
A Passport Through Issues in Global Outsourcing

Belt-tightening in technology spending is bad news for hardware and software vendors but not always for technology service providers. Vendors in the outsourcing industry whose services can provide strategic cost-cutting often see a spike in demand as businesses seek to reduce overhead and personnel to meet financial targets.

This current economic environment is no exception. A recent report by TowerGroup, a U.S. research and consulting firm for the financial services industry, forecasts a forty-six percent (46%) annual growth rate in U.S. financial companies' use of off-shore outsourcing projects to 2005. That's a jump in spending from $417 million in 2002 to $1.31 billion in 2005 for that industry alone.

This article provides some guidance on three issues with special implications in off-shore outsourcing: security, privacy and disaster recovery. The goal is to better aid lawyers in understanding how to advise clients buying services in what is becoming a multi-billion dollar international industry.

The Business Model

Off-shore outsourcing's growth is fueled in large part by the difference in cost of having work performed in the company's home country, such as the United States or a European Union nation, compared to developing or Third World countries. While India has emerged as the dominant geographic player, technology companies in many Eastern European, Central American and Pacific Rim nations are also pushing into these markets. Each of these companies markets itself as a solution with lower costs but equal quality to U.S. or EU-based employees or vendors for the same skills.

The variety of services offered by these foreign vendors is equal to that of any national outsourcing vendor. With each service offered, however, the company must consider a different set of business and legal issues driven by the fact that: (a) the actual technology being used is located overseas; (b) some services are mission critical; and (c) some services require more access to sensitive data than others. While the most important aspects of negotiating any outsourcing deal are establishing the scope and price of services and creating service levels and remedies for failure to perform, this article will focus on security, privacy and disaster recovery as three critical concerns that require new focus in all types of off-shore outsourcing services.

Security

Security is an issue in any technology service agreement. But in off-shore outsourcing it's a special concern because companies may sign up for services from facilities they never visit. Failing to physically and technically walk through the outsourcer's facility may be a big mistake. Off-shore outsourcers strive for efficiency by reducing the amount invested in office space so they can serve multiple customers, often in the same industry, from the same location. That means the vendor's employees may be in close quarters working on competitor accounts. It can also mean that multiple clients' data share the same server, albeit separated by logical partitions within the central processing unit.

For certain industries, this type of arrangement may be unacceptable. Financial services companies, for example, store a great deal of sensitive data on corporate and individual financial profiles, including account numbers and access to balances. Depending on the nature of the outsourcing services, the software required to execute transactions may also reside on machines overseas.

The vendor may commit to use commercially reasonable efforts to prevent hacking and viruses, but that alone is not enough. A hacker may enter through the company's vendor-hosted environment or through the environment of another vendor customer who shares the server. Once on a shared server, it is possible for a hacker to infiltrate the company's environment as well.

Companies which plan to outsource such sensitive data must require in their agreements: (1) dedicated servers, if the size of the deal warrants it; (2) that employees working on the company's account are in separate secure office space (using card access) that is off limits to anyone not providing services to the company; (3) that the company must approve the firewall and anti-virus applications used on the vendor's server; (4) that data stored on the server is encrypted; and (5) that the vendor provide notice of any detected efforts to hack into the company's system, or into the entire server if the server is shared with other companies.

The reliability of the vendor's security measures is only as good as the employees who implement them. Corporations have become targets for hackers seeking credit card account numbers, bank accounts and other financial information. Require that the off-shore vendor conduct background checks on those employees working on the company's account. The company can select a third party to perform the checks or ask to see results confirming that employees successfully passed the security criteria. A single individual with bad intent can do immeasurable damage to a company's technology environment, business operations and reputation.

Privacy

In addition to the threat of rogue employees, privacy laws in countries around the globe dictate a new emphasis on security. The European Union, United States, Canada and Australia, to name a few, have each implemented different regimes requiring privacy compliance by those who gather and store personally identifiable information (PII). These requirements place the burden on the company engaged in doing business, so it is up to the company to ensure compliance on behalf of its third-party vendors.

As a primary matter, prior to launching the outsourcing deal, the company should engage in privacy due diligence by having legal counsel interview the business team to understand: (a) what type of information the company will gather; (b) if the information is PII, what types of PII it will receive (e.g. financial, health related); (c) what the company will do with the information (both internally and with whom will it share the information); and (d) whether or not the information will move across international borders.

A French financial services company that has offices in Paris and Montreal, for example, may need to move information across the Internet about customers and employees between those two offices. Unless the company has taken the appropriate measures to provide notice and protect such information, the company could be in violation of privacy laws in both countries. If the French company decides to outsource certain data mining functions or its help desk to an Eastern European outsourcer, the company could also be in violation of the EU Directive, as the company is ultimately responsible for ensuring EU compliance in the treatment of such data.

Because it may be unclear how the data may move and changes in legislation are likely to occur, the company should negotiate broad language with the vendor that requires the vendor to do as the company directs with respect to privacy compliance. This is also dependent on what services the vendor will be providing. In some cases it may be the vendor, not the company, that is actually gathering data and PII through web hosting services, an ASP or call center. The vendor, then, will have to provide notice that it is collecting PII on behalf of the company and offer the customer the opportunity and method for opting out of such use.

Disaster Recovery

The increased potential for acts of terrorism has heightened interest in disaster recovery to unprecedented levels. Previously, companies were concerned with potential natural disasters, such as violent storms or earthquakes. Those companies which rely on their computing and network environments for critical day-to-day business capability had established duplicate sites or contracted with third parties to provide resources in an emergency. Today, companies which have not assembled some form of disaster recovery plan are putting their businesses at great risk.

When off-shore outsourcing is being considered, legal counsel should evaluate the ability of the company to function without that off-shore facility and urge the company to protect itself if appropriate. For example, a company which has outsourced its internal help desk may be able to struggle along without the service for some time in the event of a disaster. Another company may rely heavily on its call center for its business and can't be down for more than a few hours. Some companies send development of legacy applications overseas but the code under development is always stored in a library at the company's headquarters. Other companies which sell software applications may have the software code for a new product overseas so that a disaster would wipe out 18 months of development.

In the contract, the company has a range of potential steps it may require of the vendor.

  • The most extreme is that the vendor run the services out of two geographically separate locations, each with the capability to pick up the work of the other. This is often called "mirroring": everything in one environment is a duplicate of the other environment.
  • Less burdensome for the vendor (and less expensive for the company) is to require a "hot site" configuration in a geographically separate location. This would require establishing a second office with the same equipment and software up and running where the vendor's employees could go in the event the first location became inaccessible or to which the vendor could seamlessly switch for services. The environment may not be an exact "mirror" of the first site, but it has been duplicated within the last 24 hours or so and is not currently staffed.
  • Another step down would be a "cold site" with off-site tape storage. In a cold site the vendor has the computing power at the ready and tape backups of the environment that can be loaded within a few days and bring the system back on line.
  • The lowest level would be a simple tape backup without a ready site, so the vendor would have the software and applications it needs, but would have to find or build out a data center in which to establish the environment.

The choice that the company will make is a function of the type of services outsourced and the company's willingness to pay. The company's technical team should review the disaster recovery plan from the off-shore outsourcer and, if possible, confirm in person it actually is in place.

In the contract, disaster recovery should be tied into the force majeure clause. The force majeure clause typically provides that a party is not in breach when an act of God or other event outside the vendor's control prevents performance. What the company must do is change the force majeure provision so that in the event of a disaster the vendor must first comply with the disaster recovery plan or be held in breach. Only if the disaster has eliminated the disaster recovery option should the force majeure provision apply.

Conclusion

Off-shore outsourcing has the potential to provide tremendous financial benefits, but with real risks as technology systems are often thousands of miles away. Detailed discussions with clients about the nature of their overseas operations are required to ensure proper measures are taken to minimize those risks.
