First let me disclose that I am not a lawyer. The legalities of Intellectual Property (IP) protection and enforcement are complex and expensive. Whenever a legal question arises in the course of our business I defer completely to our lawyers. It happens often and we spend a considerable amount to retain a top notch law firm to draft contracts, review agreements, to counsel us on what level of risk we’re exposing ourselves to in various situations, and to provide risk mitigation strategies.
Keep in mind, you can sue anyone for any reason. And vice versa. The case may be without merit, but the parties will need to fund the legal battle. None of the below techniques, alone or in combination, will ensure 100% protection against IP infringement. But if applied together then your risk exposure to theft of intellectual property is greatly decreased.
There are many precautions you can take to protect the intellectual property of your digital products.
Non Disclosure Agreements (NDA)
When interviewing an agency to help with your software, or when exposing the inner workings of your software to an external party, always sign an NDA before getting too deep in the weeds. An NDA is not necessary for high level discussions about the software such as whether there’s a fit between you and the agency. But once you determine there’s a fit, insist on the NDA. That’s your first level of basic protection where the party that receives confidential information assures that it will not disclose that confidential information to others. There are exceptions where disclosure is coerced on the receiving party, such as when parties are subpoenaed by law enforcement agencies or as part of lawsuits. Typical NDAs allow for that type of cooperation in legal issues. If they don’t, the law trumps your written documents anyway.
If the NDA is violated then it sets the terms of recourse by the disclosing party who has been damaged. And by “terms of recourse” I mean that the party violating the NDA is subject to financial penalties and legal action.
Work under a contract
My lawyer tells me all the time that a contract isn’t meant for when a project or client relationship is going great. During good times people pretty much forget that a contract exists. Rather, the contract is needed for when everything falls apart. When that happens the terms and conditions established in the contract could be enforced. Those terms include clauses like confidentiality restrictions, intellectual property assignments, penalties for non performance, and selection of venue (where a court case would be heard in person).
Always work under a contract. Your agency should have a standard contract they use. If they don’t then strongly question their organizational maturity and whether they are a fit for your project.
Again, I’m not a lawyer, but from my research on this topic and my understanding as a person that runs a software agency, I’ve found that the following applies to IP assignments.
The creator of the new work is automatically, and by default, assigned the intellectual property rights to that work. That means that the individual software developer who creates the code gets IP rights by default.
If the software developer is paid by someone to write the code then the person/entity paying automatically receives a lifetime license to use the creation. They do not, however, hold the IP assignment…just the right to use it. But that right extends into perpetuity. Only the creator has the right to leverage that IP as they desire (ex: sell it, extend it, protect it).
As a condition of employment at Array Digital, all software developers assign their IP to the company. As part of the company’s with clients, we automatically assign the IP to the client. You will want a similar assignment with whoever you contract with unless there is a business reason to do otherwise.
A copyright notice isn’t required in order to enforce the copyright that’s granted to the creator or assigned. But it’s a good deterrent and should be used liberally on works protected by IP.
We add copyright notices to the footer of the websites we create, and in various places in other software products we create. The copyright notice is in the format “© [year] [legal entity name]”, ex: “© 2017 Array Digital, LLC”. You can add an “All rights reserved” statement afterwards as well, but we don’t by default because the statement gets quite lengthy and stuffy.
Restrict access to the source code
Keep your source code in a private repository. “Repository” is the name for the place where the code is stored and the history of changes is recorded. Use either an internal repository on a company server or, as is more commonly done these days, a private repository online in a system such as GitHub. Keeping the code online provides efficiency for the team, but the tradeoff is that you must take measures to restrict access to the source code repository.
We use GitHub exclusively and have for years, but there are many other similar systems (ex: Bitbucket, GitLab) that each provide similar protections. We keep a private organization with access restricted to only those on our team. Each project is further protected with permissions given to individual team members on a “need to know” basis.
We also require that each team member who has access to our repositories uses Two Factor Authentication (TFA). TFA requires that when a person logs into the system with a valid username and password, they must additionally verify a one-time code sent to the account’s mobile phone on record. There are other forms of TFA, but the technique is the same – to use another previously verified device to verify the current access request to the system. This greatly reduces the chances of unauthorized access to the IP contained in the repository.
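The three controls described in this section (private repositories, per-project "need to know" permissions, and mandatory two factor authentication) can be checked together in a periodic access review. The sketch below is an added example, not Array Digital's own tooling; the record layout, the user and repository names, and the approved roster are all constructed assumptions rather than a real GitHub export format.

```python
# Constructed sample data; field names are assumptions, not a GitHub export format.
MEMBERS = {
    "alice": {"two_factor": True},
    "bob": {"two_factor": False},
    "carol": {"two_factor": True},
}
REPOS = [
    {"name": "client-portal", "private": True,
     "collaborators": {"alice": "admin", "bob": "write", "mallory": "read"}},
    {"name": "marketing-site", "private": False,
     "collaborators": {"carol": "write"}},
]
# Need-to-know roster: who is approved for each project, and at what level.
APPROVED = {
    "client-portal": {"alice": "admin", "bob": "read"},
    "marketing-site": {"carol": "write"},
}
LEVEL = {"read": 1, "write": 2, "admin": 3}


def audit(members, repos, approved):
    """Return (repo, user, issue) tuples for every access-policy violation."""
    findings = []
    for repo in repos:
        name = repo["name"]
        if not repo["private"]:
            findings.append((name, None, "repository is not private"))
        roster = approved.get(name, {})
        for user, granted in sorted(repo["collaborators"].items()):
            if user not in members:
                # Outside accounts bypass the organization's 2FA requirement.
                findings.append((name, user, "not an organization member"))
                continue
            if not members[user]["two_factor"]:
                findings.append((name, user, "two factor authentication disabled"))
            allowed = roster.get(user)
            if allowed is None:
                findings.append((name, user, "not on the need-to-know roster"))
            elif LEVEL[granted] > LEVEL[allowed]:
                findings.append((name, user, f"has {granted}, approved for {allowed}"))
    return findings


if __name__ == "__main__":
    for repo, user, issue in audit(MEMBERS, REPOS, APPROVED):
        print(f"{repo}: {user or '-'}: {issue}")
```
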
Treat source code as a trade secret
The source code has an “economic value” not generally known or understood by the public. Thus you need to take the same measures to protect source code as you would for any other trade secret such as a client list or company financials.
As an example: create written internal policies that state who in your company is approved to release source code to others, and document the approval process. Also, wherever possible proclaim your IP protection via copyright statements as previously discussed. These various steps are referred to as your trade secret protection policy.
Patent the code
I’ve only been somewhat involved in this process. But we have provided source code to our clients’ lawyers in the past for the purposes of potentially filing for a patent on the source code. The aspects that would be patentable are the business logic that is implemented. The modules, plugins, or frameworks that were imported as part of the project are not patentable by you because those come with their own copyright terms. That leads us to our next consideration.
Impact of leveraged code
Very rarely is software these days created from absolutely nothing. As software developers we import other developers’ open source or paid code as part of modules, frameworks, plugins, gems, etc. Different software platforms call leveraged (aka imported) code different terms, but the gist is the same. You don’t want to waste time and money building “plumbing”; you want to spend your time and money building the skyscraper. You can leverage code made by other developers to get the plumbing that’s required. Nowadays there are many open source projects that provide that low level plumbing, and each comes with its own copyright. Most open source copyrights allow for commercial use, whereas most paid software does not. Each copyright of leveraged code should be reviewed to ensure compliance with how you will be using the final product.
As an example, React is currently a popular module for modern websites. It’s a good technology, but there’s a legal consideration. It was created by Facebook and the copyright that Facebook placed on React allows anyone to use React unless the company is involved in litigation with Facebook. The moment that litigation with Facebook occurs, the other party’s rights to use React are withdrawn.
So, if you’re building software that could potentially be sold, and if a buyer could be in litigation with Facebook or a Facebook company (there are many now), then you could have a hard time selling your software. If litigation were to occur with Facebook then the software that uses React would be in immediate violation of the copyright. That means that the owner of the software is exposed to further litigation with Facebook – a giant with deep pockets – or that the company would have to scramble to rewrite their software with another framework.
Enforce your IP rights
Last, and least desired, is enforcing your IP rights. That means that you file a lawsuit against another person or company that you believe is infringing on your rights. This is an expensive option and you will pay your lawyers handsomely. It will also be a big distraction for you and your company, and will take away from the focus on normal operations.
I have been involved in a large lawsuit where my client brought the suit against a much bigger industry player. It took three years and hundreds of thousands of dollars to bring the suit which eventually ended with a settlement. My client had to partner with an investor in order to fund the lawsuit and protect his patent. But in the end it worked out in his favor.
Filing a lawsuit is typically a last resort and you need to make sure you have a solid foundation for the case. Again, it will become very expensive very quickly, so the return on that investment must be worthwhile.
There are many techniques you can use to protect your Intellectual Property rights. Most of these techniques involve a level of maturity as an organization, and a level of maturity in the agency you hire to work on your software. Start with paperwork – agreements, NDAs, confidentiality agreements – and be sure to restrict access to the source code and treat it as a trade secret. If warranted, file for additional protections such as patents and enforce your rights. As with most things in life, plan and protect what is worth protecting.