This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.

Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, the abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices. Cybersecurity is perhaps one of the hottest topics being discussed in boardrooms today. The Cybersecurity Framework, anticipated legislation and a litany of high-profile data breaches have resulted in even more heightened scrutiny.

The landscape for corporate cybersecurity is rapidly changing, and outsourced services, including IT and business process services, all stand to be impacted. Corporate stakeholders, particularly in the legal, information security and information technology departments, should be keenly focused on the current cybersecurity climate and the state of cybersecurity across third-party outsourcing agreements.

A significant aspect of this heightened attention is not only how third-party outsourcing partners manage security as part of the service they deliver, but also the risk and cybersecurity exposure that these third-party relationships create for the organization itself. Attackers increasingly exploit weaknesses in third-party suppliers’ networks, and the access those suppliers hold, to reach data and assets of the target company. As a result, having the appropriate contractual and governance safeguards in place with your third-party suppliers is paramount.

Efforts to integrate and manage cybersecurity in outsourcing arrangements should start early. Detailed security assessments should be part of initial due diligence on selected suppliers, and internal cybersecurity stakeholders should take part in that diligence. It is important to understand the security processes and tools that proposed suppliers will use as part of the outsourced service, the supplier’s known vulnerabilities and its plans to remediate gaps during the term of the proposed agreement, and the plan for the supplier to integrate with existing corporate cybersecurity programs. Understanding how the supplier has responded to past incidents and improved its operations as a result is also crucial.

Contract documentation should include meaningful cybersecurity provisions on liability and indemnification for incidents, and should identify the security policies and procedures that the supplier will be expected to comply with during the term. Ideally, liability and indemnification provisions should be sized to the value of the data exposed to the third-party supplier, not simply derived from the contract value. Including adequate audit and risk assessment provisions, providing for regular risk assessments of the supplier’s operations and remediation plans (annual at a minimum), is also highly recommended.

It is important to remain mindful of proposed cybersecurity legislation – at both the federal and state levels – that may need to be accounted for in outsourcing agreements. Compliance professionals should continue to monitor the proposed landscape of legislative and regulatory changes.  Accounting for requirements in third-party agreements to accommodate new cybersecurity laws will be critical.

Finally, and perhaps most importantly, governance models that allow corporations to manage the security functions of individual suppliers as well as the full portfolio of suppliers in a holistic fashion will become increasingly important over the next year.  The ability to respond quickly to incidents but also make the appropriate strategic risk management decisions related to cybersecurity will be a defining characteristic of a strong corporate cybersecurity program.

Compliance managers and in-house counsel should remain keenly focused on cybersecurity during the next year when negotiating new agreements, amending existing contracts or participating in ongoing governance activities with current service providers. Proactively addressing cybersecurity risks by incorporating security considerations early in the contracting process and defining more appropriate services descriptions, service levels and interaction/governance frameworks can help limit cybersecurity exposures in the first place.


Mario Dottori is quoted in Stephanie Overby’s recent CIO.com article discussing 8 Tips to Deal With Liability When Outsourcing to Multiple IT Vendors.

“In theory, a multi-provider service delivery environment should not create additional complexities in terms of liability. The contracts — entered into separately between the customer and each supplier — should, if well constructed, clearly delineate the liabilities between the parties,” says Mario Dottori, leader of the global sourcing practice in Pillsbury’s Washington, D.C. office.

One tip offered is to create operation level agreements: “OLAs state how particular parties involved in the process of delivering IT services will interact with each other in order to maintain performance, and can help all parties ‘see the forest for the trees,’ says Dottori. ‘These arrangements offer the opportunity for enhanced visibility of the service regime as a whole and help to reduce — or better arm the parties with solutions for — missed hand-offs and finger pointing.’ One caveat: Most providers will not agree to take on additional liability in OLAs. But such an agreement can be an effective preventative measure.”

For the full article and all 8 tips, please see Stephanie Overby’s article on CIO.com.


On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework”) and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”).
The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.

The Cybersecurity Framework marks an important step for U.S. cybersecurity policy after an Executive Order from the Obama Administration called for its creation in February 2013 (see Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, February 12, 2013). While use of the Cybersecurity Framework is voluntary, the Federal government has been actively exploring various measures to incentivize participation both universally and on a sector-by-sector basis (see http://m.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework; see also Incentives Study Analytic Report, Department of Homeland Security, June 12, 2013, available at https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-analytic-report-cybersecurity-incentives-study.pdf).
While the Framework is focused on the 16 sectors identified as critical infrastructure (chemical, commercial facilities, communications, critical manufacturing, dams, defense, emergency services, energy, financial services, food and agriculture, government facilities, health, information technology, nuclear, transportation, and water), companies outside those areas can use the Framework in their risk assessment and enterprise security planning.

What is the Cybersecurity Framework?
The Cybersecurity Framework is a risk management tool to assist companies with assessing the risk of cyber-attack, protecting against attack, and detecting intrusions as they occur. According to NIST, it complements, but does not replace, an organization’s existing risk management processes and cybersecurity program. It is organized into three parts – the Framework Core, the Framework Implementation Tiers, and the Framework Profile. The Framework was developed by leveraging existing cybersecurity standards, guidelines and practices. Organizations are encouraged to use it as a tool to continuously assess and improve (where appropriate) cybersecurity practices.

The Framework Core is comprised of five key functions: Identify, Protect, Detect, Respond, and Recover. These functions are intended to organize companies’ basic cybersecurity activities at the highest level and represent a lifecycle for managing cybersecurity across an organization. Each function is further broken down into categories and subcategories that highlight the more detailed processes and activities associated with managing cybersecurity. As set forth in the Cybersecurity Framework, examples of the categories under each function include:

Identify: Asset Management; Business Environment; Governance; and Risk Assessment
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; and Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; and Improvements
Recover: Recovery Planning; Improvements; and Communications

The Cybersecurity Framework also defines implementation “Tiers” that companies can use to characterize the rigor of their cybersecurity risk management practices across the various functions. NIST cautions that the Tiers are not intended as a maturity model, although they are commonly read as one in practice. The Tiers characterize an organization’s practices as Partial, Risk-Informed, Repeatable, or Adaptive. A Partial organization implements the Framework informally and occasionally, and is unlikely to have processes in place to make use of cybersecurity information from outside sources. Risk-Informed entities will have formal, risk-aware processes defined and implemented. An organization that has reached the Repeatable Tier will have validated processes that are responsive to larger enterprise requirements and needs. Finally, entities that are considered Adaptive will be able to anticipate challenges, adapt rapidly and manage risk in step with changes in threats and technology.

Under the Cybersecurity Framework, a Profile records how the organization aligns the Core’s functions, categories and subcategories with its business requirements, risk tolerance and resources. Comparing a Current Profile (the outcomes the organization achieves today) with a Target Profile (the outcomes it intends to achieve) exposes the gaps, and NIST encourages companies to use that comparison to develop prioritized action plans to improve cybersecurity.

Criticisms
The Cybersecurity Framework has been criticized as being overly broad and toothless. Some security professionals note that the Framework is not that different from the checklists that chief security officers already regularly implement. Most large organizations have already implemented a risk management process similar to the Cybersecurity Framework to manage their cybersecurity activities, so in practice medium and smaller sized organizations may benefit most significantly from this first version of the Cybersecurity Framework. However, additional sector-specific iterations are anticipated, and many government analysts note that the Cybersecurity Framework has the potential to become the de facto standard for managing cybersecurity risk.

What’s next for U.S. Cybersecurity Policy?
The companion Roadmap to the Cybersecurity Framework outlines several planned follow-on activities. In the near term, NIST will continue to oversee and coordinate the ongoing development of the Cybersecurity Framework, including by accepting informal comments on the recent release. Additionally, a workshop will be held in the next six months for stakeholders to share feedback on their use of the Cybersecurity Framework. Options for long-term governance, including identifying the appropriate responsible partner(s) for overseeing the Cybersecurity Framework, are also being solicited. Finally, the Roadmap identifies nine cybersecurity disciplines marked for further development and discussion: (i) authentication; (ii) automated indicator sharing; (iii) conformity assessment for cybersecurity; (iv) preparation of a skilled cybersecurity workforce; (v) use of data analytics in cybersecurity; (vi) Federal agency cybersecurity alignment; (vii) international coordination; (viii) supply chain risk management; and (ix) technical privacy standards.

How Can Your Organization Use the Cybersecurity Framework?
Regardless of whether your company falls within one of the defined critical infrastructure sectors, the Framework can be a valuable tool for cross-checking and testing your existing cybersecurity risk management programs. The Framework provides granularity that can be useful in each phase of your program.

Financial services businesses covered by the Gramm-Leach-Bliley Act have guidance in the form of the Standards for Safeguarding Customer Information (Safeguarding Rule) and the Interagency Guidance on Response Programs, which require implementation of an information security program that includes conducting an annual risk assessment, assessing the sufficiency of any safeguards in place to control the identified risks, training employees, reviewing information systems (network and software as well as processing, storage, transmission and disposal), detecting, preventing and responding to intrusions or system failures, and overseeing vendors and service providers.

Similarly, companies that are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) have fairly specific regulations governing security of protected health information.

Companies outside financial services and healthcare that comply with the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 Mass. Code Regs. § 17.00) will have implemented a written data security plan that meets the requirements of that regulation, including designating a responsible employee, conducting a risk assessment, implementing an employee security policy, enforcing the policies, addressing issues surrounding terminated employees, overseeing and requiring compliance by service providers, limiting the amount of information collected, limiting retention of data, data mapping, restricting access to records, monitoring performance, reviewing the program annually and implementing an incident response plan.

For each of these businesses, the Cybersecurity Framework addresses additional areas where threats may exist and additional specific steps that can be taken to better protect the business. While the Framework is not designed to replace an information security program, certain aspects of the Framework may trigger improvements in a company’s program that help meet the business’ strategic priorities: protecting assets and business viability against loss, achieving the appropriate level of security commensurate with the security and scope of the company’s data, protecting company systems and data against threats to the network structure and security, anticipating evolving threats to the company’s systems and meeting the company’s regulatory compliance obligations.


Background

In response to the financial crisis and recession in the United States that began in 2007, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (now commonly known as “Dodd-Frank”). Dodd-Frank created a vast array of new financial regulations, including the new and independent Bureau of Consumer Financial Protection designed to “regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws.”

Now known by its alphabet soup moniker, the CFPB has jurisdiction to enforce one of the simplest, yet most powerful, provisions in Dodd-Frank: “It shall be unlawful for any covered person or service provider to engage in any unfair, deceptive, or abusive act or practice.” These “unfair, deceptive, or abusive” acts or practices have become commonly known in the legal and financial industries as “UDAAPs.” The CFPB has not implemented formal rulemaking with respect to the prohibition on UDAAPs. Instead, it has made the conscious decision to largely implement its UDAAP rules via its enforcement actions and a series of guidance documents, including the “Supervision and Examination Manual,” which articulates CFPB’s expectations for how this law is to be enforced.

Much has been written about the impacts of Dodd-Frank, including the prohibition against UDAAPs. This blog, however, focuses solely on potential penalties to financial institutions based on the actions of their third party service providers. Because Dodd-Frank primarily holds the large financial institutions supervised by the CFPB responsible for service provider behavior, these institutions should be aware of and guard against the UDAAP trap.

Third Party Service Providers Can Create UDAAP Risk

Dodd-Frank defines “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” A service provider also includes a party that “participates in designing, operating, or maintaining” financial products as well as one that “processes transactions” relating to financial products. Such a broad definition could capture almost every type of third party service provider with whom a financial institution has a relationship.

While the CFPB has not been explicit about which third party services are subject to scrutiny, the agency has given some high-level guidance on the topic. For example on July 10, 2013, the CFPB issued a bulletin in which it focused almost exclusively on a financial institution’s debt collection practices. Based on this initial guidance, it appears that the CFPB is most concerned about those practices that directly interface with the institution’s individual customers. Financial institutions have similar direct interactions with their customers through other activities, such as telemarketing services, loyalty programs, and other services that involve a customer’s interaction with representatives in a customer service center. Many financial institutions outsource these functions, and such services would likely subject large financial institutions to similar CFPB scrutiny.

Early enforcement actions have confirmed this approach. For example, the CFPB – sometimes in conjunction with other federal and state regulators – has ordered several banks to pay millions of dollars in restitution to consumers, as well as civil monetary penalties to the government, for “deceptive” marketing practices related to add-on products for credit cards and installment loans. In several of these cases, regulators concluded that telemarketers hired by bank service providers deceptively marketed the cost and coverage of the add-ons. In another enforcement action, the CFPB found that a bank engaged in “unfair” billing practices for credit card add-on products by charging consumers for credit-monitoring services they did not receive. Additionally, the CFPB obtained a judgment against a non-bank debt relief company for its alleged “abusive” practice of collecting advance fees from consumers who the company knew could not afford to complete the debt relief program.

Because UDAAP enforcement is in a nascent stage, financial institutions should consider how other third party relationships may trigger UDAAP concerns. For example, if a provider servicing a bank’s mortgage portfolios makes systemic errors that cause “substantial injury” to a group of the bank’s consumers, it might trigger UDAAP violations, particularly if the bank failed to properly monitor those services. The same could be said for (i) payment card processors that handle customer credit card transactions; (ii) online bill pay service providers that handle bill payments, late fees, and credit reporting; (iii) ATM service providers that process retail banking transactions that are required to post in a timely manner; or (iv) remote deposit capture service providers that manage check scanning and posting.

One type of service, however, that is unlikely to directly impact the interaction between a financial institution and its customers is the provision of back-end IT functions. Examples could include traditional IT managed services, application development and maintenance services, system implementation services, and other back office support services.

Again, the CFPB has not expressly outlined the type of third party services that may subject a financial institution to the highest scrutiny, so each financial institution should carefully review and consider each third party service relationship on a case-by-case basis.

Mitigating the UDAAP Risk

Best practices dictate that each financial institution have in place robust policies and procedures to prevent the occurrence of UDAAP violations within its enterprise. Once such policies and procedures are in place, institutions should also train their employees to ensure maximum compliance.

Because its own policies and procedures are within its control, a financial institution can ensure a certain level of UDAAP compliance, but the behavior of its service providers can be a wild card. In Part 2, we will look at various approaches to how financial institutions can leverage their third party contracts to mitigate their own UDAAP risk. We will also take a substantive look at some of the key terms that should be considered when negotiating such contracts with third party service providers.


“How does a large software project get to be one year late?  One day at a time!”  

-Fred Brooks, former IBM employee and OS/360 developer

2013 was not a stellar year for public sector outsourcing. As we reported in an earlier blog article, Indiana is appealing a judgment in an ongoing court battle with IBM over a troubled welfare claims processing project. Agencies in Pennsylvania, Massachusetts and Australia also hit the news.

To be sure, implementing any large IT project is difficult and risky.  Publicity and politics further complicate contracting in the public sector.  And, as IBM quickly pointed out in response to Pennsylvania’s announcement, “there is accountability on both sides for system performance and service delivery.”  In other words, it takes two to mess up this badly.

In spite of these challenges, there are many successful public sector IT programs that benefit the government and their constituents as well as the service provider.  As we explained in an earlier report, outsourcing can help state and local governments reduce costs, improve services, and free up funds otherwise locked in IT assets.  Successful programs are reported on as frequently as are safe on-time flight arrivals.

As the following examples show, public sector IT projects face unique challenges.  If unmitigated, these projects can prove disastrous to the government and taxpayers.

Pennsylvania Unemployment Claims Processing Program

On July 31, 2013 Pennsylvania decided not to renew its contract with IBM to modernize the state’s unemployment compensation computer system, a project 42 months behind schedule and 56% over budget. A report by Carnegie Mellon’s Software Engineering Institute concluded that even after spending nearly $170 million there “is no high confidence estimate for when the [system] will demonstrate the level of performance necessary.” For the immediate term Pennsylvania will revert back to an extremely inefficient, yet functional, 40-year old unemployment compensation processing system.

Queensland Health Payroll Project

The State of Queensland, Australia released a scathing report in July 2013 detailing a multitude of failures that afflicted IBM’s program to replace Queensland Health’s payroll system.  This project has even been called “one of the worst IT projects ever.”  When the under-tested system was put in place in 2010, 80,000 staff went unpaid, or received the wrong amount.  In response, Queensland’s Premier Campbell Newman issued a broad ban preventing IBM from entering into any new contracts with the State “until it improves its governance and contracting practices,” and declared that IBM “took the State of Queensland for a ride.”  The ride, quoted at A$6.19 million, will reportedly cost the State A$1.2 billion, almost 200 times the original budget.

Massachusetts Unemployment and Revenue Programs

Last fall the Commonwealth of Massachusetts held a hearing to examine Deloitte’s handling of projects for the Department of Unemployment Assistance and the Department of Revenue.  The unemployment benefits system was delivered two years late and, at a total cost of $52 million, ran 13% over budget.  The resulting software was reportedly unusable.  Earlier in 2013, Massachusetts cancelled a separate Department of Revenue project with Deloitte, a project on which the Commonwealth had already spent $114 million, because a test run of the software revealed no fewer than 1,000 glitches. These examples from Massachusetts represent just a few of numerous disputes Deloitte is facing with public sector customers.

How can public agencies avoid these failures? Here are some features of successful projects that all agencies should keep in mind:

· Devote sufficient resources and care to the procurement process.  Successful projects focus intently on identifying and clarifying the functional, technical and business requirements for the solution, and building the procurement process around those requirements.  The Queensland report found that the original system scope “was seriously deficient and remained highly unstable for the duration of the Project.”  Similarly, Carnegie Mellon’s Pennsylvania report pointed out major weakness in the procurement process, including “unprioritized and often ambiguous requirements.”  Lacking sufficient experience, many government agencies fail to fully comprehend what “it’s really going to take to get a project done right” until halfway through contract completion.  Devoting sufficient resources and attention to scope and requirements definition, and leveraging the experience of outside advisors early in the process can prevent costly disasters down the road.

· Leverage best practices of the commercial sector.  State and local governments are subject to unique requirements (e.g., strict competitive procurement procedures) and budget limitations, yet many of the lessons from the commercial world still apply.  Examples from the private sector and outside advisors can help bring cutting edge best practices to public sector projects.  The schedule and budget for the projects in Pennsylvania and Queensland were allowed to escalate without apparent governance controls.  Consider employing a governance and incentive structure that will monitor and respond to delays and cost overruns sooner rather than later.

· Prepare for significant internal and external changes.  Unforeseen changes can quickly derail a project.  Specific events, such as an economic crisis and the resulting increase in unemployment claims, may be unforeseeable.  But by ensuring that the contract accounts for change, such events need not defeat the intent of the parties.  The agreement should include a method to incorporate change into the contract that requires the service provider to meet its obligations through the change, and a mechanism that allows for redirection and/or expansion of the scope as necessary.

· Negotiate contractual provisions that allow for termination if necessary.  Ensure that the contract can be terminated for cause in response to a range of performance failures.  Termination rights provide a means of exit.  Perhaps just as importantly, the threat of termination gives a customer additional contract renegotiation and/or enforcement leverage.  For more information on how a state or local government can protect against poor performance through explicit performance based termination rights, a meaningful service level credit mechanism, and a right of election, see our earlier article on Indiana vs. IBM.

· Seek protection from high turnover within the service provider’s workforce.  The Carnegie Mellon report on Pennsylvania’s failed project concluded that high turnover in IBM’s workforce created instability and knowledge gaps at critical stages in the process.  Consider negotiating provisions that prevent the unauthorized removal from the project of certain key personnel, and including a requirement that a certain percentage of overall personnel within a given timeframe must remain on the account.

· Devote sufficient internal resources to governance, management, and performance of retained functions.  According to the Carnegie Mellon report, insufficient management by the state meant that no one “was accountable and responsible for the administration of the program.”  It is critical to remember that not all costs and responsibilities can or should be delegated to the service provider.  The program will only be successful if the customer devotes sufficient resources to governing the project, and performing any retained functions on which service provider’s performance depends.  The customer should be prepared to have (and budget for) a retained organization to oversee the relationship.  Towards this end, the customer and the service provider should each assign an executive-level primary representative to manage the relationship, efficiently address disputes, and generally serve as the principal point of contact for all matters pertaining to the Agreement.


Labor arbitrage has long been a feature of ITOs. With offshore-to-onshore staffing ratios in the 65:35 to 75:25 range, suppliers have long used arbitrage to deliver significantly lower pricing. IT organizations have made many a CFO happy by recommending deals featuring 20%+ savings, especially when done under the pressure of corporate “blood” drives to cut costs. Inescapably, however, corporate “blood” drives are a lot like the girl scout cookie sales season: just when you think you have gotten everyone happy, here comes the next guy trying to boost his kid’s financial performance.

Unfortunately, our one-trick pony is also a one-time pony, especially in deals where offshore-to-onshore ratios have already been maximized. When the CFO next comes calling, our pony is fresh out of tricks; there is no more arbitrage to be had, at least not from the same delivery market. What is next? Shall we pack our bags in Bangalore and head off to a Chinese Model City, or perhaps see what kind of benefit stream enrichment can be had in Ghana or Mauritius? Most buyers, we suspect, will not find this an appealing prospect when viewed through an operating risk management lens.

Maybe it is time for a change in approach. Instead of continuing to try to derive benefit from pushing on the P (price) lever, maybe some answer can be found by putting pressure on the Q (quantity) factor in the equation. Rather than buying cheaper labor, how about we find a way to use less labor. One way to reduce labor demand is to gain leverage through standardization (à la Google and Amazon), but heterogeneous installed bases, which reflect most of our clients’ environments, are notoriously resistant to standardization efforts. Good idea, best practice even, just not responsive to the CFO’s demand for results sooner rather than later. So then why not turn to the reason why we have computers in the first place: to do things faster and cheaper than people can do them. How about the shoemaker’s children taking some of their own medicine and using their own technology on themselves? Why not use technology to automate IT business processes and reduce the number of people needed to operate these complex infrastructure configurations? Assuming we can keep labor rates in roughly the same range, fewer people equals a lower labor cost, which equals lower prices, which means happier CFOs. And happier CFOs are a good thing for CIOs.

New deals should include elements of both labor arbitrage and automation, and this should be reflected in lower and sustainable managed services unit prices. The challenge is to scrape a reasonable amount of the benefit onto the customer’s side of the ledger in the face of the supplier’s desire for “margin enhancement”. More difficult are existing deals: the client’s need to pledge to the corporate “blood” drive is real and imminent, and the supplier’s desire to please its investors with better margins is equally real. In the long term, automation will drive services up the efficiency curve and down the pricing curve. The new trick for the customer is to extract at least some share of the benefit in the short term.

In a look back at 2013, Mario Dottori commented in Stephanie Overby’s CIO.com article on grading our initial 2013 IT Outsourcing predictions that we discussed last December.

Third-Generation Deals Enter Uncharted Territory

It was true that many of the latest generation of outsourcing deals were more complex. But the advantage did not go to the incumbents. Quite the opposite came to pass. “Incumbents are always ‘sticky’ because of high — or perceived high — barriers to exit,” says Mario Dottori, partner in the global sourcing practice at law firm Pillsbury. “However, we have seen more movement away from incumbents where there are lower barriers to exit. Customers are balancing the switching costs and risks with significant improved service delivery and meaningful reduction in spend.”

Check out the full article on CIO.com.

The High Court of England and Wales has recently decided that a contract can, in principle, be made in two separate jurisdictions at the same time if the contract does not include choice of law and jurisdiction clauses. In this situation, either party could seek to enforce the contract in its home jurisdiction.

In Conductive Inkjet Technology Ltd v Uni-Pixel Displays Inc [2013] EWHC 2968 (Ch), the court considered a dispute between two parties, one based in England and the other in Texas. The agreement in question was a non-disclosure agreement, which did not include a choice of law and jurisdiction clause as the parties were not able to agree on one during negotiations. The parties agreed the contract in an email exchange, and it was then signed by Conductive Inkjet Technology (CIT) in England and by Uni-Pixel Displays (UPD) in Texas. CIT then claimed that UPD made use of certain proprietary information in breach of the agreement and sought permission to serve claims on UPD in England. UPD challenged this by arguing that English courts did not have jurisdiction in the matter.

To recap the English law position on contract formation, the general rule is that a contract is made at the time and place where acceptance of the relevant offer is communicated to the offeror. There are two main rules as to when acceptance is communicated:

  1. The reception rule applies to relatively instantaneous forms of communication, and provides that time and place of contract is when the acceptance is received by the offeror. This was established in Entores Ltd v Miles Far East Corporation [1955] EWCA Civ 3 and confirmed in Brinkibon Ltd v Stahag Stahl G.m.b.h. [1983] 2 AC 34 (both cases involving telexes). In Brinkibon, Lord Wilberforce commented that: “In the case of successive telephone conversations it may indeed be most artificial to ask where the contract was made…” but he concluded that the courts simply have to do their best with the test.
  2. The postal rule applies to delayed forms of communication, with acceptances being deemed to be effective at the time of sending, provided the offeree correctly addresses and stamps the letter (Adams v Lindsell (1818) 1 B & Ald 681).

However, the High Court in this instance applied the reasoning of Mann J in the High Court case of Apple Corps Ltd v Apple Computer Inc [2004] EWHC 768 (Ch). Whilst Mann J’s comments on this point were obiter, Mann J expressed the view in the Apple case that it is possible, as a matter of principle, for a contract to be made in two places at once. Mann J noted: “Where completion takes place at a distance over the telephone, it might well be possible to construct an offer and acceptance analysis (indeed, each party has sought to do so in this case) but it might equally be thought that that analysis is extremely forced and introduces a highly random element. The offer and acceptance may well depend on who speaks first and who speaks second, which is likely to be largely a matter of chance in closing an agreement of this sort. It is very arguably a much more satisfactory analysis to say that the contract was made in both places at the same time.”

Mann J also commented that holding the contract to have been made in both places would coincide more closely with the clearly expressed intentions of the parties, namely not to give the other an advantage in terms of governing law and jurisdiction, than would “introducing the somewhat random element of offer and acceptance”.

In the CIT and UPD case, Roth J similarly found that the parties had expressly agreed not to incorporate a choice of law and jurisdiction clause, and that it would be wholly artificial to determine the place of the contract by applying the traditional postal rule, which would depend on which party happened to send the fully executed document. The English Civil Procedure Rules establish the principle that English courts should be able to exercise jurisdiction over foreign defendants where the subject matter of the dispute has a sufficient connection to England, and it would be arbitrary to decide the connection to English jurisdiction simply on the basis of the order in which a document was signed.

Exclusive jurisdiction clauses in agreements may not be entirely watertight. For example, the courts may apply the forum non conveniens test to see whether there are any exceptional reasons for departing from an exclusive jurisdiction clause. However, having both an exclusive jurisdiction clause and a governing law clause in an agreement certainly does reduce the uncertainty that parties may face if a dispute arises and the contract is silent on the matter.

As part of its UK Employment Law Review in 2012, the UK Government announced that it intended to remove the third-party harassment liability provision from section 40(2) of the Equality Act 2010. This provision was repealed on 1 October 2013. This post considers the impact of the repeal and whether employers are safe from claims made by their employees based on harassment by their outsourcing or other third-party contractors.

Background
In October 2010, section 40(2) of the Equality Act introduced the concept that employers could be liable for harassment of their employees by a third party where the harassment was persistent and based on a protected characteristic. Under this provision, employees could bring a claim against their employer if they had been subjected to discriminatory harassment by third parties during the course of their employment on at least two occasions and their employer had failed to take any reasonably practicable steps to prevent the harassment. This provision had potentially far reaching impact as employers became potentially liable for acts committed by third parties such as their suppliers, customers or visitors.

The Repeal
The UK Government’s rationale for the repeal was that it recognised that imposing such a duty on employers was unworkable, because employers have little or no direct control over the actions of a third party. During the UK Government’s consultation process on the proposal to repeal this provision, the UK Government received 80 responses from individuals, public sector employers, unions, equality lobby groups, not-for-profit sector employers and business organisations. Interestingly, only 20% of the respondents were in favour of the repeal and 71% were opposed to it. Nonetheless, the UK Government concluded that the provision should be repealed because there is “no evidence to suggest that the third-party harassment provisions are serving a practical purpose or are an appropriate or proportionate manner of dealing with the type of conduct that they are intended to cover.”

Are Employers Safe from Claims?
While the repeal is helpful to employers, employers should be mindful that employees can still potentially rely on other provisions in the Equality Act 2010 or other legislation to bring claims against their employers. It is currently unclear whether the general harassment provision in the Equality Act 2010 will exclude acts by third parties. An employee could argue that the failure to prevent third-party harassment in itself amounts to “unwanted conduct” under the general harassment provision, and there is a risk that a sympathetic Tribunal may find in the employee’s favour. Similarly, an employee could argue that being placed in a situation where the employee is subjected to third-party harassment amounts to direct discrimination. An employee could also claim that being subjected to such harassment, with the employer failing to take any appropriate action, amounts to a breach of mutual trust and confidence entitling the employee to resign and claim constructive dismissal. It is likely that the Tribunals will now rely on case law established before the third-party harassment liability provision existed, in which the test for liability is whether the employer had control over the event and whether it could control whether or not the harassment occurred.

It remains prudent and good employment practice for employers to continue to take any concerns or complaints from their employees about third-party harassment seriously and to deal with them appropriately in accordance with the employer’s grievance procedure and its harassment and equal opportunities policies. Outsourcing agreements should continue to include adequate provisions and indemnities covering claims that may arise from such concerns or complaints.

On 19 November, Datateam won permission to appeal from an unreported decision of District Judge Bell sitting in the Reigate County Court on 12 June. The facts of the case, which related to unpaid invoices for database maintenance services, are not of interest except to say that the services agreement did not establish a contractual lien over the customer’s data; that is, it did not contain an express term requiring the return of the data to the customer at the end of the contract period. What is of interest is that when it hears the appeal, the Court of Appeal will consider “whether or not a service provider can claim a [common law] lien over electronic data which it manages.”

In English law, a common law lien normally arises in respect of tangible property but not in the case of intangible property such as intellectual property. The classic example is a mechanic who is entitled to exercise a lien over (hold onto) a customer’s car until the customer settles his bill. However, electronic data is intangible property. In granting Datateam permission to appeal, Lady Justice Arden commented that there is no English authority “which establishes that a [common law] lien is exercisable over intangible property.” She thought this was “a point of law… worthy of consideration… since it could have very considerable implications if there was no lien.”

The Court of Appeal’s decision is eagerly awaited.

If the Court rules that a common law lien can arise over electronic data, it will reflect the commercial reality of the day. Service providers often insist on payment in full as a precondition of returning data to a customer, regardless of the actual contractual position. Establishing a common law lien could affect not just database maintenance services but a wide range of data-related services, including cloud services, where a customer hands over data to a service provider for hosting and/or processing.

If the Court instead decides that no such lien exists, a service provider faced with unpaid invoices and a demand to return a customer’s data upon termination must be careful not to overstep its contractual rights.