Regulatory Settlement of Fraudulent Robo-Signing by Mortgage Servicing Companies
September 30, 2011 by Bierce & Kenerson, P.C.
Like a well-designed software package, BPO services offer the advantages of process uniformity and standardization, scalability, speed to completion, predictability and transparency. When BPO is abused, the advantages can quickly turn into disadvantages of equally grand scale. Such is the tale of “robo-signing” of affidavits of compliance with banking regulations that were based on common practice of non-compliance. This article addresses the settlement by Goldman Sachs with the New York State Department of Financial Services and New York Banking Department in early September 2011.
The Business Services of Mortgage Loan Origination Management. The origination of mortgage loans is the first step in the syndication of bundles of mortgage loans for sales to investors, or for retention in a bank’s own loan portfolio of assets. Whether a loan is bundled into a package of collateralized debt obligations (“CDO’s”) or retained as a portfolio asset, the origination process must comply with applicable laws governing Truth in Lending and eligibility for loan guarantees. Such laws include full disclosure of applicable financing terms, consumer protection, due diligence and verification of due execution of the borrower’s promissory note, the mortgage securing the loan, and title documents confirming that the underlying assets are owned of record in the name of the borrower.
Robo-Signing. The phrase “robo-signing” arose in 2008-2009 when regulators discovered that many BPO service providers in loan origination services falsely provided affidavits of compliance with statutory requirements for bank lending.
The Sub-Prime Debt Crisis. Affidavits of compliance with loan origination requirements are an essential element of any loan origination program for a bank. In the 2000’s, many U.S. banks outsourced the compliance function to service companies. In the U.S. sub-prime mortgage crisis that began in 2008 and continues through at least 2011, the failure of the outsourcing companies to meet a service level of 100% compliance has triggered a tsunami of legal woes:
- Borrowers have alleged in court that they were defrauded (and therefore cannot be foreclosed).
- Investors have sued to rescind their investments in CDO’s because the underlying collateral was fraudulently obtained.
- The CDO market has become unsettled, impairing the free trade and circulation of CDO’s as a source of liquidity in the housing market (and thus a source of sustainability of higher prices).
- Housing prices have collapsed by 30% in many locations.
- Banks are not only prudent to ensure 100% compliance with loan origination laws, but they have been reluctant to lend to qualifying buyers, thereby depressing the housing market and increasing the immobility of homeowners seeking jobs elsewhere.
- Delinquent borrowers have been subjected to loan servicing fees that make it more difficult to repay the loan.
- Non-delinquent borrowers might have an escape from repayment obligations under principles of fraud and rescission, but they cannot escape due to the collapse of “normal” lending markets for residential real estate since 2007.
- Regulators have conducted investigations and sought penalties against banks using robo-signing practices.
Litton Loan Servicing: Goldman Sachs’ Alleged Robo-Signers. In September 2011, the New York State Department of Financial Services and New York Banking Department reached a settlement with Goldman Sachs, as owner of Litton Loan Servicing, as a condition of allowing Goldman to sell Litton to another mortgage servicing company, Ocwen Financial Corp. On September 2, 2011, Ocwen described the deal in its SEC filing:
On September 1, 2011, Ocwen Financial Corporation (“Ocwen”) completed its acquisition of (i) all the outstanding partnership interests of Litton Loan Servicing LP (“Litton”), a subsidiary of The Goldman Sachs Group, Inc. (“Seller”) and provider of servicing and subservicing of primarily non-prime residential mortgage loans (the “Business”), and (ii) certain interest-only servicing strips previously owned by Goldman Sachs & Co., also a subsidiary of Seller. These transactions and related transactions (herein referred to as the “Transaction”) were contemplated by a Purchase Agreement (the “Agreement”) between Ocwen and Seller dated June 5, 2011 which was described in, and filed with, Ocwen’s Current Report on Form 8-K dated June 6, 2011. The Transaction resulted in the acquisition by Ocwen of a servicing portfolio of approximately $38.6 billion in unpaid principal balance of primarily non-prime residential mortgage loans (“UPB”) as of August 23, 2011 and the servicing platform of the Business.
The purchase price for the Transaction was $247.2 million, which was paid in cash by Ocwen at closing. In addition, Ocwen paid $296.4 million to retire a portion of the outstanding debt on an advance facility previously provided by an affiliate of Seller to Litton. To finance the Transaction, Ocwen received a senior secured term loan facility of $575 million with Barclays Capital as lead arranger and also entered into a new facility with the Seller to borrow approximately $2.1 billion against the servicing advances associated with the Business.
The actual purchase price differed from the estimated base purchase price of $263.7 million disclosed in the current report on Form 8-K filed by Ocwen on June 6, 2011 as a result of certain adjustments specified in the Agreement for changes in Litton’s estimated closing date net worth, servicing portfolio UPB and advance balances, among others. The purchase price may be further adjusted as these estimated closing-date measurements are finalized after the closing date.
In connection with the Transactions, Ocwen, Goldman Sachs Bank USA, Litton and the New York State Banking Department have entered into an agreement (the “NY Agreement”) that sets forth certain loan servicing practices and operational requirements. No fines, penalties or other payments were assessed against Ocwen or Litton under the terms of the NY Agreement. We believe the NY Agreement will not have a material impact on our financial statements.
Settlement Terms. The “Agreement on Mortgage Servicing Practices” was consented to by Goldman, Ocwen and Litton. Goldman, which is exiting the mortgage servicing business with the sale of Litton, agreed to adopt these servicing practices if it should ever reenter the servicing industry.
According to the Banking Department, the settlement makes “important changes in the mortgage servicing industry which, as a whole, has been plagued by troublesome and unlawful practices. Those practices include: ‘Robo-signing,’ referring to affidavits in foreclosure proceedings that were falsely executed by servicer staff without personal review of the borrower’s loan documents and were not notarized in accordance with state law; weak internal controls and oversight that compromised the accuracy of foreclosure documents; unfair and improper practices in connection with eligible borrowers’ attempts to obtain modifications of their mortgages or other loss mitigation, including improper denials of loan modifications; and imposition of improper fees by servicers.”
“The Agreement makes the following changes:
- Ends Robo-signing and imposes staffing and training requirements that will prevent Robo-signing.
- Requires servicers to withdraw any pending foreclosure actions in which filed affidavits were Robo-signed or otherwise not accurate.
- Requires servicers to provide a dedicated Single Point of Contact representative for all borrowers seeking loss mitigation or in foreclosure, preventing borrowers from getting the runaround by being passed from one person to another. It also restricts referral of borrowers to foreclosure when they are engaged in pursuing loan modifications or loss mitigation.
- Requires servicers to ensure that any force-placed insurance be reasonably priced in relation to claims incurred, and prohibits force-placing insurance with an affiliated insurer.
- Imposes more rigorous pleading requirements in foreclosure actions to ensure that only parties and entities possessing the legal right to foreclose can sue borrowers.
- For borrowers found to have been wrongfully foreclosed, requires servicers to ensure that their equity in the property is returned, or, if the property was sold, compensate the borrower.
- Imposes new standards on servicers for application of borrowers’ mortgage payments to prevent layering of late fees and other servicer fees and use of suspense accounts in ways that compounded borrower delinquencies and defaults.
- Requires servicers to strengthen oversight of foreclosure counsel and other third party vendors, and imposes new obligations on servicers to conduct regular reviews of foreclosure documents prepared by counsel and to terminate foreclosure attorneys whose document practices are problematic or who are sanctioned by a court.”
Notably, the adoption of new “best practices” does not release Litton from future claims or from being investigated in the future.
Lessons Learned. While Goldman might have been negligent in supervising its mortgage loan origination subsidiary, it learned the lesson by divesting the BPO service provider to a larger, more stable BPO service provider. The services provided by Litton had helped feed Goldman’s role as an originator and underwriter of CDO securities that it then packaged and sold into financial markets. The sale of Litton represents an unwinding of this financial chain and should improve the credibility, marketability and liquidity of the CDO markets.
On a broader level, the New York banking settlement underscores the importance of a BPO service provider’s “getting it right the first time.” This means that service providers supporting regulated businesses should anticipate that their functions will be supervised by regulators even if their function is only a slice of a regulated function. As a result, the risk profile for service providers can be expected to increase where the enterprise customer or the service provider fails to ensure 100% compliance with regulations. Master Services Agreements should be structured to ensure appropriate allocation of liability, together with risk management practices to limit the enterprise customer’s exposure to regulatory investigation and penalties.
Surprisingly, there were no regulatory penalties for Goldman. This may be attributable to good lawyering as well as the fact that the “settlement” arose solely in the context of a divestiture, where the purchaser willingly purchased a troubled asset.
Impact of UK Bribery Act, 2011 on Best Practices in Global Sourcing
July 14, 2011 by Bierce & Kenerson, P.C.
The package of documents for outsourcing contracts has grown to include a copy of the customer’s “code of conduct.” The service provider contractually agrees to respect the customer’s code of conduct. Such codes of conduct pose tricky legal issues for both global business organizations and their service providers.
Such codes of conduct have immediate and compelling roots in the U.S. Sarbanes-Oxley Act of 2002. The “anti-bribery” component has roots in the U.S. Foreign Corrupt Practices Act of 1974 (“FCPA”), the United Nations’ Code of Conduct for Multinational Corporations and the OECD Convention on Combating Bribery of Public Officials in International Business Transactions. Like the U.S. FCPA, the U.K. Bribery Act, 2010, prohibits businesses from bribing foreign officials. The Bribery Act becomes effective July 1, 2011.
This article provides a brief overview of the core, generic principles of such legislation and recommends “best practices.” For enterprise customers hiring service providers, such practices should apply regardless of whether the immediate services are to be rendered outside the customer’s country. For service providers, such practices will not only facilitate getting hired, but also help avoid painful surprises.
Business Compliance Mandates. Both the FCPA and the Anti-Bribery Act make it illegal to bribe a public official. The U.K. law goes farther than the U.S. law because the U.K. law also prohibits “private-to-private” commercial bribery (such as kickbacks and undisclosed payments to gatekeepers).
Bribery. There are different definitions of “bribery.”
- Under the FCPA, it involves the “corrupt” payment (money or anything of value) to a foreign governmental official for the exercise of judgment. Illegal bribery does not include payments that are:
  - “facilitation” payments (“grease” payments) that merely accelerate governmental approval of a right to which the service provider is entitled under local law; and
  - not also illegal under foreign local law; and
  - made in good faith for “promotion, demonstration or explanation of products or services” or “execution or performance” of a contract with a foreign government.
- Under the UK Bribery Act, “bribery” offenses include:
  - “the bribery or attempted bribery” of a foreign public official to obtain business or to obtain an advantage in the conduct of business, where such an “advantage” could include any inducements to secure business or to “help” the business; and
  - the failure of a commercial organization to prevent bribes being paid by anyone “associated with” the organization, creating vicarious criminal liability for executives of UK companies for deeds of anyone performing services “for” the organization, including outsourcers, unless the business organization has adopted “adequate procedures” in a compliance program to escape strict vicarious liability for such deeds.
Bribable Persons. The Bribery Act defines a “bribable” person more broadly than the FCPA. In the US, a bribable public official must have sufficient authority to exercise discretion in the grant or denial of governmental action. In the UK, any level of public official is a bribable target.
Organizations Covered by the Laws; Extraterritoriality. Both laws cover foreign companies having a jurisdictional nexus within the UK or US borders, as applicable. Each law reaches extraterritorial conduct.
- For US purposes, the law applies to foreign companies with U.S.-listed securities. The 2010 Dodd-Frank law grants enforcement jurisdiction to the SEC and promotes whistleblowing. For monetary penalties over $1.0 million, a whistleblower can be entitled to a reward from 10% to 30% of the monetary sanctions actually recovered.
- For UK purposes, the law applies to any company that does business in the U.K., even if its securities are not listed on UK exchanges, regardless of whether that UK business has any relationship to the non-UK bribery activity.
Lobbying Expenses. The entertainment and lobbying of governmental officials raises the most difficult issues. Hospitality in one setting might be considered bribery in another.
Penalties for Business Executives. Penalties under the UK Bribery Act exceed the penalties under the FCPA. Under the Bribery Act, executives are subject to criminal (with jail time of up to 10 years) but not civil liability. Under the FCPA, the liability is either civil or criminal. The amount of organizational liability is unlimited under the Bribery Act.
Best Practices in Global Sourcing after the UK Anti-Bribery Act. The UK’s Secretary of State for Justice has issued interpretative “guidance,” but the UK’s Serious Fraud Office has announced its commitment to fully enforce the new law. Such guidance adopts best practices under FCPA and Sarbanes-Oxley. None of these laws prescribes specific tests; each starts with a culture of transparency, accountability and compliance. For the UK, such guidance includes:
- Tone at the Top: Liability of Leadership. Anti-bribery programs begin with the “tone” in the executive suite. Business executives (including the Board of Directors, officers and owners) must set that tone to assist subordinates in making appropriate decisions. A clear policy statement (Code of Conduct) must be communicated to all internal and external “resources.”
- Transparency and Enforcement. The procedures adopted by a business organization must be clear, practical, accessible, effectively implemented and enforced. This enforcement process imposes new burdens on global enterprise customers since merely adopting a Code of Conduct will not suffice.
- Risk-Assessment and Risk-Adjusted Proportional Procedures. The commercial organization should first identify the risks and then adopt anti-bribery procedures that are proportional to the risks. A balance must take into account the nature, scale and complexity of the commercial organization’s normal business operations.
- Risk Assessments – General. The risk-assessment process needs to be periodically re-done by persons having extensive understanding of the business organization’s risk profile. Risk reports are recommended. Such risk assessments should consider specific areas where bribery might be a problem. These include situations for obtaining governmental permits for new facilities, governmental certificates of compliance with local building, zoning and fire codes, obtaining new telecom circuits from governmentally owned telecom providers and other cases where “facilitation” or “grease” payments.
- Risk Assessments – Due Diligence. To mitigate bribery risks identified in the general risk assessments, the business organization must apply due diligence procedures to its internal and external resources and supply chain. It remains somewhat unclear how deep into the supply chain one must delve, since the “associated” business organization supplying goods or services may have its own issues.
- Risk Assessment – Compliance Officers. Risk assessment requires an ongoing role for a compliance officer.
- Implementation of Policies.
- Communication and Training. As with any other corporate policy, anti-bribery policies must be communicated to all employees. Periodic refresher training is suggested to update the policies and attune the employees (and external resources) to newly identified risks of bribery. As with the other forms of vigilance, the communications and training need not be exhaustive, but should be designed to be proportionate to the risks of bribery occurrences.
- Continuous Process Improvement. The business organization must engage in continuous review of the bribery risks, the anti-bribery policies and the procedures to prevent bribery by employees and others “associated with” the organization. In short, this invites a continuing dialogue with service providers, who should have answers and demonstrable programs that provide risk-adjusted assurances to the enterprise customer.
Examples of Some Best Practices. The critical path to compliance starts with steps to identify the business’s legal and social responsibilities that flow from doing business with, or in, the United States and/or the United Kingdom. These are key markets for any global services provider.
The “compliance checklist” will require policies, procedures and governance in the following areas, both for enterprise customers and for their service providers who wish to be “world class” in a world that includes serving U.S. and U.K. business organizations (or entities that are subject to such laws even if they are not based in such countries):
- Code of Conduct. “World class” companies need codes of conduct to embody the compliance component of their business mission.
- Contract Terms for the Supply Chain. Master services agreements need to include anti-bribery clauses that resonate with both US and UK laws.
- Managerial Guidelines. Bribery issues are now on a par with human resources and labor laws. Managers need effective guidelines.
- Chain of Command: Compliance Officers. World-class businesses need to designate individuals who have compliance roles for risk assessment, policy design and internal audit and enforcement. Governance models for relationship management in all sourcing contracts should reflect such roles.
- Financial Transparency and Controls. The FCPA requires companies with securities listed on the U.S. stock market to implement U.S. accounting principles. Such principles require accurate classification of payments including whether the payments are validly deductible for income tax purposes. (Under the U.S. tax code, bribes of government officials are not deductible). The FCPA’s legal requirements relating to “books and records” are easy to implement and enforce since there is no component of “criminal intent” (scienter).
- Audits of Service Providers. Remember SAS 70, Type II audits? The anti-bribery auditing business has just begun. The author and the publishers of this article can advise on how to identify and hire such new auditors, how to develop and implement effective, compliant audit programs (both for global enterprises and for world-class service providers).
Anti-Corruption Open Letter by Wipro’s Chairman and Others: Corporate Social Responsibility in Outsourcing in India (and other Emerging Countries)
March 31, 2011 by Bierce & Kenerson, P.C.
Outsourcing has created a middle class and an educated wealthy elite in India and other emerging countries. The legal framework that promotes private industry and international trade in services also distributes the benefits unequally. In a January 2011 “open letter” to the Indian Government, business leaders of Wipro and Mahindra (and other Indian industry) asked the Indian government for more attention to civil rights, social equity and clean and responsible government.
Open Letter. The public letter calls on India’s government to reform “the widespread governance deficit almost in every sphere of national activity, covering government, business and institutions.” The key focus was to improve the quality of the rule of law through:
- attacking corruption “with a sense of urgency, determination and on a war footing,” including the establishment of anti-corruption special public commissioners.
- “creation of genuinely independent and constitutionally constituted regulatory bodies, manned by persons who are judicially trained in the field concerned.”
- elimination of excessive administrative discretionary decisionmaking that has been “routinely subjected to extraneous influences.”
- making governmental “investigative agencies and law enforcing bodies independent of the executive.”
- unrelenting action to pursue a national mission without dilution or digression from the challenges of achieving growth and alleviating poverty.
For the online version, see http://www.rediff.com/business/slide-show/slide-show-1-an-open-letter-to-our-leaders/20110118.htm
Globalization of “Governance” and “Compliance.” The inspiration from this Open Letter draws upon the governance and compliance mandates imposed by well-drafted outsourcing contracts on the service providers in countries such as India. Governance, compliance and transparency are:
- legal mandates under U.S. securities laws (Sarbanes-Oxley), the U.S. Foreign Corrupt Practices Act (and similar non-US laws) and U.S. federal sentencing guidelines;
- accounting mandates under SAS 70, Type II audit guidelines;
- generally accepted “Business Process Management” principles that have evolved from ITIL software development guidelines and project management principles;
- shareholder democracy as reflected in principles of fiduciary duty of directors and officers; and
- contingency planning and risk management for multinational enterprises seeking to concentrate back-office operations in a few specialized service centers.
Wipro’s Chairman Premji understands this linkage.
Social Impact, Legal Framework and Effective Sourcing. The January 2011 open letter highlights the social impact of global sourcing on India and, probably, other countries that have engaged in privatization and promotion of global entrepreneurship.
Service Buyers. Enterprise customers now operate in an environment where “corporate social responsibility” (“CSR”) is measured by investors, local community groups, government and non-profits. When assessing prospective sourcing partners, enterprise customers should add the Open Letter criteria to their checklist and communicate the CSR issues for a dialogue. By addressing issues on the “rule of law” (versus “rule by bureaucrats”), the vendor selection process can serve the enterprise customer’s search for “viable” vendors, improve local legal frameworks and achieve more stable, predictable and resilient sourcing outcomes.
Service Providers. This plea by Wipro’s Chairman Premji and other Indian business leaders highlights the role of the service provider in promoting good governance in the host government. Service providers have a “bully pulpit” to promote social responsibility so that the benefits of globalization and outsourcing are distributed widely to the larger community in their countries. Focusing on a more transparent, less corrupt, less bureaucratic government will invite further foreign direct investment and avoid loss of opportunities for sustainable economic growth.
Global Sourcing Council. The Global Sourcing Council is a non-profit corporation dedicated to promoting sustainable business practices and corporate social responsibility in global sourcing. See www.gscouncil.org to join. (Full disclosure: the author of this article is a member of the Board of Directors of this organization.)
Managing the New “Trade Secrecy” Risks in Global Sourcing: Criminal Theft, Criminal Negligence, Espionage, Bribery, Antitrust and Cross-Border Law Enforcement
April 30, 2010 by Bierce & Kenerson, P.C.
Trade secrecy risks arise whenever an enterprise shares confidential business information with a supplier, service provider, joint venturer or customer. Trade secrecy protection measures should be planned and implemented through appropriate non-disclosure covenants by the third party and possibly even its employees and others in the value chain. Current trade secrecy risks are reflected in three seemingly disparate events: the Rio Tinto employee economic espionage and bribery case in China, the U.S. Department of Justice’s investigation into the anticompetitive use of non-competition covenants (“non-competes”) by high-tech companies and the Algerian-U.S. Mutual Legal Assistance Treaty (“MLAT”).
These three current events suggest that both enterprise customers and their service providers take a second look at their current practices for protecting trade secrets. At the end of this article, we offer a series of questions that need answers before any kind of outsourcing – indeed, any cross-border data flow — can take place. Such questions offer a basic refresher course, with “James Bond-compliant” updates, on challenges of trade secret protections in global operations.
I. The Current Context of Trade Secrets at Risk
Item #1: Bribery and Espionage in China (the Rio Tinto employee case). On March 28, 2010, China convicted Stern Hu, a Chinese-born Australian citizen and local sales employee of the British-Australian mining company Rio Tinto, and other Chinese-resident employees of Rio Tinto (but not Rio Tinto itself) of bribery and theft of trade secrets relating to price negotiations of iron ore for sale to Chinese state-owned companies. The trial was conducted largely in secret. Rio Tinto had previously rejected an investment offer from Chinalco that involved some Australian national security issues. Some analysts suggested the case was a political retaliation for that rejection and an abuse of judicial authority. Others suggested that the case leaves open the question of whether there was any rule of law or whether this was merely the use of judicial power to punish a foreign business that used aggressive means of driving hard bargains. The case attracted global attention to the concept in Chinese law that identifies non-public commercial information of a Chinese state-owned enterprise as a “state secret.” Rio Tinto initially defended the employees but then said they had acted outside the scope of their operations and authority. The employees were convicted and sentenced to 7 to 14 years in prison plus financial penalties.
On March 25, 2010, China’s State-Owned Assets Supervision and Administration Commission issued regulations on commercial secrets, but did not disclose them until the Rio Tinto employee verdict. Those regulations remain somewhat vague, leaving foreign companies (and Chinese companies that are not state-owned enterprises, or “SOE’s”) to interpret them at their peril. See www.outsourcing-law.com/jurisdictions/countries/china.
Item #2: Anti-Terrorism and Cybercrimes under a Mutual Legal Assistance Treaty. On April 7, 2010, the U.S. and Algeria signed a mutual legal assistance treaty to combat international crime and terrorism. According to the press release:
The mutual legal assistance treaty, or MLAT, will be an effective tool in the investigation and prosecution of terrorism, cybercrime, white collar offenses and other crimes. Among other tools, the treaty will help law enforcement officials from the two countries obtain testimonies and statements; retrieve evidence, including bank and business records; provide information and records from governmental departments or agencies; and provide a means of inviting individuals to testify in a requesting country.
The U.S. has approximately 50 such MLAT’s. Such agreements could be used to enforce criminal prosecutions of misappropriation of trade secrets, assuming such misappropriation is a criminal act in the relevant jurisdictions. The press release announcing the MLAT did not link to any copy of the treaty, and the Justice Department website does not publish a copy either. Interested parties will need to do some further investigation into how such a treaty might be used to enforce trade secret protections.
Item #3: Hiring Practices by Global Services Providers. Now, enterprise customers have to be worried about the legality of hiring practices – at least in the United States – of their outsourcing service providers. Since July 2009, the U.S. Department of Justice has been investigating the hiring practices of Google, Intel, IBM, Apple and IAC/InterActiveCorp., according to the Wall Street Journal and other news reports in April 2010. The reports claim that the U.S. Government could challenge, or chill, the use of non-competition covenants in industries, such as high-tech, where innovation drives comparative advantage and non-competes might constitute illegal collusion on cost management, thereby depriving knowledge workers of a market for their skills. The investigation appears inspired by cases where innovators are hired away and the former employer seeks to enforce a non-competition covenant, particularly where the new employer claims that the litigation lacks a valid legal basis and thus is anticompetitive. (Such a case happened in 2005 when Google hired a Microsoft engineer in China, and Google claimed that Chinese law did not permit enforcement in China of a non-competition covenant). Enterprise customers should now be concerned with compliance by their service providers with antitrust concerns.
II. The Law of Trade Secrecy
All these recent events underscore the need for prudent trade secrecy practices in the global supply chain. Trade secrets are now at risk due to potential civil and criminal espionage, bribery, cybercrime, and antitrust prohibitions on abusive and illegal anticompetitive practices. Further, the area of trade secrecy is now engulfed in national security and public policy considerations, underscoring the importance of a stable political environment for assuring the predictability of legal rights and enforcement actions in the various jurisdictions where trade secrets are shared and used in an outsourcing business relationship.
Trade Secrets. It is a best practice in outsourcing contracts to protect the enterprise customer’s trade secrets. The customer wants to know how this is done. Such protections can be applied to individual employees under non-disclosure agreements and maybe even non-competition covenants. NDA’s are generally enforceable but are generally construed in a manner to avoid depriving an employee (or service provider) of “general skill and knowledge” in the industry.
NDA’s are essential to enable any outsourcing, resourcing (retro sourcing back in-house) and transfer sourcing (to a new service provider on expiration or termination). As a matter of public policy under national laws, NDA’s are critical. The WTO protections of trade secrets are not very strong, based instead on non-secret intellectual property rights such as patents, trademarks and copyrights.
Non-Competition Covenants. Non-compete covenants are unenforceable in California as a matter of law and possibly in the BPO provider’s service delivery jurisdiction. Non-competes deprive employees of a right to be hired by competitors. They are unenforceable in some jurisdictions, and where enforceable they must be limited to reasonable scope in time, territory and subject matter. Employers can make the arguments, in an antitrust context, that non-competition covenants:
- are not anti-competitive in practice;
- do not deny employees the right to find work in non-competitive companies;
- are widespread across industries and countries; and
- are used by companies across many industries to maintain good business relationships by promoting exchanges of information across the full spectrum of personnel (not just through a narrow channel, like a chaperone of trade secrets), and as a result collaboration between technology-based companies is promoted by such practices.
An antitrust enforcer might argue that non-compete agreements distort access by skilled workers to mobility and job choice, thus depressing competition for skilled workers and depressing wages.
Risk Management: Knowing Your Service Provider’s Hiring Practices. Based on this antitrust activity, enterprise customers should investigate the employment practices of their service providers to understand clearly the contractual framework and legal enforceability of employment practices in the relevant jurisdictions. The legal framework for protecting trade secrets, or allowing them to be disclosed to the local government without judicial review with open adversarial procedure, should also be explored and fully appreciated. Thus, trade secrecy risks should be assessed in the selection of service providers, the scoping of the functions to be outsourced and the use of encryption and decryption before data transfers.
Compliance: Knowing Yourself and the Law. These recent events raise questions that compliance officers and legal departments, as well as product managers and CEO’s, should answer before any kind of outsourcing takes place:
1. What does the enterprise customer do today to identify and protect its trade secrets internally?
a. Identify types of non-public information from all sources that need to be maintained as non-public.
i. Securities (risk of liability for securities fraud)
ii. Financial information (risk of loss of advantage in pricing negotiations; risk of securities liability for failure to comply with Regulation FD or other “fair disclosure” rules)
iii. Human capital information (governed by labor laws and privacy laws)
iv. Technical data, such as designs, processes, formulae, manufacturing techniques (risk of loss of patent rights or loss of competitive advantage)
v. Marketing information (customer names and related business information relating to the enterprise’s customer relationship)
vi. Sales information (the existence of RFP’s and the contents of offers and other responses to RFP’s)
2. How much data does the enterprise need to have to accomplish its mission?
a. Avoid excessive collection and preservation of unencrypted:
i. personally identifiable information (“PII”) of individuals in any business relationship.
ii. healthcare information.
iii. credit card information.
b. Avoid collection of non-public information from third parties who might be under a duty of non-disclosure, or who cannot explain how they legitimately obtained the non-public information.
3. How does the enterprise ensure that it has the legal right to know the non-public information?
a. Obtain written confirmation from the disclosing party that it has the authority to make the disclosure.
b. Identify non-disclosure agreements and categorize the information so that it can be accessed, stored, retained and destroyed in accordance with the non-disclosure agreement.
c. Limit access by persons having a legitimate “need to know.”
d. Use the non-public information only as necessary to perform a legal and permitted business activity.
e. Avoid use of bribery, coercion, theft and other illicit means of acquiring non-confidential information.
4. How does the enterprise identify and protect the trade secrets of third parties with whom it does business?
a. Identify source of non-public information.
b. Identify the duration of any holding period for non-public information under any non-disclosure agreement.
5. What measures does the enterprise take to train and audit its employees for compliance with trade secrecy policies?
6. Does the enterprise identify special duties and special risks?
a. Take special measures to identify, segregate and protect “commercial secrets” or “state secrets” when dealing with a foreign state-owned enterprise (“SOE”).
7. How are trade secret rights recognized and enforced under local law? Are such rights clearly protected, or must a company rely upon contract or criminal prosecution?
8. What are the best ways to protect trade secrets from a practical viewpoint?
a. Divide work flows or discrete functions across suppliers, countries and sources to avoid having one person or supplier know too much.
b. Retain competitive information in-house.
c. Segregate sales and marketing functions from non-public information in internal technical, financial and human resources departments.
9. What is the history of trade secret enforcement in the country?
a. Risk of inadvertent criminal liability, including vicarious liability of senior executives for misdeeds of employees (See China’s Criminal Law, article 219).
b. Risk of investing in new products or services that cannot be exploited due to misappropriation.
c. Identify any history of data security breaches and remediation activities.
10. Does the enterprise customer’s country have a “mutual legal assistance treaty” or other agreement with the service provider’s country to prosecute “cyber-crime”, so that evidence can be exchanged and used in international abuses of trade secrets?
11. What policies, practices and contractual measures does the service provider take to protect trade secrets? Are such measures a violation of antitrust law and therefore unenforceable?
Outsourcing Law & Business Journal™: April 2010
April 29, 2010 by Bierce & Kenerson, P.C.
OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events.
Insights by Bierce & Kenerson, P.C., Editors. www.biercekenerson.com
Editor’s Note:
Three recent events conspired to produce our article about trade secrecy risks in this month’s newsletter; they were the conviction of a Rio Tinto employee in China, the signing of a mutual legal assistance treaty between the U.S. and Algeria, and the on-going investigations of hiring practices of tech companies, using non-competition covenants, by the U.S. Dept. of Justice. As a result, we are providing you with a checklist of questions that you need answers to before your company shares confidential business information during the course of contract negotiations. Read on…
Vol. 10, No. 4 (April 2010)
_______________________________
1. Managing the New “Trade Secrecy” Risks in Global Sourcing: Criminal Theft, Criminal Negligence, Espionage, Bribery, Antitrust and Cross-Border Law Enforcement. Trade secrecy risks arise whenever an enterprise shares confidential business information with a supplier, service provider, joint venturer or customer. Trade secrecy protection measures should be planned and implemented through appropriate non-disclosure covenants by the third party and possibly even its employees and others in the value chain. Current trade secrecy risks are reflected in three seemingly disparate events: the Rio Tinto employee economic espionage and bribery case in China, the U.S. Department of Justice’s investigation into the anticompetitive use of non-competition covenants (“non-competes”) by high-tech companies and the Algerian-U.S. Mutual Legal Assistance Treaty (“MLAT”).
These three current events suggest that both enterprise customers and their service providers take a second look at their current practices for protecting trade secrets. At the end of this article, we offer a series of questions that need answers before any kind of outsourcing – indeed, any cross-border data flow — can take place. Such questions offer a basic refresher course, with “James Bond-compliant” updates, on challenges of trade secret protections in global operations. For more on trade secrets, go to http://www.outsourcing-law.com/2010/04/managing-the-new-trade-secrecy/
2. Trade Secrets. Chinese Criminal Law, Article 219, imposes criminal liability for improper conduct relating to “commercial secrets.” The Criminal Law has only a vague definition of “commercial secrets.”….On March 25, 2010, the State-owned Assets Supervision and Administration Commission (“SASAC”) adopted regulations on commercial secrets applicable to approximately 120 state-owned enterprises (“SOE’s”)….The regulations were announced on April 26, 2010, shortly after the convictions of certain Rio Tinto employees of bribery and theft of commercial secrets. For the complete article, go to http://www.outsourcing-law.com/2010/04/trade-secrets/
3. Humor.
MLAT, n. (1) mutual legal assistance treaty; (2) milk-flavored coffee latte; (3) multi-legal aptitude test.
Trade secret management, n. (1) Hear no evil, see no evil, speak no evil; (2) keeping secret how you keep your secrets.
SOE, n. (1) state-owned enterprise; (2) social oriented environment; (3) sorry out of energy.
4. Conferences.
May 10-12, IQPC’s 7th Annual HR Shared Services and Outsourcing Summit, Chicago, Illinois. This event will be a gathering for corporate HR & shared services executives from companies across North America to exchange ideas, develop new partnerships and discuss the latest tools, technologies and strategies being employed in the profession to enhance departmental efficiencies and propel corporate growth. The event will focus on the most current topics in the HR shared services industry including metrics, automation, outsourcing, globalization, compensation & rewards, benefits and an overall focus on the new strategic role of HR shared services, and how to tackle change management, analyze current and future projects and further develop the instrumental key areas within HR shared services. Visit their website at http://www.hrssoutsourcing.com/Event.aspx?id=270796 to register and get more information.
May 17-19, IQPC presents its Information Retention & E-Disclosure Management Summit, London, UK. This is Europe’s premier event in this field, designed to help you steer your organisation successfully through lawsuits and regulatory inquiries. Topics include:
- Fast track your understanding of the Civil Litigation Costs Review: Hear directly from Lord Justice Jackson and engage in debate with our acclaimed international Judge’s panel
- Develop a legally defensible and technically sound Information Retention policy with a multidisciplinary approach with insights from Debra Logan of Gartner plus Pfizer, and Kleinwort Benson
- Reduce risk, cost, time and complexity of eDisclosure with critical updates on advances in technology
- Ensure compliance by sanity checking your strategy with the FSA and ICO
For more information, visit their website at http://www.informationretention.co.uk/Event.aspx?id=262244i
June 6-8, 4th Annual IQPC Shared Services Exchange™, Austin, Texas, United States, an elite event for shared services executives who are looking to develop new strategy, solve challenges and source partners that will allow them to create efficiency and drive more value out of their shared services centers.
This event will continue IQPC Exchange’s ongoing tradition of offering cutting-edge, strategic networking and learning opportunities for senior level shared services executives, combining conference sessions, one-on-one business meetings and numerous networking functions to allow executives to speak with their peers. With pre-scheduled one-on-one advisory meetings and personalized itineraries, the Shared Services Exchange™ provides the opportunity to create an agenda that directly reflects the goals and initiatives of participating executives.
To request a complimentary delegate invitation or for information on solution provider packages, please contact: exchange@iqpc.com, call 1-866-296-4580 or visit their website at http://www.sharedservicesexchange.com/
July 14-16, 2010. IQPC Presents Shared Services for Finance and Accounting, Chicago, Illinois. The SSFA 2010 Summit brings together leading financial shared services experts to network, benchmark and learn through keynote presentations, interactive roundtables, case studies and discussion panels. This program will help you improve internal accounting processes, maximize your efficiency with fewer resources, make smarter sourcing decisions, and drive continuous value through your financial services. For more information, visit http://www.sharedservicesfa.com/Event.aspx?id=314126
September 26-28, 2010. IQPC Shared Services Exchange™ Event, 2nd Annual, to be held in The Hague, Netherlands. Shared Service Centres have long been seen as the cost saving centre of HR, Finance & Accounting and IT processes, but with changing employment trends and global challenges facing organisations, how can SSC’s continually offer service value?
Unlike typical conferences, the Shared Services Exchange™, which will be co-located with the Corporate Finance Exchange™, focuses on networking, strategic conference sessions and one-on-one meetings with solution providers. The Exchange invites strategic decision makers to take a step back from their current operations, see what strategies and solutions others are adopting, develop new partnerships and make investment choices that deliver innovative solutions and benefits to their businesses.
To request your complimentary delegate invitation or for information on solution provider packages, please contact: exchangeinfo@iqpc.com, call +44 (0) 207 368 9709, or visit their website at http://www.sharedservicesexchange.co.uk/Event.aspx?id=263014
******************************************
FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: wbierce@biercekenerson.com The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: wbierce@biercekenerson.com . Edited by Bierce & Kenerson, P.C. Copyright (c) 2010, Outsourcing Law Global LLC. All rights reserved. Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.
Tuesday, March 23, 2010, Webinar on Sourcing of Global Talent
March 2, 2010 by Bierce & Kenerson, P.C.
Back by popular demand, this webinar will again be presented:
Managing Knowledge, Compliance and Legal Risks in Sourcing of Global Talent
Tuesday, March 23, 2010
11:00AM, EDT
45 Minutes
Speakers:
• William B. Bierce, Esq., Bierce & Kenerson, P.C. – outsourcing lawyer
• Chris Nuttall, PA Consulting, Member of PA’s Management Group
• Larry Scinto, PA Consulting, Managing Consultant
This webinar will discuss human capital management for the contingent workforce in our current economic climate. The speakers will address issues in designing a contingent workforce strategy, managing this contingent workforce, effective governance and managing the risks and legal issues that arise with the implementation of such a workforce using internal and external resources. In this webinar, some of the questions that will be discussed are:
• How do I put together an effective contingent workforce strategy to optimize my investment in contingent labor?
• How do I ensure that my business customers are engaged in the case for change and buy-in to common technology, process, policy and governance?
• How do I govern multiple providers and ensure effective performance and value for my investment?
• What technologies should I be using to track provider/contingent worker utilization and performance?
• How do I identify and manage legal, regulatory and compliance risks in all geographies where I operate directly and through external service providers?
• How do I ensure that there is effective governance across the entirety of my contingent workforce?
• What policies and procedures should I adopt to design a flexible contingent workforce into my global workforce and service supply chain?
Who Should Attend – Corporate decision-makers and both buyers and sellers of outsourced services.
Space is limited.
Reserve your Webinar seat now at:
https://www2.gotomeeting.com/register/162314754
After registering you will receive a confirmation email containing information about joining the Webinar.
Please forward your questions, comments and feedback to
Laura Sanfiorenzo of Bierce & Kenerson, P.C.
Risks of “Climate Change”: SEC Highlights Global Need for Business Resiliency Planning and Policies
January 27, 2010 by Bierce & Kenerson, P.C.
On January 27, 2010, the U.S. Securities and Exchange Commission adopted an “interpretive guidance” to public companies on existing disclosure requirements as they relate to business or legislative events on the issue of climate change. Such “interpretive guidance” is not a new regulation, but serves to express an intention to clarify existing requirements. It was adopted by a vote of 3 Democrats to 2 Republican commissioners, who in principle are not representing their respective political parties. The interpretive guidance will have a significant impact, both in the U.S. and across the world, on investor relations, risk management and indirectly on corporate social responsibility.
Impact on Business Continuity and Profitability. Climate change could have material impacts on a company’s business. Disclosures of the impact of changes in climate – such as more severe storms, a rise in sea levels, increases in the costs of farm products, etc. – could be a “material” factor for an investor in deciding whether to buy, sell or hold securities in such a company. Thus, the issue of climate change has, in a sense, always been a material factor for discussion in management’s general discussion and disclosure of risk factors.
The SEC’s Interpretive Guidance. Quoted below, the SEC’s interpretive guidance on January 27, 2010 highlights several specific areas as examples of where climate change may trigger disclosure requirements:
- Impact of Legislation and Regulation: When assessing potential disclosure obligations, a company should consider whether the impact of certain existing laws and regulations regarding climate change is material. In certain circumstances, a company should also evaluate the potential impact of pending legislation and regulation related to this topic.
- Impact of International Accords: A company should consider, and disclose when material, the risks or effects on its business of international accords and treaties relating to climate change.
- Indirect Consequences of Regulation or Business Trends: Legal, technological, political and scientific developments regarding climate change may create new opportunities or risks for companies. For instance, a company may face decreased demand for goods that produce significant greenhouse gas emissions or increased demand for goods that result in lower emissions than competing products. As such, a company should consider, for disclosure purposes, the actual or potential indirect consequences it may face due to climate change related regulatory or business trends.
- Physical Impacts of Climate Change: Companies should also evaluate for disclosure purposes the actual and potential material impacts of environmental matters on their business.
Impact on Global Sourcing. This interpretive guidance is important for outsourcing service providers that support global or globalizing businesses in outsourcing of IT, business processes, call centers, knowledge processing, HR staffing and administration, legal processing and other services. The possibility of severe storms in a service delivery center should thus be reflected in a disclosure about the susceptibility of such a center to service outages and damages to facilities and resulting consequential damages to the reporting public company. Such disclosures should consider the related disaster recovery plans and business resiliency plans that might mitigate such outages and lost business.
What does this regulatory concern mean for global sourcing?
- Corporate Investor Relations. “Climate change” is now on the scoreboard for disclosures by public companies and evaluation by portfolio managers.
- Corporate Strategy, Business Process Design and Risk Management. Business resiliency measures that relate to climatic conditions have now become a subject of scrutiny.
- Global Workforce Management. “Climate change” is now a matter of very public concern. The impact of weather and climate change on a service provider’s capacity to deliver services, as well as on the customer enterprise’s ability to receive services from different service centers, has now very openly become a regulatory disclosure concern.
- Corporate Social Responsibility. The interpretive guidance gives a new impetus for corporations, both public and private, to identify their strategies and contingency planning for reducing the impact of adverse climate changes. While not commanding any CSR initiative, the interpretive guidance will undoubtedly highlight this on the corporate business agenda for branding of “good corporate citizens.” It could further spur greater interest in measuring and reducing the carbon footprint of publicly traded companies.
Underscoring Existing “Best Practices.” The SEC’s interpretive guidance has given enterprises a clear path on managing risks related to climate change. This is actually nothing new, since sophisticated service customers have already been demanding disaster recovery plans and contingency sourcing plans as “best practices” in global sourcing. Such plans require considerable attention to scenario analysis, alternative sourcing strategies and contingency planning. Business resiliency planning will require continuing development of policies and procedures, training and testing. What was a “best practice” has now become an even more compelling “best practice.”
Outsourcing Law & Business Journal™: November 2009
December 21, 2009 by Bierce & Kenerson, P.C.
OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events. Insights by Bierce & Kenerson, P.C. www.biercekenerson.com
Vol. 9, No. 11 (November, 2009)
Last Opportunity to Register – Webinar on Sourcing of Global Talent
Managing Knowledge, Compliance and Legal Risks in Sourcing of Global Talent
Thursday November 17, 2009, 11 A.M. – 12 Noon, Eastern Daylight Time U.S.
Speakers:
- William B. Bierce, Esq., Bierce & Kenerson, P.C. – Outsourcing Lawyer
- Larry Scinto, PA Consulting, Managing Consultant
- Neil McEwen, PA Consulting, Managing Consultant
Agenda. This webinar will discuss human capital management for the contingent workforce in our current economic climate. The speakers will address issues in designing a contingent workforce strategy, managing this contingent workforce, effective governance and managing the risks and legal issues that arise with the implementation of such a workforce. In this webinar, some of the questions that will be discussed are:
- How do I put together an effective contingent workforce strategy to optimize my investment in contingent labor?
- How do I ensure that my business customers are engaged in the case for change and buy-in to common technology, process, policy and governance?
- How do I govern multiple providers and ensure effective performance and value for my investment?
- What technologies should I be using to track provider/contingent worker utilization and performance?
- How do I ensure that legal/regulatory/compliance risks are recognized and managed in all geographies where I operate?
- How do I ensure that there is effective governance across the entirety of my contingent workforce?
- How do I manage risk and compliance issues that arise through the implementation of a contingent workforce?
This webinar is by invitation only. To register, please click here.
_________________________________________________________________________
1. “ObamaCare”: Promotion of Automation, Offshore Outsourcing and Job Losses; Penalizing Foreign Companies Based in Tax Havens (and Other Non-Treaty Countries).
2. Humor.
3. Conferences.
____________________________________________________________________________________
1. “ObamaCare”: Promotion of Automation, Offshore Outsourcing and Job Losses; Penalizing Foreign Companies Based in Tax Havens (and Other Non-Treaty Countries). If enacted, President Obama’s healthcare reform would probably hurt domestic employment and accelerate automation, outsourcing and offshoring. It would change the economic incentives for keeping service industries in America. And it would hurt foreign-owned businesses whose ultimate parent company is based in a tax haven or other country that has no U.S. income tax treaty. On November 6, 2009, by a paper-thin margin of 220 votes to 215, the U.S. House of Representatives passed the “Affordable Health Care for America Act,” H.R. 3962, the 1,990-page health care reform law that has been frequently called “ObamaCare.” If substantially adopted by the Senate and passed into law, the bill would impose significant new burdens on employers and self-employed persons. For the complete article, please click here.
2. Humor.
Healthcare reform, n. (1) a plan to make healthcare “affordable” in America by making employment less affordable.
Independent contractor, n. (1) a staffing company, outsourcing service provider or personal service company working on projects under a defined scope, subject to change control procedures and never under the direction or control of the enterprise customer except by contract revision; (2) a free spirit, within the freedom of the statement of work.
3. Conferences.
December 6-8, 2009, IQPC and SSON’s 4th European Shared Services Exchange, The Hague, Netherlands. Following the success of our Shared Services Exchanges in North America we are now launching the new format for Europe, bringing together senior level conference topics in a highly productive and interactive meeting platform. The 4th European Shared Services Exchange is an invitation-only gathering for VP and C-Level senior Shared Services executives from successful European organizations. With a distinguished speaking faculty from Dell, Lafarge and Microsoft amongst others, the seats at the 2009 Exchange are limited and filling up quickly. We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at exchange@iqpc.com or call us at 1866-296-4580. Visit the website for more information.
December 7-9, 2009, Legal IQ and IQPC’s 8th Annual E-Discovery Conference in New York, New York. Legal IQ and IQPC present the 8th eDiscovery event this December in New York City. Bringing industry leaders together to explore current risks, opportunities and challenges facing eDiscovery, this event will offer best practices and possible solutions to the ever remaining question: How can we lower our costs? This event goes beyond the traditional basics by examining the critical, high level, and strategic issues. Some of the topics to be addressed by the expert speaker faculty will be:
- Organizing an effective records program by tapping into existing resources
- Developing a litigation preparedness plan
- Determining judges’ priorities when eDiscovery conflicts arise
- Aligning the interests of IT, inhouse and outside counsel
- Handling eDiscovery via social media sites and other new sources of ESI
- Controlling the cost of review while maintaining defensibility
- Saving money by employing Early Case Assessment tools and new technologies
For more information and to register for this event, please click here.
January 24-26, 2010, IQPC Business Process Outsourcing and Shared Services Exchange 2010, West Coast, USA. This is an invitation-only gathering for VP and C-Level senior Shared Services and Outsourcing executives made up of highly crafted, executive level conference sessions, interactive “Brain Weave” discussions, engaging networking opportunities and strategic one-on-one advisory meetings between solution providers and delegates. With a distinguished speaking faculty from McGraw-Hill, Ingram Micro and Pfizer, amongst others, the seats at the 2010 Exchange are limited and filling up quickly. We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference ‘Outsourcing Law’ when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at exchange@iqpc.com, call at 1866-296-4580 or visit their website.
February 22-24, 2010, SSON and IQPC 8th Procure-to-Pay Summit, Miami, Florida. Join Procurement, Accounts Payable and Sourcing professionals at the 8th Procure-to-Pay Summit to discuss new initiatives for procurement as IQPC and SSON continue with their Procure-to-Pay series in 2010. More information will be available shortly. In the interim, check out what happened at the 7th P2P Summit this past summer.
March 22-26, 2010, SSON presents the 14th Annual North American Shared Services & Outsourcing Week, Orlando, FL. Here’s a sneak peek of new and enhanced features, which include:
- Speakers from Top Companies: Aramark, Arbys/Wendy’s, AstraZeneca, Chevron, Coca-Cola, Conagra Foods, General Motors, Kellogg, Kraft, Microsoft, Monster, NASA, Northrop Grumman, Oakley, Perdue Farms, Schering Plough, Warner Brothers and more
- G8: Global Sourcing Think Tank Eliminating the White Noise: The first ever neutral platform to help shape a common industry agenda in the US
- Under the C-Suite Spotlight with Rene Carayol, An Exclusive Onstage CXO Interview: Board-room revelations regarding shared service & sourcing model strategy
- New, Strong, Business Outcome-Focused Content: 8 content-intense tracks, from Planning & Launching and BPO Evolution to IACCM’s Contracting to Collaboration
- Enhanced Annual Features: Quick Wins Energizers, Speed Networking, Blue Sky Innovation Room for Mature SSO’s, and more.
Please contact Kim Vigilia directly at 1-212-885-2753 or at kim.vigilia@iqpc.com with your special code IUS_OSL_#1 to get a 20% discount off the all-access pass. You can also visit the website at www.sharedservicesweek.com.
Case Study for Legal Risk Management for “Cloud Computing”: Data Loss for T-Mobile Sidekick® Customers
October 29, 2009 by Bierce & Kenerson, P.C.
Telecom providers are increasingly outsourcing IT functions for “cloud computing.” A widespread data loss in mid-October 2009 by an IT outsourcer to a mobile telephony provider underscores the practical limitations of using the Internet as a data storage platform.
In this episode, subscribers to T-Mobile Sidekick® mobile devices were informed that their personal data – contact information, calendars, notes, photographs, to-do lists, high scores in video games and other data – had almost certainly been lost. T-Mobile (a service of Deutsche Telekom AG) had outsourced the management of the “cloud computing” function for the Sidekick® devices to Microsoft’s subsidiary, Danger, Inc. While T-Mobile has offered a $100 freebie in lieu of financial compensation and some data was recovered, the case invites legal analysis of the liability of any service provider – whether for mobile telephony or enterprise backup and remote storage – for “software as a service” (“SaaS”) or “cloud computing.”
Technological Framework for “Cloud Computing.” “Cloud computing” means simply that data are processed and stored at a remote location on a service provider’s network, not on the enterprise’s network or a consumer’s home computer. Such data could be any form of digital information, ranging from e-mail messages (such as those stored by Google and Yahoo!) to databases, customer records, personal health information, employee information, company financial information, customer contracts and logistics information.
“Clouds” come in two flavors: public and private.
- In a public cloud, the general principles of the Internet apply, and data transmissions can flow between many different third-party computers before reaching the service provider’s servers. Amazon offers hardware in variable computing capacities in its “Elastic Compute Cloud” (or “EC2”) services. Similarly, Google offers an “App Engine.”
- In a private cloud, one service provider (alone or with its subcontractors) controls the entire end-to-end transport, processing, storage and retrieval of data.
Cloud computing exposes users to some key vulnerabilities and added costs:
- The user depends on a high-performance Internet connection. Service level performance cannot be guaranteed except in private clouds.
- “Single points of failure” (“SPOF”) in data transmission, processing and storage, for which special security measures and redundancy may be required. Heightened security risks require extra resources.
- Loss of control over the public portion of a “public cloud” can impair performance through delays and data loss resulting from uncontrolled environments.
- Delays in data restoration may occur due to interruptions in data transmissions.
- Business continuity, resumption and data protection require special solutions.
- Passwords could be guessed at using social networking tools, but if the user accounts are maintained internally in a controlled network, the systems could use techniques to detect and eradicate misuses and abuses from users based on aberrational access profiles and unauthorized territorial access. In a public cloud, security tools such as data leak prevention (“DLP”) software, data fingerprinting, data audit trail software and other tools might not be effective.
Such vulnerabilities explain why “cloud computing” needs special controls if used as a platform for providing outsourced services.
In the October 2009 T-Mobile debacle, users relied on the telecom service provider to store and back up the data. Mobile telephony devices (other than laptops) were seen as tools for creating, but not storing, significant volumes of data. Remote data storage was a unique selling proposition, or so one thought.
T-Mobile’s Technological Failure. On its website, T-Mobile exposed the technological sources of the failure of its “cloud computing” for mobile devices. It explained:
We have determined that the outage was caused by a system failure that created data loss in the core database and the back-up. We rebuilt the system component by component, recovering data along the way. This careful process has taken a significant amount of time, but was necessary to preserve the integrity of the data. SOURCE: T-Mobile Forums, Oct. 15, 2009 update.
Mitigating Damages: Public Relations Strategy for Restoring Customer Confidence and Maintaining Brand Goodwill. After some delay, without admitting any liability or damages, T-Mobile adopted a “damage control” strategy drawn from the usual “disaster recovery” process models:
Compensation. It offered any affected customers a $100 gift card for their troubles in addition to a free month of service.
Communication Outbound. It created and updated a Web forum for Sidekick users to get information about the nature of the problems, whether the data loss was irretrievable and the time to resume operations.
Communication Inbound. It provided an e-mail contact address so that it could respond to inquiries and thus identify and counteract rumors that might have been spreading.
Compliance. T-Mobile notified the public media since the “disaster” exposed it to the possibility that more than 5,000 consumers in any particular state might have had their personally identifiable information (“PII”) exposed to unauthorized persons such as hackers. Such notifications (along with other notices to individual customers and designated government officials) are mandated by state law in over 40 states.
Corrections and Control. It focused on remediation first, deferring problem resolution with any claims against its service provider, Microsoft’s subsidiary Danger, Inc.
Confidentiality. It kept its communications with its failing provider confidential and focused on remediation.
Escaping Liability for Damages. Generally, telecom service providers disclaim liability in excess of a small amount. Further, service contracts contain exclusions of liability for consequential damages as well as force majeure clauses. Generally, such disclaimers and exclusions are enforceable. However, various legal theories might prevent a service provider from escaping liability for failed service delivery.
Legal Risks for Providers of “Cloud Computing” Services. T-Mobile consumers might assert various legal theories against T-Mobile for damages if their data are not fully restored, or if T-Mobile fails to act promptly and reasonably to mitigate damages to consumers.
False Advertising; Unfair and Deceptive Practices. State and federal laws prohibit false or deceptive advertising and unfair and deceptive practices. Enforcement of these laws is generally restricted to governmental agencies such as the Federal Trade Commission, the Federal Department of Justice and the state Attorneys General. Deception is a term of art and depends on the facts. In this case, the question is how solidly did T-Mobile portray the benefits of “cloud computing,” and did it warn against loss of data. If T-Mobile can show that it warned users of potential data loss and recommended that they back up their own data, such a warning might relieve it from liability. If T-Mobile represented that it would use reasonable security, backup and business continuity services, subscribers with lost data might have a claim of negligence or gross negligence.
Consumer Fraud. Under common law and state consumer protection laws, generally, a fraud occurs when the seller knowingly misleads or makes a false statement of fact to induce the consumer to make a purchase. A massive fraud is subject to a class-action claim in Federal court under Federal Rules of Civil Procedure.
Magnuson-Moss Warranty Act. Normally, an outsourcing services contract is not one that is associated with the maintenance of a product such as a telephone or a computer. If the service provider were also selling any equipment to the customer, and the customer were a “consumer,” and the service provider agreed to maintain or repair the consumer product, then the Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq. would apply. This risk explains why sellers of consumer products (mobile telephones) offer only limited warranties. The Magnuson-Moss Warranty Act is probably not a source of potential liability for T-Mobile, but that depends on the customer contracts.
Privacy Violations. Cloud computing providers may become liable to consumers or enterprise customers for failure to comply with applicable privacy statutes. Such statutes protect personal health information (under HIPAA), personal financial information (under the Gramm-Leach-Bliley Act), personally identifiable information (state and federal laws), financial information of a plan fiduciary under ERISA or other laws, or simply confidential information that could be a trade secret or potentially patentable idea of an enterprise or its customers, suppliers or licensors. Data subject to export control laws and regulations governing trade in arms and “defense articles” are thus not good candidates for “cloud computing” except for “private clouds.”
Enterprises hiring third parties to remotely process and manage their operational data are liable to third parties if any protected data is mishandled, depending on the exact wording of the law. Allocation of liability for privacy and security violations is typically a negotiated element of any outsourcing agreement.
Protecting Consumers in Cloud Computing. The legal framework for “cloud computing” needs to be well defined before it can become a reliable business model replacing networks or local workstations. Regardless of disclaimers in consumer contracts, providers of “cloud computing” services will need to adopt reliable, resilient storage backups, disaster recovery and business continuity services. Moreover, when hiring a “cloud computing” service provider (as T-Mobile did when it hired Microsoft/Danger, Inc.), the seller must ensure high standards by its subcontractors. Telecom outsourcing to IT providers requires special technical and legal controls to protect the consumer and the telecom carrier.
Outsourcing Law & Business Journal™: September 2009
October 29, 2009 by Bierce & Kenerson, P.C.
OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events.
Insights by Bierce & Kenerson, P.C. www.biercekenerson.com
Vol. 9, No. 8 (September, 2009)
Special Notice – Webinar on Sourcing of Global Talent
Managing Knowledge, Compliance and Legal Risks in Sourcing of Global Talent
Thursday November 5, 2009, 11 A.M. – 12 Noon, Eastern Daylight Time U.S.
Speakers:
- William B. Bierce, Esq., Bierce & Kenerson, P.C. – outsourcing lawyer
- Larry Scinto, PA Consulting, Managing Consultant
- Neil McEwen, PA Consulting, Managing Consultant
Agenda. This webinar will discuss human capital management for the contingent workforce in our current economic climate. The speakers will address issues in designing a contingent workforce strategy, managing this contingent workforce, effective governance and managing the risks and legal issues that arise with the implementation of such a workforce. In this webinar, some of the questions that will be discussed are:
- How do I put together an effective contingent workforce strategy to optimize my investment in contingent labor?
- How do I ensure that my business customers are engaged in the case for change and buy-in to common technology, process, policy and governance?
- How do I govern multiple providers and ensure effective performance and value for my investment?
- What technologies should I be using to track provider/contingent worker utilization and performance?
- How do I ensure that legal/regulatory/compliance risks are recognized and managed in all geographies where I operate?
- How do I ensure that there is effective governance across the entirety of my contingent workforce?
- How do I manage risk and compliance issues that arise through the implementation of a contingent workforce?
This webinar is by invitation only. To register, please click here.
_________________________________________________________________________
1. Mortgage Loan Servicing and Other Outsourcing by TARP-Assisted Entities: Criminalization of Contract Fraud under Government Contracts.
2. Humor.
3. Conferences.
____________________________________________________________________________________
1. Mortgage Loan Servicing and Other Outsourcing by TARP-Assisted Entities: Criminalization of Contract Fraud under Government Contracts. Do you know whether you are a subcontractor receiving payments from an entity assisted under the U.S. Troubled Assets Relief Program or the American Recovery and Reinvestment Act of February 2009? You should be aware of the criminalization of contract fraud and the protection of whistleblowers denouncing contract fraud in your operations. Managing to prevent fraud just became more important. For more information and some “lessons learned,” click here.
2. Humor.
Feral, adj. (1) relating to the Fraud Enforcement and Recovery Act of 2009; (2) undomesticated.
3. Conferences.
October 6-7, 2009, American Conference Institute’s Software Licensing Agreements Event in San Francisco, California. Companies on both sides of the table in software license negotiations are being increasingly confronted with challenges relating to the use and licensing of proprietary products that contain or otherwise incorporate open source code. Coupled with the other core challenges presented by the negotiation of software licensing agreements – IP infringement, warranties, limitations on liability, indemnification, revenue recognition, product development and maintenance, and contract termination, it is imperative to a successful negotiation that one has a process in place to preemptively anticipate, address and quickly resolve these issues when they arise.
To provide you with specific insights into how to confront these and other contentious issues, ACI has assembled an exceptional faculty, including in-house representatives from the major players in this industry who will provide you with the tactical and strategic insights you need to negotiate more lucrative, airtight agreements – whether acting as the licensor or the licensee. For more information, visit the website.
December 6-8, 2009, IQPC and SSON’s 4th European Shared Services Exchange, The Hague, Netherlands. Following the success of our Shared Services Exchanges in North America we are now launching the new format for Europe, bringing together senior level conference topics in a highly productive and interactive meeting platform. The 4th European Shared Services Exchange is an invitation-only gathering for VP and C-Level senior Shared Services executives from successful European organizations. With a distinguished speaking faculty from Dell, Lafarge and Microsoft amongst others, the seats at the 2009 Exchange are limited and filling up quickly. We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at exchange@iqpc.com or call us at 1866-296-4580. Visit the website for more information.
December 7-9, 2009, Legal IQ and IQPC’s 8th Annual E-Discovery Conference in New York, New York. Legal IQ and IQPC present the 8th eDiscovery event this December in New York City. Bringing industry leaders together to explore current risks, opportunities and challenges facing eDiscovery, this event will offer best practices and possible solutions to the ever remaining question: How can we lower our costs? This event goes beyond the traditional basics by examining the critical, high level, and strategic issues. Some of the topics to be addressed by the expert speaker faculty will be:
- Organizing an effective records program by tapping into existing resources
- Developing a litigation preparedness plan
- Determining judges’ priorities when eDiscovery conflicts arise
- Aligning the interests of IT, inhouse and outside counsel
- Handling eDiscovery via social media sites and other new sources of ESI
- Controlling the cost of review while maintaining defensibility
- Saving money by employing Early Case Assessment tools and new technologies
For more information and to register for this event, please click here.
January 24-26, 2010, IQPC Business Process Outsourcing and Shared Services Exchange 2010, West Coast, USA. This is an invitation-only gathering for VP and C-Level senior Shared Services and Outsourcing executives made up of highly crafted, executive level conference sessions, interactive “Brain Weave” discussions, engaging networking opportunities and strategic one-on-one advisory meetings between solution providers and delegates. With a distinguished speaking faculty from McGraw-Hill, Ingram Micro and Pfizer, amongst others, the seats at the 2010 Exchange are limited and filling up quickly. We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference ‘Outsourcing Law’ when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at exchange@iqpc.com, call at 1866-296-4580 or visit their website.
******************************************
FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: wbierce@biercekenerson.com. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: wbierce@biercekenerson.com. Edited by Bierce & Kenerson, P.C. Copyright (c) 2009, Outsourcing Law Global LLC. All rights reserved. Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.