Editor: Please tell us about your practice area and what brought you to Kelley Drye.
Nambiar: I am primarily a transactional attorney and focus my work in three areas – technology licensing, corporate, and outsourcing transactions. In connection with my technology and outsourcing practice, I represent both customers and service providers, which is unique because typically, attorneys in this space represent either customers or service providers. I also do a lot of corporate work, including M&A transactions and other commercial transactions, and I work for Indian companies doing business in the U.S.
I worked in India before I came to the U.S. When I was looking for a firm to join, I sought one that had not only a good technology and corporate practice but also an India interface, and there are very few firms that offer all three. Kelley Drye was one of them.
Editor: According to a recent Thomson Reuters survey, a portion of corporate legal work is now outsourced to legal process outsourcing providers; in fact, 48 percent of law departments responded that they used legal process outsourcing (“LPO”) service providers over the past year. Is this a trend that has affected your firm in terms of type or volume of corporate work it handles?
Nambiar: Companies are increasingly looking at LPO units as one way to reduce legal costs. That said, I don’t think this trend has adversely affected the volume or type of work our firm primarily handles because today, most LPO units handle matters that are commoditized in nature, such as document review for litigation, whereas the type of work for which clients typically come to us is more complex and sophisticated which, by nature, the client does not wish that it be outsourced to an LPO unit. Also, in many cases, work that is being outsourced to an LPO unit involves matters that the client would not have used a law firm for in the first place, but that has typically been serviced by the client’s in-house team, such as large-volume but less-complex contract review.
Editor: Are law firms outsourcing their work? What kinds of work do they tend to outsource?
Nambiar: Yes, they are. Many law firms are outsourcing their work to third-party providers. In addition to outsourcing some of their legal functions, law firms are now outsourcing some of their business functions, such as the law firm’s own billing, accounting, IT, and market research functions.
Editor: How does a law firm benefit most from outsourcing?
Nambiar: There is always the fear that LPO service providers may take work away from attorneys, but at the same time, some of the law firms that have been at the forefront of using LPO units see it as a value-add for their clients: if they are able to keep a client happy by cutting costs in one area that is a low-cost or commoditized service to begin with, they can use that tool to expand work in areas that require more sophisticated skills, creating a win-win situation for the law firm and the client. What is more important, a law firm that uses a LPO unit wisely fosters a better rapport with its clients, because the client will look at the law firm not just as a provider of legal services, but as one who is very much engaged in partnering with the client to improve its legal processes and associated costs.
Editor: What kinds of data privacy risks do companies have to worry about when they outsource?
Nambiar: Inadvertent disclosure or intentional breach of confidential information and personally identifiable information, or PII, of a company, including that of its customers, is still a very serious concern. While much of this can be mitigated by requiring the service provider to implement and maintain key processes and controls that protect against data breaches, it is also important that your service provider ensures that the same processes are implemented by any of its subcontractors. I find that it is much easier for a customer to have its immediate service provider implement proper controls since the customer has a direct contractual relationship with such service provider. But when that service provider subcontracts processes to other service providers, things can, at times, get out of hand. A case in point is that recently, a provider for business process outsourcing services to hospitals and certain health care providers discovered that the patient data that was being processed by one of its offshore subcontractors could be accessed by anyone over the Internet using a search engine like Google, due to a technical glitch at its subcontractor’s systems. While the matter was quickly addressed, these are the types of challenges that providers still face in maintaining proper controls to guard against data privacy risk.
Editor: Can outsourcing improve a company’s compliance efforts?
Nambiar: It is surprising, but the answer to that is yes. In an outsourcing venture where data has to be shared with third parties or has to leave the company’s control to a third-party service provider location and the third party then has control over data, a company is forced to reassess its existing controls and find ways to supplement those to address the new environment. It compels companies, especially those in regulated industries such as banking, healthcare, and insurance, to carefully and continuously evaluate and monitor their compliance efforts, and those of their providers, and then take steps to put better systems and processes in place. It is an opportunity for self-evaluation and self-improvement because now it is not just them, but third parties who have access to that data.
Third-party providers might even teach the client companies better compliance practices. With their own internal processes and controls in place, the service providers, unlike the customer, provide the same type of service to multiple customers, so they have come through the learning curve, having dealt with the same types of issues over and over again.
Editor: What new challenges have arisen with the convergence of outsourcing and cloud computing, social media and mobile computing?
Nambiar: The new challenges are primarily risks associated with data privacy. These are typically IT risks because there is a lot of convergence of technology. A piece of technology might look like a single consolidated solution, whereas there are a lot of different components that are being rendered by different third-party providers at the back end. To integrate all the pieces and make sure every provider who supplies those different components which make up a solution has the same systems and controls in place is often challenging, and that is where the data breaches that you still read about in newspapers sometimes occur.
You might also have other challenges related to new technology, such as with the online currency bitcoin, which could result in cybercrime or tax evasion.
Editor: Why is the RFP a useful tool for writing outsourcing contracts?
Nambiar: The RFP is always a great tool. It helps define the process, because once you run through the RFP and get into contracting, it helps reduce surprises at the contracting stage, as everything material typically has been hashed out at the RFP stage. It is also a way to manage expectations at both ends, on both the customer and service provider side, and to evaluate the capabilities of a potential service provider and also to benchmark one service provider’s capabilities and service approach to another’s. Ultimately, it reduces the chance for an impasse at the contracting stage because by then, the assumption is that the parties have had a meeting of the minds.
Editor: Is the right to audit the outsourcer an important part of the contract? How often should an audit occur?
Nambiar: There should certainly be a very clearly defined audit provision in the contract that gives customers broad rights to audit the systems, processes, and operations of the service provider, and not just how the customer is being billed. Early on, when audit provisions first were being used in technology contracts, it was typically limited to the ability of a customer to audit the fees and expenses being charged to them. But over the years, because of technological demands and regulatory concerns, those have been expanded into a much broader review that includes how the services are rendered, the fees billed to the client, IT audits for security compliance – essentially everything that is related to the services the service provider is providing the customer.
Typically, customers ask for an audit once a year, but not more often than that because it is a cost for the customer, unless there is a breach or shortcoming that is found at the service provider’s site, in which case there could be a shift of the expense. An audit is also a burden for the service provider, who is trying to run its business to keep the customer’s business going, so you shouldn’t run an audit more than once a year unless there is a real concern that something is amiss at the service provider’s site or to prevent recurrence of breach by the service provider of some of its material obligations (such as data protection obligations) under the contract.
Editor: What other provisions should be included in the outsourcing contract to address a company’s concerns about compliance and protection of sensitive data?
Nambiar: In addition to having proper systems and controls in place on the service provider’s side and an audit provision, the contract should include provisions to address limitations of liability. In most outsourcing contracts, a service provider would want to limit its liability to a certain amount, but the exception is when it comes to data breach or breach of confidentiality. There is a slight shift in the industry right now in that position, where some of the larger service providers are no longer willing to accept unlimited liability for data breaches, but are instead trying to push the customer to settle for a “super-cap” on damages, which is typically a multiple of the cap on damages that the service provider agrees to take for less egregious breaches under the contract. A well-worded limitation of liability provision that addresses those instances is important for both parties.
Also, good governance provisions that address handling and escalation of issues and that require a service provider to innovate its processes can go a long way to improve the overall management and success of a project, including matters that relate to protection of data.
Editor: India has always been a popular outsourcing destination. Which countries does India now compete with for that business?
Nambiar: These days many countries compete with India, including the Philippines, some of the Eastern European countries like Poland and Czechoslovakia, and Latin America, with countries like Chile, Argentina and Brazil playing a big role, primarily because of cost. The labor arbitrage is decreasing in India because as salaries are going up the cost of living is going up, so customers are finding it tough to get the same kind of services in India at previously available lower costs. Consequently, customers are moving to cheaper destinations. Initially India was a popular destination because of the available pool of English-speaking folks: but today there are more English-speaking personnel available at much lesser cost structures in English-speaking countries such as the Philippines, which is why jobs are being shifted to the Philippines. Also, countries like China now have a larger pool of engineers and other personnel who are proficient in English – so now China is also giving India a run for its money. There are also Spanish language skills to consider – something India does not have. Consequently, customers are reaching out to service providers located in Latin America and other Spanish-speaking locations to meet this requirement.
Editor: I see that you do pro bono work for an international organization. Please tell our readers about it.
Nambiar: I do a lot of pro bono work for M.A. Center, a nonprofit based in California. M.A. Center, including its division “Embracing the World” and its affiliates, have become a powerhouse for humanitarian activities across the world. I provide legal services for this organization, and I also do social work outside the legal arena. The group runs services like soup kitchens, and I am one of the pot cleaners at my soup kitchen. Since pot cleaning is considered one of the less “glamorous” jobs at the kitchen, I can go to the kitchen sink where no one disturbs me because they are all busy cooking or doing more popular jobs such as sandwich making! I enjoy pot cleaning because it is very therapeutic, almost like meditation.
The group has a presence in almost every country. When the earthquake and tsunami hit in 2006, M.A. Center completed a significant amount of work in India, Sri Lanka and other neighboring countries affected by the disaster. They have an orphanage in Kenya and centers in France and Germany, three or four centers in the U.S., in India, and in Sri Lanka. It is a fantastic organization and it is growing. I do a variety of legal work for them involving general corporate and formation work and some intellectual property work, but as I said, it is the hands-on social work that I really enjoy.