At Risk Offshore

Companies outsourcing their software development offshore can get stung by industrial espionage and poor intellectual property safeguards.

The Sting

On a typically steamy New Delhi day in late August 2002, Nenette Day walked into the Ashoka, one of the city's best hotels, for a meeting with Shekhar Verma. Verma had been fired from his job at Geometric Software Solutions Ltd (GSSL), an outsourcer based in Bombay. He claimed to have the source code for SolidWorks Plus's 3-D computer-aided design package, which GSSL was debugging. Verma had contacted a number of SolidWorks' competitors and offered to sell them the source code. Day had taken the bait and flown to New Delhi. After confirming that what Verma possessed was indeed SolidWorks' source code, Day began negotiating on price, eventually bargaining him down to $US200,000 for the code. The deal struck, Day got up and left the room. Then agents from India's Central Bureau of Intelligence (CBI) swept in and arrested Verma. Day was not arrested - she is actually a special agent from the FBI's Boston Cybercrime Unit and had gone undercover to work with the CBI on this case, the first undercover operation for the FBI in India.

The arrest led to the first prosecutorial filing for outsourcing-related intellectual property (IP) theft in India. Given that software outsourcing was a multibillion-dollar business in India last year, the trial will draw close scrutiny from both sides of the world. Sound like an open-and-shut case? Day herself is not nearly so confident. "With no case precedents, the reality is we have no idea how this plays out under their law," she says. Day also says that Verma made two small mistakes (she declines to specify them) without which he could have already got off scot-free, and that after a full week in India working with the prosecutors last northern autumn, Day still doesn't understand the applicability of at least one of the critical charges.

Intellectual property, if stolen, "is a genie that can't be put back in the bottle", says Day. Currently, she says, "there is really no law to protect companies' intellectual property".

Companies need to think seriously about what that means. Consulting company McKinsey estimates that by 2010, the IT industry will save $US390 billion through offshore outsourcing of software development. But it also opens up new channels of industrial espionage in bitterly poor nations that often don't have laws protecting foreign companies and rarely enforce whatever laws may exist. India, obviously eager to protect its national income from outsourcing, is scrambling to demonstrate that it takes foreign intellectual property seriously. Some observers say that other countries vying for outsourcing dollars are even worse when it comes to providing legal protection for intellectual property. Court cases are still relatively hard to find, but that's about to change. Smart companies need to re-examine their outsourcing contracts and make sure they aren't at risk of becoming the test cases.

In the Jungle

It would be wildly speculative to suggest that the SolidWorks case will even slow the bullet train that is offshore outsourcing of software development. India's National Association of Software Service Companies (Nasscom) alone expects its outsourcing business will surge more than 26 percent to 28 percent this year (38 percent worldwide for higher-level business process outsourcing, according to Gartner). India's IT sector exported $US10 billion worth of goods and services in 2002, and projects it will reach $US21 billion to $US24 billion in 2008. Meanwhile, Forrester Research estimates that in the US alone, 3.3 million IT jobs will go offshore over the next 12 years. These trends won't reverse over one case of an employee gone bad. "This is dealing with a rogue employee who left and stole information. That happens everywhere," says William Bierce, partner in Bierce Kenerson, a New York law firm specializing in outsourcing and international business law.

The key question, of course, is the real degree of risk companies face. If overseas IP theft court cases are hard to find, doesn't it stand to reason that CIOs and CSOs are doing a decent job of protecting corporate IP assets? Dean Davison, vice president and director of outsourcing and service provider strategies at Meta Group, emphasizes that he almost never hears complaints about IP thefts, and in general doesn't hear horror stories about overseas outsourcing. On the other hand, Elliot Turrini, an attorney with McElroy, Deutsch Mulvaney, sounds much more dire. "Intellectual property is a legal fiction we've created to ensure a return on investment and promote the arts and sciences," he says. In countries with less developed laws, Turrini says, "basically you're wide open".

Anecdotally, there are additional examples of IP spats overseas. Davison does say he's aware of one case where a US company outsourced product design to an Indian firm, which successfully completed the project, then turned around and used the code to create a version for the Indian market. The US company didn't care because it had no interest in the Indian market. A third case is currently pending in India. Legato Systems, a maker of storage software, has alleged that eight of its former employees in India took some of its intellectual property with them when they went to a competitor. Legato declined to comment on the action publicly, though one of its officials, speaking as an individual, told a local publication last February that he would recommend against future offshoring in countries without better legal protections.

The irony: While these IP theft cases are from India, that country actually has a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Observers say India has a culture that generally seems to respect intellectual property, as compared with China or Russia, for example - consider those nations' records regarding piracy of shrink-wrapped software and of copyrighted materials such as movies and music.

Indeed, Indian prosecutors in the SolidWorks case appear to have decided to charge Verma in part to establish firmer support for IP rights. India does not have laws against trade theft, so prosecutors filed charges against Verma under a general civil theft law, with a secondary charge of criminal breach of trust against his employer, GSSL. Another charge, pertaining to copyright law under India's recently enacted IT Act, was added later. But despite being caught red-handed, Verma might well win his case. Because the source code didn't belong to GSSL, technically, Verma didn't steal from an Indian company. Thus India's laws don't necessarily apply. It's a frustrating situation for US law enforcement officials. As Day says, "How can he steal something from GSSL when they don't own it? And when the nondisclosure breach of trust was signed between him and SolidWorks?"

Those are fine questions, and companies should look closely at the way the Indian courts and government respond to them.

Bierce says India's reaction is already reassuring for companies. "Even if [the prosecutor] doesn't win, he's inspired fear," Bierce says. He also says that if the US prosecutors lose the case, they'll almost certainly complain that India's existing legal structures are not sufficient. He predicts that "some bright, young legislator will propose a new, more specific law".

The Finer Points of Law

Perhaps. Then again, it may be a long wait. Many observers still say too few companies worry about intellectual property theft when they send software development overseas, and that those that do fret nevertheless don't make sufficient efforts to protect themselves contractually. Why the Alfred E Neuman-like serenity? In the case of India, which by some estimates has about 90 percent of the market for offshore software outsourcing, it's largely because the country is a member of the World Trade Organization and adheres to its intellectual property add-on, Trips (Trade-Related Aspects of Intellectual Property Rights). In addition, several of the largest Indian outsourcing companies are incorporated in the United States and can be sued there. But Trips protections still must be enforced locally, and no countries prominent in software outsourcing have local laws covering theft of trade secrets.

"Complying with Trips is a starting point, but plenty of countries have signed Trips agreements. China is one of them, but there are plenty of examples of piracy or misappropriation of design by Chinese firms," says Michael Murphy, an attorney at Shaw Pittman. Trips signers or not, if a country's culture does not respect property, the courts are unlikely to enforce laws. Several sources interviewed for this article agreed, though not for attribution, that China regards intellectual property - especially that of foreigners - as communal property.

Despite its near miss on source code, SolidWorks has no plans to stop outsourcing to India. It won't even change business partners. It has worked closely with GSSL for more than six years, and has had the company do its debugging for the past five.

"It's been a very good relationship for us," says Holly Stratford, vice president and general counsel for SolidWorks. "We think it's very cost efficient, and it's a talented group of people. At times they've been almost a virtual office of ours."

Instead, both companies underwent intensive internal security analyses, Stratford says. "We obviously reviewed with them what their procedures were that made this possible, and they instituted a lot of revised procedures," most of which she won't disclose, though she does note that GSSL won't let employees take home source code to work on any more. SolidWorks also has substantially changed its security procedures for US workers, ranging from the way it handles access codes and office security to what it makes available on servers for remote workers. Stratford says this might create some inconvenience for employees, but they don't grumble much about it. She says the prompt response by the FBI and India's CBI quickly addressed SolidWorks' main concern, which was making sure it got its source code back. After the sting, all the copies of the source code were recovered from Verma's quarters. As for any strain in relations, Stratford says matter-of-factly that "the reality is, everybody has the same issue with their own employees". To her, a potential landmark case serves mostly as "a wake-up call".

The truth is, SolidWorks got lucky. Verma allegedly contacted several competitors; only one of them told SolidWorks that its source code was up for sale.

Praba Manivasager, CEO of Renodis, an offshore advisory firm, says that he expects the Indian government to move quickly in passing stronger intellectual property laws, with the full support of Nasscom, India's main software association and a powerhouse lobbyist in the country.

Manivasager notes that the Indian government is already working to change its traditional reputation of being guarded and difficult to work with, both because the country is competing with China for overseas investment and because existing business investors were nervous about India's near-war with Pakistan two years ago. "It's actually overhauled a lot of international policies to help foreign investors come into India," he says. "This case could serve as a landmark case, but it will most likely solidify what we are seeing, which is more and more support for international business. The Indian government has a lot to lose" if it doesn't take the case seriously, he adds.

The Diligence That's Due

Laws or no laws, many believe it would help if companies would treat offshore software outsourcing with greater care. Many companies looking to farm out their development work care only about dollar savings and can be sloppy about everything else.

Ken Pfeil, CSO at Capital IQ, says the SolidWorks theft case should ring alarm bells at every company that wants to outsource. "You really have to dig on due diligence," he says. "[Require] background checks on employees, look at the company history and financial stability, look at their retention rates for employees." Turrini, the lawyer, recommends putting someone with deep pockets on the hook. For instance, insist on indemnification agreements with the outsourcing provider, and make sure that provider has substantial assets locally just in case. Failing that, he recommends, get insurance for source code.

While those steps might sound straightforward, companies often fail to take even basic steps to check on potential suppliers, according to Bill Malik, who spent 11 years as an analyst at Gartner before becoming CTO of Waveset Technologies. He declines to name names but says that "people far too often don't do their due diligence. I've seen organizations that just want to take a pass on the whole thing. They just want to outsource development to the cheapest vendor."

Usually, such hasty decisions are driven by the need to keep up profits and revenue. Looking at short-term financial gains is a huge mistake, Malik says, and cases like the one unfolding in India show why.
