Reprinted with permission from the January 2004 issue of the Intellectual Property & Technology Law Journal.
Intellectual Property & Technology Law Journal • Volume 16 • Number 1 • January 2004

Beyond the NDA: Digital Rights Management Isn’t Just for

By Adam Petravicius and Joseph T. Miotke

Adam Petravicius is a partner in the Intellectual Property and Technology Practice of Jenner & Block LLP. His practice focuses on transactions involving intellectual property or technology, including licenses, strategic alliances and joint ventures, and outsourcing agreements. Joseph T. Miotke is an associate in the firm, focusing primarily on , trademark, , and matters.

Theft of proprietary information causes companies to lose billions of dollars each year.1 Yet to compete effectively, companies often must their most valuable secrets with third parties, even their fiercest competitors. Companies routinely enter into non-disclosure agreements (NDAs) when sharing their proprietary information but then forget about them shortly after they are signed, assuming that their information is fully protected by the NDA. However, there are a number of steps that companies should consider taking to protect their proprietary information after signing an NDA. These steps range from simple steps, such as marking information appropriately, to sophisticated technological solutions, such as using digital rights management (DRM).

Although a well-drafted NDA provides significant legal protection to a company’s proprietary information, the best protection is often non-legal security measures.2 Theft or misuse of information is often difficult to detect and even more difficult to prove. Legal remedies may be expensive and time-consuming to obtain and may not fully compensate a company for the harm that it suffers. On the other hand, a company may be able to implement security measures that minimize the risk of theft or misuse in the first place. The cost of these security measures is relatively low when compared to the staggering losses that could result from theft or misuse.

Selective Disclosure

The most effective method of preventing a third party from stealing or misusing proprietary information is not sharing the information with it. Although collaborating with a third party sharing some of a company’s proprietary information, companies often disclose more information than they should. Once an NDA is signed, companies frequently engage in a free flow of information. Although the flow of information may be naturally limited to information relating to a particular project, little regard is given to whether the information is actually needed for the project.

Before sharing its proprietary information, a company should carefully consider the scope of information that needs to be shared. This should be done both at the beginning of each relationship and periodically throughout the relationship. When doing so, a company should not just identify general categories of information to be shared but should identify the specific information in each category. For example, if a company decides to share its customer information, it may not be necessary to disclose customer names; names could be withheld or replaced with random, unique identifiers.

One factor that should be considered when determining which information to share is the scope of protection provided by the relevant NDA. For example, if an NDA requires information to be protected for only a limited time, a company should consider whether information to be disclosed will have value beyond that time. When reviewing the scope of protection, a company should not just look at the duration of protection but also should look at terms regarding the handling of information. In some cases, a company may decide not to disclose certain information until the NDA is updated to protect the information adequately.

A company may be able to make the process of selective disclosure more efficient by routinely categorizing its proprietary information in advance of disclosure. The categories to be used should be selected to guide decisions regarding disclosure. One or more categories may be used for information that should never be disclosed outside of the company. Other categories may be used for information that should not be disclosed unless certain conditions are met, such as written approval by specified individuals. Finally, categories may be used to identify information that can be freely disclosed as long as there is an appropriate NDA in place.

Limiting the scope of information to be disclosed sometimes means that information cannot be disclosed in the form that it is usually kept. Instead, a company will need to prepare the information in a different form (e.g., by redacting unnecessary information). This is a big reason why companies often disclose more than they should; they simply disclose information in whatever form it exists at the time of disclosure. The costs of preparing information for disclosure will need to be considered when determining what information will be shared. However, these costs are usually relatively small, especially for electronic information.

Proper Marking

Although it should go without saying, many companies fail to mark their proprietary information appropriately.3 Yet companies may significantly reduce their risk of loss by taking the simple step of appropriately marking their proprietary information as confidential. Marking information will likely prevent it from being inadvertently stolen or misused (e.g., because the individual or company doing so did not realize the information was confidential). Perhaps more importantly, it deters intentional theft or misuse by making it difficult for an individual or company to claim ignorance about the confidential nature of the information after being caught. For individuals acting on their own,4 intentional behavior may also be deterred by the real, or even perceived, increase in the likelihood of being caught because the markings may call attention to behavior that would otherwise go unnoticed. Finally, the terms of many NDAs require information to be marked in a certain way in order to be protected by the confidentiality provisions in the NDA.

When marking its proprietary information, a company should do so in a manner that clearly and conspicuously identifies it as confidential. At a minimum, this should include a prominent placement of the word “confidential” or similar words on every page of information. A company should also consider adding its name or a project or code name next to the word “confidential.” Doing so eliminates confusion about the source of the information and the corresponding restrictions that go with it. For example, an employee who finds a document simply marked “confidential” may assume it belongs to the employee’s own company (and not to the competitor with which the employee’s company is collaborating). Although the employee will likely treat the information in accordance with the company’s policies, this treatment may go far beyond what was permitted by the NDA between the company and the competitor and may never be detected by either the company or the competitor. The competitor could have avoided this situation by simply adding its name to the confidentiality legend.

A company should consider additional ways to identify its information as confidential and distinguish it from any other company’s confidential information. This may include using watermarks, colored ink or colored paper, or special bindings or containers. The more sensitive the information, the more a company should do along these lines. When considering additional ways to mark its information, a company should pay particular attention to one of the purposes discussed above, calling attention to improper behavior. For example, consider a confidential document that is required to be kept in a certain room. If the document is only marked by use of the word “confidential” in its header, then removing the document may be as simple as covering it with another piece of paper. Removing the document would be much more difficult if it is printed on red paper and bound in a red notebook with the word “confidential” appearing on the covers and sides of the binder and on the sides of the of the document itself.

In addition to marking information as confidential, a company may wish to include markings that specify restrictions applicable to the information. In the red notebook example above, the document would be much better protected if it contained equally conspicuous markings indicating that the document was not to be removed from the specific room. If information is subject to numerous restrictions, it may be easier to include a reference to the applicable NDA or other document that identifies the relevant restrictions. However, referring to another document only works if the other document is actually read. As a result, it may be preferable to include all of the essential restrictions on the document itself, even if doing so requires attaching a separate instruction sheet (e.g., as a cover sheet).

A company should take care not to mark information indiscriminately. It should avoid marking as confidential information that is in fact not confidential or of little value to it. By indiscriminately marking this type of information as confidential, a company may undermine the effectiveness of marking its truly confidential information and, as a result, lose the benefits of marking described above. For example, it may be difficult for a company to rely on a marking to prove that someone knew its information was confidential when the company has frequently put the same marking on publicly available information.5 Perhaps more importantly, the individuals handling proprietary information (whether a company’s own employees or the employees of a third party to which information is disclosed) may stop treating information as confidential simply because it is marked as “confidential.”

Another form of marking that may be used for more sensitive information is to apply unique or other identifiers to each copy of information that is disclosed (e.g., a unique number on each copy of a document). The individual recipients of each document should then be tracked using the document number or identifier. When done overtly, this may deter improper behavior by individual recipients because they realize that it may be easier to trace their improper behavior back to them. When done covertly, this may help a company discover, and therefore correct, the source of any improper behavior after it has occurred. Covert markings include, for example, changing the wording of a document without changing its meaning so that each copy is worded slightly differently or adding dummy data or information (e.g., fake customer names or unused software code) to a document in a way that does not undermine the usefulness of the information.

Access and Copy Controls

Although an NDA may contain provisions that restrict access or copying, a company should also consider security measures that do the same. The most effective way to control access and copying is to retain control over the information. Sharing information does not necessarily require sharing control. For example, a company could keep its information at its own premises and require third parties to review the information there. The company could even provide workspace as needed. If it is impractical to keep the information at its own facilities, a company can still retain control of information that is given to a third party. For example, the company could require the third party to provide space for the information and allow the company to control access to that space. Alternatively, the company could install its own security devices at the third party’s facilities. For example, if a company is sharing its proprietary software, instead of providing an installation disk and allowing the third party to install it, the company could deliver a computer with the software pre-installed. Not providing the installation disk may make it difficult for the software to be copied. The company can take further steps to prevent copying by removing all external drives, modems and network access cards from the computer and locking the case so that the hard drive cannot be removed and no drives can be added. The company could take steps to limit access by installing access controls on the computer such as password systems or hardware key devices. In any case, the company will likely need ongoing access to the third party’s facilities to make its control over its information effective.

If it is impractical for a company to retain actual control over its information, it should consider exercising control over how its information is handled. The language in most NDAs regarding the handling of information is very general. They usually contain a provision requiring information to be handled with a “reasonable degree of care” or in the same manner that the other party uses to handle its own information but often do not provide any further detail. In these cases, a company should consider providing additional instructions regarding how its information should be handled. In other words, a company should consider specifying what it believes is a “reasonable degree of care.”6 These instructions may include, for example, keeping the information in a locked room or locked file cabinet.

Documentation

A company should keep a of all of its proprietary information that it discloses to a third party. This record may be necessary to prevent the third party from misusing that information. For example, if a company is unable to demonstrate that it provided certain information to a third party, it may not be able to prevent the third party from using that information.

The manner in which information is documented will depend on the type of information. Information in hardcopy or electronic form can be documented by keeping separate copies of all of the information that is shared. Alternatively, this information can be documented in a log that identifies by or other unique identifier each item that was shared. Information that is disclosed orally or by observation (e.g., a plant visit) must later be described in writing. In fact, many NDAs require the information to be described in writing before it will be protected by the NDA. In all cases, the documentation should identify the date on which the information was disclosed and, if possible, to whom. In some circumstances, it may also be desirable to obtain written acknowledgement of receipt of the information.

Return and Destruction Procedures

A well-drafted NDA will include a provision to address how information should be handled at the end of a relationship. In most cases, the NDA will simply state that the information must be returned or destroyed. If an NDA allows information to be destroyed instead of returned, a company should consider specifying how the information should be destroyed. Some methods of destruction are more secure than other methods. For example, a third party may decide to destroy information by shredding it. However, confetti or cross-cut shredding is much more secure than simple strip shredding.7 Shredding itself may be an insecure method of destruction. There are now commercially available services that use software to piece together shredded documents.8

When information is transmitted or stored electronically, a company will need to give special consideration to how that information will be returned or destroyed at the end of a relationship. This information will likely be automatically copied numerous times by the computer systems through which it is transmitted or on which it is stored. For example, servers may automatically retain copies of and computer networks are frequently backed up, creating multiple copies of any information stored on the network. Deleting files from a computer often does not physically remove the information from the computer, making it possible to retrieve the information at a later time.

To avoid these problems, a company may decide not to transmit information via email and not to permit information to be stored on a network or otherwise backed up. For example, if information is stored on a single hard drive and never copied, then returning the information can be as simple as returning the entire hard drive. Destroying the information can be as simple as using a special software program that physically removes information from a hard drive, making it nearly impossible to retrieve.

Another potential solution is to encrypt the information whenever it is transmitted or stored. Destroying the information can then be accomplished by destroying the encryption keys (which are needed to decrypt the information) without having to destroy every copy of the information itself (which is encrypted). Even though the information may still physically reside on a computer system, it cannot be accessed without the encryption keys and is, therefore, effectively destroyed. However, care must be taken to ensure that all copies of the keys are destroyed, which may present a similar set of challenges. There is also the risk that it becomes possible in the future to decrypt the information without the encryption keys. For example, a flaw may be discovered in the encryption method that was used or computer processing power may increase to the point that cracking the code becomes a trivial exercise.

Employee Training

Training its employees is a key step for a company to take to protect its proprietary information. A company may adopt policies to protect its information (such as those suggested in this article), but the policies are useless if its employees are not familiar with them or do not know how or when to apply them. A company must educate its employees on what the company considers to be proprietary information. If an employee does not know that certain information is considered proprietary, the employee will likely not follow any of the company’s procedures regarding proprietary information when dealing with that information. A company must also educate employees on how to handle proprietary information. Whatever policies a company adopts, it should be sure that its employees understand how and when to implement them.

When sharing information with a third party, a company should also consider requiring the third party to train its employees how to handle the company’s information. The company’s information may be subject to security procedures that are different from the third party’s procedures and, therefore, are unknown or unfamiliar to the third party’s employees. A company may also wish to train its own employees on the treatment of a third party’s information. The more a company can demonstrate that it is taking steps to protect a third party’s information, the more steps the third party may take to protect the company’s information.

Technology Solutions

The suggestions identified above can be implemented without any special technology. However, there are a number of technological solutions that may make implementing those solutions easier or more effective.

Protecting information in electronic form can be very challenging. The information can be copied or widely distributed at the click of a button, often inadvertently. Yet sharing information electronically is often the most practical or convenient way of sharing it, especially software, databases or large volumes of information.

Encryption can be used to protect electronic information while it is transmitted or stored. However, encrypted information must eventually be decrypted to be shared. Once the information is decrypted, it is subject to all of the risks described above. This is not meant to suggest that encryption is not valuable; it can be very effective in preventing an unauthorized third party from gaining access to the information (e.g., by intercepting an email communication). Nonetheless, encryption does not prevent the intended recipient9 (or an employee of the intended recipient) from copying or distributing the information.

To fully protect electronic information, a company should consider using digital rights management (DRM) software. DRM software is commonly thought of as applying only to digital media such as music or movies. However, a number of companies are developing DRM software specifically for the purpose of protecting electronic information.

DRM software protects information by creating access and copy controls that travel with the information, even if it is transmitted via email. These controls determine whether the information can be viewed, copied, printed, or re-transmitted and by whom. They also can limit the number of times or length of time that information can be accessed. Some DRM software even allows the controls to be changed after the information is already distributed (e.g., to revoke access). DRM software also can keep detailed audit trails of how information was accessed or copied.

Although the application of DRM software to electronic information is relatively new, a number of vendors are pursuing its development. There are several smaller vendors that focus on DRM software and that have developed commercial software packages, such as Authentica (www.authentica.com), Liquid Machines (www.liquidmachines.com), and Sealed Media (www.sealedmedia.com). The demand for this type of software also has attracted the attention of large vendors. Both IBM and are reported to be developing this software for use by companies. Microsoft has reported that DRM software will be built into its Office 2003 applications, and IBM is integrating DRM software into some of its enterprise software.

Other solutions that are similar to DRM software are also available. Several common software applications provide limited access and copy controls, such as . Although the DRM functionality contained in these applications may not be as robust as in the software described above, they may be sufficient for sharing certain information. There are also vendors that provide secure collaboration servers that allow companies to share their information online in a secure fashion, such as CYA Technologies (www.cya.com). These solutions allow information to be viewed online but prevent it from being downloaded, printed, or otherwise copied.

For information that is shared in hardcopy form, information can be printed in a way that makes it difficult to make copies using a photocopy machine. For example, information can be printed in a red font on brown paper in such a way that a photocopy machine will not be able to make a legible copy. However, this method may not prevent a high-quality scanner (or a photocopy machine with similar capabilities) from making copies. To prevent this type of copying, a company should consider using paper with a special coating that prevents copying or scanning.

Conclusion

A well-drafted NDA is an essential first step to protecting a company’s proprietary information, and the suggestions in this article are no substitute. However, companies should view an NDA as the first, and not the final, step in protecting their information. Companies must be vigilant in identifying and implementing additional steps for keeping their information confidential and for preventing others from misusing it.

Notes

1. See PricewaterhouseCoopers, US Chamber of Commerce, and ASIS Foundation, “Trends in Proprietary Loss,” Survey Report (Sept. 2002).
2. This article is not intended to undermine or question the importance of a well-drafted NDA, which the authors believe to be essential when sharing proprietary information. Although a discussion of the terms of a well-drafted NDA is beyond the scope of this article, it should be noted that implementing some of the suggestions in this article may require the terms of the relevant NDA to account for such implementation.
3. See “Trends in Proprietary Information Loss,” supra n. 1.
4. For example, a company receiving confidential information may intend to comply with the terms of the relevant NDA. However, one of its employees may intentionally violate the terms of the NDA.
5. Ironically, there is often no benefit to marking such information as confidential because such information is typically excluded from the confidentiality provisions of an NDA.
6. In many cases, it may be preferable to include this type of detail in the NDA. However, it may be impractical to do so, especially if the relationship will be long-term or if it is difficult to anticipate the exact scope of information to be disclosed.
7. Strip shredding simply cuts documents into long, thin strips, usually along the length of the document. Cross-cut shredding, however, cuts strips in both directions (i.e., along its length and width), producing confetti-like pieces.
8. See Douglas Heingartner, “Picking Up the Pieces,” N.Y. Times, July 17, 2003, available at www.nytimes.com/2003/07/17/technology/circuits/17shre.html.
9. The intended recipient must necessarily be given the means to decrypt the information.
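
An added example, not part of the original article: one way to combine the steps the article describes for an electronic customer list, namely replacing customer names with opaque identifiers, covertly seeding each recipient's copy with its own dummy records, logging each disclosure, and later tracing leaked data back to a copy. The record layout, function names, key and sample data are all constructed for illustration; keyed (HMAC) identifiers stand in for the article's "random, unique identifiers" so the discloser can recompute them.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample data; every name and value here is made up for the example.
CUSTOMERS = [
    {"name": "Acme Tooling", "region": "Midwest", "annual_spend": 120000},
    {"name": "Birch Logistics", "region": "South", "annual_spend": 86000},
    {"name": "Corvid Foods", "region": "West", "annual_spend": 231500},
]
# Fixed so the example is reproducible. In practice generate it once with
# secrets.token_bytes(32) and never share it with any recipient.
DEMO_KEY = bytes(range(32))
REGIONS = ["Midwest", "Northeast", "South", "West"]


def pseudonym(key, name):
    """Opaque identifier disclosed in place of a customer name."""
    mac = hmac.new(key, b"name|" + name.encode(), hashlib.sha256)
    return "C-" + mac.hexdigest()[:10]


def canary_rows(key, recipient, count=2):
    """Dummy records unique to one recipient; recomputable only with the key."""
    rows = []
    for i in range(count):
        d = hmac.new(key, f"canary|{recipient}|{i}".encode(), hashlib.sha256).digest()
        rows.append({
            "customer_id": "C-" + d.hex()[:10],
            "region": REGIONS[d[5] % len(REGIONS)],
            "annual_spend": 50000 + int.from_bytes(d[6:8], "big") * 10,
        })
    return rows


def prepare_copy(key, customers, recipient, log, when):
    """Build one recipient's copy and record the disclosure in the log."""
    rows = [{"customer_id": pseudonym(key, c["name"]),
             "region": c["region"],
             "annual_spend": c["annual_spend"]} for c in customers]
    rows += canary_rows(key, recipient)
    rows.sort(key=lambda r: r["customer_id"])  # canaries are not grouped at the end
    body = "\n".join(f"{r['customer_id']},{r['region']},{r['annual_spend']}" for r in rows)
    log.append({
        "copy_id": f"COPY-{len(log) + 1:04d}",
        "recipient": recipient,
        "disclosed_on": when.isoformat(),
        "sha256": hashlib.sha256(body.encode()).hexdigest(),
        "records": len(rows),
    })
    return rows


def trace_leak(key, leaked_rows, log):
    """Map each logged copy to the number of its canaries found in leaked data."""
    leaked_ids = {r["customer_id"] for r in leaked_rows}
    hits = {}
    for entry in log:
        found = sum(r["customer_id"] in leaked_ids
                    for r in canary_rows(key, entry["recipient"]))
        if found:
            hits[entry["copy_id"]] = (entry["recipient"], found)
    return hits


if __name__ == "__main__":
    log = []
    prepare_copy(DEMO_KEY, CUSTOMERS, "Vendor A", log, date(2004, 1, 5))
    copy_b = prepare_copy(DEMO_KEY, CUSTOMERS, "Vendor B", log, date(2004, 1, 12))
    # Constructed "leak": a reordered excerpt of Vendor B's copy.
    print(trace_leak(DEMO_KEY, copy_b[::-1][:4], log))
```

The key has to be retained alongside the disclosure log, since both the name mapping and the canary records are recomputed from it when a leak is investigated.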