Takeaways

  • Third-party suppliers of technology products and services are notifying their customers that they are implementing business continuity and recovery plans in light of COVID-19 and are requesting written authorization for remote work arrangements.
  • Suppliers rightfully feel compelled (if not strictly legally obligated in all cases) to look after the health and safety of their personnel (and their customers) and to comply with applicable laws and any governmental restrictions that are put in place.
  • It is necessary for customers to understand the pandemic planning efforts of their key suppliers and to consider what back-up options exist if a supplier is unable to adequately provide a critical service.

Third-party suppliers of technology products and services are notifying their customers that they are implementing business continuity and recovery plans (BCPs) in light of COVID-19 and are requesting written authorization for remote work arrangements. These requests typically are broad in scope, open in timeframe and, in some cases, provide certain information about the security, connectivity and continuity protocols that the supplier will put in place.

We expect customers to receive an increasing number of these requests in the coming days and weeks. When considering these requests, it is important for the customer to assess and respond in a manner that is as consistent as possible across its supplier base, subject to deviations appropriate for different services. Below are key topics to keep in mind.

More generally, it is necessary for customers to understand the pandemic planning efforts of their key suppliers and to consider what back-up options exist if a supplier is unable to adequately provide a critical service.

Supplier Position

Like other companies worldwide, suppliers are grappling with how to respond to the spread of COVID-19. Suppliers rightfully feel compelled (if not strictly legally obligated in all cases) to look after the health and safety of their personnel (and their customers). Suppliers also must comply with applicable laws and any governmental restrictions that are put in place (e.g., executive orders, government directives or legislation regarding travel restrictions, limits on group size, quarantines, etc.). In this regard, as is the case with its customers, each supplier will do what it believes it must do to protect itself and its people.

Customer Flexibility

It is in the customer’s interest to grant these remote work requests (within certain parameters, as noted below). During a time of crisis, it is paramount that the services provided by the suppliers continue uninterrupted and with no (or as little as feasible) degradation. If the customer does not authorize the remote work arrangement, the chances increase that the supplier may be unable to perform and may declare a force majeure event per the terms of the agreement. For example:

  • The supplier cannot perform because a significant number of its personnel on the customer’s account become ill because they had to be in the workplace, or must self-quarantine due to potential exposure while at the workplace.
  • The supplier cannot perform because the governmental authorities have required all non-essential businesses to shut down.
  • The supplier cannot perform because it has instituted a company-wide work from home policy for health and safety reasons, but it does not have the requisite authorization from the customer.

Of course, the extent to which a supplier can rely on a force majeure occurrence (and the rights and obligations it has upon such an occurrence) requires careful review of the force majeure provisions in the relevant contract. In the absence of a force majeure provision, a supplier may seek to rely on common law principles, such as impracticality of performance or frustration of purpose.

Customer Considerations and Parameters

When considering a supplier request for written authorization for remote work arrangements, the customer should consider the following:

  • DR/BCP. Does the disaster recovery/business continuity plan in place with the supplier already address remote work arrangements? If so, that will inform how the customer responds. In addition, has the supplier’s request come in the context of a disaster declaration or DR/BCP plan implementation? If so, the remote work arrangement will be merely one element of a broader shift in how the services are delivered.
  • No Service Interruption. The authorization should state that the remote work arrangement will not interrupt the performance of the services and that the supplier will continue to meet all contractual requirements (including meeting service levels). In this regard, consider whether it is appropriate to allow the supplier to “pause” on performing certain non-essential services in order to minimize any potential security exposures from the remote work arrangement or perhaps grant a service level credit holiday (for a defined duration) for those non-essential services.
  • No Waiver. The authorization should make clear that the customer is not waiving any of its rights under the agreement or any supplier obligations or defaults under the agreement. The customer should not sign up to any broad waivers with respect to service delivery. Any such waiver, if appropriate, should be narrow and time-limited.
  • Security and Connectivity Protocols. The authorization should set out what security and connectivity protocols will be in place for remote work. These protocols should be reviewed with the customer’s information technology and security teams. Note that any such protocols may not meet all the rigorous data security requirements of the underlying contract (e.g., “clean room” standards that often apply to customer-dedicated areas of supplier facilities). In this regard, some flexibility on the customer’s part is important and may be a necessity in some areas. In addition, such protocols may differ depending on the nature of the service and the level of access to sensitive customer data.
  • Scope of Personnel. The authorization should make clear what supplier personnel are within the scope of the remote work arrangement. Is it everyone? Does it depend on the nature of the service? Does a geographic segmentation make sense? What about subcontractors?
  • Timing. The authorization should make clear that the supplier will return to normal operations as soon as possible.
  • Customer Approach/Supply Chain. Customer responses to such supplier requests also should be considered within the context of the customer’s own approach to this issue. What is the customer’s own remote work policy? What communications is it making to its own personnel and clients? The service that the supplier provides is one link in an overall supply chain of the customer’s business.

Pillsbury’s experienced crisis management professionals are closely monitoring the global threat of COVID-19, drawing on the firm's capabilities in supply chain management, insurance law, cybersecurity, employment law, corporate law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation.