclusive jurisdiction may be preferred to enable one party to more easily serve proceedings on the other. For example, it is not uncommon for cases to be heard in a CA court under English law!

All offshore contracts should specifically highlight the system of dispute settlement. Although there are international dispute settlement groups situated in London, Brussels and Geneva, it is essential to clarify the legal aspects of dispute settlement in the outsourcing contract itself.

Final Thoughts

Outsourcing does not need to be a roll of the dice or a patchwork of legal battles across continents. Carry out a “fault tree analysis” right at the beginning and ensure your contract, IT, security and IP protection arrangements adequately cover the adverse scenarios. Understanding how to avoid the pitfalls is important to ensure you gain a business advantage from the venture, thereby ending up in a winning position.
For more information, please visit www.nair-co.com or email firstname.lastname@example.org.
© Copyright Nair & Co.

About the Author: Dr. Shan Nair, Co-founder, Nair & Co.

Award-winning businessman Dr. Shan Nair is a highly sought-after speaker on globalization, a contributing author for various publications and is considered an expert in international expansion. Having founded Nair & Co. in 1994, Dr. Nair now leads the strategic operations and global group expansion for the company and is driving the company’s strong focus on using IT to leverage business advantage. Today, Nair & Co., which is headquartered in the United Kingdom, has offices in India, China, the United States and Japan and currently acts for 700+ foreign operations in over 40 countries. With the company at more than 350 employees globally, Dr. Nair’s success is evident in that nearly 75% of executives at the company have been seven years or longer at Nair & Co., excluding the most recent recruitment initiative. Also, under Dr. Nair’s guidance, Nair & Co. has been named as a Top 100 Outsourcing Service Provider in the World by the International Association of Outsourcing Professionals (IAOP).

Dr. Nair is an Oxford University Ph.D. nuclear physicist and was instrumental in developing a code which set the U.K. standard for calculating waste arising from spent nuclear fuel. When the Chernobyl accident occurred, he was one of the two U.K. technical experts selected to assist the European Commission in its post-accident response.

Dr. Nair has received recognition for his success in business, including the 2008 Outstanding 50 Asian Americans in Business Award, Asian American Business Development Center (AABDC), New York, NY, U.S.A.; 2008 Bharat Samman Pravasi Award, NRI Institute, Delhi, India; 2008 Gulland's Excellence Award, NRI Institute, London, England; and 2009 Hind Rattan (Jewel of India) Award, NRI Welfare Society, Delhi, India.