Friday, October 30, 2009

Humor Spotlight of the Month

Over-and-out-sourcing, n. (1) flying a commercial passenger plane without responding to air traffic control; (2) automating the sourcing and procurement functions so that human intervention is required only for final vendor selection and signature of the agreement; (3) auto-pilot.

Sole-sourcing, n. (1) Non-competitive bidding process; (2) Renegotiation where the incumbent provider wins and the competitors are merely stalkingfish; (3) a failed competitive sourcing, where one of the “final two” down-selected bidders withdraws.

Speed-sourcing, n. (1) a variation of global sourcing that involves excessive haste and concomitant regrets; (2) adrenalin-rush before closing a deal; (3) variation of pharm-sourcing.

Case Study for Legal Risk Management for "Cloud Computing": Data Loss for T-Mobile Sidekick® Customers

Telecom providers are increasingly outsourcing IT functions for “cloud computing.” A widespread data loss in mid-October 2009 by an IT outsourcer to a mobile telephony provider underscores the practical limitations of using the Internet as a data storage platform.

In this episode, subscribers to T-Mobile Sidekick® mobile devices were informed that their personal data – contact information, calendars, notes, photographs, to-do lists, high scores in video games and other data – had almost certainly been lost. T-Mobile (a service of Deutsche Telekom AG) had outsourced the management of the “cloud computing” function for the Sidekick® devices to Microsoft’s subsidiary, Danger, Inc. While T-Mobile has offered a $100 freebie in lieu of financial compensation and some data was recovered, the case invites legal analysis of the liability of any service provider – whether for mobile telephony or enterprise backup and remote storage – for “software as a service” (“SaaS”) or “cloud computing.”

Technological Framework for “Cloud Computing.” “Cloud computing” means simply that data are processed and stored at a remote location on a service provider’s network, not on the enterprise’s network or a consumer’s home computer. Such data could be any form of digital information, ranging from e-mail messages (such as those stored by Google and Yahoo!) to databases, customer records, personal health information, employee information, company financial information, customer contracts and logistics information.

“Clouds” come in two flavors: public and private.

o In a public cloud, the general principles of the Internet apply, and data transmissions can flow between many
different third-party computers before reaching the service provider’s servers. Amazon offers hardware in variable
computing capacities in its “Elastic Compute Cloud” (or “EC2”) services. Similarly, Google offers an “App Engine.”

o In a private cloud, one service provider (alone or with its subcontractors) controls the entire end-to-end transport,
processing, storage and retrieval of data.

Cloud computing exposes users to some key vulnerabilities and added costs:

o The user depends on a high-performance Internet connection. Service level performance cannot be guaranteed
except in private clouds.

o “Single points of failure” (“SPOF”) in data transmission, processing and storage, for which special security
measures and redundancy may be required. Heightened security risks require extra resources.

o Loss of control over the public portion of a “public cloud” can impair performance through delays and data loss
resulting from uncontrolled environments.

o Delays in data restoration may occur due to interruptions in data transmissions.

o Business continuity, resumption and data protection require special solutions.

o Passwords could be guessed at using social networking tools, but if the user accounts are maintained internally in
a controlled network, the systems could use techniques to detect and eradicate misuses and abuses from users
based on aberrational access profiles and unauthorized territorial access. In a public cloud, security tools such as
data leak prevention (“DLP”) software, data fingerprinting, data audit trail software and other tools might not be

Such vulnerabilities explain why “cloud computing” needs special controls if used as a platform for providing outsourced services.

In the October 2009 T-Mobile debacle, users relied on the telecom service provider to store and back up the data. Mobile telephony devices (other than laptops) were seen as tools for creating, but not storing, significant volumes of data. Remote data storage was a unique selling proposition, or so one thought.

T-Mobile’s Technological Failure. On its website, T-Mobile exposed the technological sources of the failure of its “cloud computing” for mobile devices. It explained:

We have determined that the outage was caused by a system failure that created data loss in the core database and the back-up. We rebuilt the system component by component, recovering data along the way. This careful process has taken a significant amount of time, but was necessary to preserve the integrity of the data.
SOURCE: Oct. 15, 2009 update.

Mitigating Damages: Public Relations Strategy for Restoring Customer Confidence and Maintaining Brand Goodwill. After some delay, without admitting any liability or damages, T-Mobile adopted a “damage control” strategy adapted from the usual “disaster recovery” process models:

Compensation. It offered any affected customers a $100 gift card for their troubles in addition to a free month of service.

Communication Outbound. It created and updated a Web forum for Sidekick users to get information about the nature of the problems, whether the data loss was irretrievable and the time to resume operations.

Communication Inbound. It provided an e-mail contact address so that it could respond to inquiries and thus identify and counteract rumors that might have been spreading.

Compliance. T-Mobile notified the public media since the “disaster” exposed it to the possibility that more than 5,000 consumers in any particular state might have had their personally identifiable information (“PII”) exposed to unauthorized persons such as hackers. Such notifications (along with other notices to individual customers and designated government officials) are mandated by state law in over 40 states.

Corrections and Control. It focused on remediation first, deferring problem resolution with any claims against its service provider, Microsoft’s subsidiary Danger, Inc.

Confidentiality. It kept its communications with its failing provider confidential and focused on remediation.

Escaping Liability for Damages. Generally, telecom service providers disclaim liability in excess of a small amount. Further, service contracts contain exclusions of liability for consequential damages as well as force majeure clauses. Generally, such disclaimers and exclusions are enforceable. However, various legal theories might prevent a service provider from escaping liability for failed service delivery.

Legal Risks for Providers of “Cloud Computing” Services. T-Mobile consumers might assert various legal theories against T-Mobile for damages if their data are not fully restored, or if T-Mobile fails to act promptly and reasonably to mitigate damages to consumers.

False Advertising; Unfair and Deceptive Practices. State and federal laws prohibit false or deceptive advertising and unfair and deceptive practices. Enforcement of these laws is generally restricted to governmental agencies such as the Federal Trade Commission, the Federal Department of Justice and the state Attorneys General. Deception is a term of art and depends on the facts. In this case, the question is how solidly did T-Mobile portray the benefits of “cloud computing,” and did it warn against loss of data. If T-Mobile can show that it warned users of potential data loss and recommended that they back up their own data, such a warning might relieve it from liability. If T-Mobile represented that it would use reasonable security, backup and business continuity services, subscribers with lost data might have a claim of negligence or gross negligence.

Consumer Fraud. Under common law and state consumer protection laws, generally, a fraud occurs when the seller knowingly misleads or makes a false statement of fact to induce the consumer to make a purchase. A massive fraud is subject to a class-action claim in Federal court under Federal Rules of Civil Procedure.

Magnuson-Moss Warranty Act. Normally, an outsourcing services contract is not one that is associated with the maintenance of a product such as a telephone or a computer. If the service provider were also selling any equipment to the customer, and the customer were a “consumer,” and the service provider agreed to maintain or repair the consumer product, then the Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq., would apply. This risk explains why sellers of consumer products (mobile telephones) offer only limited warranties. The Magnuson-Moss Warranty Act is probably not a source of potential liability for T-Mobile, but that depends on the customer contracts.

Privacy Violations. Cloud computing providers may become liable to consumers or enterprise customers for failure to comply with applicable privacy statutes. Such statutes protect personal health information (under HIPAA), personal financial information (under the Gramm-Leach-Bliley Act), personally identifiable information (state and federal laws), financial information of a plan fiduciary (under ERISA or other law), or simply confidential information that could be a trade secret or potentially patentable idea of an enterprise or its customers, suppliers or licensors. Data subject to export control laws and regulations governing trade in arms and “defense articles” are thus not good candidates for “cloud computing,” except in “private clouds.”

Enterprises hiring third parties to remotely process and manage their operational data are liable to third parties if any protected data is mishandled, depending on the exact wording of the law. Allocation of liability for privacy and security violations is typically a negotiated element of any outsourcing agreement.

Protecting Consumers in Cloud Computing. The legal framework for “cloud computing” needs to be well defined before it can become a reliable business model replacing networks or local workstations. Regardless of disclaimers in consumer contracts, providers of “cloud computing” services will need to adopt reliable, resilient storage backups, disaster recovery and business continuity services. Moreover, when hiring a “cloud computing” service provider (as T-Mobile did when it hired Microsoft/Danger, Inc.), the seller must ensure high standards by its subcontractors. Telecom outsourcing to IT providers requires special technical and legal controls to protect the consumer and the telecom carrier.

Thursday, August 6, 2009

Microsoft's Sweet Deal for Yahoo! Search Businesses: WYSIWYG for SLA's

Five days after announcing the deal for licensing of Yahoo’s search technology in return for Microsoft’s commitment to manage the search functions for Yahoo!, on August 4, 2009, Yahoo! revealed the details of the Microsoft-Yahoo! agreement to enter into a definitive “global Search and Advertising Services and Sales Agreement.”

The details are not very pretty for Yahoo! as an outsourcing customer of back office support for its core business of Internet search services.

Maybe something is better than nothing. Yahoo! was essentially not saleable at any price due to the 65% market share of Google, Yahoo!’s smaller market share and the financial strengths of Google and Microsoft to make future technology investments.

As an “outsourcing” deal, there are some key issues, including termination contingencies and Service Level Agreements (SLA’s). Yahoo! is very exposed on each of these key performance indicators (KPI). It gets what Microsoft delivers, WYSIWYG. It has the flavor of a divestiture, not an outsourcing.

Scope. Microsoft will take over R&D expenses for improving the Yahoo! search engine. Microsoft’s role is limited to website technology for Internet websites, applications and other online digital properties designed for use and consumption on personal computers. If Yahoo! wants, it can implement Microsoft mobile search and mapping services, either exclusively or non-exclusively (though the financial terms were not disclosed). Yahoo! will be the exclusive worldwide sales force for the “premium search advertisers” of both parties.

Transition Costs. Microsoft is paying $50 million for each of the first three years to assist Yahoo! in paying Yahoo!’s transition costs. This looks like a payment for the value of the 400 IT staff that Microsoft is rebadging from Yahoo!.

Transition Plan: “WYGIWYG”. The transition is scheduled to complete within two years after the “Commencement Date.” Most outsourcing deals have much tighter schedules. New “best practices”: “What you get is what you get.”

Termination Contingencies.

o Shotgun Marriage – Arbitrators to the Rescue? There is “no deal” if the parties cannot reach definitive agreement by October 27, 2009 (about 90 days after the deal was reached). But that does not matter. The parties adopted a binding arbitration process to choose, without any modification, one party or the other’s proposed contracts. They agree to sign the contracts within 3 days of the panel’s ruling, but they leave some room “to resolve potential inconsistencies” in the final deal terms.

o Regulatory Approvals. Microsoft agreed to use its “best efforts” (a high standard of care, including moving mountains to get there) to get regulatory approvals, including commitments to restrictions on its own activities in “search and paid search.” If Microsoft fails, Microsoft must defend antitrust enforcement action, though it’s unclear when it can

o Shotgun Marriage – Risk of “Annulment” due to Possible Misrepresentations. Either party can escape the deal by declaring that the other is in material breach of its representations. However, without “Definitive Agreements” being signed, no one knows what those representations are.

o 12 or 18 Month Window to Get Started. The deal dies if “the conditions to commencement have not been satisfied by July 29, 2010.” If Yahoo! wishes, it may extend this window by another 6 months. In short, Microsoft insisted on the right to walk away in 18 months if the deal has any loose ends.

WYSIWYG Service Level Agreements. The Microsoft Windows® operating system became dominant because it allowed users to see formatting. Well, in this deal, the SLA’s for R&D are nothing other than whatever Microsoft does for itself, in Microsoft’s own format. Also, “Microsoft will not treat Yahoo! or Yahoo!’s Syndication Partners less favorably than Microsoft and Microsoft’s partners in connection with its delivery and operation of the services.”

Such non-SLA’s are common in the sale of a business unit, where the selling parent company agrees to manage the administrative back office functions of the spun-off or divested subsidiary for a year. This “non-SLA” is useful to prevent unfair or discriminatory treatment, but does nothing to ensure competitiveness, continuous improvement, minimum features or other metrics of quality.

So, it’s not a classic outsourcing deal with classic SLA’s and the customary clauses giving flexibility in termination, scope change, adaptation to the market. It’s an exit plan with a hope to compete against Google! Yahoo! is hoping Microsoft will rescue it from further decline, and it represents the best alternative to simply exiting the market that requires further investment and faces heavy competition from Google!

Tuesday, August 4, 2009

Yahoo! Deal with Microsoft: Joint Venture, Outsourcing or Exit from Core Business?

Times are tough. Maybe it’s time to do a joint venture with your competitor, and license your core technology to your competitor and get it back as outsourced services, to save some expenses and hopefully allow you to stay in business…for a while.

What has been announced as a joint venture and technology license has a strong resemblance to an outsourcing deal that shifts operational responsibility to the “service partner” (Microsoft) who gets a 12% gainsharing compensation package plus talented personnel plus elimination of a potential competitor.

The global economic decline and the Internet search market domination by Google pushed Yahoo! to explore selling the company. On July 29, 2009, Yahoo! and Microsoft announced their “joint venture” to enable Yahoo! to rely on Microsoft for future software development in the search engine business while Yahoo! retains its customers. The 10-year deal includes a license by Yahoo! to allow Microsoft to use Yahoo! search technology. Yahoo! gets 88% of search and ad revenues from its own websites (subject to repricing after five years) and Microsoft keeps 100% of corresponding revenues from Microsoft websites. The business value for Yahoo! lies in the estimated $500 million annual savings in operations (including transfer of personnel to Microsoft), capital expenditure savings of approximately $200 million and a savings of annual operating cash flow of approximately $275 million. The deal is estimated to take 24 months to implement after completion of regulatory review and approval.

This “joint venture” is not only a classic outsourcing deal with some twists, but resulted in a licensing deal. In February 2008, Microsoft offered to buy Yahoo! for $44.6 billion. Microsoft then projected economies of $1 billion a year, to come from a more efficient company with synergies in (i) scale economics driven by audience critical mass and increased value for advertisers; (ii) combined engineering talent to accelerate innovation; (iii) operational efficiencies through elimination of redundant cost; and (iv) the ability to innovate in emerging user experiences such as video and mobile. Because of regulatory opposition to such consolidation and convergence in a concentrated market, instead of a merger Yahoo! got just a licensing deal. Google also attempted to acquire Yahoo! For a further chronology, see

“The potential risks and uncertainties include, among others,
  1. the expected financial and other benefits of the agreement with Microsoft may not be realized, including as a result of actions taken by United States or foreign regulatory authorities and the response or acceptance of the agreement by publishers, advertisers, users, and employees and Yahoo!'s strategic and business partners;
  2. the impact of management and organizational challenges;
  3. the implementation and results of Yahoo!'s ongoing strategic and cost initiatives;
  4. Yahoo!'s ability to compete with new or existing competitors;
  5. reduction in spending by, or loss of, marketing services customers;
  6. the demand by customers for Yahoo!'s premium services;
  7. acceptance by users of new products and services;
  8. risks related to joint ventures and the integration of acquisitions;
  9. risks related to Yahoo!'s international operations;
  10. failure to manage growth and diversification;
  11. adverse results in litigation, including intellectual property infringement claims;
  12. Yahoo!'s ability to protect its intellectual property and the value of its brands;
  13. dependence on key personnel;
  14. dependence on third parties for technology, services, content and distribution; and
  15. general economic conditions and changes in economic conditions.”

What's missing from this list? The press release is silent on:

  1. the "service level agreement" performance obligations of Microsoft for software development of the Microsoft Bing search engine;
  2. transition planning;
  3. the definition of "in-scope" personnel who will transition from Yahoo! to Microsoft;
  4. the impact on Yahoo! of its loss of its IT personnel to Microsoft's team;
  5. the re-definition of Yahoo!'s strategic position in the online marketplace;
  6. any prohibitions on competitive transactions with Google or others; and
  7. the conditions governing termination.

The deal offers several strategic advantages for Yahoo! These include finding a buyer of its information technology (though it’s only a license for 10 years, with pricing firm only for 5 years), avoiding further investment in such technology in the face of competition from Google and Microsoft, and retention of roughly 7/8ths of its existing cash flow from search engine and advertising services.

For Microsoft, it gets to focus its competition on Google and gains some revenue (12%) for its Internet search operations. Microsoft saves about $35 billion in the deal.

The regulatory review process will include U.S. antitrust and European Union competition law. Regulatory approval is far from certain. Furthermore, while such regulatory review is pending, customers may conclude that Yahoo! has effectively moved away from its core business and might migrate to Microsoft or Google in any event. Indeed, regulatory review in IT and Internet businesses has proven to be slow, sometimes so slow as to nullify the business opportunity and too slow to reflect rapid changes (which regulators find difficult to identify or define) in the markets. All this may explain why Yahoo! shares tumbled 15% on the announcement.

Lessons for outsourcing service providers:
  • If you want to make an acquisition, try offering a licensing and co-branding structure that resembles an outsourcing. This could be cheaper than bank financing for a full-blown acquisition.
  • Your competitors may make great outsourcing customers.

Tuesday, July 14, 2009

Humor Spotlight of the Month

Business Process Transformation, n. (1) "Erector Set" for Business; (2) Extreme Makeover, Corporate Edition; (3) instant transformation, as in prestidigitation and legerdemain, (4) a spell taught at Hogwarts School of Magic and Wizardry.

Business Process Management for the Service-Driven Organization: Role of Policies and Procedures Manuals for Governance in Sourcing and Outsourcing

In any business process, the governance and management of operations depends on following policies and procedures. This chapter addresses the use of policies and procedures manuals for service management and business process transformation (“BPT”).

Service Management. For repetitive processes, having a script and flow chart of operations serves to train personnel, enable supervisors to determine conformity of actual services to the intended procedures and ensure delivery of any committed service levels (“service level agreements”, or “SLA’s”).

Service Catalog. Most organizations today are an amalgamation of multiple services in support of a common business goal under a common brand. To customers, the organization offers different services. Business process management (“BPM”) defines the service suite into a catalog of services. Effective BPM can enable more effective quality management and compliance with standards.

Business Processes as Trade Secrets. Development and updating of policies and procedures manuals involves the enterprise’s core, its trade secrets. By definition, a trade secret is information or a process used in a business that gives it competitive advantage since it is not widely known. Policy manuals need to be protected from security breaches. Individuals having access to trade secrets need to be contractually restricted, and appropriate physical and logical security measures should be applied.

Intellectual Property and Ownership of the Process. Processes are subject to intellectual property rights. The process itself may be subject to patent or trade secret. The manual will be subject to copyright. The labeling of the process, the goods or the services to customers may be subject to trademarks and trade names. Publicity, human resource “poaching” and competitive activities that relate to business processes may be subject to unfair competition. Covenants not to compete, not to solicit employees and not to use or disclose confidential information may apply too.

Shareholder Value from Portability and Fungibility. Defined business processes are portable and can be performed interchangeably by any trained person. For the enterprise, this creates an opportunity to use service level management for achieving cost management and price transparency. Depending on the costs of training, real estate costs and the value added (such as ROI and ROE), shareholder value can be maximized by retaining the high-value processes and outsourcing the rest. “Value” needs to be adjusted to risk, since some key processes (such as marketing vision, business strategy, the design and structuring of new goods and services, prototyping and similar “right-brain” thinking) cannot be effectively outsourced.

Budgeting. Such written procedures help run operations for budgeting because they implicitly define the time and other resources required to perform a task. Budgeting can also be used for chargebacks to the client organization’s affected departments to more accurately reflect fully distributed costs and net profits. Net profit calculations for a department may be used for incentive compensation to managers and affected personnel.

The “Change Control” Process. Designing and maintaining manuals for policies and procedures imposes a bureaucratic overhead. If procedures change often, there will be additional training, management intervention and administrative updating of the manuals.

Contracting for External Services. Outsourcing contracts should address the legal issues relating to development, maintenance, use, ownership and changes in business processes and related procedures manuals. Vendors should be selected based on their ability to work within applicable business processes, to assist in improving those processes and in ensuring compliance with applicable legal, security, risk management, governance, corporate social responsibility and codes of conduct, import/export and other operational policies.

Risk Management. Process management has a critical impact on the continuity of one’s business processes. External service providers should have their own internal processes and procedures for business continuity that integrate and support the enterprise customer’s operations. Special attention should be given to procedures in case of a security breach, a force majeure event, and a breach of any statutory or regulatory compliance obligation or other business interruption.

Getting Started. There are several good software tools in the marketplace that allow an organization to design and manage its business processes. Some tools combine process design with governance, compliance and risk management. Business process management is an essential tool for the growing service organization. Supply chain management starts with good policies and procedures.


Friday, April 17, 2009

Social Networking and Cybersquatting in Outsourcing: Legal Conflicts where BPO Meets SaaS

Social networking on the Internet depends on that part of information technology that is called “software as a service” (“SaaS”). SaaS offers a form of outsourced infrastructure for relationship management. SaaS works for virtually any business process delivered as a service.

Social media offer efficient marketing tools for new ventures and transforming long-existing businesses. Social networking media enable professionals to identify, target and interact directly with qualified business prospects, using tags such as geography, interest category, company or any other affinity class. Social networking allows online interactions between individuals and sharing of ideas, photos, audio, video and aspirations. Marketers love social media as a vehicle for (i) efficiently opening new conversations, (ii) inviting engagement by asking for “status updates,” (iii) developing brand goodwill, (iv) creating personal trademarks for self-appointed gurus leading new discussion groups and (v) serving highly targeted and affordable advertising. Social networking marketing can even be outsourced.

Beyond Facebook, MySpace and LinkedIn, social networking has morphed into private-label social networks that depend on memorable URL’s. Since social networking and other delivery of outsourced services by a SaaS Internet host requires a URL (uniform resource locator), any new SaaS services face potential legal conflicts of intellectual property rights in the trademarks and goodwill of the URL’s. This phenomenon underscores the need for prudent intellectual property practices in outsourcing, particularly in the commercial use of social networking.

For more, see my suggestions on how to avoid legal entanglements in social media and other SaaS applications.

Friday, February 27, 2009

Obama's Policy on Outsourcing and Offshoring: "Exporting America" by Taxing U.S. Energy Consumption and Foreign Revenues of U.S. Multinationals

President Barack Obama told Congress on television February 24, 2009, that he wanted to focus on energy, education and healthcare. He wants to eliminate the tax breaks for companies that send jobs offshore and avoid protectionism. Sadly, his proposal is full of economic stimuli for increased local costs of doing business in the U.S. and abroad. It’s a stimulus package for outsourcing and offshoring. It makes Lou Dobbs’ book “Exporting America” look tame.

Taxing U.S. Service Providers through Greenhouse Gas “Climate Revenue.” President Obama's $3.6 trillion budget proposal, published on February 26, 2009, would create a tax on U.S. energy producers that pollute using greenhouse gases (GHG’s) and high carbon footprints.

Such energy producers would be taxed billion under a “cap and trade” program to generate “climate revenues” from “auctioning emission allowances that are reserved for clean energy technology initiatives.” [Table S-2, page 115.] The tax (which the budget proposal calls "receipts" or "offsets to outlays") would be in the form of a market for GHG-reducing activities such as pollution-free energy production or preservation of forests, etc., under the 1997 Kyoto Protocol that the U.S. signed but never ratified. Obama's anticipated "climate revenues" amount would grow from $78.7 billion in 2012 to $237 billion in 2014 and $646 billion into 2019.

Unilateral Approach: Emissions Trading without Kyoto Protocol Commitments. The Kyoto Protocol has a reported 170+ countries as Kyoto Protocol members. According to the UN, these include Brazil, Russia, India and China, but no mandatory emission level controls apply to China or India, which reportedly refused to ratify the protocol. The Kyoto Protocol contemplates the use of three mechanisms for environmental protection: Emissions Trading, the Clean Development Mechanism (CDM) and Joint Implementation (JI). A diplomatic balance would require some quid pro quo from American trading partners that might be "free riders." President Obama's omission of any commitments to the Kyoto Protocol shows his unilateral approach to climate control and environmental protection. A diplomatic initiative and ratification might make sense so that environmental benefits are linked to free trade. A better legal framework would involve universal adoption of these policies through a treaty or convention. Without reciprocity mandated by a widely applicable international agreement like the WTO trade agreements, the United States would be giving an increasingly large cost advantage to foreign service providers for the outsourcing and offshoring of business processes that are based on consumption of energy.

Tax Pass-Along to Consumers and Business Customers. Economically, the U.S. energy wasters will pass through the costs of paying for their sins by increasing local energy costs to local employers who run local work places in the United States. In turn, local employers will pass the costs along to customers. Business customers (whether foreign or local) will seek to avoid the tax by hiring foreign service providers who won’t pass any “climate revenue” tax to the users. The “cap and trade” auction thus constitutes an indirect tax on U.S. businesses that hire and house a lot of personnel. Home-based teleworkers would bear the tax too.

Impacted Businesses. This increase in business operating costs will hit U.S.-based data centers, server farms, call centers, help desks, web developers, application programmers, market researchers, stock market analysts, reviewers of legal documents in litigation, engineers and other knowledge professionals. In short, the "climate revenue" "receipts" will hit all U.S. employers, big and small.

"Climate Revenues" Not Dedicated to Environmental Improvement: Wealth Redistribution Takes Precedence over "Investment" in Climate Protecting Infrastructures. The uses of the auction proceeds are not dedicated to environmental improvement. This follows the approach of Social Security (where taxes flow into the government's general account) and disregards a dedicated account (such as the Federal Highway Trust Funds, adopted in 1956, to require that federal gasoline taxes pay only for improvements in interstate transportation).

Income Reallocation through Carbon Credits. Since it will be used to pay a flat $15 billion a year for “climate policy - clean energy technologies” and $63.4 billion (to $68 billion in 2019) for tax subsidies for workers (many of whom do not pay taxes) through a “Make Work Pay” program, the new “climate revenues” would create entrenched constituencies to receive a redistribution of wealth. The “climate revenues” are not dedicated 100% to converting to more energy efficiency.

Taxation on Offshore Income of Foreign Operations of U.S. Companies. The budget attacks “loopholes” that have existed for decades and are already subject to tightened “controlled foreign corporation” rules for “deemed dividends” under “Subpart F” of the Internal Revenue Code, 26 U.S.C. §951 et seq. Forcing repatriation of foreign profits of foreign subsidiaries will put American corporations at a tax disadvantage compared to foreign manufacturers and foreign service providers.

Winners. Who wins? Offshore-incorporated manufacturers and service providers. India, Inc.; China, Inc. Latin America. TCS, Infosys, Wipro, WNS, Accenture (a Bermuda company), Toyota, Nissan.

Losers. Who loses? Domestic American corporations that have foreign subsidiaries producing local revenues from locally delivered services. U.S. manufacturers that use a large amount of energy in production, including steel makers, automobile manufacturers. Cognizant, EXLService, IBM, Hewlett-Packard, Affiliated Computer Services, Computer Sciences Corporation, General Motors, Ford, Chrysler, UAW, International Brotherhood of Teamsters.

Thursday, February 19, 2009

Stimulus Bill and Electronic Health Records: Privacy, Regulation and the Coming Liability Feast

As a $787 billion “economic stimulus law,” the American Recovery and Reinvestment Act of 2009 ("ARRA"), signed by President Obama on February 17, 2009, launched new federal mandates on health information technology ("HIT") and privacy of personally identifiable information (“PII”), both on “ordinary” identity theft and on specially protected health information under HIPAA. It inaugurates a $200 million Health IT czar (our official “HIT Man”) to define and manage standards for electronic health records (“EHR”). Is HIT going to be a real “hit”?

Optimism. The federalization of security and encryption norms for PII and EHR promises a new wave of governmentally sponsored IT contracts with private contractors, advisors and medical records managers. It will re-shape the outsourcing and software provider relationships with healthcare customers. Optimistically, the resulting e-health records will enable a new national system for better healthcare outcomes, more global coverage, less disparity in treatment, fewer medical errors, better accounting, better security, more valid data on “ordinary and customary” treatments, and other benefits of a centralized data base for monitoring and improving the efficacy of medical treatments. The law sets ambitious goals. We will post a one-page flow chart showing the roles and mission statement for the new health care “National Coordinator” for Health Information Technology and related government officials on and http://www.biercekenerson.com.

Risks of New Regulation. Pessimistically, the promise of e-medical records is elusive. It opens new risks for all stakeholders.

Cost Management. Spending money to set and enforce federal standards in a short time could be wasteful. Such massive programs have failed in the past, in the cases of the IT systems for the U.S. IRS, the U.S. Navy and the U.K. socialized medicine system.

Regulation vs. Innovation. As a general principle, regulation of standards stifles innovation. Such regulation deprives the marketplace of the competition that involves winners and losers in innovation and service quality. The political jockeying for having one’s proprietary software system adopted as a “certified” standard could be a race to the bottom. A standardized e-health record could simply result in a workable, “lowest common denominator” format. Imagine using Microsoft Excel for HIPAA-based accounting! So expectations about quality need to be low.

Limited Scope. Happily, the ARRA economic stimulus law does not go so far as to allow the government to dictate guidelines for clinical treatment or decisions on national insurance coverage. This could be a first step towards that long-term goal.

What You Need to Know. The stimulus law will impact every employer, consumer, medical service provider, patient, insurance carrier, and, indeed, buyer or seller of IT-enabled business process services.

New Privacy Rules.
Under the EHR provisions, the privacy and security rules of HIPAA will no longer be enough for medical records management. Under the PII rules, anyone processing PII will have to report to authorities on any breach if that breach impacts more than 500 individuals in a single “jurisdiction.” Sadly, legislated privacy mandates are not easy to comply with, as witnessed by a report on February 18, 2009, in USA Today that cyber-attacks on U.S. government computer networks have doubled in 2008 compared to 2006, based on a report by the U.S. Computer Emergency Readiness Team (“US-CERT”).

Liability Exposure. It’s time for everyone to go back to civics class and learn what a “jurisdiction” is and how it will define breach notification rules. Further, the liability rules will be strict, though the ARRA economic stimulus law does not give individuals a right to sue. This may be scant encouragement to victims of hacking, since the private rights of action under common law and local statutes are not preempted.

Privacy At Risk. Quis custodiet ipsos custodes? Who can save us from data privacy and security breaches when the Government can’t? Maybe we all agree to less anonymity of Internet communications as a small price to pay for allowing unknowns to conduct cyber-attacks and gain unauthorized access to PII and medical records.

Litigation Opportunities.
Underemployed litigators, take heart. There is stimulus enough for you too. The stimulus law offers an extraordinary litigation opportunity, a liability feast, if you can prove negligence in recordkeeping of personal data or e-medical records. (Of course, you might have to overcome the defense that a company complied with the HIT standards but that the standards were not strong enough.)

Custodians of E-Medical Records.
For healthcare providers, health plans, third-party administrators, employers and service providers alike, it’s time to redefine your security procedures, review your insurance coverage and review your contract risk allocations. For more, see our February 2009 newsletter.

Saturday, January 24, 2009

TARP Relief Law Might Discriminate against Offshore Call Centers and Customer Support

“The change we need.” That was the campaign slogan of Barack Obama in 2008. It's time to explore what change is really needed.

TARP. After his Presidential inauguration on January 20, 2009, an early item on the Democratic Party’s legislative agenda is to change the way in which the U.S. Government monitors and controls the $700 billion in TARP funds used to recapitalize banks and other “assisted institutions” (such as broker-dealers converted into banks) under the TARP relief program. H.R. 384, “An Act to reform the Troubled Assets Relief Program of the Secretary of the Treasury and ensure accountability under such Program,” 111th Cong., 1st Sess., H. Rep. 111-3. While not directed against offshore outsourcing, the new “accountability” legislation could adversely affect offshore outsourcing and violate U.S. obligations on multilateral free trade under the WTO.

A Tool for Bashing Offshore BPO. On Day 1 after the inauguration, now comes Rep. Sue Wilkins Myrick (Republican, North Carolina) with an anti-outsourcing amendment from the floor. Her Amendment no. 8 to the TARP reform act would prohibit any “assisted institution that became an assisted institution on or after October 3, 2008,” from entering into “a new agreement, or expand a current agreement, with any foreign company for provision of customer service functions, including call-center services, while any of such assistance is outstanding.” Fed. Reg., Jan. 21, 2009, page H407. That’s right, if it receives U.S. capital contribution as shareholder or lender, it can’t expand its use of a “foreign company” (including a captive) as provider of call center or “customer service functions.” The scope of such a prohibition could capture a large portion of the BPO global services industry.

Rep. Myrick argued this protectionism is justified by a high local unemployment rate and the principle that U.S. taxes should not fund foreign jobs.

Parliamentary Circumvention of WTO? Parliamentary rules of courtesy invite speakers in opposition to such floor amendments. Well, Rep. Barney Frank (D, Massachusetts) rose in opposition, nominally, saying he supported the amendment but explained that it could result in a breach of WTO obligations. Rep. Frank hit the nail on the head:

But I do want to point out a difficulty that Members of this House should contemplate. We run the risk here that this may violate our obligations under the World Trade Organization. As someone who voted against joining, and I say that without any embarrassment, I would say to Members who will be joining, I believe, virtually every Member of this House in supporting the gentlewoman's amendment that perhaps it should lead them to rethink to having so enthusiastically subscribed to the WTO agreement without some changes. It certainly seems to us that while we do know the government is directly involved, spending its own money, you can have a requirement for domesticity. It is unclear what the interpretation will be here. The interpretation will not be purely an American one. It will be in the dispute resolution procedures of the WTO.

So as we go forward in this Congress and we are told about the advantages of a multilateral approach to trade, and I agree that, properly done, that is very advantageous, I hope Members who more enthusiastically than I embraced this principle will stop to think about it.

Some of us who were worried about the job impact of international economic relations have been derided as the reincarnation of Smoot and Hawley. Well, I guess Smoot and Hawley would have been with us on this one because it says companies who do business in America cannot go overseas for hiring. …

But the fact that we have the hook in the TARP doesn't change what the economics would be. So I welcome what I think is a renewed recognition for some and a belated recognition for others that a regime in which none of these considerations of local employment can be considered is not necessarily in our best interest. [Emphasis added.] Fed. Reg., Jan. 21, 2009, page H408.

Impact on Global Services Business. Providers and users of global services should monitor the legislative process to ensure the U.S. does not revert to the high-tariff exclusionary trade practices of the Smoot-Hawley tariff act of 1930 that spawned the Great Depression.

- The anti-call center TARP amendment passed by voice vote. No one called anyone else to stand and be counted in support of a law that violates U.S. international obligations.

- Those voting for the anti-call center TARP amendment were warned about such a violation, and disregarded the warning.

- This issue will reappear and may disappear when the House and Senate adopt similar bills and meet behind closed doors in conference to adopt a single bill that each can then approve for transmittal to the President for signature.

- Maybe if the government were exercising rights as a shareholder in a TARP “assisted institution” such restrictions might be valid under WTO rules.

- This debate about TARP and offshore call centers and customer service functions is only a side show to new U.S. legislation on outsourced manufacturing and international trade regulation. Cong. Charles Rangel (Dem., New York) introduced H.R. 496 on January 14, 2009, a bill “To amend United States trade laws to eliminate foreign barriers to exports of United States goods and services, to restore rights under trade remedy laws, to strengthen enforcement of United States intellectual property rights and health and safety laws at United States borders, and for other purposes.”

- This is also a side show to President Obama’s projected $850 billion stimulus package. If the terms of financial assistance will include banning new work for offshore call centers and offshore customer service functions, the U.S. can expect no mercy by foreign governments in retaliation against U.S. services.

Impact on U.S. Business and Workers. American businesses and even workers should consider the possibility of foreign retaliation. If the terms of U.S. governmental financial assistance will include banning new work for offshore call centers and offshore customer service functions, the U.S. can expect no mercy by foreign governments in retaliation against U.S. services. That could be another Smoot-Hawley wall-building exercise.

Valid Alternatives. There might be alternatives that do not violate the WTO rules. Consider (i) amending the terms of American accession to the WTO agreement, involving restructuring the global economic system, or (ii) adoption of special shareholder rights giving the government some rights in management, or (iii) identifying a justification under WTO rules for taking such action. But legislation like this TARP encrustation could raise concerns globally about the willingness of the U.S. to enter into the hard dialogues that need to be addressed to deal with these political issues consistent with existing U.S. multilateral obligations. Incidentally, the U.S. Trade Representative, who represents the President, is authorized to negotiate international trade agreements, not Congress. Of course, Congress approves trade agreements, so maybe this is just an opening invitation by Congress to have the USTR start some negotiations.
For info on U.S. obligations under WTO, see the General Agreement on Trade in Services and Government Procurement Code of the World Trade Organization.

Friday, January 23, 2009

“NABOPIA” against Identity Theft: “Notifying Americans before Outsourcing Personal Information Act”

Worried about foreign governmental rules that might discriminate against American-sourced IT services? You should be.

Here’s a cute draft U.S. law that would require discrimination against foreign service providers processing personally identifiable information regarding American citizens. H.R. 427, 111th Cong., 1st Sess., introduced by Rep. Ted Poe (R., Tex.) would prohibit any “business” (defined as a financial institution collecting personally identifiable information) from transferring “personally identifiable information regarding a citizen of the United States to any foreign affiliate or subcontractor located in another country without providing that citizen written notice that such information may be transferred to such foreign affiliate or subcontractor.”

It gets better. The proposal would create a private right of action “to obtain damages, including compensatory and punitive; to obtain injunctive relief; and to obtain any other compensation, … in State court.”

The “NABOPIA” bill would nab all financial transactions. U.S. financial institutions would be liable for a reporting error (NABOPIA) rather than for actually transferring data across borders. Sort of like nabbing Al Capone on tax evasion rather than other crimes. Never mind that Canada, Switzerland and the European Union don’t discriminate against IT service providers based on the location of the service delivery center. Never mind that such discrimination violates the WTO Agreement on Trade in Services.

NABOPIA – sounds like UTOPIA.

Thursday, January 8, 2009

Outsourcing Law for Restoring Trust in the Global Services and Outsourcing after the Raju / Satyam Financial Fraud

What should an enterprise customer do to protect itself from a grand financial fraud by senior manager(s) of a globally respected IT or BPO outsourcing company?

This astounding question arises from the reported confession on January 7, 2009, by B Ramalinga Raju, founder and CEO of Satyam Computer Services, India’s fourth largest IT and outsourcing firm. Raju reportedly confessed to an abuse of trust involving understating assets and income and overstating liabilities, about a month after he made a failed proposal to engage in quasi-insider trading by using Satyam to acquire some real estate companies owned by his sons. The shockwaves from the confession sent the Mumbai stock market down 7.2% in a day on January 8, 2008.

The Raju / Satyam Shock Wave.
More likely, further shock waves will usher in a new era of global regulation covering securities issued by ITO and BPO service providers, auditing standards, conflicts of interest and thoughtful contractual precautions in outsourcing contracts for global services. I will call it the Raju / Satyam Shock Wave. The Raju / Satyam Shock Wave will forever change the landscape for supply chain management, the global services industry and outsourcing contracts. We can expect globalization of new regulations, procedures, contractual provisions and software for corporate governance, risk management and compliance (“GRC”).

Restoring Confidence. Like auditors, consultants and advisors, lawyers play a role in creating a legal framework of trust, transparency and accountability in the global services economy. Any such abuse of trust refocuses attention on tools for escaping from similar abuses in the future. So, what does the global services community need to do to restore confidence?

There are the inescapable lessons that came after the massive Enron fraud in the early 2000s, in which a few individuals inside the company and in the auditing firm were responsible for the collapse of both the company and the auditing firm and the loss of value by investors, employees, retirees and suppliers. In the U.S., the lessons learned were encapsulated and promulgated in the massive Sarbanes-Oxley Act of 2002.

A New Discipline.
In its visceral response, Nasscom hit the nail on the head: it’s time to install more discipline into corporate governance of BPO service providers in India. This begs the question: why not a more global, holistic approach to governance, risk and compliance? Many other questions arise too.

What Losses Have Been Suffered?
If Satyam’s reputation is damaged, what loss has Satyam’s clientele suffered? Is such loss compensable? What other rights do the clients have? This line of inquiry suggests a number of possible solutions.

New Contractual Clauses. Outsourcing contracts contain several standard clauses designed to protect against financial frauds by service providers.

New Audit Rights.
These contracts generally involve technical and operational audits, but not broad financial audits, of the service provider. Enterprise customers of BPO services generally rely upon the service provider’s corporate auditors to ensure the financial statements are not fraudulent.

Rights of Customers against Auditors. This is not new. Already, the Institute of Chartered Accountants of India (“ICAI”) reportedly filed a show-cause notice under its internal rules demanding that PricewaterhouseCoopers, Satyam’s auditors, face discipline. What rights do customers have against auditors?

New Representations and Warranties. Purchasers of goods and services from foreign suppliers generally do not ask for representations or warranties that the financial statements of the supplier are true, accurate and complete in all material respects. But major investors, banks and other lenders ask for such assurances. Should enterprise customers ask for such assurances? How can suppliers deal with these concerns? What should be the remedies for a breach? Termination rights? Partial termination? Change in pricing? Damages? Injunctive relief? Release from non-hire and non-solicitation covenants? It will be some time before new “best practices” are adopted to rebalance the risks of a huge financial fraud.

Choice of Applicable Law. Must the foreign service provider meet the local laws of the service recipient’s country? Or should there be differences, just like wage differences for “wage arbitrage,” where service recipients can shop based on “legal system arbitrage”?

New Termination Rights.
What rights can an enterprise customer legitimately ask for to protect against the risk a global services provider will implode? Implosions can come from disasters, unsustainable business operations, lack of redundancy, securities fraud and violations of applicable law by the CEO or by the enterprise. Termination rights might now include clauses taken from other industries, such as Hollywood (and maybe now Bollywood):

- “Morals” Clause. This clause allows termination of a contract if the “star” is caught up in scandal. It’s only a question of definition, and who decides when a scandal has occurred.
- A Special “Raju / Satyam” Clause. I’d like to know if anyone thinks a special clause is needed to protect against future frauds.
- Cross-Defaults. Bankers, famous for lending you an umbrella on a sunny day, understand implosion. They use cross-default clauses. Of course, such clauses are self-fulfilling prophecies, since any single default could trigger bankruptcy, hurting all customers.
- Code of Conduct. A breach of a code of conduct could be an omnibus termination right. But most Codes of Conduct are vague, and might be so vague as to be ineffectual against some frauds.

New Internal Controls. Happily, “governance, risk and compliance” software is now available from ERP vendors. Oracle touts its suite as complete, integrated business intelligence and analytics for GRC. Enterprise customers will now want to know more about those internal controls at their service providers.

New Auditing Principles.
India’s auditors will face the same music that American auditors did after the Enron debacle. Any conflicts of interest between giving consulting advice and auditing should be shut down.

New Corporate Governance Rules.
India’s securities laws for the protection of investors are nowhere near as stringent and pervasive as the American securities laws. The Raju/Satyam debacle has already inspired Nasscom and others to call for a sea change in regulation of BPO service providers. New Sarbanes-Oxley-type regulations will likely follow those that were adopted in the United States following the Enron debacle. So we can expect globalization of regulation of BPO service providers:

- Separation of Roles of CEO and Chairman.
- Development of a culture of corporate compliance (as a factor in the rules for determining whether a criminal offense was aggravated and thus merits harsher punishment of white collar crime).
- Personal certification by CEO and CFO of quarterly financial statements.
- Internal reporting rules for “up the line” responsibility from each person in a managerial or financial role.
- Imposition of protections for whistleblowers, and designation of in-house attorneys as the whistleblower.

New National Legal Regimes. All this boils down to one conclusion. Legislators in countries promoting local outsourcing service providers need to play by new emerging global rules for restoring trust through corporate governance, risk management and compliance frameworks. In short, it’s also time to understand that differences in legal regimes constitute real economic risks. And harmonization of investor-protection laws can restore trust locally and globally.

New Headquarters.
Many Indian, Chinese, Russian and other outsourcing companies have incorporated in other jurisdictions to establish trust in their corporate governance regimes. The Raju / Satyam Shock Wave will tilt the selection process to favor such truly global companies who select predictable, “secure,” transparent and democratic legal regimes for their place of incorporation.

Developing New Strategies. These are issues for discussion with strategic lawyers who understand the outsourcing process, the role of outsourcing in corporate operations and risk management. Everyone in the sourcing industry should take advice on practical and legal solutions and strategies. It’s never too early to review your rights, remedies, roles and responsibilities or to develop new strategies in response.