All IT and business process outsourcing (BPO) transactions involve the disclosure of sensitive business information by the customer, and most involve disclosures by the service provider. Properly constructed outsourcing agreements address this reality, ensuring that the use and further disclosure of such information is strictly on an as-needed basis and solely for the purposes of the outsourcing engagement.
However, service providers are wary of the potentially adverse implications of such broad proscriptions on their ability to provide services to others in the future. This concern stems from the perception that their personnel, once having increased their skills in the course of providing services to the customer, will inevitably leverage so-called "residual information" -- experience gained or information learned on the project (which could include the customer's confidential information) -- in the course of future work for other customers. As a result, service providers frequently seek contractual provisions, such as the following common type of broad residual information clause, that provide a general exception to the service provider's confidentiality obligations under the outsourcing agreement:
Residual information. Notwithstanding the confidentiality obligations of the service provider under this agreement, the service provider may during and after the term of this Agreement use in its business any residual information. Residual information, for purposes of this agreement, means the ideas, know-how, and techniques retained in the unaided memories of the service provider's personnel who have had access to the confidential information of the customer in the course of performing services under this agreement.
Not surprisingly, customers are less than enthusiastic about the limiting effect such provisions can have on their confidentiality protections. The principle objective in negotiating residual information provisions is effectively balancing the service provider's strong interest in maintaining its ability to freely shift human resources from one project to another over time, and the customer's equally strong interest in preserving the confidential nature of its proprietary information.
This article suggests some techniques that may be useful in overcoming the seemingly intractable tension between the service provider and its customer.
Analyzing the Parties' Competing Interests
The Service Provider
IT and BPO providers are highly leveraged organizations. Keeping each of their employees fully occupied with paying work at all times is key to their profitability. As a result, service providers want the flexibility to service their customers using non-dedicated staff who freely move from one project to another as demand requires. Similarly, when a given customer engagement ends, the service provider's business model demands that it avoid downtime by moving its personnel immediately to other engagements.
When the service provider agrees to prevent employees from working for competitors of the customer, or from working in certain industries or with certain technologies, the resulting administrative demands and loss in workforce dexterity can directly impact the service provider's bottom line. This is the heart of the issue for service providers, who understandably fear that if they agree to overly restrictive confidential information prohibitions, their personnel will be "tainted" by the customer's proprietary information and their costs of doing business will increase as a result.
In order for a customer to obtain the various benefits of having a service provider assume the customer's IT or business process functions, the customer must manage new risks. Among these is the reality that the service provider may need access to and could misuse or improperly provide to others the customer's "keys to the kingdom" - such as financial information and business plans, client lists, proprietary business methods, and source code for business-critical applications. The customer needs to achieve an appropriate balance between allowing the natural honing of individuals' skills during a project and protecting against blatant acts designed to rob the customer of its trade secrets and other intellectual property assets.
Customers understandably take the view that, as an expert in its field, the service provider must be adept at striking that balance and managing the physical, contractual, and procedural protections necessary to appropriately safeguard the customer's business critical information. The customer needs to have confidence that the service provider will live up to such obligations.
Deconstructing the Residual Information Provision
Residual information clauses come in many flavors, although they typically contain a common core set of features. Below is a table identifying these features and briefly summarizing the related perspectives of the service provider and customer:
|Core Features of Residuals Clause
||Service Provider Viewpoint
- Clarification or Exception to Confidentiality Provisions
|The provision should be an exception to the service provider's confidentiality obligations (as in the sample provision provided above).
||The provision should not be an exception. If it is to be included in the agreement at all, the provision should merely highlight for purposes of clarity that the service provider will be entitled to use or disclose residual information to the extent such information does not include any confidential information of the customer. The provision also should be made mutual. †
- "Residual information" Definition
|The definition should be sufficiently broad to avoid any possibility of the service provider's future engagements being tainted by the current outsourcing transaction.
||The definition should not eviscerate the service provider's confidentiality obligations. What the service provider will be permitted to do with residual information has a direct bearing on how broad a definition the customer will agree to.
||This phrase means what it says. No clarification is needed.
||It should be made clear that a memory is not "unaided" with respect to certain information if the information is remembered using notes or other documents, or if it was intentionally memorized other than as necessary for purposes of the outsourcing engagement.
||Any confidential information imparted to the service provider should be eligible for treatment as residual information, regardless of the nature of the information.
||Treatment as residual information may not be appropriate for certain types of confidential information (such as customer data, or personally identifiable information).
||To reduce the likelihood of future disputes, the manner in which confidential information is imparted to the service provider should not impact whether or not the information is treated as residual information.
||Only confidential information to which the service provider has rightful access in connection with the outsourcing arrangement should be eligible for treatment as residual information.
- Rights to Use residual information
|The rights should be defined sufficiently broadly to avoid any possibility of future engagements being tainted by the current outsourcing transaction.
||The rights should not eviscerate the service provider's confidentiality obligations. The breadth of the residual information definition has a direct bearing on the breadth of rights the customer will agree to. In no event should the service provider be permitted to disclose (as opposed to use) any confidential information.
- Incorporate in Products and Services
|The service provider should be able to freely incorporate residual information in its products and service offerings in the future.
||If "residual information" is defined narrowly, the customer may be willing to permit the service provider to incorporate residual information in its products and services in the future, provided that the service provider adheres to the confidentiality obligations described in the outsourcing agreement.
Negotiation Techniques to Consider
Owing to the strong competing interests involved, residual information provisions can be difficult to negotiate. However, certain techniques are useful for stimulating discussion and creative thought toward resolving the deadlock.
1. Appreciate the Nature of the Transaction
Not all outsourcing transactions are alike. For example, the amount and types of proprietary information and access to information that a service provider needs in order to assume the customer's finance and accounting functions is likely to be far greater than that needed to perform call center services. The service providers' level of risk varies from transaction to transaction. When residual information becomes a point of contention in an outsourcing negotiation, both parties should step back and thoughtfully analyze their exposure. Importantly, this should include developing an understanding the other party's probable risks. As it is usually the service provider that proposes a residual information provision, the service provider should at the outset seek to strike a reasonable balance to avoid unnecessarily difficult and protracted negotiations.
2. Recognize the Interplay with Confidentiality Obligations
Residual information provisions at a minimum are intended to clarify the service provider's confidentiality obligations but may be an exception to those obligations. (see above). The breadth and interpretation of the provision often depends on the parameters of the confidentiality provision. The two provisions always should be read together, and proposed modifications to one provision should be considered in light of their effect on the other.
3. Consider What Information You Can Exclude
When preparing the residual information provision, the service provider should consider ways to limit the residual information definition to give comfort to the customer without placing unreasonable or unexpected burdens on its operation. For example, residual information may include only confidential information to which the service provider has rightful access in the course of the outsourcing engagement. The customer will appreciate this, particularly in situations where the service provider is to receive broad technical access to a great deal more sensitive information than the service provider will really have a "need to know" to perform the services (e.g., administrative level network access provided in the context of desktop services).
The customer also may be able to offer a compromise position. The customer may be able to identify particular categories of sensitive information that should be held strictly confidential, while permitting a less stringent treatment of other customer confidential information. For example, the customer may exclude its financial information; its business plans; its customer, supplier, partner and privileged information; its personnel data; and/or its source code. Although certainly a compromise, such an approach gives the service provider an opportunity to educate its staff concerning specific information that should be handled with particular care, while effecting the desired reduction in risk with respect to other types of confidential information.
4. Articulate What "Unaided" Memory Means
Service providers and customers don't often disagree about what an employee's "unaided" memory means. Yet it can give the customer a measure of comfort to define it in the outsourcing agreement.
For example, it may be helpful to make clear that an employee's memory is only "unaided" with respect to information if the employee" has not retained a copy of the information and has not intentionally memorized the information, other than to perform the outsourcing services.
5. Preserve the Efficacy of Registered Intellectual Property Rights
One customer concern is it may be impliedly licensing the service provider and its other clients under the customer's patents, copyrights or other registered intellectual property. The broader the proposed residual information clause, the greater a concern this becomes. But service providers cannot expect to be in a better position than the general public merely because of the outsourcing relationship. In fact, outsourcing service providers are themselves becoming prolific patentees and are often as interested as customers in maintaining the value of their intellectual property. It is not difficult to reach agreement that any residual information clarification will not abrogate or create a license to any of the customer's registered intellectual property rights.
6. Consider Placing Limits on Future Uses of Residual Information
Service providers prefer to avoid agreeing to provisions that preclude their personnel from performing certain types of activities in the future. However, in some situations, the main gap between the parties may be the customer's concern that its own proprietary information or techniques will be used against it. For example, the service provider may use residual information to provide the same services or products to a competitor. Or the service provider itself may compete with the customer in certain fields.
Where the parties are at loggerheads over future uses of residual information, the service provider should consider whether it can agree to commit that its personnel will not use residual information containing confidential information at all for a reasonably short period of time after leaving the customer's account (perhaps 3 to 6 months, depending on the circumstances). During that time knowledge of specific customer confidential information would presumably fade. Or, it could agree to limit the use of residual information in certain situations, such as servicing a reasonably short list of customer competitors. Although this involves assuming unwanted inflexibility and/or risk, a pragmatic analysis may reveal that the service provider can effectively and efficiently manage to such limited restrictions.
7. Consider Other Factors
Negotiating residual information provisions cannot be done in a vacuum. Transaction leverage and other external factors may act as "invisible hands" influencing a party's behavior, either facilitating or encumbering resolution of the issue. However, common themes that make resolution difficult include:
- the influence of pre-existing corporate policies for or against the inclusion of residual information provisions.
- the not uncommon possibility that, once agreed upon in one transaction, a residual information provision will be used as a precedent in future transactions between the parties (whether or not the particular provision is equally appropriate given the specific circumstances of such future situations).
While addressing the outsourcing provider's need to ensure the continuing viability of its business, residual information provisions impact the customer's interest in maintaining the confidentiality of its business critical information. To successfully negotiate a resolution addressing these divergent interests, each party must step back and take a pragmatic view of its (as well as the other party's) risks. The various techniques described in this article may be useful to encourage such analysis and start the parties down the path to acceptable compromise. Ultimately, however, there can be no adequate substitute for insight and creativity on the part of the negotiators.
Lessons from the Outsourcing Journal:
- Negotiating residual information provisions means balancing strong competing interests. Both parties must evaluate and understand these interests in the unique context of their transaction.
- Residual information and confidential information are two sides of a coin. They must be considered together.
- As with any tough issue, creativity is key, and each party should strive to identify areas of flexibility. For example, the customer may be able to specify a sufficiently narrow subset of sensitive information to exclude from the residual information definition; or the service provider may be able to agree to certain limited restrains on its future uses of residual information.
Brian R. Suffredini is an outsourcing attorney in the New York City office of Mayer, Brown, Rowe & Maw LLP. Brian has an engineering background and specializes in outsourcing and other complex technology arrangements. His email address is [email protected]