OUTSOURCING LAW & BUSINESS JOURNAL™ : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com.
Insights by Bierce & Kenerson, P.C. Editor. www.biercekenerson.com.
Vol. 11, No. 8, October 2011
Join our expert panel on Wednesday, October 26, 2011 at 11AM EST for a Webinar on The Future of Law and the Impact of Outsourcing. This will be a timely global debate on the future of the legal profession and the growth in delivery of legal support services via outsourcing and cloud technology. Cerebra LPO, together with Bierce & Kenerson, P.C. (Full disclosure: Bill Bierce, the Editor-in-Chief, will be on the panel) and PA Consulting and expert panel guests will convene an interactive webinar to discuss the implications of cloud, change and outsourcing in the legal sector. For more information and to register click here.
1. Impact of “America Invents” Patent Law on Global Sourcing.
2. Federalizing Data Security Breach Rules.
1. Impact of “America Invents” Patent Law on Global Sourcing. On September 16, 2011, President Barack Obama signed the Leahy-Smith “America Invents Act,” H.R. 1249, 112th Cong., 1st Sess. The first major patent reform since 1952, this law restructures the processes for obtaining and maintaining the validity of U.S. patents. Given the troubles with certain business method patents, particularly those used in software for financial services, the law opens new avenues for challenging business method patents. This brief article will focus on the impact of the changes on domestic and international trade in technology-enabled services. For the complete article, click here.
2. Federalizing Data Security Breach Rules. Virtually all U.S. states have adopted “data security breach notification” laws to alert individuals and local governmental officials of possible identity theft. In California, victims of such breaches can sue for damages. On September 22, 2011, Senator Richard Blumenthal (Democrat, Connecticut) introduced a draft federal law on data protection: Personal Data Protection and Breach Accountability Act of 2011, S. 1535, 112th Cong., 1st Sess. It would create a new federal crime of intentionally failing to disclose a security breach. It would also coordinate breach reporting with criminal investigations. It would create federal standards that could effectively supersede state laws on security breach notification and repair of an individual’s identity.
The draft law would apply particularly to financial institutions under the Gramm-Leach-Bliley Act and HIPAA-covered entities. Each would need to implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards “appropriate to the size and complexity of the business entity and the nature and scope of its activities.” While the draft law identifies certain criteria for the design, risk assessment and risk management and control, the sufficiency of any security program will depend on the facts and therefore invites litigation. For more, click here.
Prior art, n. (1) in patent law, technical knowledge of others that pre-dates the date of your invention; (2) in copyright law, another master’s masterpieces that pre-dates yours; (3) in trademark law, someone else’s gorgeous logo that has acquired secondary meaning in the marketplace; (4) in warfare, the cunning of a master warrior, studied for fighting the next war under new conditions; (5) in life, what you always knew but were too stupid or shy to claim it as your own original, novel, useful invention or as your own masterpiece. See “invalidate.”
Invalidate, v. (1) to find a convenient technicality; (2) to enact a new law with a new convenient technicality; (3) to liberate yourself from the oppression and economic enslavement of someone else’s prior art. See “prior art.”
Infringe, v. (1) to identify as yours that which an imposter claims is his prior art. See “Prior Art” and “Invalidate.”
Appropriate, adj. (1) the minimal effort that meets the “raised eyebrow” standard of judicial review; (2) the lowest common denominator of least “best” practices; (3) convenient judicial standard for ascertaining criminal neglect of statutory duty.
Safe Harbor, n. (1) a small pond surrounded by raging storms; (2) a temporary refuge; (3) an opportunity for misguiding a stranded sailor into the maelstrom; (4) a legal framework that is unsafe until so adjudicated; (5) legalized “trick or treat.”
October 20-21, 2011, ACI presents its 6th Annual Forum on Reducing Legal Costs, Philadelphia, Pennsylvania. ACI’s 6th Annual Forum on Reducing Legal Costs has been uniquely tailored to provide in-house counsel and legal sourcing managers, as well as private practice attorneys and law firm marketing/business development specialists who are serious about working with their clients to reduce legal costs, with the practical guidance, key insights, expert knowledge, and proven strategies that they need in order to successfully implement cost-reduction initiatives both internally and externally. For more information, click here.
November 17, 2011, Global Sourcing Council’s Annual Meeting, South African Consulate, New York, New York. Join this non-profit organization, focused on helping organizations from all sectors, buyers and sellers, achieve their economic goals without sacrificing sustainability, at their annual meeting; network and meet George Monyemangene, South Africa’s Consul General and other professionals with a keen interest in this educational mission. To register, click here.
FEEDBACK: This newsletter addresses legal issues in sourcing IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at email@example.com. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: firstname.lastname@example.org. Edited by Bierce & Kenerson, P.C. Copyright (c) 2011, Outsourcing Law Global, LLC. All rights reserved. Editor-in-Chief: William Bierce of Bierce & Kenerson, P.C., located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080
In May 2011, the Indian Ministry of Communications and Information Technology issued a press release clarifying the rules framed under Section 43A of the Information Technology Act, 2000. This clarification is important for companies that handle sensitive personal information in India. For more, click here.
Section 43A of the Information Technology Act, 2000, deals with disclosures by Indian governmental bodies (a “body corporate”) of sensitive personal information to other Indian governmental bodies. Under rules adopted under such law, each Indian “body corporate” must adopt and provide a policy for privacy and disclosure of information. The “clarification” notes that “Any such disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission of the provider of the information.” Inter-agency disclosures must be for lawful purposes to pursue statutory mandates of the requesting agency (e.g., detection and prosecution of cybercrime) and the receiving agency must give an undertaking that the information obtained will not be published or shared with any other person.
This clarification sets forth a “best practice” in Indian governmental protection of sensitive personal information. The subject is relevant to outsourcing lawyers because such information that is transmitted from non-Indian sources to Indian ITO and BPO service providers becomes subject to the jurisdiction of the Indian government. In exercising such jurisdiction, the Indian government theoretically has access to information of foreign individuals.
Outsourcing agreements normally address issues of force majeure and cooperation in resolving governmental investigations. The “clarification” discussed above gives some comfort to those engaged in processing where sensitive personal data is accessible in India by Indian service providers. But the clarification also raises the visibility of the issue of cross-border data protection.
OUTSOURCING LAW & BUSINESS JOURNAL™ : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com.
Insights by Bierce & Kenerson, P.C. Editor. www.biercekenerson.com.
Vol. 11, No. 3, April 2011
Editor’s Note: Bierce & Kenerson, P.C. is following the legislation for the Consumer Privacy “Bill of Rights” Act of 2011 (featured in this newsletter issue) and may announce a webinar on this matter as it moves forward in the legislative process. If you would like to hear more on this subject, click here to send us a quick e-mail.
1. U.S. Data Protection: The Draft Commercial Privacy “Bill of Rights” Act of 2011.
1. U.S. Data Protection: The Draft Commercial Privacy “Bill of Rights” Act of 2011. On April 12, 2011, Senators John Kerry (D., Mass.) and John McCain (R., Ariz.) sponsored a Consumer Privacy “Bill of Rights” Act of 2011 to protect personally identifiable information (“PII”) and sensitive PII of U.S. consumers. If enacted, the bill would delegate regulatory authority to the Federal Trade Commission to regulate to all transactions (wherever processed) concerning U.S. consumers’ PII and sensitive PII where the data processor collects, uses, transfers or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period. For more, click here.
May 23-25, 2011, SSON’s 11th Annual Shared Services for Finance & Accounting, Dallas, Texas. This event brings togther industry leaders to provide the fundamentals of efficiency, quality and service and show innovative ways to grow you shared service center:
- Drive efficiency: Build a value proposition outside of just productivity to further improve quality and decrease costs.
- Current trends: Debate in-house vs. outsourcing strategies and make sure you choose the right model and technologies for your business
- Process ownership: Continually improve your shared service center to enable growth
- Accelerate improvement: Re-engineer processes to move beyond labor arbitrage
Create a clear strategy for your business with case studies presented by ING< Goodyear Tire & Rubber Company, PepsiCo, Walmart, Wendy’s/Arby’s Group, Kraft and many more! To register, visit www.SharedServicesFA.com, call 1-800-882-8684 or email email@example.com. Mention code SSFAOL20 for an exclusive 20% discount available to outsourcing-law.com subscribers.
May 23-25, 2011, SSON presents its 9th Annual HR Shared Services and Outsourcing Summit, Chicago, Illinois, which focuses on Trends in HR Transformation dn HR Shared Services for the Next Decade. This conference will look back at what’s worked and provide you with a look forward to new trends in operations, models, globalization, virtualization, enabling technologies, staffing and much, much more. Whether you are in the beginning, middle or mature stages of your HR transformation – or creation of HR Shared Services – the trends o this next decade will have an enormous impact on your success. For more information, please visit their website.
June 27 – 28, 2011, IQPC presents eDiscovery Strategies for Government, Washington, D.C. IQPC’s eDiscovery Strategies for Government will offer key insights to stay on top of emerging challenges and how to craft thorough, cost-effective and defensible eDiscovery. Additionally our expert faculty will provide key benefits for government organizations. Join IQPC’s eDiscovery Strategies for Government Summit to network and learn from your peers on how to proactively establish a protocol for preserving and gathering electronically stored information. Join members of the U.S. Dept. of Justice, U.S. Commodity Futures Trading Commission, Department of Justice- Antitrust Division, Federal Trade Commission, Securities and Exchange Commission, United States Department of Agriculture and more. Visit their website for more information.
September 20-22, 2011 SSON presents Finance Transformation 2011, Dallas, Texas. This conference is targeted to owners, controllers, procurement leads, sourcing strategists, shared services and global finance leads who want a complete view of transformation, incorporating holistic vision and operating strategy, end-to-end process optimizations, technology enablement, business performance management and sourcing strategy, whether that strategy is shared services, outsourcing or a combination of the two. Click here to get more information.
FEEDBACK: This newsletter addresses legal issues in sourcing IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at firstname.lastname@example.org. The information provided herein does not necessarily constitute the opinon of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: email@example.com. Edited by Bierce & Kenerson, P.C. Copyright (c) 2010, Outsourcing Law Global, LLC. All rights reserved. Editor-in-Chief: William Bierce of Bierce & Kenerson, P.C., located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080
On April 12, 2011, Senators John Kerry (D., Mass.) and John McCain (R., Ariz.) sponsored a Consumer Privacy “Bill of Rights” Act of 2011 to protect personally identifiable information (“PII”) and sensitive PII of U.S. consumers. If enacted, the bill would delegate regulatory authority to the Federal Trade Commission to regulate to all transactions (wherever processed) concerning U.S. consumers’ PII and sensitive PII where the data processor collects, uses, transfers or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period.
Of the dozens of draft privacy statutes introduced into Congress in the last few years, this Consumer Privacy “Bill of Rights” Act of 2011 is the one most likely to be enacted. It offers a prudent balance of protections and procedures for data collectors (covered entities) and data processors (service providers). The penalties are very stringent.
Enterprise customers and outsourcing service providers should prepare for the enactment of this draft legislation as a law. It’s not too soon to begin developing compliance programs and practices. The following provides a summary of what is to come.
FEDERAL TRADE COMMISSION ROLE
FTC Regulatory Authority. This bill would appoint the FTC as a U.S. data protection authority (similar to DPA’s appointed in Europe under the Data Protection Directive). The FTC would have exclusive authority to establish and enforce the “unfair or deceptive acts or practices” relating to privacy protections for PII and sensitive PII. However, in promulgating such rules, the FTC would not be allowed to require the deployment or use of any specific products or technologies, including any specific computer software or hardware.
Key Legal Definitions. The draft legislation contains complex definitions of PII and sensitive PII, as well as “covered information” that the FTC would have authority to regulate for privacy purposes. In summary, “covered entities” accessing “covered information” would be required to grant certain rights and adopt protections for the “PII” and “sensitive PII” of individuals.
PII. The term “personally identifiable information” would mean “only the following:
(A) Any of the following information about an individual:
(i) The first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name.
(ii) The postal address of a physical place of residence of such individual.
(iii) An e-mail address.
(iv) A telephone number or mobile device number.
(v) A social security number or other government issued identification number issued to such individual.
(vi) The account number of a credit card issued to such individual.
(vii) Unique identifier information that alone can be used to identify a specific individual.
(viii) Biometric data about such individual, including fingerprints and retina scans.
(B) If used, transferred, or stored in connection with 1 or more of the items of information described in subparagraph (A), any of the following:
(i) A date of birth.
(ii) The number of a certificate of birth or adoption.
(iii) A place of birth.
(iv) Unique identifier information that alone cannot be used to identify a specific individual.
(v) Precise geographic location, at the same degree of specificity as a global positioning system or equivalent system, and not including any general geographic information that may be derived from an Internet Protocol address.
(vi) Information about an individual’s quantity, technical configuration, type, destination, location, and amount of uses of voice services, regardless of technology used.
(vii) Any other information concerning an individual that may reasonably be used by the party using, collecting, or storing that information to identify that individual.
Sensitive PII. The term “sensitive PII” would mean:
“(A) personally identifiable information which, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm; or
(B) information related to–
(i) a particular medical condition or a health record; or
(ii) the religious affiliation of an individual.”
Authorized and Unauthorized Uses of PII or Sensitive PII. An “unauthorized use” of PII or sensitive PII would be defined as “the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates.” Several exceptions would apply to permit “normal” commercial, regulatory or implied consent situations, namely, the use of “covered information” relating to an individual by a “covered entity” (or its service provider) as follows:
(i) To process and enforce a transaction or deliver a service requested by that individual.
(ii) To operate the covered entity that is providing a transaction or delivering a service requested by that individual, such as inventory management, financial reporting and accounting, planning, and product or service improvement or forecasting.
(iii) To prevent or detect fraud or to provide for a physically or virtually secure environment.
(iv) To investigate a possible crime.
(v) That is required by a provision of law or legal process.
(vi) To market or advertise to an individual from a covered entity within the context of a covered entity’s own Internet website, services, or products if the covered information used for such marketing or advertising was–
(I) collected directly by the covered entity; or
(II) shared with the covered entity (aa) at the affirmative request of the individual; or (bb) by an entity with which the individual has an established business relationship.
(vii) Use that is necessary for the improvement of transaction or service delivery through research, testing, analysis, and development.
(viii) Use that is necessary for internal operations, including the following:
(I) Collecting customer satisfaction surveys and conducting customer research to improve customer service information.
(II) Information collected by an Internet website about the visits to such website and the click-through rates at such website (aa) to improve website navigation and performance; or (bb) to understand and improve the interaction of an individual with the advertising of a covered entity.
The permitted uses may be only where the covered entity has an “established business relationship” under a “reasonable expectation” test. Uses of PII are only permitted where the individual could have reasonably expected, at the time such relationship was established, was related to a service provided pursuant to such relationship. If there is a material undisclosed change, then the permission would be deemed revoked.
Covered Entities. All “covered entities” would be subject to the new law. These are defined as any entity that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period” and fits within subject-matter jurisdictional frameworks. Thus, for jurisdictional purposes, a covered entity is any entity conducting interstate or international commerce of the United States, Federal Trade Commission Act (15 U.S.C. 45(a)(2)), a telecom “common carrier” and any a non-profit organization. “Covered entities” would include service providers who receive PII on behalf of their enterprise customers. “Third parties” receiving information do not include any “service provider used by the covered entity to receive personally identifiable information or sensitive personally identifiable information in performing services or functions on behalf of and under the instruction of the covered entity.”
NEW REGIME FOR LEGAL PROTECTION OF PII AND SENSITIVE PII
The draft legislation would create certain “rights” of individuals. However, the individuals would not be able to enforce such rights by litigation. Individuals would only be represented by the FTC in an enforcement proceeding, leaving the FTC with exclusive authority to pursue civil and criminal remedies.
The Right of Data Security. The FTC would have to adopt a rulemaking to require each covered entity to carry out security measures to protect the covered information it collects and maintains. Three criteria would apply:
- Proportionality: The data security requirements would need security measures that are “proportional to the size, type, and nature of the covered information a covered entity collects.” This creates confusion and could result in test litigation.
- Consistency: The data security requirements would need to be consistent with guidance provided by the Commission and recognized industry practices for safety and security on the day before the date of the enactment of the proposed law.
- Technological Means. The FTC would not be able to require a specific technological means of meeting a requirement.
Duty of Accountability by each Covered Entity.
- Variable Rules according to Size, Type and Nature of Covered Information. The draft law would require each covered entity to undertake a data protection program that is not absolutely the same as each other covered entity. The FTC regulations under the law would define differences in “accountability” requirements “in a manner proportional to the size, type, and nature of the covered information” that each covered entity collects.
- Duty of Responsiveness. Each covered entity would be required to have “managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementation of policies consistent with” the draft law. Covered entities would need to have a process to respond to non-frivolous inquiries from individuals regarding the collection, use, transfer, or storage of covered information relating to such individuals. Finally, covered entities would need to “describe the means of compliance of the covered entity” with the draft law upon request from the FTC or an appropriate safe harbor program established under draft law.
Opt-Out Procedures. The new law would force covered entities to offer individuals a “clear and conspicuous mechanism” for opt-out consent for any use of their covered information that would otherwise be unauthorized use, except with respect to any use requiring opt-in consent.
Opt-In Procedures. “Opt-In” procedures would be required for the collection, use, or transfer of sensitive personally identifiable information other than (i) to process or enforce a transaction or deliver a service requested by that individual; (ii) for fraud prevention and detection; or (iii) to provide for a secure physical or virtual environment. “Opt-In” consents would also be required for the use of previously collected covered information or transfer to a third party for an unauthorized use of previously collected covered information, if (i) there is a material change in the covered entity’s stated practices that requires notice of change; and (ii) such use or transfer creates a risk of economic or physical harm to an individual.
Accessibility for Correction of Information by Data Subject. Similar to the EU Data Protection Directive, the draft law would require covered entities to provide any individual to whom the personally identifiable information that is covered information pertains, and which the covered entity or its service provider stores, appropriate and reasonable (A) access to such information; and (B) mechanisms to correct such information to improve the accuracy of such information.
Exit Process: Depersonalization or Termination of Service Provider’s Access. New access controls would be applied where (i) a covered entity enters bankruptcy or (ii) an individual requests the termination of a service provided by the covered entity to the individual (or termination of some other relationship with the covered entity). In such case, the individual would have to be provided with some “easy” means to request that–
(A) all of the personally identifiable information that is covered information that the covered entity maintains relating to the individual, except for information the individual authorized the sharing of or which the individual shared with the covered entity in a forum that is widely and publicly available, be rendered not personally identifiable; or
(B) if rendering such information not personally identifiable is not possible, to cease the unauthorized use or transfer to a third party for an unauthorized use of such information or to cease use of such information for marketing, unless such unauthorized use or transfer is otherwise required by a provision of law.
- Data Processors: Outsourcing to Service Providers. The draft law would enable covered entities to hire service providers.
- Automatic Authorization to Disclose PII to Outsourcing Service Providers. “The use of a service provider by a covered entity to receive covered information in performing services or functions on behalf of and under the instruction of the covered entity does not constitute an unauthorized use of such information by the covered entity if the covered entity and the service provider execute a contract that requires the service provider to collect, use, and store the information on behalf of the covered entity in a manner consistent with the requirements” of the draft law and the policies and practices related to such information of the covered entity.
- Transfers Between Service Providers For A Covered Entity. The disclosure by a service provider of covered information pursuant to a contract with a covered entity to another service provider in order to perform the same service or functions for that covered entity would not constitute an unauthorized use.
- Liability Remains With Covered Entity. A covered entity would remain “responsible and liable for the protection of covered information that has been transferred to a service provider for processing, notwithstanding any agreement to the contrary between a covered entity and the service provider.”
Duty of “Data Retention Minimization.” The new law would restrict indiscriminate collection of PII beyond what is needed for providing services to the individual. As a result, “covered entities” would be allowed to collect only as much covered information relating to an individual as is reasonably necessary for a permitted purpose. Generally, such purposes would be limited to contract performance, service delivery, security, fraud detections, criminal investigation or other law enforcement, marketing, product development, website administration and customer satisfaction.
Limited Retention Period. Covered entities would have to limit the holding period for the PII. They could retain covered information for only such duration as, with respect to the provision of a transaction or delivery of a service to an individual, is necessary to provide such transaction or deliver such service to such individual; or if such service is ongoing, is reasonable for the ongoing nature of the service. For R&D projects, the duration would be limited to what is necessary for such research and development. Cryptically, retention of PII would also be allowed as “is required by a provision of law.” This cryptic reminder of the other retention periods “required” by law will undoubtedly raise questions as to what is permitted by law, such as statutes of limitation for litigation (which are not requirements for retention, but only a prudent business practice).
MANAGEMENT OF DATA PROCESSORS (OUTSOURCING SERVICE PROVIDERS) AS “THIRD PARTIES” OR “SERVICE PROVIDERS”
Constraints on Distribution of Information. The “covered entity” would be responsible for how the “covered information” is used by third parties to whom it transfers such information. Third parties would have to use the information only for purposes consistent with draft law and as specified in the applicable data processing or outsourcing contract.
- Duty not to Combine Data. Third parties would not be able to combine information that the covered entity has transferred to it, that relates to an individual, and that is not personally identifiable information with other information in order to identify such individual, unless the covered entity has obtained the opt-in consent of such individual for such combination and identification.
- Due Diligence concerning Outsourced Data Processor. Before executing a contract with a third party, the covered entity would be required to “assure through due diligence that the third party is a legitimate organization.”
- Duty to Report Violations. In the case of a material violation of the contract, at a minimum, the covered entity would have to notify the Commission of such violation.
- Blacklisted Service Providers. Under the draft, a covered entity could not transfer covered information to a third party that the covered entity knows (i) “has intentionally or willfully violated a contract required by the law, or (ii) “is reasonably likely to violate such contract.”
- Application of Privacy Rules to Third Parties. Except for certain cases under FTC approval, a third party that receives covered information from a covered entity would be subject to the provisions of the draft law as if it were a covered entity. This goes beyond the EU Data Protection Directive and would likely be used to obtain U.S. regulatory jurisdiction over all foreign service providers. Exemptions would apply where the FTC decides that a “class of third parties” cannot reasonably comply with the law or compliance by such class would not sufficiently benefit the individual data subjects.
Data Integrity. Each covered entity would be required to “attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.” Exceptions would apply for direct communications with the individual or receipt of information from another entity at the individual’s request.
ENFORCEMENT; PENALTIES; PRIORITY OVER STATE LAWS
Enforcement would be effected by litigation by State attorneys’ general or by the FTC. No other person could bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating the draft law or a regulation promulgated under this Act.
Penalties for civil liability would be $16,500 per offense PER DAY, up to $3.0 million, adjusted for inflation.
The new law would supersede conflicting state laws. The new law would not be construed to preempt the applicability of (i) State laws that address the collection, use, or disclosure of health information or financial information, (ii) State laws that address notification requirements in the event of a data breach; or (iii) other State laws to the extent that those laws relate to acts of fraud.
The draft law would not supersede the existing federal statutory framework for data privacy and protection applicable to telecommunications, banking, insurance, securities brokerage, fair credit reporting, child on-line pornography and certain other laws.
SAFE-HARBOR (FOR EUROPEAN UNION AND OTHER FOREIGN LAWS)
The draft law establishes a framework for putting the “Safe Harbor” program (now operated by the Department of Commerce) under the FTC’s jurisdiction. The current Safe Harbor program arises out of an executive agreement, which is not a treaty. It does not have the force of law. The draft law would set up a statutory framework for such arrangements.
Foreign service providers that participate in, and demonstrate compliance with, a safe harbor program administered by the FTC would be exempt from enforcement by the FTC if the FTC finds that the requirements of the safe harbor program are substantially the same as or more protective of privacy of individuals than the requirements of the provision from which the exemption is granted.
Of the dozens of draft privacy statutes introduced into Congress in the last few years, this Consumer Privacy “Bill of Rights” Act of 2011 offers a prudent balance of protections and procedures for data collectors (covered entities) and data processors (service providers). It’s not too soon to begin developing compliance programs and practices. However, the draft law would result in a regulatory framework that will certainly change and evolve, if enacted.
Cyber Security Threat Management in Outsourcing: The Coming National Security Regulation of ITO, BPO and KPO
Imminent national regulation of Internet-based services will impact all companies that use the Internet for project management, collaboration, and remote transaction processing. Google and China have precipitated a showdown that may cause the extension of a web (!) of national of Internet regulations, with many consequences on the freedom and costs of running a global business or servicing customers remotely. The showdown highlights the fact that cybersecurity threats come from many sources, including foreign nation states, domestic criminals and hackers and disgruntled employees.
On January 12, 2010, Google Inc. announced by blog that it had been the target of concerted attacks from Chinese hackers, that its intellectual property had been compromised and that the attacks targeted the identities of its subscribers. See press release, http://www.sec.gov/Archives/edgar/data/1288776/000119312510005667/dex991.htm . Google’s blog revealed that “at least twenty other large companies from a wide range of businesses—including the Internet, finance, technology, media and chemical sectors” were affected. The Wall Street Journal reported that 34 U.S. companies were targets, including Adobe Systems Inc. and Juniper Networks Inc. Other companies such as Symantec acknowledged they are under constant siege of cyberattacks. Cyber warfare attacks have been reportedly used in Iran to ferret out political dissidents and in Georgia to overload telecommunications during military exercises. China filters Internet content through registration and regulation of Internet services.
Cybersecurity is a critical foundation for any country’s national security and economic security and, indirectly, global trade in IT-enabled services and in the global supply chain. Information networks support financial services, energy, telecommunications, transportation, health care, and emergency response systems, as well as ordinary commerce, employment, education, civil liberties and social and family cohesion. The security of private information networks, such as Google, Yahoo, Symantec and Juniper Networks and the underlying software such as Adobe Systems and Microsoft, are the foundation for today’s global economy.
In global sourcing, cyber security is an essential commitment by anyone business seeking to acquire and be a trusted custodian of personally identifiable information (“PII”). If enterprises (“data controllers” under the European Union Data Protection Directive) are going to gather PII and contract with service providers (“data processors”) to process it, the risk of cyber attacks frames the debate on risk allocation, roles, responsibilities, pricing and process integration.
For all participants in the outsourcing industry, it’s time to fresh look at legal structures and financial implications of cybersecurity.
Existing General U.S. Cybersecurity Laws. Current U.S. legislation and regulations already require cybersecurity compliance, audit, certification and compliance generally. Special cybersecurity mandates arise under the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, the Sarbanes-Oxley Act of 2002 (“Sox”), state security breach notification legislation and credit card rules applicable to banking transactions (the “PCI rules”). The Computer Fraud and Abuse Act, 18 USC 1030, protects against unauthorized disclosure of most computer data. In addition to securities regulations on insider trading, common law also imposes cybersecurity mandates on lawyers and others receiving confidential financial information. Other cybersecurity rules exist in other legislation:
(1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
(2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
(3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
(4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
(5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.);
(7) any other Federal law bearing upon cyber-related activities; and
(8) any applicable Executive Order or agency rule, regulation, guideline.
But there are no laws mandating that small business or individuals adopt cybersecurity standards (other than general rules).
Public and Private Assets: “Critical Infrastructure” and “Protected Systems.” Already, the cybersecurity jurisdiction of the Department of Homeland Security applies to both “critical infrastructure” and “protected systems.” The concept of “protected system” would extend the more restrictive concept of “critical infrastructure” to virtually any private computer network. A “protected system” would mean “any service, physical or computer-based system, process, or procedure that directly or indirectly affects the viability of a facility of critical infrastructure.” It would include “any physical or computer-based system, including a computer, computer system, computer or communications network, or any component hardware or element thereof, software program, processing instructions, or information or data in transmission or storage therein, irrespective of the medium of transmission or storage.” Homeland Security Act, Sec. 212. In short, national security and economic security mean that public and private assets will be managed as one suite of assets at risk.
Special Purpose Legislation: Electrical Grids. According to legislation proposed in April 2009, “According to current and former national security officials, cyber spies from China, Russia, and other countries have penetrated the United States electrical system in order to map the system, and have left behind software programs that could be used to disrupt and disable the system.” Proposed “Critical Electric Infrastructure Protection Act,” H.R. 2195, An Act to amend the Federal Power Act to provide additional authorities to adequately protect the critical electric infrastructure against cyber attack, and for other purposes, 111th Cong, 1st Sess. The proposed law would require the Secretary of Homeland Security, working with other national security and intelligence agencies, to “conduct research and determine if the security of federally owned programmable electronic devices and communication networks (including hardware, software, and data) essential to the reliable operation of critical electric infrastructure have been compromised,” including “the extent of compromise, identification of attackers, the method of penetration, ramifications of the compromise on future operations of critical electric infrastructure, secondary ramifications of the compromise on other critical infrastructure sectors and the functioning of civil society, ramifications of compromise on national security, including war fighting capability, and recommended mitigation activities.” Preamble. In short, the new law (if enacted) would amend the Homeland Security Act of 2002 (6 U.S.C. 133(i)) to require special studies to “ensure the security and resilience of electronic devices and communication networks essential to each of the critical infrastructure sectors.”
Pending General Cybersecurity Legislation: Cybersecurity Act of 2009. In April 2009, Sen. Jay Rockefeller (D., W. Va.) introduced a draft Cybersecurity Act of 2009, S 773, 111th Cong., 1st Sess. The bill’s long-form name is “An Act To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.” The draft focuses on the commercial impact of cyber espionage: “Since intellectual property is now often stored in digital form, industrial espionage that exploits weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, where economic strength and technological leadership are vital components of national power, failing to secure cyberspace puts us at a disadvantage.” S. 773, Sec. 2 (2). The drafters warned that the nation is unprepared for “a massive cyber disruption [that] could have a cascading, long-term impact without adequate co-ordination between government and the private sector.” S. 773, Sec. 2 (6).
Cybersecurity Advisory Panel. The draft law contemplates the appointment of a panel of advisors to include “representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns.” S. 773, Sec. 3(b)(i).
Cybersecurity Dashboard. The bill would also “implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce.” S. 773, Sec. 4.
Cybersecurity Institute. Under the bill, the Secretary of Commerce would provide assistance for the creation and support of “Regional Cybersecurity Centers” for the promotion and implementation of cybersecurity standards. Each Center would be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance. Such centers would seek to enhance the cybersecurity of small and medium sized businesses and industrial firms in United States through the dissemination and transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology (“NIST”). www.nist.gov. S. 773, Sec. 5(a). This approach reflects other draft legislation, such as the Cybersecurity Enhancement Act of 2009, HR 4061, 111th Cong., 1st Sess., for cybersecurity research, development, education and technical standards for identity management technologies, authentication and security protocols, expanding on the existing Cyber Security Research and Development Act (15 U.S.C. 7401).
Licensing of Cybersecurity Professionals. The draft law would require a national licensing, certification, and periodic recertification program, under the aegis of the Department of Commerce, for cybersecurity professionals (defined as “providers of cybersecurity services”). Such licensing would effectively submit all outsourcing service providers to U.S. federal jurisdiction and enforcement of cybersecurity compliance standards. S. 773, Sec. 7.
Federal Standards. Within a year after enactment, the NIST would be required to “establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks.” These would include standards for
(1) security controls that are known to block or mitigate known attacks;
(2) the software security, including a separate set of such standards for measuring security in embedded software such as that found in industrial control systems;
(3) standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks;
(4) standard configurations for security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks; and
(5) sniffer standards to identify vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.
The NIST would establish a standard testing and accreditation protocol for all software built by or for the Federal Government, its contractors, and grantees, and privately owned critical infrastructure information systems and networks. The testing would occur during the software development process and on acceptance prior to deployment of software.
International Standards. The draft Cybersecurity Act of 2009 would require the U.S. to participate in setting international standards for cybersecurity. But it stops short of any hope for an international law on cybersecurity. It does not call for a convention on cybersecurity. Certainly any negotiations for such a convention could lead to a “least common denominator” of weak standards and political excuses. In light of the impact on trade in services, certainly cybersecurity would be a subject that might fall under the mission of the World Trade Organization, www.wto.org, or the Organization for Economic Development, www.oecd.org. As it is, the International Standards Organization, www.iso.org, would be the probable forum for any such discussions. Also, the bill would require the President to “work with representatives of foreign governments” to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity and to encourage international cooperation in improving cybersecurity on a global basis. S. 773, Sec. 21.
Further Legislation. The United States already has several laws governing cyber security. The draft Cybersecurity Act of 2009 would require the President to review and propose changes in existing cybersecurity laws.
“Pulling the Plug” on Impaired Cyber Infrastructure. The Cybersecurity Act would set up a framework for national regulation of the Internet, which currently is controlled by ICANN, a California-incorporated non-profit organization. www.icann.org. One of the most controversial provisions in the bill would allow the President to shut down the Internet during a time of crisis. The President would be authorized to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network. S. 773, Sec. 18(2). The President “may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security.” S. 773, Sec. 18(6). This police power would be generally without judicial review.
Insurance and Risk Disclosure and Mitigation. The bill invites Presidential reports to Congress on ways to manage commercial risks of cyber attacks. Such reports would seek to identify the feasibility of:
(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and
(2) requiring cybersecurity to be a factor in all bond ratings. Sec. 15.
Identity Management; Identity Theft; Civil Liberties. The bill requires the President to present a report on the “feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.” This provision creates a balance between national security and civil liberties guaranteed by the Constitution.
Investment in Security. The current appropriations bill for the Department of Homeland Security, for the fiscal year ending September 30, 2010, contemplates a small budget for infrastructure security on the scale contemplated in the draft Cybersecurity Act. See, Pub. L. 111-83, H.R.2892, Department Of Homeland Security Appropriations Act, 2010, 111th Cong., 1st Sess. (Oct. 28, 2009).
Implications for Outsourcing.
New Opportunities for Outsourcing of Cybersecurity. As cybersecurity becomes more complex, new opportunities will emerge for service providers that deliver protected processes complying with new regulatory standards.
Industry Sectors; “Verticals.” Outsourcing services (including shared service centers and captive processing centers) manage many “critical infrastructures” that are essential to national security and economic security. Certain sectors are generally included in the definition of “critical infrastructures”: banking, financial services and insurance (“BFSI”), public utilities (water, telecommunications, transportation, oil and gas and electricity supply), emergency services and government. See John Motoff and Paul Parfomak, “Critical Infrastructure and Key Assets: Definition and Identification,” Cong. Research Service (Oct. 1, 2004), http://www.fas.org/sgp/crs/RL32631.pdf. The current statutory definition (established in the USA PATRIOT Act of 2001, Sec. 1016(e) and referenced in the Homeland Security Act of 2002) states:
Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating effect on the security, national economic security, national public health or safety, or any combination of those matters.
Under this sweeping definition, virtually all of outsourcing and the economic supply chain of goods and services could be seen as a “critical infrastructure” for regulation, protection and ultimately potential control by the federal government for purposes of security of the government, economy, health and safety.
Covered ITO and BPO Service Providers. The Cybersecurity Act of 2009 would apply new standards to government contractors and grantees and private sector “critical infrastructure systems and networks.” However, in due course, such standards could be applied to all “protected computers” and private computers as well.
Vendor Selection. By adopting national cybersecurity standards, any new federal legislation would impact the selection of competing outsourcing vendors, based on compliance and risk assessments. Smaller vendors, that might comply today with ISO 27000 but not the PCI credit card security standards or any new federal cybersecurity standards, might not be competitive. Their market value might decline, and their selling prices in an acquisition might be lower on the basis of earnings multiples or other valuation metrics.
National Regulation of Cybersecurity. In short, all business and personal computers would be “protected systems” subject to national security protections, including registrations, licensing, compliance and verification. It is clear that the draft law would superimpose itself on all outsourcing contracts that involve the use of any computers. In short, it would apply to all sourcing contracts.
Allocation of Risk for Compliance with Applicable Law. Generally, outsourcing contracts require service providers (including software developers and IT infrastructure support providers) to comply with applicable U.S. law. The draft Cybersecurity Act of 2009 would be implicit in all applications development and maintenance contracts. It would apply to software developed outside the United States.
Extraterritorial Application of National Laws. Currently, the United States and other countries have laws intended to regulate conduct of persons outside their borders that have an impact inside their borders. Such extraterritorial laws include the Foreign Corrupt Practices Act, the Export Administration Act and the International Trade in Arms Regulations. Outsourcing service providers already are expected to comply with such legislation. Service providers should anticipate the extension of national cybersecurity regulation to their operations outside the United States (and other countries where outsourcing customers receive the services). Further, the U.S. Homeland Security department might conduct inspections on foreign territory, subject to local governmental authorization, similar to historical inspections conducted by the Federal Aviation Administration for maintenance and repairs done abroad to U.S. registered aircraft.
Reciprocity between Governments. Protecting outsourcing as an economic process will require governments to collaborate on cybersecurity management. One can easily foresee a new dialogue between the U.S. government and the Government of India, a key source of talent for software development, ITO and BPO, for the mutual adoption of cybersecurity standards, registration, licensing and compliance procedures. A similar dialogue may eventually arise with China, which hopes to promote its technology centers and “software technology parks” as centers of excellence and sources of employment for engineers servicing non-Chinese global enterprises. Similarly, cybersecurity “best practices” are likely to evolve under the aegis of the OECD for economic regulation and NATO for military use.
For related topics:
OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events.
Insights by Bierce & Kenerson, P.C., Editors. www.biercekenerson.com
Editor’s Note: As we welcome 2010, we continue to develop our newly re-launched Outsourcing-Law.com™ website and e-newsletter! We invite your feedback on the new Beta site as well as your contributions of content on international jurisdictions or legal issues in governance, risk management and compliance. Please contact us.
Vol. 10, No. 1 (January, 2010)
1. Cyber Security Threat Management in Outsourcing: The Coming National Security Regulation of ITO, BPO and KPO.
2. Social Security Tax Agreements: The Cost of Expatriate Workers.
1. Cyber Security Threat Management in Outsourcing: The Coming National Security Regulation of ITO, BPO and KPO. Imminent national regulation of Internet-based services will impact all companies that use the Internet for project management, collaboration, and remote transaction processing. Google and China have precipitated a showdown that may cause the nationalization of Internet regulation, with many consequences on the freedom and costs of running a global business or servicing customers remotely. The showdown highlights the fact that cybersecurity threats come from many sources, including foreign nation states, domestic criminals and hackers and disgruntled employees….
Cybersecurity is a critical foundation for any country’s national security and economic security and, indirectly, global trade in IT-enabled services and in the global supply chain….In global sourcing, cyber security is an essential commitment by anyone business seeking to acquire and be a trusted custodian of personally identifiable information (“PII”). If enterprises (“data controllers” under the European Union Data Protection Directive) are going to gather PII and contract with service providers (“data processors”) to process it, the risk of cyber attacks frames the debate on risk allocation, roles, responsibilities, pricing and process integration.
For all participants in the outsourcing industry, it’s time to fresh look at legal structures and financial implications of cybersecurity. For the complete article, click here.
2. Social Security Tax Agreements: The Cost of Expatriate Workers. Whenever citizens of one country set up operations or perform services in another country, they face the challenge of dual taxation. Dual taxation can be particularly oppressive where two countries tax the same income, or require payments of some form of tax on the same business activities. To avoid such burdens, model income tax treaties and estate tax treaties have evolved under the aegis of the OECD. Other treaties may apply to allow workers from one country to avoid paying social security to the government of another country. This article addresses the question whether bilateral social security tax agreements have a material impact on mobility of technical service workers moving between a service delivery center (such as India) and a service recipient’s facilities (such as in the United States). Click here to see the entire article.
Cybersecurity, n. (1) a locked door; (2) an open door with pass key; (3) trust; (4) hope.
January 22, 2010, Webinar on How Can You Leverage An Economic Development Group In Your Global Sourcing Strategy? Presented by Global Sourcing Council. Eric Hochstein of the Ontario Ministry of Economic Development and Trade will discuss the pros and cons of near-shore sourcing and the socially responsible aspects of sourcing to Canadanderstanding how successful and growing partnerships between companies in the United States and Canada have strengthened businesses on both sides of the border and around the world. To register, please click here.
January, 24-26, 2010, IQPC Business Process Outsourcing and Shared Services Exchange 2010, San Diego, California. This is an invitation-only gathering for VP and C-Level senior Shared Services and Outsourcing executives made up of highly crafted, executive level conference sessions, interactive “Brain Weave” discussions, engaging networking opportunities and strategic one-on-one advisory meetings between solution providers and delegates. With a distinguished speaking faculty from McGraw-Hill, Ingram Micro and Pfizer, amongst others, the seats at the 2010 Exchange are limited and filling up quickly. We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference ‘Outsourcing Law’ when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at firstname.lastname@example.org, call at 1866-296-4580 or visit their website.
January 28-29, 2010, Global Services Conference, Jersey City, New Jersey. Through the entire episode of the global economic meltdown, the global outsourcing services industry has seen the rise of a group of suppliers who are redefining many traditional management practices; changing the long-standing model for contracting offshore services; collaborating with clients in new ways; and gaining more control over outsourcing strategies. This conference focuses on these changes in the global services model and the learning from this period. OSL subscribers qualify for a special rate. Use code GSCOLJ for free/ complimentary registration to buyers. Buyers include buyers of outsourcing and offshoring services in IT and BPO. For more information, visit their website.
February 15-17, IAOP’s 13th Annual 2010 Outsourcing World Summit, Lake Buena Vista, Florida. This event is designed for outsourcing executives from across the industry and around the world who are seeking the very latest insights and ideasand is themed as “Using Outsourcing to Emerge as a Leader in the New Global Economy”. Educational sessions deliver specific actionable solutions to current challenges faced by experienced professionals. Case studies feature actual experiences and the lessons learned, feature new ideas, approaches and opportunities. For more information, click here.
February 22-24, 2010, SSON and IQPC 8th Procure-to-Pay Summit, Miami, Florida focuses on “Fostering Smart Partnerships to Optimize Cash Flow and Deliver Positive Business Outcomes from End to End.” This Summit is all about making the most of your smart partnerships to increase cash flow and improve business outcomes as companies move away from a reactionary mode toward sustainable practices. While we may not yet be out of the woods, so to speak, it is clear that the economic landscape in 2009 has created opportunities for companies to create new synergies with their P2P partners to help promote growth for 2010 and beyond. For more information, click here.
February 24-25, 2010, IQPC’s 3rd E-Discovery for Financial Services Conference, New York, New York. Learn the Best Review, Retention and Destruction Procedures to Cut Costs and Response Time During a Financially Troubled Economy. This event examines, from the unique perspective of high-level financial executives, how the challenges of each financial sector intersect with e-discovery proceedings and processes. View the complete program agenda at www.ediscoveryevent.com/finance.
March 22-26, 2010, SSON presents the 14th Annual North American Shared Services & Outsourcing Week, Orlando, FL. This event includes speakers from top companies: Aramark, Arbys/Wendy’s, AstraZeneca, Chevron, Coca-Cola, Conagra Foods, General Motors, Kellogg, Kraft, Microsoft, Monster, NASA, Northrop Grumman, Oakley, Perdue Farms, Schering Plough, Warner Brothers and more. It will include new and enhanced features:
* G8: Global Sourcing Think Tank Eliminating the White Noise: The first ever neutral platform to help shape a common industry agenda in the US
* Under the C-Suite Spotlight with Rene Carayol, An Exclusive Onstage CXO Interview: Board-room revelations regarding shared service & sourcing model strategy
* New, Strong, Business Outcome-Focused Content: 8 content-intense tracks, from Planning & Launching and BPO Evolution to IACCM’s Contracting to Collaboration
* Enhanced Annual Features: Quick Wins Energizers, Speed Networking, Blue Sky Innovation Room for Mature SSO’s, and more.
Please contact Kim Vigilia directly at 1-212-885-2753 or at email@example.com with your special code IUS_OSL_#1 to get a 20% discount off the all-access pass. You can also visit the website at www.sharedservicesweek.com.
March, 25-26, 2010, American Conference Institute’s 4th National Forum on Reducing Legal Costs, Dallas, Texas. This essential cross-industry benchmarking forum gathers together more than 30 senior corporate counsel and legal sourcing managers responsible for cost-reduction success stories, as well as leaders from law firms who are pioneers in the alternative fee world, to guide those in attendance on the complexities of keeping legal department costs in check. Now in its fourth installment, this event also offers unique networking opportunities with senior practitioners in the field, includingin-house counsel across a wide spectrum of companies and industries. For more information, visit their website.
FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: firstname.lastname@example.orgThe information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: email@example.com. Edited by Bierce & Kenerson, P.C. Copyright (c) 2010, Outsourcing Law Global LLC. All rights reserved. Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.
E-Discovery and Legal Process Outsourcing: ESIM Process Design and Choices between Outsourcing vs. Insourcing
State and federal rules of civil procedure and emerging common law of the discovery process impose significant costs on businesses that are engaged in litigation. Pre-trial “discovery” serves to narrow the issues in dispute by forcing the disclosure of records, including electronically stored information (“ESI”) for judicial economy, to narrow the scope of disputed issues for adjudication (such as through motions for partial summary judgment, admissions and prior inconsistent statements), and to speed the actual trial process. E-discovery has become a daily challenge for the General Counsel, the CIO, the COO and the Risk Management Department. They face a choice of policies, procedures and technologies for insourcing (such as by using forensic software and employed staff) or outsourcing for electronic records discovery management. This article explores some of the differences between insourcing and outsourcing in terms of ESI records management, legal requirements for protection and production of electronic records, project management in forensic record examination, litigation readiness, knowledge management, risk management, ethics and legal compliance.
I. E-DISCOVERY AS A SUB-PROCESS OF RECORDS MANAGEMENT.
Record and Information Management (“RIM”) Policies and ESI Management (“ESIM”). The demands of e-discovery highlight the challenges of developing and managing effective governance policies and procedures for information of all kinds, including ESI, and the challenge of adopting and updating an ESI management (“ESIM”) plan for “business as usual.” The International Standards Organization has developed a records management standard (ISO 15489-1, at www.iso.org). ARMA International (www.arma.org) has identified eight standards for records and information management (“RIM”), namely, accountability, integrity, protection, policy compliance, retrievability/ availability, retention, disposition and transparency.
Memory-storage devices have proliferated, challenging the company’s records custodian. In addition to computers, there are cell phones, cameras (stand-alone or in cell phones), scanners, facsimile machines, USB “key” drives, backup hard drives and other storage devices. All pose a challenge for a fully compliant response to an e-discovery request.
Legal Requirements for Protection and Production of E-Records. Federal and state rules of civil procedure have evolved to include electronic records. See F.R.Civ. P. 26(b), 34 and 45 (subpoenas) and F. R. Evid. 901(a) (authenticity). State procedural rules have been adopted to implement the Uniform Rules Relating to Discovery of Electronically Stored Information issued by the National Conference of Commissioners on Uniform State Laws. [Copy available at http://www.law.upenn.edu/bll/archives/ulc/udoera/2007_final.htm]. Basic common law, statutory and civil procedure rules in e-discovery start with similar requirements:
- Protection: preservation of ESI through a “litigation hold” to prevent inadvertent loss when a third party demand has been made, or it has become reasonably foreseeable that such a demand will be made, and ensuring that the in-house attorney’s instruction is actually implemented (for example, avoiding the inadvertent over-writing of storage and backup tapes).
- Accountability: identifying the scope and “proportionality” of the e-discovery requirements in relation to the overall scope of the dispute.
- Cost allocation: allocating costs that are reasonable to the producing party and costs that are unreasonable to the requesting party.
- Cost management: using search terms and other cost-effective automated search technologies to get the reasonable or “agreed” coverage for the initial triage, fulfilling the approach that information technology can solve the problem of searching massive records databases using search technologies. See, e.g., Zubulake v. UBS Warburg, LLC, 2004 WL 1620866 (SDNY July 20, 2004, Judge Scheindlin) and other rulings in the same case, at 217 F.R.D. 309 (SDNY 2003), 216 FRD 280 (SDNY 2003) and 2003 WS 22410619 (SDNY Oct. 22, 2003).
- Integrity (authenticity and identification of the e-record): identifying appropriate methods and procedures for ESI production, including the appropriate level and nature of legal supervision of forensic inspections, to ensure authentication under F.R.Evid. 901(b) by using circumstantial information such as the file access permissions, file ownership, dates when the file was created and when it was modified, other metadata and hash values for the record when copied to a forensic computer for analysis.
- Accessibility: under the rules of evidence: identifying and managing risks of loss of evidentiary privileges by the mere use of electronic e-discovery tools and procedures.
- Accountability for Non-Compliance: identifying the sanctions for culpable conduct, mainly, “spoliation” (intentional or negligent destruction of evidence) or negligent collection done by the record custodian rather than by an automated process, such as:
judicial issuance of an instruction to the jury that the jury may validly draw a “negative inference” (or “adverse inference”) from the fact that the offending party could not produce the normally available documents in support of its legal arguments, resulting in a conclusion that, if the “lost” or “destroyed” records had been introduced into evidence, they would have supported a negative conclusion as to disputed factual matters; and judicial sanctions including an order to pay the reasonable expenses, including attorney’s fees, caused by the violation of discovery rules, where, for example, the adverse party incurred expenses to overcome the inability to access the “lost” or “destroyed” (spoliated) records.
Project Management in Forensic Record Examination. Within a holistic approach to ESIM, e-discovery tools and techniques can be identified along the continuum of “cradle-to-grave” (or more appropriately, “cradle to judge and jury”) progress. As a sub-process of electronic records management, an e-discovery process model can be used to identify the particular role or function of third-party software, in-house resources and an outsourcer’s resources. By looking holistically at the end-to-end chain of processes leading to satisfactory e-discovery compliance, under such a paradigm, the end-result, production and presentation of ESI, can be managed by effectively adopting either a total control at the “information management” level (when records are initially created and stored). The following is our own view of electronic discovery records management (“EDRM”) as a subset of an enterprise-wide holistic ESIM resource management paradigm for governance, risk management and compliance in e-discovery:
Litigation-Readiness: Converting “Business as Usual” IT into Information Management Operations for E-discovery. Information technology plays a strategic role in the enterprise’s ability to comply with e-discovery mandates. The enterprise’s legal department should team up with the IT department, the records management department and the line-of-business management to participate in the design – or re-design – of the enterprise’s information management operations and records management. E-discovery compliance features are now available through software that can troll the enterprise’s entire ESI, search for information according to a myriad of legal and business terms, technical parameters. In conjunction with the CIO and the records management department, the legal department can:
- Gap Analysis: Conduct a “gap analysis” to identify which features are missing from those that are recommended or required under the applicable rules of civil procedure and common law, particularly those policies and procedures that involve data collection, classification, accessibility, storage, retention and destruction.
- Strategic Access Plan: Develop a strategic access plan for the full life-cycle of “business as usual” and custody and control, including audit, of the company’s information and litigation-relevant information.
- Process Design using an ESIM Paradigm: Apply the e-discovery records management sub-process of the enterprise’s holistic ESIM model to identify and segregate functions that will be performed by in-house or captive resources and those for outside legal counsel and outsourcing service providers.
- Cross-Border Considerations: Integrate multinational and cross-border legal mandates into the design of the information technology and information management systems, at an early stage in the e-discovery process, to avoid breaches of foreign data protection and privacy laws when complying with U.S. judicial rules of procedure.
- Integration of Internal and External Resources: Develop policies and procedures for use of outside litigation support services providers and an array of personnel and technology resources both domestically and internationally to fulfill e-discovery compliance mandates, without adversely impacting the ongoing business operations.
Litigation-readiness must be added to the selection criteria for new IT initiatives such as “cloud computing” (here, the “software as a service” model, not the “variable IT computing-power as a service” model), internal and external social networks, Twitter and internal and external collaboration platforms such as wikis, e-rooms and Google Wave.
Knowledge-Management Readiness: Managing and Protecting Corporate Knowledge. “Knowledge management” refers to policies, procedures and technology that enable an enterprise to capture, organize, identify, re-use and protect the confidentiality of its trade secrets. Knowledge management (“KM”) procedures must also enable the enterprise to distinguish among sources of confidential information that may be trade secrets, copyrights or patents of third parties (including “freeware” and “open source” software) as well. Accordingly, CIO’s must adopt KM planning strategies that, in conjunction with legal and compliance departments, also serve regulatory and legal requirements. The IT infrastructure needs to identify all such trade secrets during the e-discovery process so that, if disclosable, they are subject to non-disclosure and non-use under appropriate protective orders.
II. RISK MANAGEMENT
Risk of Spoliation by Employees and Contractors. According to one e-discovery service provider, a large majority of all corporate litigation is employment-related. If employees have access to change ESI, disgruntled or negligent employees pose a major risk of spoliation. Employees can unknowingly or intentionally destroy ESI evidence. Such actions can range from concealment (through downloading pirated software that deletes files on the employee’s web surfing history) to sabotage (actually deleting documents).
As a result, the legal department and the CIO need to develop IT-enabled solutions to prevent such acts. This article does not address this particular issue, but it highlights the need for appropriate design of the overall information management architecture as a preventive measure.
Risk Management. From the risk-management perspective, a proper defensive strategy will require an alliance between the company’s Legal Department, its Risk Management department and its IT department.
- IT Role. The IT department needs to work with the Legal Department to ensure a proper chain of custody and proofs of authenticity.
- Insurance. The Risk Management Department needs to help design and review the e-discovery process. Sanctions for spoliation have implications for coverages for directors and officers, employment practices, errors and omissions and general liability. The records manager needs to understand how the company’s Records Management (destruction) Policy meets e-discovery requirements.
- Legal Department. The in-house Legal Department must not only manage the e-discovery process. It must design and manage effective records management policies, educate all employees about the e-discovery process and its role in management of risks, knowledge and records.
III. BUSINESS MODELS: INSOURCING, CAPTIVES AND OUTSOURCING
Business Models for Insourcing. Before comparing outsourcing and insourcing, it is helpful to consider the different business models in which an internal e-discovery operation can be financed. These models can be summarized:
- Infrastructure Investment in a Complete e-discovery Toolkit. At the “high end,” the enterprise can make a capital investment in the essential tools of a fully “in-sourced” e-discovery operation. Such an investment will have significant payback for enterprises having a high volume of litigation with predictable volumes of e-discovery demands. Such enterprises will need to invest in all the people, process and technology necessary for the operation. If the operation is highly automated, it can be effectively managed onshore. If it requires substantial human review, part of the operation may be handled in offshore locations with remote access, security controls and other measures to prevent loss of confidentiality, competitive advantage and effectiveness. This leads to consider a captive e-discovery service delivery center. In this case, outsourcing can be a viable solution for that portion of the e-discovery process that requires supervised human review and analysis.
- Pay-Per-Use Pricing. Where litigation is more volatile in terms of volume and timing, a “pay-per-use” pricing for insourced use of third-party technologies can prove cost-effective. This pricing model provides some benefits to enterprises that have very few litigations, but a large volume of ESI for assembly, analysis, protection and disclosure.
- Consumption-Based Pricing. Consumption-based pricing reflects the volume of ESI being sorted and analyzed. This pricing model provides benefits for enterprises that want to allocate litigation costs to individual lines of business or affiliated companies, as a charge-back accounting principle that effectively rewards litigation-free business managers for staying away from the judicial system.
Relative Advantages of Insourcing.
- Industries Affected by Persistent Litigation. Several software tools exist that allow in-house counsel and the CIO to conduct the full forensic discovery using staff employees. Internalization of the discovery process makes economic sense where the company is constantly involved in litigation. Such companies typically include insurance companies, banks, consumer products manufacturers, and can include food service chains and franchisees. Other companies that are subject to class action claims for torts or securities law violations can fall into this category as well, impacting virtually any publicly traded company that has a volatile stock price.
- Control of Records Management; Cost Management. Software and IT services companies argue that insourcing can significantly reduce the costs of e-discovery. They argue that, by taking control of the forensic search, collection, analysis and processing of a company’s electronic records, companies have more flexibility and control over the manner in which these critical discovery processes are conducted. This control can translate into cost savings by enabling a closer supervision on-site by the internal lawyers.Cost savings must be compared to comparable external services.Cost savings that might arise from an easier ability to make small changes in the search criteria, for example, may result in a loss of the hard-wired “e-discovery plan” that serves as the basis of justifying to the court that the discovery disclosures comply with civil procedure to locate and disclose all relevant records.
- Protection of Trade Secrets and Intellectual Property. Insourcing, or using captives, can provide a significant level of additional protection for knowledge management, trade secrets and intellectual capital. Such protection comes at the cost of maintaining internally controlled resources. Outsourcers will claim that their security levels are higher than those in many global enterprises. Outsourcers offer personal non-disclosure covenants by individual employees. But there is always a risk, whether through insourcing or outsourcing, that the personnel having access to trade secrets, for example, might abuse their positions of trust through tipping a securities investor, selling the ideas to a competitor of the enterprise or other tortious conduct. Even a non-disclosure agreement does not constitute a valid non-competition covenant, and even non-competition covenants are unenforceable as a matter of public policy unless strictly limited in time, territory and scope, and (in California and some other jurisdictions) they may require additional payments of consideration. In short, neither insourcing nor outsourcing appears to have a clear advantage in this field, except that e-discovery managers who are employed by the enterprise might offer an advantage by having ongoing knowledge of what is (and is not) a trade secret for faster, better, “cheaper” claims to a protective order.
- Effectiveness of Coordination and Collection of ESI. The use of skilled internal people who know the company’s operations may be able to provide better collection and coordination of ESI. However, “professional” e-discovery service providers may have the advantage in skills at the beginning as the company’s internal personnel become familiar with the processes and technology of e-discovery. Hence, insourcing might follow outsourcing until the processes can be internalized.
- Reduction of Risks of Noncompliance with e-discovery Rules. Well-trained, well-supported internal personnel might be able to reduce risks of non-compliance in the typical e-discovery process.
Relative Advantages of Outsourcing e-discovery. Outsourcing of e-discovery processes may be costly, but it may be the best solution for several reasons. This requires an analysis of the relative merits. This “gating analysis” should include appropriate considerations of staffing, quality, ethical risks and speed.
- Staffing. One of the key benefits of outsourcing, and one of the key parameters in selecting the right outsourcing service provider, is the service provider’s staff. The best outsourcers have developed a methodology for human capital management in the specialized field of e-discovery and related disciplines. The outsourcer designs a service delivery platform, recruits, trains and tests its staff in generic functions (including project management, information technology and security) and then offers this staff for custom-training on the litigating company’s particular process and e-discovery requirements.Using a business company to provide litigation support can run afoul of ethics and disciplinary rules applicable to the litigating company’s (or its law firm’s) lawyers. Law society rule in England will be changed if and when a pending draft law is modified to permit competent non-lawyers to perform tasks that might be considered the practice of law. Under applicable ethics opinions of the American Bar Association and various city and state bar associations, the in-house lawyer or outside law firm cannot escape certain core ethical duties:
- to supervise the work of the outside service provider;
- to avoid assisting in the unauthorized practice of law (“UPL”)
- to ensure the protection of client confidences;
- to avoid waiving any rule permitting a claim of legal privilege (and to rectify innocent or mistaken disclosures, see e.g., Fed. R. Evid. 502);
- to avoid conflicts of interest;
- to protect against data loss, theft or other act or omission that might constitute sanctionable spoliation;
- to comply with the rules of court relating to e-discovery and management of ESI at all stages.
- Vendor selection involves finding the right fit for the particular litigating company’s legal, regulatory, compliance, privacy, legal ethics and security requirements.
- Service Level Metrics and Quality Considerations. Few internal employees want to live by performance metrics. Outsourcers live by “guaranteeing” service metrics and other quality parameters.
Offshoring Issues. In considering an offshore captive or an offshore LPO outsourcing, the company’s lawyers must evaluate special cross-border legal issues.
- Export Controls. By transferring any U.S. data abroad, the company may require a license from one or more branches of the U.S. government. While commercial information may be subject to a general export license that does not require any notification, filing or administration, some information (such as software or design information that may have dual civilian and military uses) may require a specific license. Similar issues arise where the company’s ESI includes trade secrets, pending patent applications and other information that is subject to a required export license.
- Data Protection. Data protection rules under HIPAA and other legislation may apply to the data being processed. Foreign LPO service providers must ensure compliance.
- Privacy. Privacy rights arise from many legal sources and different jurisdictions. Depending on the source of any personally identifiable information (“PII”), any transfer of company records to a foreign LPO service provider may violate applicable rules. This issue suggests a proactive approach in the design and implementation of the company’s overall information management systems.
- Third-Party Consent. The information in a company’s database may include information that is licensed under restrictive disclosure conditions or where a third-party’s consent is required by an applicable law. Third-party consent may be required.
- Client Consent. The information in a company’s data base may also require the client’s consent
- Political Risk. Foreign service providers come with a suite of political risks that could impair service quality, timeliness of service, confidentiality and other custody and control issues for the ESI and the foreign nationals accessing such ESI.
IV. PROJECT MANAGEMENT
Most effective e-discovery procedures will require effective integration of internal and external resources. The design, planning, implementation, performance, intermediate re-balancing and supervision of all resources remain, of course, in the hands of the company, and, in particular, in-house attorneys. The Legal Department (which is ultimately responsible) may wish to consult with “outsourcing lawyers” not merely with litigation counsel on achieving a flexible, cost-effective, efficient design, vendor selection and supervision, review of compliance with ethics rules and project management.
Evaluation Process. Companies evaluating an LPO solution for e-discovery (or any other LPO) should therefore carefully explore all relevant implications, design the program for compliance and quality of service, address special issues involving any cross-border data flows and other commercial, judicial rules, legal and ethical requirements.
Project Management Roles. Each LPO project requires thoughtful and careful attention to ensuring that all responsibilities of the different parties are aligned with their roles. Within the outsourcing model, there is room for designing and allocating roles and responsibilities to give in-house attorneys control of the process so that they can manage the ethical responsibilities. The introduction of the LPO service provider raises new questions whether the cost-controlling measures will impair (or improve) the quality of the outcome. External lawyers could also manage the service providers.
V. BUSINESS MODELS
- Business Models. Currently, most LPO e-discovery services are conducted under business models of insourcing (including contract attorneys), captives and outsourcing.
- New Models. Over time, companies and their legal counsel will become more familiar with the tools, alternatives and strategies for effective LPO, including identifying and assessing risks and evaluating a risk-benefit matrix. With greater maturity in capabilities, new business models for identifying and managing e-discovery processes, tools and personnel may evolve. The impact of cloud computing, platform-as-a-service, software-as-a-service, virtualization of both servers and client computing and mobile computing will challenge enterprises and their technology and legal service providers to integrate a holistic and global ESIM process to incorporate the EDRM subset as “business as usual.”
In the United States, layoffs during the downward economic cycle following the dot.com bubble and then the 9/11 attack have had a severe impact on the local economies. In the resulting legislative debate over the impact of outsourcing, some state legislators have proposed a reversion to the “Buy American” principle that conflicts with international trade under the World Trade Organization. This issue underlines an emerging internal public policy debate on the desirability of international outsourcing.
NOTE: Posted in 2003, this seminal article could be updated for more recent manifestations of xenophobia in outsourcing.
“Buy American” in State Government Contracting.
In March 2002, a New Jersey State Senator, Shirley Turner, introduced a bill that would impose a “Buy American” rule on all purchases in the state.
“The Director of the Division of Purchase and Property and the Director of the Division of Property Management and Construction in the Department of the Treasury shall include, in every State contract for the performance of services, provisions which specify that only citizens of the United States and legal resident aliens in the United States shall be employed in performance of services under the contract or any subcontract awarded under the contract.”
N.J. Sen. No. 1349, 210th Legislature, intro. Mar. 21, 2002, passed in the Senate (40-0), Dec. 16, 2002.
The bill was inspired by the fact that “Recent published reports have indicated that telephone inquiries by welfare and food stamp clients under New Jersey’s Families First Program were being handled by operators in Bombay, India after the contractor moved its operations outside of the United States as a cost-cutting measure.” The bill was intended to ensure that State funds are used to employ people residing in the United States and to prevent the loss of jobs to foreign countries.
As a “mini-Buy-American” Act, this legislation does not provide any exception for:
- a determination that a domestic procurement is “not in the public interest,”
- a determination that the cost of a domestic procurement is “unreasonable,” or
- a determination that the particular goods or services being procured are not available in such commercially available quantities or quality as are available abroad.
All of these are exceptions under the federal “Buy American” act.
If enacted, such laws would apply only to government procurement. But such legislation could have repercussions on the image of offshore outsourcing throughout the United States.
The bill does not address issues of cost, or availability of local American services in the particular procurement.
Legality for Governmental vs. Private Purchases of Foreign Services.
As a matter of law, “Buy American” (or “Buy Local”) laws are illegal under the World Trade Organization’s General Agreement on Trade in Services (“GATS”) when they relate to purchases by private buyers. But for governmental buyers of services, the GATS allows such favoritism to local service providers.
Impact on International Outsourcing by Private Customers.
Legislation limiting government procurement to local service providers should not have any impact on the right of private companies, as customers, to hire any service provider worldwide to render any service.
- Freedom of Contract.
In our view, nothing in the various laws of individual states in the United States that currently are in consideration could validly overcome such freedom of contract.
In case of a war involving Iraq or other country, the United States federal government could validly adopt rules to safeguard its economy from foreign interests. As discussed below, this raises risks for contracting parties, but such risks may be surmounted through customary technical means for security, business continuity planning, redundancy and disaster recovery.
Buy American – Revival of the Past.
The “Buy American” legislation was originally adopted by the Federal government as a means of promoting local business. This legislation, at 41 U.S.C. 10a, is limited to the purchase of goods:
Sec. 10a. – American materials required for public use
Notwithstanding any other provision of law, and unless the head of the department or independent establishment concerned shall determine it to be inconsistent with the public interest, or the cost to be unreasonable, only such unmanufactured articles, materials, and supplies as have been mined or produced in the United States, and only such manufactured articles, materials, and supplies as have been manufactured in the United States substantially all from articles, materials, or supplies mined, produced, or manufactured, as the case may be, in the United States, shall be acquired for public use. This section shall not apply with respect to articles, materials, or supplies for use outside the United States, or if articles, materials, or supplies of the class or kind to be used or the articles, materials, or supplies from which they are manufactured are not mined, produced, or manufactured, as the case may be, in the United States in sufficient and reasonably available commercial quantities and of a satisfactory quality. This section shall not apply to manufactured articles, materials, or supplies procured under any contract the award value of which is less than or equal to the micro-purchase threshold under section 428 of this title.
This law has been rendered largely moot by the Government Procurement Agreement adopted at the Uruguay Round of the General Agreement on Tariffs & Trade. See Agreement Establishing World Trade Organization, Annex 4, Plurilateral Agreements, Government Procurement Agreement.
More recently, state legislatures in the United States have considered imposing some restrictions or prohibitions on the use of foreign service providers for contracts involving payment of state or local funds. In New Jersey, State Senator Shirley K. Turner introduced a bill that would prohibit any contracting or subcontracting to foreign service providers where the work could be done by American citizens or lawful permanent resident aliens. Similar legislation is reportedly under consideration (as of February 2003) in Connecticut, Maryland, Missouri and Wisconsin.
Policy Debate: Validity vs. Wisdom of Xenophobia.
As a matter of public policy, we must distinguish between law and policy. Would such legislation be lawful? Under the World Trade Organization (WTO) General Agreement on Trade in Services (“GATS”), it would appear valid for government procurement of services. As a “beggar-thy-neighbor” policy of keeping jobs at home, such legislation would help generate employment at a time of economic decline, reducing the costs of public welfare and other social costs.
Would such legislation be good public policy? Such legislation would deprive local governments of purchasing services at the cheapest price. It would hurt local taxpayers as consumers of government services.
World Trade Organization: No “Non-Tariff Barriers” for Private Trade.
Free trade under the World Trade Organization (formerly known as the General Agreement on Tariffs and Trade, or GATT) is based on certain fundamental principles:
- national treatment of foreign suppliers of goods and services, where each member state must “accord to services and service suppliers of any other Member, in respect of all measures affecting the supply of services, treatment no less favorable than that it accords to its own like services and service suppliers.” General Agreement on Trade in Services, Art. XVII(1), MTN/FA II-A1B, p.19).
- transparency of the laws and regulations governing international trade (subject to the supervening principle that disclosure is not required where it “would impede law enforcement or otherwise be contrary to the local public interest or would prejudice the legitimate commercial interests of particular enterprises, public or private.” See, e.g., Agreement on Trade-Related Investment Measures, Art. 6, MTN/FA II-A1A-7, p. 3.)
Market Access to Foreign Services Providers under GATS.
The WTO’s General Agreement on Trade in Services embodies the principle that, in sectors where a member state undertakes to grant market access to service providers from another member state, that market access cannot be restricted either nationally or regionally. Specifically, it is a violation of GATS for a member state to impose any restriction on market access in any of the following forms:
- Number of Service Providers: limitations on the number of service providers (such as in the form of numerical quotas, monopolies, exclusive services providers or the requirement of a “economic needs” test as a condition of market access).
- Value of Service Transactions: limitations on the total value of service transactions or assets (in the form of numerical quotas or the requirement of an “economic needs” test).
- Quantity of Services Provided or Service Operations: limitations on the total number of service operations or on the total number quantity of service output expressed in terms of designated numerical units, in the form of quotas or the requirement of an “economic needs” test.
- Number of Employees: limitations on the total number of natural persons who may be employed in a particular service sector or that a service provider may employ and who are necessary for, and directly related to, the supply of a specific service in the form of numerical quotas or the requirement of an economic needs test.
- Type of Legal Entity or Joint Venture: measures that restrict or require specific types of legal entity or joint venture through which a service supplier may supply a service.
- limitations on the participation of foreign capital in terms of maximum percentage limit on foreign shareholdings or the total value of individual or aggregate foreign investment.
General Agreement on Trade in Services, Art. XVI(2), MTN/FA II-A1B, p.18.
Exceptions to GATS Protections.
Several exceptions expressly permit a member state to disregard its obligations on trade in services.
Services Supplied in the Exercise of Governmental Authority.
By definition, the GATS does not apply to “services supplied in the exercise of governmental authority.” General Agreement on Trade in Services, Art. I(3)(c), MTN/FA II-A1B, p.14). In some countries, “governmental authority” involves the performance of functions that are considered commercial or otherwise not “in the exercise of governmental authority.”
In the United States, for example, in November 2000, President George W. Bush’s administration adopted regulations requiring that all governmental functions be evaluated and classified as governmental or non-governmental, and non-governmental functions are to be contracted out to outsourcers (or possibly even privatized).
National and international security considerations take precedence over trade in services under GATS. In particular, member states may take actions that they may deem necessary to protect “essential security interests” relating to services for provisioning military establishments, nuclear fuels or their materials, or any other action “taken in time of war or other emergency in international relation.” As a procedural matter, the member state must notify the WTO’s Council for Trade in Services when such “security exceptions” have been adopted and when they have been terminated. General Agreement on Trade in Services, Art. XIV bis, MTN/FA II-A1B, pp.16-17.
As a “national security” measure, a member state might impose an embargo on trade in services with one or more other WTO member states during a time of war. The exception applies “in time of war.”
This “war” exception leaves open a number of vital questions about the legality and viability of discrimination, trade embargos and other acts normally prohibited by GATS. The “war” exception does not specify that the embargo must only apply to another member state that is at war with the buying member state. But it is not clear whether the right to impose an embargo applies to a country that is perennially in a “state of emergency” or has never entered into a formal cessation of armed hostilities with a particular other member.
In a sense, this exception could arguably serve as the basis for a member state’s attempt to circumvent the WTO principles of free trade in services. In our view, such an attempt could invite trade reprisals and dispute resolution before a WTO dispute tribunal.
Deceptive and Fraudulent Practices; Contract Default and Enforcement of Rights.
Under GATS, member states may adopt and enforce measures of a general, non-discriminatory nature relating to “the prevention of deceptive or fraudulent practices or to deal with the effects of a default on service contracts. Accordingly, laws governing enforcement of rights and remedies under contract breach are not subject to GATS rules, so long as the laws are “not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services.” General Agreement on Trade in Services, Art. XIV(c)(i), MTN/FA II-A1B, p.15.
Similarly, under GATS, member states may adopt and enforce non-discriminatory laws for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of the confidentiality of records and accounts.” General Agreement on Trade in Services, Art. XIV(c)(ii), MTN/FA II-A1B, p.15).
Laws governing safety are also generally exempt from the rules of GATS, except if they are discriminatory or disguised trade restrictions. General Agreement on Trade in Services, Art. XIV(c)(iii), MTN/FA II-A1B, p.15.
Collection of Taxes.
Laws for the “equitable or effective imposition or collection of direct taxes,” or for the avoidance of double taxation under a tax treaty, may be somewhat discriminatory against foreign service providers. General Agreement on Trade in Services, Art. XIV(d) and (e), MTN/FA II-A1B, p.15).
Exceptionally, under GATS, the WTO principles of most-favored-nation treatment, market access and national treatment do not apply for governmental procurement of services. General Agreement on Trade in Services, Art. XIII(1), MTN/FA II-A1B, p.14). (The other principles, such as the “transparency” duty to publish applicable laws and regulations, remain unaffected.) The Government Procurement Code, adopted prior to the GATS, relates to trade in goods and does not require any treatment different from GATS.
Safeguard the Balance of Payments.
This exception allows a government to escape from GATS requirements to open its economy to free trade in services in order to safeguard the country’s balance of payments “in the event of serious balance-of-payments and external financial difficulties or threat thereof.” General Agreement on Trade in Services, Art. XII(1), MTN/FA II-A1B, p.12). This exception is not directed at measuring bilateral trade imbalance between two countries that are trading partners. Rather it focuses on multilateral trade and generalized imbalances in the balance of payments.
Conclusions for Outsourcing Services Providers.
If you are promoting the sale of your services from a foreign country, you should focus on the practical economic benefits of your service. This may include:
- abundant labor supply.
- rapid deployment of a large pool of skilled workers for early completion of a complex project.
- high quality standards, such as the Software Engineering Institute Capability Maturity Models for both software and services.
- low cost to the taxpayers whose governments are acting as purchasing agents.
- local presence in the host country, and the role of the host country employee pool for the service provider.
Conclusions for Purchasers of Transborder Services.
There are undoubtedly substantial risks of force majeure in outsourcing. But the WTO principles of national treatment for private-sector transactions and other fundamental protections of international trade in services are well established. Legislation by state legislators is not likely to have any impact on your ability to procure services at low cost under a clear outsourcing contract. Despite the risks and problems, using technological methods as well as legal contracts, you can protect your investment in foreign services.
Conclusions for National Governments.
The opening of borders to “free trade” under WTO principles leaves everyone exposed to the risk of loss of value of their knowledge in a rapidly changing information economy. Governments should focus on building a workforce that is skilled in knowledge tools.