Reducing Security Risks in Information Technology Contracts: Best Practices and Guiding Principles
Michael R. Overly and Matthew A. Karlyn
Effective intellectual property (IP) protection commences with a company's handling its own intellectual property in a systematic and cautious manner. A proper foundation, both in educating employees and maintaining best practices, is a necessary pre-requisite for safe licensing of IP to prospective licensees. The licenses in particular require significant attention to detail in drafting the relevant portions to ensure that no unintended consequences result from loopholes or lack of clarity. This article outlines best practicesboth within and outside a companyfor controlling the handling and distribution of its intellectual property.
Trade Secret Considerations
- All documents containing information that is not generally known to the company's competitors should be stamped "CONFIDENTIAL" or "TRADE SECRET." The primary means of protecting intellectual property rights in software is through copyright and trade secrets. Trade secret protection ensures the software, particularly source code, is always subject to rigorous confidentiality requirements.
- Where software may be readily observed, copied or stolen, the company should control physical access to it. This includes time stamp and/or ID logs of those who have access to, and do access, the software.
- The company should adopt a strict system of data security measures, including strong password requirements, encryption, firewalls, and prohibited use of USB drives. The company should isolate the development and testing environments from the public Internet.
- Establishing and communicating a policy for marking all copyrightable works, including source code and software, should be a principal objective for the company. The company should mark all software with the copyright symbol ©, year of first publication, and legal owner and include a textual marking of the same in the source code.
- The company should implement a process for U.S. copyright registration of all versions of the software, preferably within three months of publication. Software should also be registered with U.S. Customs and Border Protection to prevent infringing copies from being imported.
Joint IP Considerations
In a joint development environment, the company should adopt "clean room" protocols and policies to ensure that existing and independently developed IP is isolated from new and jointly developed work product.
Policy On Embedded Open Source
The company should adopt policies to prevent employees and contractors from embedding any open source software components in the software without management's knowledge. Doing so could compromise IP rights in the proprietary code. There are "wrong" ways and "right" ways to implement open source in a proprietary environment, and the right way requires advance planning.
- The company should implement a system to archive copies of each version of the software. For the purposes of documentation, this system establishes the overall course of software development. Version control software automatically tracks and documents development.
- Verify and document the company's right to use the software and intellectual property of others, including graphics, artwork, software, and photographs.
Implement and enforce company security policies to protect IP assets, including appropriate use of computer and mobile devices, and passwords.
Policies Following Infringement
- Through the use of audit rights and "phone-home" features, actively monitor the use of the company's IP by third parties and take swift action when infringement occurs.
- Ensure that the licensing agreements require the customer, on termination or expiration of the agreement, to uninstall the program code, destroy any electronic copies, and return physical copies of the code.
The company should consider insuring IP against infringement.
Employee Training and Communication
- The company should train employees involved in developing, maintaining, and protecting its software on the need to protect it, how to protect it, and their responsibilities in protecting it during and after employment.
- The company should take steps to secure its IP when employees depart the company by conducting exit interviews concerning IP issues, including discussion of inventions, and return of company property.
- The company should require all new employees to acknowledge that they have not and will not use any proprietary information from any prior employer.
- The company should require all development personnel to execute agreements that (i) require assignment of all IP rights developed while they are employees and (ii) prohibit use or disclosure of confidential information.
- The company should also consider requiring certain employees to execute noncompete and nonsolicitation agreements.
Nonemployees and Subcontractors
- Subcontractors must be subject to appropriate confidentiality agreements. Nonemployees and subcontractors should have access only to modules as necessary to perform their tasks.
- All nonemployees and subcontractors, especially those engaged to create or contribute to the software, should enter into work-for-hire agreements with an express assignment of all IP ownership rights.
Object Code vs. Source Code
- It is important to distribute software only in object code form.
- If object code distribution is not possible, the company should consider:
- Utilizing a source code obfuscator (i.e., scramble the symbols, code and data of a software, rendering it impossible to reverseengineer, while preserving the application's functionality).
- Embedding a "signature" that can be easily traced in the code (e.g., inserting a non-functioning block of code into functions or portions of the code that can later be used to verify whether portions of the code were copied, replacing a commonly used value (e.g., "0") with a symbol, number, or short text string).
Language for License Agreements
- An appropriate End User License Agreement (EULA) should be included with the software and requires acceptance prior to installation or use of the software. Any licensing arrangements should be in writing and should set out the terms and conditions on which the IP may be used.
- In terms of limiting liability, ensure that misappropriation of intellectual property by the customer is excluded from any damage cap or other limitation of liability clause. Breach of the license to the software should result not only in a breach of contract, but should also constitute an infringement of IP rights.
- License agreements should clearly and narrowly describe the specific uses the licensee can make of the software, including whether the software is subject to limitations such as specific hardware, locations, or servers on which it can be operated.
- For software embedded in hardware, the licensee should not be permitted to sell or otherwise transfer the hardware without the transferee's agreement to be bound by the license agreement.
- The license agreement should include express prohibitions against reverse engineering, decompiling, or otherwise acting to discover the source code and trade secrets of the software.
- Documentation accompanying the software frequently contains trade secret and other proprietary information. Its disclosure should be subject to an NDA or other confidentiality obligations.
- In addition to a copyright notice, documentation should include a statement that the material is confidential, constitutes trade secrets of the licensor, and is provided solely in support of the licensee's use of the software.
- Initial discussions with potential licensees and provision of product documentation can be conducted under a standard NDA. Once any code is delivered, however, a license should be required.
- Confidentiality obligations with respect to trade secrets should be perpetual. NDAs and other confidentiality obligations frequently have time limits for their protections. While this may be appropriate for most confidential information, the presence of these limitations could result in waiver of trade secret protection. These provisions should be revised to ensure trade secrets are protected as long as they are protected under applicable trade secret law.
- The company should always include audit rights to ensure proper use of the software. Use a third-party auditor who specializes in conducting compliance audits and determines its fees solely as a function of instances it uncovers in which the licensee has used the software in violation of the license agreement (e.g., the auditor receives a percentage of revenue generated by the excess use, but no other compensation).
- In addition to audit rights, the company should require that, on a periodic basis, an officer of the licensee certifies in writing that all use of the software is in compliance with the terms of the agreement. In particular, the certification should identify all installations and uses of the software. Copies of the certifications should be retained until at least five years after expiration of the license agreement.
- Distribution in foreign jurisdictions should be done with care to ensure the relevant locations respect intellectual property rights.
Source Code Licenses
Escrow the Source Code
- Providing licensees with access to source code is strongly disfavored. If a licensee insists on access, the initial response should be to, at most, escrow the source code with an approved escrow agent. The release conditions from the escrow should be limited to voluntary bankruptcy, the company's decision to cease support of the entire product line, and other appropriate narrow conditions.
Language for Source Code License Agreements
- If source code is to be licensed, it must be done under a specifically drafted source code license agreement that, among other things, does the following:
- Prohibits the licensee from installing the source code on any networked computer (whether an internal or external network).
- Requires the licensee to keep physical copies of the source code in a locked safe when not in use.
- Prohibits copying the source code onto any form of removable media (e.g., USB fobs, CDs, DVDs, removable drives).
- Strictly limits the licensee personnel who can access the source code.
- Prohibits access to the source code by any third-party contractor without the company's express written authorization. At minimum, competitors should be precluded from ever accessing the source code.
- Requires retention of complete and accurate logs of all access to and use of the source code.
- Strictly precludes the licensee from using any open source software in connection with the source code.
- Requires the licensee to indemnify the company from any and all infringement claims that may arise from their revisions to the source code.
- Makes clear that any warranties, indemnities, and support obligations are applicable only to the unmodified version of the software. Once a licensee modifies the source code, the obligation will no longer apply.
- Prevents the licensee from applying for or obtaining any IP rights in any derivative works.
- Includes express contractual provisions preventing the licensee from ever enforcing any rights it may have in the derivative works against the company or its customers.
- Includes a broad, irrevocable license from the licensee to the company for all derivative works. An outright assignment of IP rights would be preferred.
- Requires licensee to follow specific information security measures in handling and using the source code.
- Includes the company's right to audit the licensee's use of the source code, including the use of third-party auditors.
- Clearly and narrowly defines the licensee's uses of the source code.
- States that all licensee personnel coming in contact with the source code must be bound by strict confidentiality agreements.
- States that licensees should be strictly limited in the jurisdictions in which the source code may be used. As noted above, some jurisdictions do not respect or protect IP. In addition to physical transfer of the software to other jurisdictions, the license should also limit remote access to the software in those jurisdictions (e.g., the software is located in the United States, but accessed in Russia).
- If the source code includes encryption technology, its export may be subject to export restrictions in the United States and possible import restrictions in other countries. Be aware that access to such technology in the United States by foreign nationals may constitute a "deemed export."
The dynamic environment of software development warrants genuine caution on behalf of companies participating in this space. In many cases, a company's IP can be among its most valuable assets. Anticipating the potential risks associated with IP can prevent a host of issues from arising after the opportunity to protect IP has passed.
Read more IT Performance Improvement
Certain names and logos on this page and others may constitute trademarks, servicemarks, or tradenames of
Taylor & Francis LLC. Copyright © 20082015 Taylor & Francis LLC. All rights reserved.
This article is an excerpt from:
Even leading organizations with sophisticated IT infrastructures and teams of lawyers can find themselves unprepared to deal with the range of issues that can arise in IT contracting. Written by two long-experienced attorneys, A Guide to IT Contracting: Checklists, Tools, and Techniques distills the most critical business and legal lessons learned through the authors’ decades of experience drafting and negotiating IT-related agreements.
In a single volume, readers can quickly access information on virtually every type of technology agreement. Structured to focus on a particular type of IT agreement, each chapter includes a checklist of essential terms, a brief summary of what the agreement is intended to do, and a complete review of the legal and business issues that are addressed in that particular agreement.
About the Authors
Michael R. Overly is a partner in the Information Technology & Outsourcing Practice Group in Foley & Lardner’s Los Angeles office. As an attorney and former electrical engineer, his practice focuses on counseling clients regarding technology licensing, intellectual property development, information security, and electronic commerce. Michael is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Privacy Professional (CIPP) certifications. He is a member of the Computer Security Institute and the Information Systems Security Association. Michael is a frequent writer and speaker in many areas including negotiating and drafting technology transactions and the legal issues of technology in the workplace, e-mail, and electronic evidence.
Matthew A. Karlyn is a partner in the Technology Transactions Practice in the Boston office of Cooley LLP. Matt regularly represents companies in technology transactions and outsourcing transactions and has experience in both private practice as well as in-house for two software companies. A sought after writer and speaker in the area of information technology and the law, Matt has published over 40 articles, written chapters in several books, and given more than 60 presentations on topics ranging from the latest developments in information technology to best practices for drafting and negotiating information technology contracts.
Interested in submitting an article? Want to comment about an article?
Contact John Wyzalek editor of IT Performance Improvement.