• United States



Offshore Outsourcing: Big Savings, Big Risk

Nov 01, 200313 mins
Data and Information SecurityIT LeadershipOutsourcing

U.S. companies continue a pell-mell rush into offshore outsourcing of software development. Those that haven't stopped to look at global intellectual property law are in for a big surprise.

The StingOn a typically steamy New Delhi day in late August 2002, Nenette Day walked into the Ashoka, one of the city’s best hotels, for a meeting with Shekhar Verma. Verma had been fired from his job at Geometric Software Solutions Ltd. (GSSL), an outsourcer based in Bombay. He claimed to have the source code for SolidWorks Plus’s 3-D computer-aided design package, which GSSL was debugging. Verma had contacted a number of SolidWorks’ competitors and offered to sell them the source code. Day, an American, had taken the bait and flown to New Delhi. After confirming that what Verma possessed was indeed SolidWorks’ source code, Day began negotiating on price, eventually bargaining him down to $200,000 for the code. The deal struck, Day got up and left the room. Then agents from India’s Central Bureau of Intelligence (CBI) swept in and arrested Verma. Day was not arrested

she is actually a special agent out of the FBI’s Boston Cybercrime Unit and had gone undercover to work with the CBI on this case, the first undercover operation for the FBI in India.

The arrest led to the first prosecutorial filing for outsourcing-related intellectual property (IP) theft in India, in a case that may come to trial before year’s end. Given that software outsourcing was a multibillion-dollar business in India last year, the trial will draw close scrutiny from both sides of the world. Sound like an open-and-shut case? Day herself is not nearly so confident. “With no case precedents, the reality is we have no idea how this plays out under their law,” she says. Day also says that Verma made two small mistakes (she declines to specify them) without which he could have already gotten off scot-free, and that after a full week in India working with the prosecutors this fall, Day still doesn’t understand the applicability of at least one of the critical charges.

Intellectual property, if stolen, “is a genie that can’t be put back in the bottle,” says Day. Currently, she says, “there is really no law to protect American companies’ intellectual property.”

U.S. companies need to think seriously about what that means. Consulting company McKinsey estimates that by 2010, the U.S. IT industry will save $390 billion through offshore outsourcing of software development. But it also opens up new channels of industrial espionage in bitterly poor nations that often don’t have laws protecting foreign companies and rarely enforce whatever laws may exist. India, obviously eager to protect its national income from outsourcing, is scrambling to demonstrate that it takes foreign intellectual property seriously. Some observers say that other countries vying for outsourcing dollars are even worse when it comes to providing legal protection for intellectual property. Court cases are still relatively hard to find, but that’s about to change. Smart companies need to reexamine their outsourcing contracts and make sure that they aren’t at risk of becoming the test cases.The JungleIt would be wildly speculative to suggest that the SolidWorks case will even slow the bullet train that is offshore outsourcing of software development. The National Association of Software & Service Companies (Nasscom) alone expects its outsourcing business in India will increase by 26 percent to 28 percent this year (Gartner predicts even faster growth for higher-level business process outsourcing worldwide). India’s IT sector exported $10 billion worth of goods and services last year, and projects it will reach $21 billion to $24 billion in 2008. Meanwhile, Forrester Research estimates that in the next 12 years, 3.3 million IT jobs will leave the United States and go overseas. These trends won’t reverse because of one case of an employee gone bad. “This is dealing with a rogue employee who left and stole information. That happens everywhere,” says William B. Bierce, partner in Bierce & Kenerson, a New York law firm specializing in outsourcing and international business law.

The key question, of course, is the real degree of risk U.S. companies face. If overseas IP theft court cases are hard to find, doesn’t it stand to reason that CIOs and CSOs are doing a decent job of protecting corporate IP assets? Dean Davison, vice president and director of outsourcing and service provider strategies at Meta Group, emphasizes that he almost never hears complaints about IP thefts, and in general doesn’t hear horror stories about overseas outsourcing. On the other hand, Elliot Turrini, an attorney with McElroy, Deutsch & Mulvaney, sounds much more dire. “Intellectual property is a legal fiction we’ve created to ensure a return on investment and promote the arts and sciences,” he says. In countries with less developed laws, Turrini says, “Basically you’re wide open.”

Anecdotally, there are additional examples of IP spats overseas. Davison does say he’s aware of one case where a U.S. company outsourced product design to an Indian firm, which successfully completed the project, then turned around and used the code to create a version for the Indian market. The U.S. company didn’t care because it had no interest in the Indian market. A third case is currently pending in India. Legato Systems, a maker of storage software, has alleged that eight of its former employees in India took some of its intellectual property with them when they went to a competitor. Legato declined to comment on the action publicly, though one of its officials, speaking as an individual, told an Australian publication in February that he would recommend against future offshoring in countries without better legal protections.

The irony: While these IP theft cases are from India, that country actually has a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Observers say India has a culture that generally seems to respect intellectual property, as compared with China or Russia, for exampleconsider those nations’ records regarding piracy of shrink-wrapped software and of copyrighted materials such as movies and music.

Indeed, Indian prosecutors in the SolidWorks case appear to have decided to charge Verma in part to establish firmer support for IP rights. India does not have laws against trade theft, so prosecutors filed charges against Verma under a general civil theft law, with a secondary charge of criminal breach of trust against his employer, GSSL. Another charge, pertaining to copyright law under India’s recently enacted IT Act, was added later. But despite being caught red-handed, Verma might well win his case. Because the source code didn’t belong to GSSL, technically, Verma didn’t steal from an Indian company. Thus India’s laws don’t necessarily apply. It’s a frustrating situation for U.S. law enforcement officials. As Day says, “How can he steal something from GSSL when they don’t own it? And when the nondisclosure breach of trust was signed between him and SolidWorks?”

Those are fine questions, and U.S. companies should look closely at the way the Indian courts and government respond to them.

Nondisclosure works well in the United States, which has laws like the Industrial Espionage Act of 1996, which makes it a criminal offense to steal trade secrets. But the law does not apply to non-U.S. citizens acting outside U.S. borders. Bierce, though, says India’s reaction is already reassuring for U.S. companies. “Even if [the prosecutor] doesn’t win, he’s inspired fear,” he says. He also says that if prosecutors lose the case, they’ll almost certainly complain that India’s existing legal structures are not sufficient. Bierce predicts that “some bright, young legislator will propose a new, more specific law.”The Fine PrintPerhaps. Then again, it may be a long wait. Many observers still say too few U.S. companies worry about intellectual property theft when they send software development overseas, and that those that do fret nevertheless don’t make sufficient efforts to protect themselves contractually. Why the Alfred E. Neuman-like serenity? In the case of India, which by some estimates has about 90 percent of the market for offshore software outsourcing, it’s largely because the country is a member of the World Trade Organization and adheres to its intellectual property add-on, Trips (Trade-Related Aspects of Intellectual Property Rights). In addition, several of the largest Indian outsourcing companies are incorporated in the United States and can be sued here. But Trips protections still must be enforced locally, and no countries prominent in software outsourcing have local laws covering theft of trade secrets.

“Complying with Trips is a starting point, but plenty of countries have signed Trips agreements. China is one of them, but there are plenty of examples of piracy or misappropriation of design by Chinese firms,” says Michael Murphy, an attorney at Shaw Pittman in Los Angeles. Trips signers or not, if a country’s culture does not respect property, the courts are unlikely to enforce laws. Several sources interviewed for this article agreed, though not for attribution, that China regards intellectual propertyespecially that of foreignersas communal property.

Despite its near miss on source code, SolidWorks has no plans to stop outsourcing to India. It won’t even change business partners. It has worked closely with GSSL for more than six years, and has had the company do its debugging for the past five.

“It’s been a very good relationship for us,” says Holly Stratford, vice president and general counsel for SolidWorks. “We think it’s very cost efficient, and it’s a talented group of people. At times they’ve been almost a virtual office of ours.”

Instead, both companies underwent intensive internal security analyses, Stratford says. “We obviously reviewed with them what their procedures were that made this possible, and they instituted a lot of revised procedures,” most of which she won’t disclose, though she does note that GSSL won’t let employees take home source code to work on it anymore. SolidWorks also has substantially changed its security procedures for U.S. workers, ranging from the way it handles access codes and office security to what it makes available on servers for remote workers. She says this might create some inconvenience for employees, but they don’t grumble much about it. Stratford says the prompt response by the FBI and India’s CBI quickly addressed SolidWorks’ main concern, which was making sure it got its source code back. After the sting, all the copies of the source code were recovered from Verma’s quarters. As for any strain in relations, she says matter of factly that “the reality is, everybody has the same issue with their own employees.” To her, a potential landmark case serves mostly as “a wake-up call.”

The truth is, SolidWorks got lucky. Verma allegedly contacted several competitors; only one of them told SolidWorks that its source code was up for sale.

Praba Manivasager, CEO of Renodis, an offshore advisory firm, says that he expects the Indian government to move quickly in passing stronger intellectual property laws, with the full support of Nasscom, India’s main software association and a powerhouse lobbyist in the country.

Manivasager notes that the Indian government is already working to change its traditional reputation of being guarded and difficult to work with, both because the country is competing with China for overseas investment and because existing business investors were nervous about India’s near-war with Pakistan two years ago. “It’s actually overhauled a lot of international policies to help foreign investors come into India,” he says. “This case could serve as a landmark case, but it will most likely solidify what we are seeing, which is more and more support for international business. The Indian government has a lot to lose” if it doesn’t take the case seriously, he adds.The Closing ArgumentLaws or no laws, many believe it would help if U.S. companies would treat offshore software outsourcing with greater care. Many companies looking to farm out their development work care only about dollar savings and can be sloppy about everything else.

Ken Pfeil, CSO at Capital IQ, says the SolidWorks theft case should ring alarm bells at every company that wants to outsource. “You really have to dig on due diligence,” he says. “[Require] background checks on employees, look at the company history and financial stability, look at their retention rates for employees.” Turrini, the lawyer, recommends putting someone with deep pockets on the hook. For instance, insist on indemnification agreements with the outsourcing provider, and make sure that provider has substantial assets in the United States just in case. Failing that, he recommends, get insurance for source code.

While those steps might sound straightforward, companies often fail to take even basic steps to check on potential suppliers, according to Bill Malik, who spent 11 years as an analyst at Gartner. He declined to name names but said that “people far too often don’t do their due diligence. I’ve seen organizations that just want to take a pass on the whole thing. They just want to outsource development to the cheapest vendor.”

Usually, such hasty decisions are driven by the need to keep up profits and revenue. Looking at short-term financial gains is a huge mistake, Malik says, and cases like the one unfolding in India show why.

Also ahead: a shift in the outsourcing market that will put intellectual property protection in the spotlight. The first wave of software outsourcing has focused on application development and maintenance, both of which have fairly contained levels of risk, outside of the odd rogue employee like Verma. But as companies move more and more types of software development overseas, such as databases and other packaged applications, they need to think about what kind of data they make available for testing. Also, Nasscom members are aggressively seeking out higher-end business process outsourcing (BPO) opportunities, such as call centers and claims processing. India did more than $1.2 billion in this type of work last year and expects to generate $16 billion in revenue from BPO in 10 years. These kinds of applications create thorny issues about personal data protection for U.S.-based customers.

Legal eagles such as Bierce say that India and other nations interested in drawing more high-end software work such as BPO need to adopt laws that protect personal information when it’s transferred from other countries. “Software development is easyyou don’t have data protection problems until you start populating a database,” Bierce says. He notes that Nasscom is working on such a law, though it failed to generate one in a similar effort several years ago. The push for call centers, claims processing and other back-office work means that U.S. companies must reassess what’s at stake. As offshore vendors deal more and more often with customers and specific customer data, the potential for abuse rises.