Image credit: Reader’s Digest

Legal Protection for Offshore Development: IP & Data Security Concerns

IP protection is vital to consider at every single step in the software development labyrinth. If you are in charge of software development and are outsourcing programming, adopt these proven practices to foster a winning outsourcing relationship.
By Kaley Nguyen | EnvZone Staff
on November 03, 2019 | 12 min read

Within the ever-evolving business landscape, outsourcing has become an inevitable route that enterprises use to help them scale their businesses, especially with the dominant trend of globalization. In fact, the outsourcing industry is gearing up for the future with no signs of slowing down in the years to come.

Regarded as a genuine business innovation, offshore development has offered numerous advantages to businesses. It is a smarter way of delivering value, usually software solutions, by leveraging workforces all over the world.

Besides its benefits, however, it is vital to stay alert to the potential risks associated with such a decision. Among them, intellectual property stands out as a major concern that deserves careful consideration and timely strategies to address it.

Before diving into the specifics, let’s take a look at the general picture of the outsourcing world as well as its current trends.

Offshore Outsourcing: Major Trends

In general, outsourcing can be defined as a means of “… marrying efficiency with innovation, which requires managers to consider the following: time-cycle and cost reduction, levering scale and scope, reduction of resources, partners as role models for change, and reduction of risk”. In other words, it refers to an enterprise making an arm’s length alliance with one or more enterprises to perform either carefully selected operations or day-to-day business processes (or both) that were previously done in-house.

In practice, there are basically two major groups of offshore outsourcing that are now on the rise:

  • Technology services, which include information technologies (applications hosting, telecommunications (voice and data), logistics, etc.); electronics (semiconductor chips, high-value microprocessors); electronic commerce, etc.;
  • Business processing outsourcing (or BPO for short), which deals with differentiated activities, such as finance and accounting, procurement and supply, customer contact (customer relations management), human resources, security, etc.

Besides these major functions, there are other fields being outsourced offshore, such as drug and product development in the pharmaceutical and biotechnology industries, especially clinical trials and legal services. Another typical example is of several law firms in the United States of America, which are offshoring a major part of the task of patent application drafting and prosecution.

Offshore Outsourcing: The Value-chain & Levels in Outsourcing Relationship

The global commodity chain has both a supply chain as well as a value chain. When it comes to outsourcing, it is a “must” to grasp the distinction between these two.


Speaking of the supply chain, it is essentially concerned with the supply of raw materials, their transformation into finished products by a manufacturing process, and their distribution through a network of distributors, warehouses and retailers.

On the other hand, the concept of the value chain is significantly extended and applied to the whole supply chain and its distribution networks. In the delivery of products and services, different economic actors are mobilized, and each will manage its own value chain.

Such independence in the exploitation of upstream and downstream information can be considered to be one of the main reasons why outsourcing has become so popular with businesses. A disintegration of the vertical (supply chain) integrated factory, however, could result in the eventual fragmentation of ownership rights, thus making it imperative for firms to identify the strengths and weaknesses in each identified value chain activity.

Keeping this in mind, every single firm should be able to create new value for itself as well as its customers through one or more outsourcing relationships. Or to put it simply, a company should do “in-house” only those activities which it is capable of doing faster, cheaper and better than others. In other words, other activities are all candidates for being outsourced to others who are capable of doing such activities faster, cheaper and better.

Thus, it goes beyond any doubt that offshore outsourcing may happen at any level of the value chain:

  • At the lowest level, labor-intensive unskilled tasks are outsourced.
  • At the next level, the production or manufacture of a component, or the whole product or service, is also outsourced.
  • At the next higher level, technology development is outsourced, including some or all of the associated research and development (R&D) tasks.
  • Some may even consider outsourcing marketing functions to be the highest level of outsourcing. It may be done either partly (for instance, outsourcing of market research) or almost wholly (for instance, distribution and sales are outsourced).

In practice, there can be multiple permutations and combinations of the above categories.

As regards levels of outsourcing relationships, there exist some major levels as follows:

Basic Level of Outsourcing Relationships: Low-wage Human Capital

Focus is on labor-intensive tasks, which require unskilled, low-wage labor, then moves on to tasks requiring educated and skilled low-wage labor.

Second Level of Outsourcing Relationships: Manufacture of Commodity Products

Focus on standardized and often labor-intensive production systems for standardized or mature (limited value-addition) products, often reaping economies of scale.

Third Level of Outsourcing Relationships: Outsourcing Development of Technology

Focus on highly skilled science and engineering or technical personnel employed in state-of-the-art R&D setups in lower-wage countries.

Offshore Outsourcing: Intellectual Property (IP) Assets & Know-how


Undeniably, offshore outsourcing requires the sharing of a wide array of proprietary knowledge. The nature, as well as the critical importance, of intellectual property will differ in every sector of industry and business. Furthermore, every type of IP asset (trade secrets, trademarks, industrial designs, patents, copyright and related rights, to name a few) may be involved at the separate levels of outsourcing relationships.

Nevertheless, each type of IP asset is generally governed by its own distinct national law, which does vary from one country to another. Such governance differences have added further complexity to managing IP assets in offshore outsourcing relationships, especially if there are many partners in different countries.

In fact, these issues are of considerable significance to enterprises as the practice of offshore outsourcing continues to grow. To manage this “sharing of knowledge” effectively, it’s imperative that both parties involved properly administer their IP while keeping the overall business objectives in view.

From the perspective of intellectual property, the benefits of sharing IP assets must outweigh the myriad of risks encountered in outsourcing, including the risks linked to the shared IP assets. To be more specific, such risks do include challenges in monitoring and/or dealing effectively with various types of breaches of contract clauses, theft or misappropriation of trade secrets, misuse or loss of other types of IP rights (resulting in partial loss of control of business), poor or inconsistent quality of goods and services (that may affect the reputation or brand image), enforcement of IP rights, parallel imports and grey-market issues.

On this basis, when determining which functions should be kept in-house or outsourced, an intellectual property due diligence inquiry (a thorough analysis and inventory of a company’s key assets) should be undertaken before finalizing any outsourcing plan, to safeguard the enterprise’s IP.

According to WIPO, the following non-exhaustive list of essential issues in an IP due diligence enquiry deserves adequate attention:

  • Identify and document IP: trade secrets, trademark(s), patent(s), industrial design(s), copyright and related right(s).
  • Identify the inventor, creator or author of the IP.
  • Determine ownership rights in the identified IP, including joint-ownership issues.
  • Identify contracts or other agreements associated with the IP. For instance, technology transfer or licensing agreements; confidentiality and non-compete agreements.
  • Identify assigned or licensed IP used by the interested enterprise(s): IP of third parties and/or by employees. Ascertain the rights granted to each party, and detect existing and potential sub-contracting issues.
  • Identify existing or alleged breaches of contract, infringements, disclosure of confidential information and trade secrets.
  • Determine jurisdiction and enforcement: applicable laws, enforceability, dispute resolution mechanisms (mediation, arbitration, choice of governing law, applicable jurisdiction).
  • Termination, expiration or exit clause of arrangement: Is there an indemnity against infringement?
  • Determine other IP related responsibilities: Ongoing maintenance and upgrades to the IP; payments of transfer fees; product liability, IP insurance, ...

Offshore Outsourcing: IP-related Issues & Its Practices

#1. Ownership of Intellectual Property

Ownership of intellectual property may be a “sticking point” when it comes to offshore outsourcing. Whether the outsourced work is expected to take place domestically or outside the enterprises’ national borders, it is a “must” to identify, account for as well as further clarify ownership-related problems of IP assets that are improved or created during the relationship. Nonetheless, many companies - more often than not - overlook or pay inadequate attention to such a vital aspect.

In practice, there exist several approaches to sharing ownership rights over IP, which is either improved or newly formed during an outsourcing relationship. One approach would be for the customer to own all IP assets and know-how, with the vendor having the possibility of using the IP through a negotiated license agreement. Another approach would be for the vendor or the developer to own all such IP, with the customer - the party having commissioned the task - taking a license through negotiations. Besides, there are other approaches of IP ownership such as both the customer and vendor jointly owning the resulting IP or apportioning ownership of different IP assets amongst the parties concerned, namely, amongst the vendor, customer and one or more third parties.

Which particular approach is adopted will be clearly stated in a formal agreement based on negotiations guided by each party’s current and future business needs. As all approaches are complex, careful evaluation, as well as negotiation, is definitely required before any agreement is reached.


To avoid any possible conflict, such an agreement must be detailed, and, amongst many other things, should deal with ownership and use of the intellectual property assets - both during and after the termination or end of the outsourcing relationship. In fact, several other questions concerning the intellectual property will arise and do not differ greatly from those that arise in collaborative contractual agreements. Some typical concerns will include:

  • Who owns the IP created by a company’s employees or independent contractors?
  • If it is to belong to the company, then are all such IP assets properly transferred or assigned to the company?
  • Who will own the customized features, improvements, new technology and product in outsourced work?
  • As regards copyrighted works, such as software, will an improvement or modification possibly lead to the creation of co-authorship and resulting joint ownership?
  • Or, will it be treated as an adaptation, also known as a ‘derivative’ work, which would be owned by the party that made the improvement?
  • How does one determine whether ownership will be exclusive to one party or another or held jointly?
  • What entitlements will each party have to exploit jointly created IP?
  • Should it want to switch vendors or terminate the contract, then what will happen to the customer’s IP?

Actually, the complexities of the above-mentioned questions will vary depending on the type of IP owned, for example, entitlements differ between patents and copyright. Normally, unless provided for specifically in the relevant IP law, most of the issues raised would be decided by negotiations by the parties, based on their respective business objectives. As a rule of thumb, you should try to avoid agreeing to joint ownership of IP assets during negotiations. In case it is not possible to do so, then all questions about its proper management need to be spelled out in requisite detail in the agreement between the parties concerned.

#2. Confidential Information & Trade Secrets

Now that you’ve grasped the basics of IP ownership, it’s high time to move on to the second critical concern in outsourcing offshore: the inadvertent, accidental or willful disclosure of confidential information and trade secrets.


Speaking of trade secrets, they are protected by an express or implied contract; in other words, trade secrets are either not protected at all, or only inadequately protected, by a specific national law for the protection of trade secrets or preventing espionage. Therefore, a primary concern when outsourcing is the potential partner’s ability to safeguard confidential information of commercial value against accidental, inadvertent or willful misappropriation, misuse, sabotage, loss or theft.

If the partner cannot be truly trusted to protect trade secrets, then the risks of outsourcing offshore may far outweigh its potential benefits. Thus, it is more than essential to review the integrated security and IP protection program of the potential outsourcing partner.

Bear in mind that the value of a trade secret rests in the company’s ability to keep relevant information confidential. Once a trade secret is disclosed or made public, it enters the public domain. Invariably, it will be lost permanently and, in most instances, so will the competitive advantage – directly or indirectly - linked to it.

To address such a critical concern, myriad practical measures have been recommended, such as those indicated in the articles on the website of the SMEs Division of the World Intellectual Property Organization (WIPO). Amongst these, it’s also a “should” to consider relying on a Non-Disclosure Agreement (NDA), which is also known as a confidentiality agreement, for keeping such vital business information confidential. While such agreements provide for broad protection and are a relatively low-cost measure for the protection of trade secrets, they may be of limited value should litigation issues arise.

To help companies overcome or mitigate the risks of accidental or willful loss or misappropriation of trade secrets, logistical controls will be needed. Security, especially in the electronic environment, is then an exigency in offshore outsourcing arrangements. In fact, measures to prevent breaches of security (for example, the ones resulting in disruptions in the supply chains) are usually linked to those measures for the protection of trade secrets. Furthermore, these may be associated with the protection of individual privacy in the context of database protection obligations, particularly in the financial and health sectors.

The CSI-FBI Computer Crime and Security Survey revealed that trade secret theft was a greater threat to most enterprises. The sensitivity surrounding security and privacy is seen as “businesses are installing intellectual property ‘trackers’ which aim to tag or track company-owned IP in order to prevent theft. This is an issue for both big companies … as well as small companies who often don’t have much more to protect than their IP.” The security measures against such threats may basically include electronic watermarking and time-stamping.

Bonuses: Other Strategies for Offshore Outsourcers to Address Data Security & IP-Related Concerns


#3. Information Classification

So, besides these legal protection measures, what can offshore outsourcers also do to strengthen offshore data security? 

The first and most obvious solution is to avoid sending sensitive data offshore in the first place. However, not a small number of companies have failed to keep sensitive data onshore either out of lack of transactional offshore experience or, more often, because they do not have a classification system delineating between sensitive and non-sensitive information. 

Understanding that, companies should consider adopting an information security classification similar to those employed by national governments.  To take a typical example, the US Federal Government sorts its sensitive information into confidential, secret, and top-secret categories, applying an increasing number of precautions to each.  Plus, the government requires its sub-contractors and sub-contractors' sub-contractors to follow the same system.  By conducting a thorough security review of sensitive documentation like that, companies can create similar classifications. 

No matter how simple this idea seems to be, the measure of information classification has offered three-fold benefits for offshore outsourcers. First of all, it does allow companies to determine what data can be processed offshore and what precautions are required. Secondly, it assigns the responsibility of sensitive information to trusted sources, permitting much easier audit trails.  And thirdly, it lowers costs by not applying restrictive constraints on public information.

#4. Organizational Design

It’s beyond any doubt that not all sensitive data can be kept onshore. From the organizational design standpoint, companies should consider if and how their current structure will interface with outside service providers. In some cases, it may be the smartest move for a highly integrated firm to develop its own office overseas instead of outsourcing. The importance of reducing the future organizational costs of coordination is amplified for offshore outsourcing over onshore outsourcing.

Historically, global corporations have been organized as multi-domestic firms.  This model traditionally provided firms with the financial benefits of expanding globally while minimizing the need for operational processes to cross national borders. Such a traditional model has limited the transfer of knowledge and IP across national borders. 

Nonetheless, within the ever-changing globally competitive landscape, knowledge sharing across borders has become inevitable, and in the past decades two predominant organizational models for the global firm have evolved. Whilst the first design is a matrix structure based on product lines and countries, the second one is known as a back-to-front model.

In the latter model, “back office” functions, such as engineering and operations, are grouped together across the entire organization, pooling resources and taking advantage of economies of scale. “Front office” functions, such as sales and marketing, on the other hand, are grouped based on geographic continuity or similarity. Whereas some companies have attempted to outsource entire “back office” functions, this can be challenging depending on the degree of integration required across the rest of the firm.

#5. Financial Controls

Since the key driver of offshore outsourcing is often to benefit from “labor arbitrage”, proper financial controls must be in place in order to quantify the costs and benefits associated with outsourcing. 

For instance, the resulting shift in cost allocations, such as the percentage of labor spend on a product, can have considerable managerial accounting impact.  Hence, the cost basis and cost allocation methods, in particular, the assignment of overhead, in the company must be reconsidered for projects which are outsourced. 

What’s more, establishing firm financial controls is of utmost importance from the perspective of the classic “principal-agent” problem. Without such controls, the agent, for example the outsourcing manager, has strong individual financial incentives to allocate the benefits or costs of outsourcing contrary to the position of the previous manager. In fact, loose financial controls tend to result in pendulum swings in the firm’s strategic policy regarding outsourcing, and in particular offshore outsourcing, as each new senior executive seeks to distance himself or herself from predecessors, “clean the books”, and then show immediate short-term financial benefits from his or her business strategy. Such a practice is undoubtedly bad for both the outsourcing company and the service provider.

#6. Contractual Relationships

As mentioned earlier, after selecting an offshore provider, companies need to be extremely careful in drafting their contracts. The normal precautions for any outsourcing agreement apply, such as the inclusion of termination clauses and measurable expectations. However, contracts with offshore providers require outsourcers to consider carefully the validity of any implicit assumptions.

In particular, outsourcers must account for the international variance in trade secret and nondisclosure laws. Whereas onshore agreements can usually assume fundamental legal protections, offshore contracts must explicitly describe each party's liabilities in case anything goes wrong. With a properly written contract, both parties will thoroughly understand their obligations and can operate with a minimum of overhead.

Companies that are outsourcing work should examine contractual models developed by highly regulated industries, such as US government contracts or the medical and pharmaceutical industry. Fortunately for IT-related work, governments are less involved in stipulating regulations, leaving the specifics to the firm or industrial standards bodies. Nevertheless, the processes these regulated industries have in place to ensure traceability and accountability throughout the supply chain provide one model for control by the original equipment manufacturer (OEM).

The Bottom Line

Before entering into an outsourcing relationship, it’s a “must” that you undertake a realistic assessment of its challenges, which include the concerns over intellectual property and data security. Be well prepared with IP-related knowledge and strictly follow these proven strategies to foster a winning outsourcing relationship.

This article is also credited to Mira Sahney, Eric Syu and page WIPO.
