Insider Theft of Trade Secrets in India: Employee of Captive R&D Subsidiary Accused of Source Code Theft (and What You Need to Know About Protecting Your Trade Secrets Abroad)
Posted October 9, 2009 by Bierce & Kenerson, P.C. · Print This Post
In a global economy, which risks are greater: theft of trade secrets by a service provider or theft of trade secrets by an employee of a foreign subsidiary? How can a global enterprise contain such risks in either case? The story of theft of source code by an employee of an Indian research and development center highlights the need for proper strategies for risk mitigation in the face of the inherent risks of human nature.
Indian R&D Center, Site of Source Code Theft.
On August 4, 2004, Jolly Technologies, a division of U.S. business Jolly Inc., publicly reported that one of its employees at its Mumbai, India R&D center had misappropriated key ports of source code being developed along with confidential documents. The trade secrets relate to one of its key products for the labeling and card software for the print publishing industry.
Profile of a Thief and a Theft.
Jolly Technologies was new to India. Its center was established only three months prior to the trade secret theft. The employee alleged to have stolen the trade secrets was a new hire. The theft was done by simply uploading the source code to her Yahoo account.
Consequences to the R&D Center.
Jolly reportedly shut down its R&D center immediately to assess and contain the damage. It also sought assistance from Indian police to deal with the matter as a criminal act. The company’s investment may be a loss, and it may need to expend further resources to prevent the use by its competitors and other third parties of any stolen source code.
Security Precautions.
The theft shows how simple it is for any person with Internet access to misappropriate trade secrets.
- Data Export Controls on Internet Access.
Internet access may be essential to virtually all knowledge-economy employees, so management may consider that shutting off Internet access may be impossible. The Affaire Jolly suggests that software development might need to occur in an environment that allows employees access to information but does not allow them to transfer certain types of information from a company computer to anyone via the Internet. The advent of network administration software, XML metatags, html, virus sniffers and spam blockers may introduce technology that allows a company to prevent the transfer of source code to unauthorized Internet addresses.- Segregation of Function.
Most software development projects start with modules and build into integrated suites of modules. In the manufacturing sector, complex trade secrets may be protected by separating multiple manufacturing processes into separate functions and separating the component processes. This can be done by either putting the component processes into different operations or by separating subassemblies from final assembly. Software development could be structured similarly, though segregation of function reduces efficiency. Background Checks.
The new hire at Jolly Technologies might have been investigated for a possibly criminal background. But background checks probably do not help with curious employees interested in studying stolen code or restructuring it for possible other purposes.
Legal Precautions.
The trade secret theft also highlights the weakness of national legal systems where, in the case of India, courts have historically taken a decade to decide civil disputes. Whether establishing a foreign captive service subsidiary or hiring a foreign service provider, the legal environment and legal precautions are critical to risk management.
- Statutory Protection for Trade Secrets.
Most countries hosting R&D centers or outsourcing service centers are members of the basic international conventions on the protection of intellectual property. Even China, by adhering to the World Trade Organization, now officially grants intellectual property rights under the WTO Agreement on Trade-Related Intellectual Property right (“TRIP’s”). India has long been a member of the Paris Convention on Industrial Property and protects copyrights, patents and trade secrets. As the Affaire Jolly demonstrates, it is not sufficient to have a legal right. You need to have a credible forum for enforcing those rights. - Contractual Commitments.
Well-advised enterprises require their employees by contract to abide by various policies and procedures, including respect for intellectual property rights and trade secrets of the employer and third parties doing business with the employer. Contractual commitments are a basic requirement of any IPR protection. - Security Surveillance.
Jolly’s security surveillance, by an internal audit, discovered the theft. Pre-emptive security precautions cannot prevent fraud or theft, but surveillance can discover it. - Risk Mitigation after the Theft.
After the horse has left the barn, how do you get it back into the barn? In a global digital economy, the only solution might be to find some way to tag the digital works, just as ranchers did for their cows in the 1880’s.- Court Systems.
Indian courts now have a commercial part that is intended to accelerate adjudication. It is not clear whether the Mumbai courts offer any real adequate forum, and even adjudication of civil liability does not automatically result in enforcement of a money judgment. Access to court systems are so fundamental to investors and employers that the issue should become one of diplomatic entreaty (as the U.S. has done with China), investor due diligence, and recommendations by intermediaries such as trade associations (such as Nasscom and ITAA), venture capitalists, private equity funds and investors and multinational enterprises and their advisors such as international business lawyers and business process and sourcing consultants.. Ratings on access to judicial systems should be part of the due diligence in all international operations.
- Court Systems.
Other Measures.
Insurance may be available, but the consequential loss may be too high for a fair premium.
Conclusion.
In captives and outsourcing, IPR protection needs practical and legal protections. Blatant misappropriation will continue as a matter of human nature, so risks can only be mitigated. Effective methods of mitigation will continue to evolve. Technology and IP lawyers should be consulted before international operations are launched.