IP Protection in Off-Shore Companies

Steven J. Frank, Partner, Goodwin Procter LLP

Outsourcing development - particularly software programming and information-technology (IT) design, and particularly to countries like India and China - has become institutionalized. Once-loud voices decrying "Benedict Arnold CEO's" have grown hoarse, and lucrative consulting industries now organize and match offshore development teams with growing legions of seekers. Furthermore, offshore activity appears poised to increase. In fact, IDC Research predicts that offshore spending will quadruple by 2007, to $46 billion.

Still, the trend has led to some high-profile instances of buyer's remorse. Most of these involved cost overruns and quality disappointments, the result of poor management in the home country or - depending who's telling the story - inadequate technical skills overseas. Whatever the cause, it is clear that low wages do not inevitably translate into lower project cost.

But some recent experiences have tapped into something more primal. If fear and greed rule Wall Street, the concerns of offshoring enthusiasts have generally centered on the latter. Now gear has become a factor, too, as IT managers begin to question the security of their intellectual property. An IDC survey of U.S. executives concerning offshore business models revealed "unknown legal rights" among the top concerns of business leaders.

In one widely reported case, California software entrepreneur Sandeep Jolly discovered evidence that an employee at his Mumbai, India development center had sent key files and source code to her personal Yahoo e-mail account. When confronted, the employee professed illness, went home and disappeared. Jolly immediately contacted the local police, which had established a cyber-crime unit to deal precisely with such complaints. According to Jolly, the police refused to investigate.

The police say that they found no evidence of theft, and in any case, that Jolly did not have adequate security systems in place. Jolly also claims to have received no help from the National Association of Software and Service Companies (NASSCOM), an industry group that promotes India's outsource capabilities. "We were told that there are patent, copyright and IP protection laws in India," Jolly declared to IT "They failed to mention that the laws are impossible to enforce."

While incidents of software IP violations are not rampant, neither is Jolly's case unique - at least in the United States. Complaints involving IP theft elsewhere are scant. Part of the reason may be a smaller appetite for outsourcing in other countries. European offshoring activities, according to the Gartner Group, amount to about a third of those in the United States. Even adjusting for greater U.S. expenditures on R&D, it is clear that the offshoring trend in Europe has yet to catch fire. And Asian countries are poised to deliver, rather than consume, a growing share of offshoring business.

Offshoring proponents, of course, point out that IP theft is hardly unknown in developed countries. But when proprietary technology gets loose in jurisdictions with poor enforcement records, it often spreads quickly and elusively. Underground business can spring up and compete with the IP owner on a worldwide basis, zapping stolen software, for example, to anyone with an Internet connection and a credit card.

That can happen even if development takes place at home. In 2003, Texas-based Alibre Inc. discovered an apparent clone of its Design 3D modeling software on sale from a Russian Web site. Further investigation identified the shadowy figure behind the side as former Alibre programmer who had returned to Russia after Alibre terminated him.

The laws of many countries (including Russia) do not prohibit practices which, in the United States, would qualify as trade-secret misappropriation, carrying stiff civil and possibly criminal penalties. Indeed, even if the law provides a remedy, vindication is far from assured. Just getting into court may involve delays that render the ultimate decision largely irrelevant. And enforcement authorities in developing countries not only have their hands full with more serious criminal activity, but may prove reluctant to take actions that harm local businesses.

Consumers of offshore development services, therefore, may find themselves on their own when it comes to protecting IP. Common-sense steps center primarily on defining controls and actively monitoring compliance. Working with an established outsource partner can simplify matters considerable; Wipro, for example, a global technology-consulting firm with offshore delivery centers in India, has instituted multi-level security practices to safeguard client information ranging from proprietary designs to patient records.

An outsourcer's first step is always due diligence. Vet the offshore partner for physical measures:

What kind of perimeter, office and IT security does it maintain? What material is made available on servers for remote staff members? Also consider legal and personnel procedures: Do workers undergo background checks and sign nondisclosure agreements? Can they bring source code home? What is the employee retention rate? Is there legal jurisdiction in the outsourcer's home country?

Outsourcing contracts should include explicit language detailing data and physical security. It's critical for the outsourcer to define responsibilities, securing practices and penalties, obtain the offshore partner's agreement, and then integrate monitoring of these metrics into project management. No same company would write checks to a developer without detailed progress reports and interim audits; the same mindset should dictate oversight of security compliance and reporting requirements. The outsourcer must learn of problems immediately as they arise.

Without reliable institutions for IP enforcement, outsourcers must place their faith in prevention rather than cure. But even the best safeguards can never guarantee invulnerability. The ideal self-help strategy, therefore, extends beyond prevention and assumes the possibility of leakage - outsourcing IT projects in a modular fashion to different developers, for example, so that loss of any one component does limited damage, or restricting offshore efforts to products that have no value without the support and service infrastructure that the originator provides. In adjusting to the business and technical challenges of moving development half a world away, outsourcers must not ignore the less visible but equally charged issues surrounding their IP.