
Posted

The advent of the new year provides an opportunity to contemplate a fresh start — and that’s just what is needed when it comes to structuring the fundamentals of an IT outsourcing transaction.

Early IT outsourcing transactions typically involved significant capital investments by suppliers, who would often purchase the customer’s existing assets and promise to deliver services inclusive of refreshed assets at defined refresh cycles. These “asset-heavy” transactions often included mechanisms to either prevent the customer from exiting early, or to compensate the supplier for significant unamortized capital investment where the customer terminated services early. Examples of these “exit-restricting” mechanisms are:

  • Whole or partial exclusivity;
  • Termination for convenience and/or wind-down fees;
  • Limitations on the customer’s withdrawal of services (calculated in a variety of different ways);
  • Variable resource category “banding”, whereby fluctuations in chargeable volume metrics force renegotiation of pricing; and
  • Mandatory asset buyout mechanisms.

Very few transactions today contemplate the same level of capital investment by the supplier. This is due in part to the evolution of technology (e.g., cloud-based computing leveraging different degrees of shared resources), and in part to the shareholders of maturing supplier organizations demanding a greater return on their capital investments. Unfortunately for the customer, however, the “exit-restricting” mechanisms have tended to linger, even though the capital investments that they were once designed to protect have largely disappeared.

Suppliers seek to defend the continued use of these mechanisms for a variety of reasons, most of which are not very compelling. Justifying the continued use of the mechanisms as being “industry standard” is misleading; this might be true for asset-heavy deals that were once common, but is questionable for the deals that are more common today. Similarly, justifying their use as being necessary to compensate the supplier for costs associated with the transaction is often an exaggerated claim, as in many cases there are little or no stranded costs associated with losing a customer (e.g., where resources can be easily redeployed for use by other customers). Even if such costs do exist, the basis for compensation is questionable for things like pursuit costs or overhead, which should arguably not be directly allocable to the customer.

Suppliers do, however, have a legitimate expectation of revenue in an outsourcing deal. Consider where a customer offers high volumes of services for an extended term, and seeks discounts based on the aggregate, anticipated revenue. If the supplier did not employ some mechanism to assure revenue, the customer could simply take the discounted pricing and provide only marginal volumes for a modest term, taking the benefit of the pricing but not actually providing the revenue that justified the discounts in the first place.

While the old mechanisms can be deployed to assure this expectation, doing so tends to come at a heavy cost for the customer, which is forced to sacrifice its legitimate objectives of price certainty and commercial flexibility. The new year brings an opportunity to contemplate a fresh approach to balance both the supplier’s and the customer’s objectives.

In our next post, we’ll explore why these old mechanisms really ought to be left to history, and offer an example of a better solution more attuned to the fundamentals of today’s transactions.

Posted

Of Silk and Services
As I listened to my wife, a custom wedding dress designer, talk a hysterical bride off the cliff this past weekend, I realized the conversation sounded eerily familiar. My wife was certain that the completed dress in front of them was exactly what had been ordered and she had emails, sketches and photos to prove it. The bride knew exactly what dress she had ordered, and this wasn’t it. She also had a set of texts, emails, and photos to support her expectation.

Sound familiar? This was nothing more than a failure to document a services solution. How can a “bride” to an outsourcing engagement avoid the same disaster?

Expectation Gaps
Outsourcing customers, like brides, are often nervous and excited about their engagement. They gradually become comfortable through hours of discussion with the solution designers. This exchange is almost always verbal, supplemented with the service provider’s charts and marketing language. Eventually, the customer becomes comfortable with the solution they are ordering, and each party thinks their understanding is mutual. Exhale, smile, shake hands. It is time for the lawyers to “paper it,” and we can jet off to Hawaii for the honeymoon, right?

Inevitably, right before signing the agreement, or, worse yet, after signing, the parties experience that awkward silent moment when they both realize that there is a million dollar gap in expectations. How can this be avoided? How can you document services like a champ?

Four Keys to Documenting Services like a Champ

  • Reduce Services to Contract Documents Early in the Process. In-person discussions and bright graphic slides can be an efficient way to reach mutual understanding and trust. The problem arises when this process is disconnected from the ultimate contract documents. These fluid discussions should be seen as just the first step in the service documentation process. Unless these discussions are consolidated and crafted into a single source of truth early on, features and components will be discussed but never make it into the agreement. Or, conflicts arise when some aspects of the solution differ from what is described elsewhere in the agreement. This leads to conflicts that are often dropped in the lap of individuals who were never part of the initial discussion.

 

  • Plan Time for Consolidating and Contractualizing the Services. The only way to document the services early is to budget time and prepare your team for working through and documenting the services. This starts at the initial procurement planning stage—before the RFP goes out or the sole-sourced partner is engaged. The parties often leave too little time to collectively consolidate and work through the service details. Include not only the business team and subject matter experts, but also the procurement and/or legal staff who will be responsible for drafting and eventually managing against the contract. For great advice on how to contract efficiently using “straight-through processing” read this article written by a colleague.

 

  • Ask the Hard Questions Early. Imagine that the prospective outsourcing customer hears the service provider say that the service desk is only operating during business hours, even though she knows that the contract clearly requires 24x7x365 coverage. It can be tempting to rely on the contractual language and avoid bringing up this discrepancy, lest the service provider use this as an opportunity to increase the price. This is an extreme example, and gaps are often more subtle. In almost every case, transparency and clarity up front result in a healthier relationship and decrease the chance of heartbreak for both parties later on.

 

  • Separate the “What” from the “How.” In drafting services it is important to distinguish between the customer’s requirements (“what” services must be performed) and the service provider’s solution (“how” the services will be performed). For example, the customer requires a world-class service desk tool, but trusts the service provider to select the best tool and operate it according to their best practices. This what-how distinction also guides the drafting process, and allows for the approaches suggested in the first two bullets above. Typically, we recommend that the customer draft their service requirements, then let the service provider create the first draft of the solution description in response to those requirements. This latter piece, the solution, is the location where the pertinent information from PowerPoint slides and conversations should be distilled down into contractual language. Both parties should walk through this service description and make any necessary adjustments to ensure clarity and completeness.

 
Happy Customer, Happy Life
The real benefit of documenting services properly is not just that it creates a great end product. Rather, the greatest value is found in the conversations that necessarily occur through this distillation process.

Of course, brides need their dream dress, and businesses need solutions that address their business requirements. It is almost never a question of whether the dress or the solution gets fixed. It is a question of “Who pays?” and “How much?”. Follow the keys above and think early and strategically about the process for drafting the services to ensure a healthy and happy relationship for years to come.

Posted

In the first installment of this post, I posited that one factor contributing to disappointing results following a merger or acquisition is the flawed perception that transition services are not that important. I noted that this mindset may dilute the effectiveness of the post-deal enterprise(s) and result in unanticipated and unmitigated risks, lost or reduced revenues and/or interruptions of key business operations.

Let’s assume that you are sold on the importance of transition services. Even when transition is given appropriate attention, companies often suffer the perils of misguided implementation of the transition service regime, which may include:

  • Insufficient planning;
  • An undisciplined process;
  • Inadequate diligence (not asking the right questions); and/or
  • Incomplete or improper terms.

This installment focuses on how best to avoid these issues by adhering to a practical set of informed best practices.

Transition Services “Value Imperative”

Although there is no single “right way” to devise and execute a transition services strategy, there is one guiding principle that should drive any transition service regime. For the sake of discussion, I’ll call it the “value imperative,” which should advance three primary objectives:

  1. Help position the post-closing enterprise(s) to be at least as (if not more) competitive in the market(s) in which they operate;
  2. At a minimum, preserve (and potentially enhance) the valuation; and
  3. Enable the enterprise(s) to fully exploit the targeted synergies of the deal.

Put another way, the transition services should, at a minimum, “do no harm” to the value proposition being pursued, recognizing that the mechanisms for achieving this goal may differ depending on whether you are the seller or buyer (the recipient or provider of the transition services).

Implementing an effective transition services regime is as much about process as it is about substance. In this installment I explore the key attributes of an effective transition services process from the perspectives of both the provider and the recipient of these services.


Posted

The Court of Justice of the European Union (CJEU) has been very busy in recent weeks re-shaping EU privacy laws. In addition to the much-anticipated decision in “Schrems” (Case C-362/14), which essentially rules the US-EU Safe Harbor invalid, the CJEU has also considered the key issue of “establishment” in another landmark case, namely “Weltimmo” (Case C-230/14).

In particular, it has ruled that businesses with only very minimal operations in an EU Member State can nevertheless be subject to the data protection laws of that Member State, where they process personal data in the context of activities directed towards that Member State. This effectively widens the scope of “establishment” and creates additional headaches for those with European operations.

The action point for companies with a European footprint is therefore to review their European processing activities, re-think where they might be established and look to comply with local laws in those jurisdictions. Status quo is not an option for those who wish to avoid enforcement action in “foreign” jurisdictions they previously thought they could ignore.

Background

The Weltimmo case was referred to the CJEU by the Kúria, Hungary’s Supreme Court, and the facts of the case can be summarized as follows.

Weltimmo operated a property advertising service in Hungary, but was headquartered in Slovakia. It allowed people to advertise a property free of charge for one month, but then would subsequently charge a fee. When Weltimmo failed to delete adverts and personal data at its customers’ request upon the expiry of the free offer period, and passed such data on to debt collection agencies seeking payment for an on-going subscription, it was fined by the Hungarian Data Protection Authority (DPA).  The DPA considered it had jurisdiction to impose a fine on the Slovakian company for breaches of Hungarian data protection laws because Weltimmo was “established” in Hungary.

Weltimmo had one representative on the ground in Hungary, a Hungarian bank account and a post office box in the country, and so it appealed the DPA’s decision to the Hungarian court on the basis this was not sufficient to amount to an establishment, nor confer jurisdiction on the Hungarian DPA. Although the DPA’s decision was annulled for lack of clarity over some of the facts, the first instance court did not accept Weltimmo’s defence.

The dispute was then escalated up to the Kúria, at which point Weltimmo continued to argue that the Hungarian DPA had no jurisdiction to apply Hungarian law to it, as (i) it was registered in Slovakia, and (ii) the DPA had failed in its view to follow the procedure set out in the Data Protection Directive (95/46/EC) dealing with “supervisory authorities”, namely that the Hungarian DPA should have shared its findings with the Slovakian DPA and requested the Slovakian DPA to exercise its authority.

The Kúria was unclear as to the correct interpretation and decided to make a reference to the CJEU.

The CJEU’s Ruling

The CJEU’s judgment concerned the interpretation of the words “in the context of the activities of an establishment” as they are used in the Directive and, significantly, ruled that this extends to “any real and effective activity – even a minimal one – exercised through stable arrangements”.

Given the nature of Weltimmo’s operations, the CJEU considered that Weltimmo did have an establishment in Hungary and was, therefore, subject to Hungary’s data protection regime.

Comment

This ruling has changed the landscape of data protection for companies operating in more than one EU Member State, eroding the idea of a “one-stop-shop” in terms of one supervising DPA and making many companies subject to multiple DPAs in Europe.

Previously, companies could arguably “forum shop” from a data protection perspective, choosing to headquarter in a Member State perceived to be more business friendly, such as the UK or Ireland for example, whilst seeking to avoid the long arms of some of the traditionally more conservative (and often aggressive) DPAs.

However, following this ruling, if a company operates a website in the native language of a particular Member State, or has representatives in that Member State (amongst other things), then this could well be enough to constitute an “establishment” such that the company would be accountable under that Member State’s laws and be subject to enforcement action in that Member State, regardless of where it is headquartered.

Whilst this ruling means Weltimmo is likely to be liable for a fairly hefty fine levied by the Hungarian DPA, the ramifications of this judgment are much further reaching and are likely to significantly increase compliance costs for companies with pan-European operations.

Posted

These days it seems every supplier’s infrastructure pitch book is full of the virtues and potential benefits of their drive toward automation, the objective being to get the same work done for less. What’s not clear is whether the supplier will actually be able to achieve what they promise or how to allocate the benefits between buyer and seller.

The same for less is a well-travelled road; the same goal drove moving work to less expensive delivery locations over the last couple of decades. Along the way some algorithmic alchemy created an acceptable balance among costs, margins, prices and benefit to the buyer. While the arithmetic to ensure the benefits were reasonably distributed amongst buyers and sellers could be complex, the factors of production to drive economic verification models were pretty well known, or at least could be with a bit of research. Underlying it all was a basic assumption, that an FTE was an FTE, and many buyers used the number of proposed FTEs to validate a supplier’s ability to actually perform the work.

Automation changes all that. Is an FTE still an FTE, or is an automation-assisted FTE 125% of a historical FTE, or maybe 150%, or maybe even more? What if there is no FTE at all, just some robotics doing what an FTE used to do? Since an automaton is likely to make fewer mistakes than a human FTE, and will do those error-reduced tasks faster than the human FTE, the promise of better and faster and cheaper seems attainable.

Nothing wrong with any of that — it all sounds pretty terrific…

Yet the road to automation nirvana features unexpected curves and potholes. Overcoming these obstacles requires answering the challenge of accurately projecting the financial impact of automation. Putting aside for a moment how to allocate the benefits of automation between the buyer and seller, what will a supplier expect costs to do over the typical five-year term of an ITO? What is the probability of the supplier under- or overestimating progress?

Suppliers projecting year-over-year pricing improvements is nothing new. ITOs have, for many years, included cyclical pricing improvements in the 4% to 10% range, linked to known learning curve improvements and the introduction of management tooling. But automation presents two new problems: the automation technology is just now being deployed into supplier delivery engines and processes, and the potential range of productivity increases is far larger. Assume that, sans automation, a provider server administrator can oversee about 75 virtual server images; that leaves a gap of at least one and a half orders of magnitude with the productivity ratios achieved by Internet-scale operators like Google and Amazon. Drawing a pricing curve between those two productivity points is a very different problem than computing the incremental adjustments suppliers have accommodated in their past pricing and will be, at the outset, far more difficult to model.

The inclination of buyers is to press suppliers to maximize improvements in year-over-year pricing over the term. Consider the consequences if a supplier makes an extremely aggressive pricing choice to win the business and later fails to meet its automation goals, resulting in higher supplier costs. That leaves the supplier with several unpleasant choices: take a margin haircut, negotiate with the buyer for a price increase, or reduce the manpower to the levels projected as if the automation objectives were achieved and run the risk of failing to meet service levels. Historical behavior would suggest a higher probability of the supplier reducing the amount of labor and taking the risk of reduced performance.

So how does a buyer cope with the situation of entering into a new or renewed ITO arrangement over the next two years or so before the automation track record is established? What kind of pricing improvements should be demanded? How does the buyer avoid unintended consequences and resultant issues in performance or price uncertainty?

Recently we have seen situations where suppliers, in order to maintain or expand margins, have reduced staffing across their entire delivery engine, resulting in individual buyers seeing resources simply vanish from their engagements, without suitable replacements in either numbers or skills.

Automation offers suppliers a sexy cover story for these moves. One can imagine hearing something along the lines of “of course we reduced staffing, that is the result of our automation efforts and that is how we were able to offer you the low pricing levels that you enjoy.” Skepticism would suggest that buyers would be hearing that refrain whether or not the supplier has actually achieved the automation objectives supporting that position.

The dilemma is that it is still early days and neither buyers nor sellers have the ability to accurately predict the automation benefits that will be achieved over a five-year term. What is needed is some sort of commercial mousetrap that can be adjusted over time; adjusted as more is known about the benefits of automation and the supplier’s ability to actually harvest them.

One way to build that adjustable mousetrap…

An appropriate approach would be to set several trigger points for discussion of adjustments. These triggers should include: (i) annual periodic reviews of the supplier’s overall progress in achieving the productivity changes needed to support the scheduled contract year pricing reductions, (ii) any supplier action to materially change the amount or quality of staffing on the engagement, and (iii) any sustained deterioration in service delivery. The first two of these triggered discussions should be conducted well in advance of any action to allow the buyer and supplier ample opportunity to resolve any differences of opinion prior to the supplier implementing its proposed or scheduled action.

These discussions should be formalized and should include buyer and seller leadership above the managers running the day-to-day relationship. Our experience is that improperly planned resource reductions are a cause for serious operational concern and have the potential to be escalated to the COO/CEO even in very large enterprises.

Posted

This blog is the second part of a two-part series on key contracting issues with technology service providers, and the focus is specifically geared toward companies doing business in the real estate industry.

As noted in Part 1, technology has infused every sector of society, and the real estate business is no different. Firms running large, complex real estate projects typically do not have the core competency to design, develop, implement, host, and/or maintain the technology applications and systems to run these innovative ideas, which is why these firms typically partner with third party technology service providers to design, develop, and implement their technology needs.

Entering into these partnerships with third party technology providers can come with risk and requires a contracting strategy. In Part 1, I discussed the issues of pricing and service performance. In this Part 2 below, I discuss data protection, infringement, and insurance.

Data Protection

A wave of data security breaches has arrived – from Target to the United States Office of Personnel Management. For a real estate company to protect itself, should it terminate all the contracts with its technology providers and crawl into a cave? Of course not. Or maybe it can just hope that the hackers will not be interested in the company’s data? Given the amount of personal information real estate management companies typically collect about current and prospective tenants, that is not an option either.

First, it is important to have a clear understanding of which of the company’s current and proposed third-party suppliers have access to sensitive data and systems. Second, with respect to those suppliers that have access to such data and systems, there are measures that the company can implement in the contract to mitigate the risks and costs of a supplier data breach. This is especially important when the average cost of a data breach can run into the millions. One key area in the supplier contract on which to focus is the limitation of liability provision, which should be carefully tailored to ensure that the company’s ability to recover from a supplier responsible for the breach is commensurate with the company’s overall risk of exposure.

An additional – and maybe more important – consideration with respect to the supplier contract is that of prevention. Does the contract require the supplier to design, implement and maintain a comprehensive safeguard of security controls? What kind of firewall and encryption technology is the supplier using? Will the supplier commit to meeting industry standard security controls (e.g., ISO standards)? If the supplier collects credit card data, is it PCI compliant? What technical and operational commitments will the supplier make if a security breach occurs?

Planning for a data breach has become the new normal, and those companies operating in the real estate industry are not immune. When partnering with a technology supplier, these companies must be mindful of how to protect their data, especially in relation to their supplier contracts.

Infringement

As an in-house counsel at a real estate firm, imagine one day receiving notice of an infringement lawsuit being brought against the company alleging infringement of a third-party’s software code or technical patent. How in the world could the firm be involved in such a claim? As you keep reading, you realize that the claim involves your company’s use of your technology supplier’s services or products. Did you negotiate an infringement indemnity in your technology supplier’s contract? Let’s hope so.

Discussions around indemnities can be painful during business negotiations, but indemnities really do matter. Dealing with a lawsuit can be extremely costly, and a properly negotiated indemnity provision can be used as an important shield if and/or when third-party claims arise in connection with a supplier’s performance of technology services. For example, claims of IP infringement can be a risk, even with respect to cloud transactions. These provisions are complicated, which is why having properly engaged internal or outside counsel is important when negotiating contracts with technology service providers.

Insurance

Real estate firms are quite sophisticated when it comes to maintaining insurance coverage and requiring insurance coverage from contractors. This sophistication is not surprising, given the dangerous nature of conducting complex real estate projects and/or managing buildings with many individual or commercial tenants.

However, does the company have appropriate cyber liability insurance to cover a potential network or data security breach? If so, has the company properly negotiated its policy to account for its risk of exposure? Every cyber insurance policy is different, but thankfully Sourcing Speak has covered how to negotiate those policies.

Insurance can also be a negotiated issue in a supplier contract. Real estate firms will often include required levels of coverage in form contracts with suppliers. Sophisticated technology suppliers are used to seeing these provisions in a contract, and negotiations in this area are usually not a big sticking point.

Conclusion

The real estate industry is embracing the technology revolution – innovative software and systems are becoming an integral part of the design and development of commercial and residential buildings. Furthermore, data collection and analysis is making it easier for property managers to market and manage their portfolios.

All of this innovation means real estate firms are engaging with third-party technology suppliers to execute this strategic vision. Each engagement requires a sophisticated contracting strategy to ensure that the real estate firm properly protects itself from financial and operational risk.

Posted

Technology continues to infuse our homes, businesses, and places of employment. For example, the “Internet of Things” – as it is sometimes called – brings a lot of promise to a wide variety of industries and sectors, including farming, government, natural resources, and manufacturing. The list goes on.

Even though it often gets the (unwarranted) reputation as being slow to innovate, the real estate industry has joined the technological trend. Real estate developers, property managers, and construction firms are constantly on the lookout for new ways to incorporate the promises of new technology into the design, development, and maintenance of their projects and properties.

For example, automated parking garages have become an efficient way to maximize parking in markets where automobile space is at a premium. Some hotel chains are doing away with keys and permitting guests to access their rooms with smartphone apps. Homes and apartments are following suit. Construction firms are starting to gain FAA approval for drone use in connection with their projects. And finally, there is a smartphone app for just about every sector of the real estate industry.

Firms running large, complex real estate projects typically do not have the core competency to design, develop, implement, host, and/or maintain the technology applications and systems to run these innovative ideas, which is why these firms typically partner with third-party technology service providers to design, develop, and implement their technology needs.

Entering into these partnerships with third-party technology providers can come with risk and requires a contracting strategy. Has the company developed its own contractual forms governing technology services? Is the company content with negotiating on supplier paper every time? Companies operating in the real estate space that buy, license, or otherwise incorporate technology into their projects should be thoughtful regarding their contracting strategy and their approach to key risk and financial issues. Some of these key issues include:

  • Pricing and commercial terms
  • Service performance
  • Data protection
  • Infringement
  • Insurance

In this Part 1 of this blog, I will discuss issues of pricing and service performance. In Part 2 of this blog, I will discuss data protection, infringement, and insurance.

Price and Commercial Terms

Typically, the pricing gets all the attention. As it should! If an innovative technology idea cannot be supported by the company’s budget, then the deal will be dead in the water before it even starts.

Whether a supplier’s solution fits into a company’s budget, however, is only one consideration. Just because the company can pay does not mean the company should pay. For example, some suppliers like to include cost of living inflationary adjustments in their proposed pricing. Given the nature of the particular transaction, is it reasonable to have an inflationary adjustment at all? If the service is highly automated, then likely not. Even if having an adjustment is reasonable, sometimes a supplier will propose an upward adjustment with no ceiling. In our view, an uncapped inflationary adjustment is certainly unreasonable.

There are numerous other pricing issues to consider. When will the company receive its invoices – when it signs the contract or when the service actually goes live? Does the contract permit the company to dispute fees that are incorrectly invoiced? How long does the company have to remit payment on an invoice? Will the company be required to pay in advance or in arrears? Are there any “hidden” costs like travel expenses, per diem amounts, or late payment fees? Is there a minimum revenue or volume commitment? Companies negotiating technology transactions should be on the lookout for hidden expenses that can impact their base case.

Service Performance

A typical real estate company is unaware that a technology supplier’s level of performance can be subject to negotiation. The company should ask itself: does the contract with our technology partner contain sufficient performance standards or service levels? For that matter, what is a service level anyway? A service level is a contractual commitment by the service provider to perform its functions in accordance with a certain level of performance.

Sophisticated IT service providers will offer their customers a service level agreement, and these terms are usually subject to negotiation. One particular software-as-a-service provider (with whom I have negotiated several transactions) that operates exclusively in the real estate space never proactively offers service levels unless the customer specifically asks for them.

Having service levels can help drive better performance from the supplier, but only if the company has focused on the right service levels. For example, a service provider may contractually commit that its cloud offering be available for use and working normally 99.9% of the time each month (i.e., allowing approximately 43 minutes of system downtime per month). Given the critical nature of the particular system and service, is that metric acceptable?

Another service level might measure the responsiveness by the service provider to correct errors and bugs in a software or system. For example, if the software operating a sophisticated automated parking garage contains a bug that impedes the operation of the system, how fast will the software developer respond to and resolve the issue? Does that response or resolution commitment meet the building manager’s business needs?

Finally, are the service levels being enforced? Sure, a breach of the service level could be considered a material breach of the contract, but typical contract breach remedies (e.g., termination, suit for damages) are usually not commensurate with the nature of the performance failure. The parties may instead negotiate a predetermined amount of money – known as a service level credit – that the service provider will pay to the customer for the service provider’s failure to meet a particular service level. These credits drive the supplier’s incentive to meet the service levels and serve as a powerful self-enforcement mechanism. In other words, service levels are typically only as good as the associated service level credits.

Next Time

As mentioned above, in Part 2 of this blog I will discuss issues concerning data protection, infringement, and insurance as illustrative topics for real estate companies to consider when formulating a contracting strategy with technology service providers.

Posted

Managed security services are often a natural “add-on” when outsourcing IT services given that data protection is integral to application development, software as a service, and cloud storage, among other services. More recently, managed security services have become a “niche” sourcing alternative that many companies are considering as they seek to leverage suppliers’ expertise in cyber threat assessment, detection and response. One critical consideration to keep in mind prior to outsourcing your cybersecurity is that you cannot outsource your regulatory responsibilities. In a sense, you may hire a supplier to protect your and your clients’ data and cyber infrastructure to the degree required of your organization under the law, but if those legal standards are not met by the supplier, your organization remains liable.

Under U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security Management Act (FISMA), executive orders and state-specific regulations, or the UK Data Protection Act, you may outsource day-to-day information management; you may not outsource your regulatory liability. If a breach occurs, your organization must notify your own clients, state Attorneys General and federal agencies, as applicable. Enforcement actions may be taken against your organization based on violation by a supplier, regardless of your organization’s knowledge, involvement, or lack thereof. For example, the Consumer Financial Protection Bureau (CFPB), a relatively new federal agency formed in 2011 under The Dodd-Frank Act, explicitly targets its enforcement powers at the conduct of both financial institutions and their service providers.

As of 2012, the CFPB announced that it expects “supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with federal consumer financial law” and avoids harm to consumers. And what is one of the biggest risks of harm facing consumers in 2015? Loss or improper disclosure of consumers’ personal and financial data, which may occur over the Internet, via smart-devices and related applications, at merchant points of sale when making card payments, or even at the hands of a rogue employee within your organization or that of your supplier. If the CFPB investigates your organization, as a matter of course they will likely investigate your service provider(s), if any, and focus on areas of consumer data security and risk of identity fraud.

But remaining under the thumb of various regulatory regimes doesn’t mean that you shouldn’t take advantage of managed security outsourcing. So what does it mean?

  • Know before you select a managed security services provider. Complete due diligence on the suppliers’ then-current regulatory compliance status before down-selection. Particularly emphasize the systems and experience needed to comply with agencies that have authority over your organization.
  • Shift the risk of breach to the party best able to avoid such risk at the lowest cost. Negotiate contractual obligations requiring the supplier to comply with relevant cybersecurity law and indemnify your organization for supplier-caused breaches of data security and confidentiality obligations. Bear the risks that your organization can more easily defray than a supplier.
  • Keep up with the law. Institute a rigorous process in-house or via outside counsel to regularly update your supplier(s) on regulatory changes that are applicable to your organization’s business. You know (or should know!) better than a supplier what your obligations are and what actions you’re capable of undertaking in the event of information loss or disclosure.
  • Document your vendor management processes and actions, particularly any security incidents, related communications with the supplier, corrective measures and resolutions.
  • Check in periodically. Include audit rights provisions in your outsourcing agreement and exercise those rights regularly. Pleading ignorance won’t absolve your organization of a compliance violation, but timely awareness of a problem may allow you to fix it and/or the supplier relationship before a violation occurs.

Posted

Nearly every website, app or online service posts a set of Terms of Use outlining company policies for users (sometimes called Terms of Service) (“Terms”), but many companies do not know if their Terms are enforceable in court. Do you? Online platform use has increased quickly, and companies have tried a variety of methods to present these Terms to users. Not every method works—some companies have been dragged into unfavorable litigation when courts hold their Terms unenforceable, a situation which can result in a tremendous drain on time and resources. Today, appropriate website design and Terms content are crucial for addressing the enforceability of your company’s policies, reducing uncertainty, and minimizing future costs.

I. Importance of Terms of Service

Clearly communicating Terms of Use to users is critical to reducing liability and demonstrating transparency to customers. Terms of Use outline a company’s expectations and the types of penalties that can be imposed for violations. If a third party brings a claim against your company based on their or another’s use of your service, Terms can serve to protect your interests and reduce litigation costs by designating on the front end which state’s laws will apply or possibly requiring arbitration. When properly coordinated with a Privacy Policy, your company can also minimize liability involving use by children, copyright or intellectual property infringement, and the performance or security of your service.

II. Types of Online Contracts

Online contracts developed from shrink-wrap agreements – the paper license agreements found inside tight plastic packaging of a product box. Today, these online contracts tend to come in two major forms: click-wrap and browse-wrap. Click-wrap agreements require a user’s assent to Terms through an affirmative action, such as clicking an “I Agree” button or similar. In contrast, a browse-wrap agreement does not require a click – a user passively consents simply by using the website or app. Generally, we see that the Terms for online contracts are posted via a hyperlink at the bottom of the webpage.

    a. Click-Wrap Enforceability

In terms of enforceability, click-wrap agreements are the safest bet. Either a user is presented with a link to the Terms, or the Terms are displayed directly to users on a screen. Only by affirmatively “clicking” are users permitted to proceed to using the service being offered (e.g., paying for an item, downloading software, or even just using your company’s website). These agreements align with traditional contract principles – it is easy to see whether a user (i) had reasonable notice of, and (ii) manifested assent to the Terms because of the affirmative clicking action. Keep in mind that a user’s click of an “I Agree” button will show these elements only when the design of a webpage or app makes it clear that clicking signifies assent to the Terms.

    b. Browse-Wrap Enforceability

Browse-wrap agreements are upheld less often. Showing a user (i) had reasonable notice of, and (ii) manifested assent to the Terms can be more difficult without an affirmative action such as a click. An oft-cited case involves Barnes & Noble’s browse-wrap agreement where the website’s Terms were located in a hyperlink at the bottom left-hand corner of every webpage. The court held the Terms unenforceable because a reasonable user would not have had notice. Proximity or conspicuousness of the hyperlink alone, such as underlined, color-contrasting text, was not enough to infer notice and enforce the arbitration provision without more effort to give customers notice of the Terms.

III. Making Your Online Agreements Enforceable

    a. Design

Where possible, use a click-wrap model for your Terms of Use, which gives users the opportunity to both review the Terms and affirmatively consent to them. One model includes requiring a user to scroll through the Terms in their entirety and presenting the option to click a clear “I Agree to the Terms of Use” button before moving on to the next step. This button should be close enough to the Terms that it is obvious what it references. If for some reason a browse-wrap model must be used, the Terms’ hyperlink should be conspicuous – for instance, constantly visible on every webpage, color-contrasted, and underlined. Importantly, there should be explicit text referencing the Terms that tells users they are giving assent to agreements by navigating the website.

    b. Content

Even if you are able to demonstrate a valid contract with users through the design of your webpage or app, enforcement of every provision is not guaranteed. Particularly sensitive terms might be more difficult for a company to enforce without additional action. These terms might include forum selection clauses, arbitration provisions, class action waivers, or statements about data collection and use. Depending on the state, most forum selection and arbitration clauses are upheld; however, companies should strive to give as full and clear a disclosure as possible about these types of provisions. Strategies include:

  • requiring specific consent to these provisions through multiple clicks,
  • using headers,
  • avoiding boilerplate language or legalese,
  • using highly readable font,
  • adding spaces between paragraphs and sections,
  • allowing printing or saving, and
  • using easy or limited scrolling.

Lastly, it is critical to maintain a digital record of each individual user’s click-wrap acceptance to provide evidence necessary to enforce the contract in its entirety.

Posted

On 24 June, the UK’s National Outsourcing Association hosted its annual symposium in London. This is one of the best attended and most prestigious sourcing industry events in the UK, and is well attended by suppliers, customers and advisors.

Pillsbury sponsored this year’s event, and hosted a breakout session on transition and change in outsourcing, chaired by Aaron Oser and Tim Wright. Guest speaker was Andrew Cubitt, Senior Commercial Lead at Transport for London. The session focused on how customers’ and suppliers’ priorities during a transition programme can often conflict in respect of the key matters of scope, pricing and performance, and the challenges that arise from such conflict. Working in break-outs with the attendees, the Pillsbury team identified several key recurring themes such as relationship breakdowns exacerbated by poor governance and challenges in balancing incentivisation with punishment.

More information about the event, including the slides prepared by the Pillsbury team for the transition session and the materials prepared by the other symposium speakers on topics such as robotics and digitalisation, can be found via this link: http://www.noa.co.uk/event/noa-symposium-2015/.