DISASTER RECOVERY JOURNAL
Legal
Global Outsourcing During Tumultuous Times Raises New Legal Issues
By JOHN DIEFFENBACH
The combination of political turmoil,
a down economy and technology developments is providing new and challenging
legal issues for managers negotiating outsourcing agreements. Hostility
in the Middle East as well as the ongoing threat of terrorism has increased
focus on security at a time when faltering financial markets are causing
more companies to outsource technology functions as a means of cost-cutting.
This combination raises three new areas where managers must focus their
attention: security, disaster recovery, and privacy.
One of the fastest-growing areas in outsourcing is contracting with
offshore software development companies for legacy and custom application
development and maintenance.
Dr. Arvind Shah, founder of India’s National Association of Computer
Trainers, claims the U.S. economic slowdown will actually benefit Indian
development companies as cost-cutting drives work to less expensive
service providers. But the risk of political instability in some of
the countries providing these services, such as India, China and Eastern
Europe, raises questions of security regarding U.S. companies’
technology systems.
When negotiating an outsourcing deal, managers need to consider carefully
issues such as requiring background checks for the offshore employees,
disaster recovery plans, and cross-border privacy issues.
• Consider requiring that any employee who will work on the account
pass a thorough background check. Sensitive corporate
and customer information may be stored on machines that reside in a
foreign jurisdiction. That information is useful to hackers and terrorists
and must be carefully guarded by trustworthy employees.
• Retain the right to audit the records for compliance. A periodic
check for compliance is an excellent precaution.
• Restrict the office space where the client’s work is performed
to authorized employees. Other employees and other companies’
data should not mix with the client’s information.
In the event of a political crisis, such as the outbreak of war in the
vendor’s country, agreements should provide for disaster recovery
measures. The vendor should be able to provide multiple sites to work
from and a plan to move people, software, databases and network connectivity
from one secure hardware environment to another.
• Require production by the vendor of a disaster recovery plan
before the agreement is signed. Have the technical team review the plan
to ensure the vendor can comply.
• Tie the disaster recovery plan into the force majeure clause.
The force majeure (or “greater force”) clause excuses the
vendor from performance in the event of a major disaster. But if the
vendor is unable to perform due to a force majeure event, the vendor
should be obligated to then switch to the disaster recovery site to
provide services.
• Allow for termination by the company in the event the vendor
can’t comply with the disaster recovery plan within a certain
period of time. The company should not have its business stalled while
the vendor tries to figure out what it has done wrong.
Finally, privacy issues come under increasingly tight scrutiny as more
countries grow concerned about where data on individuals is going in
a worldwide economy. At the same time, many companies are outsourcing
database management and customer service functions to offshore service
providers. That means a lot of customers’ personally identifiable
information resides on servers in foreign countries. Many countries,
or entire regions, such as the European Union, have established laws
and regulations regarding how data can move out of their jurisdictions.
Even data that is transferred internally within a corporate entity is
subject to privacy rules if it crosses some international borders.
• Meet with the managers of the system being outsourced to find
out what kind of data is processed and stored, and consult legal counsel
to see if it is covered by U.S. or international laws.
• Discuss the legal issues that arise as a result of the nature
and location of the data. Compliance may be required with U.S. laws
such as Gramm-Leach-Bliley or HIPAA, or international laws such as
the EU Directive or Canada’s Personal Information Protection and
Electronic Documents Act.
• Have the technical team review the vendor’s security measures
to confirm it has taken commercially reasonable measures using the latest
available technology to protect the databases. A breach of the system
by a hacker can mean liability for the company for failing to properly
protect the data.
• Discuss with legal counsel an indemnity requiring the vendor
to defend and indemnify the company in the event a breach occurs and
a suit arises.
Technology services are more global today than ever, but so is the threat
to the security of the technology environment. If a company is going
to put its technology management into someone else’s hands, it’s
critical to make sure they are trusted hands.
John Dieffenbach is a senior associate in the Technology, Intellectual
Property and Outsourcing Group at Kaye Scholer LLP, where he focuses
his practice on outsourcing, system integration, and licensing transactions
and litigation.
To comment on this article, go to 1602-06
at www.drj.com/feedback.
© Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.