May 2011

A fundamental expectation of clients in any commercial transaction is that counsel understand the business deal.  When procuring Wireline voice and data communications services,  major businesses, institutions and state governments make five fundamental business decisions.  The first four apply to Wireless services procurements.
              1. Service
              2. Choice of Carriers
              3. Pricing
              4. Minimum Purchase Commitments
              5. Wireline Service for Enterprise Data Communications

1.       Services

The major domestic Wireline carriers are AT&T, Verizon, Sprint and Qwest/CenturyTel .  The core services these carriers offer to enterprise customers include long distance, VoIP, audio conferencing and various data services—high-speed Internet access, frame relay, private line (TDM and Ethernet), and Multi-Protocol Label Switching (“MPLS”) services.   As a rule, local exchange service remains regulated and is not included in these deals.  These carriers offer related services, such as network (router) management , data center (collocation) and network security services, but are not yet substantial providers of cloud computing or content delivery services.   Customer premises equipment  (routers and switches) typically are not bundled with these services.

All of these carriers offer international services ( i.e., services between the US and other countries).   Multinational enterprises also are interested in Rest-of- World (“ROW”) services (i.e., services between and sometimes within foreign countries).  Several domestic carriers and foreign carriers such as Telefonica and BT offer ROW services.

The Wireless voice and data services available to enterprise customers are largely the same as those offered to consumers, although pricing options are different.  Handsets are bundled with Wireless services.  The principal domestic providers are AT&T, Verizon Wireless, Sprint and T-Mobile.  Available handset options, in-country coverage, Wireless data options  and the extent to which domestic carriers coordinate or manage wireless services in other countries are among the critical decision points.  Wireless service offerings tend to be country-centric.

2.         Choice of Carriers

Wireline and Wireless services are highly commoditized offerings with high  market entry barriers.  Enterprise customers typically utilize RFPs and consultants specializing in procuring these services.   Properly crafted RFPs include substantial information regarding enterprise traffic and bandwidth requirements and service preferences.  As discussed below,  the real-world prices paid by enterprise customers are not publicly available.

Enterprise customers have a strong interest in limiting the number of Wireline and Wireless carriers, respectively, from which they obtain service, principally to clarify responsibility for service quality, provisioning and trouble resolution, maximize bargaining leverage, and develop a mutually beneficial business relationship.  Typically, Wireline and Wireless carrier selection decisions are made independent of each other.

Continue Reading Understanding the Business Deal in Wireless and Wireline Services Agreements

Don’t let the Committee on Foreign Investment in the United States (“CFIUS”) be your 3:00 AM phone call after your sale of telecom or information technology assets to foreign investors has closed.

CFIUS “is an inter-agency committee authorized to review transactions that could result in control of a U.S. business by a foreign person … in order to determine the effect of such transactions on the national security of the United States.” (see U.S. Department of the Treasury, The Committee on Foreign Investment in the United States (CFIUS), Resource Center). Obtaining CFIUS’ blessing is voluntary, but CFIUS has the authority to review transactions on its own. The CFIUS may recommend to the President of the United States to involuntarily suspend or prohibit your transaction if your deal has a negative impact on national security 50 U.S.C. § 2170(d).

The concern over foreign investment in the U.S. is not new. For example, the International Investment Survey Act requires that foreign direct investment in the U.S. be reported to the Bureau of Economic Analysis 22 U.S.C. § 3101-08., and the Foreign Investment in Real Property Tax requires foreign persons to pay a tax when they dispose of US real estate (see, FIRPTA Withholding). CFIUS tracks foreign involvement in mergers, acquisitons, takeovers, long term leases and joint ventures of critical infrastructure.  Critical infrastructure is not defined by class or size of transaction, but by impact on national security (31 C.F.R. § 800.208).

James K. Jackson writes:

The broad sweep of industrial sectors in the economy that fall within the terms “critical infrastructure,” “homeland security,” and “key resources” reflects a fundamental change in the way some in Congress view national economic security. From this viewpoint, economic activities are a separately identifiable component of national security and, therefore, should be protected from foreign investment that transfers control to foreigners or shifts technological leadership abroad.” (see Foreign Investment, CFIUS, and Homeland Security: An Overview)

The Department of Homeland Security is tasked with identifying critical infrastructure industries relevant to CFIUS review, and that list currently includes telecommunications (see DHS Critical Infrastructure Sectors).

Clearly, voluntarily reporting and additional due diligence are considerations for transactions involving foreign investors.

The recent United States Supreme Court decision in AT&T Mobility LLC v. Concepcion, heralded by many as a win for business over the consumer, actually was an affirmation of  agreements to arbitrate disputes  under federal law.

The Court found that the Federal Arbitration Act preempted state law that negated an arbitration provision in this instance.  The Supreme Court noted that the “overarching purpose” of the Federal Arbitration Act was to “ensure the enforcement of arbitration agreements according to their terms . . . .”  The Court affirmed that contracts that provide for resolution of disputes by arbitration are enforceable and are supported by “a “liberal federal policy favoring arbitration.”  This liberal policy applies whether the contract is between two businesses, even if of unequal negotiating strength, or between a business and a consumer.

Thus, if a party favors dispute resolution through arbitration there is now an extremely high expectation that a properly phrased arbitration preference in an agreement will be enforced. All that is required is a clearly worded clause that establishes an agreement to arbitrate any dispute related to the contractual relationship.  Whether such an agreement is advisable and what other provisions might be included  are topics for future posts.

Amazon’s analysis of its extended cloud computing outage, as summarized in Richi Jennings IT Blogwatch, raises an important question for counsel advising clients negotiating agreements to procure cloud computing, content delivery and data communications services:  Should the agreement include a provision defining a service problem threshold and/or a series of problems threshold that triggers a right to terminate the agreement? We believe such a provision should be included, notwithstanding significant service provider pushback.

Several reasons underlie this position:

  • The concept of “cure” in standard breach and default provisions doesn’t really work.   Telecommunications and technology services agreements call for a service to be provided for a defined period of time.  When the service is unavailable or substandard during this period, the lost operating time cannot be recaptured.     
  • The widespread use of service level agreements (“SLAs”) impliedly recognizes that the “opportunity for cure” approach is largely irrelevant in circumstances when service is inadequate or unavailable.    
  • Standard SLAs are premised on the assumption that outages and periods of degraded service will be limited in duration and that credits and escalated response provide a sort of rough equity and reasonable compensation.
  • When an outage is extended, standard SLA remedies do not begin to compensate the customer for the disruption to its business.  

The potential termination of a problematic service relationship may give rise to the concern of “the cure being worse than the disease” because migrating from one services provider to another is often time-and resource-intensive and disruptive for the customer.  Thus, a service provider transition clause should always be included so the customer has adequate time to re-procure the service and migrate to a replacement provider.  During this transition, the service provider must be obligated to continue to provide and support the service and the customer must continue to pay for the service.

Clearly, reasonable contract provisions do not obviate the need for redundancy and contingency plans, as noted in a thoughtful blog post on the Amazon outage by Sharon Machlis.  On the other hand, a customer’s decision to procure back-up or alternative service should not negate a customer’s right to terminate an agreement when the primary service is degraded or unavailable for extended periods.  The service provider has put the Customer’s business at serious risk.  The customer purchased the insurance (redundant or back-up service) for its protection, not the services provider’s.

In April, we witnessed some of the largest data breaches in U.S. history, one of which reportedly affected more than 100 million consumers.  Those breaches occurred as two comprehensive privacy bills- the Commercial Privacy Bill of Rights Act of 2011 and the Consumer Privacy Protection Act of 2011– were introduced in Congress, and they sparked investigations from officials and regulators around the world.  This landscape increases the likelihood of action on federal privacy legislation this year, which could change the way that companies collect, use, store, and share personal information online and offline.

Recent breaches illustrate the ways that personal information can be compromised.  In April:

  • Sony  experienced an unauthorized network intrusion that compromised account information for the PlayStation® Network and Qriocity™ service, including names, addresses, email addresses, birth dates, passwords, and logins for more than 70 million consumers;
  • One week later, Sony announced that hackers may also have stolen information for approximately 24.6 million Sony Online Entertainment customer accounts, as well as information from a database with 12,700 non-U.S. credit or debit card numbers and 10,700 direct debit records of customers in Europe;
  • The email marketing provider Epsilon (whose clients include major supermarket chains, hotel chains, banks, and retail stores) announced that a hacker obtained customer names and email addresses from the company’s system (but not more sensitive information, such as credit card numbers and social security numbers);
  • The Texas Comptroller’s office inadvertently disclosed personal information of about 3.5 million residents (including names, addresses, social security numbers, dates of birth, and driver’s license numbers) on a server that was accessible to the public; and
  • A New York Yankees employee sent an email to season ticket holders that mistakenly attached a spreadsheet with names, addresses, phone numbers, fax numbers, email addresses, and Yankees account numbers for approximately 20,000 ticket holders.

We are still experiencing the aftermath of the Sony and Epsilon breaches.  Just days after Sony reported the breach, the company was named in a class action lawsuit, and Rep. Bobby Rush announced  his intent to reintroduce data security legislation.  Senator Richard Blumenthal requested an investigation  of the Epsilon breach, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade sent letters to both Sony and Epsilon inquiring about the breaches, and the Subcommittee Chair, Rep. Mary Bono Mack, stated  that she plans to introduce legislation.

Given the possibility of lawsuits, government action, and not to mention negative publicity following a major data breach, all companies that handle personal information and/or entrust it to other parties should carefully assess their policies, practices, and procedures before an incident occurs and get ready for new laws down the road.