Reprinted with permission from the January 2004 issue of the Intellectual Property & Technology Law Journal.

Transcription

1 Reprinted with permission from the January 2004 issue of the Intellectual Property & Technology Law Journal.

2 Beyond the NDA: Digital Rights Management Isn t Just for Music By Adam Petravicius and Joseph T. Miotke Theft of proprietary information causes companies to lose billions of dollars each year. 1 Yet to compete effectively, companies often must share their most valuable secrets with third parties, even their fiercest competitors. Companies routinely enter into non-disclosure agreements (NDAs) when sharing their proprietary information but then forget about them shortly after they are signed, assuming that their information is fully protected by the NDA. However, there are a number of steps that companies should consider taking to protect their proprietary information after signing an NDA. These steps range from simple steps, such as marking information appropriately, to sophisticated technological solutions, such as using digital rights management (DRM) software. Although a well-drafted NDA provides significant legal protection to a company s proprietary information, the best protection is often non-legal security measures. 2 Theft or misuse of information is often difficult to detect and even more difficult to prove. Legal remedies may be expensive and time-consuming to obtain and may not fully compensate a company for the harm that it suffers. On the other hand, a company may be able to implement security measures that minimize the risk of theft or misuse in the first place. The cost of these security measures is relatively low when compared to the staggering losses that could result from theft or misuse. Selective Disclosure The most effective method of preventing a third party from stealing or misusing proprietary information is not sharing the information with it. Although collaborating with a third party sharing some of a company s proprietary information, companies often disclose more information than they should. Once an NDA is signed, companies frequently engage in a free flow of information. Although the flow of information may be naturally limited to information relating Adam Petravicius is a partner in the Intellectual Property and Technology Practice of Jenner & Block LLP. His practice focuses on transactions involving intellectual property or technology, including licenses, strategic alliances and joint ventures, and outsourcing agreements. Joseph T. Miotke is an associate in the firm, focusing primarily on patent, trademark, trade secret, and copyright matters. to a particular project, little regard is given to whether the information is actually needed for the project. Before sharing its proprietary information, a company should carefully consider the scope of information that needs to be shared. This should be done both at the beginning of each relationship and periodically throughout the relationship. When doing so, a company should not just identify general categories of information to be shared but should identify the specific information in each category. For example, if a company decides to share its customer information, it may not be necessary to disclose customer names; names could be withheld or replaced with random, unique identifiers. One factor that should be considered when determining which information to share is the scope of protection provided by the relevant NDA. For example, if an NDA requires information to be protected for only a limited time, a company should consider whether information to be disclosed will have value beyond that time. When reviewing the scope of protection, a company should not just look at the duration of protection but also should look at terms regarding the handling of information. In some cases, a company may decide not to disclose certain information until the NDA is updated to protect the information adequately. A company may be able to make the process of selective disclosure more efficient by routinely categorizing its proprietary information in advance of disclosure. The categories to be used should be selected to guide decisions regarding disclosure. One or more categories may be used for information that should never be disclosed outside of the company. Other categories may be used for information that should not be disclosed unless certain conditions are met, such as written approval by specified individuals. Finally, categories may be used to identify information that can be freely disclosed as long as there is an appropriate NDA in place. Limiting the scope of information to be disclosed sometimes means that information cannot be disclosed in the form that it is usually kept. Instead, a company will need to prepare the information in a different form (e.g., by redacting unnecessary information). This is a big reason why companies often disclose more than they should; they simply disclose information in whatever form it exists at the time of disclosure. The costs of preparing information for disclosure Volume 16 Number 1 January 2004 Intellectual Property & Technology Law Journal 1

3 will need to be considered when determining what information will be shared. However, these costs are usually relatively small, especially for electronic information. Proper Marking Although it should go without saying, many companies fail to mark their proprietary information appropriately. 3 Yet companies may significantly reduce their risk of loss by taking the simple step of appropriately marking their proprietary information as confidential. Marking information will likely prevent it from being inadvertently stolen or misused (e.g., because the individual or company doing so did not realize the information was confidential). Perhaps more importantly, it deters intentional theft or misuse by making it difficult for an individual or company to claim ignorance about the confidential nature of the information after being caught. For individuals acting on their own, 4 intentional behavior may also be deterred by the real, or even perceived, increase in the likelihood of being caught because the markings may call attention to behavior that would otherwise go unnoticed. Finally, the terms of many NDAs require information to be marked in a certain way in order to be protected by the confidentiality provisions in the NDA. When marking its proprietary information, a company should do so in a manner that clearly and conspicuously identifies it as confidential. At a minimum, this should include a prominent placement of the word confidential or similar words on every page of information. A company should also consider adding its name or a project or code name next to the word confidential. Doing so eliminates confusion about the source of the information and the corresponding restrictions that go with it. For example, an employee who finds a document simply marked confidential may assume it belongs to the employee s own company (and not to the competitor with which the employee s company is collaborating). Although the employee will likely treat the information in accordance with the company s policies, this treatment may go far beyond what was permitted by the NDA between the company and the competitor and may never be detected by either the company or the competitor. The competitor could have avoided this situation by simply adding its name to the confidentiality legend. A company should consider additional ways to identify its information as confidential and distinguish it from any other company s confidential information. This may include using watermarks, colored ink or colored paper, or special bindings or containers. The more sensitive the information, the more a company should do along these lines. When considering additional ways to mark its information, a company should pay particular attention to one of the purposes discussed above, calling attention to improper behavior. For example, consider a confidential document that is required to be kept in a certain room. If the document is only marked by use of the word confidential in its header, then removing the document may be as simple as covering it with another piece of paper. Removing the document would be much more difficult if it is printed on red paper and bound in a red notebook with the word confidential appearing on the covers and sides of the binder and on the sides of the pages of the document itself. In addition to marking information as confidential, a company may wish to include markings that specify restrictions applicable to the information. In the red notebook example above, the document would be much better protected if it contained equally conspicuous markings indicating that the document was not to be removed from the specific room. If information is subject to numerous restrictions, it may be easier to include a reference to the applicable NDA or other document that identifies the relevant restrictions. However, referring to another document only works if the other document is actually read. As a result, it may be preferable to include all of the essential restrictions on the document itself, even if doing so requires attaching a separate instruction sheet (e.g., as a cover sheet). A company should take care not to mark information indiscriminately. It should avoid marking as confidential information that is in fact not confidential or of little value to it. By indiscriminately marking this type of information as confidential, a company may undermine the effectiveness of marking its truly confidential information and, as a result, lose the benefits of marking described above. For example, it may be difficult for a company to rely on a marking to prove that someone knew its information was confidential when the company has frequently put the same marking on publicly available information. 5 Perhaps more importantly, the individuals handling proprietary information (whether a company s own employees or the employees of a third party to which information is disclosed) may stop treating information as confidential simply because it is marked as confidential. Another form of marking that may be used for more sensitive information is to apply unique numbers or other identifiers to each copy of information that is disclosed (e.g., a unique number on each copy of a document). The individual recipients of each document should then be tracked using the document number or identifier. When done overtly, this may deter improper behavior by individual recipients because they realize that it may be easier to trace their improper behavior back to them. When done covertly, this may help a company discover, and therefore correct, the source of any 2 Intellectual Property & Technology Law Journal Volume 16 Number 1 January 2004

4 improper behavior after it has occurred. Covert markings include, for example, changing the wording of a document without changing its meaning so that each copy is worded slightly differently or adding dummy data or information (e.g., fake customer names or unused software code) to a document in a way that does not undermine the usefulness of the information. Access and Copy Controls Although an NDA may contain provisions that restrict access or copying, a company should also consider security measures that do the same. The most effective way to control access and copying is to retain control over the information. Sharing information does not necessarily require sharing control. For example, a company could keep its information at its own premises and require third parties to review the information there. The company could even provide workspace as needed. If it is impractical to keep the information at its own facilities, a company can still retain control of information that is given to a third party. For example, the company could require the third party to provide space for the information and allow the company to control access to that space. Alternatively, the company could install its own security devices at the third party s facilities. For example, if a company is sharing its proprietary software, instead of providing an installation disk and allowing the third party to install it, the company could deliver a computer with the software pre-installed. Not providing the installation disk may make it difficult for the software to be copied. The company can take further steps to prevent copying by removing all external drives, modems and network access cards from the computer and locking the case so that the hard drive cannot be removed and no drives can be added. The company could take steps to limit access by installing access controls on the computer such as password systems or hardware key devices. In any case, the company will likely need ongoing access to the third party s facilities to make its control over its information effective. If it is impractical for a company to retain actual control over its information, it should consider exercising control over how its information is handled. The language in most NDAs regarding the handling of information is very general. They usually contain a provision requiring information to be handled with a reasonable degree of care or in the same manner that the other party uses to handle its own information but often do not provide any further detail. In these cases, a company should consider providing additional instructions regarding how its information should be handled. In other words, a company should consider specifying what it believes is a reasonable degree of care. 6 These instructions may include, for example, keeping the information in a locked room or locked file cabinet. Documentation A company should keep a record of all of its proprietary information that it discloses to a third party. This record may be necessary to prevent the third party from misusing that information. For example, if a company is unable to demonstrate that it provided certain information to a third party, it may not be able to prevent the third party from using that information. The manner in which information is documented will depend on the type of information. Information in hardcopy or electronic form can be documented by keeping separate copies of all of the information that is shared. Alternatively, this information can be documented in a log that identifies by title or other unique identifier each item that was shared. Information that is disclosed orally or by observation (e.g., a plant visit) must later be described in writing. In fact, many NDAs require the information to be described in writing before it will be protected by the NDA. In all cases, the documentation should identify the date on which the information was disclosed and, if possible, to whom. In some circumstances, it may also be desirable to obtain written acknowledgement of receipt of the information. Return and Destruction Procedures A well-drafted NDA will include a provision to address how information should be handled at the end of a relationship. In most cases, the NDA will simply state that the information must be returned or destroyed. If an NDA allows information to be destroyed instead of returned, a company should consider specifying how the information should be destroyed. Some methods of destruction are more secure than other methods. For example, a third party may decide to destroy information by shredding it. However, confetti or cross-cut shredding is much more secure than simple strip shredding. 7 Shredding itself may be an insecure method of destruction. There are now commercially available services that use software to piece together shredded documents. 8 When information is transmitted or stored electronically, a company will need to give special consideration to how that information will be returned or destroyed at the end of a relationship. This information will likely be automatically copied numerous times by the computer systems through which it is transmitted or on which it is stored. For example, servers may automatically retain copies of s and computer networks are frequently backed up, creating multiple copies of any information stored on the network. Deleting files from a computer often does not physically remove the Volume 16 Number 1 January 2004 Intellectual Property & Technology Law Journal 3

5 information from the computer, making it possible to retrieve the information at a later time. To avoid these problems, a company may decide not to transmit information via and not to permit information to be stored on a network or otherwise backed up. For example, if information is stored on a single hard drive and never copied, then returning the information can be as simple as returning the entire hard drive. Destroying the information can be as simple as using a special software program that physically removes information from a hard drive, making it nearly impossible to retrieve. Another potential solution is to encrypt the information whenever it is transmitted or stored. Destroying the information can then be accomplished by destroying the encryption keys (which are needed to decrypt the information) without having to destroy every copy of the information itself (which is encrypted). Even though the information may still physically reside on a computer system, it cannot be accessed without the encryption keys and is, therefore, effectively destroyed. However, care must be taken to ensure that all copies of the keys are destroyed, which may present a similar set of challenges. There is also the risk that it becomes possible in the future to decrypt the information without the encryption keys. For example, a flaw may be discovered in the encryption method that was used or computer processing power may increase to the point that cracking the code becomes a trivial exercise. Employee Training Training its employees is a key step for a company to take to protect its proprietary information. A company may adopt policies to protect its information (such as those suggested in this article), but the policies are useless if its employees are not familiar with them or do not know how or when to apply them. A company must educate its employees on what the company considers to be proprietary information. If an employee does not know that certain information is considered proprietary, the employee will likely not follow any of the company s procedures regarding proprietary information when dealing with that information. A company must also educate employees on how to handle proprietary information. Whatever policies a company adopts, it should be sure that its employees understand how and when to implement them. When sharing information with a third party, a company should also consider requiring the third party to train its employees how to handle the company s information. The company s information may be subject to security procedures that are different from the third party s procedures and, therefore, are unknown or unfamiliar to the third party s employees. A company may also wish to train its own employees on the treatment of a third party s information. The more a company can demonstrate that it is taking steps to protect a third party s information, the more steps the third party may take to protect the company s information. Technology Solutions The suggestions identified above can be implemented without any special technology. However, there are a number of technological solutions that may make implementing those solutions easier or more effective. Protecting information in electronic form can be very challenging. The information can be copied or widely distributed at the click of a button, often inadvertently. Yet sharing information electronically is often the most practical or convenient way of sharing it, especially software, databases or large volumes of information. Encryption can be used to protect electronic information while it is transmitted or stored. However, encrypted information must eventually be decrypted to be shared. Once the information is decrypted, it is subject to all of the risks described above. This is not meant to suggest that encryption is not valuable; it can be very effective in preventing an unauthorized third party from gaining access to information (e.g., by intercepting an communication). Nonetheless, encryption does not prevent the intended recipient 9 (or an employee of the intended recipient) from copying or distributing the information. To fully protect electronic information, a company should consider using digital rights management (DRM) software. DRM software is commonly thought of as applying only to digital media such as music or movies. However, a number of companies are developing DRM software specifically for the purpose of protecting electronic information. DRM software protects information by creating access and copy controls that travel with the information, even if it is transmitted via . These controls determine whether the information can be viewed, copied, printed, or re-transmitted and by whom. They also can limit the number of times or length of time that information can be accessed. Some DRM software even allows the controls to be changed after the information is already distributed (e.g., to revoke access). DRM software also can keep detailed audit trails of how information was accessed or copied. Although the application of DRM software to electronic information is relatively new, a number of vendors are pursuing its development. There are several smaller vendors that focus on DRM software and that have developed commercial software packages, such as Authentica ( Liquid Machines ( and Sealed 4 Intellectual Property & Technology Law Journal Volume 16 Number 1 January 2004

6 Media ( The demand for this type of software also has attracted the attention of large vendors. Both IBM and Microsoft are reported to be developing this software for use by companies. Microsoft has reported that DRM software will be built into its Office 2003 applications, and IBM is integrating DRM software into some of its enterprise software. Other solutions that are similar to DRM software are also available. Several common software applications provide limited access and copy controls, such as Adobe Acrobat. Although the DRM functionality contained in these applications may not be as robust as in the software describe above, they may be sufficient for sharing certain information. There are also vendors that provide secure collaboration servers that allow companies to share their information online in a secure fashion, such as CYA Technologies ( These solutions allow information to be viewed online but prevent it from being downloaded, printed, or otherwise copied. For information that is shared in hardcopy form, information can be printed in a way that makes it difficult to make copies using a photocopy machine. For example, information can be printed in a red font on brown paper in such a way that a photocopy machine will not be able to make a legible copy. However, this method may not prevent a highquality color scanner (or a photocopy machine with similar capabilities) from making copies. To prevent this type of copying, a company should consider using paper with a special coating that prevents copying or scanning. Conclusion A well-drafted NDA is an essential first step to protecting a company s proprietary information, and the suggestions in this article are no substitute. However, companies should view an NDA as the first, and not the final, step in protecting their information. Companies must be vigilant in identifying and implementing additional steps for keeping their information confidential and for preventing others from misusing it. Notes 1. See PricewaterhouseCoopers, US Chamber of Commerce, and ASIS Foundation, Trends in Proprietary Loss, Survey Report (Sept. 2002). 2. This article is not intended to undermine or question the importance of a well-drafted NDA, which the authors believe to be essential when sharing proprietary information. Although a discussion of the terms of a well-drafted NDA is beyond the scope of this article, it should be noted that implementing some of the suggestions in this article may require the terms of the relevant NDA to account for such implementation. 3. See Trends in Proprietary Information Loss, supra. n For example, a company receiving confidential information may intend to comply with the terms of the relevant NDA. However, one of its employees may intentionally violate the terms of the NDA. 5. Ironically, there is often no benefit to marking such information as confidential because such information is typically excluded from the confidentiality provisions of an NDA. 6. In many cases, it may be preferable to include this type of detail in the NDA. However, it may be impractical to do so, especially if the relationship will be long-term or if it is difficult to anticipate the exact scope of information to be disclosed. 7. Strip shredding simply cuts documents into long, thin strips, usually along the length of the document. Crosscut shredding, however, cuts strips in both directions (i.e., along its length and width), producing confetti-like pieces. 8. See Douglas Heingartner, Picking Up the Pieces, N.Y. Times, July 17, 2003, available at 9. The intended recipient must necessarily be given the means to decrypt the information. Volume 16 Number 1 January 2004 Intellectual Property & Technology Law Journal 5