Reducing Security Risks in Information Technology Contracts


Trade Secrets

□ Stamp with “CONFIDENTIAL”

□ Control physical access

□ Use time stamps and ID logs

□ Strong password requirements

□ Encryption

□ Firewalls

□ Prohibited use of USB drives

□ Isolate development and testing environments


□ Establish and communicate policy

□ Mark with © symbol

□ Mark with year of first publication

□ Mark with name of legal owner

□ Include textual marking in source code

□ US copyright registration

□ Register with US Customs

Joint IP

□ “Clean room” protocols

□ Isolate independent IP from joint IP

Embedded Open Source

□ Policy against embedding open source

□ Advance planning for correct embedding if at all

Internal Procedures

□ Archive copies of each software version

□ Verify company’s right to use other IP

□ Enforce security policies

□ Appropriate use of computers

□ Appropriate use of mobile devices

□ Passwords

Policies After Infringement

□ Audit rights

□ “Phone-home” features

□ Swift action upon infringement

□ Terms for end of license

- Uninstall program code
- Destroy electronic copies
- Return physical copies

□ Insure against IP infringement

Employee Training

□ Need to protect software

□ How to protect software

□ Responsibilities for protection during and after employment

□ Exit interviews

Contractual Protections

□ Proprietary information of former employer

□ Assignment

□ Prohibited use or disclosure of confidential information

□ Noncompete agreements

□ Nonsolicitation agreements

Nonemployees and Subcontractors

□ Confidentiality agreements

□ Need-to-know basis

□ Work-for-hire agreements

□ Assignment of all IP ownership rights

Software Distribution

□ Only distribute object code, but if not:

- Source code obfuscator

□ Embed signature in code

License Agreements

□ End-User License Agreement (EULA)

□ Require acceptance of EULA

□ Licensing in writing

□ State clear terms and conditions

□ No limited liability for misappropriation

□ Breach results in breach of contract

□ Breach results in IP infringement

□ Specify narrow uses for IP

□ No selling/transferring embedded software

□ Prohibit reverse engineering

□ Prohibit decompiling

□ Prohibit discovering source code

□ Prohibit discovering trade secrets

□ Disclosure of accompanying documents

□ Explicit statement of confidentiality

Nondisclosure Agreements (NDAs)

□ Standard NDA for initial discussions

□ After code delivery, license

□ Perpetual trade secret confidentiality

Audit Rights

□ Include audit rights

□ Written certification by licensee officer

□ Identify installations of software

□ Retain certification copies for five years

Foreign Jurisdictions

□ Distribute with care

Source Code Licenses

□ Escrow the source code

□ Limit release conditions

□ Prohibit installation on network computer

□ Licensee keeps copies in locked safe

□ Prohibit copying onto removable media

□ Limit personnel who can access code

□ Third party: require written authorization

□ No competitor access to code

□ Keep logs of source code

□ Use no open-source software

□ Indemnify company from all infringement

□ Warranties apply to unmodified software

□ Prohibit IP rights in derivative works

□ License to company for derivative works

□ Total assignment of all IP is better

□ Require specific security measures

□ Right to audit licensee’s use

□ Strict confidentiality requirements

□ Limited jurisdictions

□ Limited remote access

□ Risk of a “deemed export”

Best Practices and Guiding Principles

Effective intellectual property (IP) protection commences with a company’s handling its own IP in a systematic and cautious manner. A proper foundation, both in educating employees and in maintaining best practices, is a necessary prerequisite for safe licensing of IP to prospective licensees. The licenses in particular require significant attention to detail in drafting the relevant portions to ensure that no unintended consequences result from loopholes or lack of clarity. This chapter outlines best practices—both within and outside a company—for controlling the handling and distribution of its IP.

Trade Secret Considerations

■ All documents containing information that is not generally known to the company’s competitors should be stamped “CONFIDENTIAL” or “TRADE SECRET.” The primary means of protecting IP rights in software is through copyright and trade secrets. Trade secret protection can help ensure that the software, particularly source code, is always subject to rigorous confidentiality requirements.

■ Where software or other design information may be readily observed, copied, or stolen, the company should control physical access to it. This includes time stamp and/or ID logs of those who have access to, and do access, the software.

■ The company should adopt a strict system of data security measures, including strong password requirements, encryption, firewalls, and prohibited use of USB drives. The company should isolate the development and testing environments from the public Internet.
