“Change happens.” Sometimes it happens elegantly, with all parties agreeing. But change can be mismanaged, resulting in legal disputes over pricing, service level performance, the duty to perform and the impact on performance milestones. Change mismanagement happens too.
Change as a Matter of Choreography. Contracts for business services resemble complex choreography for artistic dance, where each dancer minimizes effort and intertwines and exits from the scene according to a musical score. “Work flows,” “flow charts” and “algorithms” define the dance steps, the dancers and the music.
In business process management (BPM), “change management” choreographs the changes in the scope of work, pricing, scheduling, service levels and other essential commercial terms of the outsourced services. By contract, the parties can establish a predictable process for permitting such changes to ongoing contracts, without resulting in breach or termination.
Change Mismanagement. Sourcing and procurement procedures must define procedures for managing changes that will not break the contract. Experience shows that both the enterprise customer and the service provider are capable of mismanaging the change process. Such mismanagement results in litigation and waste (the investment in the procurement process, startup costs and unwinding costs that may compensate the other party for unamortized profit).
Change Management Mistakes by the Enterprise Customer. Customers can make mistakes in planning that impact eventual operations:
- Inadequate financial analysis of the anticipated impact of the sourcing upon the operation, including neglect of the costs of contract administration and of price changes in the spot market over time.
- Inadequate “base case” that overestimates baseline demand, underestimates volatility in demand or fails to require internal procedures for governance of internal demand (such as charge-back pricing methodology for transparent allocation of costs of the services and contract administration).
Mistakes can occur in customer’s change management as well. For example, when the customer’s own clientele or consumers witness a severe decline in demand or transaction volume, the minimum monthly fees paid to the outsourcer might weigh heavily on costs. Of course, scalability in such volumes should have been anticipated, and the customer might have decided that the “price” of such minimum monthly fees was a safe bet in avoiding other capital investment that would otherwise have been necessary for continuing to offer the “services” in-house.
Severe volatility in such demand or transaction volumes can be very costly to the enterprise customer in a major outsourcing. For example, a supplier of mobile military equipment hired an IT service provider to ensure a high level of service, anticipating that the government customer would be well served. Then the military procurement strategists decided that the particular mobile equipment was not suitable for the next phase in the war. They wanted more mobility, less protection. So they canceled further purchases and continued only in “repair” mode for the existing fleet of such equipment. When the equipment supplier approached the IT service provider to reduce or redeploy the resources implied in the minimum monthly fees, the IT service provider refused, saying that such a change was too drastic and that the contractual termination fee was therefore due and payable upon presentation of an invoice. When the customer refused, the IT service provider sued. The matter was quickly settled with a substantial payment to the IT services provider and the customer’s loss of its upfront investment in the procurement process (lawyers, accountants, operations personnel and startup transition costs).
Change Management Mistakes by Service Providers. The biggest sin for a service provider is to invest additional time, effort and expense in providing services that are not paid for. Such change mismanagement can easily occur:
- Failure to notify the customer in advance of the need to change pricing due to customer requests for different services, different methods for service delivery or reduced or increased volumes of services.
- Failure to maintain records of changes in the services.
- Failure to obtain customer approval of changes in prices or pricing methodology.
- Failure to obtain customer approval for certain types of changes that have an impact on the smooth internal workflow of the customer’s in-house operations or the customer’s other service providers, and thus hamper the productivity of the enterprise customer.
For example, in 2005, Phoenix Signal and Electric entered into a contract with the New York State Thruway Authority to install cameras and signs along a toll highway. The contractor performed “extra work,” or “extras,” and claimed additional compensation. It claimed the extra work was justified because of the mutually unforeseen difficulty of performance, requiring an additional stage of work to provide sufficient cement foundations for the cameras and signs. Upon judicial review of the contractor’s claim for payment, the Court of Claims and the appellate court found that the additional stage was not an “extra” but was part of the base charges. Further, the courts rejected the contractor’s demands for payment of additional monies because the contractor had failed to meet two conditions precedent to payment: notice to the customer and adequate recordkeeping to enable the customer to audit the need and scope for the additional work. Phoenix Signal and Elect. Corp. v. N.Y.S. Thruway Auth., ___ N.Y.S. 3d ____, Dkt 512433 (Dec. 22, 2011, 3rd Dept App. Div.), NYLJ Jan. 3, 2012, dec.nylj.com/1202536924950. In short, depending on how the contract is written, the customer may refuse payment when the service provider mismanages the “change management” process.
Best Practices. All services agreements should define the parameters, processes and conditions for permitting changes. When the parties fail to plan, they plan to fail, and disputes will arise. A well-drafted Change Management procedure, implemented by regular reviews of performance against the contract terms, can avoid such mistakes.
In May 2011, the Indian Ministry of Communications and Information Technology issued a press release clarifying the rules framed under Section 43A of the Information Technology Act, 2000. This clarification is important for companies that handle sensitive personal information in India.
Section 43A of the Information Technology Act, 2000, deals with disclosures by Indian governmental bodies (a “body corporate”) of sensitive personal information to other Indian governmental bodies. Under rules adopted under such law, each Indian “body corporate” must adopt and provide a policy for privacy and disclosure of information. The “clarification” notes that “Any such disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission of the provider of the information.” Inter-agency disclosures must be for lawful purposes to pursue statutory mandates of the requesting agency (e.g., detection and prosecution of cybercrime) and the receiving agency must give an undertaking that the information obtained will not be published or shared with any other person.
This clarification sets forth a “best practice” in Indian governmental protection of sensitive personal information. The subject is relevant to outsourcing lawyers because such information that is transmitted from non-Indian sources to Indian ITO and BPO service providers becomes subject to the jurisdiction of the Indian government. In exercising such jurisdiction, the Indian government theoretically has access to information of foreign individuals.
Outsourcing agreements normally address issues of force majeure and cooperation in resolving governmental investigations. The “clarification” discussed above gives some comfort to those engaged in processing where sensitive personal data is accessible in India by Indian service providers. But the clarification also raises the visibility of the issue of cross-border data protection.
Belt and Suspenders, and From SOX to SOC’s: Changes in Service Audit Standards on the Service Organization’s Risk Management, Security and Process Controls
It’s Halloween 2010. We’re spooked by “security controls from the dead” (or the moribund).
How do you know your service provider is providing a secure environment for processing your transactions? Do you trust your service provider? Can you certify that your outsourcing relationship can withstand a shareholder lawsuit claiming you lack the necessary audit and control functions? Do you want a report on the description, design and operational effectiveness of controls at a service organization, and what do you get under current and future auditing, attestation and accounting “standards”?
SAS 70 Type II audits have become the de facto standard for publicly traded companies to meet their SOX 404(b) “audit and control” disclosure requirements. SAS 70 audits are big business for audit firms. Now, as the U.S. “generally accepted accounting principles” face convergence into new international accounting standards (IAS), enterprise customers risk losing familiar comfort letters. The emerging accounting standards suggest it’s time to think about “belt and suspenders” for security and process controls. This article considers the new approach to mitigating and managing risks through “control objectives” as “attested” in “service organization control” (SOC) reports for service organizations and subservice organizations in the services supply chain. This new approach comes into effect for fiscal years ending after June 2011. Important procedural details for the U.S. will be promulgated soon.
These changes in how “security” and “process control” are measured are certain to give a boost to consultants, auditors and lawyers. They will give a shot in the arm to:
o business analysts, BPM analytics software designers and sourcing consultants, who make a living on assessing and mitigating risk;
o sourcing lawyers, who make a living integrating, sharing and shifting risks in the global service supply chain; and
o service auditors, who will pursue a different profile (perhaps more complex) for service audits and will also enjoy reduced risk of professional liability.
The New Standards.
International Standards. In December 2009, the International Auditing and Assurance Standards Board of the International Federation of Accountants adopted International Standard on Assurance Engagements No. 3402 (ISAE 3402) as an “attest” procedure for assessing service organizations’ compliance with IT and process controls. Unlike an “audit,” an “attestation” (or “attest”) involves an audit professional’s attestation to subject matter (or an assertion about something) other than the fairness of the presentation of financial statements. An attestation is less rigorous than an audit.
U.S. Standards. In April 2010 the AICPA’s Auditing Standards Board (ASB) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Unlike an audit (such as under Statement of Auditing Standards 70), SSAE 16 is an “attest” report.
New SOC’s for Old SOX. In anticipation of implementing SSAE 16, the AICPA has adopted three new SOC’s to expand the scope of issues examined by CPA’s as service auditors. This helps companies gain more trust in service delivery processes. Under the SOC label, there are three separate categories of such service audits, designed to allow service organizations to meet specific needs. They are also intended to allow service auditors to refocus on niche risks.
SOC 1 Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC 3 Report – Trust Services Report for Service Organizations.
Value of Control Reports. The value of service audit reports depends on your role in the service supply chain.
Value to Service Organizations. Third-party reports on internal controls in service organizations describe the control processes in services provided by a service organization. Such reports give users information for purposes of assessing and addressing the risks associated with an outsourced service. If a service organization is compliant with SAS 70 Type II (or the new standards), the service organization gains the credibility that is essential to meeting the accounting and regulatory compliance needs of customers. Audits of service providers are necessary to a customer enterprise’s ability to certify that it has appropriate audit and control procedures to manage its business under Section 404(b) of the Sarbanes-Oxley Act of 2002.
Value to Users (Enterprise Customers). Users have been relying on SAS 70 Type II reports for comfort that their outsourcing contracts meet SOX 404(b) standards. However, the new “attest” reports will remove a layer of comfort for users, since the service auditors will not be exercising as much in the way of “critical judgment” and “we could have done better” analysis as under SAS 70 Type II. In short, the user will now have to exercise its own judgment of the acceptability of the “attest” reports and perhaps ask for a special “attest” report on user-defined “control objectives.” Users will now have to rely more on the service organizations to do the risk analysis, and the users will need to spot gaps in the service organization’s risk analysis.
Control Objectives. Audit and control procedures identify “control objectives” that target identified risks and seek to mitigate or control such risks. The outsourcing customer needs to understand the scope of the control objectives, since these are generally defined by the service provider. Traditional “control objectives” include security, change management, data integrity, completeness and timeliness. If the customer has any special needs, it needs to get a special “control report.”
Service Organization’s Definition of Control Objectives. Under the new regime, it is the service organization’s responsibility to identify “the risks that threaten achievement of the control objectives stated in the description of its system, and designing and implementing controls to provide reasonable assurance that those risks will not prevent achievement of the control objectives stated in the description of its system, and therefore that the stated control objectives will be achieved.” SOURCE: ISAE 3402, Para. 13(b)(4). In other words, the service provider needs to define the risks it faces and how it plans to mitigate those risks.
From the enterprise customer’s perspective, such analysis should confirm existing documentation and procedures in existing business continuity plans (“BCP”) or disaster recovery plans (“DRP”).
User–Defined Control Objectives. This is a tremendously valuable sales tool for service providers. However, enterprise customers need to know whether their own legal environment needs any different control objectives. This means that outsourcing customers need to identify “every aspect of the service organization’s system that each individual user entity and its auditor may consider important in its particular environment.” SOURCE: ISAE 3402, Para. 17(c).
Downgrade: From “Audit” to “Attest.” The change in 2011 from SAS 70 audits to SSAE 16 “attest” procedures will reduce the professional liability of auditors from high-value, high-risk audit services by converting their role to that of an “attest” function. In an “attest” function, the “auditor” (inspector) does not “audit” all material processes and functions, but merely relies upon the service provider’s assertion that its control system works in the manner described by the service company’s management.
Thus, under SSAE 16 and ISAE 3402, the auditing profession only checks on management’s description. The higher level of “audit” is reduced merely to “attesting” to what management describes. The new objectives of the “attest” inspection are limited to “attesting” whether:
o The service organization’s description of its system fairly presents the system as designed and implemented throughout the specified period (or in the case of a type 1 report, as at a specified date).
o The controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period (or in the case of a type 1 report, as at a specified date).
o Where included in the scope of the engagement, the controls operated effectively to provide reasonable assurance that the control objectives stated in the service organization’s description of its system were achieved throughout the specified period. SOURCE: ISAE 3402, Para. 8(a).
For Type 2 assessments, the report will provide assessments of whether:
a. The service organization management’s description fairly presents the service organization’s system as designed and implemented throughout the specified period;
b. The controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period; and
c. The controls related to the control objectives are operating effectively as stated in the service organization’s description of its system. SOURCE: ISAE 3402, Para. 9(k).
The key element is the “assertion-based engagement,” requiring the service organization’s management to describe their control objectives and procedures.
Audit Period vs. Audit Point. The new SSAE 16 rules will make some changes in the period covered by the assessment. In a Type 2 assessment under SAS 70, the description of the service organization’s control system was determined as of a specified date, rather than for a period. In a Type 2 assessment under SSAE 16, the description of the service organization’s system and the service auditor’s opinion on the description will cover a period (the same period as the period covered by the service auditor’s tests of the operating effectiveness of controls). SOURCE: AICPA.
Carve-Outs v. All-Inclusive Process Audits: Downgrade of the User’s Rights in “Subservice Providers.” In the service supply chain, an outsourcing provider might subcontract some services to a “subservice provider.” In the new “attest”-based, “assertion-reliant” assessment of controls, the outsourcing service provider can choose between an all-inclusive assessment (which includes subservice provider controls) or a “carve-out” assessment (which expresses no opinion on the suitability of design of controls or the operational effectiveness of subservice provider controls). Buyers of outsourcing services should know the difference and get assessments that cover the entire outsourced function. This issue arises at all sub-levels in the service supply chain.
Service Auditor’s Reliance on Service Provider’s Description and Representation Letter. The new accounting standards allow the “auditor” (“attest”-based inspector) to rely upon the service organization for a description of the control objectives and particular mandates. The service organization thus must specify the source of each control objective, such as by a particular law or regulation, or by another party (for example, a user group or a professional body). In essence, this shifts to the service provider a duty to define its regulatory environment by name and thus allows the assessment report to say there is “reasonable assurance” that the service provider complies with that legal environment.
In addition, the service organization must provide, in effect, a description of the types of services it performs (such as SOWs), the transaction processing and procedures manual (including procedures by which transactions are initiated, recorded, processed, corrected as necessary, and transferred to the reports and other information prepared for user entities) and transaction reporting manuals. This approach reflects a maturity in the outsourcing industry, since every high-value service provider adopts such protocols as a core marketing strategy.
The service organization will now have to give a “representation” letter to the service auditor. This letter will disclose information that the auditor would normally have sought to identify using audit techniques. Such disclosures must include all information “of which it is aware” about:
(i) Non-compliance with laws and regulations, fraud, or uncorrected deviations attributable to the service organization that may affect one or more user entities;
(ii) Design deficiencies in controls;
(iii) Instances where controls have not operated as described; and
(iv) Any events subsequent to the period covered by the service organization’s description of its system up to the date of the service auditor’s assurance report that could have a material impact upon the report. SOURCE: ISAE 3402, Para. 38.
Effectively, as a matter of fraud prevention, the new accounting standards (“attest” standards) will shift liability from the service auditor (for negligent discovery of lapses in the control environment) to the service provider. This puts the liability where the cash flow is deep, not where it is shallow.
Service Auditor’s Reliance on Internal Auditor’s Function. The new “attest” standards will allow the service auditor to rely not only on management’s description of the processes, but also on the service provider’s internal auditors. In a Type 1 assessment, the service auditor does not need to mention whether it relies on the work of internal auditors. In the Type 2 assessment:
if the work of the internal audit function has been used in performing tests of controls, that part of the service auditor’s assurance report that describes the service auditor’s tests of controls and the results thereof shall include a description of the internal auditor’s work and of the service auditor’s procedures with respect to that work. SOURCE: ISAE 3402, Para. 37.
In short, the “independent” service auditor can rely, if tested for reliability, on internal audits for Type 1 assessments without disclosing such reliance. Only in Type 2 assessments must such reliance be disclosed. Even then, however, it is not an “audit” but merely a compilation of information received from the service organization and the application of some “attest” procedures to review that work.
Suddenly, outsourcing customers will now need to know more about how internal auditors work and whether there are any special requirements for the customer to investigate. It’s a new world, with customers needing to fend more for themselves in audit and control processes.
Investors will need to make further assessments of their own, based on the changes in the intensity and level of “assurance” that outsourcing will not encounter excessive risks to the portfolio enterprise as an outsourcing customer.
Belt and Suspenders: New Challenges for Enterprise Customers. SAS 70 audits might still survive by special request from enterprise customers. The new SSAE 16 / ISAE 3402 “attest” model will challenge enterprise customers to become more familiar with security, BCP, DRP and other core control issues directly. Enterprise customers can thus begin to prepare a checklist for deal documentation, including both “attest” assessment reports and function-specific documentation that the enterprise customer must evaluate. Attest will be the belt, and direct documentation review will be the suspenders.
“Attest” Reports in the Cloud: A Good Time to Stop the Music. This shift in service auditor roles comes at a time when global enterprises are increasingly exploring data virtualization, software virtualization, platform-as-a-service (PaaS) and software-as-a-service (SaaS). Cloud computing creates a “perfect storm” showing the weaknesses of an “attest-based” “audit and control” function under SOX 404(b).
The new “attest” rules will encourage service providers to use “carve-out” principles to exclude subservice organizations from the scope of such security audits. Certainly in Web-based public cloud services a “carve-out” approach is the only feasible one, since, in Internet-based services, an “all-inclusive” service audit model fails. It is inherently impossible to do a service audit of all possible servers on the Internet.
Steps to Take Now. Whether you are a service organization or an enterprise customer, it’s time for a review of your “audit and control” rights and obligations relating to outsourcing.
o Impact Analysis and Assessment. Analyze and understand the impact of the shift from SAS 70 to SSAE 16 or ISAE 3402 upon your company’s process audits, as well as all service delivery and transaction reporting processes.
   o The impact affects your entire service supply chain, including you, your service customers, your service providers and all subservice providers who support you directly or who support your outsourcing service providers.
   o Discuss with your auditors the anticipated impact of SSAE 16 and ISAE 3402 on their own audit report, particularly whether they will want to make any exceptions to their fairness opinion.
o Requirements for Type of Report. Decide whether you want an “inclusive” or “carve-out” approach to reporting on process controls.
o Accounting and Compliance Criteria. Identify the criteria for your organization’s evaluation of the sufficiency of your service provider’s description of its processes and its internal audit functions.
   o Identify issues affecting design of the control objectives.
   o Identify evaluation criteria.
   o Identify gaps between:
      o control objectives and the evaluation criteria;
      o control objectives and the most recent risk assessments.
o Scheduling and Planning. Time your rollout according to when the new SSAE 16 standard will apply. Fiscal years beginning on or after July 1, 2010 are affected. Consider the benefits and costs of adoption of SSAE 16 on your costs, marketing, customer service delivery mechanisms, process and procedure manuals, recruitment and training procedures and on audit and financial reporting.
o Subservice Organizations: Identify Impact, Define Requirements. Evaluate subservice organizations under the new SSAE 16 (or ISAE 3402).
   o Explore their own compliance intentions.
   o Determine whether they will issue SOC’s, and which type.
   o Discuss what type of “description” they will issue to a service auditor.
   o Identify whether they will use a “carve-out” or an “inclusive” scope for the service audit, and consider the impact on your organization, including how to mitigate the negative impact of a “carve-out” or an “inclusive” report for Tier 1 suppliers combined with a “carve-out” report for Tier 2 (and N+2) suppliers in your service supply chain.
   o Consider how that will assist or impair your own marketing and compliance efforts.
   o Conduct a customer survey to determine your customers’ needs.
o Legal Review. Review your existing outsourcing contracts.
   o Identify your audit rights.
   o Amend your contracts to ensure you can obtain the type of audit rights and reports that you may need under the new “attest” models.
o Change Management. Engage in change management for audit as part of the global sourcing process.
   o Communicate with all key stakeholders internally and externally.
   o Changes in requirements.
   o Change in the risk assessment process to take into account the new gaps and structures of SSAE 16 and ISAE 3402.
   o Changes in procedures.
   o Redefine internal and external roles and responsibilities.
   o Training of affected personnel.
   o Changes in manuals.
   o Changes in contract management procedures.
   o Develop a procedure for being “audited” and for requiring “audits” under the new “attest” standards.
Time to get started. Even before Halloween!
OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com.
Insights by Bierce & Kenerson, P.C., Editors. www.biercekenerson.com
Vol. 10, No. 10 (October 2010)
Editor’s Note: Happy Halloween, Happy Election Day (USA)! This month’s article spooks us by helping us wonder whether we are getting all the data protection and integrity we thought we were entitled to. This should make us feel somewhat better about life, since the “robo-signers” and “robo-justice” mills for real estate foreclosures make ITO and BPO look like the solution to the evils brought about by sloppy (if not fraudulent) business practices. We are also pleased to announce a special webinar (full disclosure, the speaker is the Editor of this newsletter).
“LLC Toolkit for Designing Collaborative Business Models: Sweat-Equity, JVs and Global Services Businesses”
December 9, 2010, 11am – 12:20pm, EST US
Speaker: William B. Bierce, Esq., – Bierce & Kenerson, P.C.
This is an advanced seminar for experienced corporate and commercial lawyers as well as entrepreneurs, CEOs and COOs, investors, bankers, and venture capitalists looking for a different perspective on how LLC’s can be structured and governed. This webinar will address the fundamentals of structuring LLCs for use in special purpose environments, such as service-oriented and Web-based businesses in the US and globally. It will help lawyers understand key legal and tax issues in such environments for tax-efficient operations. This webinar is free and application for Accredited Provider status for CLE credit in New York is currently pending. To obtain more information, please contact Laura Sanfiorenzo and to register, click here.
Robo-Justice, n. (1) fast-track system in Florida courts for adjudication of foreclosures at the rate of 20 per hour, 7 hours a day, 5 days a week, per judge, unless service levels degrade for non-essential activities such as extra time for hearing evidence; (2) the swift and decisive hand of justice, meted out to fight the swift and decisive hand of the Robo-Signer.
Robo-Signer, n. (1) a person appointed by a bank or mortgage origination service company to sign thousands of loan documents per week; (2) phantom performing a fiduciary duty in a totally automated, human-free mechanism, with computer-generated rubber-stamped documents and corresponding human signatures; (3) human automaton approving computer outputs. See “Robo-Justice.”
December 7-8, 2010, IQPC presents the 10th E-Discovery Conference, New York, New York. The 10th eDiscovery Summit is the key meeting of the year for eDiscovery experts. The universe of ESI is continually expanding, and the costs associated with eDiscovery are on the rise. This unique eDiscovery event brings together in-house counsel, IT experts, document management professionals, outside counsel, solution providers, judges and regulatory experts. You will learn how to improve your eDiscovery processes and save time and money despite the onslaught of litigation. Some highlighted topics include:
- Incorporating advanced search technology and protocol into your eDiscovery processes
- Tackling the complexity of legal holds in light of the Pension Committee case
- Gaining insight from our Judges panel analyzing important 2010 eDiscovery case law
- Effectively managing the ever-increasing universe of social media content
- Implementing a proactive approach where litigation preparedness enables you to significantly cut costs and time in eDiscovery
Outsourcing Law contacts can receive 20% off the standard all access price when they register with the code OSL20. Register by calling 1-800-882-8684. View the program brochure for more details.
February 14-26, 2011, IQPC follows up with the 4th E-Discovery Finance Conference, New York, New York, focusing exclusively on the financial services industry. The Dodd-Frank Act is the most comprehensive legislative overhaul of the financial services industry since the Great Depression, and financial corporations must respond and adapt immediately. Changing technology creates fast-moving targets for corporations to reach. The burden falls on legal, information security, records retention and IT departments to ensure the best review, retention and destruction policies and procedures. A successful e-discovery team can mitigate the costs of e-discovery, reduce the volume of extraneous data, and avoid sanctions and other judicially imposed penalties. Highlights include strategies to:
- Keep costs down while maximizing efficiency.
- Comply with stricter, more expansive regulations.
- Implement and adapt to new technologies in order to “future-proof.”
- Stay out of the headlines for non-compliance or sanctions.
To obtain more information, click here.
February 14-26, 2011, Legal Process Outsourcing Conference, New York, New York. With advanced technology and tight budgets in a downturn economy, companies are exploring more cost-efficient alternatives for high-quality legal work. CEOs and CFOs are putting tremendous pressure on their employees to cut spending and, given the exorbitant cost of legal spend, in-house counsel are feeling the pressure more than most. Although legal outsourcing is not a fit for every law firm and in-house legal department, the legal community simply cannot ignore the expansion of the LPO market. This event will take an honest look at all sides of LPO and address the challenges, ethics, implications and strategies of legal outsourcing. Attending this Summit will help you decide where your company fits into this new outsourcing dynamic. For more information visit their website.
FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: firstname.lastname@example.org. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: email@example.com . Edited by Bierce & Kenerson, P.C. Copyright (c) 2010, Outsourcing Law Global LLC. All rights reserved. Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.
Case Study for Legal Risk Management for “Cloud Computing”: Data Loss for T-Mobile Sidekick® Customers
Telecom providers are increasingly outsourcing IT functions for “cloud computing.” A widespread data loss in mid-October 2009 by an IT outsourcer to a mobile telephony provider underscores the practical limitations of using the Internet as a data storage platform.
In this episode, subscribers to T-Mobile Sidekick® mobile devices were informed that their personal data – contact information, calendars, notes, photographs, to-do lists, high scores in video games and other data – had almost certainly been lost. T-Mobile (a service of Deutsche Telekom AG) had outsourced the management of the “cloud computing” function for the Sidekick® devices to Microsoft’s subsidiary, Danger, Inc. While T-Mobile offered a $100 freebie in lieu of financial compensation and some data was eventually recovered, the case invites legal analysis of the liability of any service provider – whether for mobile telephony or enterprise backup and remote storage – for “software as a service” (“SaaS”) or “cloud computing.”
Technological Framework for “Cloud Computing.” “Cloud computing” means simply that data are processed and stored at a remote location on a service provider’s network, not on the enterprise’s network or a consumer’s home computer. Such data could be any form of digital information, ranging from e-mail messages (such as those stored by Google and Yahoo!) to databases, customer records, personal health information, employee information, company financial information, customer contracts and logistics information.
“Clouds” come in two flavors: public and private.
- In a public cloud, the general principles of the Internet apply, and data transmissions can flow between many different third-party computers before reaching the service provider’s servers. Amazon offers hardware in variable computing capacities in its “Elastic Compute Cloud” (or “EC2”) service. Similarly, Google offers “App Engine.”
- In a private cloud, one service provider (alone or with its subcontractors) controls the entire end-to-end transport, processing, storage and retrieval of data.
Cloud computing exposes users to some key vulnerabilities and added costs:
- The user depends on a high-performance Internet connection. Service level performance cannot be guaranteed except in private clouds.
- “Single points of failure” (“SPOF”) in data transmission, processing and storage, for which special security measures and redundancy may be required. Heightened security risks require extra resources.
- Loss of control over the public portion of a “public cloud” can impair performance through delays and data loss resulting from uncontrolled environments.
- Delays in data restoration may occur due to interruptions in data transmissions.
- Business continuity, resumption and data protection require special solutions.
- Passwords could be guessed using information gleaned from social networking tools. If the user accounts are maintained internally on a controlled network, the systems can use techniques to detect and shut down misuse and abuse by users, based on aberrational access profiles (unusual times, volumes or sequences of activity) and access from unauthorized territories. In a public cloud, security tools such as data leak prevention (“DLP”) software, data fingerprinting, data audit trail software and other tools might not be effective, because the customer does not control the network or the hosts on which they would have to run.
Such vulnerabilities explain why “cloud computing” needs special controls if used as a platform for providing outsourced services.
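As an added example, not part of the original newsletter, the following Python sketch shows the kind of access-profile monitoring the last bullet above describes. It reads a constructed access log and flags three things: a login from a country the account is not authorized to use, two countries inside an implausibly short interval, and a burst of data exports. The log format, the sample entries and the per-user list of authorized countries are all assumptions made for this example, not facts from the article.

```python
"""Added example (not from the original newsletter): a small detector for
'aberrational access profiles and unauthorized territorial access', run
over constructed access-log lines.

Assumed log format (an assumption for this example):
    <ISO-8601 timestamp> <user> <source-ip> <country-code> <action>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log; every value below is invented for the example.
SAMPLE_LOG = """\
2009-10-12T08:01:10Z alice 203.0.113.5 US login
2009-10-12T08:03:44Z alice 203.0.113.5 US sync
2009-10-12T08:20:02Z alice 198.51.100.77 RO login
2009-10-12T09:15:00Z bob 192.0.2.10 DE login
2009-10-12T09:16:00Z bob 192.0.2.10 DE sync
2009-10-12T23:40:00Z bob 192.0.2.200 DE login
2009-10-12T23:41:00Z bob 192.0.2.200 DE export
2009-10-12T23:42:00Z bob 192.0.2.200 DE export
2009-10-12T23:43:00Z bob 192.0.2.200 DE export
2009-10-12T23:44:00Z bob 192.0.2.200 DE export
"""

# Per-user baseline (assumed): countries the customer has authorized per account.
ALLOWED_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}}

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 4                             # 'export' actions per user inside BURST_WINDOW


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, action = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, ip, country, action))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event], allowed=ALLOWED_COUNTRIES):
    """Return alerts as (user, rule, timestamp, detail) tuples."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        # Rule 1: territorial control - country not in the account's authorized set.
        for e in evs:
            if e.country not in allowed.get(user, set()):
                alerts.append((user, "unauthorized_country", e.ts, f"{e.country} from {e.ip}"))

        # Rule 2: impossible travel - consecutive events from different countries too close in time.
        for prev, cur in zip(evs, evs[1:]):
            if prev.country != cur.country and cur.ts - prev.ts <= IMPOSSIBLE_TRAVEL_WINDOW:
                alerts.append((user, "impossible_travel", cur.ts,
                               f"{prev.country}->{cur.country} in {cur.ts - prev.ts}"))

        # Rule 3: aberrational volume - a burst of exports inside a short window.
        exports = [e for e in evs if e.action == "export"]
        for i, e in enumerate(exports):
            window = [x for x in exports[i:] if x.ts - e.ts <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                alerts.append((user, "export_burst", e.ts, f"{len(window)} exports in {BURST_WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(*a)
```

Run against the sample, the detector raises three alerts: alice’s login from RO (unauthorized country), alice’s US-to-RO change inside sixteen minutes (impossible travel), and bob’s four exports inside four minutes (export burst). The point for the contract drafter is that each rule depends on data the customer must be able to see: authoritative per-user baselines and a complete, tamper-evident access log, which is exactly what is lost when the environment is someone else’s public cloud.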
In the October 2009 T-Mobile debacle, users relied on the telecom service provider to store and backup the data. Mobile telephony devices (other than laptops) were seen as tools for creating but not storing, significant volumes of data. Remote data storage was a unique selling proposition, or so one thought.
T-Mobile’s Technological Failure. In its website, T-Mobile exposed the technological sources of the failure of its “cloud computing” for mobile devices. It explained:
We have determined that the outage was caused by a system failure that created data loss in the core database and the back-up. We rebuilt the system component by component, recovering data along the way. This careful process has taken a significant amount of time, but was necessary to preserve the integrity of the data. SOURCE: T-Mobile Forums, Oct. 15, 2009 update.
Mitigating Damages: Public Relations Strategy for Restoring Customer Confidence and Maintaining Brand Goodwill. After some delay, without admitting any liability or damages, T-Mobile adopted a “damage control” strategy adopted from the usual “disaster recovery” process models:
Compensation. It offered any affected customers a $100 gift card for their troubles in addition to a free month of service.
Communication Outbound. It created and updated a Web forum for Sidekick users to get information about the nature of the problems, whether the data loss was irretrievable and the time to resume operations.
Communication Inbound. It provided an e-mail contact address so that it could respond to inquiries and thus identify and counteract rumors that might have been spreading.
Compliance. T-Mobile notified the public media since the “disaster” exposed it to the possibility that more than 5,000 consumers in any particular state might have had their personally identifiable information (“PII”) exposed to unauthorized persons such as hackers. Such notifications (along with other notices to individual customers and designated government officials) are mandated by state law in over 40 states.
Corrections and Control. It focused on remediation first, deferring resolution of any claims against its service provider, Microsoft’s subsidiary Danger, Inc.
Confidentiality. It kept its communications with its failing provider confidential and focused on remediation.
Escaping Liability for Damages. Generally, telecom service providers disclaim liability in excess of a small amount. Further, service contracts contain exclusions of liability for consequential damages as well as force majeure clauses. Generally, such disclaimers and exclusions are enforceable. However, various legal theories might prevent a service provider from escaping liability for failed service delivery.
Legal Risks for Providers of “Cloud Computing” Services. T-Mobile consumers might assert various legal theories against T-Mobile for damages if their data are not fully restored, or if T-Mobile fails to act promptly and reasonably to mitigate damages to consumers.
False Advertising; Unfair and Deceptive Practices. State and federal laws prohibit false or deceptive advertising and unfair and deceptive practices. Enforcement of these laws is generally reserved to governmental agencies such as the Federal Trade Commission, the U.S. Department of Justice and the state Attorneys General. Deception is a term of art and depends on the facts. In this case, the question is how strongly T-Mobile portrayed the benefits of “cloud computing,” and whether it warned against loss of data. If T-Mobile can show that it warned users of potential data loss and recommended that they back up their own data, such a warning might relieve it from liability. If T-Mobile represented that it would use reasonable security, backup and business continuity services, subscribers with lost data might have a claim of negligence or gross negligence.
Consumer Fraud. Under common law and state consumer protection laws, generally, a fraud occurs when the seller knowingly misleads or makes a false statement of fact to induce the consumer to make a purchase. A massive fraud is subject to a class-action claim in federal court under the Federal Rules of Civil Procedure.
Magnuson-Moss Warranty Act. Normally, an outsourcing services contract is not one associated with the maintenance of a product such as a telephone or a computer. If the service provider were also selling equipment to the customer, the customer were a “consumer,” and the service provider agreed to maintain or repair the consumer product, then the Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq., would apply. This risk explains why sellers of consumer products (mobile telephones) offer only limited warranties. The Magnuson-Moss Warranty Act is probably not a source of potential liability for T-Mobile, but that depends on the customer contracts.
Privacy Violations. Cloud computing providers may become liable to consumers or enterprise customers for failure to comply with applicable privacy statutes. Such statutes protect personal health information (under HIPAA), personal financial information (under the Gramm-Leach-Bliley Act), personally identifiable information (state and federal laws), financial information held by a plan fiduciary under ERISA, or simply confidential information that could be a trade secret or potentially patentable idea of an enterprise or its customers, suppliers or licensors. Data subject to export control laws and regulations governing trade in arms and “defense articles” is thus not a good candidate for “cloud computing” except in a “private cloud.”
Enterprises hiring third-parties to remotely process and manage their operational data are liable to third parties if any protected data is mishandled, depending on the exact wording of the law. Allocation of liability for privacy and security violations is typically a negotiated element of any outsourcing agreement.
Protecting Consumers in Cloud Computing. The legal framework for “cloud computing” needs to be well defined before it can become a reliable business model replacing networks or local workstations. Regardless of disclaimers in consumer contracts, providers of “cloud computing” services will need to adopt reliable, resilient storage backups, disaster recovery and business continuity services. Moreover, when hiring a “cloud computing” service provider (as T-Mobile did when it hired Microsoft/Danger, Inc.), the seller must ensure high standards by its subcontractors. Telecom outsourcing to IT providers requires special technical and legal controls to protect the consumer and the telecom carrier.
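As an added example that is neither T-Mobile’s nor Danger’s code and is not part of the original article, the following Python script demonstrates the control whose absence the Sidekick incident exposed: a backup is only a backup once it has been restored and checked, separately from the primary. The script takes a consistent copy of a database, records a checksum and row count in a manifest, then verifies the copy by restoring it to a scratch location and exercising it; it also shows that a silently corrupted copy fails the check. SQLite stands in for the production database; the schema, row counts and manifest format are constructed for the example.

```python
"""Added example (not from the original article): restore-test a database
backup so that loss of the primary cannot silently take the backup with it.
SQLite is a stand-in for the production database (an assumption)."""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def make_primary(path: str, rows: int = 100) -> None:
    """Create a constructed 'production' database with a contacts table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.executemany("INSERT INTO contacts (name) VALUES (?)",
                    [(f"user{i}",) for i in range(rows)])
    con.commit()
    con.close()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(primary_path: str, backup_path: str) -> dict:
    """Take a consistent copy via SQLite's online backup API (not a raw file copy)
    and return a manifest describing what a correct restore must look like."""
    src = sqlite3.connect(primary_path)
    dst = sqlite3.connect(backup_path)
    src.backup(dst)
    dst.close()
    rows = src.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]
    src.close()
    return {"sha256": sha256_file(backup_path), "rows": rows}


def verify_backup(backup_path: str, manifest: dict):
    """Return (ok, reasons). The backup is restored to a scratch copy and
    exercised there, so the verification itself cannot damage the backup."""
    reasons = []
    if sha256_file(backup_path) != manifest["sha256"]:
        reasons.append("checksum mismatch")
    with tempfile.TemporaryDirectory() as d:
        scratch = os.path.join(d, "restore.db")
        shutil.copyfile(backup_path, scratch)
        try:
            con = sqlite3.connect(scratch)
            if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                reasons.append("integrity_check failed")
            n = con.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]
            if n != manifest["rows"]:
                reasons.append(f"row count {n} != {manifest['rows']}")
            con.close()
        except sqlite3.DatabaseError as exc:
            reasons.append(f"restore failed: {exc}")
    return (not reasons, reasons)


def demo():
    """Back up a constructed database, verify it, corrupt it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        primary = os.path.join(d, "primary.db")
        backup = os.path.join(d, "backup.db")
        make_primary(primary)
        manifest = take_backup(primary, backup)
        good = verify_backup(backup, manifest)
        # Simulate silent corruption of the stored backup: overwrite part of a data page.
        with open(backup, "r+b") as f:
            f.seek(4096)
            f.write(b"\xff" * 512)
        bad = verify_backup(backup, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("fresh backup verified:", good)
    print("corrupted backup verified:", bad)
```

The design choice worth noting is that the manifest is written at backup time and the verification runs later and elsewhere; a scheduled restore test against an independent copy is what would have shown, before the outage, that the backup could not be relied on. The contractual counterpart is a service level on restore-test frequency and evidence, not merely on “backups being taken.”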
In making the classic “buy vs. build” decision in relation to services to manage sophisticated business processes, enterprises may elect to establish a captive enterprise to perform “shared services” for affiliates. The “shared services captive” is an alternative to buying outsourced services. But it is also an alternative to internal administration of a business process separately by individual departments, divisions or lines of business. Shared services captives can provide key advantages for diversified multinational enterprises, particularly as a cost-reduction technique when sales and sales margins might be eroding in a global economic downturn.
Captive Internal Bank.
Sony Corporation, the Japanese-based electronics and entertainment group, announced in June 2003 that it was planning a major expansion of intercompany banking services to help reduce financing charges and manage currency risks for all affiliates.
According to Sony’s managing director for Global Treasury Services, Mr. Hiro Kurihara (as quoted in an interview with the Financial Times), the London-based shared services operation will generate cost savings of approximately $30 to $40 million per year.
In addition, Sony projected reduction of risks of changes in currency in connection with the settlement of intercompany transactions. Sony plans to offset foreign exchange risks with services — normally offered by money-center banks — of “automatic cashless settlements” and “automatic sweeping.” This requires investment in information technology and integration with others in financial services markets.
Centralization, Specialization and Scale.
Sony’s Global Treasury Services acts like a clearing bank for all affiliates. In this centralized function, the shared services affiliate can aggregate volumes of transactions that are generic, but whose handling requires specialized skills. As a result, economies of scale can reduce per-unit costs and increase focus on specialized transactions that internal financial executives in operating affiliates might not have, or might find difficult, time-consuming or costly to acquire. The Sony shared services affiliate reportedly manages 95% of the enterprise’s financial derivatives and exchange swap transactions.
Transition and Transformation.
The transition to an internal financial services captive is part of a global restructuring that will result in accounting charges of approximately $1.2 billion. Restructuring to include new, enhanced shared-services affiliates may help multinationals such as Sony to transform their services models by increased efficiency and cost management.
Integration with Insourced Transactions.
Establishment of a shared services affiliate requires careful attention to integration with other internal processes. The shared services affiliate must define its “services offerings” and enable managers in affiliated lines of business to use the services with minimal cost and delay. As a result, virtually all “shared services” are digitally integrated. The degree of integration may range from the use of telephones and e-mails to a web-enabled, Internet-accessible portal. As a result, shared services affiliates generally are purchasers of services and technology from third parties.
Integration with Outsourced Transactions.
Indeed, shared services providers may be the largest purchasers of outsourced transactions. For example, Procter & Gamble was negotiating for a complete sale of its shared services affiliate to a global outsourcing services provider in 2002. When P&G was unable to obtain its desired sale price at the service charges that it wanted, P&G chose instead to hire Hewlett-Packard to provide selective outsourced services to support its insourced “shared services” operation.
Advantages in Shared Services.
Shared services affiliates, or “captive” service companies, have many of the advantages of an outsourcing without any loss of ownership and control over business processes, technology, intellectual property and personnel. Shared services captives can develop and retain knowledge capital involving sophisticated business transactions that individual affiliates cannot acquire due to smaller volume of similar transactions. As the business process involved becomes more subjective and susceptible to business judgment, shared services captives retain an advantage over outsourcing because that very subjectivity might be a core competitive advantage and might not be scalable.
Risk Management in Shared Services.
Adoption of a “shared services captive” approach involves a number of risks that can be managed by treating the captive as an external service provider of outsourced services. Such techniques include:
- adoption of “service level agreement” obligations, with financial incentives and consequences for failure, applicable to the management and employees of the shared services affiliates;
- details concerning the integration of the captive’s services with those of the other operating companies or lines of business;
- suitable insurance coverages;
- suitable contracting procedures for outsourcing of certain perfunctory tasks of the shared services captive to independent outsourcing services providers;
- human resources and intellectual capital management techniques for aggregation and accumulation of related processes and improvement in business processes, quality of service and optimal alignment with the key performance indicators of the core business’s mainstream operations.
Shared Services on the Continuum of Insourcing and Outsourcing.
In conclusion, shared services companies, or captives, perform roles that run along the continuum of fully vertically integrated insourced operations to a skeleton of core competencies supported by a network of outsourced operations. If a business process can be outsourced, it can also be insourced after the outsourcing. If it has been insourced, it could be structured more efficiently as a captive to look like an outsourcing. And once structured as an outsourcing, it could become a true outsourcing service provider to support non-affiliated customers, and could even be spun off to shareholders or sold to a strategic buyer. Thus, the captive shared services organization can mutate according to trends affecting customers, suppliers, corporate strategies, changing processes and changing marketplaces. In establishing internal captives, the lessons of outsourcing can improve performance and flexibility.
Suddenly, outsourcing benefits come to financial planners. But reports of the advantages may be too good to be true.
What is Outsourced, and to Whom.
In a lead article, The Wall Street Journal announced in April 2003 that a small number of financial planners are adopting an outsourcing model in their business, hiring “independent contractors” to manage tedious tasks. Such tasks might include:
- credit checks and reference verifications for new clients;
- data entry for investment statistics and record keeping;
- cash flow analysis;
- retirement planning strategy;
- preparation of financial plans.
Financial planners who outsource such back-office business processes claim that it allows them to devote more time to their basic business of consulting and counseling. The independent contractors, most of whom work from their homes, need little training to perform the functions, yet the outsourced functions are the time-intensive components of financial planning.
Legal Issues for Home-Based Workers.
Many issues arise in outsourcing to home-based workers.
Employment Relationship (vs. Consulting Relationship).
The Internal Revenue Service has published a list of 20 factors used to determine whether an individual who provides services is an employee or an independent contractor. Properly structured, the relationship can be shown to be independent, thereby saving the customer (a financial planner, for example) the employer’s share of Social Security and Medicare taxes.
Negligent Selection and Recruitment.
In an employment relationship, the employer is potentially liable under the tort theories of:
- respondeat superior (vicarious liability for the tortious acts of one’s employee) or,
- for certain intentional misdeeds by the employee, negligent selection and hiring without due diligence.
In an outsourcing context, virtually the same principle applies because the financial planner is liable as “general contractor” for the mistakes of the subcontractor. But, unlike an employment relationship, the contractor (financial planner) is generally not liable for malfeasance or intentional conduct of the outsourcing service provider.
Pension Plans and ERISA.
If the financial planner is deemed to be an employer, then the outsourcing services provider might be deemed covered by the Employee Retirement Income Security Act of 1974. Any pension, medical or profit sharing plan of the financial planner might have to cover the services providers, under penalties for any failure to comply.
Accidents on the Home Front.
Financial planners or others hiring home-workers should identify the respective liabilities of the parties in case of any accident while the home-worker is engaged in performing services. This is potentially a greater risk for an employer than an outsourcing customer, but it poses risks to both.
Any outsourcing transaction should be governed by appropriate confidentiality commitments to protect the information of the financial planner. But this raises a question whether the financial planner’s client is willing to have such subcontractors see the relevant confidential financial information.
Client Engagement Letter.
Accordingly, if third parties are to receive and review confidential or proprietary information, the client must approve the process. This principle applies as a statutory requirement if the financial planner is affiliated with a financial institution under the Gramm-Leach-Bliley Act, or if the information includes confidential medical information protected by the Health Insurance Portability and Accountability Act of 1996.
The financial planner will still need to manage the service provider. The costs and time of such management can be high if the financial planner does not have a well-organized plan of his or her own to use appropriate collaboration tools and review the work done by the service providers.
The best financial planners who outsource any function will follow the rules set forth above. In addition, they will use the right tools. Outsourcing customers, having learned the uses of e-mail, are now learning the uses of Web-enabled collaboration tools that permit close collaboration. Such tools do not require any physical presence of the service provider on site, or the use of the financial planner’s assets, inventory, rental space or other facilities.
Centralized Security and Storage.
Data security and storage must be managed effectively.
By outsourcing substantial portions of a business, the business manager risks losing the competitive advantage of controlling a niche specialty. This is a classic challenge for outsourcing customers generally. Like other risks, it requires a balancing of business, legal and commercial requirements with the perception that the business manager lacks the essential tools. So the marketing of such operations requires a continuous compelling reason for the clients to buy the services. Effective supervision and integration of outsourcing service providers adds value by providing teamwork and leverage.
By Ed Agar, primesourcingadvisors.com
October 27, 2003 – The drama surrounding Cable and Wireless’ US hosting business remains an unresolved story for its approximately 1,500 clients. Since declaring its intention to exit the U.S. market in early summer, C&W has yet to deliver a clear update with regard to its business direction. C&W seems to be avoiding the inevitable.
Fundamentally, C&W was viewed to have two alternatives: sell the assets and existing contracts to an interested suitor, or declare bankruptcy. Andrew Schroepfer, founder and President of IT Infrastructure research firm Tier 1 Research (tier1research.com), says there may be a third hybrid option on the table. “We believe there is a buyer at the table for some of the marginally profitable data centers and the customer base where C&W would pay the costs to close down some of the other sites. Such an option would save C&W from the bankruptcy issues and save it several hundred millions of dollars from the option to pay to merely close the entire business.”
Most customers of the firm appear to have remained loyal thus far, which confuses Danny E. Stroud, former CEO of managed hosting firm AppliedTheory. “I don’t understand why CIOs, COOs and in-house counsel are not heads-down working on alternative service strategies – why executives are subjecting their valuable IT assets to significant risk exposure is irrational,” he says. “Since the financial shakedown of the last couple of years, there are now many quality providers. Further, with the availability of hosting vendor rankings like the PrimeSourcing Index there is a multitude of data to help buyers make informed decisions.”
The ‘wait and see’ attitude of C&W customers may be attributed to two factors: 1) customers have remained loyal due to renegotiated flexible terms and distressed pricing offers, and 2) transition efforts to a new provider are time consuming, costly, and rife with execution risks for resource-strapped IT departments.
Outsourcing lawyer Bill Bierce of Bierce&Kenerson PC and publisher of outsourcing-law.com (outsourcing-law.com), thinks current customer indifference is a highly risky approach. He recommends that CIOs review their agreements for termination and transition rights in case of bankruptcy. Should C&W opt for bankruptcy and the sheriff padlock the front doors, customers may be facing some nasty surprises:
- Assets could be locked down, forcing customers to petition the court to move their assets out. IT assets could be expected to remain frozen for a period of several days to several weeks, which is longer than the period covered by the typical disaster recovery contingency plan.
- Bankruptcy could deprive C&W of the flexibility to service its customers in compliance with service level agreements. For managed services, the debtor may, with the bankruptcy court’s approval, reject executory contracts, leaving the customer with only an unsecured claim for damages rather than continued service.
- Customers may need to get a license to continue to use software licensed by C&W. The US Bankruptcy Code allows the bankrupt service provider to terminate a service but does not require it to allow the user to get access to any software that was used in providing the service.
- Where a bankrupt managed service provider abuses its credit lines with its own suppliers, paying customers have no assurances that funds will flow downstream to subcontracted suppliers or even if subcontractors will be retained by the bankruptcy courts. As the cash cycle stops, the services may stop, too.
How C&W will respond to its obligations will be played out in the coming months. The experience of Exodus, Intel Online Services, WiTel, MFN, PSInet, Genuity, Northpoint, Rhythms, Network Plus, Winstar and others exiting the data center market has been mixed. In some situations, there have been documented examples of looting, destruction of property, stranded customers, and total withdrawal of services accompanying a dark data center. “Some customers were forced to take extraordinary steps under duress to ensure service continuity, while other customers sustained revenue loss and productivity hits,” Stroud says. “Further, costs and performance degradation during a hasty transition to a new provider are generally significant.”
Stan Lepeak, VP of Meta Group Inc. (metagroup.com), a research firm, says the best hope for customers “is a prepackaged bankruptcy that allows the customer relationship to be bought by a ‘white knight’ with the court’s blessing. This process allows the shedding of liabilities.” There must be reasons why suitors have not already grabbed C&W’s US assets for pennies on the dollar. In simple terms, this would seem to indicate the business does not appear to be salvageable and that a clean buyout seems unlikely.
Given the above scenarios, it is recommended that prudent executives start to invoke contingency plans. According to Schroepfer, “aside from acknowledging that avoiding a migration is a good thing, we would move our own operations out of C&W if we were there.”
It is recommended that exit strategies be planned with the assistance of independent hosting consultants and specialized attorneys. Such trusted advisors are needed to understand the ramifications of outsourcing contracts. A critical element that hosting advisors are now assessing in selecting new providers is the vendors’ implementation of quality initiatives like ISO 9001, IT Service Management or Carnegie Mellon’s e-Sourcing Capability Model.
As a next step, Global 2000 firms should identify their degree of risk exposure to their internal audit committees in order to determine whether disclosure is required in SEC filings as part of Management’s Discussion and Analysis, in compliance with the Sarbanes-Oxley Act.
C&W is due to report its mid-year financial results in November, and it is also expected that they will communicate their future direction and intentions at that time. One can anticipate that the competition will feature attractive incentives and deeper price discounting in order to woo prospective C&W clients.
To an observer, it will be interesting to see whether C&W clients will be enticed by price incentives or whether there will be a ‘flight to quality’. Time alone will tell.
About the author
Ed Agar is co-founder and Principal of PrimeSourcing Advisors, an IT advisory firm. For more information, visit primesourcingadvisors.com.
Patents in Outsourcing: Strategy and Practice for Business Process Patents and International Trade in Services
Should a service provider develop a patent portfolio? In performing outsourced services, the service provider performs certain business processes that range from information technology to office procedures. Since U.S. courts have interpreted patent laws to make business processes eligible for patent protection, the patent law has played a small but growing role in business process outsourcing. This article addresses some key issues in patent law in outsourcing, including validity, infringement, extraterritoriality and the role of patents in outsourcing.
What is a Patent?
A patent is a statutory monopoly that allows the inventor to practice an invention, to allow others to use the invention under terms and conditions that the inventor considers acceptable and to prevent unlicensed persons from using the invention. Under U.S. law, an invention must be novel, useful and non-obvious to one skilled in the existing “art” (science). It is the specific claims in the specification of the invention that are entitled to the statutory monopoly. In patent applications, claims are written as independent (and therefore unrelated to any other claim) or dependent (and therefore viable only if the related independent claim is valid).
Impact on Competition.
Quite simply, patents stifle competition. For this reason, courts and regulators have adopted limitations on abuses of patents, such as tying the use of non-patented goods or services to patented goods or processes.
The patent application must set forth the “specification” that describes the exact scope of an invention and its method of “manufacture” in sufficient detail that it describes what is left to the public outside the scope. Markman v. Westview Instruments, Inc., 116 S. Ct. 1384, 517 U.S. 370, 373 (1996). The specification consists of two parts:
- a detailed “written description of the invention and of the manner and process of making and using it, in such full, clear and concise, and exact terms as to enable any person skilled in the art … to make and use the same.” 35 U.S.C. 112, para. 1.
- a conclusion “with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.” 35 U.S.C. 112, para. 2.
General Definition of Patentable Processes.
Patentable process “inventions” must involve a “process, art or method, and include… a new use of a known process, machine, manufacture, composition of matter, or material.” 35 U.S.C. 100(b). “Whoever invents or discovers any new and useful process, machine, manufacture or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor,” subject to the patent law’s other provisions. 35 U.S.C. 101.
Software patents have been issued in the United States since 1982, when Merrill Lynch patented a financial transaction software application that links securities brokerage accounts with “cash management accounts.” U.S. Patent No. 4,346,442. While early judicial decisions quibbled that the processing of data was not an eligible process, the courts and the U.S. Patent and Trademark Office have generally accepted the patentability of software.
Business Process Patents.
Business methods are the sequence of steps that are undertaken to engage in a specific business activity. Until 1998, a business method was considered to be an idea, and business methods as ideas were not patentable. In July 1998, the U.S. Court of Appeals for the Federal Circuit did away with that interpretation of the U.S. patent law. The case, State Street v. Signature Financial, legitimized the patentability of software that Signature had written to enable it to administer mutual funds more efficiently. The software merely embodied a business process. The court’s language was broad enough to embrace any business process (as long as it was new and “nonobvious” and had a “useful, concrete, and tangible result”). Congress has done nothing to restrict this judicial interpretation.
Once issued by the U.S. Patent and Trademark Office, a patent is presumed valid. 35 U.S.C. 282. The party who seeks to invalidate a patent or any individual claims has the burden of establishing invalidity. To meet this burden of proof, the party seeking to invalidate must prove the invalidity by “clear and convincing evidence,” a standard that is very high. Helifix Ltd. v. Blok-Lok Ltd., 208 F.3d 1339, 1346 (Fed. Cir. 2000). In making its proof, the party seeking to invalidate may rely upon a variety of arguments. Such arguments may include an assertion that the patent holder engaged in “fraud on the patent office” by failing to disclose relevant “prior art” that would have prevented the issuance of the patent in the first place.
In litigation seeking to invalidate a patent, the first issue is one to be decided by the judge: what is the scope of the claims in the patent? The second issue is one for the jury: has infringement occurred? Markman v. Westview Instruments, Inc., 116 S. Ct. 1384, 517 U.S. 370, 384-391 (1996).
Enforcement of Patent Rights.
Enforcement of patent rights presents problems both for the patent holder and for the alleged infringer. The patent holder risks invalidation of the patent, thereby losing the right to claim royalties from all licensees. The alleged infringer (who may include an unhappy licensee unwilling to pay future royalties) may risk heavy damages.
Doctrine of Equivalents.
Judicial interpretation of patent claims adopts two approaches: literal and interpretive. Under historical case law, the monopoly of a patent claim extends beyond the literal description and covers “equivalents” as well. Applying some judicial discretion in the interpretation of the literal scope, the doctrine thus allows an infringement claim where the differences between the accused device or process and the patent claim are “insubstantial” and represent only “trivial changes.”
Prosecution History Estoppel.
Affirming this principle, the U.S. Supreme Court has restricted it by noting that the patent applicant’s modifications to its application form a “prosecution history” that can serve as estoppel for any purpose under the patent law, not merely relating to eligibility (by narrowing it to deal with prior art). Festo Corp. v. Shoketsu Kinzoku Kogyo Kabushiki Co., Ltd., 535 U.S. 722 (2002). At common law, the equitable principle of estoppel serves as an enforceable bar to assertion of a right or claim of right. The Festo decision permits alleged infringers to review the file history and rely upon any concessions or limitations made by the patent applicant as a basis for limiting the scope of the patent claims. Prosecution history estoppel under Festo thus opens the floodgates for competitors who read the file history and look for concessions made by the applicant.
In Honeywell Int’l Inc. v. Hamilton Sundstrand Corp., 2004 WL 1202997 (Fed. Cir. June 2, 2004), the Court of Appeals for the Federal Circuit ruled that, in the patent prosecution process, the applicant is deemed to have waived the full breadth of a broad independent claim when it re-writes the claim to be more specific. Historically, patent prosecution involves the normal process of writing a “stand-alone” (independent) claim followed by a subsequent dependent claim (relying on the “stand-alone” claim’s basic premise). When the patent examiner rejects the stand-alone claim and asks the applicant to rewrite it to convert the dependent claim into a new stand-alone claim, the applicant may do so. In doing so, the applicant is deemed to abandon the full scope of the original stand-alone claim, and to rely only on the dependent claim.
Under the Festo decision as interpreted in Honeywell, rewriting the dependent claim into an independent claim form, accompanied by abandonment of the original broad independent claim, creates a presumption of “prosecution history estoppel” that nullifies the “abandoned” claim. As a result, patent applicants will probably be more prudent and narrowly focused when considering use of broad independent claims.
For outsourcing, this means that only narrowly defined claims will pass muster. Outsourcing services providers hoping to rely on patent protections will therefore be exposed to greater risks of competition due to lack of broad patent monopoly.
Defenses by Alleged Infringers.
The alleged infringer may allege various defenses, such as:
- absence of liability for infringement
- invalidity of the patent or any claim for substantive or procedural reasons. 35 U.S.C. 282
Extraterritoriality in Patent Law.
Patent law is a creature of the national law. Each country applies its own rules. U.S. patents do not cover the business processes or manufacturing process used in another country. John Mohr & Sons v. Vacudyne Corp., 354 F. Supp. 1113 (N.D. Ill. 1973).
However, goods made abroad using processes patented in the United States are subject to exclusion, upon importation, unless licensed by the U.S. patent holder. Exclusion requires registration of the patent with customs services. Enforcement of exclusion is hardly 100% effective.
Services performed abroad that result in delivery of information in the United States are generally not subject to U.S. patent protection. Where, however, a portion of the services is rendered in the United States, a U.S. business process patent will cover the U.S. portion of the services.
A number of international conventions, beginning with the Paris Convention of 1886, accord certain procedural rights in countries that adhere to them. The World Trade Organization’s Agreement on Trade-Related Intellectual Property requires participating countries to comply with the Paris Convention and certain other intellectual property conventions. WTO members must treat foreign nationals on a non-discriminatory basis in respect of the patent laws. The Patent Cooperation Treaty provides a mechanism by which an applicant can file a single application that, when certain requirements have been fulfilled, is equivalent to a regular national filing in each designated Contracting State. There are currently over 112 PCT Contracting States.
Relevance to Outsourcing.
Patent protection — or the lack of it — can affect the service provider’s ability to perform the scope of work under the outsourcing services agreement. Patents may be relevant to outsourcing, but not necessarily.
In the field of business process outsourcing, the service provider can achieve competitive advantage by having a patented process, since it allows that provider to perform that process without paying royalties and without patent infringement claims or litigation.
Having a pool of patents can be useful to avoid having to pay costs of infringement litigation and infringement damages. Without any patents, the service provider has nothing to barter in a cross-licensing transaction that could be proposed as a settlement.
One service provider uses part of the title to a U.S. patent as the phrase that defines its service brand: “On Demand Process….” [U.S. Patent No. 6,370,676] Public relations consultants and business developers might review the service provider’s patent portfolio for similar defining clues to brand development. Conversely, branding strategists should be consulted for strategic nomenclature of patent applications.
Termination for Cause.
Ordinarily, the enterprise customer relies upon the service provider’s indemnity against infringement in lieu of adopting a right to terminate for cause in the event of infringement. Such indemnities are customary. Enterprise customers might wish to consider whether reliance on such indemnification is sufficient as a remedy in case the service provider’s business process is determined to be infringing on some third party’s rights. Similarly, service providers should engage in appropriate research to determine whether their method of performing or delivering the services infringes, or risks infringing, a valid U.S. patent. In either event, the issuance of new patents to cover existing processes could be problematic for the business relationship.
BPO Patent Strategy in Practice: Who Actually Patents What?
We conducted a search of U.S. patents issued to leading outsourcing service providers in information technology, human resources and manufacturing. The results were not surprising.
- ITO and Consulting.
Outsourcers that specialize in managing IT and in consulting services do not hold many patents. Such service providers generally engage in “ordinary” and “well known” business processes that are ineligible for patenting, such as installing, configuring, fine-tuning, hosting and maintaining current versions of some commercial “off-the-shelf” software. Where the customer requires extensive customization, the work product normally belongs to the customer as a special project for a separate fee. Alternatively, the parties agree that the service provider will own and market the work product under agreed financial and operating conditions.
To the extent that ITO service providers do apply for patents, the patents tend to be in:
- a niche area (e.g., a system for cashing checks for persons without bank accounts where the customer must engage in some self-service task, U.S. Patent No. 6,038,553), or
- a generic function (e.g., data processing apparatus and corresponding methods for the retrieval of data stored in a database or as computer files, notably, methods and systems to facilitate refinement of queries intended to specify data to be retrieved from a target data collection, U.S. Patent No. 6,678,679).
Outsourcers that specialize in human resources management generally do not hold any patents. For example, a search of two HRO industry leaders showed that neither owns any U.S. patent.
- Business Process Outsourcing.
Business process outsourcing that relies upon software may be a good candidate for patent protection, but only for patenting the software. At this stage, the difference between a software developer and a service provider gets murky. Generally, BPO outsourcers do not pursue patent strategies but use other methods for protecting intellectual property and competitive advantage. Exceptionally, they may patent their software to defend against third party software developers.
- Original Equipment Manufacturing.
Outsourcers that serve as contract manufacturers logically focus energy on preserving their rights to conduct “contract manufacturing” in the United States and other countries. Companies such as Celestica, Jabil Circuit, Sanmina-SCI and Solectron have each developed some patents that relate to generic operations, not to specific product designs or manufacturing processes unique to their customers. As to the latter, the contract manufacturers require their customers to license any customer technology used in the manufacturing process, or at least refrain from suing over the contract manufacturer’s use of such process or any equivalents.
Factors Affecting an Outsourcer’s Patent Strategy.
Limitations of a Patent Strategy in Outsourcing.
Patent strategies depend on obtaining a global monopoly through global patenting. The limitations on patenting of business methods in a global digital economy suggest that patenting is not the solution for protecting a service provider’s proprietary processes.
- Costs of Global Patenting.
Assuming that a service provider wished to achieve global exclusivity, it would have to file patent applications in at least the 112 countries that are members of the Patent Cooperation Treaty, in addition to dozens more. The cost of prosecuting and maintaining patents is high, and could be worthless if “copycat” service providers were to infringe virtually all claims except for a few.
- Costs of Prosecuting Patent Infringers.
A “plain vanilla” patent infringement lawsuit costs an estimated $750,000 as a minimum. To such out-of-pocket costs, the patent holder must add the opportunity cost of the executive and technical personnel whose time is diverted towards the litigation process, the portion of their salaries, benefits and overhead allocable to the litigation process, and the costs of enforcing a judgment.
- Uncertainties of Patent Scope and Validity.
The patent application process contains many uncertainties. As to scope, under the Festo doctrine, any concession made by the applicant can be used as an “admission against interest” by a defendant. Patent holders making a concession to the patent examiner in any country may be deemed to have made the same concession in all other countries. Alleged infringers will scour the patent prosecution files in all relevant countries and look for such concessions. As to validity, any prior art (including customary usages of the trade, the technical literature and other pre-existing patents) that is not disclosed to the patent office could jeopardize the entire patent.
- Risks of Counterclaims of Patent Abuse.
In any litigation, the plaintiff risks counterclaims by the defendant. In patent cases, the counterclaims could include antitrust violations subject to triple damages under U.S. law, or simple damages for “abuse of dominant market position” under European Union law. For market leaders, the costs of defending counterclaims can be greater than the costs of pursuing a basic infringement claim. Also, where patent applications fail to disclose substantial prior art, the use of the patents to monopolize a field of business activity could arguably constitute patent abuse.
- Inconsistencies of Law, Legal Systems and Results.
Given the exclusive right of each country to adopt its own patent rules, service providers considering a patent strategy must accept the fact that what is patentable in one country might not be patentable in another country. “Whipsaw” in application of legal principles leads to unpredictability and inequity.
- Loss of Secrecy.
Because patents must be published to be enforceable, the inventor immediately loses all secrecy. (Exceptionally, a few patents are not published where interests of “national defense” apply.) Thus, pure “software” or pure “business method” might not be patentable in countries where competitors could use the software or method to perform the same service and export the results to the country that grants patent protection. Given the availability (and advisability) of encryption technologies and privacy methods, the foreign use of the software or method would likely go undetected, with no resulting enforcement of patent rights.
- Gambling with “Best Embodiment” Rules.
Sophisticated businesses, whether service providers or enterprise customers, engage in a game of hiding trade secrets while patenting a business process. The rules of this game are limited by the principle that the patent application must disclose the “best embodiment” of the full process.
- The Business Process Paradox in the Outsourcing Life Cycle.
Both parties in an outsourcing contract should understand the implications of what we call “the business process patent paradox.” Patents owned by the service provider make it stronger against competition and may enable the enterprise customer to enjoy the benefits of the service provider’s innovation investments. Yet, upon termination, the customer would need to be converted to a non-infringing process or be given an evergreen patent license usable by the customer or its successor service provider. Perversely, this patent paradox may inhibit the basic efficiencies of outsourcing, namely, scalability, portability, transparency, auditability and periodic renewal or replacement. One exception applies. In contract manufacturing, the customer might wish to patent its processes in the countries where infringement is most likely, such as by the contract manufacturer at the end of the OEM manufacturing agreement.
Advantages of Trade Secrecy.
Many outsourcing service providers prefer to retain their comparative advantage by using trade secrets. Trade secret protection does not protect against patent infringement. Trade secrets do not provide adequate protection where the trade secret becomes generally known. This risk is high in a digital global economy where information can be copied and stored in many ways that are not traceable to the authorized recipient of the trade secret. Optimally, the service provider will develop and use proprietary software covered by patents. Even then, the patents might not disclose the full process.
Patents could play a pivotal role in the competitiveness, viability and continuity of services provided by a service provider.
- Enterprise’s Own Proprietary Processes.
An enterprise customer that wants its service provider to perform “proprietary” business processes will need to consider the impact of that contractual requirement on its own risk profile, its willingness to indemnify the service provider appropriately and its ability to do, or hire others to do, alternative processes that are not infringing. Hiring a service provider to perform such processes might contradict other commercial policies, such as not outsourcing “core” business processes and keeping certain processes confidential as a competitive advantage, even though such confidentiality is customarily protectable under a non-disclosure agreement.
- Due Diligence and Selection Process.
Enterprise customers should ask the service provider for a description and list of all patents that the service provider owns or has pending.
The customary solution to patent infringement is to require the service provider to indemnify the enterprise customer in case of any alleged or actual infringement by the service provider of third-party patents and other intellectual property rights.
- Termination of Contract.
Historically, intellectual property infringement is not an event of default in outsourcing contracts. This situation will probably continue. Other contractual solutions exist that may allow the customer to enjoy the benefit of the contract or to terminate.
- Due Diligence.
The service provider should ask the enterprise customer about any patents and other protectable intellectual property that the customer would require the service provider to use (or that might be needed to perform the agreed services). As a defensive measure, the service provider should understand the applicability of any customer-owned patents and their impact on its own intellectual property strategies.
- Contract Provisions.
The infringement indemnity may extend to the interaction between the customer and the service provider’s business methods and processes. Appropriate allocation of liability and indemnification should be considered to avoid extending the infringement indemnity beyond processes that the service provider controls.
Litigation involving providers of software or services for peer-to-peer file sharing on the Internet highlights the risk for service providers under the theories of contributory infringement and vicarious infringement of copyright. The Napster, Aimster and Grokster file sharing systems and the Gnutella software provide some analogies for Internet hosting services.
A review of these decisions suggests that the developers of software might be able to escape liability if they lack the capability of controlling the uses of the software. But a service provider runs the risk of liability for its customer’s copyright infringement if the service provider uses software or systems that enable or contribute to copyright infringement by a “customer.” As a result, service providers need to clarify their roles and responsibilities in respect of copyright matters.
Privacy issues were also considered in a Verizon case involving a subpoena to a telecom service provider to disclose customer identities in a potential copyright infringement case.
Customer’s Infringing Activity.
In the famous Napster decision, Napster offered a service via the Internet allowing users (“customers”) to engage in sharing of files of music and other copyrighted works. Napster controlled the access rights to the system, so it was found to be liable for contributory infringement.
Contributory Copyright Infringement.
Under the doctrine of contributory copyright infringement, a service provider is liable for contributory infringement of copyrighted works if, with knowledge of the infringing activity, he or she “induces, causes or materially contributes to the infringing conduct of another.” A&M Records Inc. v. Napster Inc., 239 F.3d 1014, 1019 (9th Cir. 2001).
But if a manufacturer’s systems could be used for “substantial non-infringing uses,” as the Sony video cassette recorder was found to offer, the manufacturer’s generalized knowledge that some users might use the systems for infringing purposes is not sufficient to warrant liability for contributory infringement. Sony Corporation of America v. Universal City Studios Inc., 464 U.S. 217 (1984). In that sense, the manufacturer only had “constructive knowledge” of the infringement.
Where the defendant has “actual knowledge” of the infringement and the defendant materially contributes to that infringement, then the defendant is liable for contributory infringement, according to a California court scrutinizing a peer-to-peer file sharing system. If the defendant does nothing to facilitate the infringement, and is technologically powerless to stop it, the defendant is not liable for contributory infringement. Metro-Goldwyn-Mayer Studios v. Grokster Ltd., __ F.3d ___, C.D. Cal, No. CV 01-08541-SVW (C.D. Cal. Apr. 25, 2003); Metro-Goldwyn-Mayer Studios Inc. v. Consumer Empowerment BV, __F.3d __, C.D. Cal. No. CV 01-09923-SVW (C.D. Cal. Apr. 25, 2003) (hereinafter, “Grokster Decision”).
Critical to “contributory infringement” is the defendant’s substantial knowing support for the infringement by its users (customers):
As an initial matter, the record indicates that Defendants have undertaken efforts to avoid assisting users who seek to use their software for improper purposes. More critically, technical assistance and other incidental services are not “material” to the alleged infringement. To be liable for contributory infringement, “[p]articipation in the infringement must be substantial. The authorization or assistance must bear a direct relationship to the infringing acts, and the contributory infringer must have acted in concert with the direct infringer.” Marvullo v. Gruner & Jahr, 105 F. Supp. 2d 225, 230 (S.D.N.Y. 2000) (citation omitted); accord Arista Records, Inc. v. MP3Board, Inc., 2002 U.S. Dist. LEXIS 16165, at *16 (S.D.N.Y. Aug. 28, 2002). Here, the technical assistance was rendered after the alleged infringement took place, was routine and non-specific in nature, and, in most cases, related to use of other companies’ software (e.g. third-party media player software). [Emphasis in original text]. Grokster Decision, slip op., p. 25.
Vicarious Liability for Infringement.
Vicarious liability arises from the agency doctrine of respondeat superior under common law. Under the legal theory of vicarious liability for copyright infringement, a defendant will be held liable for contributory infringement when it is found that the defendant both:
- “has a right and ability to supervise the infringing activity” and
- “has a direct financial interest in such activities.” A&M Records Inc. v. Napster, 114 F.Supp. 2d 896 (N.D. Cal. 2000). This could be satisfied even by a free “service” since financial interest could be shown where the increased traffic to the defendant’s website would generate financial gain, even if the actual supervision of the infringing activity did not.
“As opposed to contributory infringement, one can be liable for vicarious infringement without knowledge of the infringement.” Grokster Decision, p. 27-28, citing Adobe Systems Inc. v. Canus Prods., Inc., 173 F. Supp. 2d 1044, 1049 (C.D. Cal. 2001) (“Lack of knowledge of the infringement is irrelevant.”).
In Napster, the “service provider” provided the central indices of files of copyrighted works being shared and exchanged. Similarly in the Aimster decision, the defendant managed a peer-to-peer file sharing network in which the defendant had the ability to terminate users and control access to the system. In re: Aimster Copyright Litig., 2002 U.S. Dist. LEXIS 17054, at *50-*51 (N.D. Ill. Sept. 4, 2002).
In contrast, in Grokster, the “service provider” merely issued software and started the chain reaction of granting access to some “starter files” that users could then disseminate without any control by the service provider. The Grokster service provider lacked the ability to block infringers’ access to a particular computer environment for any reason. The lack of control saved the Grokster service provider from vicarious liability for infringement.
Impact for Service Providers.
Taken together, the Napster and Grokster cases underscore the risk of contributory liability or vicarious liability for copyright infringement.
Statutory Protection – Copyright Infringement.
Certain statutes protect the service provider. For example, the Digital Millennium Copyright Act of 1998 has a procedure for allowing aggrieved copyright owners to seek to enjoin or stop an ongoing infringement.
Statutory Protection – Privacy.
Copyright is distinct from privacy law. However, a similar concept exists in privacy legislation, for protection of the data processor from liability for wrongful disclosure by its customer of confidential information. See, e.g., the pending “Consumer Privacy Protection Act of 2003,” H.R. ____, 108th Cong., 2d Sess. (proposed regulatory regime under the Federal Trade Commission for mandatory privacy policies and security policies and voluntary self-regulation programs). And, according to one court,
if an individual subscriber opens his computer to permit others, through peer-to-peer file-sharing, to download materials from that computer, it is hard to understand just what privacy he or she has after essentially opening the computer to the world. In re: Verizon Internet Services, Inc., Civ. No. 03-MS-0040 (JDB), __F.3d __ (D. D.C. Apr. 24, 2003).
Thus, courts may hold the user liable, without the protection of anonymity.
These cases highlight the importance of suitable intellectual property clauses in the outsourcing contract.