Few areas of law have evolved as rapidly as the legal interfaces between intellectual property and information technology. The lack of reliable precedent and the sheer number of cases of first impression have necessitated the grafting on of legal principles to both analogous and seemingly non-analogous situations. The results are often mixed, at best. Additionally, as various technologies continue to evolve and as new ones emerge, new issues appear to arise on a nearly daily basis. The list of topics that follow are what appear to be some of the more pressing issues that corporate counsel (and those who regularly advise corporate clients) should take into consideration.
I. Internet Policies
The Internet is the gateway to the world of e-commerce and it is vitally important for companies to have articulated and meaningful Internet usage policies for internal and external points of access. Internal policies deal with employees and others within the company who access the company Intranet, Extranet or Internet. External policies deal with website visitors and those who otherwise interact commercially with the company via the Internet.
Internal Internet policies are often cobbled together without any real thought of the company's business needs, and unrestricted Internet access seems to be a given in most office environments. The question is whether your employees are aware of your company's Internet use policy. Has a policy in fact been articulated and disseminated? Does your Internet policy find its way into your employee handbooks, and is compliance acknowledged as part of the terms and conditions of employment? Does your IS function periodically monitor compliance? Are there protections in place guarding against the downloading or installation of unlicensed software? Overlooking or merely paying lip service to having internal Internet use policies can expose the company to liability ranging from possible claims for copyright infringement to sexual harassment to the results of downloading invasive software that can steal valuable company data and even cripple an entire computer network.
External Internet policies such as website terms of use and website terms and conditions are absolutely necessary on websites where business is conducted or where customer and/or vendor information is exchanged. Additionally, to the extent that the company website delivers information to site visitors, the website must also be compliant with federal and state statutes dealing with privacy and email solicitations. Moreover, to the extent that the website deals with information of personal, financial and/or medical, there are federal requirements for detailing financial transactions and maintaining the privacy of personal medical information. Lastly, to the extent that customers can make purchases through the website, not only do the terms and conditions governing the transactions need to be specifically assented to via an on-line agreement, but sound business and legal practice dictate that the site must also have a secure means of safeguarding the integrity of personal financial information such as credit card, social security numbers and other such critical data.
II. Works For Hire - Foreign Country Considerations
Most companies recognize the need to have agreements in place when dealing with independent contractors of IT services in the United States. Usually such agreements are not required where a true employer/employee relationship exists; however it still makes sense to do so. Moreover, as companies continue to regularly outsource the IT function and increasingly utilize foreign independent contractors, it is not only important to have such agreements in place with these contractors but also the laws of the country in which the works are created should also be consulted beforehand. In some countries, the author can retain significant rights in IP and IT even though there is an outright assignment or transfer of those rights.
In fact, hiring outside developers who create inventive subject matter in certain foreign countries may have far different implications than IT outsourcing does in light of several recent decisions, particularly in Japan. Earlier this year, the Tokyo High court ordered Hitachi Ltd. to pay its former employee approximately $1.5 million dollars in connection with the transfer of patents for technology developed by the employee. The following day, another court ordered Nichia Corporation to pay almost $189 million dollars for another employee invention. In each instance, the Japanese courts awarded compensation claims against former employers because the Japanese courts did not feel that the employee was adequately compensated for his contribution to its employer. Both Japan and Germany (which also has an inventor compensation law) have significant statutory provisions designed to compensate employees for their inventions. While the U.S. does not have any such broad statutes, in many cases, U.S. state "common-law" governs how inventors are compensated. A handful of states have even enacted laws which allow inventors to contract around the common law. As the so-called "second" and "third world" countries continue to develop hi-tech manufacturing and research and development capabilities, it may well be that all companies, especially multinationals will have to look more closely at inventor compensation laws in determining where they outsource the development of their IP.
Lastly, before deciding to outsource a development project in a target country, a company must also consider what intellectual property, e.g., core versus non-core development, should be disclosed and licensed to an outsourcing provider. Such a decision involves creating a legal strategy and obtaining advice from counsel both at home as well as counsel in the outsourcing target country. Although the outsourcing of intellectual property development may save considerable costs, a company should treat this type of outsourcing with great care and diligence as the loss of intellectual property rights may be more significant than the dollar savings involved.
III. Spyware
Spyware is software that aids any unauthorized party in obtaining private information from a person's computer without the person's knowledge or consent. It includes anything from key stoke loggers, to web browsing trackers to web cookies, many of which piggy-back file sharing software. Spyware has the potential of causing substantial damage, from obtaining e-mail addresses to capturing personal information such as credit card information. In an attempt to regulate the unauthorized installation of computer software, a federal bill introduced in March known as the SpyBlock Act would prohibit the installation of software without notice and consent. Companies, however, may not have the luxury of waiting for this legislation to become law, and may seek other avenues of protection.
While the legality of spyware is being considered, one option is to contractually prohibit use of a company's web sites by those who install spyware. Implementing meaningful policing of such a provision, however, may prove difficult. One viable option is to run spyware detection and removal programs on a company's network on a consistent basis in addition to adopting a policy prohibiting employees from accepting free ad-supported software downloads. In addition, a company should read all click-wrap or browse wrap licensing agreements before installing software on the company's system. Although not a fool-proof measure against the installation of spyware on a company's computer system, a company can minimize their risk of harm by implementing some or all of these precautions.
IV. Open Source Software
Open source code is software that is licensed through agreements that specifically permit users to freely copy, modify and redistribute the software so long as they do not keep others from also having the right to freely copy, modify, and redistribute the software. Distributed in both machine readable object code and human readable source code to the general public, it is usually "free of charge." Free of charge does not, however, mean there is "no price to pay."
The problem in using open source software is the nature under which such software is licensed, namely, once open source code is incorporated into a software product, the product itself falls under the open source license and becomes non-proprietary.
For developers who do not intend or who are not attempting to create proprietary software, open source software can be a valuable resource. However, for businesses that are creating proprietary software assets, unknown or unintentional use of open source software can have disastrous consequences. Companies must develop policies and procedures that prohibit use or access of open source software by employees and consultants. This could be done as part of your company's overall computer usage policy or as part of your employment agreements with developers.
Consider as well that if your company is using outside consultants, agreements must prohibit the use of open source software. Typically, development/consulting agreements will state that the consultant will not infringe upon a third party's intellectual property rights. If consultants have used open source software, they have not violated this warranty, because the consultant is free to copy, modify and distribute open source software without infringing a third party's rights. Similarly, the typical indemnification provision, in which the consultant/developer agrees to indemnify the customer for third party claims relating to intellectual property infringement, will not provide any relief. Companies should include a specific warranty that states the consultant will not use open source software and modify the indemnification provision to account for a breach of this warranty. If your agreements do not adequately protect against the use of this type of software, you could be left with a product that is tainted by open source software and have no action against the consultant/developer.
V. Sarbanes-Oxley Act And IP/IT Audits
The Sarbanes-Oxley Act imposes duties on senior executives of publicly traded companies to certify that information filed pursuant to the Securities and Exchange Act of 1934 fairly presents, in all material respects, the company's financial conditions and operations. Sarbanes- Oxley also requires the establishment and maintenance of internal controls so that this information is made known to company officers. Where a company's IP assets are material to its financial condition, an audit of the company covering the reporting period is arguably now a necessity to ensure that the financial condition of the company is fairly (and accurately) presented. This goes not only to the ownership of the IP assets of the company but to the company's competitive assessment and the issues of enforcement, and possible exposures for infringement by third parties. Arguably still, the audit requirements apply equally if the assets of the company are of an IT nature. IT plays a critical role in maintaining the integrity of the financial information of the company. The IT infrastructure of the company, its applications and processes all contribute to the company material assets and its financial condition. Few would argue that the failure to have a disaster recovery plan or a system in place would be tantamount to gross dereliction of duty; however, too few senior executives are aware of the processes and controls in place for maintaining the company's financial information. The need for such audits are greater where the company is reliant upon its IP audit for value. The rule is simple - if your company considers itself a high-tech or a technology sector player, the IP/IT audit is no longer an abstract exercise reserved for a rainy day. It is likely a requirement.
Published August 1, 2004.
