For years now, engaging vendors in other countries to provide business process or technical services has been a potentially useful way for U.S.-based companies to obtain skilled work at a reduced cost. However, as remote work has become more ubiquitous, many organizations that have not previously done so are assessing how to best leverage the opportunities presented by offshore vendors.
From developers and engineers to fully outsourced IT capabilities, these international resources can deliver expertise and increase productivity. These opportunities, however, also present unique risks and considerations for U.S.-based organizations. Although many companies have robust vendor management programs, there are several unique issues associated with offshore vendors. Below are some of the important legal and risk issues to be reviewed when considering an offshore vendor.
Both contractual and regulatory obligations can restrict a company’s ability to transfer, store and process certain data outside of the United States. Thus, a critical first step is to determine whether the organization is permitted to send information abroad and, if so, what contractual and regulatory requirements apply. For example, many customer contracts and data privacy or security agreements specifically restrict the use of offshore vendors or storage of personal information outside of the United States, or require obtaining the consent of the other party.
In addition, certain sector-specific laws restrict the offshoring of data. For example, in healthcare, several state Medicaid programs prohibit the offshoring of patient information. With respect to protected health information, HIPAA requires the offshoring of health data to be addressed as a part of the required security risk analysis. Although HIPAA does not prohibit the use of offshore vendors, the particular security risks must be considered.
LAWS THAT APPLY TO THE VENDOR
It is important to remember that offshore vendors may not be subject to U.S. laws. In certain instances, this may not be a concern. Although some jurisdictions, such as the European Union, have robust privacy and security frameworks, other jurisdictions do not require companies to implement any protections with respect to personal or other sensitive data. As a result, organizations should determine which legal frameworks will apply to the vendor. This will provide some insight with respect to baseline legal expectations. Potential gaps could be addressed in a contract.
Organizations may also determine that vendors with operations in certain jurisdictions should not be considered due to the general risks associated with offshoring data in those locales.
PROTECTING YOUR DATA
Privacy and security are top of mind for many organizations, as the risks to trade secrets, confidential corporate information and personal information continue to evolve. Because vendor-based data breaches are, by definition, outside of the direct control of the customer, the diligence process for offshore vendors should be robust, particularly regarding privacy and security considerations.
The security assessment should evaluate the administrative, physical and technical safeguards in place, as well as the vendor’s processes for vetting its staff. Similarly, it is important to identify whether the vendor has subcontractors that process data in other jurisdictions. Further, in addition to pre-contracting diligence, companies should impose minimum standards via the contracting process, including periodic audits, security risk assessments, and even penetration testing in appropriate circumstances. Data security agreements are now common practice, and these agreements help to ensure a minimum level of protection and demonstrate that the organization has taken reasonable steps to protect the data being sent offshore.
SUING AN OFFSHORE VENDOR
Finally, while most businesses do not enter into a new relationship expecting a dispute, it should be a consideration. Contractual obligations with a vendor that has no corporate ties in the United States can be difficult to enforce. International service of process is complex, and the vendor may contest jurisdiction in the United States. Because of this, there is a material difference between using a U.S.-based vendor that will store data in another country and using a vendor that only operates outside of the United States.
Vendors that do not have any physical presence in the United States require a careful approach to maximize the customer’s ability to enforce the contract and obtain a meaningful remedy. The specific approach will vary according to the country in question. In many jurisdictions, an arbitration clause may be the preferred approach because most countries are party to the United Nations Convention on the Recognition and Enforcement of Foreign Arbitral Awards (more commonly called the New York Convention), which allows for easier enforcement of arbitration awards in member countries.
Ultimately, when reviewing and selecting offshore vendors, it is important to have an informed decision-making process that helps determine the overall risks and benefits, and an appropriate contract that is tailored to the particular risks.
Christopher Sloan is a shareholder at Baker Donelson and Chair of the firm’s Emerging Companies Group. He focuses his practice on start-ups and other emerging businesses, and handles complex software and other IT transactions.
Andrew Droke is a senior associate at Baker Donelson and co-leader of the firm’s GDPR team. He counsels clients on a broad range of data protection, privacy and cybersecurity matters.