Hewlett-Packard Chief Security Strategist Ira Winkler answers readers’ questions about securing intellectual property and handling corporate espionage.
Q: How should companies address the problem of sensitive information (customer or employee data) leaving the company through e-mail, IM and printouts?
A: This is a very big problem for many organisations. While there are products available, and in development, the technology to provide a reliable solution is not there yet. Some word processors have distribution features, such as limited printing. You may be able to get products that feature extrusion detection. You can also get a clever administrator to configure your perimeter security (firewalls, intrusion detection systems and content filtering tools) to scan outgoing data in the same way you scan incoming data. You can remove floppy drives, but USB ports can make that effort moot. Controlling analog lines is a must. For the short term, you can do only what is feasible for your own situation and then rely on data classification, nondisclosure agreements and employee adherence to your data distribution policies.
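The outbound scan suggested above can be sketched in code. The following is an added illustration, not Winkler's or HP's code: a minimal egress content check that flags messages carrying the organisation's own classification labels or customer-data patterns (a Luhn-validated card number, a US SSN layout), returning only masked fragments so the filter's log does not become another leak. The labels and sample messages are constructed for the example.

```python
import re
# Constructed classification markers; assumes the organisation stamps
# documents with labels like these under its data classification policy.
CLASSIFICATION_LABELS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")
# 13-16 digits with optional single space/hyphen separators (card numbers).
_CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN layout (employee data)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; cuts false positives from invoice and tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_outbound(message: str) -> list:
    """Return (finding_type, masked_detail) pairs for one outbound message.
    Details are masked so the filter's log is not a second copy of the data."""
    findings = []
    upper = message.upper()
    for label in CLASSIFICATION_LABELS:
        if label in upper:
            findings.append(("classification-label", label))
    for m in _CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card-number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in _SSN_RE.finditer(message):
        findings.append(("ssn-pattern", "***-**-" + m.group()[-4:]))
    return findings


def should_quarantine(message: str) -> bool:
    """Policy hook: hold the message for review if anything was flagged."""
    return bool(scan_outbound(message))


if __name__ == "__main__":
    # Constructed sample outbound messages (not real customer data).
    for s in ("Attached is the INTERNAL ONLY pricing sheet, please forward.",
              "Card on file: 4111 1111 1111 1111, exp 12/29",  # Luhn-valid
              "Tracking 4111 1111 1111 1112 shipped today",     # fails Luhn
              "Lunch at noon?"):
        print(should_quarantine(s), scan_outbound(s))
```

The same function can sit behind a mail gateway, an IM proxy or a print spooler hook; the pattern list, not the plumbing, is what the data classification policy has to define.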
Q: My contract with a Web development company was recently terminated without just cause. I completed the design and supervision of three projects but have not been paid for the weeks leading up to my termination. Can I retain intellectual property rights over the design of the projects? Can I advise the company's clients of my claim to the property?
A: The short answer is no; consult a lawyer immediately. Your contract should hopefully address conflict resolution. It appears that you were part of a team, so you cannot easily claim ownership of any individual aspect of the projects. Contacting your client's clients would probably open you up to more trouble. A lawyer should tell you what recourse you may have, which, unless the contract is extremely favourable to you, is probably limited to suing the company for money. There may even be a binding arbitration clause. Again, consult a lawyer who is an expert on contract law.
Q: What are the major requirements for a nondisclosure agreement, and where can I find a good example?
A: The first answer is, "It depends." There are two types of NDAs — one-sided and mutual. If you write the agreement, you usually want it one-sided to put the requirements on the other party. Frequently, it may be a mutual nondisclosure statement to put equal requirements on both parties. If someone asks me to sign one, I want it to be mutual.
The agreement should include at least a definition of what it covers, what is excluded, why the agreement is in place and why the parties are providing the information. It should also state the exclusion of information that would be or becomes public, how long the NDA is applicable (outlining when you are free from obligations), the penalties for violating the terms of the agreement, whether arbitration is required, the state where violations should be filed and the state whose laws will be followed. There may be more stipulations depending on the nature of the agreement.
If you are asked to sign an NDA, be careful about clauses that may be detrimental to you in the future. For example, I have seen some companies try to sneak in noncompete and "do not hire" clauses.
Concerning sample NDAs, you can buy legal document software or books with samples. For important or frequently used documents, have a lawyer create them.
Q: If your development partner has an offshore programming site, what are reasonable controls for it to meet? Do you recommend onsite visits?
A: In an ideal world, I would want the development partner to be a US-based company that happens to have an offshore site. Otherwise, the company you use should be well-established.
Policies and procedures should clearly state how the company and its employees are required to treat your confidential intellectual property. These policies should also stipulate that you own all rights to the software that you contract for development. Since the amount of effort you put into protecting intellectual property is a balancing of risk, you have to determine what is at stake. I would also recommend that you re-review the developer's procedures at least every six months. You pursue offshore options to save money; however, there is always a cost. If you try to save money up-front by cutting corners, it can end up costing you much more in the end.