Outsourcing service providers are frequently requesting that their customers sign a “work from home acknowledgement” or similar document in the context of the COVID-19 pandemic. Some are tailored for individual clients, but most appear to be standard forms. This Legal Update provides background, discusses what we currently view as best practices in responding to those requests, and touches on a few specific areas for contract modifications.
The request to “work from home” sounds straightforward, understandable and perhaps the best solution in light of the numerous lock-down, quarantine and social distancing recommendations and orders from governmental authorities arising out of the COVID-19 pandemic. However, the forms provided by service providers, if granted as drafted, would have a fundamental effect on a typical managed services agreement.
The request to “work from home” is a request for a waiver of the typical requirement in managed services that providers perform their services from the service locations listed in the applicable supplement/statement of work. Generally, that requirement is not a mere preference. Instead, service locations are subject to customer approval and identified as required locations in the agreement because of their logical and physical security controls, systems performance, backup systems, management and other factors. Facilities with more stringent controls typically cost more than facilities without the same, so it is fair to assume that the customer had a reason for the choices. For example, some facility requirements reflect regulatory requirements and others provide risk mitigation or enhanced performance.
In the acknowledgements, providers are looking for more than merely “acknowledgement” that services will be provided by personnel from their homes, rather than approved locations, for the duration of the lockdown periods. The “acknowledgements” frequently include numerous other broad waivers from non-performance, and in some cases even would have the customer hold the provider harmless from liability arising out of provider’s decision to have personnel working from home on personal devices.
These waivers are typically not acceptable to customers. The customer continues to have obligations to comply, for example, with data privacy and security laws, and, to the extent the provider is accessing, storing or processing the data of client’s customers, contractual obligations as to the privacy and security of data. The customer cannot simply ignore such obligations. Further, the “acknowledgements” typically do not include any compensating controls or incentives for the provider to prioritize the customer. So, a customer who signs the “acknowledgement” would have agreed to pay the same charges while being locked into a riskier contract to deliver lower-quality services in a less secure manner.
Customer Response Generally
We believe that the best practice is to agree that some provider personnel may work from home (WFH) in light of the reality of the situation, but subject to reasonable contractual obligations and modifications, including an end to permission to work from home when lock-down, quarantine and social distancing recommendations and orders cease. While it is important to address the real world impact of the COVID-19 pandemic on performance obligations, broad waivers and excuse from non-performance put customers at unnecessary risk. We have these general recommendations:
- Respond quickly with a notice that the WFH acknowledgement is inconsistent with contractual obligations and not acceptable, but with openness to a governance conversation to work on a change order to mitigate risk. Responding in this manner gets the customer into the provider’s queue for negotiation and reduces the risk that the provider will claim that non-response was a waiver. Also, it frames the WFH acknowledgement as what it is contractually – a change request.
- Review the critical contract clauses. While a “one size fits all” approach would be quicker, we have found that the customer’s position varies greatly under actual managed services agreements. At one extreme, if “pandemic” or “government action” is a force majeure event that fully excuses performance until the force majeure event ends, the customer may have little leverage, or leverage limited to the mitigation clauses in the force majeure clause. For example, if the provider has an obligation to use “commercially reasonable efforts” to perform in cases where force majeure applies, the provider’s request for a WFH acknowledgement opens the door to solidify what those “commercially reasonable efforts” entail. If the force majeure clause references only major forces, such as explosions, fires and floods, the provider may remain fully obligated. There may be a business continuity (BC) or disaster recovery (DR) plan that the provider is required to implement that could address the challenges. This is part of understanding the “best alternative to a negotiated agreement” or “BATNA” as preparation for negotiations.
- Consider why and how much it matters that services are performed from a supplier facility. Sound quality might be an easy sacrifice in a help desk deal, but the customer may have compliance requirements that cannot be waived without legal peril greater than the value of continuing the services. The distinctions that governments are now drawing between “essential” and “non-essential” business activity may be another guide. If performing services remotely may imperil food, medical or financial services operations, the customer has an argument not only that it is fair and reasonable for the customer to have priority on what is likely to be a limited number of seats in the facility but also that the service provider may have more legal latitude to perform such services at the facility because it is performing an essential function.
- Develop counterproposals that work with multiple providers. There are no “one size fits all” solutions, but you can save time with a “some sizes that together fit most” solution. For example, some customers are able to quickly provision VPN access to providers to the relevant systems, thus being able to implement adequate logical data security to make up for the loss of physical security, subject to certain minimum security standards, such as personnel who have signed WFH non-disclosure agreements working on fully-patched versions of Windows 10 with the customer’s VPN client loaded. Other customers are able to reallocate tasks such that a reduced number of essential personnel at the provider facility can do the most critical tasks while another group can WFH.
- Leverage your change order or other governance processes to find out what controls will be difficult to maintain and what possible workarounds exist to mitigate risk. Relying on an established process will reduce risk, particularly if the governance team is itself working from home while facing the complexity of numerous WFH acknowledgement requests.
- Sign an amendment or change order in an acceptable format. In the next section, we provide some ideas on how to do that.
Specific Contract Modifications
In addition to requesting the ability to WFH, providers frequently request specific waivers from, for example, physical and information security requirements, audit rights and performance standards. In some cases, providers may ask for general waivers with language along the lines that the waivers apply to “those obligations that cannot be enforced on remote devices and/or remote locations.” Whether specific or general, the waivers put customers at risk of being out of compliance with legal and contractual obligations, and potentially create data, continuity and other business risks. This section reviews some specific examples.
Information Security Obligations
We recommend seeking alternate methods for achieving the security of the provider location. For example:
- Managed services agreements often require that services be performed in segregated locations where the service provider personnel are not permitted to print, download to USB drives, have smart phones or otherwise have the ability to copy sensitive data. To the extent possible, these should be implemented at home also. For example, software loaded on a WFH device might disable its USB drives, “screen shot” software and print functions.
- Managed services arrangements often rely on the physical access control at the facility, generally with some sort of device or token. A reasonable alternate approach might be multi-factor authentication with a separate digital token required for accessing the network. A “look over the shoulder” management approach could be replaced by watching a screen copy.
Consulting cybersecurity and data privacy counsel is essential in determining whether the alternate approach is adequate to meet legal needs.
Providers may also look for clients to waive audit rights for the duration of lock-down orders. A complete waiver of rights is unnecessary and leaves the client without recourse where audit rights are necessary or appropriate, for example where a breach is suspected. While it may not be possible to conduct an on-site audit of a locked-down facility, many audit rights may be available to the client that do not require access to facilities, such as access to contract records and personnel engaged in the performance of the services. It is important for clients to maintain these audit rights, in particular given that the need to ensure adherence to contractual terms may be heightened as personnel work remotely. Thus, the audit rights should be limited only as necessary, for example, to restrict on-site audit rights. Similarly, consider expanding the audit rights as needed to monitor and manage the new work methods.
Many providers are also seeking relief from service levels and other performance standards. The reasons given may include limited bandwidth at home, distracted workers, or inability to use tools available only at the supplier facility.
A broad excuse from service levels and other performance standards is almost never reasonable. For example, there is no reason for excusing the provider from meeting accuracy service levels or meeting obligations to exercise due professional care, with qualified and skilled personnel.
However, if there is a particular service level that a provider reasonably believes cannot be met due to a remote work environment, again, the provider’s concern should be addressed through the governance process or a conversation whereby the provider describes with specificity which obligations it cannot meet, why it cannot meet them, and what workarounds and/or modifications would resolve the concerns. The customer can then make an informed decision about if, and to what extent, adjustments (if any) may be made without forgoing rights to receive contracted-for levels of performance.
The largest problem with WFH acknowledgements is that they waive obligations. One way to quickly “bridge the gap” on WFH acknowledgements is to reduce them to acknowledgements that the provider is delivering from home. The parties can then agree that liability for any reduction in service, non-performance or other non-compliance will be determined at a later date. This allows the provider to avoid liability for failing to inform the customer, but leaves the other issues to be determined based on how the provider implements WFH.
As noted above, customers should view a WFH acknowledgement as any other change request. As with any other request by a provider to reduce its obligations, customers should consider reducing their own obligations. For example, a customer that paid a 5% premium to be at a certain level of facility instead of using home workers might reasonably expect a 5% price reduction for allowing WFH. A customer that committed a volume of transactions to a provider might reasonably expect that commitment to be waived if the provider is unable to continue with the prior level of security or performance.
Finally, customers should consider the impact, if any, the COVID-19 pandemic may be having on their own ability to meet their contract obligations. Customers in industries hit hard by the COVID-19 pandemic may need relief from volume or pricing commitments, as an example. Similarly, customers may themselves be working from home and unable to, for example, allow provider personnel to sit with customer personnel as part of knowledge transfer. Customer concerns should be considered in the context of any negotiations with providers on work from home change orders.
For further information on force majeure and the COVID-19 virus, see “COVID-19 and Outsourcing Contracts: US Legal Rights and Practical Steps” and “Contractual performance – Force majeure clauses and other options: a global perspective.”