BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Considering Security, Audit, and Other Key Provisions When Your Supplier Shifts to a More Permanent Remote Work Model

Contract Corner

With the COVID-19 pandemic, many industries experienced a major shift in how the personnel of key suppliers worked, with “nonessential” personnel in large part working remotely. When this shift to remote work first happened (rather abruptly for many companies), security was a critical consideration, but one that was handled in many instances outside the supplier contract, with both parties focusing on keeping business operations going with must-have data and security safeguards in place.

Now that companies and suppliers have had a chance to evaluate the benefits gained from remote work (including reduced overhead costs and better ability to source talent), many companies and suppliers are considering allowing more remote work to be “business as usual.” We are seeing companies dig into what this practice means and what the guidelines are for when remote work is allowed versus when personnel must work at a delivery center. This analysis includes an assessment of what remote work policies are or should be in place, and what potential amendments to supplier contracts are needed to adapt to the change.

Set out below are five major areas of the supplier contract that at a minimum should be reviewed and updated to account for the shift in treatment of remote work.

  1. Permitted Roles
    In the old days (and by old days, we mean pre-COVID), service contracts would specify the supplier’s delivery centers where the supplier personnel would be located and from where the services would be provided. Working remotely would not be permitted unless specifically approved on a case-by-case basis. Fast forward to the present, where many suppliers are pricing their deals on the assumption that a certain percentage of personnel can work from home and not from “delivery centers.” When considering the right to work from home, some key considerations include (a) are there any roles (based on access, security, or collaboration reasons) that the company requires be provided from a delivery center on a regular basis; (b) should all roles regardless of status be tied to a delivery center to allow for the flexibility to require roles to work from designated delivery centers in the future; and (c) should the country or region where the remote workers are located be designated (e.g., should India-based resources be required to work from home in India rather than a different country)?
  2. Security and Defining the Requirement for a Home Office
    References to “home office” are often vague without a clear definition of what constitutes a home office. With the desire in some circumstances to permit more flexibility with respect to “work from home” models, companies are starting to document what is allowed as a “home office” and the associated security and use protocols. For example, a “home office” may be limited to a secure home workspace that (a) is enabled with the necessary supplier-provided technology, including a supplier-provided laptop with the required security software and tools, and connectivity and bandwidth that meet the requirements of the supplier agreement, and (b) allows for the handling of phone calls and other communications in a confidential manner in accordance with the agreement. Further, the supplier should have detailed procedures in place for its remote personnel regarding the setup, maintenance, and use of home offices that, at a minimum, require that a home office be part of the company’s security and use policies.
  3. Connectivity and Remote System Access
    Key features of remote work are the mechanisms for connecting to the supplier’s systems and, if applicable, those permitted components of the company’s systems and environments. Whether VPNs or other approved secure and encrypted methods are required to enable connectivity, these methods (including associated operational and financial responsibility) should be clearly spelled out and understood. Further, the parties may want to document the security tools and hardening requirements for any supplier-provided devices (such as antivirus software, data loss prevention tools, and encrypted hard drives).
  4. Collaboration Tools
    The use of collaboration tools has boomed over the last two years, with many of us embracing these tools to allow for more effective meetings, document sharing, and interactive work environments. It is prudent that the parties agree upfront as to what tools are to be used by the supplier, what data can be stored or processed in or through such tools, and who has operational and financial responsibility for such tools.
  5. Audit and Forensic Investigation Rights
    Many suppliers provide devices for their personnel to provide services remotely. In some instances, personnel may use their own devices. Such devices may access, store, and/or process company data. While the company’s interest in audits and investigations with respect to such devices has not changed, some suppliers are pausing with respect to the extent to which the company may audit and perform forensic investigations on devices that access, store, and/or process its data. Suppliers, on one hand, have privacy concerns, and companies (in their capacity as the customer), on the other hand, do not want to lose their ability to access and investigate devices that are used to access, store, and/or process their data.

Working from home offices will likely continue for many roles provided by third-party suppliers. As part of good governance, it is time to set or reassess the rules for working remotely and associated requirements.