Summary: If you are planning to engage an outsourcing development company, understanding the safety of IPRs is very important. With so many dubious outsourcing vendors in the market, it is important to only deal with someone that has ability to protect your IPRs.
How do you protect your IPRs with a company that has no legal jurisdiction in the US? NDAs aren’t even worth it since it is very difficult to impose them on a foreign entity.
Nature and critical importance of intellectual property vary across industries and types of business. Software development outsourcing requires high level of knowledge sharing between customer organization and vendor. Consequently, IP rights of stakeholders are involved in one form or another. Thus intellectual property management and data protection issues have become increasingly important for businesses utilizing offshore/nearshore outsourcing.
Intellectual property that can be transferred to the vendor may include software, data, business and technology processes, trade secrets, inventions, know-how as well as other confidential information and works of authorship. Furthermore some of it may belong to third parties and require licensing.
Both customer and vendor must properly administer their IP and stick to overall business objectives in order to effectively manage information sharing. Benefits of sharing IP assets must outweigh risks associated with outsourcing.
The World Intellectual Property Organization (WIPO) emphasizes two critical IP-related concerns in offshore outsourcing: ownership of IP and “inadvertent, accidental or willful disclosure of confidential information and trade secrets” (loss of business knowledge). But in most cases these concerns can be overcome by properly conducting IP due diligence, thoroughly evaluating the vendor and taking appropriate IP-protection measures.
IP Due Diligence
Prior to concluding any outsourcing initiative customer organization should conduct IP due diligence and risk assessment. As a result the company will be able to safeguard its intellectual property and clearly define which functions should be kept in-house and which can be outsourced.
IP due diligence may include the following indicative steps:
- Identify areas of critical importance to your business
- Carefully assess business knowledge and determine if moving it outside the company or to an offshore location will compromise company practices
- Identify and document all of the IP assets associated with the outsourced task
- Determine ownership rights in the identified IP
- Carefully review third-party or jointly-owned IP
- Identify existing or alleged breaches of contract, infringements, disclosure of confidential information and trade secrets
- Assess how well the legal infrastructure in the foreign country will protect IP rights
- Determine jurisdiction and enforcement (applicable laws, their enforceability, dispute resolution mechanisms)
- Define termination, expiration or exit clauses of arrangement
- Determine other IP-related responsibilities if applicable: ongoing maintenance and upgrades to the IP; payments of transfer fees; product liability, IP insurance, etc.
Having conducted IP due diligence, the organization can proceed to evaluation of potential outsourcing partner. Results can be used during negotiation of outsourcing agreements to provide for IP-related issues that may arise.
Practical business negotiations should be initiated only after being satisfied with vendor’s reputation, resources and compatibility of business culture. They should focus on the steps needed to be taken by both parties in order to safeguard and ensure proper use, sharing, licensing, development and improvement of the IP during and after the relationship. It should also include any relevant IP assets of third parties.
Selection of the outsourcing vendor in the context of IP-related issues
When outsourcing, customer organization should scrutinize potential partner’s ability to safeguard confidential information of commercial value against misappropriation, misuse, sabotage, loss or theft.
- Check that the vendor has a documented and enforceable information security management policy in place
- Review outsourcing vendor’s data security and IP protection practices as well as processes they have in place to protect customer’s confidential information
- Check whether additional security policies can be implemented to protect your sensitive data
- Provide vendor with only the minimum proprietary technology or data needed to complete the project
- Insist on clear documentation of all source code of your project as it becomes your company’s property and is legally protected
- Scrutinize physical security and personnel practices, policies and procedures
- Demand tight human resources screening, look for employee retention figures
- Find out whether vendor does business with your competitors; if yes, ensure that there is no contact between respective teams
- Choose an established partner that complements your business strategy and understands how to implement required level of security
Practical measures for protection of intellectual property
Intellectual property is one of the company’s most valuable assets. This is especially true for SMEs and startups where it can be the only tangible assets. Risks of not protecting IP are further escalated when outsourcing comes into play. That’s why customer organizations must effectively deal with related issues and use all types of IP protection: physical, electronic and legal.
Physical and electronic protection of intellectual property
- Treat data security as an exigency
- Limit the number of people who have access to the full information
- Make sure that outsourcing vendor has a physically secure facility (mechanical and electronic access control, intrusion detection, video monitoring etc)
- Check whether offshore team uses computers without removable media to reduce the risk of unauthorized access to your IP
- Ensure that in-house employees understand what information can and cannot be shared
- Use firewalls, VPN, encryption and other measures to prevent breaches of security in electronic environment, which may lead to disruptions in the supply chains
- Protect important information, such as source code, with passwords and access codes, and make sure that they are not widely available (both onsite and offshore)
- Always maintain original copy of the source code
- Make sure that any test data being used does not reveal real information
Legal protection of intellectual property
- Determine what country’s legal system will govern and have jurisdiction over contract disputes
- Work to understand the legal system and culture of both countries
- Find out how IP rights enforcement works in provider’s country
- Negotiate a clearly stated contract that specifically addresses business knowledge and IP-related issues and make vendor responsible for the actions of its employees. This will allow to ensure appropriate protection, avoid disagreements and prevent litigation
- Clearly define compliance audit procedures prior to engaging into outsourcing relationships
- Clarify licensing and source code ownership
- Consider open source software issues
- Enforce individual privacy in the context of database protection obligations (if applicable)
- Rely on non-disclosure and non-compete agreements with the vendor or its team members for keeping vital business information confidential
- Define mechanism for possible dispute resolution and arbitration