The US and the EU do not have comprehensive privacy or data protection laws, which affects the BPO and Information Technology Enabled Services industry.
Intellectual property; corporate secrets; confidential customer health information; financial information; trade secrets.
EU Directive
Recognizes privacy as a right. Data protection principles limit the processing and transfer of personal information, including transfer of the data to countries outside the EU.
Each EC Member State has to enact laws in keeping with the EU Directive; for example, the EU Directive is implemented in the United Kingdom by the Data Protection Act 1998. Approved set of standard contractual clauses. The EU Directive applies to the processing of personal data.
Restricts the transfer of personal data outside the EU countries unless the other country ensures an adequate level of protection. The data controller is liable for ensuring that these principles are adhered to.
Transfer to countries with adequate protection, without additional adequacy requirements: Switzerland, Canada, Argentina and the UK territories of Guernsey and the Isle of Man, all recognized by the EU as offering adequate data protection. A recent European Court holding: mere access from a non-EU country does not constitute transfer.
Adopt standard contract clauses. Unambiguous consent to transfer from affected individuals. Negotiated protections acceptable in the UK. Codes of conduct. Direct compliance/registration with an EU authority. Some EU countries require that a copy of the executed agreement with the standard clauses be deposited with the regulatory authority; this is not the case in the UK.
Each Member State's national laws will determine the penalty. For instance, under the UK Data Protection Act 1998 the regulatory authority, the Information Commissioner, also imposes the penalty.
Some US Laws
Gramm-Leach-Bliley Act 1999 (GLBA). The Sarbanes-Oxley (SOX) Act. The Health Insurance Portability and Accountability Act (HIPAA).
Applies to financial institutions to ensure meaningful measures to protect customers' personal information. Restricts the transmission of personal data to third parties. Transfer of data includes the actual physical movement of data to a processor located in another country as well as remote access by the overseas service provider.
Monday, April 15, 2013
GLBA contd.
Organizations must: develop, implement and maintain a comprehensive information security program. The program must include administrative, technical and physical safeguards appropriate to the
Reactionary measure to US corporate scandals; has a significant impact on US companies as well as auditing firms. Intended to strengthen corporate governance and restore investors' confidence. Companies must attest that outsourcing firms have internal controls in place to comply with SOX and other regulations.
Sarbanes-Oxley
The legislation is wide ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms. Contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties. Requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.
Establishes privacy protection for health care information. HIPAA provisions apply to organizations that offer health plans, doctors, hospitals and other health care providers and, in turn, the medical transcription industry. Limits the use of patient information. Would extend to the offshored activity of the organizations.
HIPAA Contd.
The data owner obtains satisfactory assurance in a written agreement that the information will be safeguarded.
The data owner will most likely require business associates to agree to the same obligations that apply to the covered entity.
HIPAA Compliance
Self-assessments, employee training, and increased technological capacities. Administrative, technical, and physical safeguards. Must reasonably safeguard from any intentional or unintentional use or disclosure that is in violation of the standard implementation specifications or other requirements of (the Privacy Rules). Business associates would have to comply too.
Prohibits autodialed calls to emergency telephone lines, health care facilities, paging services, cellular telephones, and any service for which the called party is charged for the call.
A National Do-Not-Call registry. It includes all telemarketers (with the exception of certain nonprofit organizations). Covers both interstate and intrastate telemarketing calls. Consumers can place their telephone numbers on the registry through one telephone call or one Web click.
Other US laws
The Fair and Accurate Credit Transactions Act of 2003: disposal of records (affects almost every business in the US). The Federal Credit Reporting Act limits access to credit histories and personal information. US Patriot Act: affects bank secrecy to combat money laundering, terrorism and criminal behavior.
Penalties
Each violation of the Children's Online Privacy Protection Act invokes a penalty of $11,000.
Penalty: actual damages, statutory damages up to $1,000, punitive damages per violation (no cap on class action damages), attorney fees and civil penalties up to $2,500.
Penalties
HIPAA violations: penalty of up to US$ 25,000; knowing wrongful disclosure invokes a penalty of US$ 50,000 and/or imprisonment up to one year. Under false pretenses, the offender may be fined up to US$ 100,000 and/or imprisoned up to 5 years; the penalty is increased respectively to US$ 250,000 and 10 years if the offense is committed with intent to gain commercial advantage for violating HIPAA.
Penalties
The penalties for violating GLBA are steep and cost up to $11,000 per day and $10,000 Penalties for violation of FACTA's rule of disposal, which affects most businesses, invoke actual damages, statutory damages, punitive damages per violation, attorneys' fees and penalties up to US$ 2,500.
Extraterritorial reach? Affects the conduct of business (both onshore and offshore). Stringent reporting requirements and penalties. Assumption of liability under contract. Choice of law of a foreign jurisdiction automatically extends to liability.
Indian laws: loopholes need to be plugged. Lack of regulation and enforcement. Exclusive regulation of the outsourcing industry. Lack of awareness of data security and confidentiality. Poor general awareness about data security and confidentiality.
Governing Law
Generally Indian law. India recognises and respects choice of law, but not ouster of jurisdiction clauses. Different laws for different aspects. Local laws may preempt choice of law. Contractual law may imply choice of foreign law.
A Texas bill prohibits the employment of foreign workers on state contracts. Iowa has a bill that provides for preference for call center contracts to be performed by US citizens or others authorized to work in the US.
An Ohio bill requires any employer that eliminates employment positions in Ohio and relocates those employment positions outside the United States to provide the employees losing their jobs with written notice of the relocation.
Connecticut bill: would require companies with a net job loss of one hundred or more to submit to the state's Department of Economic and Community Development a statement including the number of jobs the company cut. Would also allow a citizen who believes he has lost his job as a result of outsourcing to report the loss to the state for recordkeeping purposes.
Six states and the US Senate have introduced legislation that would make it mandatory for companies to make disclosures about any activities that relate to offshoring.
Contains language that does not apply to private contracts but specifically affects state contracts.
State Bills
North Carolina, Washington: bills that require all contractors to disclose where work on the state contracts will be performed, which can figure into the evaluation of the bid.
Oregon: bills that curtail the granting of state contracts to non-US workers or restrict performance of state contracts outside the US.
Online Privacy Act, information sharing disclosure: a business having personal information of a California resident must give a list of categories of information shared with third parties with the names and contact information of the third parties, OR provide a conspicuous privacy statement with a cost-free opt-out prior to the disclosure.
Tennessee legislators introduced a measure that would require a company to obtain the express written permission of a customer before sending any financial, credit or identifying information to a foreign country. In California, proposed legislation would require businesses to comply with very strict privacy requirements when sending an individual's personal information abroad. Much of this legislation is aimed at either blocking the transmission of an individual's medical records to a site overseas or preventing a customer's financial information from being sent to a foreign country without their express consent.
Creates friction and hurdles in commercial activities. Effective measures to stifle meaningful outsourcing. US companies will be less competitive and will put even more jobs in danger if they cannot benefit from service cost arbitrage. A deterrent to American companies offshoring medical, accounting, financial consulting or other information-based services overseas.
The legislation banning state awards of grants, loans, or tax credits to companies that outsource any labor or services would serve primarily to alter the formula businesses use to evaluate the cost-effectiveness of offshoring. Protectionist measures will only serve to alleviate US job market issues for the immediate future. Offshoring is a valuable tool for American business, and lawmakers should be embracing it as a vehicle for innovation, not deriding it as the US economy's executioner.
Data protection laws that are modeled on the European regime are aimed at data controllers or processors without regard to any employment relationship. The customer retains legal responsibility for transgressions by the sourced processor abroad.
Legislation similar to the EU Data Privacy Directive. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is particularly important to United States interests. PIPEDA creates a Privacy Commissioner. Citizens may bring complaints to the Commissioner, who has the power to enforce the Act in Canadian Federal Court. The Act requires prior consent before disclosure and prohibits disclosure without consent. A strong opt-in provision: the Act clearly covers businesses based outside of Canada that collect, use, or transfer data, including personal information about individuals within Canada.
Choice of Law
This is subject to conflicting views. Proper law is identified in contracts; otherwise courts may impute the law of the country that has the closest and most real connection to the contract. Indian and UK courts recognize express choice of law. US courts generally honor chosen law, but choice of law and jurisdiction are further complicated because of different state laws.
India is a signatory of the New York Convention. Indian arbitration law, the Arbitration and Conciliation Act, 1996, deals with the enforcement of awards of a foreign reciprocating territory. A foreign award is enforceable if the Indian court is satisfied that it is not subject to any of the exceptions; the court will pronounce judgment on it, followed by a decree.
Non-tangible Essentials
Honesty. Flexibility. Transparency. Supported by contracts that adequately address the risks associated with the outsourced service, be it the risk of the OSP's capabilities or the customer's compliance needs.
Contracts
Transition and exit procedures. Dispute resolution. Alternate dispute resolution. Governing law and jurisdiction.
Contracts
Aspects of business continuity. Compliance with legal and regulatory requirements pertaining to the
HR training requirements. Confidentiality. Choice of law (may be more than one to govern different aspects of the contract).
Contracts Contd.
Adopting the EU model contractual provisions in contracts to mitigate problems with EU Directive compliance issues. Careful and clear allocation of responsibility between the OSP and the customer for violations of the rights of third parties and, indeed, liability for punitive damages. Careful consideration before granting customer indemnity in the contract. Any liability agreement should include a cap.
Transfer pricing and permanent establishment issues, non-solicitation, tax matters, personnel issues, infrastructure and technology ownership are issues that should be addressed in the contracts. IPR ownership when joint efforts create new IPR. Disaster management issues. Backup or alternate work locations.
Retain an attorney who is familiar with the legal provisions of the customer's country. The customer should inform the OSP about changes in laws or compliance requirements.
Due diligence by both parties. Commitment of the negotiating representative and senior management staff to ensure security and compliance. Regular and frequent monitoring of the relationship. Ensure that knowledge of compliance policies percolates through all operation levels.
Technical and physical security of infrastructure. Operational protection measures: no devices to save data locally.
Dedicated physical security officer appointed by the OSP. Onsite manager appointed by the customer. Dedicated and trained (in the requirements) compliance officer.
OSPs should configure a complex matrix of capabilities, scale, skills, language, management and infrastructure when making commitments.
Standard Written Internal Company Practices to Enhance Security with Recorded Standard Operating Procedures Manuals
Disaster recovery plan. Insurance to cover risks of security breaches and/or loss of data. Insurance to cover risk of claims arising out of the quality, timeliness and quantity of services. Employee certified security professionals.
Centralized data bank of all BPO-related employees, which helps identify prior violators (as initiated by NASSCOM). Need-based dissemination of information. Division of process, access and/or control.
Technical limitations on access to or communication between different processes.
Self-regulation and compliance training. The OSP should inform the customer about any infractions to mitigate damage.
Cardholder Information Security Program (CISP). Payment Card Industry (PCI) Data Security Standard, to safeguard sensitive data for all card brands; the result of a collaboration between Visa and MasterCard, it creates common industry security requirements endorsed by other card services in the industry.
To create an Indian Safe Harbor Agreement. To provide a regulatory authority and framework like SEBI and the SEBI guidelines. The amendments to the IT Act should be in sync with global laws and trends.
Conclusion
Factors that nurture BPOs also spawn crimes. Elaborate, onerous, technical security measures reduce productivity and erode employee motivation. A combination of best practices is needed. US protectionist measures are likely to have an adverse effect upon both the US and the global economy. Laws will have to evolve to govern the runaway proliferation of outsourcing. Fraud and data violations can occur anywhere in the world.
Thank You
Poorvi Chothani, Esq., LawQuest, 36 Maker Tower F, Cuffe Parade, Mumbai 400 005. E-mail: poorvi@lawquestindia.com. Telephone: 00 91 22 5654 1671.