TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

When we represent customers in outsourcing and managed services transactions, we spend a significant amount of time drafting the exhibits for transition, which is typically a major project in and of itself. In order to help clients think about the major components of transition, we often provide the following checklist of common workstreams to facilitate our discussion.

  1. Governance – Governance is an overarching workstream that spans all phases of transition. A key component is the formation of a transition management office that is responsible for managing the overall transition (including performance and risk management) and coordinating with the company’s governance organization.
  2. Planning – Detailed design and implementation planning is critical to ensuring timelines are integrated and met, with all dependencies considered. Plans typically include the responsibilities of each party, anticipated completion dates, and acceptance criteria.

In a recent Law360 article, Morgan Lewis lawyers Gregory Parks, Kristin Hadgis, and Terese Schireson discussed the recently passed bill in Nevada – Nevada Senate Bill 220 (SB 220) – that will require defined “operators” of websites or online services that are used for commercial purposes and collect personal data of Nevada consumers to comply with a consumer’s request not to sell personal information. SB 220 will be the first law of this scope in the United States that provides consumers with opt-out rights with respect to the sale of their data.

With SB 220 going into effect on October 1 of this year, it is time now for operators to implement measures to enable compliance with SB 220. The article offers helpful tips for compliance, including suggesting that affected operators establish designated addresses where consumers can submit requests.

As a follow-up to our recent post on third-party contract due diligence in outsourcing deals, this post focuses on how customers in outsourcing deals handle the disposition of legacy third-party contracts—one of the thorniest and most work-intensive work streams—once diligence has concluded.

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

Open source programs are becoming a best practice in the technology, telecom/media, and financial services industries. Companies are establishing open source best practices to streamline and organize the way their employees use open source, focusing on long-term business plans. Since open source, a collaborative development process, varies so greatly from traditional software practices (i.e., proprietary and closed), companies are creating their own open source programs and policies to manage how it is used and how it can work best for the company’s long-term goals. Naturally, large technology companies are leading the way in establishing open source best practices, but open source is becoming commonplace for both tech and non-tech companies.

Open source programs are typically created by a company’s software engineering or development department for informal use and then eventually grow to a “formal” program with a collection of policies and guidelines. These policies may include open source contributions, a list of acceptable licenses, and the use of OS code.

Complexity in sourcing transactions relates to the interdependence between the parties executing a program. However, “complexity” can be a surprisingly nuanced concept whose meaning can vary under different circumstances. Here are a couple of these nuances.

What Is Complexity?

If you are buying a physical product, the transaction is not truly “complex” if it can be described completely in the contract, although the product itself may be complicated. For example, a rocket ship is a complicated product, but with specifications that can (and probably should) be described in perfect detail, there is no requirement for an overly complicated contract structure, and the relationship between the parties may not be complex. Contrast this with an engagement that involves business process redesign accompanied by software development and implementation like an enterprise resource planning (ERP) implementation, or a large-scale robotic process automation (RPA) initiative. Although the contract can specify the desired result, in many cases the results will depend on both parties working together to realize that result. This interdependency makes the relationship complex and requires a more nuanced procurement and contracting process.

Even with the standard independent contractor provision in a Master Services Agreement, when employees of the contractor work at a client's site, there can be a heightened risk for joint employment liability, especially where such employees were hired by the contractor as part of an outsourcing arrangement. The US Department of Labor (DOL) recently issued a Notice of Proposed Rulemaking (NPRM) to update its interpretation of the standard for establishing joint-employer liability under the Fair Labor Standards Act (FLSA). The proposal is “designed to promote certainty for employers and employees, reduce litigation, promote greater uniformity among court decisions, and encourage innovation in the economy” by making clear employers’ and joint employers’ respective obligations to pay the appropriate employee wages and overtime for a workweek.

The audit section in a services agreement contains the provisions that specify a party’s right to access and review another party’s information in order to determine such party’s compliance with the agreement. Depending on the scope of audit rights, the audit section can range from a single paragraph to an entire exhibit to the contract.

Many considerations go into drafting appropriate audit rights, including the types of services that the customer is receiving, and the industry in which the customer’s business operates. In many cases, the customer is the auditing party and the service provider is the audited party, but there are situations where the roles will be reversed. Below is an overview of several key issues to consider when drafting audit rights for services agreements.

Forbes has listed its top outsourcing trends in the Asia-Pacific (APAC) region for 2019. The APAC region has long been the dominant region for outsourcing, although it is facing competition from emerging outsourcing markets in other regions. Trends include the growing presence of outsourcing in Malaysia, shifting resource models, and personnel shortages.

March is a busy month for webinars at Morgan Lewis. Check out the Morgan Lewis website for a number of webinars coming up in March that are of interest to technology and sourcing lawyers and professionals. A few that caught our eye:

  • March 12 - Cyber Insurance: Is Your Company Covered?
  • March 12 - M&A Academy: Bridging the Gap with Transition Services Agreements
  • March 13 - Global Public Company Academy: Cryptocurrency and Blockchain Developments

For a complete listing of firm events and CLE opportunities, visit our Global Events Calendar.