Georgia Renewable Energy Policy Memo

As part of Technology Law Institute 2010, Lee Peterson presented a compelling case for renewable energy projects in Georgia.

BACKGROUND:

Substantial capital investment in renewable electricity generation infrastructure and clean technology is as important to Georgia’s economy as investing in roads, bridges and other fossil fuel intensive capital construction projects.

Currently in the state of Georgia, there are two state laws and one legislative omission that together are largely responsible for preventing industrial scale capital investment and job creation in the renewable energy and clean-tech sectors.

One such law is the Georgia Territorial Electric Service Act, which presently subjects virtually every significant contract for the sale of electricity between non-public utility parties to the risk of litigation.

The second is the Georgia Cogeneration and Distributed Generation Act of 2001, which severely restricts the size of investments in renewable energy.

Lastly, the absence of any law requiring public electric utilities to account for all the costs borne by the public associated with the generation of electricity is causing unfair negative price-fixing, forcing Georgia electricity consumers to overpay for renewable electricity through various green power programs offered by the utilities.

ISSUES:

1. How to stimulate and support industrial scale capital investment and job creation in Georgia’s renewable energy generation industry.

2. Proposed guidelines for legislative clarifications of the Georgia Territorial Electric Services Act.

3. Proposed guidelines for amendments to the Georgia Cogeneration and Distributed Generation Act of 2001.

4. Proposed guidelines for avoided-cost externality adders.

5. Critical factors preventing lending approvals and tax equity investment in renewable energy projects in Georgia.

Lee J. Peterson is a licensed attorney and Senior Manager for Reznick Group’s National Tax Practice. He also leads the firm’s Tax Research and Planning Department in Atlanta.

India’s New Information Technology Law Impacts Outsourcing Transactions

By Karen M. Sanzaro[1. Karen M. Sanzaro is a partner in the Atlanta office of Hunton & Williams, LLP. Karen’s practice focuses on outsourcing, global technology transactions, privacy and data security.] and Christyne Ferris[2. Christyne Ferris is an associate in the Atlanta office of Hunton & Williams, LLP. Christyne’s practice focuses on outsourcing, global technology and corporate securities.]

On February 5, 2009, the President of India signed into law the Information Technology (Amendment) Act, 2008 (the “ITAA”)[3. Information Technology (Amendment) Act, 2008, No. 10 of 2009, India Code (2000).], a robust amendment to the country’s Information Technology Act, 2000 (the “IT Act”).[4. Information Technology Act, 2000, No. 21 of 2000, India Code (2000).] The IT Act was enacted primarily to promote e-commerce and give effect to e-commerce transactions, with provisions for the legal recognition of electronic documents and digital signatures. It also included provisions for the identification of, and establishment of penalties for, certain cybercrimes. The ITAA is the culmination of a multiyear effort to update the IT Act to take into account new technologies, increases in cybercrimes, the growth of the business process outsourcing industry in India and rising global concerns about data privacy and security.

While the ITAA is a significant step forward in establishing a data protection framework in India, and in providing assurances for those doing business with Indian entities, much of the detail was left to a rule-making process that has yet to be completed. The Indian government ministries charged with establishing these rules have sought input from the Data Security Council of India (DSCI), a self-regulatory body established by the National Association of Software and Services Companies (NASSCOM),[5. NASSCOM is an Indian IT trade association established in 1988 to facilitate business and trade in software and promote growth of the global offshoring industry.] on several key data security-related terms and provisions left undefined by the ITAA. The DSCI submitted its recommendations to the Department of Information Technology on May 11, 2009.[6. Making of Rules under Sections 43A, 67C and 79 of the Information Technology (Amendment) Act, 2008, available at http://www.dsci.in/index.php?option=com_content&view=article&id=52&Itemid=76.] Until the specifics are finalized and put into practice, companies outsourcing to Indian providers still face many uncertainties about how the law will change the IT landscape and what impact it may have on their relationships with their sourcing providers. Although its efficacy remains to be seen, the ITAA sets the stage for outsourcing providers and their customers to engage in a more robust dialogue about customers’ electronic data and the appropriate measures for securing such data.

The Catalyst for Change

Increases in cybercrimes generally, coupled with the terrorist attack in Mumbai (largely effected through coordinated technology efforts), were likely a contributing factor in the recent passage of the ITAA, which had previously been stalled in India’s parliament since 2006. The ITAA expands the scope of cybercrimes (and includes cyber-terrorism), increases some of the penalties for cybercrimes and includes enhanced data retention, access and cooperation requirements for “intermediaries” (i.e., any person who receives, stores or transmits electronic records on behalf of another person, including ISPs and network and telecom providers) and others with responsibility for computer resources. The rapid growth of India’s outsourcing and information technology industries, in which the processing of data is often a critical component, is also a likely contributing factor in the ITAA’s passage. Without the confidence of the rest of the world, particularly the U.S. and Europe, India’s outsourcing industry could risk its competitive advantage. The ITAA represents an investment in India’s data security infrastructure and a signal to the outside world that India is still a stable place to do business.

The ITAA and Protection of Sensitive Personal Data

For companies doing business in India or with Indian entities, Section 43A of the ITAA is of particular importance. Section 43A is a new provision designed to hold companies accountable for the protection of personal data. It provides:

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

This provision has a number of important implications for the Indian outsourcing industry and its customers in other parts of the globe.

Establishes Corporate Reasonable Standard

Prior to its amendment, the IT Act focused more on individual hackers than on systematic data protection. The pre-amendment IT Act imposed liability on any “person” who (among other things) accesses or extracts data from a computer or network without the owner’s permission, damages the data or programs stored on a computer, or denies authorized access to a computer. The amendment, on the other hand, takes a broader view of the IT landscape in India by recognizing that corporations and other intermediaries also bear some responsibility in ensuring data in their possession is secure. Failure to do so creates a private right of action in the individuals whose sensitive personal information is compromised.

Defines Personal Data

Perhaps one of the more important consequences of the ITAA is that it introduces the concept of personal data into Indian law. The original IT Act punished unauthorized extraction of or damage to data, but it did not explicitly target personal data. The ITAA, however, requires companies to maintain the security of “sensitive personal data,” thus recognizing that certain data deserves a higher level of protection.

The ITAA, however, limits the protections afforded to “sensitive” personal data, which is defined in the act as “such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”[7. Section 43A(iii) of the IT Act, as amended by the ITAA.] The Central Government of India has not yet prescribed what constitutes “sensitive personal data,” but the DSCI, at the government’s behest, has recommended that personal information be defined consistently with the EU Data Directive,[8. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “EU Data Directive”).] as information that can identify an individual through one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Sensitive personal information, however, would be defined more narrowly to include health and financial data (but not embracing the broader EU concept of data regarding racial, ethnic, political and religious beliefs, which the DSCI has noted is often publicly known in India).

Notably, the DSCI’s draft recommendations limited sensitive personal information to data pertaining to a person’s health or sex life.[9. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “EU Data Directive”).] As the protection of Section 43A is afforded only to “sensitive” personal data, this would have left financial data unprotected. Although the DSCI has now expanded its proposed definition of sensitive information to include financial data, it is not clear why the act extends the protection only to sensitive personal data or whether the Central Government will ultimately adopt a more expansive definition of sensitive personal data. The EU Data Directive, for instance, affords basic protections to all personal data, and distinguishes sensitive personal data for certain additional protections.

Establishes Security Standards

The ITAA also requires the use of “reasonable security practices and procedures,” which it defines as practices and procedures designed to protect sensitive personal information from unauthorized access, damage, use, modification, disclosure or impairment. What constitutes “reasonable security practices and procedures” may be specified in an agreement between the parties or in an applicable law. In the absence of an agreement or law, reasonable security practices may be prescribed by the Indian Central Government. Although this provides little clarity in describing the practices and procedures required, it stresses the need for companies to take a comprehensive and systematic approach to data protection (at least with respect to sensitive personal data).

As of the date of this article, the Indian Central Government had not yet prescribed “reasonable security practices and procedures.” However, the DSCI, noting that appropriate security measures may vary from one organization to the next depending on the type of information processed (and rejecting a “one-size-fits-all” approach), has recommended that companies: (1) adopt one or a combination of industry-recognized security standards, namely ISO 27001[10. ISO 27001 is an international information security management system (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that specifies a set of requirements for the establishment, monitoring, maintenance and improvement of an ISMS aimed at managing information security risks based on a set of high level principles.] and/or the OECD Privacy Principles for design and operation of Information Security Management Systems,[11. Presumably, the Organisation for Economic Cooperation and Development’s revised Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, adopted in July 2002, although the DSCI did not include a specific reference.] and implement such standards within their organization in a manner that is appropriate given the nature of the company’s information assets and its corresponding risk assessment; and (2) publicly declare that they are following ISO 27001 principles (presumably via a website, privacy policy or similar publication, although the method of declaration is not specified). In addition, companies would be obligated to document the standard in writing, along with the specific controls they have implemented to meet the standard and how such controls are deployed. There is no requirement that companies undergo an audit (external or otherwise) to verify that the controls are in place or the effectiveness of the controls. However, in the event of a security breach, a company would be obligated to demonstrate to investigators that it had a written security policy, that it was following such policy, and that the controls required by its policy were commensurate with the assets being protected.

Other Important Provisions

While businesses focus on the new data protection rules, a host of other provisions of the ITAA has also received attention. Section 66 expands the definition of cybercrime to include identity theft and makes it punishable by up to three years in jail. Sections 66A – 66F define and impose penalties for other cybercrimes, including cyber-terrorism. The ITAA protects intermediaries, such as network service providers, when unlawful content is transmitted on their sites or via their networks, as long as they were not involved in the transmission and exercised “due diligence” in discharging their duties under the ITAA. The DSCI has recommended that intermediaries, in order to obtain the protections of the ITAA, declare their privacy, security and operational policies and procedures for the handling of third-party content and require their subscribers to agree to such policies.

Sections 69 through 69B grant the Central Government the authority to intercept, monitor and block access to electronic information in the interest of national security, and to monitor and collect “traffic data” (data identifying a person, computer system, or location to or from which the communication was transmitted, including origin, destination and other details) for purposes of enhancing cyber security, all in accordance with procedures and safeguards “as may be prescribed.” The Ministry of Communications & Information Technology has posted draft rules prescribing such procedures and safeguards at its website for public comment.[12. Draft Rules under IT (Amendment) Act, 2008 available at http://www.mit.gov.in/default.aspx?id=969.] Among other things, the draft rules require authorities to consider whether there are other ways to acquire the necessary information and to issue orders to monitor or intercept such information only if it is not possible to obtain the information by other reasonable means. The draft rules also place time limits on how long an interception or monitoring order may remain in force, how quickly intermediaries must respond to an order for monitoring or interception of information and how long security agencies and intermediaries may retain the information obtained.

Section 70B creates a government agency, dubbed the “Indian Computer Emergency Response Team,” with responsibility over the analysis and dissemination of information and alerts regarding cyber incidents, the coordination of responses to cyber incidents and the issuance of guidelines regarding information security practices and the prevention, response and reporting of cyber incidents.

Consequences for Outsourcing to India

While the ITAA is an important first step for India in promoting and requiring appropriate data security protections, until it is formally adopted (via publication in the Official Gazette) and fully implemented, with “sensitive personal data” defined, “reasonable security practices and procedures” specified, and the corresponding rules promulgated, companies contemplating outsourcing operations or processes to an Indian provider should take care both in making the decision to move operations involving critical data offshore and in selecting and contracting with a provider.

Practice Pointers

While the ITAA may not necessarily require immediate and specific changes in your existing outsourcing contracts, it will certainly bring data security issues to the forefront for the Indian outsourcing community. Thus, the ITAA’s recent enactment may represent an opportunity to revisit contracts that may not have adequately addressed the issue in the first instance, or longer-term contracts where the existing data security provisions are outdated or otherwise inadequate. The following are some data security considerations to take into account when evaluating your existing outsourcing relationships with Indian providers or in entering into new ones:

Diligence Your Provider’s Data Security Practices

Thoroughly evaluate your Indian provider’s information security practices and procedures (including via a site visit, where feasible) before committing to a long-term relationship. Make sure the provider has a plan in place to address any identified gaps or deficiencies and follow up to make sure the plan is implemented.

Document Compliance Obligations

Your outsourcing agreement should expressly require your service provider to comply with those data security laws and regulations applicable to the provider (including the ITAA) and those applicable to the operations or functions it will perform for your company. Where applicable, include an obligation to comply with industry standards (e.g., the Payment Card Industry Data Security Standard). In the event the Central Government has not prescribed reasonable security procedures, your outsourcing agreement should specifically define the provider’s data security obligations (which should supersede any less stringent requirements imposed by law).

Address Security Breaches

Determine and clearly document your provider’s obligations in the event of a security breach. Your outsourcing agreement should specifically address what constitutes a “security breach,” the circumstances under which the service provider is responsible for the breach, and what happens in the event of such a security breach.

Obtain Robust Audit Rights

Include robust audit rights in your agreement, allowing you to verify that your provider is doing what it agreed to do. These rights will be particularly important in the event there is a security breach.

Negotiate Appropriate Remedies

Negotiate, and document in your agreement, remedies in the event your provider fails to comply with its data security obligations. These might include indemnities, termination rights and/or other measures.

Consider Liability Implications

Consider and document the provider’s liability for direct and indirect damages for security breaches.

We Can Help / About Hunton & Williams

Hunton & Williams’ Global Technology, Outsourcing and Privacy practice has substantial experience advising clients in executing, managing and redefining large-scale outsourcing transactions. With our integrated privacy and sourcing practice, we are able to proactively assist our clients in addressing the complex data privacy and security issues typically encountered in outsourcing transactions. If you would like to discuss the Indian legislation, or need assistance in determining its impact on your organization’s proposed or existing outsourcing relationships, please contact us.

India’s New Information Technology Law Impacts Outsourcing Transactions

By Karen M. Sanzaro[1. Karen M. Sanzaro is a partner in the Atlanta office of Hunton & Williams, LLP.  Karen’s practice focuses on outsourcing, global technology transactions, privacy and data security.] and Christyne Ferris[2. Christyne Ferris is an associate in the Atlanta office of Hunton & Williams, LLP.  Christyne’s practice focuses on outsourcing, global technology and corporate securities.] On February 5, 2009, the President of India signed into law the Information Technology (Amendment) Act, 2008 (the “ITAA”)[3. Information Technology (Amendment) Act, 2008, No. 10 of 2009, India Code (2000).], a robust amendment to the country’s Information Technology Act, 2000 (the “IT Act”).[4. Information Technology Act, 2000, No. 21 of 2000, India Code (2000).] The IT Act was enacted primarily to promote e-commerce and give effect to e-commerce transactions, with provisions for the legal recognition of electronic documents and digital signatures. It also included provisions for the identification of, and establishment of penalties for, certain cybercrimes. The ITAA is the culmination of a multiyear effort to update the IT Act to take into account new technologies, increases in cybercrimes, the growth of the business process outsourcing industry in India and rising global concerns about data privacy and security.

While the ITAA is a significant step forward in establishing a data protection framework in India, and in providing assurances for those doing business with Indian entities, much of the detail was left to a rule-making process that has yet to be completed. The Indian government ministries charged with establishing these rules have sought input from the Data Security Council of India (DSCI), a self-regulatory body established by the National Association of Software and Services Companies (NASSCOM),[5. NASSCOM is an Indian IT trade association established in 1988 to facilitate business and trade in software and promote growth of the global offshoring industry.] on several key data security-related terms and provisions left undefined by the ITAA. The DSCI submitted its recommendations to the Department of Information Technology on May 11, 2009.[6. Making of Rules under Sections 43A, 67C and 79 of the Information Technology (Amendment) Act, 2008, available at http://www.dsci.in/index.php?option=com_content&view=article&id=52&Itemid=76.] Until the specifics are finalized and put into practice, companies outsourcing to Indian providers still face many uncertainties about how the law will change the IT landscape and what impact it may have on their relationships with their sourcing providers. Although its efficacy remains to be seen, the ITAA sets the stage for outsourcing providers and their customers to engage in a more robust dialogue about customers’ electronic data and the appropriate measures for securing such data.

The Catalyst for Change Increases in cybercrimes generally, coupled with the terrorist attack in Mumbai (largely effected through coordinated technology efforts), were likely a contributing factor in the recent passage of the ITAA, which had previously been stalled in India’s parliament since 2006. The ITAA expands the scope of cybercrimes (and includes cyber-terrorism), increases some of the penalties for cybercrimes and includes enhanced data retention, access and cooperation requirements for “intermediaries” (i.e., any person who receives, stores or transmits electronic records on behalf of another person, including ISPs and network and telecom providers) and others with responsibility for computer resources. The rapid growth of India’s outsourcing and information technology industries, in which the processing of data is often a critical component, is also a likely contributing factor in the ITAA’s passage. Without the confidence of the rest of the world, particularly the U.S. and Europe, India’s outsourcing industry could risk its competitive advantage. The ITAA represents an investment in India’s data security infrastructure and a signal to the outside world that India is still a stable place to do business.

The ITAA and Protection of Sensitive Personal Data For companies doing business in India or with Indian entities, Section 43A of the ITAA is of particular importance. Section 43A is a new provision designed to hold companies accountable for the protection of personal data. It provides:

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

This provision has a number of important implications for the Indian outsourcing industry and its customers in other parts of the globe.

Establishes Corporate Reasonable Standard Prior to its amendment, the IT Act focused more on individual hackers than on systematic data protection. The pre-amendment IT Act imposed liability on any “person” who (among other things) accesses or extracts data from a computer or network without the owner’s permission, damages the data or programs stored on a computer, or denies authorized access to a computer. The amendment, on the other hand, takes a broader view of the IT landscape in India by recognizing that corporations and other intermediaries also bear some responsibility in ensuring data in their possession is secure. Failure to do so creates a private right of action in the individuals whose sensitive personal information is compromised.

Defines Personal Data Perhaps one of the more important consequences of the ITAA is that it introduces the concept of personal data into Indian law. The original IT Act punished unauthorized extraction of or damage to data, but it did not explicitly target personal data. The ITAA, however, requires companies to maintain the security of “sensitive personal data,” thus recognizing that certain data deserves a higher level of protection.

The ITAA, however, limits the protections afforded to “sensitive” personal data, which is defined in the act as “such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”[7. Section 43A(iii) of the IT Act, as amended by the ITAA.] The Central Government of India has not yet prescribed what constitutes “sensitive personal data,” but the DSCI, at the government’s behest, has recommended that personal information be defined consistently with the EU Data Directive,[8. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “EU Data Directive”).] as information that can identify an individual through one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Sensitive personal information, however, would be defined more narrowly to include health and financial data (but not embracing the broader EU concept of data regarding racial, ethnic, political and religious beliefs, which the DSCI has noted is often publicly known in India).

Notably, the DSCI’s draft recommendations limited sensitive personal information to data pertaining to a person’s health or sex life.[9. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “EU Data Directive”).] As the protection of Section 43A is afforded only to “sensitive” personal data, this would have left financial data unprotected. Although the DSCI has now expanded its proposed definition of sensitive information to include financial data, it is not clear why the act extends the protection only to sensitive personal data or whether the Central Government will ultimately adopt a more expansive definition of sensitive personal data. The EU Data Directive, for instance, affords basic protections to all personal data, and distinguishes sensitive personal data for certain additional protections.

Establishes Security Standards The ITAA also requires the use of “reasonable security practices and procedures,” which it defines as practices and procedures designed to protect sensitive personal information from unauthorized access, damage, use, modification, disclosure or impairment. What constitutes “reasonable security practices and procedures” may be specified in an agreement between the parties or in an applicable law. In the absence of an agreement or law, reasonable security practices may be prescribed by the Indian Central Government. Although this provides little clarity in describing the practices and procedures required, it stresses the need for companies to take a comprehensive and systematic approach to data protection (at least with respect to sensitive personal data).

As of the date of this article, the Indian Central Government had not yet prescribed “reasonable security practices and procedures.” However, the DSCI, noting that appropriate security measures may vary from one organization to the next depending on the type of information processed (and rejecting a “one-size-fits-all” approach), has recommended that companies: (1) adopt one or a combination of industry-recognized security standards, namely ISO 27001[10. ISO 27001 is an international information security management system (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that specifies a set of requirements for the establishment, monitoring, maintenance and improvement of an ISMS aimed at managing information security risks based on a set of high level principles.] and/or the OECD Privacy Principles for design and operation of Information Security Management Systems,[11. Presumably, the Organisation for Economic Cooperation and Development’s revised Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, adopted in July 2002, although the DSCI did not include a specific reference.] and implement such standards within their organization in a manner that is appropriate given the nature of the company’s information assets and its corresponding risk assessment; and (2) publicly declare that it is following ISO 27001 principles (presumably via a website, privacy policy or similar publication, although the method of declaration is not specified). In addition, companies would be obligated to document the standard in writing, along with the specific controls they have implemented to meet the standard and how such controls are deployed. There is no requirement that companies undergo an audit (external or otherwise) to verify that the controls are in place or the effectiveness of the controls. 
However, in the event of a security breach, a company would be obligated to demonstrate to investigators that it had a written security policy, that it was following such policy, and that the controls required by its policy were commensurate with the assets being protected.

Other Important Provisions While businesses focus on the new data protection rules, a host of other provisions of the ITAA has also received attention. Section 66 expands the definition of cybercrime to include identity theft and makes it punishable by up to three years in jail. Sections 66A – 66F define and impose penalties for other cybercrimes, including cyber-terrorism. The ITAA protects intermediaries, such as network service providers, when unlawful content is transmitted on their sites or via their networks, as long as they were not involved in the transmission and exercised “due diligence” in discharging their duties under the ITAA. The DSCI has recommended that intermediaries, in order to obtain the protections of the ITAA, declare their privacy, security and operational policies and procedures for the handling of third-party content and require their subscribers to agree to such policies.

Sections 69 through 69B grant the Central Government the authority to intercept, monitor and block access to electronic information in the interest of national security, and to monitor and collect “traffic data” (data identifying a person, computer system, or location to or from which the communication was transmitted, including origin, destination and other details) for purposes of enhancing cyber security, all in accordance with procedures and safeguards “as may be prescribed.” The Ministry of Communications & Information Technology has posted draft rules prescribing such procedures and safeguards at its website for public comment.[12. Draft Rules under IT (Amendment) Act, 2008 available at http://www.mit.gov.in/default.aspx?id=969.] Among other things, the draft rules require authorities to consider whether there are other ways to acquire the necessary information and to issue orders to monitor or intercept such information only if it is not possible to obtain the information by other reasonable means. The draft rules also place time limits on how long an interception or monitoring order may remain in force, how quickly intermediaries must respond to an order for monitoring or interception of information and how long security agencies and intermediaries may retain the information obtained.

Section 70B creates a government agency, dubbed the “Indian Computer Emergency Response Team,” with responsibility over the analysis and dissemination of information and alerts regarding cyber incidents, the coordination of responses to cyber incidents and the issuance of guidelines regarding information security practices and the prevention, response and reporting of cyber incidents.

Consequences for Outsourcing to India

While the ITAA is an important first step for India in promoting and requiring appropriate data security protections, until it is formally adopted (via publication in the Official Gazette) and fully implemented, with “sensitive personal data” defined, “reasonable security practices and procedures” specified, and the corresponding rules promulgated, companies contemplating outsourcing operations or processes to an Indian provider should take care both in making the decision to move operations involving critical data offshore and in selecting and contracting with a provider.

Practice Pointers

While the ITAA may not necessarily require immediate and specific changes in your existing outsourcing contracts, it will certainly bring data security issues to the forefront for the Indian outsourcing community. Thus, the ITAA’s recent enactment may represent an opportunity to revisit contracts that may not have adequately addressed the issue in the first instance, or longer-term contracts where the existing data security provisions are outdated or otherwise inadequate. The following are some data security considerations to take into account when evaluating your existing outsourcing relationships with Indian providers or in entering into new ones:

  • Diligence Your Provider’s Data Security Practices: Thoroughly evaluate your Indian provider’s information security practices and procedures (including via a site visit, where feasible) before committing to a long-term relationship. Make sure the provider has a plan in place to address any identified gaps or deficiencies and follow up to make sure the plan is implemented.
  • Document Compliance Obligations: Your outsourcing agreement should expressly require your service provider to comply with those data security laws and regulations applicable to the provider (including the ITAA) and those applicable to the operations or functions it will perform for your company. Where applicable, include an obligation to comply with industry standards (e.g., the Payment Card Industry Data Security Standard). In the event the Central Government has not prescribed reasonable security procedures, your outsourcing agreement should specifically define the provider’s data security obligations (which should supersede any less stringent requirements imposed by law).
  • Address Security Breaches: Determine and clearly document your provider’s obligations in the event of a security breach. Your outsourcing agreement should specifically address what constitutes a “security breach,” the circumstances under which the service provider is responsible for the breach, and what happens in the event of such a security breach.
  • Obtain Robust Audit Rights: Include robust audit rights in your agreement, allowing you to verify that your provider is doing what it agreed to do. These rights will be particularly important in the event there is a security breach.
  • Negotiate Appropriate Remedies: Negotiate, and document in your agreement, remedies in the event your provider fails to comply with its data security obligations. These might include indemnities, termination rights and/or other measures.
  • Consider Liability Implications: Consider and document the provider’s liability for direct and indirect damages for security breaches.

We Can Help / About Hunton & Williams

Hunton & Williams’ Global Technology, Outsourcing and Privacy practice has substantial experience advising clients in executing, managing and redefining large-scale outsourcing transactions. With our integrated privacy and sourcing practice, we are able to proactively assist our clients in addressing the complex data privacy and security issues typically encountered in outsourcing transactions. If you would like to discuss the Indian legislation, or need assistance in determining its impact on your organization’s proposed or existing outsourcing relationships, please contact us.

Georgia’s New Non-Compete Statute and its Potential Effect on Technology Companies

By Michael Elkon[1. Michael Elkon is an associate with Seyfarth Shaw LLP in Atlanta. Michael, along with his colleagues Erika Birg and Erin Wetty, worked with bill sponsor Kevin Levitas on Georgia’s new non-compete statute. Michael can be reached at melkon@seyfarth.com. ]

First principles, Clarice. Simplicity.

Silence of the Lambs is one of only three films to win the five major Academy Awards: Best Actor, Best Actress, Best Director, Best Picture and Best Screenplay (Adapted). Much of the cause for the movie’s success can be found in the dialogue between Hannibal Lecter and Clarice Starling. Starling is an FBI trainee who is (at first unwittingly) trying to find a serial killer named Buffalo Bill. Lecter is a brilliant former psychologist turned mental facility inmate. As the movie progresses, it becomes clear that Lecter knows about Buffalo Bill. Although he grows to like Starling, he does not share his knowledge directly with her. Instead, he gives her faint clues: an oblique reference to a storage facility containing Buffalo Bill’s first victim; an anagram that leads Starling to realize that Lecter did not provide Bill’s true identity to the authorities; a vague hint buried in Starling’s voluminous case file. At the end of the movie, Starling finds and kills Buffalo Bill because of her ability to decipher Lecter’s subtle tips.

Attempting to solve a difficult riddle can make for great entertainment, but it can be an unnecessary challenge for a business or an individual when trying to figure out the rules applying to certain situations. This is the case with the law governing non-compete, non-solicitation of customers, and non-disclosure of confidential information covenants in Georgia.[2. These three types of covenants are often lumped together into the category of “restrictive covenants.”] Georgia law is hostile to these covenants, but not in an explicit way like, say, California or North Dakota, which have an outright prohibition on non-competes (with limited exceptions). Instead, Georgia has a dense thicket of cases that create a series of traps for companies seeking to enforce restrictive covenants. Georgia common law has evolved over decades to create a bevy of bushes, branches, and fallen logs over and around which employers must navigate to enforce non-competes and other restrictive covenants. To keep with the Silence of the Lambs metaphor, Georgia courts have not come out and said, “Buffalo Bill lives in a house in Ohio; here’s the address.” Instead, the courts leave hints and clues, requiring a lawyer, much like Agent Starling, to piece them together to decipher what is permissible in a restrictive covenant. The cases on the subject are not anagrams, but they can feel like that, especially to a lawyer who does not practice in the area regularly.

To provide predictability and encourage enforceability of reasonable restrictive covenants, the Georgia General Assembly passed and Governor Perdue signed HB 173, which is codified at O.C.G.A. § 13-8-50, et seq. The statute sets forth rules for the temporal and geographic scope of restrictive covenants, as well as the types of activities that can be proscribed and the categories of employees who can be bound by such prohibitions. The goal of the statute is to create an easily understood legal regime to govern the enforcement of restrictive covenants, as opposed to the heavily populated universe of case law that supplies the current framework.

The statute’s guiding principles will not become effective unless an enabling constitutional amendment passes the Legislature and is then ratified by the voters in the November 2010 election. An amendment is required because the Legislature’s previous effort to pass a statute governing restrictive covenants – O.C.G.A. § 13-8-2.1 – was ruled unconstitutional by the Georgia Supreme Court.[3. Jackson & Coker, Inc. v. Hart, 261 Ga. 371, 405 S.E.2d 253 (1991).] Also, the new statute will apply only to agreements executed after the statute’s provisions become effective, so the current legal rules still remain relevant, although decreasingly so over the passage of time.

Technology companies should be especially interested in HB 173. This is so because restrictive covenants are particularly important in the technology field. “Tech” companies have to be especially vigilant to protect their confidential, company-specific information because so much of their value is bound up in this information, unlike brick-and-mortar assets that dominate the balance sheets of companies in other industries. Instead, tech companies derive much of their worth from information that is, by its nature, portable. Also, because of the novelty of what tech companies often do, they are more likely to have key employees whose move to a competitor could have serious repercussions. The savvy tech company should have tailored agreements for its key employees, and HB 173 will give those companies more latitude in protecting their information and tailoring their agreements. The statute raises three particular issues for technology companies to consider.

1. Replacement of an Outdated System

Georgia’s current rules for non-competes require that an employer specify the exact geographic area covered by a non-compete provision at the time that the employee puts pen to paper.[4. AGA, LLC v. Rubin, 243 Ga. App. 772, 533 S.E.2d 804 (2000).] Nationwide non-compete provisions are almost certainly forbidden under Georgia law.[5. American Software Inc. v. Moore, 264 Ga. 480, 448 S.E.2d 206 (1994).] These rules make sense for professions where an employee will have a defined, local geographic area. For instance, a door-to-door salesman who works within certain zip codes in Fulton, DeKalb, and Clayton Counties could be specifically restrained from competing in those areas. Such geographic specificity is not the case for most tech companies.

Imagine a fictional software company – Figment Programming – that employs high-level developers to create and improve upon the company’s offerings, which are designed for amusement parks. These developers can do their work anywhere in the country as long as they have a computer and an Internet connection. Figment is in a competitive field with a few primary rivals. The current Georgia rules for non-compete provisions do not provide Figment with many options. A nationwide non-compete provision is out of the question, no matter how narrowly the software company draws up the definition of proscribed activity. There is no concept of a sliding scale in Georgia law. A non-compete provision that prevents the employee from working for specific competitors is also an unlikely proposition.[6. There is no clear authority on this question, though arguments can be made that a prohibition against working for specific competitors or starting a competing business should be allowed as within the types of restraints that the courts previously have adopted.]

The new statute would help Figment protect its interests. A nationwide non-compete would no longer be forbidden if the particular situation justified such a restraint. If Figment drafted a provision that covered the entire country, but was limited to the narrow field of programming software specific to amusement parks, it would have a reasonable chance of enforcing the provision. As long as Figment can show that it made a “good faith estimate of the activities, products, and services, or geographic areas” covered by the provision, then it can show that the restriction was reasonable.[7. O.C.G.A. § 13-8-53(c)(1).] Figment could also replace the geographic provision with a specific ban on its programmers going to work for its primary competitors.[8. O.C.G.A. § 13-8-56(2)(B).] The risk with this latter approach is that it would be ineffective against programmers starting their own companies, which is a factor in an industry with lower barriers to entry such as software programming. Finally, and most importantly, the new statute would permit courts to modify restrictions (sometimes known as “blue penciling”) to fit Figment’s legitimate interests.[9. O.C.G.A. §§ 13-8-53(d); 13-8-54(d). The term “blue-penciling” is sometimes used to refer to modification of contracts. In other instances, such as current Georgia law involving restrictive covenants in the sale of a business, it only refers to striking unenforceable provisions out of agreements. Hamrick v. Kelley, 260 Ga. 307, 308, 392 S.E.2d 518, 519 (1990).] Thus, if Figment lists five competitors as being off-limits and a Court finds that an employee would pose a threat if he or she moved to only one or two competitors, the Court can limit the restriction accordingly.

Figment also will need to account for one other provision in HB 173 when considering non-compete provisions for its employees. The new statute states that only four categories of employees can sign non-compete provisions: (1) sales employees; (2) key employees; (3) professionals; or (4) managers.[10. O.C.G.A. § 13-8-53(a). The statute does not prevent employees who fall outside of these four categories from signing non-solicitation or non-disclosure covenants.] There is some question as to whether a high-level programmer is a “professional.” If the answer to that question is no, then a programmer will have to fall into the category of “key employee” to be eligible for an enforceable non-compete agreement.[11. The new statute has a lengthy definition of “key employee”: “‘Key employee’ means an employee who, by reason of the employer's investment of time, training, money, trust, exposure to the public, or exposure to customers, vendors, or other business relationships during the course of the employee's employment with the employer, has gained a high level of notoriety, fame, reputation, or public persona as the employer's representative or spokesperson or has gained a high level of influence or credibility with the employer's customers, vendors, or other business relationships or is intimately involved in the planning for or direction of the business of the employer or a defined unit of the business of the employer. Such term also means an employee in possession of selective or specialized skills, learning, or abilities or customer contacts or customer information who has obtained such skills, learning, abilities, contacts, or information by reason of having worked for the employer.” O.C.G.A. § 13-8-51(8).]

2. New Rules for Non-disclosure Covenants

Technology companies rely heavily on non-disclosure of confidential information provisions because, comparatively speaking, their value often is bound up in proprietary information, including customer data and information. Under current Georgia law, there are two traps for employers who rely on non-disclosure covenants as the sole means to protect this information. The first is that Georgia is one of two states to require a time limitation on non-disclosure covenants.[12. Pregler v. C&Z, Inc., 259 Ga. App. 149, 151, 575 S.E.2d 915, 917 (2003).] The second is that non-disclosure covenants cannot cover any information that is otherwise publicly available, even if the provision also covers truly confidential information.[13. Nasco, Inc. v. Gimbert, 239 Ga. 675, 238 S.E.2d 368 (1977).] Because of Georgia’s strict prohibition against modification or blue-penciling of restrictive covenants,[14. Habif, Arogeti & Wynne, P.C. v. Baggett, 231 Ga. App. 289, 290, 498 S.E.2d 346 (1998).] a mistake in drafting as to either element is fatal.

Coming back to Figment Programming, it is not quite in the situation it found itself with non-compete law where it cannot craft a sufficient restriction because of the lack of a narrow geographic zone of operations. With non-disclosure provisions, drafting a proper and enforceable provision is usually (but not always) possible. The trick is that Figment has to write its provision with Georgia law in mind or else it will lose the protections altogether. This would be a particularly dangerous issue if Figment were a national employer with standard non-disclosure agreements used throughout the country.

The new statute removes this risk as to both elements. The statute permits employers to protect their confidential information so long as the information or material remains confidential.[15. O.C.G.A. § 13-8-53(e).] As mentioned, the statute also permits courts to modify restrictive covenants to cover an employer’s legitimate interests, but nothing more. Thus, Georgia law would be closer to the law in the majority of states, helping national companies with operations in Georgia.

The new law will also lead to better results. Right now, if Figment omitted a time-limit from a non-disclosure provision, then the entire provision would be rendered unenforceable, leaving the company with no protection, other than what is afforded under the Georgia Trade Secrets Act.[16. O.C.G.A. § 10-1-760, et seq.] Under the new statute, a trial court will be charged with making sure that the non-disclosure provision protects Figment’s legitimate interests. Thus, instead of an all-or-nothing proposition, Figment’s oversight can be addressed and Figment can still obtain the protections intended by the agreement.

3. The New Law Aims to Balance the Interests of Employers and Employees

Under current Georgia law, it is very difficult for employers to stop their employees from moving to competitors through restrictive covenants. However, there is a second side to the coin. Georgia employers can hire employees from unsuspecting competitors who may not have properly accounted for the quirks of Georgia law when crafting agreements. In an industry like software development that often entails cross-pollination between companies, this is a relevant consideration. Thus, Figment has a greater chance under the current law of poaching employees from competitors than it would under the statute. The new statute creates a clearer legal regime governing restrictive covenants. Employers and employees alike will have an easier time understanding the rules. They will have greater latitude to write and agree to restrictions that cover what is most important, thus providing an employer like Figment with confidence that when it exposes its programmers to cutting-edge, proprietary software concepts, that information is protected. Employers and employees will know that courts will be empowered to make enforceability determinations based on the facts of a given situation as opposed to one-size-fits-all rules, making sure that only reasonable restrictions are in place. Competitors will know that they will have a harder time poaching employees, customers and other key relationships, and confidential information from one another without serious legal consequences. This is the world that technology companies will be in if the Legislature and voters enable HB 173 in 2010, no longer wondering to themselves “what did that guy behind the glass mean when he said . . . .”

Q & A: Only Fools Rush In!

EDITOR’S NOTE: David will be speaking at the Section’s Technology Law Institute in October. Stay tuned for future details on that event. In the interim, enjoy David’s words of wisdom on handling Q&A sessions.

By David J. Dempsey, JD[1. David is the President and CEO of Neon Zebra, an Atlanta-based communications and presentation skills consulting company with one goal: empowering you to become the BEST speaker you can be, every time you speak. www.neon-zebra.com © 2009 Neon Zebra, LLC]

“Before I refuse to take your questions, I have an opening statement.” —President Ronald Reagan

Here is a bitter truism that those speakers who are rigidly tethered to a speech script do not want to hear: Most speakers do more to inspire, persuade, sell, and inform their listeners by confidently responding to audience questions than by anything they say during the prepared speech. I can hear the “say-it-ain’t-so” wails of anguish from the disciples who never deviate from the prepared speech. Sorry, it is time to leave the safe cocoon.

These unpredictable sessions give you an excellent opportunity to clarify and reinforce points, elaborate on issues, solidify your expertise, address misunderstandings, and perhaps persuade those who seem unpersuadable. Yes, you up the ante when you venture away from the safety of your carefully planned presentation and invite audience input, but the rewards outstrip the risks by a tremendous margin.

A question-and-answer session typically crackles with energy, often generating more interest than the prepared presentation. What accounts for its appeal? During a question-and-answer session, the speaker traipses into uncharted territory. When the questions start flying, everyone, even the drowsiest listener, snaps to attention and perches on the edge of his or her seat, especially if the exchange promises to be heated (such as when the speaker is advocating plunking a halfway house in the audience’s bucolic neighborhood).

A question-and-answer session is a tremendous opportunity—now listen, because this is important—if, and only if, you are prepared. If you are unprepared, the session can quickly become a treacherous minefield, the kind that has doomed even exceptional speakers. If you are unprepared, cower and pray when the questioning onslaught begins.

There are numerous rewards for deftly handling audience questions. Yet sometimes a speaker devotes not a single forethought to them; he just wings it: “I was just strolling through the Q & A neighborhood, and thought, ‘What the heck! Why not take a few questions . . . ?’” That is a sure recipe for disaster. With no planning, this foolhardy speaker is often perplexed by even the most predictable questions. Staggered, he lamely mumbles an unresponsive reply, or he reaches into his handy grab bag of canned answers. If you do that, you can put one gigantic check mark in the squandered-opportunity column. And while you’re at it, let a little air out of your “expert” balloon to boot.

Ten Q & A Rules

All right, you are willing to add a little zest to your talk with questions. Now what? Unless you enjoy living on the edge—bungee jumping or skydiving—don’t enter the Q & A arena without a plan. Study these rules before you invite the first question.

1. KNOW THE TERRAIN

Do not simply cross your fingers and fervently hope that your audience will not ask the questions you are dreading. They will. In the same way that a predatory animal can smell fear, an audience has the uncanny ability to zero in with amazing accuracy on the tough questions. So you better be prepared, lest you find yourself under the heat of the spotlight, babbling and scrambling for some coherent thought.

What can you do? Start by knowing as much as possible about your audience before you speak. Anticipate their questions and plan your responses. Ask yourself the following:

  • Are the questions likely to be pointed and probing or friendly and fluffy?
  • Do my listeners understand the issues?
  • What is the opposing position?
  • What are the strengths of the opposing position?
  • Am I advocating something that threatens my listeners?
  • Am I dealing with emotional or inflammatory topics?
  • What are the weaknesses in my position?
  • Should I concede anything in my response?
  • Do any listeners have a hidden agenda?
  • How will I respond to provocative or irrelevant questions?
  • What will I do if an audience member becomes confrontational?

Know the terrain and your vulnerabilities before you step into the Q & A arena.

2. DEVISE A PLAN

Before you speak, decide whether you will field questions during or after your speech. In your introduction or in your opening comments, clarify for your audience which approach you will take. Each has inherent advantages and disadvantages.

Accepting questions during the speech typically heightens the interest for everyone, it enables you to immediately gauge your audience’s interest and level of understanding, and it gives you an opportunity to correct misunderstandings quickly (what seems clear to you may be murky to your audience). This approach can be risky, however, if one of the questions baffles you or if it is only marginally related to your topic. In addition, the questions might divert your audience’s attention from your message. Finally, if you accept questions during the speech, your allotted time can quickly evaporate, so plan accordingly.

On the other hand, if you hold questions until you have completed your speech, you will be able to cover all of your points without interruption. Unfortunately, however, without immediate input from your audience, you limit your ability to evaluate their reaction to your message. Moreover, listeners may forget their questions or be reluctant to raise a question regarding a subject that you covered much earlier.

Either approach will work, but pick your path before you begin to speak.

3. UNDERSTAND THE QUESTION

Here is a simple rule: If you don’t understand a question, don’t guess. No one will think you are a dunce if you ask the questioner to explain or clarify the question. That is definitely preferable to taking a wild stab or answering unresponsively. If you are clueless but plunge into a response anyway, you may create confusion; irritate the questioner, who will conclude that you are being evasive or flippant; and irk the other audience members, who may think you are patronizing one of their kindred spirits in the audience. Clarify before responding.

4. THANK THE QUESTIONER

If you want to encourage questions, create a friendly, nonthreatening atmosphere. Solicit participation with an open-ended invitation for questions: “I know I covered that topic quickly. What questions do you have?” Also acknowledge and thank audience members for their participation: “Thank you for that question.”

This respectful attitude toward those who ask questions—yes, even when all you really want to do is pop the bozo in the nose—helps to build audience rapport, a worthy goal.

5. REPEAT THE QUESTION

If it is a large audience, repeat the question before responding, to ensure that everyone heard it. The listeners will appreciate your audience focus, and you will gain additional time to consider your response. If you are momentarily stumped, even a few seconds can help while your brain whirs away searching for a reasonably coherent thought.

6. ADMIT IT IF YOU DO NOT KNOW

Some speakers feel that saying “I do not know” will cause them to turn to stone. It is not merely okay to admit ignorance, it is preferable at times. Unless the question is clearly one that you should know the answer to (“Is it not true that Giovanni ‘The Hatchet Man’ Gotti handed you a greasy duffel bag filled with fifty thousand dollars in crisp one-hundred-dollar bills?”), it’s perfectly acceptable to respond by saying, “I am sorry, but I don’t know the answer. Let me see if I can find out and get back to you.”

Understand, however, that there is no substitute for thorough preparation, and if you are intentionally unresponsive (“A greasy duffel bag jammed with cash? Let me think . . . I’m not sure.”) or cagey (“That depends on what your definition of ‘is’ is.”), your audience will quickly become exasperated.

7. REMAIN COMPOSED

Stay positive and composed despite questions that are antagonistic (“Your position is just double-stupid!”), personal (“I would not expect a chauvinist pig like you to understand!”), or irrelevant (“Why, oh why, are we having tuna pot pies for lunch again?”). Do not let hostile questioners provoke an angry response from you. An emotional response is often precisely what they want to accomplish. Be firm but polite. Smile, grit your teeth, and agree to disagree. Shouting invectives may be cathartic, but it is neither helpful nor persuasive.

8. BE BRIEF

Get to the point. Don’t ramble, filibuster, or browbeat when responding. This only annoys your listeners, creates confusion, and generates more questions. Your listeners will better understand and remember concise, focused answers. Being brief also enables you to address more questions in the time allotted. Answer succinctly, and let your listeners get on with their lives.

9. PRACTICE Q & A

Round up all of your inquisitive, annoying, and stubborn friends (don’t tell them that this combination of characteristics is why they were selected) and role-play. Practice responding to their questions. This will hone your ability to think on your feet and to formulate crisp, responsive answers. Have your inquisitors ask every conceivable type of question, because that is exactly what you can expect from your audience: compound, convoluted, and confrontational questions posed by bewildered, inarticulate, and hostile questioners.

Some of the questioners in your audience will have amazingly fertile imaginations; others will have hidden agendas; and still others will just be dunderheads. Inevitably there will be at least one who will thrill to the sound of her own voice and will welcome any opportunity to pontificate. The practice sessions will help you prepare for all of them.

10. STUDY THE VIDEOTAPES

Prepare yourself first; then dive in and analyze the videotapes of both your practice sessions and your live presentations involving Q & A. This process may be painful, but it will be profitable, I promise.

Be analytical, and ask yourself these questions: “Was I responsive, or were my answers gobbledygook?” “Did I remain composed and focused, or did I blather?” “Did I sound confident, or confused?” “Did I focus on the questioner, or did I allow my eyes to dart around?” The videotape reveals exactly what your audience will see, so study it, internalize the lessons, and improve. Deftly fielding questions is a developed skill, which you need to practice.

Venturing from your script can be a tad unnerving, but you can minimize the risks with careful planning. Handle questions adroitly, and you will distinguish yourself and gain credibility with every audience. Just don’t enter that briar patch unprepared; many speakers have done that, and they have not been heard from since.