In the last article of this outsourcing series, I will be offering some tips based on my experience and identifying some definite traps for the unwary, in dealing with many of the key outsourcing agreement provisions not addressed in the previous articles. Because failure to properly address some of these issues may favor the service provider rather than the customer, some of the following suggestions may appear biased toward the customer, but the intent here is to illuminate the issues.
Parties often spend significant time negotiating minimum measurable service levels and the financial penalties for a service provider’s failure to meet them. From the customer’s perspective, I will note two traps for the unwary. First, you can have too many service levels, which dilute the focus of the parties and also reduce the financial penalties available for any one particular breach. The better practice is to have a more limited number of meaningful service levels. I often suggest to customers that they seek the “meta” service levels that cover as comprehensively as they can what the customer and its users actually value. Second, customers are regularly surprised by how small the penalties actually are for failure to meet the service levels. The reason for this surprise is that the service level schedules commonly used in the industry involve a series of formulas involving at-risk amounts, allocation percentages, pool percentages and other variables that, in my view, unnecessarily obscure the facts. A detailed explanation of service level credit calculations is beyond the scope of this article, but my bottom line advice to customers is to run the numbers so that you know (and can then intelligently negotiate) the actual dollar amounts that will be credited upon a service provider’s failure to meet your critical service levels.
The parties need to think through what intellectual property will be created during the relationship and who should own it. Common mistakes include customers taking the “I paid for it so I must own it” approach – which may not be appropriate under the circumstances- or the parties avoiding a proper analysis by declaring that IP will be jointly owned – which is almost always a terrible idea. An additional trap for the unwary is that a choice of governing law (e.g. U.S.) may not have much effect on the applicability of the intellectual property laws local to where the IP is created (e.g., India). If the parties in a cross-border relationship contemplate the creation of valuable customer-owned intellectual property, then I would strongly urge the customer to engage local counsel to review the applicable local laws and their impact on the respective rights of the parties.
Treatment of Data
Given the continuing expansion of privacy law regimes, combined with the unfortunate frequency of high-profile security breaches, the parties should review carefully their respective obligations for security and privacy law compliance. One common mistake is over-reliance on boilerplate confidentiality provisions, which are generally designed to protect trade secrets and other proprietary business information but not personally identifiable information (PII). For one of the more obvious examples, consider that much PII fits within the standard exception for publicly available information. A vendor would therefore be free to publish, for example, customer home addresses because they are usually available to the public at county clerk offices and other similar sources. Third-Party Consents
A commonly overlooked area in outsourcing relationships is the necessity for third-party consents. If the customer has not been previously proactive in seeking outsourcing-friendly language in its vendor agreements, it may find that its software and other license agreements may not permit use by the proposed service provider. Both parties should make the review of third-party issues a significant element of their due diligence prior to negotiations as these issues can have significant effects on the timing and economics of a transaction.
Force Majeure/Disaster Recovery
Force majeure provisions should be combined and coordinated with disaster recovery obligations to ensure the customer is getting the disaster recovery and/or business continuity services it is expecting. Furthermore, even customers not purchasing business continuity services would be wise to pay attention to the boilerplate language of the force majeure clause. The clauses are frequently overbroad and should be tailored as appropriate, and additionally, customers will often want an exception stating that the clause will not excuse a failure of the service provider’s own backup plans.
Compliance with Laws
For some outsourcing relationships, the boilerplate provision stating that each party will comply with applicable laws may prove insufficient. This is particularly true for public company compliance requirements (e.g. Sarbanes-Oxley) and highly regulated industries. The best practice is for the parties to discuss and address in detail, 1)who will be responsible for which compliance-related activities, and 2) how the parties will address compliance-related obligations arising after the effective date, including any impact on service delivery and pricing.
Limitation of Liability
The limitation of liability provisions in outsourcing agreements are often highly negotiated and generally include a cap on the vendor’s aggregate monetary liability, subject to certain exceptions. The amount of the dollar cap is often expressed in relation to amounts paid under the agreement (e.g. amounts paid under the previous 12 months or all fees paid under the agreement),or perhaps a multiple of such amounts. The final dollar value of such a cap is generally correlated to the respective negotiating leverage of the parties. The parties should also pay particular attention to the exceptions to the cap, which historically have included indemnity obligations, gross negligence/willful misconduct and breaches of confidentiality. In recent years compliance with law and data breach liabilities have also become part of these negotiations.
Given the unique and long-term nature of most outsourcing relationships, the parties should give serious thought to dispute-resolution procedures that have the potential for minimizing harm to the relationship, such as initial escalation to senior executives at the parties and/or mediation proceedings. For binding resolution of disputes in cross-border relationships, the industry standard is generally arbitration rather than litigation (even in a favorable venue) because of the difficulty in enforcing foreign judgments in many of the popular offshore destinations. Finally, notwithstanding any arbitration or venue provisions, the parties should always include a provision permitting the pursuit of injunctive relief in the country in which the breach occurs.
One of the least understood aspects of outsourcing transactions is the differing treatment of expiration in outsourcing agreements compared to more conventional services agreements. When the customer and vendor end an outsourcing relationship, the customer will normally have to recommence the outsourced functions or hire a different vendor to provide them. Because many outsourcing relationships are (or quickly become) relatively customized, it may be difficult and costly for the customer to replace those operations without help from the vendor. Accordingly, the wise customer should require detailed obligations from the vendor with respect to the re-transition of the outsourced functions, either back to the customer or to a new vendor. Since after a termination notice the vendor will be understandably reluctant to focus on a relationship soon to end, it is in the customer’s interest to include detailed preparatory tasks that the vendor will perform during the normal operations under the agreement. These may include: 1) the inclusion of appropriate assignment clauses in third-party agreements entered into by the vendor on behalf of the customer; 2) the preparation of detailed documentation and procedures manuals that will enable the customer or new provider to take over the services as seamlessly as possible; and 3)periodic reviews and reporting to ensure that 1) and 2) are being done on an ongoing basis.