U.S. Data Protection: The Draft Commercial Privacy “Bill of Rights” Act of 2011

April 29, 2011

On April 12, 2011, Senators John Kerry (D., Mass.) and John McCain (R., Ariz.) introduced the Commercial Privacy “Bill of Rights” Act of 2011 to protect the personally identifiable information (“PII”) and sensitive PII of U.S. consumers.  If enacted, the bill would delegate regulatory authority to the Federal Trade Commission to regulate all transactions (wherever processed) concerning U.S. consumers’ PII and sensitive PII where the data collector or processor collects, uses, transfers or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period.

Of the dozens of draft privacy statutes introduced in Congress in the last few years, this Commercial Privacy “Bill of Rights” Act of 2011 is the one most likely to be enacted.  It offers a prudent balance of protections and procedures for data collectors (covered entities) and data processors (service providers).  The penalties are very stringent.

Enterprise customers and outsourcing service providers should prepare for the enactment of this draft legislation as a law.  It’s not too soon to begin developing compliance programs and practices.   The following provides a summary of what is to come.

FEDERAL TRADE COMMISSION ROLE

FTC Regulatory Authority. This bill would make the FTC a U.S. data protection authority (similar to the DPAs appointed in Europe under the Data Protection Directive).  The FTC would have exclusive authority to establish, by rule, what constitutes “unfair or deceptive acts or practices” relating to privacy protections for PII and sensitive PII, and to enforce those rules.   However, in promulgating such rules, the FTC would not be allowed to require the deployment or use of any specific products or technologies, including any specific computer software or hardware.

OVERALL SCOPE

Key Legal Definitions. The draft legislation contains complex definitions of PII and sensitive PII, as well as “covered information” that the FTC would have authority to regulate for privacy purposes.  In summary, “covered entities” accessing “covered information” would be required to grant certain rights and adopt protections for the “PII” and “sensitive PII” of individuals.

PII. The term “personally identifiable information” would mean “only the following:

(A) Any of the following information about an individual:

(i) The first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name.

(ii) The postal address of a physical place of residence of such individual.

(iii) An e-mail address.

(iv) A telephone number or mobile device number.

(v) A social security number or other government issued identification number issued to such individual.

(vi) The account number of a credit card issued to such individual.

(vii) Unique identifier information that alone can be used to identify a specific individual.

(viii) Biometric data about such individual, including fingerprints and retina scans.

(B) If used, transferred, or stored in connection with 1 or more of the items of information described in subparagraph (A), any of the following:

(i) A date of birth.

(ii) The number of a certificate of birth or adoption.

(iii) A place of birth.

(iv) Unique identifier information that alone cannot be used to identify a specific individual.

(v) Precise geographic location, at the same degree of specificity as a global positioning system or equivalent system, and not including any general geographic information that may be derived from an Internet Protocol address.

(vi) Information about an individual’s quantity, technical configuration, type, destination, location, and amount of uses of voice services, regardless of technology used.

(vii) Any other information concerning an individual that may reasonably be used by the party using, collecting, or storing that information to identify that individual.”

Sensitive PII. The term “sensitive PII” would mean:

“(A) personally identifiable information which, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm; or

(B) information related to–

(i) a particular medical condition or a health record; or

(ii) the religious affiliation of an individual.”

Authorized and Unauthorized Uses of PII or Sensitive PII. An “unauthorized use” of PII or sensitive PII would be defined as “the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates.”  Several exceptions would apply to permit “normal” commercial, regulatory or implied consent situations, namely, the use of “covered information” relating to an individual by a “covered entity” (or its service provider) as follows:

(i) To process and enforce a transaction or deliver a service requested by that individual.

(ii) To operate the covered entity that is providing a transaction or delivering a service requested by that individual, such as inventory management, financial reporting and accounting, planning, and product or service improvement or forecasting.

(iii) To prevent or detect fraud or to provide for a physically or virtually secure environment.

(iv) To investigate a possible crime.

(v) That is required by a provision of law or legal process.

(vi) To market or advertise to an individual from a covered entity within the context of a covered entity’s own Internet website, services, or products if the covered information used for such marketing or advertising was–

(I) collected directly by the covered entity; or

(II) shared with the covered entity (aa) at the affirmative request of the individual; or (bb) by an entity with which the individual has an established business relationship.

(vii) Use that is necessary for the improvement of transaction or service delivery through research, testing, analysis, and development.

(viii) Use that is necessary for internal operations, including the following:

(I) Collecting customer satisfaction surveys and conducting customer research to improve customer service information.

(II) Information collected by an Internet website about the visits to such website and the click-through rates at such website (aa) to improve website navigation and performance; or (bb) to understand and improve the interaction of an individual with the advertising of a covered entity.

Several of these permitted uses depend on the covered entity having an “established business relationship” with the individual, which is judged under a “reasonable expectation” test: a use of PII is permitted only if it is one that the individual, at the time the relationship was established, could reasonably have expected to be related to a service provided under that relationship.   If the covered entity makes a material change to its practices without disclosing it, the permission would be deemed revoked.

Covered Entities. All “covered entities” would be subject to the new law.  These are defined as any entity that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period” and that falls within one of the bill’s jurisdictional categories.  Thus, for jurisdictional purposes, a covered entity is any entity engaged in interstate or international commerce over which the FTC has authority under the Federal Trade Commission Act (15 U.S.C. 45(a)(2)), a telecommunications “common carrier,” or a non-profit organization.   “Covered entities” would include service providers who receive PII on behalf of their enterprise customers.  “Third parties” receiving information do not include any “service provider used by the covered entity to receive personally identifiable information or sensitive personally identifiable information in performing services or functions on behalf of and under the instruction of the covered entity.”

NEW REGIME FOR LEGAL PROTECTION OF PII AND SENSITIVE PII

The draft legislation would create certain “rights” of individuals.  However, the individuals would not be able to enforce such rights by private litigation.  Individuals would only be represented by the FTC in an enforcement proceeding, leaving enforcement to the FTC (and, as discussed under Enforcement below, State attorneys general).

The Right of Data Security. The FTC would have to adopt a rulemaking to require each covered entity to carry out security measures to protect the covered information it collects and maintains.   Three criteria would apply:

  • Proportionality: The data security requirements would require security measures that are “proportional to the size, type, and nature of the covered information a covered entity collects.”  This standard is vague and could result in test litigation.
  • Consistency: The data security requirements would need to be consistent with guidance provided by the Commission and recognized industry practices for safety and security on the day before the date of the enactment of the proposed law.
  • Technological Means. The FTC would not be able to require a specific technological means of meeting a requirement.

Duty of Accountability by each Covered Entity.

  • Variable Rules according to Size, Type and Nature of Covered Information. The draft law would not impose one identical data protection program on every covered entity.   The FTC regulations under the law would define differences in “accountability” requirements “in a manner proportional to the size, type, and nature of the covered information” that each covered entity collects.
  • Duty of Responsiveness. Each covered entity would be required to have “managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementation of policies consistent with” the draft law.   Covered entities would need to have a process to respond to non-frivolous inquiries from individuals regarding the collection, use, transfer, or storage of covered information relating to such individuals.  Finally, covered entities would need to “describe the means of compliance of the covered entity” with the draft law upon request from the FTC or an appropriate safe harbor program established under draft law.

Duty to Implement a Comprehensive Information Privacy Policy. Similar to its duty of “accountability,” each covered entity would be required, “in a manner proportional to the size, type, and nature of the covered information that it collects,” to implement a comprehensive information privacy program.  There would be two minimum requirements for a legally sufficient privacy program.  First, this would require “incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered information of individuals” based on (A) the reasonable expectations of such individuals regarding privacy; and (B) the relevant threats that need to be guarded against in meeting those expectations.   Second, the covered entity would need to maintain “appropriate management processes and practices throughout the data life cycle that are designed to ensure that information systems comply” with the draft law, “the privacy policies of the covered entity,” and “the privacy preferences of individuals that are consistent with the consent choices and related mechanisms of individual participation” under the statutorily mandated notification requirements.

Privacy Notices:  Duty of “Transparent” Disclosure of Privacy Policy and Practices. While the FTC currently holds businesses accountable for complying with their self-described privacy policies, the draft law would require all notices of privacy policies to be “clear, concise and timely.”    Privacy notices would need to notify individuals of “the practices of the covered entity regarding the collection, use, transfer, and storage of covered information; and the specific purposes of those practices.”   Material changes to such practices could not be implemented without “clear, concise, and timely notice to individuals before implementation.”   All such notices would need to be “readily accessible” to individuals.  The FTC would be authorized to draft guidance for covered entities to use in designing their own notices, which may include a model template.   Such guidance could also cover how to construct computer-readable notices or how to use other technology to deliver the required notice.

Opt-Out Procedures. The new law would force covered entities to  offer individuals a “clear and conspicuous mechanism” for opt-out consent for any use of their covered information that would otherwise be unauthorized use, except with respect to any use requiring opt-in consent.

Opt-In Procedures. “Opt-In” procedures would be required for the collection, use, or transfer of sensitive personally identifiable information other than (i) to process or enforce a transaction or deliver a service requested by that individual; (ii) for fraud prevention and detection; or (iii) to provide for a secure physical or virtual environment.  “Opt-In” consents would also be required for the use of previously collected covered information or transfer to a third party for an unauthorized use of previously collected covered information, if (i) there is a material change in the covered entity’s stated practices that requires notice of change; and (ii) such use or transfer creates a risk of economic or physical harm to an individual.

Accessibility for Correction  of Information by Data Subject. Similar to the EU Data Protection Directive, the draft law would require covered entities to provide any individual to whom the personally identifiable information that is covered information pertains, and which the covered entity or its service provider stores, appropriate and reasonable (A) access to such information; and (B) mechanisms to correct such information to improve the accuracy of such information.

Exit Process: Depersonalization or Termination of Service Provider’s Access. New obligations would apply where (i) a covered entity enters bankruptcy or (ii) an individual requests the termination of a service provided by the covered entity to the individual (or termination of some other relationship with the covered entity).  In such case, the individual would have to be provided with some “easy” means to request that–

(A) all of the personally identifiable information that is covered information that the covered entity maintains relating to the individual, except for information the individual authorized the sharing of or which the individual shared with the covered entity in a forum that is widely and publicly available, be rendered not personally identifiable; or

(B) if rendering such information not personally identifiable is not possible, to cease the unauthorized use or transfer to a third party for an unauthorized use of such information or to cease use of such information for marketing, unless such unauthorized use or transfer is otherwise required by a provision of law.

Data Controller’s Duty regarding Data Processor’s Operations. The new law would adopt a similar distinction to the rules under the EU Data Protection Directive governing “data controllers” and “data processors.”  The wording would be different, but the core concept would be the same.   The FTC would be required to issue a rule to provide that with respect to transfers of covered information to a “third party” for which an individual provides opt-in consent, the third party to which the information is transferred may not use such information for any unauthorized use other than a use specified in the covered entity’s stated privacy policy and “authorized by the individual when the individual granted consent for the transfer of the information to the third party.”

  • Data Processors: Outsourcing to Service Providers. The draft law would enable covered entities to hire service providers.
    • Automatic Authorization to Disclose PII to Outsourcing Service Providers. “The use of a service provider by a covered entity to receive covered information in performing services or functions on behalf of and under the instruction of the covered entity does not constitute an unauthorized use of such information by the covered entity if the covered entity and the service provider execute a contract that requires the service provider to collect, use, and store the information on behalf of the covered entity in a manner consistent with the requirements” of the draft law and the policies and practices related to such information of the covered entity.
    • Transfers Between Service Providers For A Covered Entity. The disclosure by a service provider of covered information pursuant to a contract with a covered entity to another service provider in order to perform the same service or functions for that covered entity would not constitute an unauthorized use.
    • Liability Remains With Covered Entity. A covered entity would remain “responsible and liable for the protection of covered information that has been transferred to a service provider for processing, notwithstanding any agreement to the contrary between a covered entity and the service provider.”

Duty of “Data Retention Minimization.” The new law would restrict indiscriminate collection of PII beyond what is needed for providing services to the individual.  As a result, “covered entities” would be allowed to collect only as much covered information relating to an individual as is reasonably necessary for a permitted purpose.   Generally, such purposes would be limited to contract performance, service delivery, security, fraud detection, criminal investigation or other law enforcement, marketing, product development, website administration and customer satisfaction.

Limited Retention Period. Covered entities would have to limit the holding period for the PII.  They could retain covered information for only such duration as, with respect to the provision of a transaction or delivery of a service to an individual, is necessary to provide such transaction or deliver such service to such individual; or if such service is ongoing, is reasonable for the ongoing nature of the service.   For R&D projects, the duration would be limited to what is necessary for such research and development.   Cryptically, retention of PII would also be allowed as “is required by a provision of law.”   This cryptic reminder of the other retention periods “required” by law will undoubtedly raise questions as to what is permitted by law, such as statutes of limitation for litigation (which are not requirements for retention, but only a prudent business practice).

MANAGEMENT OF DATA PROCESSORS (OUTSOURCING SERVICE PROVIDERS) AS “THIRD PARTIES” OR “SERVICE PROVIDERS”

Constraints on Distribution of Information. The “covered entity” would be responsible for how the “covered information” is used by third parties to whom it transfers such information.  Third parties would have to use the information only for purposes consistent with draft law and as specified in the applicable data processing or outsourcing contract.

  • Duty not to Combine Data. Third parties would not be able to combine information that the covered entity has transferred to it, that relates to an individual, and that is not personally identifiable information with other information in order to identify such individual, unless the covered entity has obtained the opt-in consent of such individual for such combination and identification.
  • Due Diligence concerning Outsourced Data Processor.  Before executing a contract with a third party, the covered entity would be required to “assure through due diligence that the third party is a legitimate organization.”
  • Duty to Report Violations.  In the case of a material violation of the contract, at a minimum, the covered entity would have to notify the Commission of such violation.
  • Blacklisted Service Providers. Under the draft, a covered entity could not transfer covered information to a third party that the covered entity knows (i) “has intentionally or willfully violated a contract required by” the law, or (ii) “is reasonably likely to violate such contract.”
  • Application of Privacy Rules to Third Parties. Except for certain cases under FTC approval, a third party that receives covered information from a covered entity would be subject to the provisions of the draft law as if it were a covered entity.  This goes beyond the EU Data Protection Directive and would likely be used to obtain U.S. regulatory jurisdiction over all foreign service providers.   Exemptions would apply where the FTC decides that a “class of third parties” cannot reasonably comply with the law or compliance by such class would not sufficiently benefit the individual data subjects.

Data Integrity. Each covered entity would be required to “attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.”  Exceptions would apply for direct communications with the individual or receipt of information from another entity at the individual’s request.

ENFORCEMENT; PENALTIES; PRIORITY OVER STATE LAWS

Enforcement would be effected by litigation by State attorneys general or by the FTC.    No other person could bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating the draft law or a regulation promulgated under it.

Penalties for civil liability would be $16,500 per offense PER DAY, up to $3.0 million, adjusted for inflation.

PREEMPTION

The new law would supersede conflicting state laws.  The new law would not be construed to preempt the applicability of (i) State laws that address the collection, use, or disclosure of health information or financial information, (ii) State laws that address notification requirements in the event of a data breach; or (iii) other State laws to the extent that those laws relate to acts of fraud.

The draft law would not supersede the existing federal statutory framework for data privacy and protection applicable to telecommunications, banking, insurance, securities brokerage, fair credit reporting, children’s online privacy (COPPA) and certain other laws.

SAFE-HARBOR (FOR EUROPEAN UNION AND OTHER FOREIGN LAWS)

The draft law establishes a framework for putting the “Safe Harbor” program (now operated by the Department of Commerce) under the FTC’s jurisdiction.   The current Safe Harbor program arises out of an executive agreement, which is not a treaty.  It does not have the force of law.  The draft law would set up a statutory framework for such arrangements.

Foreign service providers that participate in, and demonstrate compliance with, a safe harbor program administered by the FTC would be exempt from enforcement by the FTC if the FTC finds that the requirements of the safe harbor program are substantially the same as or more protective of privacy of individuals than the requirements of the provision from which the exemption is granted.

SUMMARY

Of the dozens of draft privacy statutes introduced in Congress in the last few years, this Commercial Privacy “Bill of Rights” Act of 2011 offers a prudent balance of protections and procedures for data collectors (covered entities) and data processors (service providers).  It’s not too soon to begin developing compliance programs and practices.  However, if enacted, the draft law would result in a regulatory framework that will certainly change and evolve.

Business Intelligence and Industrial Espionage in Outsourcing

October 9, 2009

Boeing Loses $1 Billion in Transactions as Punishment, Escapes Debarment

Summary.

“Business intelligence” refers to the practice of collecting and analyzing competitive information in the marketplace to assist an enterprise in self analysis and redirection of its resources to maintain and improve competitiveness.  “Industrial espionage” refers to the clandestine methods of obtaining competitive information that is not publicly available.  As a legal matter, this distinction can have serious consequences. This case study offers some suggestions for staying on the right side of the law not only in business intelligence but also for internal audit controls and business ethics.

Boeing Punished.

In July 2003, the U.S. Air Force hit Boeing Company with the harshest punishment on any major U.S. military contractor in decades.  Boeing was found to have stolen thousands of pages of confidential technical documents of its archrival, Lockheed Martin Corp.  Boeing reportedly used such industrial secrets in submitting proposals to the Air Force in 1998 to provide satellite launching services.  As a result, the Air Force transferred to Lockheed the services of providing seven launches previously awarded to Boeing, and in addition awarded three more launches to Lockheed.

Boeing Escaped Debarment: “Too Big to Punish”?

Many commentators on the Boeing punishment have asserted that Boeing escaped debarment under the Federal Acquisition Regulations simply because it was too big to punish. The losses by other agencies would have been considerable.  Instead, the punishment related to the Boeing business segment that had allegedly violated the law, rather than to all other Boeing divisions.  This punishment reflects the difficulty of the Government’s use of the debarment process to protect Government interests when the supplier community is highly concentrated and consolidated.

The Economics of Business Intelligence.

Business intelligence serves a valid competitive purpose in the marketplace.  Gathering publicly available information:

  • sharpens the competition and increases opportunities for consumer and customer choice;
  • enables competitors to restructure their offerings of services and goods, often by restructuring key business processes for improved efficiency, reduced cost, better quality, a more attractive suite of services and goods and a broader appeal to a wider range of customers;
  • improves the efficiency of markets, accelerating improvements in customer service (and thereby the customer’s quality of life) and in the integration of external services with in-house services and with other external services.

The Law of Business Intelligence.

The law of business intelligence is limited by common law and statutes that protect proprietary rights, privacy rights and intellectual property.

Debarment under the Federal Acquisition Regulations.

Causes of Debarment.
Debarment can occur based on a conviction, a violation of law, or a cause of a serious or compelling nature. Debarment is a remedy available to the U.S. Federal Government under the Federal Acquisition Regulation.  Its purpose is to exclude “ineligible” contractors from new bidding.

Violations. The debarring official may debar a contractor for a conviction of or civil judgment for:

(1) Commission of fraud or a criminal offense in connection with-

(i) Obtaining;

(ii) Attempting to obtain; or

(iii) Performing a public contract or subcontract.

(2) Violation of Federal or State antitrust statutes relating to the submission of offers;

(3) Commission of embezzlement, theft, forgery, bribery, falsification or destruction of records, making false statements, tax evasion, or receiving stolen property;

(4) Intentionally affixing a label bearing a “Made in America” inscription (or any inscription having the same meaning) to a product sold in or shipped to the United States or its outlying areas, when the product was not made in the United States or its outlying areas (see Section 202 of the Defense Production Act (Public Law 102-558)); or

(5) Commission of any other offense indicating a lack of business integrity or business honesty that seriously and directly affects the present responsibility of a Government contractor or subcontractor.

Nonperformance; Violations of Public Policy.
In addition, a debarring official may debar a contractor, based upon a preponderance of the evidence, for:

(i) Violation of the terms of a Government contract or subcontract so serious as to justify debarment, such as-

(A) Willful failure to perform in accordance with the terms of one or more contracts; or

(B) A history of failure to perform, or of unsatisfactory performance of, one or more contracts.

(ii) Violations of the Drug-Free Workplace Act of 1988 (Pub. L. 100-690).

(iii) Intentionally affixing a label bearing a “Made in America” inscription (or any inscription having the same meaning) to a product sold in or shipped to the United States or its outlying areas, when the product was not made in the United States or its outlying areas (see Section 202 of the Defense Production Act (Public Law 102-558)).

(iv) Commission of an unfair trade practice as defined in FAR 9.403 (see Section 201 of the Defense Production Act (Pub. L. 102-558)).

Violation of Immigration Laws.
Additionally, debarment is available as a remedy against a contractor, based on a determination by the Attorney General of the United States, or designee, that the contractor is not in compliance with Immigration and Nationality Act employment provisions (see Executive Order 12989). The Attorney General’s determination is not reviewable in the debarment proceedings.

Lack of Present Responsibility.
Finally, debarment may be imposed against a contractor or subcontractor based on any other cause of so serious or compelling a nature that it affects the present responsibility of the contractor or subcontractor.  Such a determination is more subjective than other reasons, and may include abuse of confidential information through industrial espionage or as suggested below, failure to maintain internal accounting records and a history of unethical business conduct.

Consequences of Debarment.

Debarment prevents an entity from being an eligible bidder on new contracts but does not terminate existing contracts.   Contractors debarred, suspended or proposed for debarment are also excluded from conducting business with the Government as agents or representatives of other contractors, from acting as subcontractors and from acting as individual sureties.   By exception, an agency head or a designee may determine that there is a compelling reason for contracting with the debarred supplier.    This exception leaves open the choice of sanctions for misconduct, and leaves the affected agencies free to decide to ignore the debarment for their own internal purposes. FAR 9.404.

Non-Procurement Common Rule.

Also, under the “non-procurement common rule,” debarred contractors may be ineligible for nonprocurement transactions such as grants, cooperation agreements, scholarships, fellowships, contracts of assistance, subsidies, insurance and other government benefits.

Existing Contracts Not Abrogated.

Notwithstanding the debarment, suspension, or proposed debarment of a contractor, federal agencies may continue contracts or subcontracts in existence at the time the contractor was debarred, suspended, or proposed for debarment unless the agency head or a designee directs otherwise.   In addition, Government agencies may continue to order goods or services under purchase orders against existing contracts, including indefinite delivery contracts, in the absence of a termination.    However, agencies may not renew or otherwise extend the duration of current contracts, or consent to subcontracts, with contractors debarred, suspended, or proposed for debarment, unless the agency head or a designee states, in writing, the compelling reasons for renewal or extension.

Business Judgment and Evaluation of Factors in the Decision to Debar.

Under the Federal Acquisition Regulations (Section 9-406(a)), before arriving at any debarment decision, the debarring official should consider a range of business-judgment factors and an assessment of the impact on the Government.  The list includes:

(1) Whether the contractor had effective standards of conduct and internal control systems in place at the time of the activity which constitutes cause for debarment or had adopted such procedures prior to any Government investigation of the activity cited as a cause for debarment.

(2) Whether the contractor brought the activity cited as a cause for debarment to the attention of the appropriate Government agency in a timely manner.

(3) Whether the contractor has fully investigated the circumstances surrounding the cause for debarment and, if so, made the result of the investigation available to the debarring official.

(4) Whether the contractor cooperated fully with Government agencies during the investigation and any court or administrative action.

(5) Whether the contractor has paid or has agreed to pay all criminal, civil, and administrative liability for the improper activity, including any investigative or administrative costs incurred by the Government, and has made or agreed to make full restitution.

(6) Whether the contractor has taken appropriate disciplinary action against the individuals responsible for the activity which constitutes cause for debarment.

(7) Whether the contractor has implemented or agreed to implement remedial measures, including any identified by the Government.

(8) Whether the contractor has instituted or agreed to institute new or revised review and control procedures and ethics training programs.

(9) Whether the contractor has had adequate time to eliminate the circumstances within the contractor’s organization that led to the cause for debarment.

(10) Whether the contractor’s management recognizes and understands the seriousness of the misconduct giving rise to the cause for debarment and has implemented programs to prevent recurrence.

Proposed Debarment of MCI WorldCom.

Debarment may also be asserted for lack of adherence to internal controls over accounting and reporting systems and business ethics.  This argument was asserted against MCI (formerly WorldCom) on July 31, 2003, subject to administrative determination.

The argument is based on the contractor not being “presently responsible” because, in this case, the contractor was alleged to have been previously involved in one of the biggest shareholder frauds in U.S. history and still suffered ten “material weaknesses” in the company’s internal controls.  In the General Services Administration’s notification letter to MCI WorldCom asserting the proposed debarment, “A material weakness is a weakness found to be pervasive throughout an entire organization.  Each individual weakness is considered to be a significant control deficiency.  The acceptable standard is for a company to have no material weaknesses or, if one is found, for it to be promptly corrected.”

In MCI’s case, the GSA alleged that the company needed to implement “procedures and controls to review, monitor and maintain general ledger accounts. Implementing adequate controls on the general ledger is significant because that is where all of the company’s financial transactions are summarized for all of its accounts.”  MCI has promised to comply with the Sarbanes-Oxley Act of 2003 by June 30, 2004, one year earlier than the statute requires.  MCI noted that it is aware of the deficiencies and is cooperating with the GSA and the investigating agencies.

What a Customer Should Know about an Outsourcer’s Key Personnel.

Concentration of Sellers in an Industry.

Ordinarily an enterprise customer should not have many concerns about the prior employment history of a major outsourcing services provider.   After all, the services provider’s business is to maintain the confidentiality of its customers’ confidential data.  Without the customer’s trust that its data will be protected, the customer will not engage in outsourcing.   If the outsourcing service provider is engaged in a tightly competitive environment with only a few competitors, the customer could become concerned that its confidential information might float around the industry and become known to multiple outsourcing service providers, particularly those who service the customer’s competitors.  Thus, the customer should be concerned about the normal employment and privacy protection policies, practices and enforcement methods that the external services provider has adopted.

Employment Practices.

Employment practices are probably the most frequently abused methods of collecting competitive information in an illegal or wrongful manner.   Hiring an experienced person from a key competitor has long been a method of gathering competitive information.   If the person was in a position of trust and confidence, having had access to key competitive policy, strategy and tactical information, the newly hired employee is in a position to damage his or her former employer’s business.  Outsourcing customers may properly inquire about a proposed contractor’s hiring process.