Founded By: | _ _______ Guardian Of Time | __ N.I.A. _ ___ ___ Are you on any WAN? are Judge Dredd | ____ ___ ___ ___ ___ you on Bitnet, Internet ------------------+ _____ ___ ___ ___ ___ Compuserve, MCI Mail, X / ___ ___ ___ ___ ___________ Sprintmail, Applelink, +---------+ ___ ___ ___ ___ ___________ Easynet, MilNet, | 31OCT90 | ___ ______ ___ ___ ___ FidoNet, et al.? | File 63 | ___ _____ ___ ___ ___ If so please drop us a +---------+ ____ _ __ ___ line at ___ _ ___ elisem@nuchat.sccsi.com Other World BBS __ Text Only _ Network Information Access Ignorance, There's No Excuse. SECTION III COMPUTER SECURITY CONTROLS AND THE LAW Guardian Of Time NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA Well I rushed to get this one out in time for Halloween, so here is part III of my series on Computer Security Controls, I hope that you will enjoy it. Lord Macduff, I hope you enjoy ALL of those VAX Manuals you are reading, and don't forget WRITE SOMETHING! NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA STANDARDS OF DUE CARE The follow the leader strategy of employing generally used controls in data processing is motivated in part by the legal concept of standards of due care. It is becoming possible to lose more in damages from a civil action such as a stockholders' suit or citizens' suit against the government after an accidental or intentionally caused act than directly from the act itself. Liability for the violation by a provider of computer services towards any other ( customer, data subject, affected third party, stockholder ) can arise through a conscious act of malice with intent to cause harm, through reckless disregard of the consequences to the person harmed or through negligent performance or failure to perform. For such liability to attach, a duty of care must be owed to the victim of the act. Once responsibility is established, the provider having the responsibility is requried to act as a prudent person. the action sof another person in the same position or the general practice of the computer services industry are useful in establishing the standard of care against which individual performance will be measured. However, industry practice is not a complete answer. In the TJ Hooper case, which concnerned the failure of a large tug boat operator to use radio receivers in 1932 to avoid inclement weather, Judge Learned Hand Stated: IS IT THEN A FINAL ANSWER THAT THE BUSINESS HAD NOT YET ADOPTED RECEIVING SETS? THERE ARE, NO DOUBT, CASES WHERE COURTS SEEM TO MAKE THE GENERAL PRACTICE OF THE CALLING (INDUSTRY) THE STANDARD OF PROPER DILIGENCE;... INDEED IN MOST CASES REASONABLE PRUDENCE IS IN FACT COMMON PRUDENCE, BUT STRICTLY IT IS NEVER ITS MEASURE; A WHOLE CALLING (INDUSTRY) MAY HAVE UNDULY LAGGED IN THE ADOPTION OF NEW AND AVAILABLE DEVICES. IT ( THE INDUSTRY ) MAY NEVER SET ITS OWN TESTS, HOWEVER PERSUASIVE BE ITS USAGES. COURTS MUST IN THE END SAY WHAT IS REQUIRED; THERE ARE PRECAUTIONS SO IMPERATIVE THAT EVEN THEIR UNIVERSAL REGARD WILL NOT EXCUSE THEIR OMISSION (60F.2D. 737,730) (2ND CIR. 1932, CERT, DENIED 287 US 662 ( 1932 ). No definitive answer or test can establish a standard of due care on grounds of common practice in an industry or on prudence based on use of available devices whether generally adopted or not. In 1955, the Circuit Court of Appeals for the Sixth Circuit held that the failure to use radar by an aircraft in 1948 was excusable because no commercially feasible aircraft radar system was available (Northwest Airlines v. Glenn L. Martin Co. 224, F.2d 120, 129-130). In 1977, the US District court for the Southern District for New York held an airline liable for a robbery for failure to take appropriate precautions, despite the provision of an armed guard in front of the locked unmarked storage area and the argument that the airline had taken the same degree of precautions that other airlines had. (Manufacturers Hanover Trust Co. v. Alitalia Airlines, 429 F.Supp. 964(1977)). Further, professionals may not always rely on generally accepted practices. In US v. Simon (425 F. 2d. 796 [2nd Cir. 1969]) the United States Court of Appeals for the Second Circuit held that, even in a criminal case, generally accepted accounting principles were not necessarily the measure of accountants' liability for allegedly misleading statements in a footnote to the financial statements. The concept of standard of due care will arise w/ in creasing frequency as disputes over computer-related loss end in litigation. Computer security administrators must be aware of standard of due care issues that arise and take acction to conform to the outcome. APPLYING LEGAL CONCEPTS TO COMPUTER SERVICES One area where the courts have had some difficulty in applying legal concepts to computers is in determining exactly how to characterize computer services from a legal point of view. The courts have generally held that basic legal principles requiring a person to exercise reasonable care do not change simply because a computer is involved. The courts have generally stated that those who use computers must do so w/ care, and they have not been sympathetic to defenses asserting good faith mistakes resulting from reliance on faulty computer data. In Ford Motor Credit Co. v. Swarens (447 S.W. 2d. 53 [Ky. 1964]), for example, a finance company wrongfully repossessed the plaintiff's car after he had proven on two occasions that he was current in his payments by showing cancelled checks to agents of the defendant. The finance company defended on the basis that an admitted error w/ respect to the plaintiff's account had ocurred as a result of a computer error. The court rejected this defense stating: FORD EXPLAINS THAT THIS WHOLE INCIDENT OCCURRED B/C OF A MISTAKE BY A COMPUTER. MEN FEED DATA TO A COMPUTER AND MEN INTERPRET THE ANSWER THE COMPUTER SPEWS FORTH. IN THIS COMPUTERIZED AGE, THE LAW MUST REQUIRE THAT MEN IN THE USE OF COPUTERIZED DATA REGARD THOSE W/ WHOM THEY ARE DEALING AS MORE IMPORTANT THAN A PERFORATION ON A CARD. TRUST IN THE INFALLIBILITY OF A COMPUTER IS HARDLY A DEFENSE, WHEN THE OPPORTUNITY TO AVOID THE ERROR IS AS APPARENT AND REPEATED AS WAS HERE PRESENTED. It is clear, therefore, that excessive reliance on computer data w/out proper safeguards to ensure the reliability and accuracy of the information may constitute the failure to exercise due care, and in some cases may even result in the award of punitive damages. PROFESSIONAL STANDARD OF CARE There is clearly a duty to exercise resonable care in using computers. Depending on the legal characterization given to contracts to supply computer equipment and services, a higher standard of care may be required of suppliers of computer services. Such an argument would be based on the teory that programmers and others who provide computer services hold themselves out as professionals w/ special expertise. As such professionals, they arguable should be held to the level of care that would be exercised by a reasonable member of the profession under similar circumstances. In Triangle Underwriters v. Honeywell, Inc (604 F. 2d. 737 [2nd Cir. 1979]) for example, the court found that Honeywell agreed to deliver a completed computer system to Triangle and not to run a continuous data processing service. Triangle tried to argue not only that Honeywell been negligent in failing to design and deliever a workable system, but also that the wrong continued during the period in which Honeywell comployees attempted to repair the malfunctioning system. Triangle argued that Honeywell had engaged in professional malpractice, and that the continuous treatment theory should apply so that the statue of limitations would not commence to run until the professional relationship had ended. The district court noted that the continuous treatment theory had been applied by New York courts to nonmedical professionals such as lawyers, accountants, and architects, but it declined to apply the theory to Honeywell. "In the case at bar ... the necessary continuing professional relationship did not exist. Honeywell was not responsible for the continuous running of a data prcessing system for Triangle." Although the court thus refused to accept the plaintiff's theory of professional malpractice on the facts of that case, the decision leaves open the possiblity that the doctrin might be applied in a future case to person who privide computer services for a client on an ongoing basis. STRICT LIABILITY There is further issue of whether those who provide computer services should be strictly liable in tort for injury to others due to malfunctions of the equipment. The doctrine of strict liability arose out of cases invovling the sale of goods, and it has been said that: PROFESSIONAL SERVICES DO NOT ORDINARILY LEND THEMSELVES TO THE DOCTRINE OF TORT LIABILITY W/OUT FAULT B/C THEY LACK THE ELEMENTS WHICH GAVE RISE TO THE DOCTRINE. THERE IS NO MASS PRODUCTION OF GOODS OR A LARGE BODY OF DISTANT CONSUMERS WHOM IT WOULD BE UNFAIR TO REQUIRE TO TRACE THE ARTICLE THEY USED ALONG THE CHANNELS OF TRADE TO THE ORIGNAL MANUFACTURER AND THERE TO PINPOINT AN ACT OF NEGLIGENCE REMOTE FROM THEIR KNOWLEDGE AND EVEN FROM THEIR ABILITY TO INQUIRE. THUS, PROFESSIONAL SERVICES FORM A MARKED CONTRAST TO CONSUMER PRODUCTS CASES AND EVEN IN THOSE JURISDICTIONS WHICH HAVE ADOPTED A RULE OF STRICT PRODUCTS LIABILITY A MAJORITY OF DECISIONS HAVE DECLINED TO APPLY IT TO PROFESSIONAL SERVICES. THE REASON FOR THE DISTINCTION IS SUCCINCTLY STATED BY TRAYNOR, J., IN GAGNE V. BERTRAN, 43 CAL. 2D 481, 275 P. 2D 15, 20-21 (1954): "[T]HE GENERAL RULE IS APPLICABLE THAT THOSE WHO SELL THEIR SERVICES FOR THE GUIDANCE OF OTHERS IN THEIR ECONOMIC, FINANCIAL, AND PERSONAL AFFAIRS ARE NOT LIABLE IN THE ABSENCE OF NEGLIGENCE OR INTENTIONAL MISCONDUCT. ... THOSE WHO HIRE [EXPERTS] ... ARE NOT JUSTIFIED IN EXPECTING INFALLIBITY, BUT CAN EXPECT ONLY RESONALBE CARE AND COMPETENCE. THEY PURCHASE SERICE, NOT INSURANCE (CT/EAST, INC. V. FINANCIAL SERVICES, INC., 5CLSR 817 [1975]). Under this traditional approach, a finding that an agreement to provide computer equipment constituted either a sale of goods on the one hand or a contract for professional services on the other would appear to decide the issue of whether the doctrine of strict liability would apply. Following this line of reasoning, if an agreement to provide a computer package was construed as an agreement for professional services, then the provider could not be strictly liable in tort for any malfunction. Traditional legal theories, however, cannot always be applied w/out difficulty to novel concepts such as computer agreements. It may be more appropriate, therefore, to adopt the approach used by a federal court in Wisconsin in Johnson v. Sears, Roebuck & Co. (355 F. Supp. 1065 [ED Wis. 1973]). In Johnson, the plaintiff argued that the hospitals that treated her for injuries had done so negligently and that they were strictly liable in tort. The court decided the issue of the applicability of strict liability to the sale of services by analyzing blood transfusion cases that held hospitals strictly liable in tort for providing blood containing impurities to patients. The court rejected the sales/service analysis and stated that the decision to impose strict liability should be made on an ad hoc basis by examining the facts involved in each particular case. The court reasoned that the "... decision should not be based on a technical or artificial distinction between sales and services. Rather, I must determine if the policies which support the imposition of strict liability would be furthered by its imposition in this case." STATUTORY SOURCES OF LIABILITY FOR RELIANCE ON INACCURATE COMPUTER-BASED DATA Regardless of whether suppliers of computer services should be held to a higher standard of care or subject to strict liability in tort clearly the common law duty exists to exercise reasonalbe care to ascertain the accuracy of information furnished by a computer before relying on such data. This duty becomes particularly important when computer data are relied on in making periodic reports required by the federal securities laws. Management has a duty to maintain accurate records and third parties have the duty to verify the accuracy of information supplied by management. MANAGEMENTS RESPONSIBILITIES: Various provisions of the Securities Act of 1933 (the 1933 Act) and the Securities Exchange Acot of 1934 (The 1934 Act) impose liability for making false or misleading statements of a material fact or for failing to state a material fact necessary to make statements made not misleading, in the light of the circumstances under which they were made. These provisions create a duty on the part of reporting companies to file accurate reports and to maintain accurate records. The foreign Corrupt Practices Act of 1977 (FCPA) codified this duty to maintain accurate records. A recent bank embezzlement of 21.3$ million illustrates the importance of complying w/ the FCPA's requirement of establishing a system of internal accounting controls. The management of an entity is responsible for establishing and maintaining adequate internal controls, and it is worth noting that the complaint in a shareholder's derivative suit now being argued before the United States District Court for the Southern District of Texas relies partly on an allegation that management failed to do so. management risks exposure to significant potential liability, therefore, if it fails to institute and enforce internal controls sufficient to comply w/ the FCPA. Internal controls should ensure that data produced by a computer are accurate and reliable. This means that restrictions should be put on access to computer records and on who has the capability to enter information or alter data in the computer. "Audit Trails" should also be used to create documentary evidence of transactions and of who made particular data entry. Finally, electronic record keeping systems are only as trustworth as the people who use them, and it is imperative that a security system be established to help preclude unauthorized person from gaining access to the computer or altering information in the system. ACCOUNTANTS' RESPONSIBILITIES: The 21.3$ million bank embezzlement raises substantial questions about the sufficiency of the auditing procedures of a bank or other company that uses an electronic data processing system for the storage and representation of assets. The role of an accountant performing an independent audit is to furnish anopinion that the accounts of the company being audited are in proper order and that they fairly present the company's financial position. It seems obvious, therefore, that an independent accountant performing an audit of a company that uses an EDP system should examine the reliability of the system and the controls on it before issuing an opinion. Otherwise, the accountant's certification of the company's financial statements would have no reliable basis. The Second Standard of Field Work of the Generally Accepted Auditing Standards approved and adopted by the membership ofthe American Institute of Certified Public Accountants (AICPA) states that "[t]here is to be a proper study and evaluation of the existing internal control as a basis for reliance thereon and for the determination of the resultant extent of the tests to which auditing procedures are to be restricted" (American Institue of Certified Public Accountants, Statement on Auditing Standards No, 1, Sec. 150.02. [1973]). This Standard of Field Work requires an auditor to study and evaluate a corporation's system of interal control to establish a basis for reliance thereon in formulating an opinion on the fairness of the corporation's financial statements, and this basic duty does not vary w/ the use of different methods of data processing as the Standard states: SINCE THE DEFINITION AND RELATED BASIC CONCEPTS OF ACCOUNTING CONTROL ARE EXPRESSED IN TERMS OF OBJECTIVES, THEY ARE INDEPENDENT OF THE METHOD OF DATA PROCESSING USED; CONSEQUENTLY, THEY APPLY EUQLLY TO MANUAL, MECHANICAL, AND ELECTRONIC DATA PROCESSING SYSTEMS. HOWEVER, THE ORGANIZATION AND PROCEDURES REQUIRED TO ACCOMPLISH THOSE OBJECTIVES MAY BE INFLUENCED BY THE METHOD OF DATA PRCOESSING USED. The AICPA has recognized that "[t]he increasing use of computers for processing accounting and other business information has introduced additional problems in reviewing and evaluating internal control for audit purposes," and it has issued a Statement on the Effects of EDP on the Auditor's Study and Evaluation of Internal Control. This Statement provides that: WHEN EDP IS USED IN SIGNIFICANT ACCOUNTING APPLICATIONS, THE AUDITOR SHOULD CONSIDER THE EDP ACTIVITY IN HIS STUDY AND EVALUATION OF ACCOUNTING CONTROL. THIS IS TRUE WHETHER THE USE OF EDP IN ACCOUNTING APPLICATIONS IS LIMITED OR EXTENSIVE AND WHETHER THE EDP FACILITIES ARE OPERATED UNDER THE DIRECTION OF THE AUDITOR'S CLIENT OR A THIRD PARTY. When Auditing a coporation w/ an EDP system, therefore, an auditor should thoroughly examine the system to evaludate its control feautres. To conduct his examination properly, however, the auditor must have sufficient expertise to enable him to understand entirely the particular EDP system invloved. CONCLUSIONS ON APPLYING LEGAL CONCEPTS Everyone who uses or supplies computer services has a common law duty to exercise resonable care to ensure that information supplied by the computer is accurate and reliable. The federal securities laws impose additional duties on management to keep accurate records and to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance w/ management's authorization and are accurately recorded. Finally, accountants who audit companies w/ EDP systems have a duty to review the company's system of internal controls and to disclose any material deficiencies to management and possibly to the public through notes to its certification of financial statements. These various duties illustrate the necessity of taking steps to ensure the reliability of computer systems. A well-designed system of internal control is crucial to safeguard against the improper use of the computer. Internal control begins w/ the computer equipment itself. When converting to an EDP record keeping system, management should get outside advice on the type of system required and on the controls that should be built into the system. Management should fully understand what the computer programs in the system are designed to do and that the computer can do only what it is told and nothing more. This can be an important method of preventing fraud, and management should demand that internal controls be put into the system, b/c otherwise the programmer may not do so. Once controls are built into the computer system itself, internal controls hsould be established and maintained to prevent unauthorized access to the system. The internal controls should cover all phases of EDP and include input, processing, and output controls. An overall plan of organization and operation should be devised containing controls over access to EDP equipment, as well as provisions for effective supervision and rotation of personnel, and the plan should be strictly enforced. Rinally, an internal auditing process should be established to provide independent document counts or totals of significant data fields. The independent accountant plays a major role in preventing unauthorized persons from gaining access to the computer system. Through his review of a company's internal controls, an accountant can detect possible weaknesses and recommend useful changes. It is very important, therefore, that outside auditors closely scrutinize a company's internal control system. A rigorous independent audit makes up the final stage of an overall plan to help prevent the production of inaccurate computer based data. PROTECTING PROPRIETARY INTERESTS IN COMPUTER PROGRAMS Discussions w/ legal counsel at several of the field sites revealed considerable concern about proprietary interests in computer programs. Little communication exists between lawyers and data processing managers, and areas of their mutal concers are not often addressed. Communication is even more important today as programs and data files are increasingly viewed by management as valuable, intangible assets of their organizations. In addition, government and business organizations are increasingly acquiring commercially available computer programs where proprietary interests of providers and users must be protected. Selection of generally used controls will be strongly influenced by the need to preserve proprietary rights to computer programs. PROBLEMS ADDRESSED Protecting proprietary interests in computer programs in a multifaceted task that requires knowledge of the law, computer programs, and security. Few data processing managers have this expertise in-house, but all owners and custodians of computer programs can and should add to their skills and knowledge from other sources of expertise. Those invloved w/ computer programs--owners, users, custodians, employees, and competitors--have two conflicting goals; sometimes the same party pursues both goals simultaneously for different products. One goal is to protect the computer program, either to ensure a competitive advantage by preventing others from using the computer program or to charge for its use or disclosure. The other goal is to ignore protection so that the computer programs can be used and transferred at will and w/out cost. The particular goal sought by an organization depends on its values, purposes, and policies; however, the data processing manager should understand the boundaries of fair and legal business practice that apply to users, custodians, and owners of computer programs, as well as to competitors. THE NATURE OF COMPUTER PROGRAMS Before the types of comptuer programs involved are identified, it is helpful to know why the laws differentiate computer programs from other parts of computer systems. A computer program is a form of intellectual property (a valuable, intangible asset consisting of ideas, process, and methods) that is relatively new and eludes analogy to previously existing products. Debate continues as to whether computer programs are products, technical processes, or professional services. Computer programs are thus unique as a subject of treatment under existing law, and applying the law requires adapting current legal concepts of particular forms of computer programs. Computer programs are developed to run in specific types of computers (such as operating systems) or are machine independent (such as many application programs). They may be in human-readable form or machine-readable form. Some computer programs are translated into different programming languages or converted to run on different computers. FORMS OF LEGAL PROTECTION The five forms of legal protection that can apply to computer programs are patent, copyright, trade secret, trademark and contract. PATENTS:_Patent protection is a federal statutory right giving the inventor or his assignee exlusive rights to make, use, or sell a product or process for 17 years. An invention must meet several criteria to receive patent protection. First, it must involve statutory subject matter (I.E., physical methods, apparatus, compositions of matter, devices, and improvements). It cannot consist merely of an idea or a formual. Furthermore, the invention must be new, useful, not obvious, and must be described according to patent regulations in a properly filed and prosecuted patent application. The status of patent protection for computer programs until 1981 was ambiguous. In three dicisons the US Supreme Court held that parrticular computer programs were unaptentable b/c of failure to meet one or more of the tests described previously. The Court declined to patent what it felt was merely a formula, it had held a process non-patentable for obviousness, and it had refused a patent when the only novelty involved was the form of carrying out a nonpatentable step. In 1981, however, the Supreme Court handed down two decisions that may have some effect on future patentability claims. These cases invlved computer programs that are part of inventions otehrwise eligible for patent. In one case, the Court decided that a process control computer program for curing synthetic rubber should not be denied a patent simply b/c it uses an algorithm (an ordered set of insturctions) and a computer. The US Patent Office must still determine whether the entire process is novel enough to warrant issuing a patent. In a companion case, the Court let stand a lower court ruling that a module of the Honeywell Series 60 Level 64 computer system should be considered for patent. The module, which includes electronic circuits and a computer program fixed in the circuits, is a storage and retrieval device using internal storage registers. Again, the device must meed the novelty requirement before a patent is issued. Note that these decisions invlove computer progams that are part of a patentable device or process; these decisions do not reverse past rulings that computer programs are not patentable. Even if there were a major change in computer programs patent policy, few owners would seek patent status for their computer programs. The patent process is lengthy and expensive and requires full disclosure of the idea. Furthermore, a patent has only a 50% chance of surviving a challenge to its validity in the courts. For those few programs that really do represent technological breakthroughs, however, a patent would provide the exclusive right to use or sell the program for 17 years (patents are nonrenewable). COPYRIGHTS:_Copyright is the federal statutory protection for an author's writings. Written works created since 01JAN78 are protected by the new copyright law, which provides exclusive rights to the author or his assignee for the copyright, publication, broadcast, translation, adaptation, display, and performance of the idea contained in the work from the time it is embodied in tangible form. This protection is lost in the writing is published w/out copyright notice, which consists of the word copyright (or copyright symbol), the date, and the author's name. This notice must be affixed so that it attracts the attention of third parties(I.E., On the first or inside front page of a book or pamphlet). In late 1980 a federal copyright bill was enacted explicitly to cover computer programs and data bases. Copyright is inexpensive and can be obtained quickly. One required and one optinal copy along w/ minor filing fees must be submitted to the Copyright Office. The second copy can be the first and last 25 pages of the program. Although optional, the second coy is a prerequisite for bringing an infringement suit and for some remedies such as statutory damages and the award of attorney fees. The coyright remains in effect for 50 years beyond the death of the author and is nonrenewable. B/c copyright protects only against copying and requires disclosure of the idea, its usefulness is limited for some programs. However, it can be adequate protection for inexpensive package programs sold in the multiple copy market. The function of such programs is not unique; the value to the owner lies in selling thousands of copies. TRADE SECRETS:_A trade secret is a right protected by state rather than federal law. It is defined in many states as a secret formula, pattern, scheme, or device used in the operation of a business that gives the organization a competitive advantage over those who do not know it. computer programs have qualified as trade secrets in a number of court cases. The requirement for trade secret status is that the item must remain secret. Absolute secrecy is not required; for example, if the secret is disclosed only to people bound (by virtue of their relationship or by contract) to keep it confidential, trade secret status is maintained regardless of how many people know it. Confidential realationships include employees, agents in a fiduciary or trust relationship, and thieves. To prevent thieves from profiting from ill-gotten knowledge, the laws hold that they are in a constructive trust relationship. A contract is used to bind licensees and joint venture partners or investors. In some states these people are bound even w/out a contract. Once the secret is disclosed w/out a requirement of confidentiality, or is disclosed to someone who does not know its secret character, the trade secret status is lost forever. (Trade secrets are often disclosed carelessly to user groups and at technical meetings.) If the secret is not disclosed, however, the protection can last forever. Employees who learn the secret in the course of their duties are bound not to misappropriate it b/c of their trust relationship. Many employees do not realize the comprehensive nature of that trust should be educated by their employers before they injure both the employer and themselves by using computer programs developed for an employer for their own purposes. TRADEMARKS:_Trademark protection provides the exclusive right to use a symbol to identify goods and services. Trademark rights take effect upon use in commerce. Registration w/ the US Patent Office or a state agency is not necessary to obtain trademark status, but it helps greatly in exercising trademark rights. Trademark protection exists at both the federal and state levels. The protected symbol can be both a trade name and a logo (E.G. XYZ). The protection afforded by the trademark is limited to the name or logo. The program content itself is not protected. B/c the major benefit of trademark protection is to prevent another product from being given the same name, this protection is useful only for programs that will be marketed. CONTRACTS:_Copies of computer programs are ordinarily transferred to others in the course of doing business (sometimes in source language form); therefore, transfer is frequently accompanied by an agreement to keep the computer program confidential. Patented and copyrighted computer programs can be transferred using contracts that have more restrictive provisions that the patent or copyright laws requires. The owner can, for example, contract w/ another not to disclose copyrighted computer progras. In addition, damages for disclosure or unauthorized copying, complex formulas for royalty payment for legitimate use, and the ownership of enhancements and changes to the computer program can also be delineated in a contract. SELECTING THE RIGHT PROTECTION The type of protection that is best for a particular computer program depends on several factors: (1) The longer the lifespan of the program, the more likely that the expensive investment of patent protection will be worthwhile. (2) The higher the value of the program, the more money that can reasonably be spent of protection (3) Algorithms that must be disclosed widely are (if otherwise worth the investment) best protected by patent, which precludes use as well as duplication. Copyright protects only against copying, and trade secret protection is irrevocably lost if the algorithm is inadvertently disclosed outside a confidential relationship. (4) The most expensive protection is patent; the least expensive is copyright. (5) Patents take the longest time to obtain; the other forms offer almost immediate protection. (6) A patent protects against recreation; trade secret protection is lost if the program can be recreated. These factors are summarized in TABLE 1. UNRESOLVED LEGAL ISSUES Two unresolved but imprtant legal issues affect the analysis summarized in TABLE 1. The first is the patentability of computer programs discussed previously. The data processing manager and corporate counsel should keep track of the continuing legal debate in this area. The second unresolved issue is the legal relationship between copyright and trade secret protection when both are used for the same product. Trade secret protection has been held by the US Supreme Court to be compatible w/ patent protection, but the Court has yet to decide whether a trade secret can be copyrighted to protect the secret in case it is disclosed. TABLE 1. DECISION TABLE FOR TYPES OF LEGAL PROTECTION |---------------------------------------------------------------| |DECISION FACTOR | HIGH | MEDIUM | LOW | |---------------------------------------------------------------| |ESTIMATED LIFESPAN OF THE PROGRAM| C OR TS | P | C OR TS| |VALUE OF THE PROGRAM TO THE OWNER| P, C, TS | P, C, TS| C, TS | |NEED TO DISCLOSE THE PROGRAM | | | | |TO OTHERS | P, C | TS, C | TS | |OWNER'S EXPENSE BUDGET | P, TS, C| TS, C | C | |TIME SENSITIVITY | TS, C | P, TS, C| P, TS | |SUSCEPTIBILITY TO REVERSE | | | | |ENGINEERING | P | P, TS | TS, C | |---------------------------------------------------------------| NOTES C=COPYRIGHT, P=PATENT, TS=TRADE SECRET The policies underlying the two forms of protection conflict: federal copyright protection contemplates disclosure, while state trade secret protection requires nondisclosure w/out an obligation for further disclosure. According to some legal scholars, a court could rule that a copyrighted program is not eligible for trade secret protection. Other legal scholars argue that since the disclosure requirement for federal patent protection has not preempted trade secret protection, the Supreme Court should also uphold the right of computer program owners to receive both trade secret and copyright protection. SUGGESTED CONTROLS B/c of these critical and unresolved legal issues, developers should carefully evaluate the types of protection and rmain alert to changes in the laws. At present,often the best alternative is to copyright computer programs and then license or disclose the computer program using agreements that restrict use, transfer, and disclosure. This approach should not conflict w/ existing copyright law theory, and it achieves the same secrecy afforded by trade secret protection. Embodying the program in electronic circuitry is another alternative that should be considered. It cannot be altered by the user and inhibits copying and user enhancements. In addition, the recent Supreme Court decision suggests that programs in such form can receive patent protection if they are parts of patentable devices. W/out patent protection, they are susceptible to recreation and thus to loss of trade secret status. to provide notice of the proprietary rights of computer-related materials, the owner should put a human-readable notice on all materials a user will see. The notice can be placed on a computer terminal that displays the program, on listings, on manuals, on containers of machine-readable material, and in the program itself. A suggested form of notice is: THIS IS AN UNPUBLISHED WORK PROTECTED UNDER THE COPYRIGHT LAW OF 1976. IT IS OWNED BY XYZ COMPANY, ALL RIGHTS RESERVED. ANY UNAUTHORIZED DISCLOSURE, DUPLICATION, OR USE IS A VIOLATION OF CIVIL AND CRIMINAL LAW. If licensed, a reference to the license can be included in the notice. IF THE WORK IS PUBLISHED, IT SHOULD HAVE THE FORMAL COPYRIGHT NOTICE ATTACHED IN LIEU OF THE ABOVE STATEMENT. THE INTENTIONAL OMISSION OF THE COPYRIGHT WILL CAUSE THE OWNER TO LOSE HIS COPYRIGHT; AN UNINTENTIONAL OMISSION CAN BE REMEDIED. EMPLOYER-EMPLOYEE RELATIONSHIPS Many problems covering computer programs protection arise from the employer-employee relationship, where two philosophies often conflict. One philosophy is that the products of the employee belong to the employer; the other is that employees should be free to change jobs during their careers and to use the expertise gained in one job in new work situations. Although some employers might argue that all work done during employment belongs to them, and some employees might claim that their creations are theirs exclusively, the laws do not generally support either claim. State laws vary on this question; however, the prevailing view is that programs written or developed as a specific task assigned by the employer belong exclusively to the employer, and that programs written or developed solely by the employee, using the employee's own time/resources, belong exclusively to the employee. Most controversy over computer program ownership falls in the gray area between these two positions. The following discussion centers on trade secret law since patent and copyright protection are less helpful. Patent protection for computer programs is ambiguous and hence rarely used, and most companies have a well-established patent assignment policy. On the other hand, the new copyright law is explicit regarding work for hire: IN THE CASE OF A WORK MADE FOR HIRE, THE EMPLOYER OR OTHER PERSON FOR WHOM THE WORK WAS PREPARED IS CONSIDERED THE AUTHOR FOR PURPOSES OF THIS TITLE, AND, UNLESS THE PARTIES HAVE EXPRESSLY AGREED OTHERWISE IN A WRITTEN INSTRUMENT SIGNED BY THEM, OWNS ALL OF THE RIGHTS COMPRISED IN THE COPYRIGHT. Conflicts of trade secret ownership between employers and employees for other than assigned work are usually resolved based on the resources used. Employees who develop new computer programs on their own time, at home, on a personally owned terminal, but using employer computer time may be found to own the programs; however, the employer may be given a royalty-free license to use the programs in its business. A more complex question concerns employees working at home on flextime or w/ an employer-owned terminal or microcomputer. In such cases, proof of whose resources are used in development is more difficult to establish. legal battles over program ownership are very costly to both sides and consume enormous amounts of time/energy. Often a court formulates a compromise so that neither side actually wins. To avoid going to court over program ownership, employers should have an explicit policy regarding employee-developed programs. This policy can be part of an organization-wide trade secret protection plan developed by management and legal counsel. A basic control requires that each employee involved in developing computer programs should be required to sign an agreement concerning ownership of computer programs at the time of hire. A formal emplyment or secrecy agreement or an informal letter to the employer can be used. Since both types of agreement are legally effective, management style should determine which approach is used. The informal letter is friendlier, but the awesome contract form may make a more lasting impression on the employee. If a simple letter is used, the following format is recommended for the key paragraph: ALL COMPUTER PROGRAMS WRITTEN BY ME, EITHER ALONE OR W/ OTHERS, DURING THE PERIOD OF MY EMPLOYMENT, COMMENCING ON _______________, 19__, AND UP TO AND INCLUDING A PERIOD OF ____________ AFTER TERMINATION, WHETHER OR NOT CONCEIVED OR MADE DURING MY REGULAR WORKING HOURS, ARE THE SOLE PROPERTY OF THE COMPANY. This important control prevents misunderstanding and protects the employer against legal action. Employees may use skills developed during previous jobs; however, they may not use trade secrets disclosed to or produced by them during those jobs. This is enjoinable behavior and may result in the award of damages to the former emplyer. Departing employees should take nothing tangible from the old job -- listings, notebooks, tapes, documents, or copies of any kind, including lists of specific customers. Prospective employers should carefully avoid crossing the fine line between hiring someone to provide expertise in a particular area and hiring someone to provide knowledge of a competitor's proprietary products or business plan. Spcial care is required when more than one employee is hired from the same company. Another essential control requires that departing employees should be reminded during the exit interview that no materials or proprietary concepts received during employment can be used at the new job. They should be asked to read and sign a statement that acknowledges their understanding of this point. The statement should also affirm that no materials have been removed from the employer's premises and that all those previoulsy in the employee's possession have been returned. Employers should obtain the employee's new address in case later contract is necessary. During the exit interview, employees should have the opportunity to clarify gray areas -- programs they wrote on their own time using company terminals and company computer time, innovations they developed that the company never used, and so on. Permitting a departing employee to use an invention that will not cause loss of competitive advantage can ensure a friendly and loyal colleague in the marketplace. In any case, legal counsel should be involved in these sessions, b/c an attorne experienced in trade secret law can interpret the naunces of the interview more effectively and can emphasize the consequences of unfair competitive conduct. GUIDELINES FOR COMPUTER PROGRAM USERS Users who obtain computer programs outside of contractual or other confidential relationships that preclude competitive action can legally recreate the programs and use them freely even if they know they are trade secrets. In addition, users who obtain computer programs from third parties w/out any knowledge that they are proprietary are free to use them. In such cases the third party may be liable to the owner for misappropriation. Computer program users should note, however, that intentional wrongful use in this situation may lead to criminal and civil liability for infringement or misappropriation. Patented inventions can only be used w/ the owner's permission. The alleged infringer, however, can challenge the validity of the patent in court and, if successful, can defeat the patentee's exclusive right to use the invention. Another problem concerns the owernship of a user-made change or enhancement that significantly alters the constitution of the computer program. Neither copyright nor trade secret law is explicit n this point. Many vendor-user agreements require the user to return all copies of the computer program at the end of the term; however, few vendores forbid user changes and enhancements or ask for royalties from new works embodying or based on their computer programs. Some agreements contain provisions that any and all changes belong to the vendor. Thus, the computer program user should pay special attention to contract provisions regarding changes and enhancements. In the absence of a specific agreement, the user takes some risk but has a fair chance of surviving a challenge that user-made changes infringe on the vendor's rights. RECOMMENDED COURSE OF ACTION The data processing manager should understand the legal alternatives for protecting computer programs and adopt prudent controls used by others under similar circumstances. If the organization uses computer programs developed and owned by outside parties, this understanding and use of controls can prevent legal problems and can ensure that the terms of the agreement for using the computer programs are proper. for organizations that develop computer programs in-house, a corporate policy based on a thorough knowledge of the laws is a basic control that can prevent misunderstandings between management and development personnel. Such a policy can also ensure that the company does not lose a competitive advantage b/c of unathorized disclosure or copying of programs. B/c the laws in this are are subject to change, the data processing manager should stay in close touch w/ the organization's legal counsel to keep pace w/ the latest developments. Meeting standards of due care and protecting proprietary interests in computer programs are examples of common sources of motivation and need to adopt generally used controls. Consideration of these common sources of motivation and need, as well as the generally used controls (many found in the study of the field sites), leads to a new computer security concept presented in the next section. END OF PART III NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA Current List Of BBS's that carry ALL of Network Information Access Files: BBS NAME PHONE NUMBER SYSOP(S) SOFTWARE --- ---- ----- ------ -------- -------- Metamorphis Alpha 713/475-9055 Starchilde/Moonchilde TAG Pier 7 713/477-2681 Slice/Mouser Quick The End Over! 713/821-4174 Chester TAG The Enigma 713/852-7121 Odysseus/Volker/Brutus Telegard Talk Radio 713/941-0917 Sir Lawrence/Lord MacDuff TAG All Boards are 24 Hours unless otherwise noted...