Securing Intellectual Property: Protecting Trade Secrets and Other Information Assets
An Information Security Reader

Butterworth-Heinemann is an imprint of Elsevier
Syngress is an imprint of Elsevier
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
Linacre House, Jordan Hill, Oxford OX2 8DP, UK

Copyright © 2009.
Some portions © 2008, Elsevier Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Library of Congress Cataloging-in-Publication Data: Application submitted
British Library Cataloguing-in-Publication Data: A catalogue record for this book is available from the British Library.

ISBN: 978-0-7506-7995-4
Printed in the United States of America
08 09 10 11 12 13 10 9 8 7 6 5 4 3 2 1

Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights; email [email protected]

Publisher: Laura Colantoni
Acquisitions Editor: Pamela Chester
Development Editor: Matthew Cater
Project Manager: Paul Gottehrer
Code = 58741140

For information on all Syngress publications visit our Web site at www.syngress.com

Contents

Preface  xv

Chapter 1 Elements of a Holistic Program  1
  Introduction  2
  False Memes Lead People the Wrong Way  2
  From the Industrial Age to the Information Age  2

Chapter 2 Trade Secrets and Nondisclosure Agreements  7
  Introduction  8
  Contents  8
  What Is a Trade Secret?  8
    Basis of Trade Secret Law  8
    Trade Secret Law vs. Contractual Protection of Confidential Information  9
    Technology as a Trade Secret  10
      Source Code as a Trade Secret  10
      Product Ideas—Flying under the Radar Screen  10
    Confidential Business Information  11
    Confidential Information from Third Parties  11
    Limits to Trade Secrets  11
    How Long Trade Secrets Last  11
    Patents vs. Trade Secrets  11
    Can More Than One Company Have the Same Trade Secret?  12
  Care and Protection of Trade Secrets  12
    One Person in Charge of Confidentiality Measures  13
    Controls on Access to Confidential Data  13
    Entry Control and Badges  14
    Confidentiality Legends on Documents, Code, and Other Data  14
    Agreements with Third Parties to Protect Confidentiality  15
    Confidential Undertakings by Employees and Contractors  15
      Employee Guidelines  16
      Speeches, Paper, and Presentations  16
      New Employee Orientation  16
      Exit Process  16
  Nondisclosure Agreements and Confidential Disclosure  17
    Mutual or Unilateral NDAs  17
    Defining "Confidential Information"  18
    What Written Information Is "Confidential Information"?  18
    What Oral or Visual Information Is "Confidential Information"?  19
    Carve-Outs from Confidential Information  19
    Prohibition of Disclosure  20
    Use of Confidential Information  20
    When Does Protection Time-Out?  20
    Risks from Others' Confidential Information  21
    Two-Stage Disclosure  21
    Watch Out for "Residuals" Clauses  21
    Are There Oral Agreements for Nondisclosure?  22
    Disclosure Agreements that Are the Opposite of NDAs  22
    When You Negotiate a Deal, Should NDAs Be Superseded?  23
    Confidentiality Clauses Generally  23
  Violations of Trade Secret Law  23
    What Is Illegal under Trade Secret Law?  24
    What Is Not Illegal under Trade Secret Law?  24
    What if Trade Secrets Are Disclosed?  24
  Dealing with Violations of Trade Secrets  24
    Remedies Short of Litigation  25
  Is Taking Trade Secrets a Crime?  26
  Can Software Trade Secrets Be Licensed or Sold?  26
  Use of Counsel in Managing Trade Secrets  27

Chapter 3 Confidentiality, Rights Transfer, and Noncompetition Agreements for Employees  29
  Introduction  30
    Note on Terminology  30
    About Employment Law Generally  31
  Contents of Employee Agreements  31
    Confidentiality Provisions  31
      Definition of "Confidential Information"  32
      Regarding Use and Protection of Confidential Information  32
      Confidentiality and Pre-Employment Communications  33
      Provisions in Aid of Enforcement  33
    Capturing Intellectual Property Rights  34
      Special Rule for California and Certain Other States  35
      Cooperation in Rights Transfer  36
      Documents and Records  36
  Noncompetition and Nonsolicitation Provisions  36
    State with Limitations on Restrictive Covenants  37
    About Consideration  37
    Getting Employees to Sign  38
    Enforceability of Provisions  38
      Nature of the Employment  38
      Reasonable Scope and Duration  39
      Noncompetition Clause  39
      Automatic Extension of Restricted Period  40
      "Blue Pencil"  40
    Enforcement of Noncompetition Agreements by Employers  40
      Do Not Delay in Addressing a Breach  40
      Remedies Short of Litigation  41
      Preliminary Injunction  41
    Obtaining Assurance of the Absence of Conflicting Prior Agreements  41

Chapter 4 IT Services—Development, Outsourcing, and Consulting  43
  Introduction  44
  In This Chapter  44
  IT Consulting Business Model  44
  Development Deals  45
    Why Outside Development?  45
    Scale of Development Deals and the Development Forms  46
    Development Can Be a Risky Business  46
    Need for Planning and Risk Management  48
  Process Overview  48
  Writing and Responding to RFPs  49
    Elements of an RFP—From the Customer's Point of View  49
    Responding to RFPs—From the Developer's Point of View  51
  Agreement  52
    Getting the First Draft on the Table  52