Trends, Traps and Emerging Opportunities in Global Outsourcing and Offshoring


Trends, Traps and Emerging Opportunities in Global Outsourcing and Offshoring
A Perspective on Managing Compliance Risks in Cross-Border Flows of Technology and Personal Data
Michael S. Mensik and Peter George [1]
Baker & McKenzie
October 2010

"An Extended Enterprise is a loosely coupled, self-organizing network of firms that combine their economic output to provide products and services offerings to the market. The notion of the Extended Enterprise has taken on more importance as firms have become more specialized and inter-connected, trade has become more global, processes have become more standardized and information has become ubiquitous. The standardization of business processes has permitted companies to purchase as services many of the activities that previously had been provided directly by the firm. By outsourcing certain business functions that had been previously self-provided, such as transportation, warehousing, procurement, public relations, and information technology, firms have been able to concentrate their resources on those investments and activities that provide them the greatest rate of return. The remaining core competencies determine the firm's unique value proposition." [2]

Outsourcing is an inherent feature of today's extended enterprise. The growth of outsourcing may have slowed in recent years, but it did not stop and is now re-accelerating. [3] In this environment, it becomes even more critical to manage risk. This paper focuses on some of the more pressing compliance risks that an extended enterprise currently confronts: the evolving legal constraints on cross-border flows of technology and data. Part A describes the extended enterprise and how technology and data flow among the various participants. Part B provides background on enterprise risk management and its utility in addressing compliance risks. Part C then highlights the key legal constraints on cross-border flows of technology. Part D addresses the key legal constraints on cross-border flows of data.

A. The Extended Enterprise

What is an extended enterprise? Ronald Coase anticipated this question back in 1937:

"Naturally, a point must be reached where the costs of organizing an extra transaction within the firm are equal to the costs involved in carrying out the transaction in the open market, or, to the costs of organizing by another entrepreneur." [4]

Consequently, Coase hypothesized, a firm will tend to expand until "the costs of organizing an extra transaction within the firm will become equal to the costs of carrying out the same transaction by means of an exchange on the open market or the costs of organizing in another firm." [5] At that point, the enterprise should consider entering the network of firms described in the foregoing quote and focusing more sharply on its core competencies.

The enterprise will have outsourced a wide array of business functions to participating firms. It does not actually make much of what it sells: manufacturing has been outsourced to lower-cost contract manufacturers, which in turn procure components from third-party suppliers. The enterprise has a complex IT infrastructure that supports its global business, but independent service providers manage these systems. It outsourced application development and maintenance long ago. More recently, it outsourced various business functions: accounts payable, accounts receivable and general ledger; procurement; payroll, employee benefits and recruiting; and customer relationship management. Product design still takes place within the company, but outside providers do most of the engineering work. And the legal department has now been instructed to explore legal process outsourcing. The following diagram illustrates such an extended enterprise:

[Figure: diagram of the extended enterprise; not preserved in this transcription.]

Coase may have predicted the development of extended enterprises over 70 years ago. However, he could not have foreseen a more recent phenomenon: "the birth of a new age of cheap information and an explosion of connectivity, an era in which everyone can instantly access huge amounts of information, essentially for free." [6] In Coase's terminology, this phenomenon further drives down "the costs of carrying out the same transaction by means of an exchange on the open market or the costs of organizing in another firm." [7] Business processes can be further disaggregated and allocated among participating firms to reduce costs, achieve greater efficiencies and enhance innovation. The firms become more specialized and deeply inter-connected within the extended enterprise. The business activity of the enterprise itself becomes more collaborative and dependent on this network of firms. Corporate boundaries become less ascertainable and begin to lose their relevance.

In this ecosystem, technology and data are constantly flowing between and among the enterprise and its participating firms. What would these flows look like if mapped onto the foregoing diagram of the extended enterprise?

[Figure: technology and data flows mapped onto the extended enterprise; not preserved in this transcription.]

As this diagram illustrates, the technology and data flows within an extended enterprise are ubiquitous. For instance, the enterprise discloses proprietary technology to its contract manufacturer and various component suppliers. A third-party service provider processes customer orders on enterprise IT systems maintained by other service providers and forwards the order data to the contract manufacturer and other intermediaries. Customer data flows between and among the enterprise and its logistics, IT, analytics and marketing service providers. These technology and data flows are also quite dynamic: likely to change at any time and, in practice, changing all the time. And this fluidity will rise with the growing utilization of cloud computing. In the cloud, it may be virtually impossible to know precisely where particular information resides at any given point in time.

B. Compliance Risks

In most enterprises today, managing risk is a key imperative, along with reducing costs, improving efficiency and enhancing innovation. Risk is difficult to manage in a largely self-contained enterprise, where most critical business functions are performed within the four walls of the organization. The challenges are even greater in an extended enterprise that relies on multiple participants around the world to conduct its business. Checklists may be helpful. Fortunately, more rigorous analytic frameworks are also available to assess and manage risk, such as the COSO Enterprise Risk Management (ERM) Framework. This framework provides a useful lens through which to examine compliance risks.

COSO is an acronym that stands for The Committee of Sponsoring Organizations of the Treadway Commission. This private-sector organization was established in 1985 to study the causal factors of fraudulent financial reporting. [8] COSO, therefore, did not originally focus on risk management; instead, it focused on internal control systems and their effectiveness. COSO released its first report, Internal Control: Integrated Framework, in 1992. Three years later, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) endorsed the internal control framework contemplated in this report with the release of SAS 78, an auditing standard that essentially mandated its use. [9] SAS 78 was subsequently endorsed by the Public Company Accounting Oversight Board (PCAOB) after it assumed responsibility for setting auditing standards from the AICPA under the Sarbanes-Oxley Act (SOX).

The 1992 COSO report essentially sets forth a common framework for defining internal control and a procedure for evaluating control activities. Specifically, it defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations." [10] This definition formed the basis of the internal control assessment contemplated under Section 404 of SOX. Moreover, it became the springboard for COSO's next, more ambitious endeavor: establishing a common framework for defining risk management. In 2001, COSO retained PricewaterhouseCoopers (PwC) to develop an ERM framework. PwC released the final report, Enterprise Risk Management: Integrated Framework, three years later, in September 2004. Like the 1992 report, the 2004 report begins by defining its subject matter, in this case a risk management framework:

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." [11]

Based on this definition, COSO framed an ERM model. It has three dimensions: four vertical columns representing an enterprise's risk management objectives; eight horizontal rows representing the discrete steps of a risk analysis; and an essentially unlimited set of entity-level organizational dimensions at which this two-dimensional risk analysis can be applied. For simplicity's sake, this last dimension is not graphically illustrated below.

Notes

[1] Michael S. Mensik and Peter George are partners of Baker & McKenzie. They would like to thank Brian Hengesbaugh, John McKenzie, Amy de la Lama and Lindsey Schek for their invaluable contributions to this paper.
[3] Expansion Seen for Global Outsourcing Market, PwC News Release.
[4] R. H. Coase, The Nature of the Firm, Economica, New Series, Vol. 4, No. 16 (Nov. 1937), p.
[5] Id. at p.
[6] Mia de Kuijper, Profit Power Economics: A New Competitive Strategy for Creating Sustainable Wealth, Oxford University Press (2009), p.
[7] R. H. Coase, supra note 3, p. 395.
[8] See [citation not preserved]. The sponsoring organizations are the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants, and The Institute of Internal Auditors.
[9] See Robert R. Moeller, COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework, John Wiley & Sons, Inc. (2007), pp.
[10] Internal Control: Integrated Framework, The Committee of Sponsoring Organizations of the Treadway Commission, New York, 1992, emphasis added.
[11] Enterprise Risk Management: Integrated Framework, The Committee of Sponsoring Organizations of the Treadway Commission, New York, 2004, emphasis added.

[Figure: the COSO ERM model. Columns (risk objectives): Strategic Risk, Operational Risk, Reporting Risk, Compliance Risk. Rows (analysis steps): Environment (risk appetite); Objectives (mission statement); Events (internal/external); Assessment (likelihood/impact); Response (avoid, reduce, share, accept); Controls (design/tests); Communication (tools/dashboards); Monitoring (reports/audits).]

As illustrated above, the COSO ERM model distinguishes among four types of risk: (i) strategic; (ii) operational; (iii) reporting; and (iv) compliance. Strategic risk is the possibility that the enterprise may not achieve its strategic objectives; for example, its offshoring initiative fails to generate anticipated cost savings. Operational risk is the possibility that a critical step or process within the enterprise may fail; for example, network connectivity with the enterprise's Indian captive is lost. Reporting risk is the possibility that financial or non-financial data may not be communicated accurately or timely within the enterprise or to outside parties or authorities; for example, a provider's service level performance at a remote facility is not reported in time to claim an available credit. Compliance risk is the possibility that the enterprise's activities may not be conducted in accordance with applicable law and regulations, as further discussed below.

After identifying a particular risk, whether strategic, operational, reporting or compliance, the risk can then be analyzed using the model's methodology. The analysis begins at the highest level of the enterprise by considering such factors as its philosophy, values and organization in order to ascertain management's risk appetite. With this background, management establishes specific goals and objectives with respect to the risk: what is the enterprise's mission? Next, the model calls for identifying the various internal and external events that may impact the achievement of those goals and objectives. What follows is the risk assessment: how likely is the risk, and what might be its potential impact? Management then decides whether to avoid, reduce, share or accept the risk. Unless the risk is accepted or avoided (e.g., the relevant initiative is abandoned), the effort then turns to developing and placing in operation control activities designed to reduce the risk, along with supporting communication tools and protocols and auditing, testing and other monitoring procedures.

Lawyers will naturally be most interested in compliance risks. And concern about these risks is clearly rising around the globe. In part, this results from external events; for example, the recent bribery investigations of certain multi-national corporations. Last year, moreover, the US Department of Justice pronounced that anti-corruption enforcement efforts were at an all-time high and would likely remain there. [12] With more investigations; greater cooperation among government officials of different countries; higher fines; and stiffer penalties, non-compliance is costly. In addition, management may also have committed the company to a social responsibility initiative that emphasizes good corporate citizenship. Failure to comply with such commitments can have a very negative reputational impact. All of this feeds the rising concern about compliance risks.

The COSO ERM model offers an effective methodology for analyzing and prioritizing compliance risks. In addition, it provides clear direction on how to mitigate these risks: develop and implement appropriate controls, communication protocols, and monitoring procedures. However, it does not identify the specific compliance risks that an enterprise should consider for any given activity. To that end, we have developed the compliance wheel. This wheel represents a holistic view of the compliance challenge that enterprises face in today's environment. It groups compliance issues by business function: governance and structure; people; information; financial; design and production (i.e., sourcing); distribution; and sales and marketing. Under each of these functional headings lies an array of discrete compliance issues to consider. The task is then to select the particular compliance issues that create the greatest exposure for the enterprise given its specific business activities and areas of concern, producing a customized compliance risk profile.

[Figure: the compliance wheel. Hub: Compliance Issues. Segments: Governance & Structure; People; Information; Financial; Design & Production; Distribution; Sales & Marketing.]

The compliance risks that normally attract the greatest attention are those that raise the specter of criminal liability: foreign corrupt practices; money laundering; export controls; and economic sanction legislation. This is understandable for obvious reasons. However, data protection, privacy and security issues are increasingly included among "top five" lists, even if criminal prosecution for violating these laws is still somewhat limited. [13] In large measure, this shift is attributable to the substantial costs that firms have incurred in addressing security breaches. [14] While less tangible, the reputational damage resulting from such incidents can also be significant. In combination, these adverse consequences are not trivial and cannot be ignored.

As discussed above in Part A, an extended enterprise relies on a large number of participating firms to conduct its business. The cross-border flows of technology and data between and among the enterprise and its participating firms can be considerable and constant. What compliance risks do these flows present? What particular risks should be prioritized for more immediate attention? The compliance wheel helps to address these questions. At least two functional headings would appear to be relevant to cross-border flows of technology: design & production (i.e., sourcing) and distribution. The information heading is obviously relevant to cross-border flows of data. As shown below, a key compliance issue under design and production is export controls. Key compliance issues under distribution are both export controls and economic sanctions. The information heading identifies data protection, privacy and security as key compliance issues. As previously mentioned, all of these issues can result in considerable negative impact in case of noncompliance. Accordingly, given the extent of cross-border technology and data flows within an extended enterprise, it is appropriate to prioritize compliance efforts around these particular areas of law.

Notes

[12] In late January 2009, Mark Mendelsohn, Deputy Chief, Fraud Section, Criminal Division, US Department of Justice, at an anti-corruption conference in Frankfurt that included speakers from the DOJ, SEC and prosecutors from Germany, the United Kingdom and Switzerland, identified the following top ten trends for 2009: the level of enforcement is at an all-time high and is likely to remain there; prosecuting senior company executives in their individual capacities will be a priority; the US will investigate US and foreign issuers equally, as well as companies operating within US territory; multi-jurisdictional investigations are on the rise; informal international cooperation will continue to improve, together with increased mutual legal assistance; the DOJ and FBI are committing more resources to FCPA enforcement, including eight full-time, dedicated FBI investigators; the DOJ will coordinate, where appropriate, sector-wide investigations, as it has in the oil and gas, medical devices and freight forwarding industries; the pace of voluntary disclosures is likely to continue; FCPA due diligence will be a regular feature of mergers and acquisitions and transactional work; and increased enforcement of other crimes, alongside FCPA violations, is expected, including money laundering, export control violations and false accounting. But see also Feds Call Time Out, The FCPA Blog.
[13] Violation of data protection laws constitutes a criminal offence in a number of countries, particularly in the EU Member States. Criminal prosecutions have been limited, but this may be changing. Consider, for example, the recent criminal conviction of three Google officers. See Three Google Bosses Convicted in Italy, BBC News.
[14] A recent Ponemon Institute study indicates that each data security breach costs on average $6.75 million, or $204 per record, and that 42% of these data breaches occurred at the service provider level. US Cost of a Data Breach Study 2010, Ponemon Institute.

Parts C and D below will describe the main attributes of these areas of law and highlight some common traps for the unwary. Based on this knowledge, the enterprise can then consider what controls, communication protocols and monitoring procedures are needed to reduce the related risk of noncompliance. Some of these measures may be implemented entirely within the four walls of the enterprise. In an extended enterprise, however, others will have to be placed in operation within the participating firms, in whole or in part. This topic is often disregarded when negotiating an outsourcing or service agreement, or it is deferred to blueprinting or some other post-signing phase. In other instances, more pro-active service providers have seized the opportunity to address these issues in the down-select process as a means of differentiating themselves from their competition.

C. Cross-Border Flows of Technology

Cross-border flows of technology present compliance issues under both export control and economic sanction legislation. These are complex regulatory regimes. Moreover, while this discussion focuses on the US rules, various other countries have similar regimes that may need to be analyzed under the particular circumstances. An extended enterprise may, therefore, face multiple layers of potential complexity. And conclusions reached at any given point in time will need to be revisited if, or better said when, the enterprise shifts how and where product is sourced or service is provided. As the discussion below will illustrate, technology flows that are legally compliant under one set of facts can quickly become non-compliant when those facts change.

1. Economic Sanctions

Trade embargoes are nothing new. In the United States, the Department of Treasury first imposed a trade embargo against England almost 200 years ago, during the War of 1812. Today, the Treasury Department administers an array of embargoes under the Economic Sanction Regulations through the Office of Foreign Assets Control, or OFAC. In general, these regulations prohibit the export or re-export of US origin commodities, software, technology and services to certain proscribed destinations or persons, as follows:

- Countries subject to comprehensive embargo (i.e., Cuba, Iran and Sudan).
- Entities, wherever located, owned or controlled by, or affiliated with, the governments of those embargoed countries.
- Governments of certain terrorist-supporting countries (e.g., Syria).
- Terrorist organizations.
- Individuals and firms listed on the OFAC list of specially designated nationals and blocked persons.

An enterprise organized under US law is obviously subject to this general prohibition. Accordingly, such enterprises should consider what internal controls are needed to ensure that (i) none of their participating firms are or include proscribed persons, as defined by these regulations, and (ii) no US origin product or technology disclosed to any such firm will be re-exported to a proscribed destination or person. The participating firms should take similar steps, even if not organized under US law. Why? Because the OFAC regulations apply not only to US companies, but also to any individual or firm that comes into possession of US origin products or technology. In other words, the US government takes the position that it has in rem jurisdiction over any US origin product and technology, wherever situated and whoever holds it. [15] These regulations, therefore, have a broad reach in terms of who may fall within their ambit. Another expansive dimension is what may constitute US origin products or technology. They include:

- Products made or assembled in the US, even if comprised primarily of foreign origin parts.
- Products exported from the US, even if made or assembled abroad.
- Software compiled abroad from source code written in the US.
- Software that commingles code written abroad with code written in the US, unless de minimis.
- Certain products made abroad that are a direct product of US origin technology.
- Any other product made abroad that is more than 10% comprised of controlled US origin parts, components or materials.

So, for example, consider an Indian service provider that performs application development services for both US and Iranian clients. Assume this Indian provider develops a program for the US client that embodies more than a de minimis amount of code originally developed in the US. That program, although mostly developed in India, will be considered US origin software. Thus, the exportation of that program, or even a derivative work, to the Iranian client will constitute an unauthorized re-exportation in violation of the OFAC regulations. [16] As such, the US client should expressly prohibit such re-exportations, and the service provider should have in place controls that prevent them.

These regulations proscribe other activities that may impact an extended enterprise. For example, the Iranian Transactions Regulations prohibit any US person from approving, participating in or otherwise facilitating an offshore transaction between a foreign person and Iran. Facilitation has a very broad meaning: it would cover furnishing legal support, financing, marketing assistance, order processing, technical assistance or the like. Similarly, "US person" is defined broadly to include (i) any US citizen or permanent resident, (ii) any US corporation and its directors, officers, employees and agents, and (iii) any other person in the United States. [17] In the earlier scenario, therefore, if the Indian service provider has a US subsidiary, neither this subsidiary nor any of its directors, officers, employees or agents should be involved in transactions with the provider's Iranian clients.

2. Export Controls

The US export control program is largely embodied in two sets of regulations:

- The International Traffic in Arms Regulations, or ITAR, which are administered by the US Department of State and cover munitions and other defense items.
- The Export Administration Regulations, or EAR, which are administered by the US Department of Commerce through its Bureau of Industry and Security, or BIS, and cover so-called dual-use and other commercial items not specifically regulated under ITAR or some other specific export regime.

The latter regulations, the EAR, regulate the bulk of US exports. They prescribe a fairly straightforward analysis. To begin, every US exporter is obligated to determine the export control classification number, or ECCN, of the particular product or technology that it intends to export. This is accomplished by referring to the so-called Commodity Control List, which provides a detailed description of all items subject to control under the EAR. If there is no specific ECCN for the particular item, then it will be designated as EAR 99. Items designated as EAR 99 may generally be exported without an export license, subject to certain additional considerations. If there is a specific ECCN for the particular item, then the exporter cannot export the item unless (i) it procures the applicable export license or (ii) the intended export qualifies for a so-called license exception. The following diagram summarizes this basic analytic framework:

[Figure: EAR analysis. Question: specific ECCN or EAR 99? If EAR 99: no license required, unless triggered by destination, end-user or end-use. If specific ECCN: license required, unless the export qualifies for a license exception.]

Notes

[15] The US government may not be able to assert jurisdiction over the non-resident, but it can place the non-resident on the black list, thereby denying it the privilege of trading with the United States.
[16] If the Indian firm, including a foreign subsidiary of a US parent corporation, proposes to take the position that a software product developed abroad, with minimal US origin code, is below the de minimis threshold specified in section 734.4(a) of the Export Administration Regulations, that foreign firm must file a notice with the Commerce Department's Bureau of Industry and Security, explaining the rationale for its de minimis conclusion, and then must wait 30 days before concluding that it may ship that product to third countries without reference to the US export control and economic sanctions restrictions, in accordance with Supplement No. 2 to Part 734 of the Export Administration Regulations. In addition, for encryption software that would otherwise be controlled under ECCN 5D002, before submitting the notification to the Bureau of Industry and Security, the foreign firm must confirm that the US origin encryption code has been subject to technical review and classification by the Bureau of Industry and Security under section [number not preserved] of the Export Administration Regulations.
[17] Note, however, that a foreign subsidiary of a US corporation would not be considered a US person for purposes of these regulations.

12 Determining the ECCN of a particular item is just the first step in the analysis. As mentioned above, even if an item is designated as EAR 99, the exporter must consider several additional questions: First, the exporter must consider the intended destination of the export where is the item going? This question is important: the BIS maintains a list of controlled countries, and items that can be exported to certain countries without restriction require a specific license for export to any of these countries. 18 Second, the exporter must consider the intended end-user to whom will the item ultimately be supplied? The US government maintains various lists of prohibited or restricted persons, including the OFAC list and the BIS Denied Persons List. 19 The export of even EAR 99 items to any such individual or firm may be prohibited or require a specific license. Third, the exporter must also consider the end-use for which the particular item is intended. Does the exporter know, or have reason to know, that the item is intended for use, directly or indirectly, in an activity related to the proliferation of nuclear, chemical or biological weapons? If so, a specific license may be needed to export the item, again, even if it is designated as EAR 99. In an extended enterprise, this analysis should obviously be undertaken before the enterprise exports the technology to any of its participating firms, including those organized under US law. Specifically, the enterprise should determine the ECCN of the technology and consider whether there are any additional hurdles based on where the participating firm will use the technology and for what purpose. The enterprise should also check the various lists of prohibited or restricted persons to verify that neither the firm nor anyone employed or associated with the firm appears on any of these lists. 
Appropriate language should be included in the agreement that the parties will presumably sign governing how the technology may be used, where and by whom. These are all important steps to ensuring compliance with the US export control regulations. However, the regulations create a number of additional traps for the unwary. Many of the traps surface after the technology has been exported, but some arise before. Accordingly, the enterprise may need to consider what other controls, communication protocols and monitoring procedures should be placed in operation at the enterprise, at the participating firm, or both in order to minimize the risk of non-compliance. To illustrate the point, we will briefly explore three scenarios: (i) deemed exports; (ii) re-exports; and (iii) license exceptions. 18 Armenia, Azerbaijan, Belarus, Cambodia, Cuba, China, Georgia, Iraq, Kazakhstan, Laos, Macau, Moldova, Mongolia, North Korea, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan and Vietnam Baker & McKenzie Trends, Traps and Emerging Opportunities in Global Outsourcing and Offshoring 11

a. Deemed Exports

Under the EAR, the term "export" encompasses more than just the physical shipment of an item from the United States to a foreign destination. It also includes disclosing, transmitting or otherwise transferring US-origin products or technology, in any form, to a non-US national, regardless of where this may occur. [20] Accordingly, each of the following may represent a situation that requires an export license or license exception under these regulations:

- A US client gives its Indian service provider access to the client's servers in California to remotely repair certain code.
- A Brazilian service provider dispatches an engineer from Sao Paulo to a US client's IT facility in New York to repair a system on site.
- The CTO of a US client gives a presentation in Chicago to a group of visiting Chinese engineers about certain new encryption software.

None of these situations necessarily involves the physical exportation of technology from the United States to a foreign destination. Yet each represents a deemed export under the EAR. As such, the US client should have undertaken the export control analysis described above in advance of the particular event. Failure to do so may expose it to sanctions. [21]

b. Re-Exports

As mentioned above, the US government takes the position for OFAC purposes that it has in rem jurisdiction over any US-origin product and technology, wherever situated and whoever holds it. The same is true under the EAR. In other words, the US export control regime attaches itself to the particular item and moves with the item as it passes from hand to hand. This feature of the export control regime can produce surprising and unexpected results. Consider, for example, a US client that secured an export license to provide certain code to its Indian service provider. The Indian provider committed to undertake all programming work at its development center in Noida, India. The provider then decides to involve a programmer from its Chinese development center in the project. However, the client's export license does not authorize the disclosure of its technology to persons from one of the controlled countries, such as China. [22] Consequently, disclosing the code to the Chinese programmer constitutes an unauthorized re-exportation, even if the disclosure occurs in Noida.

c. License Exceptions

As previously discussed, if the Commerce Control List specifies an ECCN for a particular item, then it cannot be exported unless (i) the exporter procures the applicable export license or (ii) the intended export qualifies for a license exception. When technology is exported under a specific license or license exception, it is critical to remember the underlying conditions and ensure that they are not violated in a subsequent disclosure or transfer of the technology.

A common example of this trap for the unwary involves encryption software. Such software is heavily regulated and generally cannot be exported without a specific license or applicable license exception. [23] However, the rules allowed a US parent to export certain unrestricted encryption software to its foreign subsidiary under a special license exception, without undergoing the BIS review that was otherwise required, but only if the software was to be used by employees and for internal purposes. [24] Imagine, therefore, that a US parent company has availed itself of this license exception to export certain crypto technology to its Indian subsidiary for use on an internal project. Without informing the parent, the subsidiary subsequently hires a local service provider to assist in the project. The disclosure of the crypto technology to this provider violates one of the conditions that underlie the license exception under which the technology was originally exported to India: that only employees use it. As such, the disclosure constitutes an unauthorized re-exportation and may give rise to sanctions. [25]

These scenarios illustrate why an enterprise needs to consider implementing internal controls that go beyond simply determining the applicable ECCN of an item prior to its exportation. Additional policies, procedures and programs are needed to prevent inadvertent and unauthorized deemed exports and re-exports, and violations of implicit license conditions. These measures may include internal security procedures governing access to and disclosure of technology, and regular training, testing and certification programs for relevant employees. They should also contemplate periodic reviews and audits to verify that the internal controls are operating effectively and that the enterprise continues to comply with applicable requirements. Depending on the circumstances, moreover, the enterprise may determine that its participating firms also need to implement certain internal controls to minimize the risk of violating the EAR. In other words, it may want to do more than merely include general "compliance with applicable law" provisions in its contracts with the participating firms.

[20] A US permanent resident is considered a US national for these purposes.

[21] The concept of deemed exports is unique to the US export control regime. It is not found, for example, in the equivalent regulations of the European Union (Regulation 428/2009).

[22] See, supra, note 15. Note that India is not a controlled country, but China is identified as such a country.

[23] Exceptions exist for software products that (i) use encryption technology solely for user authentication, password protection or other forms of access control, or (ii) utilize or support only very weak encryption functionality (i.e., a symmetric encryption algorithm with a key length not exceeding 56 bits, or an asymmetric encryption algorithm with a key length not exceeding 512 bits). The Commerce Department has also sought to simplify the licensing procedure for particular categories of encryption software. For example, there is a special procedure for so-called "mass market" encryption software, which was further liberalized on June 25, 2010. Software qualifies as mass market if it (i) is distributed through retail distribution channels (including electronic transactions over the internet); (ii) includes cryptographic functionality that is not user-accessible and cannot be easily changed by the user; and (iii) is designed for installation and use by the user without substantial support from the supplier (i.e., "plug and play").

[24] Prior to June 25, 2010, a special license exception, ENC, was available for certain unrestricted encryption products, provided that the exporter (i) underwent a one-time technical review by the BIS and (ii) then reported its exports under this exception to the BIS on a semi-annual basis. The new EAR amendment removes this review requirement for the export of encryption items previously eligible for export under License Exception ENC (unrestricted), subject to new encryption registration and annual self-certification reporting requirements.

[25] Also consider the scenario where a US parent has transferred encryption software to its foreign subsidiary under this license exception and then sells the subsidiary to a foreign buyer, without first removing the encryption software from the subsidiary or securing an appropriate export license.
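The three traps above (deemed exports, re-exports and license-exception conditions) all come down to one question being asked too late or not at all: before a person is given access to an item, is that person, in that place, covered by an authorization whose conditions still hold? The Python below is an added example, not code from the paper or from any BIS tool. It encodes the paper's checks (ECCN, destination, end-user screening, end-use, license conditions) as a single access-gate decision and runs it over the paper's own scenarios. The ECCN tags, organization names, license records and the denied-party entry are constructed for the example; the ISO country codes are an assumed rendering of the list in footnote 18; and the simplification that any controlled-country destination needs an authorization follows the paper's framing rather than the full EAR.

```python
"""Export-control access gate for an extended enterprise: an added example, not
code from the paper.  It encodes the paper's checks (ECCN, destination, end-user
screening, end-use, licence conditions) as one decision function and runs the
paper's scenarios on constructed records; only the controlled-country list
(footnote 18, as of 2010, rendered as assumed ISO codes) comes from the paper."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONTROLLED_COUNTRIES = {"AM", "AZ", "BY", "KH", "CU", "CN", "GE", "IQ", "KZ", "LA",
                        "MO", "MD", "MN", "KP", "RU", "TJ", "TM", "UA", "UZ", "VN"}
PROLIFERATION_END_USES = {"nuclear", "chemical", "biological"}
CORPORATE_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "corp", "company"}

@dataclass(frozen=True)
class Item:
    name: str
    eccn: str  # "EAR99" or a Commerce Control List entry such as "5D002" (tags assumed)

@dataclass(frozen=True)
class Recipient:
    name: str
    nationality: str  # a deemed export turns on nationality, not location
    location: str     # country where the technology is accessed
    employer: str

@dataclass(frozen=True)
class Authorization:  # a specific licence or a licence exception, with its conditions
    item: str
    kind: str                                 # "license" or "exception"
    countries: frozenset                      # nationalities/destinations it covers
    employees_of: Optional[frozenset] = None  # internal-use condition, if any

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: Tuple[str, ...]

def normalize_name(name: str) -> str:
    """Case-fold, drop punctuation and corporate suffixes: 'ACME, Ltd.' == 'acme ltd'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORPORATE_SUFFIXES)

def screen_party(name: str, denied_parties: List[dict]) -> List[str]:
    """Return the denied-party entries whose name or any alias matches `name`."""
    target = normalize_name(name)
    return [f'{e["name"]} [{e["source"]}]' for e in denied_parties
            if any(normalize_name(n) == target for n in [e["name"], *e.get("aliases", [])])]

def export_decision(item: Item, recipient: Recipient, end_use: str,
                    authorizations: List[Authorization], denied_parties: List[dict],
                    exporter_country: str = "US") -> Decision:
    # 1. Is it an export at all?  Footnote 20: a permanent resident counts as a US
    #    national, so such a person is modelled with nationality "US".
    destinations = {recipient.nationality, recipient.location} - {exporter_country}
    if not destinations:
        return Decision(True, ("not an export: US national in the United States",))
    reasons = [f"deemed export to {recipient.nationality} national in the United States"
               if recipient.location == exporter_country else f"export to {recipient.location}"]
    # 2. End-user screening applies even to EAR99 items.
    hits = screen_party(recipient.name, denied_parties) + screen_party(recipient.employer, denied_parties)
    if hits:
        return Decision(False, (*reasons, "restricted party: " + "; ".join(hits)))
    if end_use in PROLIFERATION_END_USES:  # 3. end-use
        return Decision(False, (*reasons, f"proliferation end-use ({end_use}): specific licence required"))
    # 4. ECCN and destination (per the paper's framing, a controlled destination needs a licence).
    if item.eccn == "EAR99" and not (destinations & CONTROLLED_COUNTRIES):
        return Decision(True, (*reasons, "EAR99, no licence required"))
    # 5. Otherwise an authorization must cover every destination (a CN national in India is still CN)
    for auth in (a for a in authorizations if a.item == item.name):
        if not destinations <= auth.countries:
            reasons.append(f"{auth.kind} for {auth.item} does not cover {sorted(destinations - auth.countries)}")
        elif auth.employees_of is not None and recipient.employer not in auth.employees_of:
            reasons.append(f"{auth.kind} condition breached: {recipient.employer} is not a covered employer")
        else:
            return Decision(True, (*reasons, f"covered by {auth.kind} for {auth.item}"))
    return Decision(False, (*reasons, "no authorization covers this transfer: unauthorized (re-)export"))

def run_paper_scenarios() -> Dict[str, Decision]:
    """The paper's scenarios on constructed data (names, ECCNs and records are invented)."""
    denied = [{"name": "BLOCKED TRADING, LTD.", "aliases": ["Blocked Trade Co"], "source": "constructed entry"}]
    code, crypto, manual = Item("repair-code", "5D002"), Item("crypto-lib", "5D002"), Item("user-manual", "EAR99")
    auths = [Authorization("repair-code", "license", frozenset({"IN"})),
             Authorization("crypto-lib", "exception", frozenset({"IN"}), frozenset({"Acme US", "Acme India"}))]
    cases = {
        "indian provider, remote access to California servers": (code, Recipient("Priya", "IN", "US", "Noida Services"), "commercial"),
        "brazilian engineer on site in New York, EAR99 item": (manual, Recipient("Joao", "BR", "US", "SP Engineering"), "commercial"),
        "chicago briefing of visiting Chinese engineers on encryption": (crypto, Recipient("Wei", "CN", "US", "Shenzhen Labs"), "commercial"),
        "chinese programmer pulled into the Noida project": (code, Recipient("Li", "CN", "IN", "Noida Services"), "commercial"),
        "subsidiary employee under the ENC-style exception": (crypto, Recipient("Arun", "IN", "IN", "Acme India"), "internal"),
        "local provider hired by the subsidiary": (crypto, Recipient("Dev", "IN", "IN", "Noida Services"), "internal"),
        "EAR99 item to a listed firm": (manual, Recipient("Sam", "GB", "GB", "Blocked Trade Co"), "commercial"),
    }
    return {k: export_decision(i, r, u, auths, denied) for k, (i, r, u) in cases.items()}

if __name__ == "__main__":
    for name, d in run_paper_scenarios().items():
        print(f"{'ALLOW' if d.allowed else 'BLOCK'} {name}: {' | '.join(d.reasons)}")
```

Running the block prints one ALLOW or BLOCK line per scenario with the reasons attached. Two details the gate must get right are visible in the results: the Chinese programmer in Noida is blocked because the check covers nationality as well as location, and the local provider hired by the Indian subsidiary is blocked not by the ECCN or the destination but by the employees-only condition carried on the exception record, which is exactly what a plain "is there a license for India?" check would miss.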

D. Cross-Border Flows of Data

Cross-border flows of data present compliance issues under a rapidly expanding and evolving array of laws and regulations. As these regulatory regimes mature, moreover, the rules are becoming more specific and increasingly rigorous, and public and private enforcement efforts are picking up around the world. In an extended enterprise, therefore, it is critical to understand the scope and nature of the evolving legal constraints on cross-border flows of data.

In the US, Congress recently adopted new enhancements to the federal health privacy laws and is actively considering a range of new privacy laws. The Federal Trade Commission is more active than at any time in recent memory in demanding greater privacy protections under its general Section 5 authority to pursue unfair or deceptive trade practices. In addition, the states continue to operate as privacy laboratories by adopting new information security requirements in Massachusetts, California and elsewhere. Outside the US, the European Commission has issued a new model contract form to be used in service provider arrangements involving data processors and their sub-processors. European data protection authorities are also actively establishing requirements for service arrangements ranging from third-party-operated whistleblower hotlines to financial payment processors. Beyond Europe, countries such as China, Malaysia, Mexico, Russia and Taiwan are getting in the game by adopting rigorous privacy laws.

Keeping pace with all of these developments is a challenging task. Another challenge is determining how to react to these ongoing changes. The COSO ERM model can help make such determinations. Again, the first task is to determine the enterprise's appetite for risk in this compliance area. Has it shifted in recent times due to internal or external events? Which developments pose the greatest risk to the organization in terms of likelihood and potential adverse impact? What compliance measures can the enterprise take to reduce or minimize these risks? Where do these procedures and controls need to be implemented to accomplish the risk profile objectives: within the enterprise, its participating firms, or both?

At least three areas of legal development merit special attention in this regard: (i) the issuance of a new European Union model processor contract form; (ii) the enactment of the new Massachusetts information security requirements; and (iii) the ongoing proliferation of laws that regulate data security breaches. A fourth issue to consider does not involve new legislation; rather, it is a function of the ongoing evolution of the extended enterprise and the increasingly ubiquitous flows of data between and among its various participants. Specifically, are these flows changing so fundamentally within the extended enterprise that we need to reconsider who actually is a data controller? If so, what are the potential implications of any shift in our usual assumptions?

1. EU Model Processor Contract

As is widely recognized today, cross-border flows of data present special challenges, particularly from the European Union. Specifically, the 1995 Data Protection Directive prohibits the transfer of personal data from the EU to another country unless the European Commission has determined that such country provides adequate protection for the data. [26] Consequently, if an enterprise wants to transfer personal information about an EU data subject (whether the subject is its employee or agent; the employee or agent of a customer, supplier or other third party; or in some instances even a legal entity) from within the EU to a participating firm outside the EU that is not situated in one of the relatively few countries that the European Commission has designated as offering adequate data protection, then the enterprise must generally consider one of the following options:

- Require the firm to execute with the EU data exporter an appropriate version of the European Commission's standard contractual clauses that legitimizes the data transfer.
- If the firm is located within the United States, verify that the firm participates in the US/EU Safe Harbor Privacy Arrangement and that such participation applies to the particular transfer.
- If the enterprise has secured approval of a set of Binding Corporate Rules from the relevant EU data protection authorities, require the firm to contractually agree to adhere to these rules.
- Secure the consent of each data subject to the transfer of his or her personal data to the participating firm.

For a variety of reasons, many enterprises have opted for the first option: require the participating firm to execute an appropriate model agreement. This usually connotes use of the so-called Model Processor Contract, which is appropriate for situations where the enterprise "determines the purposes and means of processing [the] personal data" and the participating firm merely "processes [the] personal data on behalf of the [enterprise]." [27] The European Commission issued the first Model Processor Contract several years ago. In February 2010, it issued an updated version, which must be used beginning as of May 15, 2010. [28] This updated version introduces a significant innovation that will likely complicate matters for many extended enterprises: a new sub-processing clause.

Specifically, the original Model Processor Contract basically envisaged a bilateral arrangement between a data exporter (e.g., the customer) and a data importer (e.g., its service provider). It did not specifically address the possibility that the service provider might in turn subcontract its service obligations, in whole or in part, to a third party. In contrast, the updated Model Processor Contract not only contemplates this possibility, but also imposes a number of specific requirements on any such subcontracting arrangement, including:

First, before disclosing any personal data to a sub-processor, the data importer must obtain the prior written consent of the data exporter. This requirement may prove somewhat burdensome. Consider, for example, the situation where a service provider receives personal data from multiple EU affiliates of a particular customer. Technically, it will need to secure each affiliate's consent before disclosing the customer's data to any of its subcontractors.

Second, the data importer must expressly impose specific standard contractual clauses on every one of its subcontractors who may have access to the data exporter's data. This may be accomplished by having the subcontractor co-sign the Model Processor Contract that the data exporter and data importer have executed; alternatively, the data importer and subcontractor may sign a separate privacy agreement that incorporates the relevant standard clauses.

Third, the standard clauses require the data importer and its sub-processors to expressly acknowledge that data subjects enjoy third-party beneficiary rights to bring claims for compensation against them under certain circumstances. In principle, these rights may be exercised only if the data exporter has ceased to exist or become insolvent. Nonetheless, service providers will likely encounter some resistance in pushing these terms down to their subcontractors.

Fourth, like the original version of the Model Processor Contract, the updated version requires that the standard clauses be governed by the law of the Member State in which the data exporter is established. [29] This requirement now extends to sub-processing arrangements. Accordingly, where the data importer and its subcontractor sign a separate privacy agreement, it must also stipulate that at least the standard clauses will be governed by the law of the Member State in which the data exporter is established.

As these comments suggest, although the original version of the Model Processor Contract has become a popular option for complying with the EU Data Protection Directive, the updated version may prove considerably less attractive given the various new requirements that it imposes in relation to the use of sub-processors. Going forward, outsourcing customers should now demand that the new form contract be executed for any new service arrangement or material change to an existing arrangement. How service providers will respond to such requests remains to be seen. The transaction cost involved in implementing at least some of the new requirements is likely not insignificant. As a practical matter, most service providers hopefully now have agreements in place with their subcontractors that require compliance with the key substantive requirement of the EU standard clauses: the obligation to implement appropriate technical and organizational security measures. On the other hand, it is an open question whether service providers and their subcontractors will be able to easily construct a contractual framework that is deemed to satisfy the more formal requirements of the new Model Processor Contract, such as the obligation to expressly acknowledge the third-party beneficiary rights of data subjects. [30] In the absence of a more universal solution, service providers and their subcontractors will have to address these requirements on a contract-by-contract basis, which could be quite burdensome and costly.

[26] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (the "EC Directive").

[27] EC Directive, supra, note 26, Article 2.

[28] Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).

[29] Commission Decision of 5 February 2010, supra, note 28, Annex, Standard Contractual Clauses (Processors), governing-law clause.

[30] Such a contractual framework could be in the nature of a set of binding corporate rules to which the service provider and all its related and unrelated subcontractors would subscribe.

Beyond pursuing more universal solutions under the model contract construct, the enterprise and its participating firms may want to reconsider whether any of the other options for complying with the EU Data Protection Directive might now offer a more attractive alternative in light of the new model processor contract. For example, the US/EU Safe Harbor Privacy Arrangement does not itself legitimize the onward transfer of EU personal data from a US service provider to, say, its Indian captive service center. This transfer would require an appropriate onward transfer contract between the US provider and the Indian captive. [31] Such a contract, however, does not necessarily have to recognize the third-party beneficiary rights of EU data subjects in order to satisfy the requirements of the Safe Harbor Privacy Arrangement. [32]

2. Data Controller/Data Processor

In slightly different ways, most data protection and privacy laws around the world distinguish between data controllers and data processors. [33] Generally speaking, a data controller determines the purposes and means of processing the personal data and is directly responsible for compliance with applicable data protection law. In contrast, a data processor is a mere instruction-taker that handles personal data on behalf of the data controller; as a result, processors typically are not directly responsible for compliance with applicable data protection law.

This distinction may be sharp in theory. In practice, however, it is becoming somewhat blurred as business processes are further disaggregated within extended enterprises and information flows become more ubiquitous. Consider, for example, the recent case in the European Union involving the Society for Worldwide Interbank Financial Telecommunication, or SWIFT. [34] The facts can be summarized as follows:

[31] US/EU Safe Harbor Privacy Arrangement, Frequently Asked Questions, No. 10. Note that this arrangement is not available to companies that are not subject to the jurisdiction of the Federal Trade Commission, such as banks and other financial institutions.

[32] The Decision of 5 February 2010 only applies to subcontracting by a data processor established in a third country of its processing services to a sub-processor established in a third country. The Commission specifically states that it should not apply to the situation in which a processor established in the European Union and performing the processing of personal data on behalf of a controller established in the European Union subcontracts its processing operations to a subcontractor established in a third country, although Member States may elect to apply the principles and safeguards of the standard clauses in such situations. See, supra, note 28, recital (23). If the Member States do not elect to do so, other structures may possibly be available for complying with the EU Data Protection Directive.

[33] In the United States, the Health Insurance Portability and Accountability Act ("HIPAA") distinguishes between "covered entities" and "business associates," and the Gramm-Leach-Bliley Act ("GLBA") distinguishes between "financial institution" and "service provider"; these pairs are roughly equivalent to data controller and data processor. The data protection laws of Argentina, Hong Kong and Japan contain concepts similar to those found in the EC Directive. In a few countries, such as Australia and Russia, the data protection law applies equally to all organizations that handle personal data, regardless of their level of control.

[34] Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

SWIFT processes financial payment transactions for mostly European financial institutions and had a mirror server in the United States to support the delivery of its services and provide back-up. The US Department of the Treasury issued a subpoena to SWIFT for information in connection with terrorist financing and related concerns, and SWIFT complied with that demand over a period of months. In its service contracts with the financial institutions, SWIFT had specified that it was a data processor, as opposed to a data controller. Upon examination, however, the Article 29 Working Party (the collective body of the European data protection authorities) held that SWIFT functionally acted as a data controller. In short, the Working Party concluded that SWIFT's ability to make and act upon a decision to respond to the US Treasury Department's subpoena, without consulting the relevant financial institutions, demonstrated its status as a data controller. Based on this conclusion, the Working Party identified a series of data protection principles applicable to data controllers that SWIFT had violated in connection with its disclosures to the Treasury Department, including its obligations relating to proportionality, legitimacy, customer notification, registration with local data protection authorities, and cross-border data transfers. [35] The financial institutions were also drawn into the mix, as the sufficiency of their customer notifications became an issue.

This case suggests that greater care ought to be exercised when structuring arrangements within an extended enterprise that involve access to or disclosure of personal data, in order to minimize the risk that the authorities may ultimately consider the participating firm to have sufficient discretionary authority over the enterprise's data to qualify as a data controller rather than a processor. In SWIFT, for instance, this result arguably could have been avoided if, subject to any applicable legal constraint, SWIFT had been contractually obligated to consult with the participating financial institutions before providing information to the Treasury Department. Service providers, therefore, may want to consider what approval requirements and other controls should be superimposed on their client relationships to make it harder for the authorities to conclude that they possess a right to "determine the purposes and means of processing" personal data obtained from their clients. [36] Such controls over the processing of personal data should minimize the risk that a service provider may be characterized as a data controller.

In today's environment, however, participating firms increasingly exercise discretionary authority over personal data as an inherent element of the service that they have been contracted to perform. For example, a service provider may provide a client with both analytic services in respect of customer data and more sophisticated direct marketing services. Although the provider should be deemed to act as a data processor in performing the former service, it may functionally be acting as a data controller when doing the latter: the provider may be effectively determining which of its client's customers to target for marketing efforts, and its compensation may be directly tied to resulting sales. In view of SWIFT, these sorts of arrangements are likely to present challenges and merit special attention.

[35] SWIFT responded to this ruling by self-certifying compliance with the US-EU Safe Harbor Privacy Arrangement, relocating its mirror servers to Switzerland, and taking a range of other remedial steps to satisfy the regulatory authorities and its customers. See SWIFT, Chronology of Events.

[36] EC Directive, supra, note 26, Article 2.

3. Data Security Requirements

In the United States, various laws impose general information security requirements that apply to the more sensitive data categories, most notably Social Security numbers; driver's license numbers; bank account, credit, debit or other financial account numbers; and other data categories that, if compromised, could be used to perpetrate financial or medical identity theft. As discussed below, these requirements are now becoming more detailed in certain states. Both types of requirements, general and detailed, obviously need to be considered in relation to flows of data between and among an enterprise and its participating firms that may involve these more sensitive categories of information.

California offers a good example of general information security requirements. Under its Civil Code, a business must generally "implement and maintain reasonable security procedures and practices" to protect certain personal information from unauthorized access, destruction, use, modification or disclosure. [37] When contracting with a third-party service provider, moreover, the Civil Code obligates the customer to require by contract that the third party implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification or disclosure.

Massachusetts has enacted a first-of-its-kind detailed law regarding the security of personal information. [38] This law and its implementing regulations essentially contemplate two sets of standards: (i) common obligations concerning both electronically and non-electronically stored personal information, and (ii) specific computer system requirements. These standards apply to any company that owns or licenses personal information about a resident of Massachusetts, and they also require that appropriate data security requirements be imposed on the company's service providers by contract.

The common obligations require every person or business that has personal information about a resident of Massachusetts to develop, implement and maintain a comprehensive written information security program, or WISP, that is appropriate for (i) the size and type of the business, (ii) the amount of resources available, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information. To satisfy the law, the WISP must adequately address each of the following requirements:

- Designate one or more employees to be responsible for maintaining the program.

[37] California Civil Code.

[38] Mass. Gen. Laws ch. 93H, Sections 1-6, 2(a); Mass. Code of Regs., Title 201. Note the definition of "personal information": a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. Mass. Gen. Laws ch. 93H, Section 1(a).


More information

Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY

Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY 1 Why Be Concerned with Export Control Laws Certain export control laws may apply to FIT research activities here and abroad. Failure

More information

LEGAL ALERT. August 9, 2011. Outsourcing: India Adopts New Privacy and Security Rules for Personal Information

LEGAL ALERT. August 9, 2011. Outsourcing: India Adopts New Privacy and Security Rules for Personal Information LEGAL ALERT August 9, 2011 Outsourcing: India Adopts New Privacy and Security Rules for Personal Information Effective with their publication on April 11, 2011, 1 the Central Government of India (GOI)

More information

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

More information

Enterprise Terrorist Financing & Money Laundering Policy

Enterprise Terrorist Financing & Money Laundering Policy Policy Sponsor: Summary: CA and Compliance Sets out obligations under and suggestions for procedures to comply with antiterrorist financing, anti-money laundering and other laws implementing sanctions

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Export Controls and Cloud Computing: Legal Risks

Export Controls and Cloud Computing: Legal Risks Presenting a live 90-minute webinar with interactive Q&A Export Controls and Cloud Computing: Legal Risks Complying with ITAR, EAR and Sanctions Laws When Using Cloud Storage and Services TUESDAY, APRIL

More information

GLOBAL TRADE & GOVERNMENT AFFAIRS. IT / Telecoms sector Risk management: sanctions compliance

GLOBAL TRADE & GOVERNMENT AFFAIRS. IT / Telecoms sector Risk management: sanctions compliance GLOBAL TRADE & GOVERNMENT AFFAIRS IT / Telecoms sector Risk management: sanctions compliance In today's regulatory environment companies involved in cross-border activity have a clear and on-going requirement

More information

United States Sanctions: General Considerations for Minority Investment

United States Sanctions: General Considerations for Minority Investment United States Sanctions: General Considerations for Minority Investment BY BEHNAM DAYANIM & CAROLYN MORRIS This Stay Current provides a general overview of considerations and parameters for US minority

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Policy and Procedures Date: 08-24-11

Policy and Procedures Date: 08-24-11 Virginia Polytechnic Institute and State University Policy and Procedures Date: 08-24-11 Subject: Export and Sanctions Compliance Policy Definitions 1.0 Policy 2.0 Oversight 3.0 Responsibilities of Faculty,

More information

University of Maryland Export Compliance Program

University of Maryland Export Compliance Program April 6, 2015 Message from the Vice President for Research Export control is governed by a group of federal regulations intended to advance the national security, foreign policy, and economic interests

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Mexico. Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López. Von Wobeser y Sierra, S.C.

Mexico. Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López. Von Wobeser y Sierra, S.C. Mexico Rodolfo Trampe, Jorge Díaz, José Palomar and Carlos López Market overview 1 What kinds of outsourcing take place in your jurisdiction? In Mexico, a subcontracting regime (understood as the regime

More information

DEVELOPING AN AML (ANTI-MONEY LAUNDERING) PROGRAM:

DEVELOPING AN AML (ANTI-MONEY LAUNDERING) PROGRAM: DEVELOPING AN AML (ANTI-MONEY LAUNDERING) PROGRAM: Although the Department of the Treasury has not issued specific rules for hedge funds and hedge fund managers, hedge fund managers should adopt and implement

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

Introduction To Commerce Department. Export Controls U.S. DEPARTMENT OF COMMERCE BUREAU OF INDUSTRY AND SECURITY OFFICE OF EXPORTER SERVICES

Introduction To Commerce Department. Export Controls U.S. DEPARTMENT OF COMMERCE BUREAU OF INDUSTRY AND SECURITY OFFICE OF EXPORTER SERVICES Introduction To Commerce Department Export Controls U.S. DEPARTMENT OF COMMERCE BUREAU OF INDUSTRY AND SECURITY OFFICE OF EXPORTER SERVICES Overview The Department of Commerce s Bureau of Industry and

More information

Privacy Policy. February, 2015 Page: 1

Privacy Policy. February, 2015 Page: 1 February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met

More information

Top 10 Questions to Ask Before Exporting Software Containing Encryption

Top 10 Questions to Ask Before Exporting Software Containing Encryption Top 10 Questions to Ask Before Exporting Software Containing Encryption January 14, 2009 Agenda Introduction FOSSBazaar Top Ten Questions Before Exporting Encryption Questions & Answers Speakers Eran Strod

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES

More information

Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance

Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance Arm Stakeholders with Critical Information to Assess 3rd Party Relationships and Comply with the Foreign Corrupt Practices Act

More information

The Foreign Account Tax Compliance Act (FATCA)

The Foreign Account Tax Compliance Act (FATCA) The Foreign Account Tax Compliance Act (FATCA) I. OVERVIEW A. What is FATCA? FATCA, as it is colloquially known, refers to Chapter 4 of the US Internal Revenue Code, which was enacted by the Hiring Incentives

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

Office of Export Enforcement Bureau of Industry and Security (BIS) U.S. Department of Commerce

Office of Export Enforcement Bureau of Industry and Security (BIS) U.S. Department of Commerce Office of Export Enforcement Bureau of Industry and Security (BIS) U.S. Department of Commerce Sidney M. Simon Special Agent in Charge New York Field Office Export Enforcement s Mission Protect National

More information

LATEST ON THE DODD-FRANK ACT AND INTERNATIONAL COMPLIANCE RISKS

LATEST ON THE DODD-FRANK ACT AND INTERNATIONAL COMPLIANCE RISKS Missouri Bar Annual Meeting, September 12, 2014 LATEST ON THE DODD-FRANK ACT AND INTERNATIONAL COMPLIANCE RISKS Presented by: Jennafer Watson, Chief Compliance Officer Layne Christensen Company Emmanuel

More information

Platform Specialty Products Corporation Foreign Corrupt Practices Act/Anti-Corruption Policy

Platform Specialty Products Corporation Foreign Corrupt Practices Act/Anti-Corruption Policy 1. Introduction. Platform Specialty Products Corporation Foreign Corrupt Practices Act/Anti-Corruption Policy 1.1 Combating Corruption. Platform Specialty Products Corporation, including its subsidiaries,

More information

SEMGROUP CORPORATION. Anti-Corruption Compliance Policy August, 2011

SEMGROUP CORPORATION. Anti-Corruption Compliance Policy August, 2011 SEMGROUP CORPORATION Anti-Corruption Compliance Policy August, 2011 SCOPE This is a global policy (the Policy ) applicable to the worldwide operations of SemGroup Corporation ("SemGroup") and all of its

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

U.S. Economic Sanctions Laws and How They Affect Insurance Brokers

U.S. Economic Sanctions Laws and How They Affect Insurance Brokers U.S. Economic Sanctions Laws and How They Affect Insurance Brokers The United States Government imposes economic sanctions against several countries and a large number of individuals and entities, in response

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

Data Privacy in the Cloud: A Dozen Myths & Facts

Data Privacy in the Cloud: A Dozen Myths & Facts Data Privacy in the Cloud: A Dozen Myths & Facts March 7-9 Washington DC Presented by: Barbara Cosgrove, Chief Security Officer, Workday, Inc. Lothar Determann, Partner, Baker & McKenzie LLP We re taking

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

CLOUD COMPUTING, EXPORT CONTROLS AND SANCTIONS. By Richard Tauwhare, Dechert LLP i

CLOUD COMPUTING, EXPORT CONTROLS AND SANCTIONS. By Richard Tauwhare, Dechert LLP i CLOUD COMPUTING, EXPORT CONTROLS AND SANCTIONS By Richard Tauwhare, Dechert LLP i This is a summary of an article originally published in the August 2015 edition of The Journal of Internet Law and is reprinted

More information

US EXPORT CONTROLS & MARGARET M. GATTI, ESQ. LOUIS K. ROTHBERG, ESQ. FEBRUARY 23, 2012. www.morganlewis.com

US EXPORT CONTROLS & MARGARET M. GATTI, ESQ. LOUIS K. ROTHBERG, ESQ. FEBRUARY 23, 2012. www.morganlewis.com US EXPORT CONTROLS & CLOUD COMPUTING MARGARET M. GATTI, ESQ. LOUIS K. ROTHBERG, ESQ. FEBRUARY 23, 2012 www.morganlewis.com WHAT IS CLOUD COMPUTING? Cloud Computing is a broad term with varied meanings

More information

The ITAR and the FCPA: What You Disclose May Hurt You. October 7, 2014

The ITAR and the FCPA: What You Disclose May Hurt You. October 7, 2014 The ITAR and the FCPA: What You Disclose May Hurt You October 7, 2014 Presenters Mark Srere Bryan Cave LLP Susan Kovarovics Bryan Cave LLP 2 Agenda Background on the FCPA Background on ITAR ITAR Part 129

More information

What You May Not Know About Sanctions (And How It Can Hurt You) by: Rajika Bhasin Counsel, Global Markets AIG

What You May Not Know About Sanctions (And How It Can Hurt You) by: Rajika Bhasin Counsel, Global Markets AIG What You May Not Know About Sanctions (And How It Can Hurt You) by: Rajika Bhasin Counsel, Global Markets AIG What You May Not Know About Sanctions (And How It Can Hurt You) Introduction Companies navigating

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION

EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION EXPORT CONTROL LAWS WHAT ARE EXPORT CONTROLS? U.S. laws and their implementing regulations that govern the distribution to foreign nationals and

More information

The Cloud and Cross-Border Risks - Singapore

The Cloud and Cross-Border Risks - Singapore The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in

More information

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities.

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities. M E M O R A N D U M TO: FROM: All Directors, Officers and Covered Persons of Power Solutions International, Inc. and its Subsidiaries Catherine Andrews General Counsel and Insider Trading Compliance Officer

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

1 L.R.O. 2001 Electronic Transactions CAP. 308B ELECTRONIC TRANSACTIONS

1 L.R.O. 2001 Electronic Transactions CAP. 308B ELECTRONIC TRANSACTIONS 1 L.R.O. 2001 Electronic Transactions CAP. 308B CHAPTER 308B ELECTRONIC TRANSACTIONS ARRANGEMENT OF SECTIONS SECTION PART I Preliminary 1. Short title. 2. Interpretation. 3. Non-application of Parts II

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Evaluation, Development and Demonstration Software License Agreement

Evaluation, Development and Demonstration Software License Agreement Evaluation, Development and Demonstration Software License Agreement IMPORTANT PLEASE CAREFULLY READ THE FOLLOWING LICENSE AGREEMENT, WHICH IS LEGALLY BINDING. DO NOT DOWNLOAD OR INSTALL THE LICENSED MATERIALS

More information

Foreign Corrupt Practices Act. The Rationale behind the Implementation of the FCPA

Foreign Corrupt Practices Act. The Rationale behind the Implementation of the FCPA Surname 1 Name: Instructor: Course: Date: Foreign Corrupt Practices Act The Rationale behind the Implementation of the FCPA The foreign corrupt practices act, or FCPA for short, was enacted in 1997. During

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT INTERNATIONAL FORUM OF INDEPENDENT AUDIT REGULATORS Adopted on June 30, 2015 1 Table

More information

APEC General Elements of Effective Voluntary Corporate Compliance Programs

APEC General Elements of Effective Voluntary Corporate Compliance Programs 2014/CSOM/041 Agenda Item: 3 APEC General Elements of Effective Voluntary Corporate Compliance Programs Purpose: Consideration Submitted by: United States Concluding Senior Officials Meeting Beijing, China

More information

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org STAFF VIEWS AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN

More information

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU 10 April 2014 Monica Salgado Advogada registered with the Portuguese Ordem dos Advogados Registered European Lawyer with the SRA Kirsti Laird Solicitor, (qualified

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal (Provisional translation) On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting (Council Opinions) Released on

More information

FS Regulatory Brief. How the SEC s Custody Rule Impacts Private Fund Advisers. Introduction. The Custody Rule: An overview

FS Regulatory Brief. How the SEC s Custody Rule Impacts Private Fund Advisers. Introduction. The Custody Rule: An overview How the SEC s Custody Rule Impacts Private Fund Advisers Introduction Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank, or the Act ) and rules recently adopted by the Securities

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Administrative Policy No. AD 2.26 Title:

Administrative Policy No. AD 2.26 Title: I. SCOPE: Administrative Policy No. AD 2.26 Page: 1 of 5 This policy applies to all directors, officers, employees, agents, and shareholders of Tenet Healthcare Corporation, its subsidiaries and/or affiliates

More information

How To Choose The Right Form Of Joint Venture

How To Choose The Right Form Of Joint Venture Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com How To Choose The Right Form Of Joint Venture Law360,

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

Anti-Money Laundering and International Sanctions guidance for Coverholders

Anti-Money Laundering and International Sanctions guidance for Coverholders Anti-Money Laundering and International Sanctions guidance for Coverholders Introduction The purpose of this document is to provide general high-level guidance in relation to antimoney laundering ( AML

More information

Ultimate Beneficial Ownership The Implications of Not Knowing

Ultimate Beneficial Ownership The Implications of Not Knowing White Paper Ultimate Beneficial Ownership The Implications of Not Knowing September 2014 Ultimate Beneficial Ownership The Implications of Not Knowing Author: Ana Maria H. de Alba Beneficial ownership

More information

Export Control Compliance Procedure Guide June 8, 2012

Export Control Compliance Procedure Guide June 8, 2012 Export Control Compliance Procedure Guide June 8, 2012 1 TABLE OF CONTENTS Contents TABLE OF CONTENTS... 1 SUMMARY... 2 INTRODUCTION... 3 SCHOOL POLICY... 4 EXCLUSIONS... 4 WHAT IS AN EXPORT?... 4 CONDUCTING

More information

Managing Third Party Risks in a Global Supply Chain

Managing Third Party Risks in a Global Supply Chain Managing Third Party Risks in a Global Supply Chain The Companies You Keep William Marshall, Hong Kong Ross Denton, London Jasper Helder, Amsterdam Baker & McKenzie Amsterdam N.V. is a member firm of Baker

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Principles on Outsourcing by Markets

Principles on Outsourcing by Markets Principles on Outsourcing by Markets Final Report TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS July 2009 CONTENTS I. Introduction 3 II. Survey Results 5 A. Outsourced

More information

Encryption Export Controls: A Comparative Analysis between the EU and the US

Encryption Export Controls: A Comparative Analysis between the EU and the US 2013 Annual International Trade Compliance Conference Encryption Export Controls: A Comparative Analysis between the EU and the US John F. McKenzie Baker & McKenzie San Francisco Jasper Helder Baker &

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

CHAPTER IV: SECTION 7 COMPLIANCE WITH U.S. SANCTIONS

CHAPTER IV: SECTION 7 COMPLIANCE WITH U.S. SANCTIONS REVISED 10/19/12 CHAPTER IV: SECTION 7 COMPLIANCE WITH U.S. SANCTIONS Policies and Procedures of Society of Exploration Geophysicists with respect to Membership, Publishing Activities, and Scholarships

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Export Controls: What are they? Why do we care?

Export Controls: What are they? Why do we care? Export Controls: What are they? Why do we care? Laura Langton, PhD Export Control Manager langton@wustl.edu 314-747-1378 http://research.wustl.edu/complianceareas/exportcontrols What is an Export? Release

More information
