
The combination of political turmoil, a down economy and technology developments is creating new and challenging legal issues for managers negotiating outsourcing agreements. Hostility in the Middle East, as well as the ongoing threat of terrorism, has increased the focus on security at a time when faltering financial markets are driving more companies to outsource technology functions as a means of cost-cutting. This combination raises three areas where managers must focus their attention: security, disaster recovery, and privacy.

One of the fastest-growing areas in outsourcing is contracting with offshore software development companies for legacy and custom application development and maintenance.

Dr. Arvind Shah, founder of India’s National Association of Computer Trainers, claims the U.S. economic slowdown will actually benefit Indian development companies as cost-cutting drives work to less expensive service providers. But the risk of political instability in some of the countries providing these services, such as India, China and Eastern Europe, raises questions about the security of U.S. companies’ technology systems.

When negotiating an outsourcing deal, managers need to consider carefully issues such as requiring background checks for the offshore employees, disaster recovery plans, and cross-border privacy issues.

• Consider requiring the vendor to submit any employee who will work on the account to a thorough background check. Sensitive corporate and customer information may be stored on machines that reside in a foreign jurisdiction. That information is useful to hackers and terrorists and must be carefully guarded by trustworthy employees.
• Retain the right to audit the vendor’s records for compliance. A periodic compliance check is an excellent precaution.
• Restrict the office space where the client’s work is performed to authorized employees only. Other employees and other companies’ data should not mix with the client’s information.

In the event of a political crisis, such as the outbreak of war in the vendor’s country, agreements should provide for disaster recovery measures. The vendor should be able to provide multiple sites to work from and a plan to move people, software, databases and network connectivity from one secure hardware environment to another.

• Require the vendor to produce a disaster recovery plan before the agreement is signed. Have the technical team review the plan to ensure the vendor can comply with it.
• Tie the disaster recovery plan into the force majeure clause. The force majeure (or “greater force”) clause excuses the vendor from performance in the event of a major disaster. But if the vendor is unable to perform due to a force majeure event, the vendor should be obligated to then switch to the disaster recovery site to provide services.
• Allow for a termination by the company in the event the vendor can’t comply with the disaster recovery plan within a certain period of time. The company should not have its business stalled while the vendor tries to figure out what it has done wrong.

Finally, privacy issues come under increasingly tight scrutiny as more countries grow concerned about where data on individuals is going in a worldwide economy. At the same time, many companies are outsourcing database management and customer service functions to offshore service providers. That means a lot of customers’ personally identifiable information resides on servers in foreign countries. Many countries, or entire regions, such as the European Union, have established laws and regulations regarding how data can move out of their jurisdictions. Even data that is transferred internally within a corporate entity is subject to privacy rules if it crosses some international borders.

• Meet with the managers of the system being outsourced, find out what kind of data is processed and stored, and consult legal counsel to see whether it is covered by U.S. or international laws.
• Discuss the legal issues that arise as a result of the nature and location of the data. Compliance may be required with U.S. laws such as Gramm-Leach-Bliley or HIPAA, or international laws such as the EU Directive or Canada’s Personal Information Protection and Electronic Documents Act.
• Have the technical team review the vendor’s security measures to confirm that the vendor has taken commercially reasonable measures, using the latest available technology, to protect the databases. A breach of the system by a hacker can mean liability for the company for failing to properly protect the data.
• Discuss with legal counsel an indemnity requiring the vendor to defend and indemnify the company in the event a breach occurs and a suit arises.

Technology services are more global today than ever, but so is the threat to the security of the technology environment. If a company is going to put its technology management into someone else’s hands, it’s critical to make sure they are trusted hands.

John Dieffenbach is a senior associate in the Technology, Intellectual Property and Outsourcing Group at Kaye Scholer LLP where he focuses his practice on outsourcing, system integration, and licensing transactions and litigation.