The burst of the technology bubble in 2000 left considerable debris on the information highway, yet the survival of the application service provider continues to provide a vehicle for businesses to use the Internet to increase profits and reduce expenses. But before a company starts test-driving the latest ASP model, to minimize the risk of harm, it must learn what lies in the road ahead.

The term ASP is a new economy buzzword for a company that can assist another to outsource its non-core business functions using the Internet and other forms of telecommunication for data transport. ASPs are adept at transforming a company’s back-office business function into a technology-based process, without the need for significant investment of capital for computers and associated infrastructure (and the stress of choosing the right components and platform), employees and technical support.

ASPs provide a variety of services, from something as simple as hosting a single software application (such as Microsoft Word) to supporting a company’s entire order procurement and processing department. In the case of a software application, instead of burdening the company with upgrades to the program, the ASP does it. In the case of an entire department, through an exchange of knowledge between the company and the ASP, the ASP adopts (and refines) the business process and takes operational (but not management) control over the data. ASP-based services can support such business functions as medical billing, electronic storage of medical records, inventory control, payroll processing, employee benefits programs and e-mail marketing.

The primary reason to engage an ASP is to gain access to substantial and complex computer hardware and software without investing capital.
It provides the business owner with time to focus on its core business activities (which generate profits) while paring payroll, eliminating onsite technical support, and allocating the risks associated with information technology to the experts.

The decision to outsource any non-core business process should be made with careful thought and consideration. The risk of losing control over a critical business process to a third party, or the inadvertent disclosure of confidential information about patients and customers, must be balanced against the benefits to be achieved.

TRANSITION TIPS

Once a decision is made to outsource a process, a transition team should be selected from both low- and high-level positions. In case the company is leery about including lower-level employees, remember that they are likely to know the process (and the shortcuts) better than upper management. If the goal is to eliminate such employees as a consequence of the outsourcing, care must be taken to ensure their cooperation. Announcing that a department is being outsourced will cause all but the most unemployable members to bolt for the door. Giving incentives to these employees is the key to retaining their loyalty. Bonuses, enhanced severance packages and guaranteed short-term employment are but a few of the options available to garner loyalty.

Many ASPs proudly list their clients on their Web sites. Call them. Learn from their negotiation and transition experiences to improve the efficacy of your own. In addition, the experience of the ASP’s workforce should be analyzed just as closely as its financial health. Ownership rights to the intellectual property that runs the ASP’s operations should also be inspected. A financially troubled ASP could lose its license to key software programs, leaving the customer without the means to otherwise perform the outsourced function.

The substance of the relationship with an ASP is the services and service levels, known as SLs, to be provided.
In order to ensure a company gets what it pays for, prior to engaging an ASP the transition team should (1) enumerate the goals the company seeks to achieve from outsourcing and (2) depose the personnel responsible for the process to be outsourced. By listing the goals and delivering them to the ASP in writing, the ASP can be proactive in deciding whether a particular service or SL it intends to provide is consistent with the company’s stated intentions. In addition, the more knowledge the team can compile about how the company handles its data, the easier it will be for the ASP to interface with the company to arrive at the SLs required to meet the company’s stated needs. When setting SLs, it is favorable for both parties to have the company tell the ASP what it needs rather than the ASP explaining to the company what it can provide.

Of course, SLs are only as good as the enforcement provisions contained in the agreement. Flat-fee arrangements do little to encourage an ASP to meet or beat the agreed-upon SLs. Such fee agreements entice the ASP to search for ways to cut costs to increase its margin on that business. The better solution is to provide incentive payments for improving the SLs, and penalties for falling below them.

Once the team has compiled the knowledge the ASP will require to make the transition, care must be taken by the company to ensure success even in the face of significant challenges. The team should be prepared for a rocky conversion and appoint a contact person to serve as a communicator between the company and the transition team. Potential bottlenecks should be identified and a timeline of the transfer process should be distributed to upper management in the event other functions of the company are negatively affected. Communication between the company and the ASP (and feedback from the company’s customers) must be maintained to assist in refining the SLs as the project matures.
Typically, the closer the parties look at the process, the more obvious the flaws in the system appear and the need for new SLs arises.

BUSINESS AND LEGAL ISSUES

Up to this point, management will likely have assumed the lead. At this juncture, business and legal advisers should review the status of the project. If a material segment of the company is being outsourced, such as the digital conversion and maintenance of hospital medical records or inventory control, a forensic business intelligence company capable of investigating the ASP and its owners can provide further assurances that the ASP is financially sound and the stated qualifications of the principals are true.

Legal advisers can refine the incentive programs to be provided to employees for their assistance in the transition, identify intellectual property rights that the company may have to license to the ASP in order to run the process, and further define the SLs that the company will require of the ASP.

Typical security issues such as the timing of data backup, off-site storage, firewalls, encryption programming and physical plant issues are basic technology issues easily reviewed by IT personnel already on staff. But issues of confidentiality, privacy and compliance with statutes such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act are key areas for legal experts to focus on when a client seeks to engage an ASP.

Gramm-Leach-Bliley requires that financial institutions not disclose private customer information without first (1) notifying customers of the institution’s privacy policies, and (2) giving them the opportunity to direct that the information not be disclosed. Similarly, HIPAA obligates healthcare providers to guard against the disclosure of personally identifiable health information pursuant to the standards established by the U.S. Department of Health and Human Services for privacy of individually identifiable health information.
(Note: Medical practices that expect to conduct billing practices over the Internet must comply with the electronic healthcare transactions and code sets standards no later than Oct. 16, 2002. The government recently announced an extension of this deadline for one year, until Oct. 16, 2003, but only if the practice has submitted a compliance plan to the Centers for Medicare and Medicaid Services by Oct. 15, 2002.)

In the event a healthcare provider engages an ASP, before any data is exchanged, counsel should determine whether the ASP must execute a business associate contract in accordance with HIPAA’s proposed privacy regulations (67 Fed. Reg. 14775 (March 27, 2002)) and whether patient consent must be obtained. Similar analysis must be undertaken in the case of a “financial institution” under the FTC’s privacy regulations. Since the FTC declined to explicitly define the term, accountants, lawyers and many other businesses that strain to fit the definition should use caution when proceeding with an ASP if personal financial information is being transmitted electronically. Confidentiality clauses and the obligation to return all data upon termination should similarly be negotiated into the agreement.

Most general comprehensive liability policies do not cover risks associated with e-commerce. Niche markets have developed for the sale of cyberliability policies that provide coverage for loss of data, damage caused by the transmission of viruses, e-business interruption, hackers, invasion of privacy and losses associated with intellectual property infringement. Obtain from the ASP a representation, and evidence, that it is insured for such losses, and ask to be named as an additional insured. A similar policy for the customer may be necessary for its transmission of data to the ASP and for the receipt of information from customers, which is then transferred to the ASP.
DETAILS OF AGREEMENT

The agreement should include a right to investigate an ASP for fraud in the event such information comes to the knowledge of the company. It should stipulate that the company has a right to conduct an independent investigation of the ASP and obligate the ASP to preserve evidence and maintain confidentiality. For example, if it is determined that phony orders are being placed, inventory is being siphoned, or phantom employees are being added to the payroll, the contract should permit the company to conduct its own investigation of the ASP to uncover the perceived fraud and also should require the ASP to make the company whole.

Since most sophisticated ASP contracts are multiyear agreements, changes in the law may cause additional costs to be incurred to bring the system into compliance. Agree in advance on which party will bear the cost of upgrading the SLs and agree on the maximum price increase that can be imposed as a result of the changes. Negotiate the right to terminate the service without penalty if the change in law will cause the contract to become illegal or if the cost to comply is in excess of the savings the client expects to achieve from outsourcing in the first place.

Most ASPs will vigorously seek to limit their liability to no more than the cost of the services provided and will not agree to indemnify the client for lost profits or consequential damages. Nevertheless, violations of applicable privacy laws should be excepted from such limitations, as should any right to indemnity provided by available insurance.

Tax counsel should evaluate whether sales-and-use taxes on transactions performed by the ASP can be imposed by the local jurisdiction in which the ASP is operating, or in which the company is conducting its business. In New Jersey, certain telecommunication services are subject to a sales and use tax, and thus, the manner in which the services are sold and paid for can result in the imposition of a tax.
Who has the burden of collecting and paying the taxes should be set forth in the contract and coupled with an audit to ensure the taxes are remitted to the applicable jurisdiction. In the event the ASP becomes bankrupt or otherwise is no longer in business, if the sales taxes were not collected and paid, it is possible that the Division of Taxation could impose a use-tax obligation on the company.

If the ASP is a large company, expect to be hauled into court or an arbitration proceeding within its home state. If the parties are of equal bargaining power, a compromise could be structured to allow for suits to occur in the customer’s home state, but the law of the ASP’s principal place of business would apply. The decision may be made easier if one or both states have adopted the Uniform Computer Information Transactions Act and/or the Uniform Electronic Transactions Act. Depending on the type of service provided, these statutes may provide the customer with greater ability to contract with their customers online.

While arbitration proceedings are less costly and provide a rapid outcome, the legal issues associated with the demise of an ASP arrangement favor the use of the judicial system. The status of intellectual property ownership rights, violations of nascent privacy laws and bankruptcy issues are best suited for courts of competent jurisdiction.

In the event that the ASP becomes bankrupt, to minimize the ASP’s ability to cease operations, the agreement should seek to create an executory contract with an ongoing obligation for both parties to perform and, in the case of licensing rights, provide for payment periods which are to survive bankruptcy. Further, limitations on the transfer of personally identifiable health and financial information must be imposed to prevent the information from being sold to another ASP without prior consent.
DISASTER PLANNING AND EXIT STRATEGIES

The Achilles’ heel of engaging an ASP is the threat that it will go out of business without notice or that the Internet connection will be severed (a construction backhoe cuts the trunk line leading to the ASP’s building). Either way, the company dependent on the ASP will not have ready access to its data. Short of maintaining duplicate hardware on which to store the data, requiring the ASP to back up the data nightly both at the ASP’s facility and at an off-site location is likely to be the best solution.

Additional terms to negotiate to minimize losses and downtime can include: requiring redundant trunk lines and/or multiple locations; data delivery to the company on a periodic basis; and provision of the home phone numbers of key IT personnel in the event the company closes its doors.

Similarly, terminating an ASP also requires careful planning to prevent business interruption. It is far more costly to terminate an ASP than it is to switch software programs on a desktop. Unless there is good cause, an ASP should not object to being limited to the right to terminate for nonpayment. An ASP that desires to include the right to terminate if it determines it cannot afford to continue to provide the services at the agreed-on price is evidence of its inexperience in the field.

It is important to have knowledge of what is necessary to make a transition away from an ASP before starting service. Therefore, the contract should include terms that will obligate the ASP to provide (1) transition assistance; (2) an inventory of the assets used by the ASP to provide the service (equipment, software, personnel); (3) an index and explanation of the data being returned; and (4) the right to run parallel systems while the transition is taking place. Offering to give incentive payments to the terminated ASP for its assistance in the transition is another means to ensure cooperation.
In the end, the lesson to be learned regarding ASPs is that it is a business marriage. The relationship must be built before a contract is signed, and communication must continue thereafter to refine and further implement the transition. How potential ASPs negotiate and respond to a company’s needs and concerns will tell whether a business can develop trust in order to make the marriage last. Do not expect ASPs to develop flexibility and proactive strategies for your business after the contract is signed.

The author is an associate in the tax and corporate practice group of Flaster/Greenberg of Cherry Hill, N.J.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.