Outsourcing—The New Pitfalls To Avoid
Watch out for legal snags in data privacy, Intellectual Property and More
By Dr. Shan Nair, Nair & Co.
Even the most resilient strategic planners are not immune to dangers of a business left exposed by a third-
party supplier - and as countries change their regulatory frameworks, exposures in Intellectual Property laws
can threaten competitive advantage with the risk of data leaks becoming more significant and frequent.
There can never be a 100% bullet-proof plan for ensuring the security of an overseas operation, but there is
always a risk-minimisation approach, especially when outsourcing core business and Information Technology
For management, careful review of regulatory, IT/data security and process integrity risks can mean the
difference between a successful outsourcing relationship that reduces costs, and an expensive legal mess that
has all the makings and costs of a bad divorce.
Where is the Data Going?
Where data is held and what controls are built around the data are two of the biggest strategic questions for
Chief Information Officers and IT managers. Privacy, piracy, loss, security breaches, and theft can erode the
value of brands, intellectual property, and other intangible assets that companies have earned and heavily
invested in. It is also mandatory to carefully consider privacy laws of the target countries, and weigh them
against the cost benefits when outsourcing data storage. Also, additional IP protection can be assured if an IT
architecture or working practice can be designed and implemented that makes an act of piracy hard to
In Europe, businesses have the benefit of tightly worded contract terms as well as a clearly defined legal
framework. It is also a more secure environment as there are civil and criminal penalties for enforcing data
privacy where “sensitive personal data” are concerned. Similar IP and data protection legislation exists in
countries like Canada, Australia, Hong Kong, New Zealand and Japan, but in many other countries laws are
weaker and offer less protection.
In the U.S., data privacy is not guaranteed, as security legislation allows authorities access to any data stored
in the country. In India, there is a burgeoning level of legislation relating to data privacy. Also, while the legal
process is generally slow, it is relatively easy to obtain quick injunctive relief for clear cut breaches of IP for
most technologies outside of the health/medical arena.
A key pitfall faced by companies arises when they do not effectively marry their own system of internal control
with the vendor or BPO entity’s system of internal control. The contractual clauses should encompass a
Service Level Management Framework with high transparency for compliance monitoring - a missing link in
many outsourcing agreements today.
Provisions need to be made for legal issues arising due to the nature and location of the data. Compliance will
also be required with both U.S. laws and local country laws and regulations.
Executives can start thinking in the right direction by asking questions such as: does the service provider have a
comprehensive information security control environment in place, and how is the operational effectiveness of
this control monitored or audited?
Is my Intellectual Property safe?
In an outsourcing relationship, any kind of Intellectual Property (IP) asset – trade secrets, trademarks,
industrial designs, patents, copyright and related rights, software, etc. – may be involved at different levels
of the process.
Distinct national laws generally govern the IP assets. And as the laws vary country-by-country, so do the
headaches of the executives and managers dealing with their protection.
Managers need to account for multiple risks including:
- Challenges in monitoring and/or dealing with various types of breaches of contract clauses, theft or misappropriation of trade secrets.
- Enforcement of IP rights, parallel imports and grey-market issues.
Ownership of IP is a critical concern. It is essential to identify, account for and clarify ownership issues of IP
assets improved or created during the relationship. More often than not, companies overlook or pay
inadequate attention to this very important aspect in their initial contractual arrangements.
Clear terms must be laid out for ownership of IP created by a company’s employees or independent
contractors, ownership of the customized features, improvements, new technology and product in outsourced
work, ownership of a company’s IP when it wants to switch vendors (i.e., transfer rights) or terminate a
IP can sometimes be protected by subdividing a manufacturing process into parts and locating each part in a
different country or location, each with its own ring-fenced management structure. This will make the act of
piracy much harder to implement as nobody other than the owner of the IP will have access to all of the
A critical concern is the inadvertent, accidental or willful disclosure of confidential information and trade
Once a trade secret is made public, it enters the public domain and is invariably lost. Non-Disclosure
Agreements (NDA) can provide broad protection, but this may not be sufficient should litigation arise.
Am I ready for a contingency?
The basic risk in any business endeavor is that it will fail to deliver at some point of time. The stakes are higher
when functions outsourced are of strategic importance, and problems with delivery could threaten the
reputation or even financial viability of the organization.
A service provider can have delivery and infrastructural issues. For example, a supplier in China to a service
provider suffers a supply interruption, delaying implementation of a key application at the service provider’s
customer - a U.S. bank. Does the bank absorb the monetary loss it suffered, or is the service provider
accountable, or is the supplier accountable?
Potential losses can be averted with informed projections for possible contingencies, and by pre-empting answers
to questions such as: if the service is interrupted, how rapid and severe can the impact be? Who pays? Is there
insurance protection available for compensating the service disruption? What is the likely quantum of loss?
What are the liabilities for both parties? In the case of multi-sourcing, does the master agreement entail that one
service provider can manage the responsibilities of the other in an emergency?
The assessment should be holistic, encompassing both risks caused by actual interruption to supply as well as
risks that could cause reputational damage to the organization.
Whose law is it?
A company in San Francisco wants to sue a service provider in England over a dispute. Where should the
company file the case? Which country’s laws are applicable? Either party can refuse to file the case in the
other’s legal system, as applicable laws in both differ, unless their agreement specifies which country’s laws and
courts have exclusive jurisdiction. Equally, sometimes non-exclusive jurisdiction may be preferred to enable
one party to be able to more easily serve proceedings on the other. For example, it is not uncommon for cases
to be heard in a CA court under English law!
All offshore contracts should specifically highlight the system of dispute settlement. Although there are
international dispute settlement groups situated in London, Brussels and Geneva, it is essential to clarify the
legal aspects of dispute settlement in the outsourcing contract itself.
Final Thoughts
Outsourcing does not need to be a roll of the dice or a patchwork of legal battles across continents. Carry out a
“fault tree analysis” right at the beginning and ensure your contract, IT, security and IP protection
arrangements adequately cover the adverse scenarios.
Understanding how to avoid the pitfalls is important to ensure you gain a business advantage from the venture,
thereby ending up in a winning position.
For more information, please visit www.nair-co.com or email email@example.com.
© Copyright Nair & Co.
About the Author: Dr. Shan Nair, Co-founder, Nair & Co.
Award-winning businessman Dr. Shan Nair is a highly sought after speaker on globalization, a contributing author for various
publications and considered an expert in international expansion.
Having founded Nair & Co. in 1994, Dr. Nair now leads the strategic operations and global group expansion for the
company and is driving the company’s strong focus on using IT to leverage business advantage. Today, Nair & Co., which is
headquartered in the United Kingdom, has offices in India, China, the United States and Japan and currently acts for 700+ foreign
operations in over 40 countries. With the company at more than 350 employees globally, Dr. Nair’s success is evident in that nearly
75% of executives at the company have been seven years or longer at Nair & Co., excluding the most recent recruitment initiative. Also,
under Dr. Nair’s guidance, Nair & Co. has been named as Top 100 Outsourcing Service Provider in the World by the International
Association of Outsourcing Professionals (IAOP).
Dr. Nair is an Oxford University Ph.D. nuclear physicist and was instrumental in developing a code which set the U.K. standard
for calculating waste arising from spent nuclear fuel. When the Chernobyl accident occurred, he was one of the two U.K. technical
experts selected to assist the European Commission in its post-accident response.
Dr. Nair has received recognition for his success in business including the 2008 Outstanding 50 Asian Americans in Business
Award, Asian American Business Development Center (AABDC), New York, NY, U.S.A.; 2008 Bharat Samman Pravasi Award, NRI
Institute, Delhi, India; 2008 Gulland's Excellence Award, NRI Institute, London, England; and 2009 Hind Rattan (Jewel of India) Award,
NRI Welfare Society, Delhi, India.