Search Results

Although reconciliation of the key terms has been a best practice for over-the-counter derivative trades for some time (particularly with collateralised trades), the scale of the reconciliation exercise imposed by forthcoming regulations in the EU and U.S. has caused many market participants to undertake a fundamental review of the systems and processes in place. For many, compliance can only be achieved by utilising a third party for provision of an appropriate technology platform or an end-to-end service. With imminent compliance deadlines and the late development of the requirements themselves, functionality has understandably been the focus of any sourcing process. However, from a supply chain and outsourcing perspective, a key challenge remains the manner in which the financial services-specific regulations are applied to this type of third-party arrangement.

The New Legislation

With the 1 July deadline for compliance with CFTC Rule 23.502 looming and the equivalent EU legislation (in the form of the Commission Delegated Regulation (EU) No. 149/2013) due to come into force on 15 September, OTC market participants are bracing themselves for major changes to the way they perform portfolio reconciliation in relation to non-cleared trades. In fact, it is looking increasingly likely that the deadline will have to be extended by around three months, to allow further time for compliance by the affected institutions.

For the full client alert “Meeting New OTC Swap Reconciliation Rules May Require Better Technology and Processes”, please go to our website.

As noted in our previous blog postings on the subject (Applications Outsourcing Pricing – Part 1 and Applications Outsourcing Pricing – Part 2), the most prevalent model for pricing applications outsourcing services involves the following components:

  1. a fixed monthly charge for applications maintenance and support;
  2. a fixed monthly charge for a baseline number of application enhancements hours (typically included as part of the fixed fee for applications support) with authorized incremental hours charged on a time and materials basis; and
  3. a framework for pricing significant development work on a project-by-project basis on a fixed fee, capped time and materials, or straight time and materials basis.

This is the third of three blog postings that describes the basic features of each of these pricing components, and discusses some of the key considerations in structuring and negotiating them. The first and second postings discussed pricing for applications support and applications enhancements. This posting focuses on the framework for pricing applications development projects.

Core Development / Testing Staff

Applications development projects are generally priced on a case-by-case basis and, in some instances, competitively bid. Although individual projects are priced on a case-by-case basis, in an applications outsourcing arrangement customers often purchase a core dedicated applications staff for a flat monthly fee to handle a steady state level of expected project work. A core dedicated team can provide continuity that enables higher levels of productivity and quality. In addition, suppliers are assured of full utilization of these resources and thus able to provide deeper discount levels. The time expended by core development team resources can be allocated to individual projects and credited against the charges for those projects. With reasonable advance notice, the customer should be permitted to increase or decrease the size of the core team without penalty.

Estimation Process

Business Requirements – The estimation process for an applications development project starts with the customer working with the supplier to define the business requirements for the project. Typically, there would not be a separate charge for the supplier to prepare an estimate (particularly in a competitive bid). For large complex projects, however, a detailed assessment may be required for the supplier to provide a meaningful estimate of the resources, effort and associated cost of performing the project. In those cases, the supplier should provide a separate estimate for the assessment and, at the conclusion of the assessment phase, prepare an estimate for completing the project within a reasonable range of accuracy.

Estimating Tools – A key challenge for customers is determining whether the supplier has provided a reasonable estimate of the level of effort required to perform a project. In the absence of a competitive bid, there is a natural tendency for the supplier to estimate on the high side, particularly with fixed fee or capped time and materials pricing. Prior to selecting an applications outsourcing supplier, the customer should evaluate the tools the supplier will use to estimate the level of effort and associated costs of projects. The customer should insist on visibility into the inputs and outputs of the tools used by the supplier to estimate project work. On an ongoing basis, actual results should be tracked and compared with estimates to refine application of the tools for future estimates.

Competitive Bids – Customers should consider putting large projects out for bid whenever it is reasonable to expect that other suppliers could be competitive with the incumbent. Our clients routinely obtain lower pricing from incumbent suppliers when work is put out for bid. Bidding out work from time to time also sends a message to the incumbent supplier that it should not assume its position is secure.

Pricing Models
There are three basic models for pricing applications development projects with a large number of variations and hybrids. The three basic models are as follows:

Fixed Fee – A fixed fee is the most common way of pricing a development project but presents certain challenges and risks. The primary challenge is that the requirements for the project need to be defined at a sufficient level of detail for the fixed fee to be meaningful; otherwise, there is a substantial risk that there will be disputes as to whether a particular item represents a further definition of the high level requirements included in the Statement of Work or a scope change. This risk can be mitigated (although not entirely eliminated) through various mechanisms, such as:

  • limiting the customer’s initial commitment to the project to satisfactory completion of the requirements phase, including the customer’s acceptance of any modifications to the fixed fee proposed by the supplier coming out of that phase;
  • building a materiality threshold into the change control process (i.e. no adjustment to price unless a change requested by the customer is reasonably expected to have a material impact on schedule or the cost of performance); and
  • adding appropriate “catch-all” requirements in the Statement of Work (e.g., the new application must include all of the features, functionality and capabilities of the legacy application it is replacing).

Of course, where practicable the best approach is to invest the time upfront with the supplier defining the requirements for the project at a reasonable level of detail before committing to the project.

Capped Time and Materials – Fixed fee pricing also presents a risk that the customer will pay too much in relation to the level of effort required to complete a project. A more favorable arrangement for the customer is to be charged on a time and materials basis up to an agreed cap. This ensures the customer pays only for the time actually expended by supplier personnel and shifts the risk to the supplier of completing the project on budget. Not surprisingly, suppliers are very reluctant to agree to this pricing model.

For projects in which the supplier has significant accumulated experience to draw from (e.g., implementation of the supplier’s proprietary software for the customer), it is reasonable for the customer to insist on capped time and materials pricing. The harshness of this model for the supplier can also be mitigated by risk / gain sharing above and below the cap. For example, the parties could agree that the customer would pay only a percentage of the supplier’s charges above the cap and the supplier would be paid a premium for completing the project under the cap. In addition, the supplier also has the protections afforded by the change control process (i.e. the cap would be subject to adjustment for material scope changes requested by the customer).

Straight Time and Materials – Straight time and materials pricing shifts the risk of project costs to the customer. It is generally used when the customer’s requirements cannot be defined sufficiently upfront for the supplier to propose a meaningful fixed price or cap. It is not uncommon to price detailed requirements definitions (e.g., SAP Blueprinting) on a straight time and materials basis. This pricing model does provide flexibility for the customer to change the scope of the project without the “overhead” of having to negotiate adjustments to the fixed fee or cap, and in some instances our clients have felt that they can more effectively manage the supplier’s spend on a project under this model.

However, straight time and materials pricing does not provide an incentive for the supplier to perform work efficiently and suppliers often argue (incorrectly) that they cannot be held accountable for successfully completing work on time in accordance with the project requirements and schedule under this pricing model. As a general rule, we have found that fixed fee or capped time and materials pricing produces better outcomes for customers.

You’re a CIO and a major software publisher proposes an “enterprise” or an “unlimited” license arrangement. The proposal has made its way up the chain to your desk, and you are told the deal looks promising. There can be pitfalls in any software deal. In “enterprise” or “unlimited” license arrangements the pitfalls can be devastating.

Asking yourself (and your staff) four basic questions may help you ferret out the risks and reduce your exposure to many of the big problems.

This is the first of four installments identifying and explaining each of these four questions. The first question is:

What does “enterprise” or “unlimited” really mean?

Every software license has limits, even those that purport to be enterprise-wide or unlimited. Misunderstanding the limits of what was touted as an “unlimited” license erodes the deal’s value proposition and can be expensive, as well as embarrassing, when justifying the additional expense necessary to pay for uncovered rights.

Without attempting to describe every limit, what follows are a few examples for your consideration and to demonstrate the need to understand what “enterprise” or “unlimited” really means when you are called upon to approve the deal.

It used to be, when publishers were more interested in knowing exactly who used their software, where it was used and on what machine, that an “enterprise agreement” generally meant that anyone in the enterprise could use the product anywhere in the enterprise’s geographic footprint so long as the software was only used on a specific machine. This seemed to work when IT was centralized. Today, however, some real difficulties can arise in the definition of the “enterprise” because of the decentralized fabric of an enterprise’s IT operations. An enterprise may be defined in terms of usage by a specific company or by a specific business unit within a company. The reach of the enterprise definition might be further constrained by coupling one or more of these limitations with a limit on the geographic usage footprint.

Once you understand how the “enterprise” is defined, it is important to keep in mind that enterprise rights generally do not translate into unlimited usage or deployment rights. You must understand the specific usage and deployment rights as well. The license may permit anyone in your company to use the product across multiple geographies, but it may only allow use by a defined number of users (or processors, or a defined level of enterprise revenues). Your usage rights may be further constrained in other ways as well. For example, an enterprise license agreement may give you unlimited deployment rights for a product (e.g., a database), but only for a specific application or for a specific business process.

Once you understand how the “enterprise” is defined and whether or not you have “unlimited” deployment rights, there are still other seemingly elementary limitations you should explore and understand. Here are two examples of these elementary limitations.

  1. It is very unusual for unlimited usage rights to extend to every product offered by a publisher. Most unlimited license agreements will include a listing of the specific products to which unlimited deployment rights apply. It is important to understand the specific products that are included and socialize that list within your organization. A well-intentioned end-user or IT professional may assume that an unlimited database license covers all database products. However, if database products that are not listed in the license are deployed without first securing the additional license rights, the company could be responsible for additional (potentially significant) fees and/or be exposed to remedies for license violations. Unfortunately this is not uncommon and is, in part, the reason why vendors typically include an audit right in the license terms.
  2. In addition to the product listing, unlimited deployment rights are limited typically to a fixed term – usually three to five years. If it is your intent to purchase rights to cover the needs of an ongoing project or business function you should confirm that the deployment term covers the projected time frame for that project or initiative.

In summary, in an enterprise or unlimited license, it is very important that you understand exactly what usage rights are granted and how those rights match your needs. Like all purchases, ask enough questions to understand the full scope (and limitations) of the product before you procure it.

“The details are not the details. They make the design.” – Charles Eames
Indiana vs. IBM

In 2006 Indiana awarded IBM a contract for more than $1 billion to modernize Indiana’s welfare case management system and to manage and process the State of Indiana’s applications for food stamps, Medicaid and other welfare benefits for its residents. The program sought to increase efficiency and reduce fraud by moving to an automated case management process. Only 19 months into the relationship, while still in the transition period, it became clear to Indiana that the relationship was not going as planned. The expected levels of automation were not being realized. Instead, the program reverted to a caseworker process, and performance was consistently slower than the agreed levels.

In October 2009, Indiana terminated the contract, claiming that IBM had committed a material breach. The claim relied primarily on a showing that the coalition of vendors led by IBM consistently missed the key performance indicators (KPIs) for call center abandonment rate and timely processing of applications and redeterminations, and the service level metrics (SLMs) for adherence to proper processing procedures. IBM claimed that only a limited number of KPIs applied during the relevant period, and that IBM had already fulfilled its performance obligations by paying liquidated damages as a penalty for these KPI failures.

This case is interesting because it is rare for material breach claims such as this to be decided by a court. Typically, these cases involve messy arguments of cause and effect, and so most are settled by negotiation. Outsourcing practitioners should take this opportunity to learn from a judge’s perspective on materiality and the meaning of these complicated contractual arrangements.

The court found that Indiana failed to prove that IBM materially breached its contract with the State. The Marion Superior Court in July 2012 held that widespread performance failures by IBM did not constitute a material breach when certain program objectives (e.g., increased efficiency, reduced fraud) were being realized by the State. Judge Dreyer also held that IBM’s ongoing improvement precluded a finding of material breach within the short nineteen-month period between service commencement and termination, and that payment of liquidated damages fulfilled IBM’s performance obligations. In summary, the court found that IBM “substantially performed” its contractual obligations to the State, precluding a material breach award. IBM received a damages award of $52 million for subcontractor fees and equipment being used by the State. The State of Indiana is appealing this decision in the Indiana Court of Appeals, where various briefs by IBM and the State are due between now and the end of July 2013.

Could Indiana have avoided such heartbreak?

Including the following contractual levers and utilizing such measures in an agreement may have more adequately protected Indiana’s interests:

  • Provide explicit performance-based termination rights: Include in the agreement explicit grounds for termination tied to objective performance measures. For example, termination rights could be triggered when a service provider fails to achieve a service level for three consecutive months, or when the aggregate of non-material breaches constitutes a material breach (the “death by 1000 cuts” approach).
  • Set meaningful Service Level credit amounts or don’t have them at all: Liquidated damages will only incentivize performance if they are set at levels commensurate with the importance and cost of the services. The Service Level Credits that IBM was paying amounted to $500 – $5,000 per month, and in other instances they had not yet been determined. If it is cheaper to pay than to perform, that speaks volumes about the significance of the Service Level in question. Worse still, insignificant credits may do more harm than good: this is not a situation where something is in fact better than nothing, because trivial credits devalue the metrics the customer is looking for the Service Provider to measure. And, while it is tempting in the negotiating process to defer setting Service Levels until after the contract commences, as was the case in Indiana, it is highly unlikely that Service Levels satisfactory from the customer’s perspective will be set after an agreement is signed.
  • Reserve a right of election: Reserve the right to elect alternative non-monetary relief in place of liquidated damages. This will prevent the situation found in Indiana v. IBM, where the service provider can continually cure nonperformance by paying liquidated damage amounts. While some jurisdictions (including New York) hold that liquidated damages must be the sole and exclusive monetary remedy to be valid, this does not preclude the election of non-monetary remedies, such as termination, injunctive relief, or specific performance.
  • Enforce rights through proper governance: Vigilant ongoing communication and recordkeeping are required to enforce and preserve rights granted under an agreement. In other words, don’t let your sourcing agreement become merely a door stop. If the best path is to grant an exception for nonperformance, do so by explicitly affirming your right to relief while disclaiming that right in the immediate instance. Indiana, for example, praised IBM publicly and turned a blind eye to performance failures that it would later hold up as justification for termination. Conducting an outsourcing relationship in a manner inconsistent with the agreement for a long period of time can make it difficult for one party to suddenly insist on strict adherence to the agreement.

Steve Farmer recently published an article in World Data Protection Report titled “Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0.”

What exactly is the “best” solution for an international business needing to handle and transfer personal data across borders?

This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.

There has been a lot of discussion, not least in the context of the European Commission’s proposal for the new EU regulation to replace the EU Data Protection Directive and the EU Article 29 Data Protection Working Party’s push towards “privacy by design”, about the best way for companies to adequately safeguard personal data which is transferred out of the European Economic Area, thereby ensuring that their transfers are compliant with EU data protection laws relating to extra-EEA transfers.

Many commentators, including some of the key EU regulators, have noted that there remains a lot of confusion, and a fair amount of misinformation, surrounding the pros and cons of the various routes used to ensure that extra-EEA transfers are compliant. It is certainly true in the authors’ experience that even quite sophisticated companies and knowledgeable data protection officers often hold an out-of-date view, and better solutions are indeed available.

This article looks at some of the common misconceptions and takes a fresh look at the key routes to ensuring compliance. As will be seen, for various reasons, Binding Corporate Rules 2.0, as we might call them, are worthy of fresh consideration, even where they may have been overlooked or discounted as a way to ensure compliance only very recently.

What Does EU Law Say about Extra-EEA Transfers?

By way of recap, the law in the European Union is such that personal data can be transferred to a country or territory outside the European Economic Area only if that country or territory ensures an adequate level of protection for the rights of individuals in relation to the processing. The European Commission has, of course, drawn up a list of countries or territories which are deemed “adequate” for this purpose, a narrow list containing the likes of Argentina, Switzerland, Israel and, more recently, New Zealand. Conspicuous by their absence from this list, however, are a number of large countries where multinationals typically operate or are headquartered, such as the United States. If a company wishes to transfer personal data outside the European Economic Area and the importer is not on the European Commission’s “adequate list” (being based in, say, the United States), then the exporter has to rely on another “route” to ensure its transfers are compliant with, and not in breach of, EU law.

In terms of the alternative routes available, at least in theory, an exporting entity could form its own view that a third country/importing entity ensures an adequate level of protection. However, the general consensus is that this practice comes with a serious health warning, to the extent that this should be relied on only in the most clear-cut cases. There is absolutely no guarantee that an EU regulator’s view would align with the exporting entity’s, meaning that entity could find itself in considerable hot water, namely, on the end of an enforcement notice preventing the transfer (which could cause a great deal of inconvenience to even the smallest of businesses with international operations) and/or a fine.

On the issue of fines, one noteworthy development is, of course, that the powers for EU regulators to fine those found to be non-compliant have significantly increased recently. By way of example, the UK Information Commissioner has been empowered to issue on the spot fines of up to £500,000 (U.S.$761,886) for more serious breaches since April 2010, and discussions in the European Union suggest that even larger fines, of up to 2 percent of global turnover (revenue), may well be with us soon.

Another option for an exporter is to try to rely on one of the exceptions which permit a transfer, such as by obtaining the consent of the individual concerned to the transfer. It is fair to say, however, that this is most certainly not as simple as it sounds. In practice, it can be very difficult to get this right, not least because many regulators interpret this very narrowly indeed (the Dutch view, for example, being that there is a presumption that consent can almost never be freely given by an employee to an employer, given the bargaining position of the parties).

So what about the remaining options available to ensure that personal data transfers from the European Economic Area are compliant?

EU-U.S. Safe Harbor Program

Let’s look at the EU-U.S. Safe Harbor Program, which for a number of years has been viewed by some as one of the better ways to comply. However, recent developments, and some serious downsides that are often overlooked, should be considered in the mix before choosing this as one’s “solution”.

Whilst this scheme has relative simplicity as one attraction, and is unlikely to disappear anytime soon, support for the scheme does appear to be waning in some EU quarters, particularly because it is viewed as inadequately dealing with the issue of onward transfers once personal data arrives in the United States.

In addition, it addresses only transfers from the European Economic Area to the United States, and so is of limited help for global companies.

A further important aspect, and one that is often overlooked, is that, by signing up to the scheme, one exposes oneself to liability and enforcement action in the United States.

Of note is the fact that the U.S. Department of Commerce and the U.S. Federal Trade Commission have responded to recent criticism by saying they will be increasing scrutiny and enforcement.

For the full text, please visit the World Data Protection Report.

In Part 2 of “It’s 2013. Do You Know Where Your BYOD Policies Are?” we will discuss employer BYOD concerns. Check out Part 1 to learn more about employee interests; Part 3 will present developing trends and suggest best practices for BYOD policy drafting and implementation.

The Employer’s Perspective on BYOD

While BYOD provides employees with enhanced user experience, their employers welcome BYOD for cost savings, increased productivity, and improved employee satisfaction. Yet, these benefits come with certain costs, primarily data security risk, as well as regulatory compliance risk.

Why BYOD Keeps CIOs Awake at Night

Security management becomes much more difficult the less control an IT department has over the relevant data and hardware. BYOD by its very nature makes control a challenge. Security breaches may result from inadvertent action. For example, sensitive information could be accessed by unauthorized individuals who are using a friend’s iPad, or sensitive data may be inadvertently placed in a shared cloud folder. The proliferation of cloud-based services such as Dropbox and Siri makes this accidental leakage all the more concerning. A security breach can also result from active external penetration, through theft, hacking, malware, or espionage. Finally, intentional leakage of information by authorized employees poses a third category of information security risk.

Information Security Strategies

To prevent the various types of breaches described above, IT departments will generally employ a range of tools and practices. Security tools include password protection, forced disabling of certain applications, and remote wipe controls. A growing number of companies provide mobile device management (MDM) solutions to help manage BYOD programs. These solutions typically manage devices by enforcing security policies, managing password controls, controlling the installation of applications, and remotely wiping a device. In addition to these technology-based controls, policies and practices may prohibit or require certain activity from employees.

Security Strategy Example: Cloud-Application Risks

As an example of a BYOD security strategy, IBM prevents its employees from using many cloud-based applications, including Apple’s Siri. In response to concern by IBM and others, Apple revealed this spring that user data generated through the use of Siri remains in cloud storage for 2 years. Dropbox and similar cloud-based storage services are frequently used by employees even though the risks have been widely reported. If employees will be handling sensitive information regularly, then tools and policies must be in place to ensure that this information is not sitting unprotected in a cloud environment.

Compliance with Data Security and Breach Notification Laws

Federal and state laws regulate data security and other activity surrounding the use of mobile devices. Many of these laws were created to prevent unauthorized access to third-party personally identifiable or sensitive personal information. Such laws include the Health Insurance Portability and Accountability Act (HIPAA), the Driver’s Privacy Protection Act of 1994 (DPPA), the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and NASD Rule 3110. Most states have also adopted security breach notification laws over the last decade. Most of these laws require certain breach notification policies and other incident reporting and response procedures, which may be more difficult to follow when employees do not promptly report the loss of, or improper access to, personal devices. Noncompliance can trigger stiff fines and other penalties.

Other Compliance Regimes to Consider

The application of other laws to the BYOD context may not be immediately obvious. Export laws, such as the Export Administration Act, regulate the carrying of certain information outside of the United States, or the exposure of this information to certain foreign nationals. The executive or engineer who takes a BlackBerry on a personal vacation may be inadvertently “exporting” protected technology in violation of U.S. trade controls. In addition, the devices may be accessed at customs as a security measure, exposing restricted information.

Finally, companies must be careful to avoid violations of the Fair Labor Standards Act and other labor laws if they explicitly or implicitly require non-exempt employees to access and reply to emails outside of clearly defined working hours. Approximately 200 police officers are arguing in an ongoing lawsuit that the City of Chicago owes them overtime pay for time spent checking email outside of work.

Most of the federal and state regulations mentioned above do not apply explicitly to BYOD practices. Yet, BYOD practices may exacerbate the risk of noncompliance, and therefore compliance should be considered when designing and implementing a BYOD strategy. Ignoring these laws could prove costly.

Imagine you grab your phone only to find it locked, with all of your applications, pictures, and contacts permanently deleted. Imagine your employer’s IT department remote-wiped your phone because they mistakenly believed it was stolen. Better yet, imagine your Angry-Birds-obsessed child triggered an auto-wipe with too many failed password attempts (don’t laugh – it’s based on a true story!). Can your employer really do this to your phone?

Imagine instead that you are the CIO responsible for protecting sensitive corporate and third party information. How can you ensure information security when your employees carry sensitive data in their pocket everywhere they go, and let their friends and family play with these devices?

The use of user-selected personal mobile devices for work (often called “Bring Your Own Device” or “BYOD”) is undoubtedly delivering benefits for employers and employees alike. Yet, competing employee-employer interests and related risks must not be ignored. Remarkably, only 20.1% of companies surveyed globally have implemented signed BYOD policies according to a recent study (Ovum Research Shows U.S. Ahead of Other Countries in Asking Employees to Sign BYOD Agreements). This three-part series will outline competing interests and risks, and will suggest that the best way to manage these risks is through the drafting and enforcement of proper BYOD policies.

This Part 1 will consider employee interests related to BYOD; Part 2 will focus on the employer’s perspective; and Part 3 will present some developing BYOD trends based on recent reports, and suggest some best practices for drafting and implementing a BYOD policy.

BYOD is the New Normal
BYOD is here to stay. Using personal mobile devices at work has become so common that BYOD can no longer be treated as a mere trend. In fact, a recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. As one recent article put it, IT departments have “learned to stop worrying and start loving user experience.” This comes as welcome news to many employees, who no longer have to juggle two cell phones. Droidheads and Macheads alike can work and play on their phone of choice. BYOD also allows employees to be productive and available without being tied to a desk.

Employee Concerns: Privacy and Control
In exchange for the user-experience benefits mentioned above, employees typically have to give up some level of control and privacy. To maintain information security, employers may require access to and control over an employee’s device (the subject of Part 2). These security controls push up against the privacy concerns of employees. Employees reasonably expect a certain level of privacy, especially when it comes to their personal property and private information. When corporate information is stored alongside private information on a private device, these corporate-personal divisions become murky. An employee could reasonably ask the following questions: What personal information can and will be accessed by the employer? Under what circumstances will an employer obtain such access? What private information could be saved and disseminated by the employer (e.g., through automatic backups)? In what situations would the employee be asked or forced to surrender the device (discovery, external or internal investigations, security maintenance, etc.)? If a device is surrendered, how would private information be protected? Is the employer able to use GPS and other location-based data to track the employee’s location? Employers must determine the answers to these questions, formalize the approach in a policy, and communicate this information to employees.

In addition to privacy concerns, employees should consider the preservation of personal content (mobile apps, pictures, contacts, etc.) on a personal device, especially when employers have the ability to remotely wipe a device. At a minimum, if employees are given notice that their device could be remotely wiped at some point in the future, they can mitigate the risk by backing up their content frequently. A more employee-friendly option would be to require advance notice or even employee consent before a remote wipe is performed. Under certain implementations, available technology allows companies to restrict remote locks and deletions to corporate applications and data rather than the entire device.

Corporate BYOD policies must take employee control and security interests into account. A policy should not be patently unfair to employees, and employers should provide clear notice and obtain employee consent before implementing BYOD policies that impact an employee’s privacy.


In a previous post, TUPE: Service Provision Change, we discussed that the UK Government had issued a Call for Evidence to review the current Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE 2006”) as part of its wider review of reforms to UK employment laws. The Call for Evidence concluded in 2012 and the UK Government has now launched a consultation on its proposal to amend TUPE 2006, which it believes will improve and simplify the regulations for all parties involved.

The Proposed Changes
The Government’s proposed changes to TUPE 2006 include:
1. Removal of the Service Provision Changes (“SPC”). As a result, outsourcing, in-sourcing and re-tendering would not be brought expressly within the scope of TUPE.
2. Removal of the requirement to provide Employee Liability Information at least 14 days before a transfer, to be replaced with an obligation that the parties disclose the information necessary for them to comply with their duties under TUPE.
3. Enabling pre-transfer consultation under TUPE to count towards collective consultation on redundancies and to allow smaller businesses to inform and consult with employees directly where there are no recognised trade union or existing employee representatives.
4. Allowing greater flexibility for employers to make changes to terms and conditions of employment post transfer. However, the Government will not introduce an express provision allowing parties to agree changes in order to harmonise terms and conditions of employment.
5. Changing the wording of the provisions giving protection against dismissal so that dismissals will only be automatically unfair where they are by reason of the transfer itself. As a result, dismissals for a reason connected with the transfer (which are currently automatically unfair) may potentially be fair, subject to the employer satisfying the normal test for a fair dismissal.
6. Limiting an employee’s right to resign in response to a material detriment to their working conditions or to claim unfair dismissal as a result.
7. Expanding the definition of Economic, Technical or Organisational (ETO) reasons to include changes in the location of the workforce. This would benefit employers who, depending on the facts, might be able to argue a broader range of ETO reasons for making a fair dismissal. The Government is also seeking views on whether a transferor can rely on the transferee’s ETO reason to legitimise pre-transfer dismissals.

The effect of the proposed changes
Some of the proposed changes will be welcomed and will ease the burden on business, such as greater flexibility in making changes to terms and conditions of employment post transfer or being able to make employees redundant where there is a change in the location of the workforce. On the other hand, there is likely to be a wave of new legal challenges if the proposals are implemented. The repeal of the SPC provisions is a likely hot button. The UK Government view is that the SPC provisions impose unnecessary burdens on businesses and go beyond the requirements of the ARD. Supporters of the SPC provisions argue that they give needed clarity that TUPE applies to outsourcing, insourcing and re-tendering and thereby provide a level playing field. Businesses have also embraced the general assumption that TUPE will apply to service provision changes and factor the costs into their pricing model. The proposed elimination of the SPC provisions would once again bring unwanted uncertainty, much like the uncertainty that surrounded the application of TUPE 1981, with multiple criteria being applied inconsistently in European case law.

Next steps
The consultation will end on 11 April 2013 and any reforms (with the exception of the repeal of SPC provisions) are expected to come into force in October 2013. Although the Government has indicated that there will be a significant transitional period before the SPC provisions are repealed, when negotiating contracts going forward, it will be prudent for businesses to bear in mind that TUPE may not automatically apply on exit.


Why do you need to act urgently even if you feel your data handling is compliant?

If you are a US headquartered company do you need to bother with these new EU laws and significant changes proposed?

2013 has already seen the frenetic pace of change from last year continue regarding new data laws and fines that will affect how all companies, regardless of business sector, use employee or customer data. The European Union, as confirmed in the January 2013 Albrecht report, is indeed planning to dramatically amend its EU Data Protection Directive with a new Regulation.

This will tackle recent developments in social media, mobile apps and cloud computing as well as deal with a perceived serious lack of compliance thus far, particularly over use of customer data, lack of proper consents and more invasive marketing and advertising.

Some were hoping that after much discussion and lobbying some of the more serious proposals might be further watered down or deleted, such as the “nuclear” 2% of global turnover/revenue fine for serious breaches of EU data law. However, the recent report from the EU Parliament’s Jan Philipp Albrecht confirms the perceived need for even tougher fine levels and more aggressive enforcement. This is all on top of recent changes which saw fines dramatically increased in a number of EU countries, for example in the UK with new powers to issue fines of up to £500,000 (approx $800,000) per breach, and increased fine levels being pursued in France, Spain and so on. These major fines are not theoretical or proposals. They have already come into force and are being used. The “nuclear” option will be in addition.

Other hopes from some in industry that new proposed rights, such as the right “to be forgotten”, might fade away were also dashed. Businesses will have to consider seriously what the impact of such changes will be, and also note that such proposals have highlighted existing requirements, such as not holding onto data for longer than necessary, which are already law and which enforcers are looking at more closely. These developments, along with the new Binding Corporate Rules (BCRs) for data processors that took effect on 1 January 2013, are just some of the recent changes with respect to privacy in the EU that need immediate attention and consideration even if the business is not EU based.

This week many stakeholders are meeting in Washington DC to take part in a major conference (as is your author) on such issues and it will be interesting to see if the feedback from industry sessions makes its way into deliberations and further fine tuning of the proposed new Regulation. Some further twists and turns are likely but the core new elements will almost certainly not be going away. What is certain is that companies cannot assume they are fully on top of what is arguably the fastest moving area of the law currently. A review of where the business is now and identification of what needs addressing is without doubt a current business imperative.


2013 began with a flurry of articles about companies insourcing work or rethinking their sourcing strategies. The reasons for this vary by company, but often include a perception that outsourcing has not delivered the cost savings, innovation or other value the companies had hoped to realize, particularly in information technology outsourcing (ITO). In contrast, we continue to see high levels of satisfaction among companies that have outsourced facilities management and other real estate functions (facilities management outsourcing, or FMO). This makes us think the ITO industry might benefit from some of the best practices used in FMO deals.

First, let’s define what we mean by FMO. FMO involves the outsourcing of functions necessary to keep a company’s leased and owned buildings operating. FMO deals typically include core functions like maintaining building systems, performing repairs, and handling custodial and landscaping work. They will often also include higher value services like energy demand management and procurement, space planning and support for critical facilities like data centers and lab space. They may also be part of larger outsourcing relationships in which a company outsources responsibility for managing construction projects, lease administration or brokerage transaction management. For companies with sizable real estate portfolios, the annual spend covered by an FMO deal can be in the tens of millions of dollars.

Now let’s outline some of the key reasons we think FMO deals seem to have a relatively high rate of success compared with other types of outsourcing.

Transparency. FMO pricing is usually open-book. The supplier will perform the services using a combination of its own employees and networks of third party providers. The customer will reimburse the supplier for the salary and benefits of each supplier employee and for the actual costs paid by the supplier to the third party providers (with no mark-ups). The customer has visibility at all times into what resources are working on its account and what each of them costs.

Supplier Pricing. FMO pricing structures can vary, but the most common structure is for the supplier to charge a management fee for each square foot of real estate it manages. Management fees typically range from $0.05 to $0.20 per square foot depending on the size of the deal and the type of space to be managed, and include all supplier profit and non-reimbursable overhead. Because supplier employee and third party provider costs are passed through without mark-up, the supplier has no incentive to increase these costs (and equally important, no disincentive to reduce them). The supplier receives the same management fee whether it uses 5 or 10 employees to perform a particular function. This creates a very different dynamic between customer and supplier than the unit price x quantity (PxQ) pricing structures that often discourage ITO suppliers from proposing to automate services, virtualize servers or implement other innovative solutions that may benefit their customers but ultimately reduce the number of “units” they can charge for.

Risk/Gain Sharing. ITO suppliers often talk about risk/gain sharing mechanisms, but they almost never come to fruition, in part because of how ITO deals are structured. With a PxQ pricing structure, it is very difficult to create “gain” that benefits both parties and even more difficult to measure it when the supplier does not share its underlying costs. In contrast, FMO deals often include “savings targets” that focus both customer and supplier on reducing the customer’s costs. For example, assume the customer and supplier have agreed to a cumulative savings target of 10% in year 1. If the supplier exceeds its target, it might receive a bonus (e.g., 20% of incremental savings); if the supplier fails to meet its target, it might share in the pain (e.g., reduce its management fee by 20% of the variance between actual costs and the savings target). The contract must include clear guidelines about how “savings” are to be measured, but in general this type of risk/gain sharing structure can align customer and supplier interests, motivate supplier account teams, and allow both parties to “win” when they are able to reduce the customer’s costs.

Customer Satisfaction. Like ITO deals, FMO contracts typically include quantitative service levels (or key performance indicators) that are measured on a monthly or quarterly basis and obligations for the supplier to provide a credit against its management fee if it fails to meet them. However, unlike ITO, FMO suppliers will often also put a significant amount of their management fee at risk (typically 25% to 35%) for meeting the expectations of customer leadership. In other words, at the end of the year if the customer is not happy with the supplier’s performance, the supplier will receive a significantly lower fee even if it is meeting the quantitative service levels and technically fulfilling its obligations under the contract. If the supplier exceeds customer expectations, it might receive 100% of its fee and a bonus that is to be distributed among the employees working on the customer account.

There are certainly inherent differences in ITO and FMO deals and in many cases good reasons to have different deal structures. Nonetheless, FMO provides some interesting alternatives to consider for customers that are unhappy with their existing ITO relationships and for suppliers that are looking for new ways to build trust and expand relationships with their customers.