FAST - Federation Against Software Theft Investors in Software

Championing the professional management of software
and protecting members' rights

IT Law Today – Protecting IP in the Workplace

Introduction

Two strategic objectives should inform corporate IP protection: identifying and protecting the company’s own IP, and not infringing third party IP. With the advent of a computer on every desk and untrammelled access to the internet, so that content can be downloaded and uploaded easily, there has never been so much scope for infringement of third party rights, or for leakage of a company’s own rights and data.

To ensure protection there are two places to start. The first is with the IT department, who control access to the IT facilities and have a significant part to play in protecting company IP by:

  • Laying down policies for the use of IT;
  • Ensuring that information and soft-copy materials are backed-up and archived, and less able to be moved freely outside the company;
  • Policing the implementation of those policies.

The second starting point is with the workforce. For employees and contractors, protection can be secured through a combination of contractual obligations, internal codes of practice and training as to what is acceptable with company information.

Finally, data protection law permeates all of the IT functions of any business. This must be taken into account when implementing policies. The Information Commissioner provides guidance.

It is for management to lay the conditions under which the IT department and employees can operate, thereby ensuring that they are able to do their jobs efficiently with as little regulation as is commensurate with good practice.

What are the relevant IP Rights?

In the IT universe, of the panoply of IP rights, only two legal rights and one protection are of any major importance. These are the law of copyright (literally the exclusive right to copy) and the law of confidence, which deals with use and breach of confidential information. The law of copyright includes databases, and importantly, software is in general strongly protected by copyright, not in the main by patents. For some businesses database rights are critical, as protection can only be gained from the effort put into compiling and arranging the database, and not into the collection of the information itself. Copyright and database rights tend to be two-way issues: both not infringing third party rights and not giving away the company’s own rights. The law relating to confidential information tends to involve protecting the company’s own rights.

The one protection is data protection, where strict laws exist to protect computer-stored personal data from misuse. There is a statutory obligation with respect to personal data, and therefore management must implement a proper and lawful data management policy.

Other IP rights which companies may come across need to be protected as well (including patents, trademarks, passing off, and design rights), but they rarely impinge on the day-to-day office IT user.

The essence of the relevant IP Rights

Copyright is the exclusive right to control copying. For those involved in IT, the subject matter is primarily computer programs and content, such as the download of films and audio. The law is that copyright subsists in every original artistic and literary work. For present purposes it suffices that a computer program is a literary work, and content will consist of a mixture of literary works, artistic works, photographs, and broadcast content (audio and visual). The first owner of copyright is the maker of the work or his or her employer if the work was made under a contract of employment.

Ownership may be transferred by assignment. It is often noted by the use of the © symbol and the date, but this is not a legal requirement for protection. Copyright is long lasting; most works are protected for the life of the author plus 70 years.

Where an article or work is improved or added to, additional copyright will subsist in the improvement, provided that part is an original work, thus extending the protection period.

Infringement is by copying. In an office situation, most copying will be by download, which is more than merely transient. A copyist is a primary infringer, and the act of copying gives rise to the possibility of legal action including an injunction and damages. In the workplace the employer is generally vicariously liable for the acts of its employees, and therefore in a case brought in this instance, it will generally be the employer, who has the deeper pockets, who will be the target of any lawsuit.

In IT, the expanding use of open-source code in software development sometimes raises issues of breach of copyright. It is therefore crucial that the company is aware of what open-source software is in use, and that employees downloading or using these materials are aware of the licensing obligations that attach to them, as the obligation to release code may strike at the heart of the company’s business confidentiality strategy.

Confidential information or trade secrets form another valuable right. Know-how owned by a business should be kept confidential and only used for that purpose. Much effort and know-how goes into compiling computer programs to operate in-house IT systems, and much of that effort would be wasted and competitive advantage lost if the underlying know-how as to the operation of the business and its systems was freely conveyed to the public. Consequently, protection of confidential information is of real value.

Data, and in particular personal data, needs to be protected by law against unauthorised disclosure, subject to certain limited exceptions. Companies who determine the purposes and manner for which personal data are processed are supposed to lodge with the UK Information Commissioner a “data controller notification”: a description of the data being processed, why it is being processed, the recipients of any personal data being disclosed and the categories of data subjects to which the personal data relate. Generally that data should remain within the organisation, and not be shared with others without the consent of the subject. The recent high profile losses of personal data by large organisations have focused public sensitivity on this issue, and as a result, additional regulations, not yet in force, may result in criminal liability for this situation (www.opsi.gov.uk/acts/acts2008/ukpga_20080004_en_16).

Ensuring Protection

In the majority of businesses the most valuable assets are the employees. Employees go home at night, sometimes with their computers and memory sticks (small and easily misplaced); data and information get lost.

There are several ways of minimising the risk of IT and data leakage. The first is to have comprehensive contracts of employment including appropriate confidentiality provisions. Next, there should be a rigidly enforced practice of marking confidential documents as being confidential, and a code of practice and training to back it up to generate buy-in and understanding. Ideally, archiving confidential materials and storing them on site, rather than on laptop computers, would be the norm.

In relation to the copyright protection issue, the company’s own copyright works, including computer programs, can be protected by contracts of employment.

In general, any work created during employment is the property of the employer, though this should be ensured through specific contractual terms. Independent contractors should be required to sign assignments of copyright to ensure the company is the owner, as there is no “work for hire” doctrine in the UK whereby the copyright in commissioned software belongs to the commissioner and not to the author.

In addition it is always wise to ensure that the copyright symbol, date and identity of the copyright owner are marked on documents, programs and advertisements, to lay public claim to copyright.

Internal codes of practice, which should also be part of employment contracts, and the working conditions of contractors, must deal with what can be downloaded from the internet. Depending on the industry, there needs to be a list of forbidden downloads, including music, films and newspaper articles (unless there is a CLA and NLA licence), and a prohibition on use of shareware or related programs. At the same time it needs to be made clear that there is no such thing as personal use of an office computer. Whatever is on the computer should belong to the office as a condition of use, and there is therefore no expectation of privacy. For the company to ensure it is able to comply with its data protection obligations, such a term, which includes consent to access by the company, should be in the terms of employment and signed off by employees.

Protection by the IT department

There are two areas where the IT department should take the lead. The first is obvious: strong firewalls, passwords and other protections including encryption where required. Compliance with data protection legislation requires that personal data, when mobile, is properly encrypted, and failure to comply with this, resulting in loss of data, may in future result in criminal sanctions.

Prevention of unauthorised access over the net is a key priority, and encryption will help to minimise the data loss where computers or memory devices are stolen or lost. When computers are retired, hard disks should also be forensically wiped clean.

The second protection is to ensure that programs and downloads are properly licensed. This goes not only for fundamental programs like operating systems and for desktop tools (applications) including word processing software, but also for content that is copyright protected, such as newspaper archive materials and open-source code, which may have specific licensing conditions attached in connection with the re-release of code.

Summary

By following these sensible rules, a business should be able to keep out of trouble and out of court. Much is good housekeeping, and remembering that ‘free’ is often too good to be true. Employees, managers and the IT department have to buy into the concept of protection and rules must be laid down, understood, bought into by employees and enforced. All stakeholders have an interest in getting it right, and there is little cost to doing so.

Larry Cohen, Partner
Latham & Watkins (London) LLP

Federation Against Software Theft Legal Advisory Group member (FLAG)

Julian Heathcote Hobbins
General Counsel & Deputy Chairman, FLAG

www.fastiis.org/guidance/legal

© 2010 – The Federation Against Software Theft