
Impact of Certain International Laws on the Indian Outsourcing Industry

IIM-Bangalore Conference on Management of Globally Distributed Work


Poorvi Chothani, Esq.
Correspondent to Cyrus D. Mehta & Associates, PLLC, New York (US Immigration & Nationality Law)
poorvi@cyrusmehta.com CP: 98209 39666

Need for Protection


- Technological readiness of the Indian BPO industry is very high
- Regulatory framework is inadequate
- BPOs deal with sensitive and/or private data that needs protection
- The Internet is an instrument in the flattening of the world: a level playing field for knowledge and access to ideas*

*Ref. Thomas Friedman's The World is Flat

Monday, April 15, 2013

Need for Protection


- Legal lag behind technology
- The outsourcing industry is a great economic advantage to India
- Other, competing outsourcing destinations are growing
- The Right to Information Act in India will raise more privacy issues


The US and the EU do not have comprehensive privacy or data protection laws, which affect the BPO and Information Technology Enabled Services

- Intellectual property
- Corporate secrets
- Confidential Customer Health Information
- Financial Information
- Trade Secrets

Personal Identifiable Information


- Name
- Addresses
- National Identifying Numbers
- Telephone Numbers
- Birth Date
- Driver's License information
- Credit History
- Court and Traffic violation records


The EC Data Protection Directive

(EU Directive)

- Recognizes privacy as a right
- Data protection principles limit the processing and transfer of personal information, including transfer of the data to countries outside the EU

EU Data Protection Directive (The EU Directive)


- Each EC Member State has to enact laws in keeping with the EU Directive, e.g. the EU Directive is implemented by the United Kingdom Data Protection Act 1998.
- Approved set of standard contractual clauses
- The EU Directive applies to the processing of personal data

Data Protection Principle

- Restricts the transfer of personal data outside the EU countries unless the other country ensures an adequate level of protection
- The data controller is liable for ensuring that these principles are adhered to


Transfer of Data Under the EU Directive

- Transfer to countries with adequate protection, without additional adequacy requirements: Switzerland, Canada, Argentina and the UK territories of Guernsey and the Isle of Man, all recognized by the EU as offering adequate data protection.
- Recent European Court holding: mere access from a non-EU country does not constitute transfer.

Options to transfer restrictions under the EU Directive


- Adopt Standard Contract Clauses
- Unambiguous consent to transfer from affected individuals
- Negotiated protections (acceptable in the UK)
- Codes of Conduct
- Direct compliance/registration with an EU Authority
- Some EU countries require that a copy of the executed agreement with the standard clauses be deposited with the regulatory authority; this is not the case in the UK.

Safe Harbor Framework


- The Safe Harbor is a voluntary self-certification program.
- It recognizes and implements principles of the EU Data Directive.
- Creates a system of notice, opt-out, opt-in for certain sensitive information, control of subsequent transfers, and data security and integrity systems.

Penalties Under the EU Directive

- Each Member State's national laws will determine the penalty.
- For instance, under the UK Data Protection Act 1998, the regulatory authority, the Information Commissioner, also imposes the penalty:
  - Fines; and
  - Documents that infringe privacy to be forfeited, destroyed or erased.


Some US Laws

- Gramm-Leach-Bliley Act 1999 (GLBA)
- The Sarbanes-Oxley (SOX) Act
- The Health Insurance Portability and Accountability Act (HIPAA)


Gramm-Leach-Bliley Act 1999 (GLBA)

- Applies to financial institutions to ensure meaningful measures to protect customers' personal information.
- Restricts the transmission of personal data to third parties.
- Transfer of data includes the actual physical movement of data to a processor located in another country as well as remote access by the Overseas Service Provider.

GLBA contd.
Organizations must:
- Develop, implement and maintain a comprehensive information security program.
- The program must include administrative, technical and physical safeguards appropriate to the

The Sarbanes-Oxley (SOX) Act

- A reactionary measure to US corporate scandals; has a significant impact on US companies as well as auditing firms.
- Aims to strengthen corporate governance and restore investors' confidence.
- Companies must attest that outsourcing firms have internal controls in place to comply with SOX and other regulations.

Sarbanes Oxley

- Legislation is wide ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms.
- Contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties.
- Requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.

The Health Insurance Portability and Accountability Act (HIPAA)


- Establishes privacy protection for health care information.
- HIPAA provisions apply to organizations that offer health plans, doctors, hospitals and other health care providers, and in turn the Medical Transcription Industry.
- Limits the use of patient information.
- Would extend to the offshored activity of the organizations.

HIPAA Contd.

Information may be disclosed to a business associate if

The data owner obtains satisfactory assurance in a written agreement that the information will be safeguarded

Data Owner will most likely require business associates to agree to the same obligations that apply to the covered entity.

HIPAA Compliance

- Self-assessments, employee training, and increased technological capacities
- Administrative, technical, and physical safeguards
- Must reasonably safeguard from any intentional or unintentional use or disclosure that is in violation of the standard implementation specifications or other requirements of (the Privacy Rules).
- Business associates would have to comply too.

The Telephone Consumer Protection Act, (TCPA)


- Restricts the use of the telephone and facsimile machine to deliver unsolicited advertisements.
- Prohibits the delivery of artificial or prerecorded messages to residences.
- Once a consumer asks not to receive calls from a particular company, that company may not call that consumer.


TCPA & Related FCC Rules

- Prohibits autodialed calls to emergency telephone lines, health care facilities, paging services, cellular telephones, and any service for which the called party is charged for the call.
- A National Do-Not-Call registry:
  - It includes all telemarketers (with the exception of certain nonprofit organizations)
  - Covers both interstate and intrastate telemarketing calls
  - Consumers can place their telephone numbers on the registry through one telephone call or one Web click.

Other US laws

- The Fair and Accurate Credit Transactions Act of 2003: disposal of records (affects almost every business in the US).
- The Federal Credit Reporting Act limits access to credit histories and personal information.
- US Patriot Act: affects bank secrecy to combat money laundering, terrorism and criminal behavior.

Penalties
Each violation of The Children's Online Privacy Protection Act invokes a penalty of $11,000.

Penalty: actual damages, statutory damages up to $1,000, punitive damages per violation (no cap on class action damages), attorney fees and civil penalties up to $2,500.


Penalties

HIPAA violations:
- Penalty of up to US$ 25,000.
- Knowing wrongful disclosure invokes a penalty of US$ 50,000 and/or imprisonment of up to one year.
- Under false pretenses, the offender may be fined up to US$ 100,000 and/or imprisoned for up to 5 years; the penalty is increased respectively to US$ 250,000 and 10 years if the offense is committed with intent to gain commercial advantage.

Penalties

- The penalties for violating GLBA are steep and cost up to $11,000 per day and $10,000
- Penalties for violation of FACTA's rule of disposal, which affects most businesses, invoke actual damages, statutory damages, punitive damages per violation, attorneys' fees and penalties up to US$ 2,500.


Relevance of US Laws to Indian Businesses

- Extraterritorial reach?
- Affects conduct of business (both onshore and offshore).
- Stringent reporting requirements and penalties.
- Assumption of liability under contract.
- Choice of law of a foreign jurisdiction automatically extends to liability.

Challenges to the OSP Industry


- Indian laws: loopholes need to be plugged.
- Lack of regulation and enforcement.
- Exclusive regulation of the outsourcing industry.
- Lack of awareness of data security and confidentiality.
- Poor general awareness about data security and confidentiality.

Governing Law

- Generally Indian law.
- India recognises and respects choice of law, but not ouster of jurisdiction clauses.
- Different laws for different aspects.
- Local laws may preempt choice of law.
- Contractual law may imply choice of foreign law.

US or State Laws and Pending Bills


US states' laws or pending bills:
- Regulate privacy and personal data;
- Impose obligations on call center activities;
- Try to minimize or ban offshoring of state contracts.
Some of these measures are protective of the US workforce. Many of the bills may fail, be significantly diluted, be challenged on grounds of constitutionality or be found to violate international trade agreements.

US or State Laws and Pending Bills


- The United States Workers Protection Act of 2004.
- The American Manufacturing Jobs Retention Act of 2003.
- The Call Centers Customers Right to Know Act of 2003.


US State Laws or Pending Bills

- A Texas bill prohibits the employment of foreign workers on state contracts.
- Iowa has a bill that provides for preference for call center contracts to be performed by US citizens or others authorized to work in the US.
- An Ohio bill requires any employer that eliminates employment positions in Ohio and relocates those positions outside the United States to provide the employees losing their jobs with written notice of the relocation.

US State Laws or Pending Bills

Connecticut bill: would require companies with a net job loss of one hundred or more to submit to the state's Department of Economic and Community Development a statement including the number of jobs the company cut. Would also allow a citizen who believes he has lost his job as a result of outsourcing to report the loss to the state for recordkeeping purposes.

US State Laws or Pending Bills

- Six states and the US Senate have introduced legislation that would make it mandatory for companies to make disclosures about any activities that relate to offshoring.
- Contains language that does not apply to private contracts but specifically affects state contracts.

State Bills

Bills that require all contractors to disclose where work on the state contracts will be performed, which can figure into the evaluation of the bid:
- North Carolina
- Washington

Bills that require call center operators to disclose their location:
- Oregon;
- Minnesota; and
- Massachusetts

Bills that curtail the granting of state contracts to non-US workers or restrict performance of state contracts outside the US:
- New York; Massachusetts; Texas; Oregon; Pennsylvania; Florida; Maryland; Missouri; and Nevada

Vermont Bill Example of Language in Bills


The General Assembly finds that the state regularly awards contracts for services that are vital to Vermont residents, and that a disturbing trend is developing nationally in which contractors and subcontractors under service contracts awarded by state governments employ persons in foreign countries to perform these vital services. The General Assembly further finds that persons performing these service contracts in foreign countries are generally paid wages that are significantly below the minimum wages in this state, and that this trend of awarding service contracts to be performed outside the United States is threatening to the jobs and livelihood of Vermonters and all Americans.

California Privacy Laws


- Law of Notice of Security Breach: an owner of personal information who becomes aware of a breach of security must disclose the breach to every resident of California whose unencrypted personal information was, or is believed to have been, accessed by an unauthorized person.
- Privacy of financial information: stricter than GLBA; requires affirmative opt-in for sharing of information with third parties, and provides for opt-out for sharing with affiliates unless in the same line of business.

California Privacy Laws


- Online Privacy Act
- Information sharing disclosure: a business having personal information of a California resident must give a list of the categories of information shared with third parties, with the names and contact information of the third parties, OR provide a conspicuous privacy statement with a cost-free opt-out prior to the disclosure.

Prohibitions on the Transmission of Information

- Tennessee legislators introduced a measure that would require a company to obtain the express written permission of a customer before sending any financial, credit or identifying information to a foreign country.
- In California, proposed legislation would require businesses to comply with very strict privacy requirements when sending an individual's personal information abroad.
- Much of this legislation is aimed at either blocking the transmission of an individual's medical records to a site overseas or preventing a customer's financial information being sent to a foreign country without their express consent.

Protectionism-Implications for the US and the World

- Creates friction and hurdles in commercial activities.
- Effective measures to stifle meaningful outsourcing.
- US companies will be less competitive and will put even more jobs in danger if they cannot benefit from service cost arbitrage.
- Deterrent to American companies from offshoring medical, accounting, financial consulting or other information-based services overseas.

Protectionism-Implications for the US and the World


- Stringent laws will restrict offshore call centers because OSPs would be unable to access most account information to perform any useful tasks.
- Absence of legal ramifications does not alleviate the harm to public image.

The legislation banning state awards of grants, loans, or tax credits to companies that outsource any labor or services would serve primarily to alter the formula businesses use to evaluate the cost-effectiveness of offshoring. Protectionist measures will only serve to alleviate US job market issues for the immediate future. Offshoring is a valuable tool for American business, and lawmakers should be embracing it as a vehicle for innovation, not deriding it as the US economy's executioner.

Protectionism-Implications for the US and the World

Non-Delegable Responsibilities for Offshored Work

Data protection laws that are modeled on the European regime are aimed at data controllers or processors without regard to any employment relationship. The customer retains legal responsibility for transgressions by the sourced processor abroad.

Canada Legislation affects business with the US

- Legislation similar to the EU Data Privacy Directive.
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is particularly important to United States interests.
- PIPEDA creates a Privacy Commissioner. Citizens may bring complaints to the Commissioner, who has the power to enforce the Act in Canadian Federal Court.
- The Act requires prior consent before disclosure and prohibits disclosure without consent.
- A strong opt-in provision: the Act clearly covers businesses based outside of Canada that collect, use, or transfer data, including personal information about individuals within Canada.

Choice of Law

- This is subject to conflicting views.
- Proper law is identified in contracts; otherwise courts may impute the law of the country that has the closest and most real connection to the contract.
- Indian and UK courts recognize express choice of law.
- US courts generally honor chosen law, but choice of law and jurisdiction are further complicated because of different state laws.

Enforcement of Foreign Judgments


- Acquiring a judgment in one country and enforcing it in another country is subject to principles of conflict of law.
- Section 44A of the Indian Civil Procedure Code governs the enforcement of foreign judgments in India.
- Foreign judgments may be enforced in India subsequent to court proceedings, which may not require leading evidence.
- An Indian judgment may be enforced in other countries subject to local laws.
- A foreign court judgment is enforceable in the English courts subject to certain criteria.
- To enforce a foreign judgment, decree or order in the US, a suit must be filed before a competent court in the US, which will determine whether to give

Alternate Dispute Resolution - Arbitration

- India is a signatory of the New York Convention.
- Indian Arbitration Law (the Arbitration and Conciliation Act, 1996) deals with the enforcement of awards of a foreign reciprocating territory.
- A foreign award is enforceable if the Indian Court is satisfied that it is not subject to any of the exceptions; the court will pronounce judgment on it, followed by a decree.

Strategies to Optimize Opportunities in the Face of International Laws

Suggested Best Practices for Working Managers and Chief Executives

Non-tangible Essentials

- Honesty
- Flexibility
- Transparency
- Supported by contracts that adequately address the risks associated with the outsourced service, be it the risk of the OSP's capabilities or the customer's compliance needs.

Contracts

Effective and Comprehensive Contracts
- Clear and unambiguous contracts
- Flexibility in contracts
- Service Level Contracts
- Employee Contracts
- Limitations on Liability
- Confidentiality Contracts
- Third Party Licenses and Service Contracts
- Transition and Exit Procedures
- Dispute Resolution
- Alternate Dispute Resolution
- Governing Law and Jurisdiction
- Service Level Breakdown

Contracts

- Aspects of Business Continuity
- Compliance with legal and regulatory requirements pertaining to the OSP's country and the customer's country
- HR Training Requirements
- Confidentiality
- Choice of law (may be more than one, to govern different aspects of the contract)


Contracts Contd.

- Adopting the EU model contractual provisions in contracts to mitigate problems with EU Directive compliance issues.
- Careful and clear allocation of responsibility of the OSP and the customer for violations of the rights of third parties and, indeed, liability for punitive damages.
- Careful consideration before granting customer indemnity in the contract.
- Any liability agreement should include a cap.

Some Important Issues in a Contract

- Transfer pricing and permanent establishment issues, non-solicitation, tax matters, personnel issues, infrastructure and technology ownership are issues that should be addressed in the contracts.
- IPR ownership when joint efforts create new IPR
- Disaster Management Issues
- Backup or Alternate Work Locations
- Retain an attorney who is familiar with the legal provisions of the customer's country
- The customer should inform the OSP about changes in laws or compliance requirements

Management Related Best Practices


- Due diligence by both parties
- Commitment of negotiating representative and Senior Management Staff to ensure security and compliance
- Regular and frequent monitoring of the relationship
- Ensure that knowledge of compliance policies percolates through all operation levels
- Technical and Physical Security of Infrastructure
- Operational protection measures: no devices to save data locally


Management Related Best Practices Contd.

- Dedicated Physical Security Officer appointed by the OSP
- Onsite Manager appointed by the customer
- Dedicated and Trained (in the requirements) Compliance Officer
- OSPs should configure a complex matrix of capabilities, scale, skills, language, management and infrastructure when making commitments.

Management Related Best Practices Contd.


- Consolidate information for managing business performance
- Improve Business Intelligence
- Periodically assess internal controls
- Record Management and Provisions to Examine Audit Trails
- Monitoring, Managing and Transforming the Services



Management Related Best Practices Contd.

- Standard Written Internal Company Practices to Enhance Security, with Recorded Standard Operating Procedures Manuals
- Disaster Recovery Plan
- Insurance to cover risks of security breaches and/or loss of data
- Insurance to cover risk of claims arising out of the quality, timeliness and quantity of services
- Employ certified security professionals


Employee Related Best Practices

- Employee Background Checks
- Centralized Data Bank of all BPO related employees, helps identify prior violators (as initiated by NASSCOM)
- Need Based Dissemination of Information
- Division of process, access and/or control
- Technical Limitations on Access or Communication of different processes
- Standard Written Internal Company Practices to Enhance Security, with Recorded Standard Operating Procedures Manuals

Technological Best Practices


- Encryption
- Installing and Using Standardized Technical Measures


Industry Related Best Practices

- Establishment of an Independent Governing Body to regulate the industry
- Independent Certification About Security Standards
  Some Certifying Authorities: British Standards Institute (BSI), ISO 17799 or BS 7799; Det Norske Veritas (DNV); Standardization Testing Quality Certification (STQC, Govt. of India); KPMG; Ernst & Young
- Self-Regulation and Compliance Training
- OSP should inform the customer about any infractions to mitigate damage

Industry Related Best Practices

- Cardholder Information Security Program (CISP)
- Payment Card Industry (PCI) Data Security Standard: to safeguard sensitive data for all card brands; the result of a collaboration between Visa and MasterCard; creates common industry security requirements endorsed by other card services industry

Industry Related Best Practices


Technology Regulation and Certification
- COBIT (Control Objectives for Information and related Technology, by ISACA), based on ITIL
- ITIL (the IT Infrastructure Library), from the Office of Government Commerce (UK), is the most widely accepted approach to IT service management

Industry and the Indian Government

Industry should lobby with the Government:
- to create an Indian Safe Harbor Agreement
- to provide a regulatory authority and framework like SEBI and the SEBI guidelines
- The amendments to the IT Act should be in sync with global laws and trends.


Conclusion

- Factors that nurture BPOs also spawn crimes.
- Elaborate, onerous, technical security measures reduce productivity and erode employee motivation.
- Combination of Best Practices.
- US protectionist measures are likely to have an adverse effect upon both the US and the global economy.
- Laws will have to evolve to govern the runaway proliferation of outsourcing.
- Fraud and data violations can occur anywhere in the world.

Thank You
Poorvi Chothani, Esq. LawQuest 36, Maker Tower F Cuffe Parade Mumbai 400 005 E-mail poorvi@lawquestindia.com Telephone 00 91 22 5654 1671
