Wednesday, May 5, 2010
Managing the New "Trade Secrecy" Risks in Global Sourcing: Criminal Theft, Criminal Negligence, Espionage, Bribery, Antitrust, and Enforcement
Trade secrecy risks arise whenever an enterprise shares confidential business information with a supplier, service provider, joint venturer or customer. Trade secrecy protection measures should be planned and implemented through appropriate non-disclosure covenants by the third party and possibly even its employees and others in the value chain. Current trade secrecy risks are reflected in three seemingly disparate events: the Rio Tinto employee economic espionage and bribery case in China, the U.S. Department of Justice’s investigation into the anticompetitive use of non-competition covenants (“non-competes”) by high-tech companies and the Algerian-U.S. Mutual Legal Assistance Treaty (“MLAT”).
These three current events suggest that both enterprise customers and their service providers take a second look at their current practices for protecting trade secrets. At the end of this article, we offer a series of questions that need answers before any kind of outsourcing – indeed, any cross-border data flow — can take place. Such questions offer a basic refresher course, with “James Bond-compliant” updates, on challenges of trade secret protections in global operations.
I. The Current Context of Trade Secrets at Risk
Item #1: Bribery and Espionage in China (the Rio Tinto employee case). On March 28, 2010, China convicted Stern Hu, a Chinese-born Australian citizen who was a local sales employee of the British-Australian mining company Rio Tinto, and other Chinese-resident employees of Rio Tinto (but not Rio Tinto itself) of bribery and theft of trade secrets relating to price negotiations of iron ore for sale to Chinese state-owned companies. The trial was conducted largely in secret. Rio Tinto had previously rejected an investment offer from Chinalco that involved some Australian national security issues. Some analysts suggested the case was political retaliation for that rejection and an abuse of judicial authority. Others suggested that the case leaves open the question of whether any rule of law was applied, or whether this was merely the use of judicial power to punish a foreign business that drove hard bargains by aggressive means. The case attracted global attention to the concept in Chinese law that identifies non-public commercial information of a Chinese state-owned enterprise as a “state secret.” Rio Tinto initially defended the employees but then said they had acted outside the scope of their operations and authority. The employees were convicted and sentenced to 7 to 14 years in prison plus financial penalties.
On March 25, 2010, China’s State-Owned Assets Supervision and Administration Commission issued regulations on commercial secrets, but did not disclose them until the Rio Tinto employee verdict. Those regulations remain somewhat vague, leaving foreign companies (and Chinese companies that are not state-owned enterprises, or “SOE’s”) to interpret them at their peril. See www.outsourcing-law.com/jurisdictions/countries/china.
Item #2: Anti-Terrorism and Cybercrimes under a Mutual Legal Assistance Treaty. On April 7, 2010, the U.S. and Algeria signed a mutual legal assistance treaty to combat international crime and terrorism. According to the press release:
The mutual legal assistance treaty, or MLAT, will be an effective tool in the investigation and prosecution of terrorism, cybercrime, white collar offenses and other crimes. Among other tools, the treaty will help law enforcement officials from the two countries obtain testimonies and statements; retrieve evidence, including bank and business records; provide information and records from governmental departments or agencies; and provide a means of inviting individuals to testify in a requesting country.
The U.S. has approximately 50 such MLAT’s. Such agreements could be used to enforce criminal prosecutions of misappropriation of trade secrets, assuming such misappropriation is a criminal act in the relevant jurisdictions. The press release announcing the MLAT did not link to any copy of the treaty, and the Justice Department website does not publish a copy either. Interested parties will therefore need to investigate further how such a treaty might be used to enforce trade secret protections.
Item #3: Hiring Practices by Global Services Providers. Now, enterprise customers have to be worried about the legality of hiring practices – at least in the United States – of their outsourcing service providers. Since July 2009, the U.S. Department of Justice has been investigating the hiring practices of Google, Intel, IBM, Apple and IAC/InterActiveCorp., according to the Wall Street Journal and other news reports in April 2010. The reports claim that the U.S. Government could challenge, or chill, the use of non-competition covenants in industries, such as high-tech, where innovation drives comparative advantage and non-competes might constitute illegal collusion on cost management, thereby depriving knowledge workers of a market for their skills. The investigation appears inspired by cases where innovators are hired away and the former employer seeks to enforce a non-competition covenant, particularly where the new employer claims that the litigation lacks a valid legal basis and thus is anticompetitive. (Such a case happened in 2005 when Google hired a Microsoft engineer in China, and Google claimed that Chinese law did not permit enforcement in China of a non-competition covenant). Enterprise customers should now be concerned with their service providers’ compliance with antitrust law.
II. The Law of Trade Secrecy
All these recent events underscore the need for prudent trade secrecy practices in the global supply chain. Trade secrets are now at risk due to potential civil and criminal espionage, bribery, cybercrime, and antitrust prohibitions on abusive and illegal anticompetitive practices. Further, the area of trade secrecy is now engulfed in national security and public policy considerations, underscoring the importance of a stable political environment for assuring the predictability of legal rights and enforcement actions in the various jurisdictions where trade secrets are shared and used in an outsourcing business relationship.
Trade Secrets. It is a best practice in outsourcing contracts to protect the enterprise customer’s trade secrets. The customer wants to know how this is done. Such protections can be applied to individual employees under non-disclosure agreements and maybe even non-competition covenants. NDA’s are generally enforceable but are generally construed in a manner to avoid depriving an employee (or service provider) of “general skill and knowledge” in the industry.
NDA’s are essential to enable any outsourcing, resourcing (retro sourcing back in-house) and transfer sourcing (to a new service provider on expiration or termination). As a matter of public policy under national laws, NDA’s are critical. The WTO protections of trade secrets are not very strong, based instead on non-secret intellectual property rights such as patents, trademarks and copyrights.
Non-Competition Covenants. Non-compete covenants are unenforceable in California as a matter of law and possibly in the BPO provider’s service delivery jurisdiction. Non-competes deprive employees of a right to be hired by competitors. They are unenforceable in some jurisdictions, and where enforceable they must be limited to reasonable scope in time, territory and subject matter. Employers can make the arguments, in an antitrust context, that non-competition covenants:
An antitrust enforcer might argue that non-compete agreements distort access by skilled workers to mobility and job choice, thus depressing competition for skilled workers and depressing wages.
Risk Management: Knowing Your Service Provider’s Hiring Practices. Based on this antitrust activity, enterprise customers should investigate the employment practices of their service providers to understand clearly the contractual framework and legal enforceability of employment practices in the relevant jurisdictions. The legal framework for protecting trade secrets, or for allowing them to be disclosed to the local government without judicial review in an open adversarial procedure, should also be explored and fully appreciated. Thus, trade secrecy risks should be assessed in the selection of service providers, the scoping of the functions to be outsourced and the use of encryption and decryption before data transfers.
Compliance: Knowing Yourself and the Law. These recent events raise questions that compliance officers and legal departments, as well as product managers and CEO’s, should answer before any kind of outsourcing takes place:
1. What does the enterprise customer do today to identify and protect its trade secrets internally?
a. Identify types of non-public information from all sources that needs to be maintained as non-public.
i. Securities (risk of liability for securities fraud)
ii. Financial information (risk of loss of advantage in pricing negotiations; risk of securities liability for failure to comply with Regulation FD or other “fair disclosure” rules)
iii. Human capital information (governed by labor laws and privacy laws)
iv. Technical data, such as designs, processes, formulae, manufacturing techniques (risk of loss of patent rights or loss of competitive advantage)
v. Marketing information (customer names and related business information relating to the enterprise’s customer relationship)
vi. Sales information (the existence of RFP’s and the contents of offers and other responses to RFP’s)
2. How much data does the enterprise need to have to accomplish its mission?
a. Avoid excessive collection and preservation of unencrypted
i. personally identifiable information (“PII”) of individuals in any business relationship.
ii. healthcare information.
iii. credit card information.
b. Avoid collection of non-public information from third parties who might be under a duty of non-disclosure, or who cannot explain how they legitimately obtained the non-public information.
3. How does the enterprise ensure that it has the legal right to know the non-public information?
a. Obtain written confirmation from the disclosing party that it has the authority to make the disclosure.
b. Identify non-disclosure agreements and categorize the information so that it can be accessed, stored, retained and destroyed in accordance with the non-disclosure agreement.
c. Limit access by persons having a legitimate “need to know.”
d. Use the non-public information only as necessary to perform a legal and permitted business activity.
e. Avoid use of bribery, coercion, theft and other illicit means of acquiring non-confidential information.
4. How does the enterprise identify and protect the trade secrets of third parties with whom it does business?
a. Identify the source of non-public information.
b. Identify the duration of any holding period for non-public information under any non-disclosure agreement.
5. What measures does the enterprise take to train and audit its employees for compliance with trade secrecy policies?
6. Does the enterprise identify special duties and special risks?
a. Does it take special measures to identify, segregate and protect “commercial secrets” or “state secrets” when dealing with a foreign state-owned enterprise (“SOE”)?
7. How are trade secret rights recognized and enforced under local law? Are such rights clearly protected, or must a company rely upon contract or criminal prosecution?
8. What are the best ways to protect trade secrets from a practical viewpoint?
a. Divide work flows or discrete functions across suppliers, countries and sources to avoid having one person or supplier know too much.
b. Retain competitive information in-house.
c. Segregate sales and marketing functions from non-public information in internal technical, financial and human resources departments.
9. What is the history of trade secret enforcement in the country?
a. Risk of inadvertent criminal liability, including vicarious liability of senior executives for misdeeds of employees (See China’s Criminal Law, article 219).
b. Risk of investing in new products or services that cannot be exploited due to misappropriation.
c. Identify any history of data security breaches and remediation activities.
10. Does the enterprise customer’s country have a “mutual legal assistance treaty” or other agreement with the service provider’s country to prosecute “cyber-crime”, so that evidence can be exchanged and used in international abuses of trade secrets?
11. What policies, practices and contractual measures does the service provider take to protect trade secrets? Are such measures a violation of antitrust law and therefore unenforceable?
Friday, March 19, 2010
Read our newest case study on "Achieving Innovation through Outsourcing: Shifting the Paradigm"
Can an enterprise customer get real innovation through outsourcing? It depends. After looking at a case study in contract manufacturing and finance and accounting outsourcing, we can draw some lessons on the squeaky wheel that will need lubrication beyond effective governance.
New Product Development. Recently, Bierce & Kenerson, P.C. was engaged by a global enterprise to assist in a two-phase deal with a supplier. In phase one, the parties entered into an agreement for the joint development of a new type of product to retrofit an old product using new energy-efficient technology. In phase two, the enterprise customer agreed to either buy the new product from the supplier or to pay a royalty for the value of the supplier’s intellectual property and development efforts. The risk of failure was essentially nil, since the enterprise customer could have developed the product alone. Yet it chose to work in tandem with the supplier to achieve a speedier path to market for a hot product with a big potential demand in order to avoid loss of market share to well-financed agile competitors.
The contract development process took much longer than the product development process for several reasons.
o Market Positioning. First, the customer and supplier had not really reached agreement on issues of exclusivity, market positioning and branding. Having already committed resources for joint development of a new innovative product offering to the enterprise’s customers, the enterprise customer lost some of its bargaining power (and actually lost some goodwill in the marketplace) until these issues were resolved in the master supply agreement.
o Financial Viability and Contingency Planning. Second, the supplier was a new entrant into the market, with venture funding but no strong ongoing revenue stream. Financial viability issues challenged the paradigm, requiring careful scenario analysis and negotiation of step-in rights using various sources of goods, services and intellectual property rights. Both parties had different compliance issues arising from separate provisions of securities disclosure laws, including the Sarbanes-Oxley Act of 2002.
o Publicity. Third, the supplier was a publicly traded company for which the new deal would require public disclosure under investor protection laws. The enterprise customer had not focused on managing the public message that might be presented by the supplier. Initially, the supplier was considering issuing messages – through its Marketing Department – that suggested that the enterprise customer could not develop the new product through its own skill, ingenuity, foresight and initiative. The supplier wanted to build its own goodwill on the back of its customer, while the customer wanted an OEM relationship. Modifications of the supply agreement were negotiated so that it would not constitute a “material” relationship for disclosure to investors. This delayed disclosure and thus enabled the enterprise customer to pursue the OEM strategy until after its entry into the new market under its own name.
o Teamwork and Leadership. Fourth, initially, the enterprise customer’s internal teams lacked a management leader to pull together all the participants in a pre-deal analysis of the entire impact. The Sales Department wanted new product to compete with new customers. The R&D Department responded to the Sales Department’s push by offering innovation through joint development with a potential competitor. The Finance Department did not kill the deal even though it lacked a strong business continuity plan. The Legal Department was told that it did not need to bind the parties in one master relationship agreement because deal terms were still being worked out for phase two (production and delivery). As the relationship evolved, the team coalesced and aligned their common interests for achieving, selling and supporting the innovative new product.
New Service Development. Use of third parties to assist in the development of new lines of service faces similar issues.
o Continuous Process Improvement. It is a best practice in outsourcing deals for service providers to deliver “continuous process improvement.” In designing the outsourcing relationship, the parties need to distinguish between incremental process improvements that come from learning how to be more efficient at a given process, on one hand, and major shifts in business process design that can yield dramatic cost savings. To overcome the hurdle, some dealmakers simply accept that, if there is no measurable “process improvement,” the service provider will drop the price over time in lieu of real process improvement. This is no substitute for true innovation through joint design.
o Intellectual Property. It is a best practice in outsourcing deals to allocate rights in existing and future intellectual property. In advance of a master services agreement, the parties must therefore distinguish between ordinary intellectual property that comes from continuous process improvement and that which flows from some form of capital investment by either party or both parties. Neither party wants to be foreclosed from using improvements or new breakthroughs. The challenge is to agree in advance on scenarios for each case and to provide rewards and governance criteria to minimize disputes on governance as the “innovation” unfolds during the course of the relationship.
o Competition by Service Providers. It is also a best practice for service providers to use a “state of the art” service delivery platform – people, process, technology and business processes – to deliver competitive services. In designing their business relationship, the parties to an outsourcing need to distinguish between the service provider’s competitive service delivery platform and the enterprise customer’s unique brand and goodwill in the marketplace. Management of the business reputation and goodwill of each party to a joint innovation project thus becomes a critical contract and business element for negotiation. It requires careful scenario analysis involving business opportunities in new markets and existing markets, capital investment and ROI hurdle rates as well as contractual provisions consistent with applicable antitrust and competition laws.
o Joint Venture. It is a best practice in outsourcing for the parties to expressly disclaim they are in a joint venture. In effect, this eliminates a fiduciary duty to account for profits from the joint efforts. This clause could defeat joint efforts in innovation, since it segregates benefits and promotes potential competition.
Designing Relationships for Innovation. These examples underscore that outsourcing and OEM contract manufacturing cannot be relied upon to achieve “innovation” without a clear business plan. That plan must include the key factors that are considered in any joint venture. Each party needs to focus on its investment, the proprietary nature of its investment and the ultimate uses of those innovations. Ultimately these factors determine the innovation’s impact on marketing, branding, sales, customer relationships, goodwill, competitive positioning and new product development. The parties need effective communication on the evolution of the innovation and on how to share future benefits and ongoing investment, if any, in maintenance.
In short, without an innovation strategy, outsourcing is unlikely to yield much other than some cost savings and some gain sharing. In any event, even such a narrow goal risks an inability to reach agreement. The parties must first reach agreement on allocating ownership of any resulting intellectual property rights and understanding the impact on each party’s competitive positioning.
Most importantly, implementing an innovation strategy will require a governance plan for managing collaboration and competition. A governance plan will identify conflicts of interest and principles for collaboratively resolving conflicts.
Monday, February 1, 2010
Humor Spotlight of the Month
Cybersecurity, n. (1) a locked door; (2) an open door with pass key; (3) trust; (4) hope.
Cyber Security Threat Management in Outsourcing: The Coming National Security Regulation of ITO, BPO and KPO
Imminent national regulation of Internet-based services will impact all companies that use the Internet for project management, collaboration, and remote transaction processing. Google and China have precipitated a showdown that may cause the extension of a web (!) of national Internet regulations, with many consequences for the freedom and costs of running a global business or servicing customers remotely. The showdown highlights the fact that cybersecurity threats come from many sources, including foreign nation states, domestic criminals and hackers, and disgruntled employees.
On January 12, 2010, Google Inc. announced by blog that it had been the target of concerted attacks from Chinese hackers, that its intellectual property had been compromised and that the attacks targeted the identities of its subscribers. See press release, http://www.sec.gov/Archives/edgar/data/1288776/000119312510005667/dex991.htm . Google’s blog revealed that “at least twenty other large companies from a wide range of businesses—including the Internet, finance, technology, media and chemical sectors” were affected. The Wall Street Journal reported that 34 U.S. companies were targets, including Adobe Systems Inc. and Juniper Networks Inc. Other companies such as Symantec acknowledged they are under constant siege of cyberattacks. Cyber warfare attacks have been reportedly used in Iran to ferret out political dissidents and in Georgia to overload telecommunications during military exercises. China filters Internet content through registration and regulation of Internet services.
Cybersecurity is a critical foundation for any country’s national security and economic security and, indirectly, for global trade in IT-enabled services and in the global supply chain. Information networks support financial services, energy, telecommunications, transportation, health care, and emergency response systems, as well as ordinary commerce, employment, education, civil liberties and social and family cohesion. The security of private information networks, such as Google, Yahoo, Symantec and Juniper Networks, and of the underlying software from vendors such as Adobe Systems and Microsoft, is the foundation for today’s global economy.
In global sourcing, cyber security is an essential commitment by any business seeking to acquire and be a trusted custodian of personally identifiable information (“PII”). If enterprises (“data controllers” under the European Union Data Protection Directive) are going to gather PII and contract with service providers (“data processors”) to process it, the risk of cyber attacks frames the debate on risk allocation, roles, responsibilities, pricing and process integration.
For all participants in the outsourcing industry, it’s time to take a fresh look at the legal structures and financial implications of cybersecurity.
Existing General U.S. Cybersecurity Laws. Current U.S. legislation and regulations already require cybersecurity compliance, audit and certification generally. Special cybersecurity mandates arise under the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, the Sarbanes-Oxley Act of 2002 (“Sox”), state security breach notification legislation and credit card rules applicable to banking transactions (the “PCI rules”). The Computer Fraud and Abuse Act, 18 USC 1030, protects against unauthorized disclosure of most computer data. In addition to securities regulations on insider trading, common law also imposes cybersecurity mandates on lawyers and others receiving confidential financial information. Other cybersecurity rules exist in other legislation:
(1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
(2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
(3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
(4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
(5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.);
(7) any other Federal law bearing upon cyber-related activities; and
(8) any applicable Executive Order or agency rule, regulation, guideline.
But there are no laws mandating that small business or individuals adopt cybersecurity standards (other than general rules).
Public and Private Assets: “Critical Infrastructure” and “Protected Systems.” Already, the cybersecurity jurisdiction of the Department of Homeland Security applies to both “critical infrastructure” and “protected systems.” The concept of “protected system” would extend the more restrictive concept of “critical infrastructure” to virtually any private computer network. A “protected system” would mean “any service, physical or computer-based system, process, or procedure that directly or indirectly affects the viability of a facility of critical infrastructure.” It would include “any physical or computer-based system, including a computer, computer system, computer or communications network, or any component hardware or element thereof, software program, processing instructions, or information or data in transmission or storage therein, irrespective of the medium of transmission or storage.” Homeland Security Act, Sec. 212. In short, national security and economic security mean that public and private assets will be managed as one suite of assets at risk.
Special Purpose Legislation: Electrical Grids. According to legislation proposed in April 2009, “According to current and former national security officials, cyber spies from China, Russia, and other countries have penetrated the United States electrical system in order to map the system, and have left behind software programs that could be used to disrupt and disable the system.” Proposed “Critical Electric Infrastructure Protection Act,” H.R. 2195, An Act to amend the Federal Power Act to provide additional authorities to adequately protect the critical electric infrastructure against cyber attack, and for other purposes, 111th Cong, 1st Sess. The proposed law would require the Secretary of Homeland Security, working with other national security and intelligence agencies, to “conduct research and determine if the security of federally owned programmable electronic devices and communication networks (including hardware, software, and data) essential to the reliable operation of critical electric infrastructure have been compromised,” including “the extent of compromise, identification of attackers, the method of penetration, ramifications of the compromise on future operations of critical electric infrastructure, secondary ramifications of the compromise on other critical infrastructure sectors and the functioning of civil society, ramifications of compromise on national security, including war fighting capability, and recommended mitigation activities.” Preamble. In short, the new law (if enacted) would amend the Homeland Security Act of 2002 (6 U.S.C. 133(i)) to require special studies to “ensure the security and resilience of electronic devices and communication networks essential to each of the critical infrastructure sectors.”
Pending General Cybersecurity Legislation: Cybersecurity Act of 2009. In April 2009, Sen. Jay Rockefeller (D., W. Va.) introduced a draft Cybersecurity Act of 2009, S 773, 111th Cong., 1st Sess. The bill’s long-form name is “An Act To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.” The draft focuses on the commercial impact of cyber espionage: “Since intellectual property is now often stored in digital form, industrial espionage that exploits weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, where economic strength and technological leadership are vital components of national power, failing to secure cyberspace puts us at a disadvantage.” S. 773, Sec. 2 (2). The drafters warned that the nation is unprepared for “a massive cyber disruption [that] could have a cascading, long-term impact without adequate co-ordination between government and the private sector.” S. 773, Sec. 2 (6).
Cybersecurity Advisory Panel. The draft law contemplates the appointment of a panel of advisors to include “representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns.” S. 773, Sec. 3(b)(i).
Cybersecurity Dashboard. The bill would also “implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce.” S. 773, Sec. 4.
Cybersecurity Institute. Under the bill, the Secretary of Commerce would provide assistance for the creation and support of “Regional Cybersecurity Centers” for the promotion and implementation of cybersecurity standards. Each Center would be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance. Such centers would seek to enhance the cybersecurity of small and medium sized businesses and industrial firms in United States through the dissemination and transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology (“NIST”). www.nist.gov. S. 773, Sec. 5(a). This approach reflects other draft legislation, such as the Cybersecurity Enhancement Act of 2009, HR 4061, 111th Cong., 1st Sess., for cybersecurity research, development, education and technical standards for identity management technologies, authentication and security protocols, expanding on the existing Cyber Security Research and Development Act (15 U.S.C. 7401).
Licensing of Cybersecurity Professionals. The draft law would require a national licensing, certification, and periodic recertification program, under the aegis of the Department of Commerce, for cybersecurity professionals (defined as “providers of cybersecurity services”). Such licensing would effectively submit all outsourcing service providers to U.S. federal jurisdiction and enforcement of cybersecurity compliance standards. S. 773, Sec. 7.
Federal Standards. Within a year after enactment, the NIST would be required to “establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks.” These would include standards for
(1) security controls that are known to block or mitigate known attacks;
(2) the software security, including a separate set of such standards for measuring security in embedded software such as that found in industrial control systems;
(3) standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks;
(4) standard configurations for security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks; and
(5) sniffer standards to identify vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.
The NIST would establish a standard testing and accreditation protocol for all software built by or for the Federal Government, its contractors, and grantees, and privately owned critical infrastructure information systems and networks. The testing would occur during the software development process and on acceptance prior to deployment of software.
International Standards. The draft Cybersecurity Act of 2009 would require the U.S. to participate in setting international standards for cybersecurity. But it stops short of any hope for an international law on cybersecurity. It does not call for a convention on cybersecurity. Certainly any negotiations for such a convention could lead to a “least common denominator” of weak standards and political excuses. In light of the impact on trade in services, certainly cybersecurity would be a subject that might fall under the mission of the World Trade Organization, www.wto.org, or the Organization for Economic Development, www.oecd.org. As it is, the International Standards Organization, www.iso.org, would be the probable forum for any such discussions. Also, the bill would require the President to “work with representatives of foreign governments” to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity and to encourage international cooperation in improving cybersecurity on a global basis. S. 773, Sec. 21.
Further Legislation. The United States already has several laws governing cyber security. The draft Cybersecurity Act of 2009 would require the President to review and propose changes in existing cybersecurity laws.
“Pulling the Plug” on Impaired Cyber Infrastructure. The Cybersecurity Act would set up a framework for national regulation of the Internet, which currently is controlled by ICANN, a California-incorporated non-profit organization. www.icann.org. One of the most controversial provisions in the bill would allow the President to shut down the Internet during a time of crisis. The President would be authorized to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network. S. 773, Sec. 18(2). The President “may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security.” S. 773, Sec. 18(6). This police power would be generally without judicial review.
Insurance and Risk Disclosure and Mitigation. The bill invites Presidential reports to Congress on ways to manage commercial risks of cyber attacks. Such reports would seek to identify the feasibility of:
(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and
(2) requiring cybersecurity to be a factor in all bond ratings. Sec. 15.
Identity Management; Identity Theft; Civil Liberties. The bill requires the President to present a report on the “feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.” This provision creates a balance between national security and civil liberties guaranteed by the Constitution.
Investment in Security. The current appropriations bill for the Department of Homeland Security, for the fiscal year ending September 30, 2010, contemplates a small budget for infrastructure security on the scale contemplated in the draft Cybersecurity Act. See, Pub. L. 111-83, H.R.2892, Department Of Homeland Security Appropriations Act, 2010, 111th Cong., 1st Sess. (Oct. 28, 2009).
Implications for Outsourcing.
New Opportunities for Outsourcing of Cybersecurity. As cybersecurity becomes more complex, new opportunities will emerge for service providers that deliver protected processes complying with new regulatory standards.
Industry Sectors; “Verticals.” Outsourcing services (including shared service centers and captive processing centers) manage many “critical infrastructures” that are essential to national security and economic security. Certain sectors are generally included in the definition of “critical infrastructures”: banking, financial services and insurance (“BFSI”), public utilities (water, telecommunications, transportation, oil and gas and electricity supply), emergency services and government. See John Moteff and Paul Parfomak, “Critical Infrastructure and Key Assets: Definition and Identification,” Cong. Research Service (Oct. 1, 2004), http://www.fas.org/sgp/crs/RL32631.pdf. The current statutory definition (established in the USA PATRIOT Act of 2001, Sec. 1016(e) and referenced in the Homeland Security Act of 2002) states:
Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating effect on the security, national economic security, national public health or safety, or any combination of those matters.
Under this sweeping definition, virtually all of outsourcing and the economic supply chain of goods and services could be seen as a “critical infrastructure” for regulation, protection and ultimately potential control by the federal government for purposes of security of the government, economy, health and safety.
Covered ITO and BPO Service Providers. The Cybersecurity Act of 2009 would apply new standards to government contractors and grantees and private sector “critical infrastructure systems and networks.” However, in due course, such standards could be applied to all “protected computers” and private computers as well.
Vendor Selection. By adopting national cybersecurity standards, any new federal legislation would affect the selection of competing outsourcing vendors, based on compliance and risk assessments. Smaller vendors that might comply today with ISO 27000 but not with the PCI credit card security standards or any new federal cybersecurity standards might not be competitive. Their market value might decline, and their selling prices in an acquisition might be lower on the basis of earnings multiples or other valuation metrics.
National Regulation of Cybersecurity. In short, all business and personal computers would be “protected systems” subject to national security protections, including registrations, licensing, compliance and verification. It is clear that the draft law would superimpose itself on all outsourcing contracts that involve the use of any computers, which is to say on all sourcing contracts.
Allocation of Risk for Compliance with Applicable Law. Generally, outsourcing contracts require service providers (including software developers and IT infrastructure support providers) to comply with applicable U.S. law. The draft Cybersecurity Act of 2009 would be implicit in all applications development and maintenance contracts. It would apply to software developed outside the United States.
Extraterritorial Application of National Laws. Currently, the United States and other countries have laws intended to regulate conduct of persons outside their borders that have an impact inside their borders. Such extraterritorial laws include the Foreign Corrupt Practices Act, the Export Administration Act and the International Trade in Arms Regulations. Outsourcing service providers already are expected to comply with such legislation. Service providers should anticipate the extension of national cybersecurity regulation to their operations outside the United States (and other countries where outsourcing customers receive the services). Further, the U.S. Homeland Security department might conduct inspections on foreign territory, subject to local governmental authorization, similar to historical inspections conducted by the Federal Aviation Administration for maintenance and repairs done abroad to U.S. registered aircraft.
Reciprocity between Governments. Protecting outsourcing as an economic process will require governments to collaborate on cybersecurity management. One can easily foresee a new dialogue between the U.S. government and the Government of India, a key source of talent for software development, ITO and BPO, for the mutual adoption of cybersecurity standards, registration, licensing and compliance procedures. A similar dialogue may eventually arise with China, which hopes to promote its technology centers and “software technology parks” as centers of excellence and sources of employment for engineers servicing non-Chinese global enterprises. Similarly, cybersecurity “best practices” are likely to evolve under the aegis of the OECD for economic regulation and NATO for military use.
For related topics:
Privacy, Data Protection and Outsourcing in the United States
Friday, October 30, 2009
Humor Spotlight of the Month
Over-and-out-sourcing, n. (1) flying a commercial passenger plane without responding to air traffic control; (2) automating the sourcing and procurement functions so that human intervention is required only for final vendor selection and signature of the agreement; (3) auto-pilot.
Sole-sourcing, n. (1) Non-competitive bidding process; (2) Renegotiation where the incumbent provider wins and the competitors are merely stalking fish; (3) a failed competitive sourcing, where one of the “final two” down-selected bidders withdraws.
Speed-sourcing, n. (1) a variation of global sourcing that involves excessive haste and concomitant regrets; (2) adrenalin rush before closing a deal; (3) variation of pharm-sourcing.
Case Study for Legal Risk Management for "Cloud Computing": Data Loss for T-Mobile Sidekick® Customers
Telecom providers are increasingly outsourcing IT functions for “cloud computing.” A widespread data loss in mid-October 2009 by an IT outsourcer to a mobile telephony provider underscores the practical limitations of using the Internet as a data storage platform.
In this episode, subscribers to T-Mobile Sidekick® mobile devices were informed that their personal data – contact information, calendars, notes, photographs, to-do lists, high scores in video games and other data – had almost certainly been lost. T-Mobile (a service of Deutsche Telekom AG) had outsourced the management of the “cloud computing” function for the Sidekick® devices to Microsoft’s subsidiary, Danger, Inc. While T-Mobile has offered a $100 freebie in lieu of financial compensation and some data was recovered, the case invites legal analysis of the liability of any service provider – whether for mobile telephony or enterprise backup and remote storage – for “software as a service” (“SaaS”) or “cloud computing.”
Technological Framework for “Cloud Computing.” “Cloud computing” means simply that data are processed and stored at a remote location on a service provider’s network, not on the enterprise’s network or a consumer’s home computer. Such data could be any form of digital information, ranging from e-mail messages (such as those stored by Google and Yahoo!) to databases, customer records, personal health information, employee information, company financial information, customer contracts and logistics information.
“Clouds” come in two flavors: public and private.
o In a public cloud, the general principles of the Internet apply, and data transmissions can flow between many different third-party computers before reaching the service provider’s servers. Amazon offers hardware in variable computing capacities in its “Elastic Compute Cloud” (or “EC2”) services. Similarly, Google offers an “App Engine.”
o In a private cloud, one service provider (alone or with its subcontractors) controls the entire end-to-end transport, processing, storage and retrieval of data.
Cloud computing exposes users to some key vulnerabilities and added costs:
o The user depends on a high-performance Internet connection. Service level performance cannot be guaranteed except in private clouds.
o “Single points of failure” (“SPOF”) in data transmission, processing and storage, for which special security measures and redundancy may be required. Heightened security risks require extra resources.
o Loss of control over the public portion of a “public cloud” can impair performance through delays and data loss resulting from uncontrolled environments.
o Delays in data restoration may occur due to interruptions in data transmissions.
o Business continuity, resumption and data protection require special solutions.
o Passwords could be guessed with the help of information gathered from social networking tools. If the user accounts are maintained internally in a controlled network, the systems can apply techniques to detect and stop misuse and abuse by users based on aberrational access profiles and unauthorized territorial access. In a public cloud, security tools such as data leak prevention (“DLP”) software, data fingerprinting, data audit trail software and other tools might not be effective.
Such vulnerabilities explain why “cloud computing” needs special controls if used as a platform for providing outsourced services.
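The last bullet above mentions detecting misuse from “aberrational access profiles and unauthorized territorial access.” The following is an added example (not code from the original post or from any provider it names) showing what such a control looks like in practice. It assumes a constructed login log in the form “timestamp user source_country result” (usernames, countries and timestamps are all made up for the example) and raises alerts for three patterns: a successful login from a country the account has never been used from, two successful logins from different countries closer together than plausible travel allows, and a burst of failed passwords followed by a success, which is what password guessing looks like from the server side. The thresholds are assumptions a practitioner would tune to their own environment.

```python
"""Access-profile anomaly detection over constructed login records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_country result".
# alice normally logs in from US; bob suffers a burst of failed logins.
SAMPLE_LOG = """\
2009-10-10T08:02:11Z alice US success
2009-10-10T09:15:42Z alice US success
2009-10-11T08:30:05Z alice US success
2009-10-12T08:05:19Z alice US success
2009-10-12T08:40:00Z alice RU success
2009-10-12T10:00:01Z bob DE success
2009-10-12T10:00:09Z bob DE failure
2009-10-12T10:00:15Z bob DE failure
2009-10-12T10:00:21Z bob DE failure
2009-10-12T10:00:27Z bob DE failure
2009-10-12T10:00:33Z bob DE failure
2009-10-12T10:01:00Z bob DE success
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "country": country, "result": result})
    return events


def detect_anomalies(events, min_history=3, max_failures=5,
                     failure_window=timedelta(seconds=60),
                     min_travel_gap=timedelta(hours=2)):
    """Return (kind, user, timestamp) alerts, processing events in time order.

    Baselines are learned from the stream itself: a user's "known" countries
    are those seen in earlier successful logins, and territorial checks only
    start once the user has at least min_history successes (warm-up period).
    """
    alerts = []
    seen_countries = defaultdict(lambda: defaultdict(int))  # user -> country -> count
    last_success = {}                                      # user -> (ts, country)
    failures = defaultdict(deque)                          # user -> recent failure times
    last_burst = {}                                        # user -> time of last burst

    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts, country = e["user"], e["ts"], e["country"]
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")

        if e["result"] == "failure":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > failure_window:   # drop stale failures
                q.popleft()
            if len(q) >= max_failures:                 # password-guessing burst
                alerts.append(("failure_burst", user, stamp))
                last_burst[user] = ts
                q.clear()                              # one alert per burst
            continue

        # A success shortly after a failure burst is the signal that matters most.
        if user in last_burst and ts - last_burst[user] <= failure_window:
            alerts.append(("success_after_burst", user, stamp))

        history = seen_countries[user]
        if sum(history.values()) >= min_history and country not in history:
            alerts.append(("new_country", user, stamp))   # unauthorized territory

        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] < min_travel_gap:
            alerts.append(("impossible_travel", user, stamp))

        history[country] += 1
        last_success[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for kind, user, stamp in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{stamp} {user}: {kind}")
```

On the sample data the detector reports alice's Russian login both as a new country and as impossible travel (35 minutes after a US login), and reports bob's five failures within 24 seconds as a burst followed by a suspicious success. The point the bullet makes is that these checks need the account history and the raw authentication events, which an enterprise has for accounts it hosts itself but typically does not get from a public cloud provider.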
In the October 2009 T-Mobile debacle, users relied on the telecom service provider to store and back up the data. Mobile telephony devices (other than laptops) were seen as tools for creating, but not storing, significant volumes of data. Remote data storage was a unique selling proposition, or so one thought.
T-Mobile’s Technological Failure. On its website, T-Mobile exposed the technological sources of the failure of its “cloud computing” for mobile devices. It explained:
We have determined that the outage was caused by a system failure that created data loss in the core database and the back-up. We rebuilt the system component by component, recovering data along the way. This careful process has taken a significant amount of time, but was necessary to preserve the integrity of the data.
SOURCE: http://forums.t-mobile.com/tmbl/board/message?board.id=Sidekick2&thread.id=22698, Oct. 15, 2009 update.
Mitigating Damages: Public Relations Strategy for Restoring Customer Confidence and Maintaining Brand Goodwill. After some delay, without admitting any liability or damages, T-Mobile adopted a “damage control” strategy borrowed from the usual “disaster recovery” process models:
Compensation. It offered any affected customers a $100 gift card for their troubles in addition to a free month of service.
Communication Outbound. It created and updated a Web forum for Sidekick users to get information about the nature of the problems, whether the data loss was irretrievable and the time to resume operations.
Communication Inbound. It provided an e-mail contact address so that it could respond to inquiries and thus identify and counteract rumors that might have been spreading.
Compliance. T-Mobile notified the public media since the “disaster” exposed it to the possibility that more than 5,000 consumers in any particular state might have had their personally identifiable information (“PII”) exposed to unauthorized persons such as hackers. Such notifications (along with other notices to individual customers and designated government officials) are mandated by state law in over 40 states.
Corrections and Control. It focused on remediation first, deferring problem resolution with any claims against its service provider, Microsoft’s subsidiary Danger, Inc.
Confidentiality. It kept its communications with its failing provider confidential and focused on remediation.
Escaping Liability for Damages. Generally, telecom service providers disclaim liability in excess of a small amount. Further, service contracts contain exclusions of liability for consequential damages as well as force majeure clauses. Generally, such disclaimers and exclusions are enforceable. However, various legal theories might prevent a service provider from escaping liability for failed service delivery.
Legal Risks for Providers of “Cloud Computing” Services. T-Mobile consumers might assert various legal theories against T-Mobile for damages if their data are not fully restored, or if T-Mobile fails to act promptly and reasonably to mitigate damages to consumers.
False Advertising; Unfair and Deceptive Practices. State and federal laws prohibit false or deceptive advertising and unfair and deceptive practices. Enforcement of these laws is generally restricted to governmental agencies such as the Federal Trade Commission, the Federal Department of Justice and the state Attorneys General. Deception is a term of art and depends on the facts. In this case, the question is how solidly did T-Mobile portray the benefits of “cloud computing,” and did it warn against loss of data. If T-Mobile can show that it warned users of potential data loss and recommended that they back up their own data, such a warning might relieve it from liability. If T-Mobile represented that it would use reasonable security, backup and business continuity services, subscribers with lost data might have a claim of negligence or gross negligence.
Consumer Fraud. Under common law and state consumer protection laws, generally, a fraud occurs when the seller knowingly misleads or makes a false statement of fact to induce the consumer to make a purchase. A massive fraud is subject to a class-action claim in Federal court under Federal Rules of Civil Procedure.
Magnuson-Moss Warranty Act. Normally, an outsourcing services contract is not one that is associated with the maintenance of a product such as a telephone or a computer. If the service provider were also selling any equipment to the customer, and the customer were a “consumer,” and the service provider’s agreed to maintain or repair the consumer product, then the Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq. would apply. This risk explains why sellers of consumer products (mobile telephones) offer only limited warranties. The Magnuson-Moss Warranty Act is probably not a source of potential liability for T-Mobile, but that depends on the customer contracts.
Privacy Violations. Cloud computing providers may become liable to consumers or enterprise customers for failure to comply with applicable privacy statutes. Such statutes protect personal health information (under HIPAA), personal financial information (under the Gramm-Leach-Bliley Act), personally identifiable information (state and federal laws), financial information of a plan fiduciary under ERISA, or simply confidential information that could be a trade secret or potentially patentable idea of an enterprise or its customers, suppliers or licensors. Data covered by export control laws and regulations governing trade in arms and “defense articles” are thus not good candidates for “cloud computing” except for “private clouds.”
Enterprises hiring third parties to remotely process and manage their operational data are liable to third parties if any protected data is mishandled, depending on the exact wording of the law. Allocation of liability for privacy and security violations is typically a negotiated element of any outsourcing agreement.
Protecting Consumers in Cloud Computing. The legal framework for “cloud computing” needs to be well defined before it can become a reliable business model replacing networks or local workstations. Regardless of disclaimers in consumer contracts, providers of “cloud computing” services will need to adopt reliable, resilient storage backups, disaster recovery and business continuity services. Moreover, when hiring a “cloud computing” service provider (as T-Mobile did when it hired Microsoft/Danger, Inc.), the seller must ensure high standards by its subcontractors. Telecom outsourcing to IT providers requires special technical and legal controls to protect the consumer and the telecom carrier.
Thursday, August 6, 2009
Microsoft's Sweet Deal for Yahoo! Search Businesses: WYSIWYG for SLA's
Five days after announcing the deal for licensing of Yahoo’s search technology in return for Microsoft’s commitment to manage the search functions for Yahoo!, on August 4, 2009, Yahoo! revealed the details of the Microsoft-Yahoo! agreement to enter into a definitive “global Search and Advertising Services and Sales Agreement.”
The details are not very pretty for Yahoo! as an outsourcing customer of back office support for its core business of Internet search services.
Maybe something is better than nothing. Yahoo! was essentially not saleable at any price due to the 65% market share of Google, Yahoo!’s smaller market share and the financial strengths of Google and Microsoft to make future technology investments.
As an “outsourcing” deal, there are some key issues, including termination contingencies and Service Level Agreements (SLA’s). Yahoo! is very exposed on each of these key performance indicators (KPI). It gets what Microsoft delivers, WYSIWYG. It has the flavor of a divestiture, not an outsourcing.
Scope. Microsoft will take over R&D expenses for improving the Yahoo! search engine. Microsoft’s role is limited to website technology for Internet websites, applications and other online digital properties designed for use and consumption on personal computers. If Yahoo! wants, it can implement Microsoft mobile search and mapping services, either exclusively or non-exclusively (though the financial terms were not disclosed). Yahoo! will be the exclusive worldwide sales force for the “premium search advertisers” of both parties.
Transition Costs. Microsoft is paying $50 million for each of the first three years to assist Yahoo! in paying Yahoo!’s transition costs. This looks like a payment for the value of the 400 IT staff that Microsoft is rebadging from Yahoo!.
Transition Plan: “WYGIWYG”. The transition is scheduled to complete within two years after the “Commencement Date.” Most outsourcing deals have much tighter schedules. New “best practices”: “What you get is what you get.”
Termination Contingencies.
• Shotgun Marriage – Arbitrators to the Rescue? There is “no deal” if the parties cannot reach definitive agreement by October 27, 2009 (about 90 days after the deal was reached). But that does not matter. The parties adopted a binding arbitration process to choose, without any modification, one party or the other’s proposed contracts. They agree to sign the contracts within 3 days of the panel’s ruling, but they leave some room “to resolve potential inconsistencies” in the final deal terms.
• Regulatory Approvals. Microsoft agreed to use its “best efforts” (a high standard of care, including moving mountains to get there) to get regulatory approvals, including commitments to restrictions on its own activities in “search and paid search.” If Microsoft fails, Microsoft must defend antitrust enforcement action, though it’s unclear when it can acquiesce.
• Shotgun Marriage – Risk of “Annulment” due to Possible Misrepresentations. Either party can escape the deal by declaring that the other is in material breach of its representations. However, without “Definitive Agreements” being signed, no one knows what those representations are.
• 12 or 18 Month Window to Get Started. The deal dies if “the conditions to commencement have not been satisfied by July 29, 2010.” If Yahoo! wishes, it may extend this window by another 6 months. In short, Microsoft insisted on the right to walk away in 18 months if the deal has any loose ends.
WYSIWYG Service Level Agreements. The Microsoft Windows® operating system became dominant because it allowed users to see formatting. Well, in this deal, the SLA’s for R&D are nothing other than whatever Microsoft does for itself, in Microsoft’s own format. Also, “Microsoft will not treat Yahoo! or Yahoo!’s Syndication Partners less favorably than Microsoft and Microsoft’s partners in connection with its delivery and operation of the services.”
Such non-SLA’s are common in the sale of a business unit, where the selling parent company agrees to manage the administrative back office functions of the spun-off or divested subsidiary for a year. This “non-SLA” is useful to prevent unfair or discriminatory treatment, but does nothing to ensure competitiveness, continuous improvement, minimum features or other metrics of quality.
So, it’s not a classic outsourcing deal with classic SLA’s and the customary clauses giving flexibility in termination, scope change, adaptation to the market. It’s an exit plan with a hope to compete against Google! Yahoo! is hoping Microsoft will rescue it from further decline, and it represents the best alternative to simply exiting the market that requires further investment and faces heavy competition from Google!
Tuesday, August 4, 2009
Yahoo! Deal with Microsoft: Joint Venture, Outsourcing or Exit from Core Business?
Times are tough. Maybe it’s time to do a joint venture with your competitor, and license your core technology to your competitor and get it back as outsourced services, to save some expenses and hopefully allow you to stay in business…for a while.
What has been announced as a joint venture and technology license has a strong resemblance to an outsourcing deal that shifts operational responsibility to the “service partner” (Microsoft) who gets a 12% gainsharing compensation package plus talented personnel plus elimination of a potential competitor.
The global economic decline and the Internet search market domination by Google pushed Yahoo! to explore selling the company. On July 29, 2009, Yahoo! and Microsoft announced their “joint venture” to enable Yahoo! to rely on Microsoft for future software development in the search engine business while Yahoo! retains its customers. The 10-year deal includes a license by Yahoo! to allow Microsoft to use Yahoo! search technology. Yahoo! gets 88% of search and ad revenues from its own websites (subject to repricing after five years) and Microsoft keeps 100% of corresponding revenues from Microsoft websites. The business value for Yahoo! lies in the estimated $500 million annual savings in operations (including transfer of personnel to Microsoft), capital expenditure savings of approximately $200 million and a savings of annual operating cash flow of approximately $275 million. The deal is estimated to take 24 months to implement after completion of regulatory review and approval.
This “joint venture” is not only a classic outsourcing deal with some twists; it also resulted in a licensing deal. In February 2008, Microsoft offered to buy Yahoo! for $44.6 billion. Microsoft then projected economies of $1 billion a year, to come from a more efficient company with synergies in (i) scale economics driven by audience critical mass and increased value for advertisers; (ii) combined engineering talent to accelerate innovation; (iii) operational efficiencies through elimination of redundant cost; and (iv) the ability to innovate in emerging user experiences such as video and mobile. Because of regulatory opposition to such consolidation and convergence in a concentrated market, instead of a merger Yahoo! got just a licensing deal. Google also attempted to acquire Yahoo! For a further chronology, see http://www.thestandard.com/news/2009/07/29/microsoft-yahoo-deal-was-long-time-making?page=0%2C0
“The potential risks and uncertainties include, among others,
What's missing from this list? The press release is silent on:
The deal offers several strategic advantages for Yahoo! These include finding a buyer of its information technology (though it’s only a license for 10 years, with pricing firm only for 5 years), avoiding further investment in such technology in the face of competition from Google and Microsoft, and retention of roughly 7/8ths of its existing cash flow from search engine and advertising services.
For Microsoft, it gets to focus its competition on Google and gains some revenue (12%) for its Internet search operations. Microsoft saves about $35 billion in the deal.
The regulatory review process will include U.S. antitrust and European Union competition law. Regulatory approval is far from certain. Furthermore, while such regulatory review is pending, customers may conclude that Yahoo! has effectively moved away from its core business and might migrate to Microsoft or Google in any event. Indeed, regulatory review in IT and Internet businesses has proven to be slow, sometimes so slow as to nullify the business opportunity and too slow to reflect rapid changes (which regulators find difficult to identify or define) in the markets. All this may explain why Yahoo! shares tumbled 15% on the announcement.
Lessons for outsourcing service providers:
Tuesday, July 14, 2009
Humor Spotlight of the Month
Business Process Transformation, n. (1) "Erector Set" for Business; (2) Extreme Makeover, Corporate Edition; (3) instant transformation, as in prestidigitation and legerdemain; (4) a spell taught at Hogwarts School of Magic and Wizardry.
Business Process Management for the Service-Driven Organization: Role of Policies and Procedures Manuals for Governance in Sourcing and Outsourcing
In any business process, the governance and management of operations depends on following policies and procedures. This chapter addresses the use of policies and procedures manuals for service management and business process transformation (“BPT”).
Service Management. For repetitive processes, having a script and flow chart of operations serves to train personnel, enables supervisors to determine conformity of actual services to the intended procedures and ensures delivery of any committed service levels (“service level agreements”, or “SLA’s”).
Service Catalog. Most organizations today are an amalgamation of multiple services in support of a common business goal under a common brand. To customers, the organization offers different services. Business process management (“BPM”) defines the service suite into a catalog of services. Effective BPM can enable more effective quality management and compliance with standards.
Business Processes as Trade Secrets. Development and updating of policies and procedures manuals involves the enterprise’s core, its trade secrets. By definition, a trade secret is information or a process used in a business that gives it competitive advantage since it is not widely known. Policy manuals need to be protected from security breaches. Individuals having access to trade secrets need to be contractually restricted, and appropriate physical and logical security measures are appropriate.
Intellectual Property and Ownership of the Process. Processes are subject to intellectual property rights. The process itself may be subject to patent or trade secret. The manual will be subject to copyright. The labeling of the process, the goods or the services to customers may be subject to trademarks and trade names. Publicity, human resource “poaching” and competitive activities that relate to business processes may be subject to unfair competition. Covenants not to compete, not to solicit employees and not to use or disclose confidential information may apply too.
Shareholder Value from Portability and Fungibility. Defined business processes are portable and can be performed interchangeably by any trained person. For the enterprise, this creates an opportunity to use service level management to achieve cost management and price transparency. Depending on the costs of training, real estate costs and the value added (measured, for example, by ROI and ROE), shareholder value can be maximized by retaining the high-value processes and outsourcing the rest. “Value” needs to be adjusted for risk, since some key processes (such as marketing vision, business strategy, the design and structuring of new goods and services, prototyping and similar “right-brain” thinking) cannot be effectively outsourced.
Budgeting. Written procedures also support budgeting, because a documented procedure implicitly defines the time and other resources required to perform a task. Budgets can in turn be used for chargebacks to the client organization’s affected departments, so that fully distributed costs and net profits are reflected more accurately. Net profit calculations for a department may be used for incentive compensation to managers and affected personnel.
The “Change Control” Process. Designing and maintaining manuals for policies and procedures imposes a bureaucratic overhead. If procedures change often, there will be additional training, management intervention and administrative updating of the manuals. A formal change control process keeps the manuals, the training and the actual operations in step, so that the documented procedure remains the one that is followed and audited.
Contracting for External Services. Outsourcing contracts should address the legal issues relating to development, maintenance, use, ownership and changes in business processes and related procedures manuals. Vendors should be selected based on their ability to work within applicable business processes, to assist in improving those processes and in ensuring compliance with applicable legal, security, risk management, governance, corporate social responsibility and codes of conduct, import/export and other operational policies.
Risk Management. Process management has a critical impact on the continuity of one’s business. External service providers should have their own internal processes and procedures for business continuity that integrate with and support the enterprise customer’s operations. Special attention should be given to procedures for a security breach, a force majeure event, a breach of any statutory or regulatory compliance obligation, or any other business interruption.
Getting Started. There are several good software tools in the marketplace that allow an organization to design and manage its business processes. Some tools combine process design with governance, compliance and risk management. Business process management is an essential tool for the growing service organization. Supply chain management starts with good policies and procedures.