At risk offshore

On a typically steamy New Delhi day in late August 2002, Nenette Day walked into the Ashoka, one of the city's best hotels, for a meeting with Shekhar Verma. Verma had been fired from his job at Geometric Software Solutions Ltd. (GSSL), an outsourcer in Bombay. He allegedly claimed to have the source code for SolidWorks Corp.'s 3-D computer-aided design package, which GSSL was debugging. Verma had contacted a number of SolidWorks' competitors and offered to sell them the source code. Day, an American, had taken the bait and flown to New Delhi. After confirming that what Verma possessed was indeed SolidWorks' source code, Day began negotiating on price, eventually bargaining him down to $200,000 for the code. The deal was struck, and Day got up and left the room. Then agents from India's Central Bureau of Intelligence (CBI) swept in and arrested Verma. Day wasn't arrested -- she's actually a special agent from the FBI's Boston Cybercrime Unit and had gone undercover to work with the CBI on this case, the first undercover operation for the FBI in India.

The arrest led to the first prosecutorial filing for outsourcing-related intellectual property theft in India, in a case that may come to trial before year's end. Given that software outsourcing was a multibillion-dollar business in India last year, the trial will likely draw close scrutiny from both sides of the world. Sound like an open-and-shut case? Day herself isn't nearly so confident. "With no case precedents, the reality is we have no idea how this plays out under their law," she says. Day also says that Verma made two small mistakes (she declines to specify them), without which he could have already gotten off scot-free, and that after a full week in India working with the prosecutors this fall, Day still doesn't understand the applicability of at least one of the critical charges.

Intellectual property, if stolen, "is a genie that can't be put back in the bottle," says Day. Currently, she says, "there is really no law to protect American companies' intellectual property."

U.S. companies need to think seriously about what that means. Consulting firm McKinsey & Co. estimates that by 2010, the U.S. IT industry will save $390 billion through offshore outsourcing of software development. But that trend also opens up new channels of industrial espionage in bitterly poor nations that often don't have laws protecting foreign companies and rarely enforce whatever laws may exist. India, obviously eager to protect its national income earned through outsourcing, is scrambling to demonstrate that it takes foreign intellectual property seriously. Some observers say that other countries vying for outsourcing dollars are even worse when it comes to providing legal protection for intellectual property. Court cases are still relatively hard to find, but that's about to change. Smart companies need to re-examine their outsourcing contracts and make sure they aren't at risk of becoming the test cases.

In the Jungle

It would be wildly speculative to suggest that the SolidWorks case will even slow the bullet train of offshore outsourcing of software development. India's National Association of Software & Service Companies (Nasscom) alone expects its outsourcing business to surge more than 28% this year (38% worldwide for higher-level business process outsourcing, according to Gartner Inc.). India's IT sector exported $10 billion worth of goods and services last year and projects that it will reach $21 billion to $24 billion in 2008. Meanwhile, Forrester Research Inc. estimates that in the next 12 years, 3.3 million IT jobs will leave the U.S. and go overseas. These trends won't be reversed because of one case of an employee gone bad. "This is dealing with a rogue employee who left and stole information. That happens everywhere," says William B. Bierce, a partner at Bierce & Kenerson, a New York law firm that specializes in outsourcing and international business law.

The key question, of course, is the real degree of risk U.S. companies face. If intellectual property theft cases are hard to find in overseas courts, doesn't it stand to reason that CIOs and chief security officers are doing a decent job of protecting corporate intellectual property assets? Dean Davison, an analyst at Meta Group Inc., emphasizes that he almost never hears complaints about intellectual property theft and in general doesn't hear horror stories about overseas outsourcing. On the other hand, Elliot Turrini, an attorney at McElroy, Deutsch & Mulvaney, sounds much more dire. "Intellectual property is a legal fiction we've created to ensure a return on investment and promote the arts and sciences," he says. In countries with less developed laws, Turrini says, "basically, you're wide open."

Anecdotally, there are additional examples of intellectual property spats overseas. Davison does say he's aware of one case where a U.S. company outsourced product design to an Indian firm, which successfully completed the project and then turned around and used the code to create a version for the Indian market. The U.S. company didn't care because it had no interest in the Indian market. Another case is currently pending in India. Legato Systems Inc., a maker of storage software, has alleged that eight of its former employees in India took some of its intellectual property with them when they went to a competitor. Legato declined to comment on the action publicly, though one of its officials told an Australian publication in February that his personal opinion was to recommend against future offshoring in countries without better legal protections.

The irony: While these intellectual property theft cases are from India, that country actually has a much better cultural and legal climate for intellectual property protection than many other nations offering offshore coding. Observers say India generally seems to respect intellectual property, as compared with China or Russia, for example. Consider those nations' records regarding piracy of shrink-wrapped software and of copyrighted materials such as movies and music.

Indeed, Indian prosecutors in the SolidWorks case appear to have decided to charge Verma in part to establish firmer support for intellectual property rights. India doesn't have laws against trade theft, so prosecutors filed charges against Verma under a general civil theft law, with a secondary charge of criminal breach of trust against his employer, GSSL. Another charge, pertaining to copyright law under India's recently enacted IT Act, was added later. But despite being caught red-handed, Verma might well win his case. Because the source code didn't belong to GSSL, technically, Verma didn't steal from an Indian company. Thus, India's laws don't necessarily apply. It's a frustrating situation for U.S. law enforcement officials. As Day says, "How can he steal something from GSSL when they don't own it and when the nondisclosure breach of trust was signed between him and SolidWorks?"

Those are fine questions, and U.S. companies should look closely at the way the Indian courts and government respond to them.

Nondisclosure works well in the U.S., which has laws like the Industrial Espionage Act of 1996, which makes it a criminal offense to steal trade secrets. But the law doesn't apply to non-U.S. citizens acting outside U.S. borders. However, Bierce says that India's reaction is already reassuring for U.S. companies. "Even if [the prosecutor] doesn't win, he's inspired fear," Bierce says. He also says that if prosecutors lose the case, they'll almost certainly complain that India's existing legal structures aren't sufficient. He predicts that "some bright, young legislator will propose a new, more specific law."

The Finer Points of Law

Perhaps. Then again, it may be a long wait. Many observers still say that too few U.S. companies worry about intellectual property theft when they send software development overseas and that those that do fret don't make sufficient efforts to protect themselves contractually. Why the Alfred E. Neuman-like serenity? In the case of India, which by some estimates has about 90% of the market for offshore software outsourcing, it's largely because the country is a member of the World Trade Organization and adheres to its intellectual property add-on, Trips (Trade-Related Aspects of Intellectual Property Rights). In addition, several of the largest Indian outsourcing companies are incorporated in the U.S. and can be sued here. But Trips protections still must be enforced locally, and no countries prominent in software outsourcing have local laws covering theft of trade secrets.

"Complying with Trips is a starting point, but plenty of countries have signed Trips agreements. China is one of them, but there are plenty of examples of piracy or misappropriation of design by Chinese firms," says Michael Murphy, an attorney at Shaw Pittman. Trips signers or not, if a country's businesses don't respect property, the courts are unlikely to enforce laws. Several sources interviewed for this article agreed, though not for attribution, that China regards intellectual property -- especially that of foreigners -- as communal property.

Despite its near-miss on source code, SolidWorks has no plans to stop outsourcing to India. It won't even change business partners. It has worked closely with GSSL for more than six years and has had the company do its debugging for the past five.

"It's been a very good relationship for us," says Holly Stratford, vice president and general counsel at SolidWorks. "We think it's very cost-efficient, and it's a talented group of people. At times, they've been almost a virtual office of ours."

Instead, both companies underwent intensive internal security analyses, Stratford says. "We obviously reviewed with them what their procedures were that made this possible, and they instituted a lot of revised procedures," most of which she won't disclose, though she does note that GSSL won't let employees take home source code to work on anymore. SolidWorks also has substantially changed its security procedures for U.S. workers, ranging from the way it handles access codes and office security to what it makes available on servers for remote workers. Stratford says this might inconvenience some employees, but they don't grumble much about it. She says the prompt response by the FBI and India's CBI quickly addressed SolidWorks' main concern, which was making sure it got its source code back. After the sting, all the copies of the source code were recovered from Verma's quarters. As for any strain in relations, Stratford says matter of factly that "the reality is, everybody has the same issue with their own employees." To her, a potential landmark case serves mostly as "a wake-up call."

The truth is, SolidWorks got lucky. Verma allegedly contacted several competitors; only one of them told SolidWorks that its source code was up for sale.

Praba Manivasager, CEO of Renodis, an offshore advisory firm, says he expects the Indian government to move quickly in passing stronger intellectual property laws, with the full support of Nasscom, India's main software association and a powerhouse lobbyist in that country.

Manivasager notes that the Indian government is already working to change its reputation of being guarded and difficult to work with, both because the country is competing with China for overseas investment and because existing business investors were nervous about India's near-war with Pakistan two years ago. "It's actually overhauled a lot of international policies to help foreign investors come into India," he says. "This case could serve as a landmark case, but it will most likely solidify what we are seeing, which is more and more support for international business. The Indian government has a lot to lose" if it doesn't take the case seriously, he adds.

The Diligence That's Due

Laws or no laws, many believe it would help if U.S. companies would treat offshore software outsourcing with greater care. Many companies looking to farm out their development work care only about dollar savings and can be sloppy about everything else.

Ken Pfeil, CSO at Capital IQ, says the SolidWorks theft case should ring alarm bells at every company that wants to outsource. "You really have to dig on due diligence," he says. "[Require] background checks on employees, look at the company history and financial stability, look at their retention rates for employees." Turrini, the lawyer, recommends putting someone with deep pockets on the hook. For instance, insist on indemnification agreements with the outsourcing provider, and make sure that provider has substantial assets in the U.S., just in case. Failing that, he recommends getting insurance for source code.

While those steps might sound straightforward, companies often fail to take even basic steps to check on potential suppliers, according to Bill Malik, who spent 11 years as an analyst at Gartner before becoming chief technology officer at Waveset Technologies Inc. He declines to name names but says that "people far too often don't do their due diligence. I've seen organizations that just want to take a pass on the whole thing. They just want to outsource development to the cheapest vendor."

1 2 Page 1
Page 1 of 2
It’s time to break the ChatGPT habit
Shop Tech Products at Amazon