Pandemic May Prompt Evolution Of IT Outsourcing

By Amy Levin
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Health newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (June 5, 2020, 5:30 PM EDT) --
 Amy Levin
Amy Levin
The outsourcing of information technology functions to a third party is a rapidly expanding market and enables companies to take advantage of a number of benefits and differentiators to which it wouldn't otherwise have access.

These include cost savings and flexible pricing arrangements, access to specialized talent, increased operational resiliency, improved economies of scale, diversification of geographic footprint, access to different and unique types of technology, and many others.

IT outsourcing in today's world also comes in many different shapes and sizes — spanning everything from traditional IT outsourcing arrangements with offshore vendors, to public and private cloud engagements for software as a service, platform as a service, and infrastructure as a service, to one-off software licensing and software development arrangements.

And nearly every industry has sought to utilize IT outsourcing in some form or fashion to its benefit, including retail, health care, financial services, professional services and many others.

However, as the world adjusts to a new normal and begins to transition out of lockdown from the COVID-19 pandemic, what does this mean for the IT outsourcing market? 

To start, the demand for outsourced IT services will only increase as the economy begins to recover and businesses reopen. Many businesses were unprepared to support the spike in remote working brought on by COVID-19 and are rapidly working to scale up their IT infrastructure and other related capabilities, particularly through the cloud.

Others are focused on harnessing the benefits of big data and artificial intelligence — both of which are becoming increasingly important in a post-COVID economy — and are turning to technology partners to provide these services. 

Workforce restructurings and internal budget restraints may also drive businesses to engage third parties to perform IT services as opposed to using internal resources. Long-term operational changes brought on by COVID-19 — such as the increased use of telemedicine, for example, in health care — will also drive an increased reliance on technology in some industries and hence will drive up the market for additional IT outsourcing.

In short, IT outsourcing is not only here to stay, but it is rapidly becoming a critical cornerstone for the future success of many of the world's businesses.

We're also likely to see changes in the structure and types of IT outsourcing deals themselves. For example, India has typically been a dominant player in the offshore IT outsourcing market for more traditional types of information technology outsourcing, or ITO, arrangements, in part due to the availability of high-quality developers and other IT professionals at a competitive cost.

However, many businesses, particularly those in regulated sectors, may seek to reduce or diversify their offshore IT footprint coming out of COVID-19 in order to hedge against widespread stay-at-home orders and other governmental restrictions that could impact service. This could cause IT vendors to shift service locations to additional jurisdictions in the U.S. and the Europe, Middle East and Africa region, such as Ireland, the Netherlands, Scandinavia and Israel. 

Other businesses will also be looking to capitalize on the flexibility and other transformative benefits that are available through the cloud — and will most certainly be looking to the cloud with increased enthusiasm coming out of COVID-19. In particular, the usage-based cost structure, which is commonplace with many types of cloud services is particularly attractive for businesses with less predictable IT needs.

Last but not least, it's highly likely we will see a change in the legal terms and conditions and security and compliance policies that lie at the heart of IT outsourcing deals, particularly for noncloud-based outsourcing transactions.

For example, onsite due diligence and in-person inspections and interviews that are typically performed when a customer is selecting a new outsourcing partner and/or approving a new facility are likely to change going forward.

Given the influx of travel restrictions and associated expenses, it's likely that many companies will turn to remote due diligence, such as video tours and interviews, fewer onsite visits, and the increased use of local third-party agents in lieu of travel.

Customers are also more likely to rely on trusted, established service providers with whom they have a prior relationship and history with — as opposed to vetting and implementing newer and potentially costlier arrangements with new outsourcing partners.

We're also likely to see a similar shift in connection with audits. In the context of traditional ITO deals, contractual audit provisions typically grant the customer specific access and inspection rights over the course of the outsourcing arrangement to confirm the service provider's adherence to contractual terms and compliance with applicable policies. 

Onsite audits are typically routinely conducted and are considered to be the foundation of some customer compliance policies, particularly when engaging with offshore providers. However, in the wake of COVID-19, onside audits will become increasingly difficult and more expensive, and thus we're likely to see more audits and inspections being conducted through alternative means where possible, such as through third-party agents or in some cases, remotely through video capabilities.

We're also likely to see an increased reliance on service organization control reports and other third-party certifications in lieu of physical or direct audits, where appropriate. Thus, while the importance of an audit right remains very high, the type of audit right that is exercised is likely to vary as a result of COVID-19, and contractual audit rights should be flexibly drafted with this level of variation in mind.

Remote access and connectivity terms in the outsourcing contract will similarly need to be revisited and aligned to accommodate service providers that need to perform services from different locations, including their homes, due to COVID-19. These types of provisions may also start to become permanent solutions as more and more service providers may require personnel to work from home for the foreseeable future.

For example, in the case of traditional ITO arrangements, many contracts specifically prohibit service provider personnel from performing services outside of specified, approved facilities for security reasons.

Consequently, these terms need to be reviewed and amended to allow service provider personnel to perform services from their homes or individual residences, where required.

However, this raises a number of security-related questions, such as: Will the service provider personnel be using personal computers or issued service provider or customer laptops? What level of access will service provider personnel be granted, and how will they connect to the relevant networks, e.g., VPN, Citrix Systems Inc., etc.?

How secure and reliable is the internet connection for such personnel? What country are the personnel located in, and does this create additional security concerns? What other types of technical requirements may need to be addressed from a security perspective?

These questions should all be taken into account, in consultation with the customer's internal compliance or security experts, when determining how to structure terms addressing remote access and connectivity by service provider personnel.

Confidentiality terms, policies and best practices should also be reviewed and updated to ensure confidential information is properly protected as both parties in an outsourcing arrangement may inadvertently take video and audio calls in the presence of friends and family members, or otherwise expose unintended third parties to confidential and sensitive information.

To start, parties who are concerned about confidentiality breaches may want to send a written notice to the party receiving confidential information to remind that party of its confidentiality obligations in the contract. Some parties also may wish to contractually require the recipient of confidential information to deliver periodic certifications of compliance with confidentiality terms.

It also may be appropriate to strengthen terms that address the consequences of a confidentiality breach, such as adding direct indemnification provisions for breaches of confidentiality provisions and excluding damages arising out of confidentiality breaches from the liability cap.

Further, while many confidentiality clauses permit the sharing of confidential information with employees, shareholders, legal counsel and accountants (additional parties) on a need-to-know basis and/or only in the event that such additional parties are bound by similar confidentiality restrictions, companies may begin to narrow the scope of these clauses, or the information that is made available to these parties, going forward by restricting access to confidential information to a smaller or more defined group of people.

The use of password-protected files, secure file sharing sites and encryption are also likely to become more commonplace as parties seek additional ways to protect their confidential information.

Contractual termination rights will also be impacted by COVID-19. While the specifics of any termination right will depend on the bargaining strength of the parties and the nature of the specific deal, we are likely to see more customers bargain for the right to terminate for convenience given economic challenges and other uncertainties created by COVID-19.

However, as was the case before COVID-19, any right to terminate for convenience will likely require negotiation of a notice period and possibly a termination fee, if justified under the circumstances.

Parties may also start to negotiate the right to terminate upon the occurrence of a material adverse change or material adverse event, a so-called MAC clause. While MAC clauses are not common in outsourcing arrangements, in a post COVID-19 economy, parties may start to include these in outsourcing contracts going forward to secure additional protection against unforeseen changes that could be materially adverse to either party.

Termination rights for insolvency-related events may also need to be updated or modified to include carveouts for refinancings, restructurings, loans and other similar transactions, which are becoming commonplace due to COVID-19.

Governance provisions should also be revisited and updated going forward, particularly as parties change the way in which they communicate, collaborate and make decisions. For example, post COVID-19, governance models will likely need to accommodate remote and video-based communications and meetings, more robust tracking and reporting (such as more granular service level agreement, or SLA, reporting, for example), modified roles and responsibilities, and additional stakeholder input on key decisions.

Project management efforts may also need to be increased due to COVID-19 as unexpected operational changes need to be implemented, and budgets, expenses and other key statistics need to be managed with greater granularity than ever before.

At the same time, internal roles and resources within a company may have shifted due to COVID-19, and parties may be required to manage the IT outsourcing arrangement using different or fewer personnel than anticipated.

Consequently, parties should ensure that their contractual governance model accurately captures the way in which the parties are working together and making decisions, both now and in the future, as a result of COVID-19.

Finally, force majeure clauses in IT outsourcing deals are currently receiving, and will continue to receive, a great deal of attention as a result of COVID-19. No longer considered a boilerplate term, these clauses will be highly negotiated in IT outsourcing contracts going forward.

While the specifics of a force majeure clause will depend on the type of services provided and the bargaining strength of the respective parties, we expect to see service providers with greater bargaining strength specifically include COVID-19 and related events such as pandemics, quarantines and governmental actions within the scope of a force majeure clause to provide the service provider with protections in the event it is unable to perform the services as a result of these events.

On the other hand, customers with greater bargaining strength will remove the force majeure clause altogether, and/or specifically state in the contract that COVID-19 will not be considered a force majeure event or a basis for the service provider's breach of or excused performance under the contract. Customers in this position will argue that COVID-19 is not unforeseeable and service providers should plan ahead for COVID-19 related interruptions, costs and contingencies to ensure continuity of service, at no additional cost to the customer.

Parties seeking to reach a compromise or middle ground may negotiate a force majeure clause that narrowly defines a closed list of specific triggering events and the rights and remedies available to both parties (e.g., SLA exemptions, termination rights, indemnification or reimbursement of costs) if a force majeure clause is invoked.

Regardless of the scenario, however, a force majeure clause should be carefully considered and, if one is included in the contract, carefully drafted to precisely articulate the definition of a force majeure event and associated consequences to both parties.

Amy Levin is a partner at Seyfarth Shaw LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

For a reprint of this article, please contact

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!