The disruptions caused by COVID-19 pandemic are remarkably similar from country to country and from provider to provider in the Nearshore region. The common experience of confronting the crisis can also be seen in the legal sphere of global outsourcing services, where parties on either side of an existing contract are trying to come to grips with how to navigate an assortment of sticky legal questions.
Nearshore Americas consulted with a group of attorneys, Richard Corley, Peter Ruby, and Steve Inglis, from the Canadian law firm Goodmans LLP, to increase the level of clarity on common questions arising during the crisis. These are their answers:
Nearshore Americas (NSA): While the contract I have with my offshore/nearshore service provider broadly prohibits work-at-home, to sustain delivery of services, we basically have no choice but to permit work-at-home. What steps should we take to manage this quandary?
Goodmans LLP (GLP): While the customer’s rights and obligations, and the sensitivity of the services, will vary from case to case and from contract to contract, in most cases the change process could be used to facilitate the assessment and approval of the proposed change in service delivery model. A principal concern would relate to the implications of this change for the security and confidentiality of the customer data and information and the steps which would need to be taken to eliminate or mitigate risks in this regard. Service measurement and service level compliance and reporting could also become more challenging in this distributed mode of operation.
You may wish to work with your legal counsel to review your rights under your contract, and to involve your security, contract management, and other relevant subject matter experts in the development and review of the proposed changes and change documentation.
Over the longer term, the customer may wish to consider increasing its use of automation technologies to reduce its vulnerability to disruption if service provider personnel are enabled to report to their workplace.
NSA: The process of provisioning hardware for work-at-home use is becoming a significant challenge for my Nearshore BPO provider. As a result, we, as the client organization, are weighing whether to assist in the provisioning of equipment to the service provider’s employees. If we choose to take this action, what risks should we be considering?
GLP: Any request from a service provider for a customer to provide money for equipment for use in the service provider’s business operations should be viewed with some concern and as potentially raising a number of questions. While in each case, the contract should be reviewed to determine the rights and obligations applicable in this particular circumstance, assuming that the provider has an obligation to support service delivery through both ordinary course and business continuity operations, the customer may well have questions as to why the customer is better positioned than the service provider to provision hardware for work-at-home use by service provider personnel?
If the customer wished to assist, it may want to do so by helping to facilitate the purchases by introducing the service provider to suppliers who could provide the required hardware directly to the service provider. As a general rule, it would be prudent to avoid purchasing or guaranteeing the purchase by the service provider of such equipment, as such amounts would seem likely to become an unsecured loan to an under-capitalized service provider.
Depending on the terms of the contract, an adjustment to the price of the BPO services may be required or appropriate, and if so, could assist the service provider in defraying the additional cost of hardware for work-at-home use.
NSA: Managing compliance with data privacy requirements is an extremely challenging aspect of the current crisis. What steps can you recommend to anticipate both current and future challenges that pertain to maintaining adherence to compliance requirements?
GLP: The use of well-architected and secured data stores and the implementation of available security protocols are among the steps which can be taken to manage compliance with data privacy requirements. In the short term, a quick data privacy compliance check, including an audit of the interfaces through which personal information may be exposed to the internet, and possible penetration testing, together with robust training of personnel to work securely at home, are among the steps that can be taken. In the longer term, the use of secure, cloud-based data stores, which the provider commits to maintain in compliance with evolving privacy law requirements, together with strong data security skills and practices may help to ease the transition between in office and at home-work (and the work is being performed in the same secure, virtualized electronic workspace in either case).
NSA: Our team is actively discussing the pros and cons of terminating the contract we have in place with our Nearshore application development partner. At least in the short-term, we simply don’t require the same volume of deliverables. What advice would you offer in this scenario?
GLP: The costs and benefits of terminating a development contract will depend principally on the terms of the applicable contract, and the costs and the savings of each course of action. (Please review with counsel to confirm the applicable terms of the agreement – in particular any limitation of liability, indemnity, and termination clauses.) A factor to consider might be the possibility of temporary shortages of skilled personnel once the pandemic is over. Depending on the profile of the recovery, access to skilled development resources could be at a premium for some time in the aftermath, such that an existing contract with committed access to such resources may have some value.
NSA: Should workers employed by my Nearshore service provider become ill due to the COVID-19 disease (and they are currently dedicated to projects connected to our organization), what liability would our organization have in this scenario?
GLP: All organizations have an obligation to comply with applicable health and safety laws and regulations and should endeavor to comply with the recommendations of local government and health officials in an effort to avoid the spread of COVID-19. If despite such efforts and precautions, personnel become ill due to COVID-19, the situation would have to be assessed with the assistance of local counsel in light of the facts, applicable local laws, and governmental and other workplace safety and insurance programs.
NSA: At a high level, what lessons do you believe the global outsourcing industry will be able to take away from the disruptions caused by the COVID-19 pandemic?
GLP: Takeaways will vary from business to business but may include: (i) broadening business continuity plans to specifically contemplate and provide for fully distributed operations; (ii) ensuring that security controls and artifacts include end-to-end security for fully distributed operations; (iii) further movement to the cloud to make operations less site- and personnel- dependent and more secure; (iv) further adoption of robotics and process automation; (v) less travel, especially internationally; (vi) fewer in-person meetings and greater use of video conferencing; (vii) something of a premium on shorter supply chains and local sources of supply.