The unavoidable fear that an original and innovative idea might get copied makes many customers not to trust fully in this process of outsourcing. The greatest fear of a budding entrepreneur is that his idea gets copied when outsourcing to a web development agency or freelance web developer.
One of the biggest risks is protecting your intellectual property (“IP”) when it is outsourced. There are no silver bullets that will guarantee protection. However, if you are considering developing a mobile app and want to protect your idea, you must not be fuzzy when describing your application project. This will only get you unrealistic budgets that will ultimately not convince you and you will not be able to pick a good freelance programmer. One possible solution for protecting your idea is to get a non-disclosure agreement signed.
In 1995, Milberg, Burke, Smith, and Kallman formulated five international regulatory models regarding information privacy, based on a continuum of government involvement in day-to-day corporate privacy management:
- Voluntary Control
- Data Commissioner
- Registration Model
At the low end of the continuum, anchored by the Self-help Model, ” the government assumes a ‘hands-off’ role and allows corporations to monitor themselves, with reliance on injured individuals to pursue their own remedies in the court system.” At the high end, anchored by the Licensing Model, “the government assumes the authority to license and regulate all corporate uses of personal data, including the right to conduct inspections inside corporations and to examine all proposed applications of personal data before they are implemented.”
Based on this continuum – and the work of Westin in 1967, which found that expressions of privacy vary significantly across cultures – Milberg and her colleagues proposed and tested a theoretical model of the relationships among nationality, cultural values, the level of information privacy concerns, and regulatory approaches.
Their study revealed substantial statistical relationships between
- nationality and information privacy concerns
- information privacy concerns and privacy regulations.
The researchers also found that “countries with either ‘no privacy regulation,’ or the most strict model of privacy regulation were often associated with considerably lower information privacy concerns than those who adopted the other three models. Countries with more moderate regulatory structures were associated with higher aggregate levels of concern, and those levels of concern did not vary much from one another.”
We can segment the information security requirements into the specific attributes of confidentiality’, ‘integrity’ and ‘availability’ (‘CIA’) and to consider these from a system life-cycle perspective. The below table presents an example of different levels of information risk over a typical system life-cycle(this will vary depending on the nature of the system and data).
Such decomposition will create the granularity needed to identify specific levels of security for different life-cycle stages.
One of the thorniest issues when outsourcing is to be sure that our IP remains safe throughout the process. There are some guidelines you might wish to follow to reduce the risk that your IP will be compromised when outsourcing to a freelancer or web developing agency. Here they are.
- Be insightful
You must have an account of all IP and IP related knowledge (if it’s registered or if the registration is pending or is new or in the development stage and then decide the extend to which the availability should be limited. You must know what your IP is before you begin your project to ensure it is properly protected from the beginning.
Distinguishing between sensitive data and common data helps in preventing disclosure of confidential information. IP can be of diverse nature, it can take many forms (copyrights, trademarks, trade secrets and patents) and can be structured into databases or embedded in software code.
- Safeguard your data
The usage of application layer firewalls and database monitoring gateways while outsourcing by the vendor will enable you to prevent privilege abuse and reduce vulnerability.
Keep an eye on the vendor’s customer list to see if any potential rival or competitor and what extra precautions are needed to safeguard the IP shared with the vendor.
3) Ascertain vulnerability
Identify the key components of your IP, the location, who controls it or who adds or enhances it, who is responsible for protecting it, how it is protected and how vulnerable it is to attack.
Ascertain the vendor’s legal obligation with respect to the outsourced function and ensure that the IP assets are not compromised. Figure out what are the risks involved if the vendor were to sub-contract part of the outsourced function to consultants, independent contractors, etc.
Investigate the Vendor’s track record by talking to its references and assess its security and/or IP protection program and check on the background of the Vendor’s project manager. It’s advisable to examine the Vendor’s ability to safeguard your IP against accidental, inadvertent or willful misappropriation, misuse, sabotage, loss or theft.
You may also want to examine the potential Vendor’s reputation, financial and technical resources and compatibility with your corporate culture.
5) Comprehension of IP
It’s vital to have a comprehensive understanding of your IP licensing agreements, the clauses, the terms and conditions associated with it. Determine whether these agreements prohibit outsourcing the IP without the permission of your licensing partner.
6) Identify safety measures
Any form of outsourcing should specify in the agreement how the Vendor will guard and protect your IP, who will access it and under what circumstances. For instance, the contract should provide information if the Vendor will write over and not simply erase any data no longer needed.
Make sure that your vendor will go by your privacy and intellectual property policies. Make these clear with your vendor to avoid later misunderstandings.
Whether it’s ownership issues regarding jointly created IP or IP assets developed by the vendor during outsourcing, make sure that it is explicitly addressed. It is essential to clearly define who will own the ownership rights of newly created information that is established on customer’s IP data. Most outsourcing agreements executed in USA uses “US work for hire” rules. YOu should verify if thats the case with vendors from other countries.
It’s vital to decide whether you want to keep all the IP you intend to outsource on servers located in the US with vendor access to the IP on only permission basis or give unlimited access to the IP for the vendor. Identify the limitations of any licensed third party IP, if it can it be sub-licensed to a vendor or not.
9) Other influential factors
- Project Management
In addition to a security person to prevent security breaches, you will need a competent IT manager and in house project manager.
- Privilege Transition
It’s advisable to outsource your less valued IP & saving your core IP until you have developed a trusting relationship with the vendor.
Challenges to Enforcement of IP Rights
- Time and Resources
using the legal and administrative mechanisms for dispute resolution and enforcement of IP rights, and to deal with piracy and counterfeiting,
- Diverse IP law across countries
The legal framework varies significantly from one country to another with respect to the exhaustion principle applied which may be on a national, regional or international level. If you are signing a non disclosure agreement or confidentiality agreement with a party in another country make sure your lawyer and your lawyer understands enforccibilty. In many cases it will be very difficult.
(Exhaustion Principle: After a product covered by an IP right, such as by a patent right, has been sold by the IP right owner or by others with the consent of the owner, the IP right is said to be exhausted. It can no longer be exercised by the owner. This limitation is also referred to as the exhaustion doctrine or first sale doctrine.)
- Types of IP asset involved
Different types of IP rights often vary within a country itself which makes it a challenge to enforce IP rights.
While deciding to outsource, it is better to have the counsel of experts, as to what resolution does the customer have when an IP right, has been marketed or/and commercially exploited by an unauthorized third party. Therefore, any consequent act of resale, rental, lending or other forms of commercial use by third parties can no longer be curbed or disputed.
Once the critical attributes to the outsourcing business are identified, the enterprise can then initiate the process of scouting and opt one or more partners. It’s advisable o assess the economic and political environment of a potential partner’s or vendors location (country), as well as to examine and understand the country’s institutions and legal framework. Nevertheless, it is important to understand that there are no ‘bullet-proof vests’ anywhere in the world for the complete protection of IP.
If you wish to know more, feel free to download white-paper on Due Diligence Checklist for Outsourcing Software Projects.