Most companies recognise outsourcing as an attractive way to efficiently complete software development projects, especially for companies that are experiencing skills gaps, time gaps or budget gaps. When this happens, outsourcing can be a viable solution - but only if the company trusts the vendor to protect proprietary code, follow through on promises, be accountable, and deliver quality work on time. But trust isn’t the only consideration when it comes to outsourcing software development. Legal issues pose major risks too in a world where business laws and policies differ widely from country to country. For this reason, headquarters location has become an essential consideration when choosing a vendor.
At first glance, vendor headquarters may not seem important. Yet, in business too often a perfect storm is right around the corner. When this happens, productivity can slow or come to a standstill, and expenses can get out of hand. Consider the global piracy rate, which is currently at 42% worldwide. However, the rate in outsourcing destinations varies widely. Some are lower than the average, such as the US (with a 19% rating), Japan (21%), and the EU (at 33%). On the other hand, India and Russia are tied at 63%, China is at 77% and Indonesia is at 85%. Piracy rates in a vendor headquarters area affect a company’s legal risk and affect the quality of the software development. In countries where piracy is widespread, the cultural and business climate focuses on stealing or copying rather than innovating.
Intellectual property rights
Vendor headquarters are also a principal consideration when considering intellectual property (IP) rights. Usually, unless the contract states otherwise, countries conducting international business are bound by the laws of the country where a crime occurs. For instance, although described as having a “good copyright law,” India is on the International Intellectual Property Alliance's (IIPA) Priority Watch List. The IIPA criticises Indian enforcement as lacking an effective mechanism for “national enforcement coordination” and relying heavily on individual states for law enforcement.
Russia is also on the IIPA Watch List. Because the country lacks a clarified approach to foreign IP, many view the Russian government as a threat to foreign business interests. According to a report by the IP Commission, meanwhile China is the world’s largest source of IP theft.
By definition, a breach occurs when an organisation entrusted with sensitive data loses control of that data. Yet, not every breach involves theft. Some data breaches occur when hard drives or spools of tape get lost during transport. When a breach happens, companies can experience brand damage as well as loss of revenue. Further, companies and industries can be criminally liable for violating their home country's privacy or national security laws.
When outsourcing outside the US, trade secrets, customer data, and financial information are often made available to a vendor whose employees are not subject to US laws. For instance, a security compromise might have no consequences for the overseas vendor. In turn, rectifying the situation may require international litigation, a process that could take years of effort and expense while the damage is immediate.
India, for example, currently has no data privacy laws. So, how vigorously authorities will pursue offenders is anyone’s guess. For instance, a contract may cover all aspects of the relationship, even state that both parties are covered by US law and under US jurisdiction. Yet, unless the service provider has significant assets to use as leverage in a US court, the contract may prove to be null and void.
When the outsourcer outsources
A company could be in additional danger if a vendor outsources any part of its services to a third party. Layers of subcontractors, often referred to as re-offshoring, can make security and legal recourse a messy proposition. A few years ago, UCSF Medical Center in San Francisco outsourced medical transcription to a Canadian company. Although the agreement specified all work be done domestically, eventually, some of the work was outsourced. When a payment issue with one of the contractors arose, a foreign employee emailed UCSF directly, threatening to post patient records on the internet unless UCSF helped settle the issue. Although eventually resolved, the situation had the potential to destroy UCSF patient confidence and negatively affect the reputation of the medical centre.
Avoid potential risks
As with all business partnerships, researching the vendor’s reputation and capabilities beforehand helps eliminate risk. When it comes to international outsourcing, make sure the vendor headquarters is legitimate versus a satellite connection. For instance, do they have a CEO at their US office? Why? Because, if there’s a legal issue, the outsourcer can “scuttle,” or close the US office and transfer all assets to the overseas headquarters. When this happens, the company that originally outsourced the project is forced to travel to the overseas vendor headquarters to pursue a case, wasting time and money, often with little chance of success. On the other hand, US outsourced vendors are bound by US law, and so are their employees. When issues arise, judgements are settled by US law in US courts.
For maximum protection, here are some essential questions to ask before signing any contracts:
- Does the vendor country recognise certain US legal doctrines, such as confidentiality agreements
- Does the vendor country permit a choice of law provision which would allow courts to apply U.S. law?
- Are there enforceable laws on the books of the vendor country that sufficiently cover IP, piracy, breach of contract, etc.?
- Who bears the burden of proof, and how is that proof collected?
- Is the vendor open to arbitration for dispute settlement?
- Where will the arbitration occur, and which country’s laws will be followed?
- Does vendor country recognise confidentiality or non-compete agreements?
- In the case of contract termination, what are vendor country laws regarding recovery of confidential property?
Careful planning is key
Outsourced relationships - whether they are onshore, nearshore or offshore - involve trust, verification and strong contracts. To minimise risk, it’s important to identify the true headquarters of the provider, know the legal system of the country where the provider is located, and be careful not to violate privacy laws. Overall, choose providers carefully, ask probing questions, and write detailed, thorough contracts.
About the Author
Yousef Awad is CEO of Integrant, Inc., a software development company headquartered in San Diego, California, with additional offices in Jordan and Egypt. Mr. Awad earned a Bachelor of Science degree in Information Systems from San Diego State University and has more than 20 years’ experience in the custom software development industry.