Legalease: A Look at HRO Legislative and Legal

Outsourcing practices may come under greater scrutiny as state and federal lawmakers focus on privacy and data security issues; buyers look for more contractual assurances in complying with existing statutes.

by Andy Teng

As HRO continues to gather steam, few obstacles seem capable of slowing its momentum. With a growing number of companies realizing the benefits of outsourcing, the industry is on track to post an ever-increasing number of deals. But even with more capable vendors in the market offering new and comprehensive services, and with buyers becoming more educated and sophisticated about their choices, legislative and legal developments in 2006 may indeed weigh on HRO’s prospects.

Even though the backlash against outsourcing has dimmed somewhat recently and many companies have reached a comfort level with employing third parties to take over HR functions, some recent events have Corporate America squirming at times in their seats about HRO. When high-profile stories about data theft and corporate and government data security breaches draw attention to consumer privacy, for instance, they may also have repercussions for outsourcing, legal advisors to the HRO industry say. Specifically, as federal and state lawmakers react to these events by proposing legislation aimed at restricting data sharing and offshoring—even if the bills are intended for consumer markets—they could have a chilling effect on HRO. Although no federal legislation has yet been introduced that would directly shackle HRO practices, some proposals on the state level may indeed give pause to companies considering outsourcing.

STATES TAKE UP THE BATTLE

“A lot of states continue to look at should they and how will they regulate in their own environment,” said John Halvey, the head of strategic sourcing and technology group for Milbank, Tweed, Hadley & McCloy, an international law firm that provides advice in the HRO field. He pointed out that growing awareness among consumers about privacy issues has led states to be more active in legislating data transfer, retention, and security, although some federal lawmakers are also actively pushing privacy and data protection legislation forward.

Halvey, like a number of other legal advisors, said that this year offered a quiet period for the industry to expand with few legislative or legal encumbrances. As buyers and providers work out model partnerships, they are more focused on contract stipulations than on legislative or legal precedents—which have been few and far between. He said some of the state-level laws and other federal initiatives could have minimal impact on HRO, but it’s not clear how that scenario will play out.

Efforts to push through privacy and data legislation this year have been spurred on by widely reported instances of data loss and theft. For instance, several large data aggregators reported thefts earlier in the year. ChoicePoint, which holds credit data for millions of Americans, in February reported that information for more than 30,000 Californians was accessed by fake businesses. In April, Lexis Nexis said information for 310,000 Americans was taken. Data such as driver’s license and social security numbers, which can be used to apply for credit, were stolen. In the same month, HSBC revealed that data for some of its credit card holders were compromised because of a system flaw at one national retailer.

These and other thefts have led to calls for tougher legislation. On Capitol Hill, the Senate Judiciary Committee in November approved a bipartisan bill that would require some companies to implement more stringent security measures. The proposed legislation would mete out significant fines and penalties to those who fail to do so. The Personal Data Privacy and Security Act of 2005, sponsored by Sens. Patrick Leahy (D-VT) and Arlen Specter (R-PA), gained strong support from both sides of the aisle after the Senate committee held hearings in April on data breaches. In addition to fines and penalties for non-complying data aggregators, the bill also calls for data companies to notify consumers when a breach occurs and to tell them what information they hold about the consumer.

In October, California Gov. Arnold Schwarzenegger signed a series of bills aimed at toughening existing state privacy laws, including one that allowed its Department of Managed Health Care (DMHC) to run criminal background checks on any contractor, its employees, agents, or subcontractors who will have access to medical records. Elsewhere, state officials in Maryland and New York are looking at ways of “freezing” or restricting the dissemination of consumer credit reports.

While these initiatives are not directly aimed at outsourcing providers, concerns are that they may trickle down to HRO. If sweeping legislation fails to distinguish data aggregators from HR service providers, the outsourcing industry may very well get swept up in penalties, fines, and even jail time for failing to comply.

“I think a lot of what you are seeing out there is similar legislation. Most companies have gotten the message and are looking ahead and thinking greater security is coming,” said Akiba Stern, an attorney with Morgan Lewis, an international law firm. He noted that outsource providers have largely operated under self-regulation in the U.S. when it comes to privacy and data security issues. However, the troubles occurring in the consumer credit sector could raise the scrutiny on HRO vendors. Questions about access by subcontractors remain unanswered. For instance, who monitors the data mining and gathering by providers? What mechanisms are in place to prevent data breaches? While many providers have put measures in place, there doesn’t appear to be a standardized or uniform approach.

GLOBAL CONCERNS
Privacy concerns aren’t isolated to the U.S. Europe passed its continent-wide directive a decade ago, so providers operating internationally have become all too familiar with employee data transfer issues. More recently, India, which has become a hub for U.S. call centers, IT support, and other business-process outsourcing services, has intensified its efforts to pass a European directive-like law governing employee privacy issues. Some reports cite Indian companies and government officials concerned about the country losing significant business because of the lack of privacy legislation. This concern was amplified last year when the employee of one Indian call center fraudulently used the credit card of a U.S. citizen to go on a shopping spree, according to reports.

The move to legislate privacy protection instead of relying on self-policing might get a mixed reception from the HRO community. While some may view these efforts as heavy handed, others believe it will ultimately help standardize the industry.

“The challenge is to be creative and come up with the right solution,” said Vipul Nishawala, an attorney with law firm Pillsbury Winthrop Shaw Pittman, which advises companies in the outsourcing field. He pointed out that as HRO takes on a more international flavor and as labor arbitrage evolves to become a central motivator for buyers, they will insist on greater assurances for their employees’ information. International providers operating in the EU already comply with its directive, so they might be less resistant to legislation passed in the U.S. and India.

The European directive provides broad consumer data privacy rights and mandates that processors of information must implement adequate security measures. It also specifies recourses and penalties for failing to comply with the directive. The directive specifically addresses the transfer of information to third parties such as outsourcing providers.

John Haworth, a consulting principal with the same firm, said he believes the globalization of HRO will clearly have an effect on privacy. As a result, companies will tend to gravitate toward higher standards to satisfy all markets.

Moreover, he added, concerns about privacy may even help drive growth in HRO. Because providers typically invest a greater sum in security measures than their customers, some buyers may see outsourcing as a way to gain added protection supplementing their own internal systems.

“The outsourcers themselves may be innovating better solutions that are more durable and farther reaching than any one company may craft on its own,” he said.

FALLOUT FROM SARBANES-OXLEY
Aside from laws covering privacy and data security, what other legislative items might halt HRO’s progress? None on the horizon currently pose a threat to outsourcing, but many companies continue to feel the weight of one far-reaching law that strikes fear into the hearts of even the pluckiest CEO. That would be none other than Sarbanes-Oxley, which has led thousands of chief executives to spend millions of dollars on compliance efforts and legal fees. One article in the Economist cited a survey that showed companies on average spent $2.4 million more for their audits last year than they had anticipated. It also quoted Deloitte as saying that large firms have on average spent nearly 70,000 additional man-hours complying with the law.

Of course Sarbanes-Oxley isn’t limited to just companies that outsource, but those who do may have to pay particularly close attention when it comes to drafting contracts with service providers. Even if they outsource, buyers are still ultimately responsible for the work performed on their behalf. As a result, more buyers are asking their providers to focus on issues relating to laws such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley.

“Another trend is that in the past few years, customers have been asking for specific clauses requiring provider assistance on answering requests due to regulations,” according to John Gliedman, an attorney with Brown Raysman Millstein Felder & Steiner. “We are in the early days of Sarbanes-Oxley taking effect, but a trend has emerged. Where appropriate, customers have been increasingly requesting providers to obtain a special accounting report known as a SAS-70 Type II regarding the controls which the provider has in effect that may affect the customer’s financial controls. The provisions on this point have added several new paragraphs to outsourcing contracts.”

This wrinkle to outsourcing, while minor relative to the strategy of HRO, is nevertheless another layer of bureaucracy that could fuel arguments against outsourcing. Clearly a buyer must ensure that vendors understand his compliance obligations, design controls accordingly, and establish the appropriate documentation in case of an audit later on. Additionally, if there are problems with the provider’s systems, clients are insisting on indemnification clauses that hold them harmless. But if there are changes in these laws, who’s responsible for following and implementing them?

“To the extent that the outsourced functions are part of the system for which the [buyer] companies have to certify that they are fully compliant with the right language, then the companies need to ensure that their services providers allow them to be compliant,” Stern pointed out. He further pointed out that contracts should specify the responsibilities of both parties and not leave room for interpretation. For instance, who will decide how new changes will be implemented in the system? Which party will perform root-cause analysis for problems that occur?

“One of the problems you have in outsourcing agreements is setting appropriate expectations on both sides,” he added, pointing out that most providers are willing to shoulder the burden but cautioned clients to specify it in their contracts.

Another recent trend, some attorneys observe, is increased awareness of requirements under Section 404 of Sarbanes-Oxley, which addresses internal controls. This section requires senior management to sign off on the control structure. Buyers have responded by including provisions in their contracts that address 404 needs. They must ensure that the following are established, according to Nishawala: a paper trail for audit purposes, regular reporting, and access to documentation for government audits.

He pointed to one study that showed companies are spending 42 percent more in internal and auditing costs to comply. Over time, he reassured, those costs will come down and become accepted as a cost of doing business. At the same time, Nishawala contended, third parties may help alleviate some of the burden. “Suppliers have to say, ‘We’re going to give you solutions,’” he added.

IP CONCERNS TO OUTSOURCING

As the number of outsourcing deals grows, buyers are asking suppliers to take on more services. In some instances, they are also taking over entire facilities such as shared-services centers. While this offloads customers’ capital costs, they are also exposed to new risks such as loss of control and possibly loss of intellectual property, said Halvey. For instance, if a customer uses a proprietary shared-service model and it sells the center to a vendor, can it still retain its processes elsewhere?

“What they really want to know is what sort of rights do they have in an ongoing deal,” he said.

These and other legal issues are likely to be worked out as the industry moves from the nascent to developmental stage, Halvey added. As late arrivals join the HRO party, they are learning from the mistakes of the first generation of buyers who pioneered this space. The second generation is also benefiting from vendors who have grown up over the past five years; providers have honed their service skills and learned just what their customers want and need. So even though some legal and legislative developments might give pause to the faint of heart, HRO legal advisors say these efforts in statehouses everywhere and on Capitol Hill are not likely to significantly slow outsourcing’s growth in 2006.
