On March 24, the Indian government implemented a country-wide lockdown to slow the spread of COVID-19 with restrictions in place for 21 days. This means hundreds of thousands of IT and business services employees are now working remotely – regardless of what the services contract states. Not surprisingly, we’re seeing the impact of this with our clients – especially as it relates to how to ensure business critical work continues while keeping data safe and privacy intact.
Our view is that solving the immediate need with your provider in a rational and logical way is more important than making contractual statements that may trigger enforced waiting periods and potential future litigation. A cool, rational, collaborative approach is essential right now.
In our previous communications, we have focused on identifying your critical business processes and making sure your business continuity plans are up to date. This guidance has not changed. What has changed is the degree to which COVID-19 is now impacting the ability of IT and business service providers to work inside their delivery centers, which means some very real, near-term tactical decisions need to be made for work to continue. And it starts with service providers asking for your approval – in the form of a waiver – to work from home.
1. Do allow a work-from-home waiver.
Most service providers with offshore delivery centers have already asked their clients for work-from-home (WFH) waivers. If they have not asked yet, they will be asking soon. Immediately engage your providers if this point has not yet been discussed.
For some background: A waiver is a customer’s voluntary renunciation of rights in the contract for some period of time. It’s the customer’s documented willingness to allow the service provider to relax certain specific contractual requirements that might include service level relief, work from home vs. clean room locations, security or privacy relief, scope relief or other specific and clearly articulated relief with reference to specific performance or contractual provisions. A waiver, if acceptable, must carefully define the relevant scope, time and consequences.
We understand granting this is not easy, especially for companies in regulated industries. Handling of sensitive data in “clean rooms” has been a standard for offshore providers for years – and working from home turns the clean room concept on its head. But there are ways to mitigate the risk (see point #2 below). It’s important to keep in mind that every industry is having to learn how to relax requirements so global commerce can continue – from stock market traders to mental health professionals.
2. Do put a plan into place that addresses data security and adequate bandwidth.
Ensure your provider is thinking about security and bandwidth for their employees now working from home. Ask them about their virtual private network (VPN) technology standards and how they are monitoring activity while employees are connected to and working on your business. Also ask about the training providers are conducting to ensure proper data and device handling, as well as safe online behavior to reduce the risk of phishing and social engineering attacks.
Ask about network bandwidth. Providers should be actively working with each employee to ensure they have adequate bandwidth to get their job done. This is not easy in a country like India where many people don’t have adequate bandwidth at home – but there are other options, like Wi-Fi hotspots over cellular networks. Your provider should be getting creative right now – push them to find innovative solutions outside of the contract.
There are a number of other controls and risk mitigation techniques you and your providers can put into place. We’ll have more specific guidance on this important topic, so stay tuned.
3. Do not agree to relax data breach clauses and penalties.
We are starting to see some examples of providers asking their clients to relax data breach clauses and penalties after granting work-from-home waivers. Do not agree to these. If your provider is asking for this, accelerate point #2 above, and engage your internal counsel.
Remember that every contract has a change process, and any change or waiver must be made according to the agreed-upon process on an extremely expedited basis and by mutual agreement. We do not recommend using side letters or email to document this change. And, finally, remember that these are not contract amendments; they are temporary measures to provide relief from obligations, not permanent contract changes.
4. Do not think force majeure is required to make these changes.
Force majeure is a way for a provider to get contractual relief because of a failure to perform. Making waivers or changes to specific service provisions like work-from-home does not require the invocation of force majeure by your provider. If both parties agree to change conditions, service levels or other aspects of the contract, this can be handled using the process described above.
There are many helpful articles available by legal experts – for example here and here – to explain the details of force majeure, but most experts stress that a contested force majeure event will be litigated and recommend the consumer of services work with their provider to try to solve the problem without resorting to legal action.
Practically speaking, this is no time to initiate a lawsuit to determine if the provider is in default of an agreement to deliver a critical business process for a client. Even if it were, the remedies are mostly irrelevant: few clients can bring a process being performed by subject matter experts in India back to a U.S. office to be performed within a few days or move the work to another provider that will likely be in the same situation as the incumbent. Remedies such as termination or step-in rights (which give the client the right to have a third-party step in and take over the work) are simply not appropriate at this time and in this situation.
5. Do get your business leaders involved.
Right now, you need to maintain a laser focus on working collaboratively with your provider to find solutions for continuity of services, not defaults and terminations. Therefore, we strongly recommend getting your business leadership involved. A key business leader will be more empowered to negotiate and able to make decisions immediately about what scope of work can be changed and how it can be changed.
No service provider wants to fall into breach of its agreements, and it will be ready to work with you to find a solution. If there is friction between your team and theirs, a new and more senior leader from your side should act as the spokesperson for your enterprise. If there is a problem person on the provider’s side, invoke your right to replace that person even if temporarily. If and only if these efforts fail should you consider alternatives like contractual remedies based on legal advice from your counsel. This is a time when advice from a third-party expert can help guide the two sides to a reasonable solution.
We understand these are incredibly challenging times. We’ll be holding a webinar this Thursday at 1:00 pm Eastern Time to discuss these topics and solicit your feedback. Our ISG experts can provide relevant insights specific to your business. We are here to help. If you want to talk, please fill out this Contact Us form and we will be in touch.