As technologies advance, the outsourcing solutions and strategies that are enabled by such technologies are transforming as well, striving to keep pace with and embrace the new functionalities and capabilities that such advances can offer. The next generation of outsourcing is looking to advances in cloud computing, mobility, virtualization and business intelligence to drive faster, more responsive and more cost-effective solutions. Insurance companies are exploring outsourcing solutions that leverage technology advances to support increasingly mobile, remote workforces and to take advantage of on-demand technologies, real-time communications and enhanced data analytics capabilities.
When contracting for outsourcing services that leverage new technologies — including, for example, software as a service (SaaS) or infrastructure as a service (IaaS) — issues that arise in connection with traditional outsourcing are still relevant and should be considered. However, there is an increased focus on data, from the means by which data is provided, generated and stored, to the right to use such data and the security that protects it.
Focus on Data
With the increased focus on data, internal and external lawyers are looking at contract provisions in a new light. Below is a checklist of six data-related issues that outsourcing customers should consider when contracting for next-generation outsourcing services:
1. Where is it? Contrary to what pictures depict, data is not going out to a cloud and sitting in the ether. Your data — whether via private data line or the Internet — is going to a server at a data center. As such, it continues to be important for enterprise outsourcing users to understand where the production and back-up data centers that house their data are located, as well as to retain the right to approve changes to the locations of such centers. The location of data may impact which laws apply to the services and the protection of data, including data privacy, consumer protection, import/export, employment and tax laws. In addition, some of your customer contracts may not allow certain data to be sent offshore.
2. Any-Time Access: Allowing a third party to process and store business data does not mean that the outsourcing customer should not have immediate and real-time access to its data. One of the perceived risks of outsourcing is the loss of control over data and the ability to get data back when needed or at the end of the outsourcing relationship. A critical part of the solution (and the contract) should be to ensure that you, as the outsourcing customer, have access to your data at all times and that in no event (including for failure to pay) should the data not be accessible or “held hostage.”
3. How Is Your Data Protected? Many cloud computing and mobile solutions are based on shared, commodity models, which include leveraging the service provider’s security policies, rather than requiring the service provider to comply with the customer’s policies (a typical requirement under the traditional model). In these models, many outsourcing customers are opting instead to review (and customize if permitted and necessary) and audit the service provider’s existing policies, as well as changes to such policies, to ensure compliance with the customer’s internal control requirements.
4. Data Segregation: In most production environments, data can be logically partitioned to enable restricted access. However, when the production environment is backed up, some solutions back up all customer data at once — onto shared media. In these instances, outsourcing customers need to be sensitive to how they can then get their data back (how do you get data from a shared storage device?) and what happens if another customer’s data is subject to a legal hold (does your data get retained longer than anticipated?).
5. Ownership and Right to Use: Data analytic tools and capabilities have advanced significantly over the past couple of years. Since data and content are valuable assets that need to be protected, it is important to establish who owns the data “input” as well as the data “output,” and how data can be used and analyzed by the service provider for service delivery and commercialization purposes.
6. Data Breaches: Heightened scrutiny is being given to how data breaches and resulting liability (notice, response, remediation) are handled. Data breaches can occur for a variety of reasons, from hacking of a third party to employee negligence or intentional misconduct. The various reasons should be considered when determining the service provider’s potential liability.
Outsourcing solutions are dynamic, so the contracts under which they are provided need to be dynamic as well, allowing for change in services, as well as change in the underlying terms and conditions. As companies are racing to embrace new technologies, the benefits and potential risks should be assessed and the contract should be reviewed to ensure equitable risk mitigation and allocation.
Barbara Melby and Michael Pillion are partners in the Outsourcing and Technology Transactions group at Morgan, Lewis & Bockius LLP.