Protecting Data and IP when Outsourcing Offshore, cont.

What can you do to minimize / mitigate risks of IP loss with your outsourcing partner? Here are some tips to consider:

General

  • Learn, understand and keep yourself up to date on information security topics.
  • Do not outsource your crown jewels. If it’s at all possible, do not send any high-value IP work offshore.
  • Hold the offshore vendor, its employees and subcontractors to the same or higher standards of data and IP security as your own team.

Vendor search / RFP process

  • Include IP handling inquiries in your RFP process and in on-site visits.
  • Consider legal maturity and IP laws from a geopolitical point of view.
  • Check for signs of casual treatment. For example, during the site visit ask developers what they are working on, and so on. Your IP would at best be treated the way the vendor treats its current clients’ IP.

Contract / negotiation process

  • Make sure to include IP elements in the contract and have it reviewed by a legal team specializing in IP. My preferred approach is to engage the vendor on a “work for hire” basis and keep ownership of all IP, including IP produced during the engagement.
  • Make sure that required clauses are enforceable and flow down to downstream parties (employees, subcontractors, etc.). You can ask for specific language in chain-of-trust agreements and NDA documents.
  • Put excessive penalty clauses associated with IP loss in the contract. I also recommend including “right to inspect” and other control elements directly in the contract.
  • Decide on the level of additional security you need at the physical / infrastructure level, for example network separation, biometric locks, etc. Keep in mind that it usually comes with a notable price tag.
  • Align payments with deliverables and milestones. Allow time to verify deliverables before you pay for them.

Kick Off

  • Define policies and SOPs on data and IP handling and communicate them to the vendor, e.g. level of encryption, separation of duties, firewall policies, etc.
  • Consider investing in education and helping your vendor keep IP and data secure.
  • Consider an infrastructure approach under which none of the sensitive elements reside on the vendor side. For example, developers could perform all work on your network using terminal services over VPN.

Ongoing

  • Make sure that all information and artifacts produced by your vendor are physically copied to your location.
  • Test the integrity of the information delivered by the vendor. For source code my preferred method is continuous integration (CI) with unit / smoke tests running off local repositories.
  • Control / inspect / audit the guards you agreed to put in place.
  • Consider independent audits by a 3rd party.
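As an added example (not code from the original post), here is a small Python script illustrating the “copy locally, then verify integrity” step above: it hashes every file in a locally copied deliverable, compares the result against a manifest the vendor supplied with the delivery, and reports files that are missing, unexpected, or changed in transit. The manifest format (one `sha256  relative/path` line per file), the sample directory layout and the file contents are assumptions constructed for the demo; a real deployment would pair this with the CI and smoke tests the post recommends.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large deliverables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def format_manifest(manifest: dict) -> str:
    """Serialize a manifest as 'digest  path' lines (assumed vendor manifest format)."""
    return "\n".join(f"{digest}  {rel}" for rel, digest in sorted(manifest.items())) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse 'digest  path' lines; blank lines and '#' comments are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel.strip()] = digest.lower()
    return manifest


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Report paths the vendor listed but we lack, paths we have but the vendor did not
    list, and paths present on both sides whose digests differ."""
    exp, act = set(expected), set(actual)
    return {
        "missing": sorted(exp - act),
        "unexpected": sorted(act - exp),
        "modified": sorted(p for p in exp & act if expected[p] != actual[p]),
    }


def deliverable_is_intact(report: dict) -> bool:
    """True only when no discrepancy of any kind was found."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: a vendor manifest built from a clean tree, then the local
    copy drifts (one file edited, one missing, one extra) before verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "README.txt").write_text("vendor build 1\n")
        # The vendor ships this manifest alongside the deliverable (simulated here).
        vendor_manifest_text = format_manifest(build_manifest(root))
        # Simulated drift between what the vendor listed and what arrived locally.
        (root / "src" / "main.c").write_text("int main(void) { return 1; }\n")
        (root / "README.txt").unlink()
        (root / "src" / "extra.bin").write_bytes(b"\x00")
        return compare_manifests(parse_manifest(vendor_manifest_text), build_manifest(root))


if __name__ == "__main__":
    result = demo()
    print("intact:", deliverable_is_intact(result))
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
```

The manifest should travel over a channel independent of the deliverable itself (or be signed), otherwise whoever alters the files can alter the manifest to match; the comparison only tells you whether what arrived equals what the vendor claimed to send.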

Termination

  • Plan / define termination procedures when establishing the contract.
  • Use appropriate InfoSec processes and procedures to close accounts, revoke privileges, destroy media, etc.
  • And make sure that you part on good terms.

Protecting Data and IP when Outsourcing Offshore

Securing data when working offshore is a well-known yet very challenging task. It’s especially serious if your company deals with financial or private data, such as ePHI (electronic protected health information). In some ways, though, data protection in an offshore scenario, while complex, is a straightforward task, especially for companies that are used to that kind of challenge in-house. Protecting Intellectual Property (IP) takes the challenge to a completely new level.

The risk of losing IP through offshore outsourcing is serious and real. I would venture to say that the overall price tag of IP loss in offshore outsourcing is measured in billions. For example, a friend of mine found himself out of a job after an IP ordeal with an outsourcing company in Eastern Europe. He was responsible for a product line in the developer tools space in the late nineties. He found and hired a group of very talented engineers from Byelorussia. The requirements came from the USA and development work was done 100% offshore. Source control and the document repository were maintained offshore, which seemed to be the right approach considering the aggressive nature of the project and the weak communication infrastructure. Cutting to the chase: when it came to transferring the finished product into the hands of the owner, the team in Byelorussia simply refused to do so. Initially they asked for some ridiculous amount of money, but later dropped out of negotiations, re-branded the product and took it to market themselves…

To mitigate the risk you first need to understand the channels of IP loss. Here are the main ones to consider:

  • There is a clear possibility of malicious / criminal acts involving your IP. Your product idea could be stolen, repackaged and sold by the very partner you have entrusted it to. Not just the idea: the source code, processes and documentation as well.
  • An even more probable scenario arises when a disgruntled or “entrepreneurial” employee of your vendor takes advantage of having access to your IP, source code, etc. Of course that could happen with your own staff; offshore just exacerbates the issue / increases the probability.
  • Immaturity of the vendor’s infrastructure (physical security, network security, etc.) could become the cause of massive IP loss / data exposure. Insufficient physical, network and data security opens up data and IP to hackers of all sorts.
  • Poor understanding of data and IP security and an insufficient or non-existent security policy framework have a similar effect, often with even more severe consequences.
  • Casual treatment of IP security by your vendor. I remember visiting one offshore outsourcer in Eastern Europe. During a tour of the facilities my guide brought me to an office which had a number of expensive physical guards in place. We still went inside and my guide started: “This is where we have a super secret project with a company I cannot name; they are a major search engine that rhymes with ‘frugal’, wink, wink. Those guys use our Ph.D.s to…”

What can you do to minimize / mitigate the risks of IP loss with your outsourcing partner? That will be the next post.