Tips to navigating the new normal of contract negotiation.
By Barbara Melby and Kristen Hall
With the maturing of the HRO industry during the past decade and the increased sophistication of HR executives, we have seen a growing acceptance of the types of terms and conditions that are included in the contract on the buy side. Gone are the days of negotiating whether the contract should include service levels or indemnities: They are now considered commonplace. However, the level of acceptable risk continues to keep pace with the changes in the industry as the technology that supports and enables HRO continues to grow. How, for example, should—or can—a buyer negotiate customized service levels in a leveraged, cloud-based model, and what exactly are those service levels?
Same Issues, New Twist
The negotiation really occurs around the detail:
• Which party owns the procedures manual, scripts, and system customizations;
• What changes are in scope versus incremental;
• How is inflation handled;
• How much audit support is in scope; and
• What are the appropriate exclusions from the disclaimer on consequential damages.
Advancements in technology have transformed the way companies conduct business and interact with their employees. HRO providers are continuously transforming their solutions to leverage the new functionalities and capabilities that new technology can offer and that HRO customers—and their increasingly mobile workforce—demand. The next generation of HRO is looking to advances in cloud computing, mobility, virtualization, and business intelligence to fuel more responsive, flexible, and cost-effective solutions.
The “look and feel” of HRO has changed during the past decade to stay current with technology and solution developments, and the buzzwords have changed. Application service providers (ASPs) are a thing of the past, giving way to providers of solutions such as software-as-a-service (SaaS), platform-as-a-service (Paas) and cloud-based models (private, public, and hybrid). The new models require both the HRO buyers and providers alike to relook at the traditional terms and conditions, with shifts in positions with respect to the applicable terms, negotiation leverage, and the level of detail included in the HRO contract.
Focus on Data
With the increase of focus on more standardization, less customization, non-dedicated systems that support multiple clients, and an underlying objective to obtain the benefit of better functionality at lower costs, HRO customers have shifted their needs. No longer do they require system ownership; now it’s all about on-demand, real-time data access, and control.
Areas that customers have focused on regarding their data include: how is data stored and accessed in production, disaster recovery, test, and back-up environments; how can data be used for internal and (if at all) external data analytics and marketing purposes; how is data secured and protected; and are there any compliance issues? With the increased focus on data, internal and external lawyers are looking at traditional contract provisions in a new light.
Regardless of the solution selected, customer data—whether via private data lines or the Internet—is going to a server at a data center. As such, it continues to be important for HRO customers to understand where the production and back-up data centers that house such sensitive HR data are located. Most customers continue to require the right to approve changes to the locations of such centers if any risk in relocation exists. The location of data might impact which laws apply to the services and the protection of data, including data privacy, consumer protection, import/export, employment, and tax laws. In some instances, customers might not be permitted to move certain data offshore.
Allowing a third party to process and store HR data does not prevent the outsourcing organization from having immediate and real-time access to its data. One of the perceived risks of outsourcing is the loss of control over data and the ability to get data back when needed or at the end of the outsourcing relationship. A critical part of the contract continues to be that the HRO customer has access to its data at all times and that in no event (including for failure to pay) should the data be inaccessible nor should the provider feel free to refuse return of the data.
Data segregation is an emerging issue as more and more customers are engaging providers that leverage systems that support multiple clients. For these solutions, typically data can be logically partitioned to enable restricted access in production environments. However, when the production environment is backed up, some solutions archive all customer data at once (holistically) onto shared media. In these instances, HRO customers need to be sensitive to how they then can get the data back (how do you get data from a shared storage device) and what happens if another customer’s data is subject to a legal hold (is data retained longer than anticipated).
Personal employee and business data are valuable assets that should be protected. A critical task is to establish ownership with respect to data input and data output generated or processed by the systems plus any reports, data feeds or databases that include the sensitive information. With interest in data analytics on the rise, understanding how it can be used and analyzed by the provider for service delivery, as well as commercialization purposes, is key. It is important to keep this in mind when allocating ownership and usage rights that, in many instances, require consent from an individual (here the employee) to use that data for other purposes.
A huge fear for most companies is to become a headline story due to a major data leak or breach. Due to the nature of the publicity and the potential liability, we are seeing heightened attention paid to how data breaches (notice, response, remediation) and resulting liability are handled. Data breaches can occur for a variety of reasons, from hacking by a third party (notwithstanding compliance with appropriate security protocols) to intentional disclosure by disgruntled employees. The remedies available for data breaches typically depend on the cause of the data breach and whose possession the data was in at the time of the breach.
Leveraged Models
The shift in interest from dedicated to leveraged models gives rise to other contracting issues, including whose security and business continuity policies should be followed, how changes should be considered and implemented, and how to exit an HRO relationship while ensuring minimal service disruption and transition cost.
Whose policies: Yours, mine, or a hybrid. A key issue in deals that leverage multiple-customer solutions is whose policies should control and be followed. Many customers have internal policies with which internal security and audit groups require third-party providers to comply. Customers must balance the requirement to comply with internal policies and the benefits of a standardized model where customer-specific requirements are difficult to administer and cost more to implement. Some companies have taken a “mind the gap” approach, whereby the customer reviews the provider’s policies and identifies any gaps between the customer’s policies and the provider’s policies. Then the discussion takes place around the “gaps,” rather than a wholesale requirement to comply and administer a customer-specific policy. The approach taken will depend upon the scope and size of the transactions, as well as the parameters of the proposed solution.
Similar to the discussion on whose policies to adopt is whose background check/screening requirements should be implemented. Certain customers have strict requirements regarding the background checks (including checks against designated lists) that must be conducted before assigning any individual to a task where access to certain data or systems is required. In some instances, additional screening is required; in some instances the provider’s practices are sufficient.
Change, change, change: Notice versus approval, or both. As leveraged systems, technology, and even customer needs evolve, buyers must balance the need for control, with the cost and potential functionality benefits of the leveraged model. A major issue that comes up with these models is how much, for example, say a single customer has over changes that can or will be implemented. Questions that arise in connection with changes include who gets to request changes and who gets final say in whether a change is implemented. With respect to buyer-requested changes, the question is which changes are mandatory and which changes are discretionary. If a change requested by one customer benefits multiple customers, how are the costs for such change allocated?
At one end of the spectrum are changes that the customer requests or requires; at the other end is the provider’s right to implement changes. A gating issue is whether the customer will even have visibility to review changes being made. It is important to consider when negotiating contract terms around change when the provider is required to provide notice of changes. Then, assuming the customer is aware of a change to be made, the question becomes which changes can be made unilaterally and which changes require approval.
Exit rights: Plan for the future. When entering into an HRO transaction, the parties should consider not only what will take place during the term but also what will happen at the end of the relationship—whether the relationship is ended early or at the end of the contract. It remains important in HRO transactions, before entering the transaction, for customers to assess what they will require out of the engagement. The issues relevant for leverage models do not focus as much on ownership of the systems used to support the HRO services, as on the right to continue to use the system and ensure that the services (including the relevant data) are effectively and efficiently transitioned to the successor provider.
A checklist of items that the customer should consider requiring post-termination includes business and personnel data, performance data, scripts, reports, knowledge bases, phone numbers (including for call center contacts), website addresses (including for self-help portals), procedures manuals, and certain customizations to the systems. Other issues to consider include the duration of wind-down support (for example, should it be long enough to encompass the next benefit enrollment cycle or extend past year-end close), the types of wind-down support that will be provided and the right to communicate with, and in some instances, hire provider personnel. At the time the parties are entering into an HRO relationship, it might seem counter productive to negotiate the exit plan, but doing so (to the extent possible) will help facilitate behavior and expectations at termination or expiration.
The HRO landscape continues to evolve, and this ongoing change is good, enabling the industry to move forward and offer better, more exciting solutions. It is incumbent on HRO buyers and providers alike to continually review, reevaluate, and redefine the positions taken with respect to the applicable contract terms to assess whether the positions are appropriate and equitable based on shifts in potential pitfalls and liability that each party might be exposed to as a result of the change.
Barbara Melby is a partner and Kristen Hall is an associate in the outsourcing and commercial transactions group at Morgan, Lewis & Bockius LLP.
