
Posted

A recent special report in the Economist focused on the general state of the offshore outsourcing industry, with a particular focus on the emerging trend of companies relocating the performance of IT services from offshore locations to locations closer to home in the United States (known as “re-sourcing”). The report cites a number of reasons for this trend, such as the increase in wages in offshore locations, performance issues by offshore service providers, and the inherent challenges posed by the distance between a U.S.-based customer and the offshore service provider. The Economist isn’t the only one to take notice: a recent article on CIO.com cited a number of similar factors contributing to the new attractions in keeping outsourced resources stateside.

The Economist notes that 67% of American and European outsourcing contracts have some element of offshore outsourcing, so most customers with any sort of outsourcing agreement are impacted by the changing landscape of the offshore outsourcing industry. However, deciding to move services back from an offshore location isn’t as simple as flipping a switch (or sending a notice of termination). There are major risks in terminating and transitioning IT services, and the service provider, having been notified that their services are no longer required, is hardly in a motivated position to help mitigate those risks.

Common risks associated with terminating an outsourcing contract include potential disruption to, or degradation of, service, loss of critical resources (e.g., people, equipment, software) and loss of historical knowledge relating to the impacted environment (i.e., scant or insufficient knowledge transfer by the service provider to the customer or the successor provider). Put another way, at the time when the customer is most vulnerable to service disruptions and unanticipated costs, the service provider has the least incentive to provide quality assistance and services. The question that follows is, what can a customer do to protect itself from the pitfalls of re-shoring services either by taking the services in-house or sourcing them to a successor provider?

The best answer is to make sure that the contract addresses the risks inherent in re-shoring services by including robust termination/expiration assistance requirements. It may feel like planning the divorce while preparing for the wedding, but it is crucial that a customer obtain clear contractual rights that will make any exit from the contract go as smoothly as possible. In particular, the customer should ensure that the contract includes:

  • An obligation for the service provider to continue to provide the base services while the services are being re-shored;
  • A right to procure from the outgoing provider sufficient rights in the critical assets that are used to provide the services, such as equipment, software and third party contracts;
  • A right to hire critical personnel from the incumbent service provider (while the customer ordinarily will not be hiring offshore personnel, there are often key on-shore personnel assigned to the account that the customer may want to hire);
  • Clear ownership rights in deliverables that were developed by the service provider;
  • A requirement that the service provider provide sufficient knowledge transfer to the customer (or successor provider) about the services;
  • A comprehensive re-transfer plan, which should include the details of the knowledge transfer requirements;
  • Clear pricing (usually in the form of a pre-agreed personnel rate card) for services requested and approved by the customer that are in addition to the base services, if any;
  • A list of operational activities that the service provider must perform to re-transfer the services, assets and knowledge; and
  • An obligation for the service provider to provide general cooperation and assistance to the customer and any successor provider.

While obtaining these types of contract clauses as part of the initial contract is ideal, what if a customer is contemplating re-shoring an existing offshore contract that lacks these protective exit clauses?

  • First, be prepared to devote more time and resources to marshal the actions needed to mitigate the risks. Whether or not the contract contains the robust exit terms described above, a customer will be well served by assigning a dedicated transition manager to oversee re-shoring of the services, and an internal team to manage the re-shoring effort.
  • Second, the customer should start the planning process as soon as it decides (or is fairly certain it will decide) to re-shore the services. The timing of notice to the incumbent service provider must be carefully considered and, if possible, should be orchestrated to occur only after (i) the successor approach (be it in-house or external re-shoring) has been decided, and (ii) some form of transfer plan has been developed by the customer.
  • Third, in the absence of an existing plan (and detailed terms) under the contract, formulate a “proxy” plan that establishes the key steps and requirements (analogous to the key points noted above) for an effective transfer. Of course, this may require some measure of negotiation with the incumbent service provider and may require some additional financial investment to secure the cooperation of the service provider (e.g., payment of time and materials charges based on a negotiated rate card). However, this investment may well save time and money, including by reducing the headaches, risks and potential costs of service disruption.

As with any major transition of services, re-shoring carries inherent risks and potential headaches. The best preparation is a combination of the right contractual terms and a mindset (and process) premised on the need for a dedicated team and advanced planning.

Posted

We have written before on this blog about the visa issues that offshore service providers face when bringing talented resources to the U.S. from other countries. Since there are a finite number of H-1B visas that can be issued each year, some service providers have sidestepped the limit by obtaining B-1 visas, which contemplate a more short-term engagement than most outsourcing contracts envision.

In response to a host of immigration issues, the Senate has recently introduced a bill that would not only increase the number of H-1B visas that can be issued each year, but would also include an automatic increase to a maximum of 300,000 visas annually if there is sufficient demand. Currently, the United States has an H-1B visa cap of 65,000, and the proposed legislation would increase the cap to 115,000, with the potential to rise to 300,000.

The proposed legislation would certainly ease the visa restrictions on offshore service providers that are seeking to bring top talent to the United States. A recent report in the Economist has noted that there is an increasing trend in customers bringing offshored services closer to home in the United States, and this proposed legislation would make it easier for offshore suppliers to staff in the U.S. using foreign workers. In particular, the Economist noted that Infosys has opened new offices in the U.S. in order to accommodate its customer’s requirements for on-shore offices. With the trend of customers moving IT services back closer to home, the relaxed visa restrictions will put offshore service providers in a better position to win business with their top talent located in the U.S.

However, celebration for service providers is a bit premature, as the new bill is part of a much larger immigration overhaul and is likely to undergo substantial modification over the coming months.

Posted

It pays to closely read the payment terms in your software license. Or rather, it costs if you don’t read them closely enough.

I was reviewing a software license for a client recently and came across this term:

“We may increase the license fee in a renewal term by giving you notice at least 60 days prior to the commencement of that term by an amount considered by us to be reasonable if we determine that the existing license fee does not give us an appropriate return when compared to returns from other of our customers, but in no event will any such increase be greater than 10% of the renewal License Fee.”

I’m not joking. That was in the contract. On my reading, it’s a ‘Most Unfavorable Customer’ clause. If we have another customer who pays more, then we get to put your prices up. And that was additional to a CPI increase, an increase for any additional users and an increase passing on higher charges imposed by the licensor’s third party suppliers. A license to print money.

What about the principle that the cost of technology should diminish year-on-year? How is it that software vendors get to reap more profits year-on-year? Do they demonstrate any additional costs to provide the software to their customers? Does the price bear any relationship to the actual research, development and production costs of the software? Are they giving you more for the additional price you are paying? Probably not. More likely, it’s based on a simple supply and demand curve – “how much can we get away with charging for this product before customers turn elsewhere”. Software houses will have done the number crunching and determined what they can charge while still maximizing sales.

Software is not something that is in limited supply. Software licensing is not, for example, like real estate where, in a tight market, landlords can raise rents. Real estate is a limited resource; software isn’t. The licensor can generally license as many versions of the software as it can find customers willing to take it. The theory of scarcity doesn’t come into play in the software market – the licensor isn’t going to run out of copies of the software. Apart from their selling, general and administrative (SG&A) expenses of selling more licenses, it’s not likely that the licensor incurs any significant costs to produce more copies of the same software. Having a customer continue to use the software for another year probably incurs little or no SG&A expense, yet the licensor usually demands more money.

For example, software license fees that are charged on a periodic or annual basis (rather than as a one-off fee) will often include an annual price escalator. It’s generally not the Most Unfavorable Customer clause above – it’s more likely to be a fixed escalator (perhaps 5%), or a set amount plus maybe a little extra (3% plus CPI increases). It doesn’t seem a lot, and many customers therefore don’t take too much notice of it. It would attract much more attention if it was set at 25%. Customers would be asking the licensor to justify a price increase of that magnitude, but don’t often ask for justification of a smaller increase. However, as a customer, you should be asking that question no matter how much the increase is. Why are you paying more for the same thing if nothing else has changed?

Pay attention to those clauses, and ask that price escalators be removed. Some licensors will agree without too much protest, while others will hold firm. Obviously, the size of your business and other factors will come into play, but the basic principle applies here – you won’t get what you don’t ask for.

Posted

As customers continue to embrace Software as a Service (SAAS) solutions that are hosted in the cloud, rather than traditional software solutions that are loaded onto and hosted on the customer’s own environment, they should closely review the contract that will govern their relationship with their SAAS provider. Frequently, we see SAAS contracts that are missing certain basic (and key) requirements that serve to protect SAAS customers.

In Part 2 of our two-part series, we continue our list from Part 1 of the critical contract protections that SAAS customers should keep in mind, before signing any SAAS agreement. Alternatively, if a customer already has a SAAS agreement that omits any of the following terms, the customer should explore amending its current agreement to include these protections, during its next contract renegotiation.

Who May Use the SAAS Solution?
SAAS customers should think about who they need to access and/or use the SAAS solution. SAAS agreements frequently place limits on those who are allowed to access the solution. Make sure that the contract allows access and/or use by all of the necessary categories of users. Will the persons accessing the solution only be employees of the customer? What about employees of a customer’s affiliates? What about a customer’s customers – are there any VIP, downstream customers who need access rights? And what about agents, subcontractors and independent contractors, whether they work for the customer itself, an affiliate, or a customer’s customer? (More about the last category directly below).

Don’t Forget Technology Partners and Outsourcing Suppliers
Many companies currently rely on a third party supplier to provide and/or support their IT services. Many times, those third party IT suppliers need the ability to access a customer’s technology solutions (including SAAS solutions), not necessarily to use the functionality per se, but in order to provide technology support to the customer. For example, a third party and/or outsourced technology provider may need to access all solutions that interact with the customer’s core IT suite of services, in order to perform troubleshooting or problem analysis and resolution with respect to the customer’s IT environment. SAAS customers should keep this in mind, if applicable, and make sure that the SAAS contract allows such access by the customer’s third party IT provider, in its role supporting the customer.

Virus Protection
Since the SAAS solution will be hosted in the cloud on technology and servers that are external to the customer’s standard IT environment, customers should make sure that the SAAS agreement includes clear protections against viruses. Make sure the SAAS provider will utilize necessary virus-prevention software and/or technology solutions. Make sure that the SAAS provider agrees to attempt to prevent viruses from being loaded into the SAAS solution and into the customer’s own standard IT environment. And make sure that, if a virus is introduced, the SAAS provider will take appropriate steps to reduce the effects of the virus. SAAS contracts occasionally include language limiting the steps a SAAS provider must take to respond to a virus, until it is clear that the virus originated from the SAAS provider itself. Customers should think carefully about any such provision – is it more important to respond to the virus quickly or to spend time attempting to identify a root cause? Many customers expect immediate steps to be taken to respond to the virus, and for root cause analysis to be performed later, after the effects of the virus are reduced.

Protection Against Infringement
Although a SAAS customer does not host and operate the SAAS solution like traditional software, the same concerns exist with respect to infringement that arise when analyzing software contracts. If the SAAS solution is found to be a solution that infringes upon a third party’s intellectual property (or if a third party alleges that the SAAS solution infringes its intellectual property), the SAAS provider should protect the SAAS customer against any resulting damages. Confer with legal counsel for specific protections, as these concepts are complicated. However, as a high-level matter, the SAAS provider should clearly guarantee to the customer that the SAAS provider owns (or appropriately licenses) the SAAS solution, and that it will indemnify and make whole its customer for any infringement claims related to the SAAS solution.

Are Limitations on Subcontracting by the SAAS Provider Necessary?
SAAS customers should consider whether limits on the SAAS provider’s ability to subcontract its services are necessary, whether because of regulatory restrictions or policies internal to the customer. Are there restrictions on who may host the customer’s data? If yes, then the customer does not want to realize two years after signing its contract that the SAAS provider is no longer hosting the servers that support the SAAS solution, but it has turned over that function to a third party that presents problems for the SAAS customer. Are specific restrictions against subcontracting necessary? Or is it simply that the customer needs the right to review and provide reasonable approval over any new subcontractors? If “approval” over a future subcontractor is not realistic (for example, a SAAS provider may not want to obtain the approval of all 1000 of its customers, just because it is changing a particular subcontractor), then is it possible for the customer to walk away from the contract, if a newly proposed subcontractor presents significant problems for the SAAS customer?

Protect Customer Data Stored Within the SAAS Solution
If the customer’s confidential information, sensitive data and/or personally identifiable information will be stored within the SAAS solution, a whole host of data protection issues arise. At a high-level, the customer should make sure that the contract (1) makes clear that the customer owns its own data, (2) includes strong protections against the release or transfer of that data, (3) describes the specific steps that will be taken if a security breach occurs or is suspected, and (4) includes guarantees that the customer will receive its data back, at the end of the contract. Customers also should consider if they need the right to audit the security and privacy procedures implemented by the SAAS provider. Finally, if the SAAS provider is backing up the customer’s data, the contract should make clear how long it takes to load backed-up data, after a disaster occurs (the “Recovery Time Objective”).

The topics explored in Part 1 and Part 2 are addressed at a high-level and not particularly nuanced, but SAAS customers should raise these issues with their supplier and their legal advisor so that the necessary provisions and contract language can be inserted into their SAAS agreement to appropriately protect their business.

Posted

As customers continue to embrace Software as a Service (SAAS) solutions that are hosted in the cloud, rather than traditional software solutions that are loaded onto and hosted on the customer’s own environment, they should closely review the contract that will govern their relationship with their SAAS provider. Frequently, we see SAAS contracts that are missing certain basic (and key) requirements that serve to protect SAAS customers.

In the first of a two-part series, we offer the following critical contract protections that SAAS customers should keep in mind, before signing any SAAS agreement. Alternatively, if a customer already has a SAAS agreement that omits any of the following terms, the customer should explore amending its current agreement to include these protections, during its next contract renegotiation.

Implementation Schedule
If a SAAS solution is being put into service for the first time for a customer, the customer should make sure that the contract lists the expected schedule for the implementation, including the milestones that must be met and hard dates (not wishy-washy “we hope to get it done” or “we will use reasonable efforts to try and get it done” by a certain date) by which the milestones must be met. If the milestones are not attached to hard dates, then arguably, an implementation that is over one year behind schedule may be “late” in terms of what everyone expected, but it may not be late in terms of the specific guarantees in the contract.

Milestone Payments
Related to implementation concerns, if there is an “upfront” payment expected or if there will be implementation fees associated with the set-up and implementation of the SAAS solution, many customers prefer to tie that payment to successful completion of the milestones, rather than simply pay the entire amount up-front. A related protection is that “successful completion” of the milestone should require that the customer provide written sign-off that the milestone has been successfully completed, rather than (simply) the SAAS provider’s notification to the customer that the milestone has been completed.

What Does the Final “S” in “SAAS” Actually Mean?
If a customer is contracting for “Software as a Service”, the customer must make sure that its contract has clear, well-defined descriptions of the specific “Service” or “Services” that it will receive. Many SAAS contracts include detailed provisions with respect to payments due from the customer, as well as general legal provisions, but very little description of the service or services that the customer will receive. Related to this point, SAAS customers should make sure that their contract includes appropriate guarantees that the SAAS solution will comply with any requirements, specifications, on-line documentation and/or manuals that describe the services.

When Is Support Available?
SAAS customers should make sure that their contract describes the hours during which the customer may receive support from the SAAS provider. Is the customer paying for 24×7 support? Or is it paying for support only during business hours? Be mindful of time zones if support will be received only during certain hours – what if the customer is in California but the service/support center is in Florida? (or Ireland? or Poland?) If the customer elects to pay for support only from 8:00am – 5:30pm ET, is after-hours support available for an additional cost? Does the contract list that charge?

Clear Understanding of Maintenance Windows
SAAS solutions are hosted on servers and/or equipment that is outside the control of the customer (whether the customer is accessing that SAAS solution over the Internet, a private network, or otherwise). When a customer gives up control of the hosting of the SAAS solution, the customer needs to clearly understand (1) when the normal maintenance windows will occur for the SAAS solution, (2) the extent to which the SAAS solution can or cannot be accessed during those normal maintenance windows, and (3) what the SAAS provider’s rights are (and any related procedures) with respect to shutting down the solution outside of the normal maintenance windows. If a critical issue arises outside of the maintenance windows, does the SAAS provider have the right to shut the solution down? Will the provider notify (or attempt to notify) the customer, before shutting down the SAAS solution?

Uptime Service Levels with Teeth
Related to the Maintenance Windows, customers should make sure that their SAAS agreement includes clear service levels with respect to the uptime of the solution (for example, 99.9% uptime monthly), and ensure that the service level “has teeth”. The “teeth” means a service level credit that is paid to the customer, if the guaranteed service level is not met within a given period of time (usually monthly). Without “teeth”, a service level is really nothing more than a hopeful target. SAAS providers should stand behind their contractual service levels and provide an appropriate payment amount back to the customer (usually a percentage of monthly fees), if the service level is not met. Some suppliers will refund a proportionate amount of the monthly fees compared to the minutes lost in excess of the service level. Given the number of minutes in a month, that is typically an insignificant amount that doesn’t motivate the supplier to fix the underlying problem that caused the failure in service.

And Just How Does the SAAS Provider Calculate “Uptime”?
Related to the uptime service level review, SAAS customers should closely examine the language that describes how the uptime service level percentage is calculated. If the maintenance window runs from 1:00am – 5:30am each Sunday night, and if the customer has been told that it should not expect to be able to access the SAAS solution during those hours, then the SAAS provider should not receive “uptime credit” if it happens to have the SAAS solution back up-and-running by 4:30am. The “uptime” calculation should examine whether the SAAS solution is available during the times that the customer expects to access the solution (and those time windows should be clearly listed in the contract). The calculated uptime should not include any time that overlaps with the contractual maintenance windows. Additionally, closely examine the language with respect to “emergency” maintenance. A customer may be okay with contract language allowing the SAAS provider the right to take the SAAS solution down to perform emergency maintenance in the middle of a work day. However, the resulting downtime should count against the “uptime” calculation. Some SAAS providers have been known to insert contract language that excuses any such emergency maintenance from being calculated as “downtime”, by simply sending an email prior to taking the solution off-line. Be careful of this: emergency downtime may be operationally necessary but “downtime” is still “downtime”.

We will continue this list in Part 2.
The topics explored above are addressed at a high-level and not particularly nuanced, but SAAS customers should raise these issues with their supplier and their legal advisor so that the necessary provisions and contract language can be inserted into their SAAS agreement to appropriately protect their business.

Posted

Tim Wright and Craig Wolff, partners in Pillsbury’s Global Sourcing practice and Jack Barufka, partner in the IP practice, explain Legal Process Outsourcing.

Whatever your viewpoint, there’s no denying that Legal Process Outsourcing (LPO) is undergoing a boom, with regular reports in the legal press of its use by law firms and corporate clients alike. Companies, as well as law firms themselves, are now looking to outsource legal processes for many of the same reasons that saw them already outsource an increasingly wide array of other corporate functions previously performed in-house – to achieve compelling cost reductions and faster turnaround times, to free up scarce in-house resources to focus on more strategic and higher value activities, and to refocus the company’s energies on its core business activities.

As a result of this phenomenon, a rapidly growing cadre of LPO service providers has sprung up in countries that are able to offer the right mix of a suitably educated workforce with good English language skills, modern telecommunications capabilities, a substantially lower wage structure than Western industrialised countries, and a reasonably well developed legal system which is typically based on English law. Favoured LPO destinations currently include India, the Philippines, Sri Lanka, South Africa, Singapore and Canada.

To date, the kinds of legal processes that are being regularly outsourced are primarily legal support services at the lower end of the legal service value chain – services that are often performed by paralegals and other non-lawyers, such as due diligence in M&A and capital markets transactions, contract management, document review, e-discovery, legal research and writing, and related administrative functions.

Within the LPO sector generally, the contracting models typically employed are (a) a direct contract between the company and the LPO provider; (b) a managed service model, where the company retains a law firm who in turn contracts with the LPO provider, coordinates the LPO provider’s activities and has responsibility for the performance and quality of the provider’s services; and (c) multi-sourcing, where the outsourced work is divided up and passed out to a number of different LPO providers (either directly or as a managed service), taking advantage of each provider’s different strengths and reducing the concentration risk (ie having ‘all your eggs in one basket’).

A growing sub-discipline within LPO is the outsourcing by companies of their intellectual property work – everything from routine maintenance and management of their existing copyright and trademark portfolios to preparing and filing new patent applications and handling adversarial proceedings, including IP litigation. Not surprisingly, the traditional LPO service providers are ill-equipped (at least at present) to take on the responsibility for performing IP or other legal functions that require highly specialised legal skills, training and qualifications. Hence, the outsourcing of higher-end IP legal processes has thus far tended to be to law firms with established IP practices, good skill set matches and the geographic reach to adequately service the client company’s needs, either within the law firm itself or through its network of foreign law firms.

This, however, is under challenge as LPO providers are themselves increasingly utilising licensed attorneys as part of their offerings. Law firms are also responding and adapting with the deployment of new service delivery models, building out both captive and outsourced ‘LPO-style’ offerings capable of delivering lower value simple, repeatable and standardised activities alongside their ‘traditional-style’ legal practices.

Special issues and challenges presented by the outsourcing of IP legal work
Once a company has made the decision to outsource its IP legal functions, it faces several interesting threshold questions including the following:

  • Should the work be bid out competitively or awarded to a law firm or LPO provider which the company already uses, knows and trusts?
  • Is there work which by its nature falls within a regulator’s ambit as a “reserved legal activity” or similar, and thus must be handled, or at least supervised, by a licensed attorney in the relevant jurisdiction?
  • If the company has operations in multiple countries, which country should be the location of the LPO service provider’s lead office, and what role and responsibility (technically, operationally, financially and legally) should the LPO service provider have for work that needs to be performed in countries in which its lawyers are not admitted to practice?
  • What should become of the company’s in-house staff whose positions will be displaced by the outsourcing, taking into consideration that the answer to this question will be driven to a large extent in EU countries by the Acquired Rights Directive and national legislation implementing it?
  • Considering the degree to which the conduct of law firms and lawyers is already regulated by national codes of professional conduct, should the contracting model for such an engagement be a traditional form of legal engagement letter, a full-blown outsourcing contract with its attendant annexes governing everything from employee background screening to privacy, data protection and service levels, or some hybrid form of contract developed specifically for legal process outsourcing?
  • If something other than a traditional form of legal engagement agreement is used to document the terms of the LPO arrangement, how should conflicts between the contract’s terms and applicable codes of professional conduct be mediated and resolved?
  • How shall conflicts of interest be handled in the event that the law firm cannot handle a particular matter for the client because the matter is adverse to another client of the firm?

It is not difficult to understand why a company that has decided to outsource its IP legal work might decide to conduct the transaction in much the same way it would go about outsourcing any other company function. After all, the company probably has a supply chain organisation that has substantial experience and expertise in how to conduct an efficient and effective outsourcing process. However, the company may discover some of the challenges that following a traditional outsourcing process will pose for an IP LPO transaction, ultimately leading the company to conclude that specialised processes and contracting models must be developed that are purpose-built for the outsourcing of functions performed by lawyers.

Please view this article in its entirety here.

This article first appeared in the December/January issue of Intellectual Property Magazine.

Posted

The end of 2012 saw a flurry of activity in the area of privacy enforcement. In July, Kamala Harris, the Attorney General of California, announced the formation of California’s own state agency, the Privacy Enforcement and Protection Unit, to investigate and enforce the state’s robust privacy laws. By the end of the year, Harris made it clear that she did not intend this new unit to sit on the sidelines. On December 6th, Harris filed a groundbreaking civil suit against Delta Air Lines alleging a violation of the California Online Privacy Protection Act for the company’s failure to include a privacy policy on its “Fly Delta” mobile app. The State of California is seeking up to $2,500 in penalties from Delta for each violation of the California law.

California is not the only government entity that is ramping up its privacy enforcement efforts. The Federal Trade Commission has signaled that it plans to get in on the action as well. On August 9th, the FTC announced a record $22.5 million civil penalty to be paid by Google in order to settle charges that the company made misrepresentations with respect to how it planned to track users’ online activity.

On December 10th, the FTC published a report following up on a year-long investigation in which it found only 20% of mobile apps targeting children properly disclosed how the apps collected and shared personal data. The FTC announced it would be launching multiple investigations to determine whether certain companies have violated the Children’s Online Privacy Protection Act (COPPA), which requires operators of online services (including mobile apps) directed to children under the age of 13 to provide notice and obtain parental consent before collecting personal information from children. The FTC’s record settlement with Google suggests that these investigations could yield serious penalties.

What Does This Mean and What Should Be Done?

If last year is any indication, now is the time for mobile app providers to get serious about protecting the privacy of their current and future users. The latest developments out of California and from the FTC serve as reminders that a business’s online presence – which includes not only its websites, but also its mobile apps, Facebook apps, or any other online form of information collection – must comply with both federal and state privacy laws. Therefore, as we enter 2013, mobile app providers should adopt the following New Year’s “Resolutions.” (Bear in mind, of course, that these resolutions do not represent an exhaustive list of requirements necessary for mobile app providers to be compliant with federal and state law. Rather, they highlight some of the areas that are likely to be the subject of enforcement action in the coming year, both at the state and federal levels.)

Resolution #1: Post a Privacy Policy.

The California suit against Delta serves as a simple reminder that any “online service” must conspicuously post or link to a privacy policy. Posting a privacy policy and/or reviewing the sufficiency of its existing policy should be included on any online service provider’s list of New Year’s resolutions.

What counts as an “online service”? In sum, it is very broadly defined. The State of California concluded that “[t]he term ‘online service’ broadly covers any service available over the Internet or that connects to the Internet, including Internet-enabled gaming platforms, voice-over-Internet protocol services, cloud services, and mobile applications.” Therefore, it is incumbent on companies to ensure that their online products properly disclose what personal information is being collected, how the company is using such personal information, and to whom such personal information is shared or sold. Even if the online product only collects users’ names and email addresses, this information alone can be considered “personal information” in many jurisdictions.

Some may ask why they should be concerned with California law, especially if they are not actively doing business in the state. For example, a startup company may have developed an iPhone app that allows its customers to rate local restaurants in the Washington, DC area. What does the Attorney General of California have to do with this startup? The answer is pretty straightforward – California’s privacy laws extend to all residents of the state, and they do not require that the startup conduct any business there. Therefore, if a California resident merely downloads the Washington, DC restaurant app, the startup will be within reach of California’s privacy laws. The same principle can apply to other states that may have stringent privacy laws (for example, Massachusetts), so it is important to be aware of the latest trends in the privacy laws of each jurisdiction.

Resolution #2: Pay Attention to the New COPPA Rules.

Mobile app providers should also resolve to review their COPPA compliance practices. As noted above, the FTC conducted a year-long survey during 2012 that culminated in two staff reports concerning the data privacy practices of mobile apps targeted at children. The reports determined that Apple’s and Google’s respective mobile platforms currently contain at least a million apps and that at least 50% of children in the United States have access to these mobile app platforms. The report concluded that there is a widespread “lack of information available to parents” about the privacy practices of these mobile apps.

Particularly, the FTC focused on the collection and sharing of a user’s name, geolocation, birth date, email address, mailing address, phone number, and other mobile device identifiers. Most of the apps surveyed by the FTC shared this information with third parties, and very few of these apps disclosed to their users that they were doing so. Therefore, the FTC called on the industry to:

  1. Incorporate privacy protections into the design of the mobile apps themselves;
  2. Offer parents easy-to-understand choices about the data collection practices of these mobile apps; and
  3. Provide greater transparency about how data is collected, used, and shared through these mobile apps.

Furthermore, a week after publishing the second report, the FTC announced new amendments to COPPA, which are designed to strengthen the privacy protection of children as the online world continues to evolve. The new rules go into effect on July 1, 2013 and include:

  1. Clarifying that “personal information” includes geolocation information, photographs, and videos;
  2. Offering companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  3. Closing a loophole that allowed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  4. Extending coverage of COPPA to any third party collecting personal information through the app;
  5. Extending COPPA to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  6. Strengthening data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  7. Requiring that covered website operators adopt reasonable procedures for data retention and deletion; and
  8. Strengthening the FTC’s oversight of self-regulatory safe harbor programs.

Closing Thoughts.

In 2012, government enforcement agencies continued to scrutinize the privacy practices of online services that collect, store, and use personal information, particularly those companies that have ventured into the increasingly popular area of mobile apps. The New Year looks to be no different. As mobile app providers establish their goals and assess their challenges for 2013, they must remember to keep privacy compliance at the top of the list.

Posted

In a look forward, Aaron Oser was recently quoted in Stephanie Overby’s other recent CIO.com article, “9 IT Outsourcing Trends to Watch in 2013.”  One of the trends he suggests to look out for in 2013 is troubled transitions and their potential for disputes. He says, “Customers and suppliers will continue to close deals without fleshing out transition and transformation details and plans. Failed or delayed transitions and transformations will [become the] number one area of disputes between customers and suppliers.”

Check out Aaron’s other comments on what to look out for next year and the full article in CIO.com here.

Posted

The timelines of most strategic IT or sourcing projects are punctuated with key moments that can make or break the deal. These include defining the customer’s strategic objectives, determining which suppliers will be asked to compete (assuming it’s not a sole source deal) and, of course, executing the contract. Another critical juncture is downselection. This is when the customer eliminates competition by choosing a “winning” supplier and focusing on getting a contract signed.

Customers should manage the downselection process thoughtfully. Here are some factors to think about:

1. Timing.

The customer should downselect when competition is no longer beneficial and when it becomes more efficient to start final contract talks. At that point, the customer should have had enough discussions with each supplier so that the customer has a detailed understanding of each supplier’s proposed solution, pricing and terms. Similarly, the suppliers should have had enough time to perform their due diligence to ensure that their bids are grounded in reality.

Ideally, at this stage a customer should be able to compare the suppliers’ positions on key terms on an “apples to apples” basis so that it will be relatively straightforward to identify a winner. Also, any remaining open issues with the winner should not be material in either number or substance. The contracting phase with the winner therefore should be, as much as possible, an exercise in just papering the deal.

2. Communications.

It also matters how the customer communicates its decision to the winner and to the unsuccessful suppliers.

For those suppliers that didn’t make the cut, the customer should be sensitive in what it says and how it says it. These suppliers have invested significant resources in the pursuit and they will want to know why they weren’t chosen. Some may even interpret the communication as a negotiation tactic and will try to make concessions to stay in the race. In making its communication, the customer therefore should be firm but gentle. The customer also may have other strategic relationships with the rejected suppliers, so it is important to communicate in a way that keeps relations between the companies cordial. Last, it is always possible that the customer in fact cannot reach a final deal with the winner, so it is in the customer’s interest to have another supplier potentially to turn to.

The customer’s communication to the winner in turn should be clear on a number of points. First, clearly articulate the basis of the customer’s decision (e.g., the winner’s “best and final offer” on pricing or agreement on key terms like liability or IP rights) and make clear that there will be no reopeners. This will mitigate any subsequent backsliding by the winner. Second, identify a clear timetable to get to the final contract quickly and efficiently. An extended post-downselection period will just give the parties more of an opportunity to continue negotiations and reopen issues. Third, make it clear that if the contracting process does not proceed to the customer’s satisfaction, it reserves the right either to forgo the deal or to restart competition. This way, the customer will be able to maintain some leverage in the talks.

3. Backsliding.

Backsliding by the winning supplier almost invariably happens. It’s a combination of negotiation strategy and human nature. The customer should expect this and be prepared for it. Although the customer’s leverage practically disappears the moment it downselects, it can take steps to keep the supplier focused.

First, make sure that the terms already agreed to (whether financial, operational or legal) are well articulated and as clear as possible. This way, when the customer is confronted with backsliding, it can pull out evidence of what the supplier has signed up to. As noted above, there should be relatively few open issues left to discuss, which should minimize the opportunity for reopeners. Second, be serious about either suspending the talks or bringing one of the other suppliers back into the process. These sorts of transactions can affect an organization for years and, if one takes a huge step back, no deal may be better than a bad one. Suppliers will backslide only if they think they can benefit from it. Last, get to contract quickly. Negotiations follow an inexorable logic: the more time there is to negotiate, the more negotiation there will be.

What It All Boils Down To.

The downselect decision boils down to this: is the customer better served by maintaining leverage through competition or by working out details with a single supplier?

Of course, if the customer downselects too soon, it may be giving up valuable leverage and setting itself up for a tough contract negotiation.

But there is also a downside to waiting too long that customers often don’t think about. Maintaining a competitive process is time-consuming and expensive for everyone. If downselection is delayed too long, it can become a waste of time because the benefits are no longer worth the level of effort. The customer also may lose credibility with the suppliers and deal fatigue can easily set in on all sides. It may be a far better use of the customer’s limited resources to focus on the preferred solution in order to get the deal done.

Posted

“Everywhere you look, the quantity of information in the world is soaring.”

ICD has predicted that, by 2012, mankind will have created 2.7 zettabytes of data! The numbers are mind-boggling – a zettabyte is 1 billion terabytes. With all of that data comes the Next Big Thing – namely, Big Data.

What is Big Data?

Big Data refers to the commercial “aggregation, mining, and analysis” of very large, complex and unstructured datasets such as images, videos, MP3 files, and files based on social media and web-enabled workloads. This data is rich in (often personal) information but until recently has been difficult to understand and analyse – that is, without a supercomputer or two at your disposal! New data and analytics technologies, coupled with scalable, distributed data processing models (i.e. cloud computing), are enabling commercial and research organisations to take advantage of Big Data processing techniques with a relatively low investment in technology.

Why does it matter?

Simple really, it’s a huge market opportunity. According to a research report from the McKinsey Global Institute, Big Data is the next frontier for innovation, competitive advantage and productivity, although, as McKinsey notes, it is not without its challenges “including a shortage of skilled analysts and managers.” IT analyst, Gartner, suggests worldwide IT spending on Big Data in 2013 will be $34 billion. Big Data is Big Business.

As businesses move online, the number one issue is customer engagement. Data (demographic, behavioural and real-time) is the key to connecting businesses with customers. Early movers such as Amazon use collaborative filtering technology to develop automatic recommendations for customers based on their purchase history. Global pharmaceutical company GlaxoSmithKline (Sensodyne, Lucozade and lots of other brands) uses data analytics tools to track consumers online and repurpose the data to benefit particular brands. GSK aims to build direct relationships with one million consumers using social media. Somewhat more controversially, US discount retailer Target, in a story first reported by the New York Times then picked up in more sensationalist form by Forbes.com, used Big Data analysis “to figure out whether you have a baby on the way long before you need to start buying diapers”. With all this analysis being applied to commercial ends, privacy advocates are concerned that individuals may be harmed, or at least annoyed, by the use of “their” data in ways they had not expected.

Is anonymity an answer?

When thinking about the legal issues, data protection laws seem to throw up more roadblocks than solutions. Just take, as an example, EU Data Protection Principles which mandate things such as user notice and choice, purpose limitation, data minimisation, data retention and data export. These principles are shortly to be bolstered by the new General Data Protection Regulation which will propose a new “right to be forgotten”.

Whilst data rendered anonymous falls outside the scope of EU data protection laws, there have long been concerns that anonymised data can be re-identified with a particular individual through matching with other data, leading to official EU guidance that, for data to be considered as anonymised, re-identification must no longer be possible.

In the UK, the Information Commissioner’s Office (ICO) just came out on the side of business with pragmatic guidance on the use of anonymisation. In an approach modelled on UK case law, the ICO stated that a business which wants to anonymise data need only prove that it has assessed the risk of re-identification, and having done so, can reasonably conclude that there is only a remote risk of re-identification. The ICO code of practice “Anonymisation: managing data protection risk” is essential reading for UK-based data controllers looking at developing and implementing compliant Big Data strategies. The ICO has also established the Anonymisation Network (not to be confused with Anonymous, the notorious hacker network). This is a consortium led by the University of Manchester, with the University of Southampton, Office for National Statistics and the UK government’s new Open Data Institute (ODI), in order to provide greater access to more detailed expertise and advice.

It remains to be seen if other EU countries will adopt the business-friendly approach of the ICO.