TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

As business adoption continues to grow, cloud computing and cloud-based systems have again been selected as major technology trends for 2015. Gartner’s recent industry overview focused on how mobile adoption and the need to maintain services and applications across multiple systems will drive more businesses toward cloud-based products. Meanwhile, as analysts continue to predict a $200 billion market for public cloud computing within the next five years, business leaders have begun to embrace cloud services for reasons that extend well beyond promised information technology (IT) cost savings.

In its annual cloud survey of business executives, consultants at KPMG examined why organizations move to the cloud, and even as nearly half cited cost effectiveness, the need to meet the demands of a mobile workplace comes in as a close second. Of IT decision makers surveyed, 42% say that mobile considerations drive the cloud conversion—a jump of nearly 30 points since 2012. The two biggest factors behind mobile adoption are increased productivity and employee satisfaction. These go hand-in-hand as employees are able to use their mobile devices to access their work systems and be productive while on the go.

Last week, we discussed three important changes to California’s data breach law that become effective January 1, 2015. Part two of this series looks at the data breach report recently released by the California Attorney General.

California Data Breach Report

In October, the California Attorney General’s data breach report presented key findings on breaches occurring in California and recommendations for lawmakers and affected industries. Notable findings and recommendations from the report are summarized below.

  • Data breaches are on the rise. Among other findings, the report found that the number of data breaches in California increased by 28% from 2012 to 2013, with “intentional unauthorized intrusions into computer systems” showing the biggest increase among breach categories and accounting for 53% of reported incidents.

Procurement outsourcing is hot. And, really, what is the downside? Committed savings on identified spend that may not have otherwise been captured and realized (and hopefully offsetting and well exceeding any procurement outsourcing fees). Procurement outsourcing is a great business proposition and can be a win for a company if it picks a service provider that can deliver and it has strong contract protections that enable "guaranteed" savings. Four factors that we have seen lead to a successful deal are good (1) sourcing and category management strategies, (2) contract collection and vendor management, (3) benchmark data and buying leverage, and (4) success metrics that are accurate and measurable.

Companies spend millions of dollars on third-party software products to automate and integrate their operations—from operating systems (OS) for mainframe and distributed systems, to enterprise resource planning (ERP) software, to end user applications. For companies with software and systems shared across business units, implementing corporate changes, such as a divestiture, can be a challenge. Few companies have software strategies—or contractual provisions to support such strategies—that enable them to implement a divestiture without significant diligence, including the following:

  • Identification of business unit dedicated and shared software
  • Review of contract terms that allow for assignment (in whole or in part)
  • Review of contract terms that allow for use as part of post-divestiture transition services
  • Development of a software vendor communication plan and, if necessary, negotiation approach

We spend a significant amount of time working with clients to perform software diligence in contemplation of a divestiture or similar corporate action. Set forth below are a few pointers for lawyers and contract and sourcing professionals to consider when licensing software, managing software portfolios, and engaging pre- and post-divestiture activities.

Information Services Group (ISG) predicts an increase in outsourcing transaction activity for quarter four of 2014. Despite a slow third quarter, ISG expects the outsourcing industry’s busy fourth quarter to create double-digit growth in global annual contract value compared to 2013. It also forecasts this pickup in deal activity to continue into 2015.

In its analysis of the Americas region, the only region with year-over-year third-quarter growth, ISG noted that higher information technology outsourcing contract counts through the first nine months of 2014 reflects the trend toward more contracts and increased multisourcing. ISG also highlighted significant business process outsourcing growth in the financial services, energy, and manufacturing industries.

Check out the full Global ISG Outsourcing Index here.

Over the last two weeks, we discussed contract provisions designed to address the implementation of preventive security measures, as well as responding to security incidents. Our third and final blog post in this series focuses on contractual provisions that address the allocation of liability for breaches that result in security incidents.

Because of the potential for large-scale damages from a security incident, customers and service providers are generally very focused on the allocation of liability in indemnification and liability provisions. Below we list some key issues to consider when drafting these contract provisions.

Cloud computing solutions offer many advantages over traditional enterprise systems, including cost-saving potential, access to enhanced applications, and consumption flexibility. However, with recent security breaches at major banks and retailers, security concerns regarding the storage of proprietary or sensitive data in the cloud may discourage the adoption of these solutions in enterprise environments.

Last week, we discussed contract provisions that focused on documenting security requirements and monitoring security commitments. These provisions are designed to require the implementation of proactive measures to protect data and systems and to reduce the risk of security incidents. In this Contract Corner post, we switch focus to contract provisions that address a security incident if one occurs. In an earlier post, we outlined practical steps to take in response to an incident, including communications with authorities and cyber insurance matters. Below we list some key issues to consider when drafting contract provisions regarding these response measures.

As we have previously discussed, cybersecurity threats are mounting and are a major concern for senior management. In this month’s first Contract Corner post, we discuss contract provisions that cover the implementation and maintenance of proactive and preventive security measures. Below we list some key issues to consider when drafting these types of security provisions.

Documenting Security Requirements

As part of the contracting process, the vendor should agree to abide by the terms of a detailed security plan that meets or exceeds a customer’s requirements. When developing this documentation, consider how the vendor will do the following:

  • Ensure the security of customer data—Will the vendor warrant a specific, detailed security system, or will the customer rely on conformance to more general security standards? How will the vendor monitor security risks and breaches?
  • Protect against viruses and other threats to the integrity of customer data—Will the vendor warrant the absence of viruses or merely a standard of prevention? Is the vendor obligated to remediate all viruses, even if it did not cause them?
  • Protect against unauthorized access of customer data—What technology and processes will the vendor use to control access? What are the customers’ responsibilities, and how will the vendor test its defenses and notify customers of any unauthorized access?
  • Improve security systems—Will the vendor agree to meet or exceed best industry security practices as they evolve in the future?
  • Change any security measures—Will any vendor-initiated security changes require the customer’s consent? Will the customer have the ability to require changes?

Governance is an essential component of outsourcing planning and execution. Outsourcing customers, however, often fail to realize that outsourcing governance requires skills and resources that may not be readily available within their organizations. KPMG highlighted key factors to enable better governance in its recently issued “Nine Factors for Successful Governance.”

A few of these governance factors are summarized below:

  • Governance Expertise: Operations managers may not have the skills and experience necessary to manage an outsourcing relationship. Additional training and hiring may be required to achieve the value and risk mitigation desired from an outsourcing.
  • Retained Personnel: Without oversight, retained personnel may rely on internal support organizations. Redundancies caused by such shadow organizations can erode between 10% and 15% of the outsourcing value.
  • Leveraging of Data: Instead of simply relying on a vendor for data relating to the performance of the outsourced services and client satisfaction, companies should consider other independent tools for collecting, tracking, and analyzing such data. This data may be used to supplement the data provided by the outsourcing vendor and be used internally and across multiple vendor relationships.
  • Level of Effort: Companies should continually reevaluate their governance needs. Governance efforts typically peak in the transition phase and then may be ramped down as operations stabilize.