Outsourcing 2014: Negotiating Outsourced Contracts

Sarah (“Sally”) Church
Kevin A. Wiggins
Evan J. Foster
Saul Ewing, LLP
One PPG Place, 30th Floor
Pittsburgh, PA 15222
© Copyright 2014 Saul Ewing LLP
Why Outsource?
• Concentrate on business’ core
competencies or mission
• Take advantage of specialist expertise,
resources or best practices
• Reduce personnel, hardware, software or
facilities investment
• Cost efficiencies due to provider
economies of scale, leverage, global labor
costs
What to Outsource:
Employee Benefit Contracts
• Retirement Plans
 Legal/Audits
 Trust/Custodial Services/Recordkeeping
 Investments and Consultants
• Health and Welfare Plans
 Legal/Audits
 Insurance Contracts/Administrative Services
 Business Associate Agreements
 Pharmacy Management
 Brokers/Consultants/Payroll (for ACA reporting)
What to Outsource:
IT, Recruiting and Business
Processes
• IT
 Help Desk
 Data center
 Desktop or onsite support
 Server or network operations
• Recruiting and staffing
• Business Processes
 Finance
 Customer call center
 Document processing
Before Selecting a Service
Provider
• Define goals and desired outcomes
 Cost savings, improved performance, flexibility?
• Identify legal requirements
• Formal requirements gathering
 Ideally, before selection discussions or RFP
 Separate must-haves from nice-to-haves
 Thorough requirements create efficiencies and reduce
risks
• What type of relationship do you want?
 Length of commitment, tactical vs. strategic, what is
the future state?
ERISA Legal Requirements
• Duty of Prudence
 Applies at initial engagement, ongoing (duty
to monitor), and termination of engagement
• Prohibited Transactions
 ERISA requires fiduciaries to engage in a prudent
process to avoid prohibited transactions
 Fiduciaries are generally not liable with prudent
process, even if transaction turns out to be a
prohibited transaction
ERISA Prudence in Selecting a
Service Provider
• Engage in objective process designed to
elicit information necessary to assess:
 Qualifications and Quality of services offered
 Reasonableness of fees
• DOL Advisory Opinion 2003-02A
• Which outsourcing strategy better
documents a prudent process?
Outsourcing Strategies
• Sole Source Strategy
• Competitive Strategy
• Collaborative Strategy
Sole Source
Negotiate with Only One Vendor
• Advantages
 Builds on existing relationships
 Reduced costs
 Reduced processing time
 May be required by CBA
• Disadvantages
 Less market information
 Less likely to find highest value
 Less of a fiduciary process
 Increased potential for self-dealing
Competitive Strategy
• Negotiate with a broad range of vendors in
an auction-like process
• Advantages
 More market information and competition
 More likely to find highest value vendor
 More showing of a fiduciary process
 Reduced potential for self-dealing
Competitive Strategy
• Disadvantages
 More time and costs
• RFI and RFP
 Adversarial process tends to reduce trust
 May inhibit vendor’s response and interaction
during process
Collaborative Strategy
• Negotiate with two (or a few) select vendors
• Engage in parallel negotiations with each
vendor similar to sole source negotiations
• Advantages
 Less Adversarial
 More Trust
 More Responsive Vendors
• Disadvantages
 Less competition and market information
Contracting:
Who should be involved in the process?
• Depending on the subject matter,
size and complexity, you might
assemble a team of one or a team of
many.
• Define roles and responsibilities to
avoid “too many cooks in the
kitchen” or worse, negotiating
against yourself.
• Involve experts within the customer
organization if the contract contains
unfamiliar subject matter or
sensitive issues (e.g., IS/IT, Risk
Management, HR).
• Don’t assume that other
constituencies within your
organization know that you are
entering into this contract.
What should be included in an
outsourcing contract?
• The most important part of the contract may be the
exhibits, schedules, or appendices - the devil is in the
details!
• Vendor proposals, quotations, Statements of Work or
policies often include “legal” terms slipped in. Don’t
assume they don’t require legal review.
• Err on the side of over-inclusion. If the vendor said it
or provided it in writing, consider incorporating it into
the agreement.
• Are there specific company policies that the vendor must
adhere to?
Contracting Mechanics
• Process differs for different deals depending on
team and negotiating dynamic.
• Establish who will have “document control” and
be responsible for making changes.
• Use caution to avoid sharing internal comments
with the other side (e.g. track changes/
metadata).
• Consider whether negotiations are best handled
via phone calls, email and/or face to face
meetings.
Contracting Mechanics: Before You
Sign on the Dotted Line
• Review the final contract package to make
sure it:
 includes all of the required attachments,
exhibits, schedules and appendices
 clearly states what each party’s
obligations are
 lays out each party’s duty should
something go wrong
 provides the company with adequate
protections should the other party breach
the contract or if the company determines
that it is unhappy with the services
Form of Agreement
• Master Services Agreement or Master Information
Services Agreement
 The legal terms and conditions
• Scope of Services
 Single most important element
 Clear and comprehensive
 If the vendor promises it, they should put it in writing
• “Don’t worry, we never do that.”
 Identify whether services are provided as fiduciary or
agent
• Exhibits and Schedules
Master Service Agreements
• Detailed Statement of Work
 Reporting and Disclosure
• Vendor will provide all information in its
possession that plan needs to comply with ERISA
• Including 408(b)(2) for Retirement Plans
 Before you sign the agreement
 Fiduciary Duties (standard of care)
 Minimum Standards
 Other
Master Service Agreements
• Identify Correct Parties to Agreement
 Employer
 Committee or other plan fiduciary
 Plan (Trustee)
• Parties Covered by Agreement
 Make sure all plans that should be included
are included
Outsourcing Risks
• Primal fears result from services, software,
content, data and environment being
outside the customer’s control:
 management and oversight
 availability/uptime
 backups/disaster recovery
 data/network security
 data privacy
 what if vendor goes dark?
 what if there is a dispute?
Standard Clauses:
Term and Termination
• Term of Contract
• Termination
 Reasons
 Notice
• Distinguish expiration from termination
 Automatic renewal or expiration?
 Unilateral option to renew
 Termination for cause or convenience
 Required notice
Standard Clauses:
Termination
• Termination
 Post-termination services are critical to
outsourced arrangements
 Obligations should apply regardless of reason for
termination
 Return, destruction, or retention of data and
confidential information
 Transition activities and data migration
 Claim run outs
 Survival clauses
• Indemnification for fiduciary breach should survive for
applicable SOL
Standard Clauses:
Intellectual Property
• Ownership of work product
 “Work made for hire” - must be in writing or
else author retains ownership
 Assignment - “work made for hire” is limited
• Service provider will want to retain
ownership in its processes, knowledge and
internal tools
 May need a license to all of these items for
transition to another vendor or to bring
services in-house
Standard Clauses:
Representations and Warranties
 Legal Compliance
• Most outsourcing includes some outsourcing of
compliance functions
 Service Warranties
• Services will be performed in accordance with
contractual requirements (specifications, RFP,
Scope of Work)
• Services will be performed at a standard that is
generally accepted in the profession (AICPA, ITIL)
Standard Clauses:
Confidentiality, security and
data privacy
• Data privacy is a hot-button issue with U.S. and EU
lawmakers and regulators.
 HITECH expansion of HIPAA privacy rules
 2009 FTC data breach notification rule for vendors of personal
health records & service providers
 Numerous state data breach notification laws
 Gramm-Leach-Bliley, FERPA, other statutes
 Industry regulation (e.g., Payment Card Industry (PCI))
 Proposed changes to EU Data Protection Directive may mean
additional scrutiny
• High-profile breaches: Target, Home Depot, JP Morgan
Standard Clauses:
Confidentiality, security and
data privacy
• Enhanced B2B scrutiny of data flows to
subcontractors and outsourcing providers.
• If you are handling other people’s data, your data
protection/privacy obligations to those people need
to flow through to data centers and outsourcing
providers.
• Need to pay attention to vendor’s processes, not just
physical systems.
• Need to align your privacy commitments, and
vendor obligations, with actual behavior
• Individual security audit may be impractical
Standard Clauses:
Data backup and Storage
 Where is data stored? Who has access?
 Is data stored in a shared, virtualized “multi-tenant”
environment vs. dedicated physical servers?
 How often are backups made? Onsite or offsite? Does
customer have the ability to make its own backup?
 Does the provider have a disaster recovery plan? Do
you? How does provider fit within your plan?
 How often is the full plan tested?
 How long will it take to get services or data back
online?
 May need special terms to localize data storage (“do
not store outside U.S. or Canada”)
Standard Clauses:
Audits
 Permissible audits
• 5500 Audits
• Financial Audits
 Date revenue sharing is credited
• Compliance Audits
• Other Audits
• Certified compliance with published standards?
 SSAE 16 and ISAE 3402 audits (replaced SAS 70 in June
2011)
• Type 1 – auditor’s opinion on service organization’s description of
controls in operation and suitability of the design
• Type 2 – auditor’s opinion on whether controls are actually operating
effectively
 ISO 27000, Open Web Application Security Project (OWASP),
NIST, etc.
Standard Clauses:
Service Levels (SLAs)
• Help measure performance and
improvement over services previously
delivered internally
• Set baselines, targets for improvement and
incentives to meet those targets
• Can be quantitative (uptime, time to
complete transaction), financial (%
savings) and qualitative (user surveys)
Standard Clauses:
Governance and Communication
 Critical aspect of any agreement: outsourcing arrangements don’t run
themselves
 Mutual, escalating accountability
 Who has authority to authorize work, make
decisions, change services?
 What is the change management and change
control process?
Standard Clauses:
Limits on Liability
 Unilateral or mutual
 Single or multiple caps
 Per claim, aggregate, per plan year, etc.
 Check for “hidden” limits
• Limits to E&O Insurance
• Limits on Fiduciary Insurance
 Ask to see policies
Standard Clauses:
Limits on Liability
 Carve-outs
• Indemnification
• Breach of fiduciary duties
• Gross negligence/willful misconduct
• Cost to correct HITECH breaches
Standard Clauses:
Limits on Liability
 No indirect, special, or consequential damages
 Many vendors limit to fees paid
• Limited to 3 X fees paid
• Liability over term of contract limited to 3 X fees
paid during that term
 Watch for disclaimers and indemnification of
all HIPAA/HITECH liability
• Some vendors directly liable
Standard Clauses:
Indemnification
• Indemnification
 Indemnify and hold harmless
 Defend and Pay
• Consider Scope
 Plan
 Participants
 Fiduciaries (Committee)
 Employer (directors, officers, employees, etc.)
 Controlled Group
Standard Clauses:
Indemnification
• Third Party Claims
 Fraud, willful or intentional misconduct, gross
negligence, recklessness, negligence, breach of
agreement
• Materiality disclaimers
 Running from vendor in favor of employer
usually limited to failure to follow directions
• Sweep clauses
 Acts or failures to act
Standard Clauses:
Indemnification
• Indemnification for Third Party Claims
 Cross indemnification
 Timely notice of action
 Right to control action
 No settlement clause
Standard Clauses:
Dispute Resolution
• Arbitration/Mediation/ADR
 Not particularly unique to benefit plans
 Health plan claims cannot be arbitrated per
DOL Regs
• Retain right to seek immediate injunctive
relief in court for critical issues
Standard Clauses - Benefits
• Source of Fees
 Plan/Participants
• Fiduciary duties and prohibited transactions
• Most ERISA risk
• Vendors prefer credit risk of plan over sponsor
 Investments (Revenue Sharing)
• Dates for crediting revenue sharing
• Who earns interest on revenue sharing
• Medium ERISA risk
 Employer
• Lowest ERISA risk
• Watch for plan listed as secondary payor
QUESTIONS?