
Big Brother Is Watching

By John A. Funk and J. Patrick Toher
November 01, 2004

Companies considering outsourcing today, and companies that have already outsourced significant functions and processes, face an increasingly complex web of domestic and foreign laws and regulations at various levels of government. Compliance with those laws in the context of an outsourcing transaction poses a considerable and growing challenge. This article examines three of the hottest topics in the area of regulatory compliance in outsourcing: Sarbanes-Oxley, privacy, and legislative initiatives focusing on offshore outsourcing.

Corporate Reform: the Impact of Sarbanes-Oxley

In response to high-profile corporate collapses resulting from accounting irregularities and perceived failures of ethics and controls, Congress enacted the Sarbanes-Oxley Act of 2002 (SOX). Section 404 of SOX requires management of a reporting company to assess, in each annual report on Form 10-K, the adequacy of the company's internal control structures and procedures for financial reporting, and the CEO and CFO must certify that report. If functions relating to or impacting a company's financial reporting have been outsourced, this assessment must include an assessment of the adequacy of the service provider's internal control structures and procedures. If the company has outsourced significant portions of finance and accounting to a third party, those functions obviously impact financial reporting. Less obviously, any outsourced function that forms part of the information and communication component of the company's internal control over financial reporting (for example, the IT systems that capture, process and report transaction data) may also be part of the company's controls over financial reporting, even if the function itself is not labeled "accounting."

The penalty under Section 906 of SOX for certifying a periodic report knowing that it does not satisfy the requirements of the Act is a fine of up to $1 million or imprisonment of up to 10 years, or both. If the false certification is also willful, the CEO and CFO may be fined up to $5 million or imprisoned for up to 20 years, or both.

Section 404 requirements first apply to accelerated filers for fiscal years ending on or after Nov. 15, 2004. Yet many companies have not focused on how to assess their relevant outsourcing service providers' internal control structures and procedures. Recently, the SEC approved the Public Company Accounting Oversight Board's Auditing Standard No. 2. In Appendix B, the PCAOB provided some guidance on that question. In discussing a reporting company's use of service organizations, the PCAOB suggests procedures that management should perform. First, management should obtain an understanding of the controls at the service organization that are relevant to the company's internal controls, as well as the controls at the company itself over the activities of the service provider. Second, management should obtain evidence that those controls are operating effectively. The PCAOB suggests at least three types of procedures for obtaining that evidence:

  • Performing tests of the user organization's controls over the activities of the service organization;
  • Performing tests of controls at the service organization;
  • Obtaining a service auditor's report on controls placed in operation and tests of operating effectiveness, or obtaining a report on the application of agreed-upon procedures that describes relevant tests of controls.

A note in Appendix B makes it clear that the service auditor's report mentioned in the last bullet is an SAS 70 (Type II) report. Simply obtaining a SAS 70 (Type II) report from the service organization, however, is not enough. Management must review the report and draw its own conclusions about the adequacy and effectiveness of the controls. Scope and timing limit the report's value as "evidence": a Type II report covers only the control objectives and systems the service organization chose to include, and only the period the service auditor tested. If a process relevant to the customer's financial reporting falls outside that scope, or the tested period ends well before the customer's fiscal year-end, the report says nothing about those controls for the gap, and management must obtain other evidence (for example, its own tests or a bridge letter from the provider) to cover it.

New outsourcing contracts by reporting companies must give the public company customer the right to take the steps necessary to obtain an understanding of relevant controls at the service provider, as well as evidence that those controls are operating effectively: audit and access rights, timely delivery of SAS 70 reports, and cooperation with the customer's own control testing. Existing outsourcing contracts should be reviewed in light of these new requirements and adjusted if necessary. Given the evolving environment, it may not be advisable to rely on a single procedure (such as a SAS 70 (Type II) report) to obtain evidence of the adequacy of the service provider's controls.

Privacy and Data Protection

Any company outsourcing across national boundaries has faced significant privacy and data protection issues for years. Now, with existing federal privacy legislation and a trend in some state legislatures toward privacy legislation at the state level, even outsourcing transactions entirely within the United States potentially present privacy issues that need to be addressed up front, both in the outsourcing contract and operationally.

European Union

The European Union Data Protection Directive 95/46/EC imposes restrictions on transborder data flows and prohibits the transfer of personal data to countries that do not provide adequate levels of protection. Since outsourcing reduces costs in part because the service provider leverages economies of scale, the service provider will often consolidate transaction processing from a number of countries into one country, so personal data collected in several EU member states may end up processed outside the EU.

However, the EU considers only a handful of countries as providing "adequate levels of protection," and the United States is not one of them. Therefore, personal data from the EU cannot be transferred to the U.S. for processing unless one of several exceptions applies.

To address this problem, in July 2000 the European Commission approved the "safe harbor" privacy principles issued by the U.S. Department of Commerce. If a U.S. company elects to comply with the safe harbor principles, transfers of personal data to that company are treated the same way as data transfers within the EU. A list of U.S. companies that have opted into the safe harbor is found at www.export.gov/safeharbor.

Another way of complying with the EU Directive is to include in the applicable service contract the standard contractual clauses prescribed by the EU regulators. These clauses generally require both the data exporter and the data importer to process data in accordance with basic data protection rules. They also provide that the individuals whose data is transferred may enforce their rights under the contract as third-party beneficiaries. However, putting standard contractual clauses into operation has been difficult, and many U.S. companies are reluctant to be exposed to claims in EU courts by individuals in the EU member countries.

In short, the provider's services in an outsourcing transaction must be carefully evaluated. If they involve the transfer of personal data of EU residents outside the EU, each such transfer must rest on one of the recognized bases for compliance with the EU Directive.

EU Member Country-Specific Laws

Assuming that a transaction is successfully structured to comply with the EU Directive, the job is not finished. The laws of each EU member country within the geographic scope of the transaction must be examined to make sure that national privacy and data protection legislation will not be violated by the activities contemplated by the transaction. That legislation generally falls into two categories: legislation implementing the EU Directive, and other country-specific legislation that may be more restrictive than the Directive (for example, sector-specific rules or notification and registration requirements for data processing).

Non-EU Countries

Over 50 countries (including the EU member countries) have significant data protection laws in place, with strong privacy protection requirements as well as broad enforcement rights for individuals. These laws must be considered in any outsourcing transaction that involves services performed in, or information originating from, such countries.

U.S. Federal Legislation

A number of federal privacy laws may affect outsourcing transactions. While many are nominally industry-specific, some cut a wide swath. Two examples will suffice. The Gramm-Leach-Bliley Act of 1999 (GLB) protects the nonpublic personal financial information of consumers. Its wide reach potentially affects any company having access to such information, including banking institutions, insurance companies, broker-dealers, mortgage lenders and many others.

Similarly, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects individually identifiable health information. It applies to health care providers and health plans, among others. Regulations under HIPAA set privacy standards (the privacy rule) and security standards (the security rule). While HIPAA does not apply directly to contractors (including outsourcing service providers) of health care providers and health plans that may handle protected health information, a "covered entity" is required to enter into a "business associate agreement" with such contractors, obtaining adequate assurances that the contractors will appropriately safeguard the information. Since the HIPAA regulations took effect, covered entities and their contractors have generally been successful in contractually allocating operational responsibility for complying with the standards and implementation specifications under the security rule. However, the covered entity remains ultimately responsible for its contractors' compliance.

Unlike the EU Directive and much national legislation in EU member countries, neither GLB nor HIPAA is concerned with where personal financial information or personal health information is processed, but with what safeguards are in place to protect that information. The outsourcing agreement under which such information will be disclosed must therefore incorporate the applicable standards (administrative, physical and technical safeguards, not merely a promise of confidentiality) and, as between the parties, allocate operational responsibility for compliance. Standard confidentiality clauses, while necessary, are not enough.

State Legislation

As it has in other areas, California is leading the other states in privacy legislation. The California Financial Information Privacy Act, effective July 1, 2004, offers broader protections than GLB. The act allows a financial services consumer to prohibit the financial institution from sharing the consumer's information with non-affiliated third parties without the consumer's prior written consent. Another California statute effective July 1, 2004 requires posted privacy policies for commercial web sites and on-line services that collect and maintain personally identifiable information from consumers residing in California. We should expect the California legislature to continue to be active in privacy matters.

Offshoring

Offshoring as an aspect of outsourcing has captured the interest of the American electorate during this election year. Technology and labor arbitrage allow U.S. companies to capture significant cost savings, while sacrificing little if anything in quality, by sending work offshore. Offshore outsourcing came of age when U.S. companies facing Y2K discovered that Indian programmers could provide remedial code for date-related software errors at a fraction of the cost of their U.S. counterparts. Now, in addition to software development and maintenance work, many information technology functions and transaction-intensive, technology-enabled business processes are being performed in India and many other countries.

In response to the perceived "export of American jobs," dozens of legislative initiatives at the federal and state level aim to slow offshoring. For the most part, pending federal legislation proposes using tax incentives and disincentives to encourage U.S. companies to keep jobs in the U.S. Individual states, however, are considering a variety of legislative schemes. The earliest theme was leveraging state purchasing power: "if you want to do business with the state, you won't send work offshore." More recently, some proposed anti-offshoring legislation is privacy-based, proposing to restrict, preclude or regulate the transfer of personal data outside the U.S. Such "anti-offshoring legislation in privacy's clothing" may, if enacted, shift the analytical focus of domestic-U.S. outsourcing transactions with offshore components from "processing safeguards" to "processing location."

Conclusion

Faced with this increasingly complex web of laws and regulations at various levels of government, both in the United States and elsewhere, companies considering outsourcing today, and companies that have already outsourced significant functions and processes, must ensure that their outsourcing strategy, relationships and contracts pass muster. Failure to do so not only exposes the company to significant operational risk, but also exposes the company and its executive officers to significant liability.



John A. Funk and J. Patrick Toher, Jones Day. Contact: jptoher@jonesday.com