Founded By:          _ _______
Guardian Of Time     __ N.I.A. _ ___ ___                Are you on any WAN? are
Judge Dredd          ____ ___ ___ ___ ___               you on Bitnet, Internet
------------------+  _____ ___ ___ ___ ___              Compuserve, MCI Mail,
        Ø            / ___ ___ ___ ___ ___________      Sprintmail, Applelink,
+---------+          ___ ___ ___ ___ ___________        Easynet, MilNet,
| 31OCT90 |          ___ ______ ___ ___ ___             FidoNet, et al.?
| File 63 |          ___ _____ ___ ___ ___              If so please drop us a
+---------+          ____ _ __ ___                      line at
                     ___ _ ___                          elisem@nuchat.sccsi.com
Other World BBS      __
Text Only            _                                  Network Information Access
                                                        Ignorance, There's No Excuse.

SECTION III COMPUTER SECURITY CONTROLS AND THE LAW

Guardian Of Time

NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA

Well, I rushed to get this one out in time for Halloween, so here is part III
of my series on Computer Security Controls. I hope that you will enjoy it.

Lord Macduff, I hope you enjoy ALL of those VAX Manuals you are reading, and
don't forget: WRITE SOMETHING!

NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA

STANDARDS OF DUE CARE

The follow-the-leader strategy of employing generally used controls in data
processing is motivated in part by the legal concept of standards of due
care. It is becoming possible to lose more in damages from a civil action,
such as a stockholders' suit or a citizens' suit against the government,
after an accidental or intentionally caused act than directly from the act
itself. Liability of a provider of computer services towards any other
party (customer, data subject, affected third party, stockholder) can
arise through a conscious act of malice with intent to cause harm, through
reckless disregard of the consequences to the person harmed, or through
negligent performance or failure to perform. For such liability to attach,
a duty of care must be owed to the victim of the act. Once responsibility
is established, the provider having the responsibility is required to act as
a prudent person.

The actions of another person in the same position or the general practice
of the computer services industry are useful in establishing the standard of
care against which individual performance will be measured. However,
industry practice is not a complete answer. In the TJ Hooper case, which
concerned the failure of a large tugboat operator to use radio receivers
in 1932 to avoid inclement weather, Judge Learned Hand stated:

IS IT THEN A FINAL ANSWER THAT THE BUSINESS HAD NOT YET ADOPTED RECEIVING
SETS? THERE ARE, NO DOUBT, CASES WHERE COURTS SEEM TO MAKE THE GENERAL
PRACTICE OF THE CALLING (INDUSTRY) THE STANDARD OF PROPER DILIGENCE; ...
INDEED IN MOST CASES REASONABLE PRUDENCE IS IN FACT COMMON PRUDENCE, BUT
STRICTLY IT IS NEVER ITS MEASURE; A WHOLE CALLING (INDUSTRY) MAY HAVE UNDULY
LAGGED IN THE ADOPTION OF NEW AND AVAILABLE DEVICES. IT (THE INDUSTRY)
MAY NEVER SET ITS OWN TESTS, HOWEVER PERSUASIVE BE ITS USAGES. COURTS MUST
IN THE END SAY WHAT IS REQUIRED; THERE ARE PRECAUTIONS SO IMPERATIVE THAT
EVEN THEIR UNIVERSAL REGARD WILL NOT EXCUSE THEIR OMISSION (60 F.2D 737, 730
[2ND CIR. 1932], CERT. DENIED 287 US 662 [1932]).

No definitive answer or test can establish a standard of due care on grounds
of common practice in an industry or on prudence based on use of available
devices, whether generally adopted or not. In 1955, the Circuit Court of
Appeals for the Sixth Circuit held that the failure to use radar by an
aircraft in 1948 was excusable because no commercially feasible aircraft
radar system was available (Northwest Airlines v. Glenn L. Martin Co., 224
F.2d 120, 129-130). In 1977, the US District Court for the Southern
District of New York held an airline liable for a robbery for failure to
take appropriate precautions, despite the provision of an armed guard in
front of the locked, unmarked storage area and the argument that the airline
had taken the same degree of precautions that other airlines had
(Manufacturers Hanover Trust Co. v. Alitalia Airlines, 429 F.Supp.
964 [1977]). Further, professionals may not always rely on generally
accepted practices. In US v. Simon (425 F.2d 796 [2nd Cir. 1969]) the
United States Court of Appeals for the Second Circuit held that, even in a
criminal case, generally accepted accounting principles were not necessarily
the measure of accountants' liability for allegedly misleading statements in
a footnote to the financial statements.

The concept of standard of due care will arise with increasing frequency as
disputes over computer-related loss end in litigation. Computer security
administrators must be aware of standard of due care issues as they arise
and take action to conform to the outcome.

APPLYING LEGAL CONCEPTS TO COMPUTER SERVICES

One area where the courts have had some difficulty in applying legal
concepts to computers is in determining exactly how to characterize computer
services from a legal point of view. The courts have generally held that
basic legal principles requiring a person to exercise reasonable care do not
change simply because a computer is involved. The courts have generally
stated that those who use computers must do so with care, and they have not
been sympathetic to defenses asserting good faith mistakes resulting from
reliance on faulty computer data. In Ford Motor Credit Co. v. Swarens (447
S.W.2d 53 [Ky. 1964]), for example, a finance company wrongfully
repossessed the plaintiff's car after he had proven on two occasions that he
was current in his payments by showing cancelled checks to agents of the
defendant. The finance company defended on the basis that an admitted error
with respect to the plaintiff's account had occurred as a result of a
computer error. The court rejected this defense, stating:

FORD EXPLAINS THAT THIS WHOLE INCIDENT OCCURRED BECAUSE OF A MISTAKE BY A
COMPUTER. MEN FEED DATA TO A COMPUTER AND MEN INTERPRET THE ANSWER THE
COMPUTER SPEWS FORTH. IN THIS COMPUTERIZED AGE, THE LAW MUST REQUIRE THAT
MEN IN THE USE OF COMPUTERIZED DATA REGARD THOSE WITH WHOM THEY ARE DEALING
AS MORE IMPORTANT THAN A PERFORATION ON A CARD. TRUST IN THE INFALLIBILITY
OF A COMPUTER IS HARDLY A DEFENSE, WHEN THE OPPORTUNITY TO AVOID THE ERROR
IS AS APPARENT AND REPEATED AS WAS HERE PRESENTED.

It is clear, therefore, that excessive reliance on computer data without
proper safeguards to ensure the reliability and accuracy of the information
may constitute the failure to exercise due care, and in some cases may even
result in the award of punitive damages.

PROFESSIONAL STANDARD OF CARE

There is clearly a duty to exercise reasonable care in using computers.
Depending on the legal characterization given to contracts to supply
computer equipment and services, a higher standard of care may be required
of suppliers of computer services. Such an argument would be based on the
theory that programmers and others who provide computer services hold
themselves out as professionals with special expertise. As such
professionals, they arguably should be held to the level of care that would
be exercised by a reasonable member of the profession under similar
circumstances.

In Triangle Underwriters v. Honeywell, Inc. (604 F.2d 737 [2nd Cir. 1979]),
for example, the court found that Honeywell agreed to deliver a completed
computer system to Triangle and not to run a continuous data processing
service. Triangle tried to argue not only that Honeywell had been negligent
in failing to design and deliver a workable system, but also that the wrong
continued during the period in which Honeywell employees attempted to
repair the malfunctioning system. Triangle argued that Honeywell had
engaged in professional malpractice, and that the continuous treatment
theory should apply so that the statute of limitations would not commence to
run until the professional relationship had ended. The district court noted
that the continuous treatment theory had been applied by New York courts to
nonmedical professionals such as lawyers, accountants, and architects, but
it declined to apply the theory to Honeywell. "In the case at bar ... the
necessary continuing professional relationship did not exist. Honeywell was
not responsible for the continuous running of a data processing system for
Triangle."

Although the court thus refused to accept the plaintiff's theory of
professional malpractice on the facts of that case, the decision leaves open
the possibility that the doctrine might be applied in a future case to
persons who provide computer services for a client on an ongoing basis.

STRICT LIABILITY

There is a further issue of whether those who provide computer services
should be strictly liable in tort for injury to others due to malfunctions
of the equipment. The doctrine of strict liability arose out of cases
involving the sale of goods, and it has been said that:

PROFESSIONAL SERVICES DO NOT ORDINARILY LEND THEMSELVES TO THE DOCTRINE OF
TORT LIABILITY WITHOUT FAULT BECAUSE THEY LACK THE ELEMENTS WHICH GAVE RISE
TO THE DOCTRINE. THERE IS NO MASS PRODUCTION OF GOODS OR A LARGE BODY OF
DISTANT CONSUMERS WHOM IT WOULD BE UNFAIR TO REQUIRE TO TRACE THE ARTICLE
THEY USED ALONG THE CHANNELS OF TRADE TO THE ORIGINAL MANUFACTURER AND THERE
TO PINPOINT AN ACT OF NEGLIGENCE REMOTE FROM THEIR KNOWLEDGE AND EVEN FROM
THEIR ABILITY TO INQUIRE. THUS, PROFESSIONAL SERVICES FORM A MARKED
CONTRAST TO CONSUMER PRODUCTS CASES AND EVEN IN THOSE JURISDICTIONS WHICH
HAVE ADOPTED A RULE OF STRICT PRODUCTS LIABILITY A MAJORITY OF DECISIONS
HAVE DECLINED TO APPLY IT TO PROFESSIONAL SERVICES. THE REASON FOR THE
DISTINCTION IS SUCCINCTLY STATED BY TRAYNOR, J., IN GAGNE V. BERTRAN, 43
CAL. 2D 481, 275 P. 2D 15, 20-21 (1954): "[T]HE GENERAL RULE IS APPLICABLE
THAT THOSE WHO SELL THEIR SERVICES FOR THE GUIDANCE OF OTHERS IN THEIR
ECONOMIC, FINANCIAL, AND PERSONAL AFFAIRS ARE NOT LIABLE IN THE ABSENCE OF
NEGLIGENCE OR INTENTIONAL MISCONDUCT. ... THOSE WHO HIRE [EXPERTS] ... ARE
NOT JUSTIFIED IN EXPECTING INFALLIBILITY, BUT CAN EXPECT ONLY REASONABLE
CARE AND COMPETENCE. THEY PURCHASE SERVICE, NOT INSURANCE." (CT/EAST, INC.
V. FINANCIAL SERVICES, INC., 5 CLSR 817 [1975]).

Under this traditional approach, a finding that an agreement to provide
computer equipment constituted either a sale of goods on the one hand or a
contract for professional services on the other would appear to decide the
issue of whether the doctrine of strict liability would apply. Following
this line of reasoning, if an agreement to provide a computer package was
construed as an agreement for professional services, then the provider could
not be strictly liable in tort for any malfunction.

Traditional legal theories, however, cannot always be applied without
difficulty to novel concepts such as computer agreements. It may be more
appropriate, therefore, to adopt the approach used by a federal court in
Wisconsin in Johnson v. Sears, Roebuck & Co. (355 F. Supp. 1065 [ED Wis.
1973]). In Johnson, the plaintiff argued that the hospitals that treated
her for injuries had done so negligently and that they were strictly liable
in tort. The court decided the issue of the applicability of strict
liability to the sale of services by analyzing blood transfusion cases that
held hospitals strictly liable in tort for providing blood containing
impurities to patients. The court rejected the sales/service analysis and
stated that the decision to impose strict liability should be made on an ad
hoc basis by examining the facts involved in each particular case. The
court reasoned that the "... decision should not be based on a technical or
artificial distinction between sales and services. Rather, I must determine
if the policies which support the imposition of strict liability would be
furthered by its imposition in this case."

STATUTORY SOURCES OF LIABILITY FOR RELIANCE ON INACCURATE COMPUTER-BASED
DATA

Regardless of whether suppliers of computer services should be held to a
higher standard of care or subject to strict liability in tort, clearly the
common law duty exists to exercise reasonable care to ascertain the accuracy
of information furnished by a computer before relying on such data. This
duty becomes particularly important when computer data are relied on in
making periodic reports required by the federal securities laws. Management
has a duty to maintain accurate records, and third parties have the duty to
verify the accuracy of information supplied by management.

MANAGEMENT'S RESPONSIBILITIES: Various provisions of the Securities Act of
1933 (the 1933 Act) and the Securities Exchange Act of 1934 (the 1934 Act)
impose liability for making false or misleading statements of a material
fact or for failing to state a material fact necessary to make statements
made not misleading, in the light of the circumstances under which they were
made. These provisions create a duty on the part of reporting companies to
file accurate reports and to maintain accurate records. The Foreign Corrupt
Practices Act of 1977 (FCPA) codified this duty to maintain accurate
records.

A recent bank embezzlement of $21.3 million illustrates the importance of
complying with the FCPA's requirement of establishing a system of internal
accounting controls. The management of an entity is responsible for
establishing and maintaining adequate internal controls, and it is worth
noting that the complaint in a shareholder's derivative suit now being
argued before the United States District Court for the Southern District of
Texas relies partly on an allegation that management failed to do so.
Management risks exposure to significant potential liability, therefore, if
it fails to institute and enforce internal controls sufficient to comply
with the FCPA.

Internal controls should ensure that data produced by a computer are
accurate and reliable. This means that restrictions should be put on access
to computer records and on who has the capability to enter information or
alter data in the computer. "Audit trails" should also be used to create
documentary evidence of transactions and of who made a particular data
entry. Finally, electronic record keeping systems are only as trustworthy
as the people who use them, and it is imperative that a security system be
established to help preclude unauthorized persons from gaining access to the
computer or altering information in the system.

ACCOUNTANTS' RESPONSIBILITIES: The $21.3 million bank embezzlement raises
substantial questions about the sufficiency of the auditing procedures of a
bank or other company that uses an electronic data processing system for the
storage and representation of assets. The role of an accountant performing
an independent audit is to furnish an opinion that the accounts of the
company being audited are in proper order and that they fairly present the
company's financial position. It seems obvious, therefore, that an
independent accountant performing an audit of a company that uses an EDP
system should examine the reliability of the system and the controls on it
before issuing an opinion. Otherwise, the accountant's certification of the
company's financial statements would have no reliable basis. The Second
Standard of Field Work of the Generally Accepted Auditing Standards approved
and adopted by the membership of the American Institute of Certified Public
Accountants (AICPA) states that "[t]here is to be a proper study and
evaluation of the existing internal control as a basis for reliance thereon
and for the determination of the resultant extent of the tests to which
auditing procedures are to be restricted" (American Institute of Certified
Public Accountants, Statement on Auditing Standards No. 1, Sec. 150.02
[1973]). This Standard of Field Work requires an auditor to study and
evaluate a corporation's system of internal control to establish a basis for
reliance thereon in formulating an opinion on the fairness of the
corporation's financial statements, and this basic duty does not vary with
the use of different methods of data processing, as the Standard states:

SINCE THE DEFINITION AND RELATED BASIC CONCEPTS OF ACCOUNTING CONTROL ARE
EXPRESSED IN TERMS OF OBJECTIVES, THEY ARE INDEPENDENT OF THE METHOD OF DATA
PROCESSING USED; CONSEQUENTLY, THEY APPLY EQUALLY TO MANUAL, MECHANICAL, AND
ELECTRONIC DATA PROCESSING SYSTEMS. HOWEVER, THE ORGANIZATION AND PROCEDURES
REQUIRED TO ACCOMPLISH THOSE OBJECTIVES MAY BE INFLUENCED BY THE METHOD OF
DATA PROCESSING USED.

The AICPA has recognized that "[t]he increasing use of computers for
processing accounting and other business information has introduced
additional problems in reviewing and evaluating internal control for audit
purposes," and it has issued a Statement on the Effects of EDP on the
Auditor's Study and Evaluation of Internal Control. This Statement provides
that:

WHEN EDP IS USED IN SIGNIFICANT ACCOUNTING APPLICATIONS, THE AUDITOR SHOULD
CONSIDER THE EDP ACTIVITY IN HIS STUDY AND EVALUATION OF ACCOUNTING CONTROL.
THIS IS TRUE WHETHER THE USE OF EDP IN ACCOUNTING APPLICATIONS IS LIMITED OR
EXTENSIVE AND WHETHER THE EDP FACILITIES ARE OPERATED UNDER THE DIRECTION OF
THE AUDITOR'S CLIENT OR A THIRD PARTY.

When auditing a corporation with an EDP system, therefore, an auditor should
thoroughly examine the system to evaluate its control features. To conduct
his examination properly, however, the auditor must have sufficient
expertise to enable him to understand entirely the particular EDP system
involved.

CONCLUSIONS ON APPLYING LEGAL CONCEPTS

Everyone who uses or supplies computer services has a common law duty to
exercise reasonable care to ensure that information supplied by the computer
is accurate and reliable. The federal securities laws impose additional
duties on management to keep accurate records and to devise and maintain a
system of internal accounting controls sufficient to provide reasonable
assurances that transactions are executed in accordance with management's
authorization and are accurately recorded. Finally, accountants who audit
companies with EDP systems have a duty to review the company's system of
internal controls and to disclose any material deficiencies to management
and possibly to the public through notes to its certification of financial
statements.

These various duties illustrate the necessity of taking steps to ensure the
reliability of computer systems. A well-designed system of internal control
is crucial to safeguard against the improper use of the computer. Internal
control begins with the computer equipment itself. When converting to an EDP
record keeping system, management should get outside advice on the type of
system required and on the controls that should be built into the system.
Management should fully understand what the computer programs in the system
are designed to do and that the computer can do only what it is told and
nothing more. This can be an important method of preventing fraud, and
management should demand that internal controls be put into the system,
because otherwise the programmer may not do so.

Once controls are built into the computer system itself, internal controls
should be established and maintained to prevent unauthorized access to the
system. The internal controls should cover all phases of EDP and include
input, processing, and output controls. An overall plan of organization and
operation should be devised containing controls over access to EDP
equipment, as well as provisions for effective supervision and rotation of
personnel, and the plan should be strictly enforced. Finally, an internal
auditing process should be established to provide independent document
counts or totals of significant data fields.

The independent accountant plays a major role in preventing unauthorized
persons from gaining access to the computer system. Through his review of a
company's internal controls, an accountant can detect possible weaknesses
and recommend useful changes. It is very important, therefore, that outside
auditors closely scrutinize a company's internal control system. A rigorous
independent audit makes up the final stage of an overall plan to help
prevent the production of inaccurate computer-based data.

PROTECTING PROPRIETARY INTERESTS IN COMPUTER PROGRAMS

Discussions with legal counsel at several of the field sites revealed
considerable concern about proprietary interests in computer programs.
Little communication exists between lawyers and data processing managers,
and areas of their mutual concern are not often addressed. Communication is
even more important today as programs and data files are increasingly viewed
by management as valuable, intangible assets of their organizations. In
addition, government and business organizations are increasingly acquiring
commercially available computer programs where the proprietary interests of
providers and users must be protected. Selection of generally used controls
will be strongly influenced by the need to preserve proprietary rights to
computer programs.

PROBLEMS ADDRESSED

Protecting proprietary interests in computer programs is a multifaceted task
that requires knowledge of the law, computer programs, and security. Few
data processing managers have this expertise in-house, but all owners and
custodians of computer programs can and should add to their skills and
knowledge from other sources of expertise.

Those involved with computer programs--owners, users, custodians, employees,
and competitors--have two conflicting goals; sometimes the same party
pursues both goals simultaneously for different products. One goal is to
protect the computer program, either to ensure a competitive advantage by
preventing others from using the computer program or to charge for its use
or disclosure. The other goal is to ignore protection so that the computer
programs can be used and transferred at will and without cost. The
particular goal sought by an organization depends on its values, purposes,
and policies; however, the data processing manager should understand the
boundaries of fair and legal business practice that apply to users,
custodians, and owners of computer programs, as well as to competitors.

THE NATURE OF COMPUTER PROGRAMS

Before the types of computer programs involved are identified, it is helpful
to know why the laws differentiate computer programs from other parts of
computer systems. A computer program is a form of intellectual property (a
valuable, intangible asset consisting of ideas, processes, and methods) that
is relatively new and eludes analogy to previously existing products.
Debate continues as to whether computer programs are products, technical
processes, or professional services. Computer programs are thus unique as a
subject of treatment under existing law, and applying the law requires
adapting current legal concepts to particular forms of computer programs.
Computer programs are developed to run in specific types of computers (such
as operating systems) or are machine independent (such as many application
programs). They may be in human-readable form or machine-readable form.
Some computer programs are translated into different programming languages
or converted to run on different computers.

FORMS OF LEGAL PROTECTION

The five forms of legal protection that can apply to computer programs are
patent, copyright, trade secret, trademark, and contract.

PATENTS: Patent protection is a federal statutory right giving the inventor
or his assignee exclusive rights to make, use, or sell a product or process
for 17 years. An invention must meet several criteria to receive patent
protection. First, it must involve statutory subject matter (i.e., physical
methods, apparatus, compositions of matter, devices, and improvements). It
cannot consist merely of an idea or a formula. Furthermore, the invention
must be new, useful, and not obvious, and must be described according to
patent regulations in a properly filed and prosecuted patent application.

The status of patent protection for computer programs until 1981 was
ambiguous. In three decisions the US Supreme Court held that particular
computer programs were unpatentable because of failure to meet one or more
of the tests described previously. The Court declined to patent what it
felt was merely a formula, it had held a process non-patentable for
obviousness, and it had refused a patent when the only novelty involved was
the form of carrying out a nonpatentable step.

In 1981, however, the Supreme Court handed down two decisions that may have
some effect on future patentability claims. These cases involved computer
programs that are part of inventions otherwise eligible for patent. In one
case, the Court decided that a process control computer program for curing
synthetic rubber should not be denied a patent simply because it uses an
algorithm (an ordered set of instructions) and a computer. The US Patent
Office must still determine whether the entire process is novel enough to
warrant issuing a patent.

In a companion case, the Court let stand a lower court ruling that a module
of the Honeywell Series 60 Level 64 computer system should be considered for
patent. The module, which includes electronic circuits and a computer
program fixed in the circuits, is a storage and retrieval device using
internal storage registers. Again, the device must meet the novelty
requirement before a patent is issued. Note that these decisions involve
computer programs that are part of a patentable device or process; these
decisions do not reverse past rulings that computer programs are not
patentable.

Even if there were a major change in computer program patent policy, few
owners would seek patent status for their computer programs. The patent
process is lengthy and expensive and requires full disclosure of the idea.
Furthermore, a patent has only a 50% chance of surviving a challenge to its
validity in the courts. For those few programs that really do represent
technological breakthroughs, however, a patent would provide the exclusive
right to use or sell the program for 17 years (patents are nonrenewable).

COPYRIGHTS: Copyright is the federal statutory protection for an author's
writings. Written works created since 01JAN78 are protected by the new
copyright law, which provides exclusive rights to the author or his assignee
for the copyright, publication, broadcast, translation, adaptation, display,
and performance of the idea contained in the work from the time it is
embodied in tangible form. This protection is lost if the writing is
published without copyright notice, which consists of the word copyright (or
the copyright symbol), the date, and the author's name. This notice must be
affixed so that it attracts the attention of third parties (i.e., on the
first or inside front page of a book or pamphlet). In late 1980 a federal
copyright bill was enacted explicitly to cover computer programs and data
bases.

Copyright is inexpensive and can be obtained quickly. One required and one
optional copy along with minor filing fees must be submitted to the Copyright
Office. The second copy can be the first and last 25 pages of the program.
Although optional, the second copy is a prerequisite for bringing an
infringement suit and for some remedies such as statutory damages and the
award of attorney fees. The copyright remains in effect for 50 years beyond
the death of the author and is nonrenewable.

Because copyright protects only against copying and requires disclosure of
the idea, its usefulness is limited for some programs. However, it can be
adequate protection for inexpensive package programs sold in the multiple
copy market. The function of such programs is not unique; the value to the
owner lies in selling thousands of copies.

TRADE SECRETS: A trade secret is a right protected by state rather than
federal law. It is defined in many states as a secret formula, pattern,
scheme, or device used in the operation of a business that gives the
organization a competitive advantage over those who do not know it.
Computer programs have qualified as trade secrets in a number of court
cases.

The requirement for trade secret status is that the item must remain secret.
Absolute secrecy is not required; for example, if the secret is disclosed
only to people bound (by virtue of their relationship or by contract) to
keep it confidential, trade secret status is maintained regardless of how
many people know it. Confidential relationships include employees, agents
in a fiduciary or trust relationship, and thieves. To prevent thieves from
profiting from ill-gotten knowledge, the laws hold that they are in a
constructive trust relationship. A contract is used to bind licensees and
joint venture partners or investors. In some states these people are bound
even without a contract.

Once the secret is disclosed without a requirement of confidentiality, or is
disclosed to someone who does not know its secret character, the trade
secret status is lost forever. (Trade secrets are often disclosed
carelessly to user groups and at technical meetings.) If the secret is not
disclosed, however, the protection can last forever.

Employees who learn the secret in the course of their duties are bound not
to misappropriate it because of their trust relationship. Many employees do
not realize the comprehensive nature of that trust and should be educated by
their employers before they injure both the employer and themselves by using
computer programs developed for an employer for their own purposes.

TRADEMARKS: Trademark protection provides the exclusive right to use a
symbol to identify goods and services. Trademark rights take effect upon
use in commerce. Registration with the US Patent Office or a state agency is
not necessary to obtain trademark status, but it helps greatly in exercising
trademark rights. Trademark protection exists at both the federal and state
levels. The protected symbol can be both a trade name and a logo (e.g.,
XYZ). The protection afforded by the trademark is limited to the name or
logo. The program content itself is not protected. Because the major
benefit of trademark protection is to prevent another product from being
given the same name, this protection is useful only for programs that will
be marketed.

CONTRACTS: Copies of computer programs are ordinarily transferred to others
in the course of doing business (sometimes in source language form);
therefore, transfer is frequently accompanied by an agreement to keep the
computer program confidential. Patented and copyrighted computer programs
can be transferred using contracts that have more restrictive provisions
than the patent or copyright laws require. The owner can, for example,
contract with another not to disclose copyrighted computer programs. In
addition, damages for disclosure or unauthorized copying, complex formulas
for royalty payment for legitimate use, and the ownership of enhancements
and changes to the computer program can also be delineated in a contract.

SELECTING THE RIGHT PROTECTION

The type of protection that is best for a particular computer program
depends on several factors:

(1) The longer the lifespan of the program, the more likely that the
    expensive investment of patent protection will be worthwhile.

(2) The higher the value of the program, the more money that can
    reasonably be spent on protection.

(3) Algorithms that must be disclosed widely are (if otherwise worth the
    investment) best protected by patent, which precludes use as well as
    duplication. Copyright protects only against copying, and trade secret
    protection is irrevocably lost if the algorithm is inadvertently
    disclosed outside a confidential relationship.

(4) The most expensive protection is patent; the least expensive is
    copyright.

(5) Patents take the longest time to obtain; the other forms offer almost
    immediate protection.

(6) A patent protects against recreation; trade secret protection is lost
    if the program can be recreated.

These factors are summarized in TABLE 1.

UNRESOLVED LEGAL ISSUES

Two unresolved but important legal issues affect the analysis summarized in
TABLE 1. The first is the patentability of computer programs discussed
previously. The data processing manager and corporate counsel should keep
track of the continuing legal debate in this area. The second unresolved
issue is the legal relationship between copyright and trade secret
protection when both are used for the same product. Trade secret protection
has been held by the US Supreme Court to be compatible with patent
protection, but the Court has yet to decide whether a trade secret can be
copyrighted to protect the secret in case it is disclosed.

TABLE 1.

DECISION TABLE FOR TYPES OF LEGAL PROTECTION
|-----------------------------------------------------------------|
|DECISION FACTOR                  | HIGH     | MEDIUM   | LOW     |
|-----------------------------------------------------------------|
|ESTIMATED LIFESPAN OF THE PROGRAM| C OR TS  | P        | C OR TS |
|VALUE OF THE PROGRAM TO THE OWNER| P, C, TS | P, C, TS | C, TS   |
|NEED TO DISCLOSE THE PROGRAM     |          |          |         |
|TO OTHERS                        | P, C     | TS, C    | TS      |
|OWNER'S EXPENSE BUDGET           | P, TS, C | TS, C    | C       |
|TIME SENSITIVITY                 | TS, C    | P, TS, C | P, TS   |
|SUSCEPTIBILITY TO REVERSE        |          |          |         |
|ENGINEERING                      | P        | P, TS    | TS, C   |
|-----------------------------------------------------------------|
NOTES: C = COPYRIGHT, P = PATENT, TS = TRADE SECRET

The policies underlying the two forms of protection conflict: federal
copyright protection contemplates disclosure, while state trade secret
protection requires that there be no disclosure without an obligation
against further disclosure. According to some legal scholars, a court could
rule that a copyrighted program is not eligible for trade secret protection.
Other legal scholars argue that since the disclosure requirement for federal
patent protection has not preempted trade secret protection, the Supreme
Court should also uphold the right of computer program owners to receive
both trade secret and copyright protection.

SUGGESTED CONTROLS

Because of these critical and unresolved legal issues, developers should
carefully evaluate the types of protection and remain alert to changes in
the laws. At present, often the best alternative is to copyright computer
programs and then license or disclose the computer program using agreements
that restrict use, transfer, and disclosure. This approach should not
conflict with existing copyright law theory, and it achieves the same
secrecy afforded by trade secret protection.

Embodying the program in electronic circuitry is another alternative that
should be considered. It cannot be altered by the user and inhibits copying
and user enhancements. In addition, the recent Supreme Court decision
suggests that programs in such form can receive patent protection if they
are parts of patentable devices. Without patent protection, they are
susceptible to recreation and thus to loss of trade secret status.

To provide notice of the proprietary rights in computer-related materials,
the owner should put a human-readable notice on all materials a user will
see. The notice can be placed on a computer terminal that displays the
program, on listings, on manuals, on containers of machine-readable
material, and in the program itself. A suggested form of notice is:

THIS IS AN UNPUBLISHED WORK PROTECTED UNDER THE COPYRIGHT LAW OF 1976. IT
IS OWNED BY XYZ COMPANY, ALL RIGHTS RESERVED. ANY UNAUTHORIZED DISCLOSURE,
DUPLICATION, OR USE IS A VIOLATION OF CIVIL AND CRIMINAL LAW.

If licensed, a reference to the license can be included in the notice.

IF THE WORK IS PUBLISHED, IT SHOULD HAVE THE FORMAL COPYRIGHT NOTICE
ATTACHED IN LIEU OF THE ABOVE STATEMENT. THE INTENTIONAL OMISSION OF THE
COPYRIGHT NOTICE WILL CAUSE THE OWNER TO LOSE HIS COPYRIGHT; AN
UNINTENTIONAL OMISSION CAN BE REMEDIED.

EMPLOYER-EMPLOYEE RELATIONSHIPS

Many problems concerning computer program protection arise from the
employer-employee relationship, where two philosophies often conflict. One
philosophy is that the products of the employee belong to the employer; the
other is that employees should be free to change jobs during their careers
and to use the expertise gained in one job in new work situations.

Although some employers might argue that all work done during employment
belongs to them, and some employees might claim that their creations are
theirs exclusively, the laws do not generally support either claim. State
laws vary on this question; however, the prevailing view is that programs
written or developed as a specific task assigned by the employer belong
exclusively to the employer, and that programs written or developed solely
by the employee, using the employee's own time and resources, belong
exclusively to the employee. Most controversy over computer program
ownership falls in the gray area between these two positions.

The following discussion centers on trade secret law since patent and
copyright protection are less helpful. Patent protection for computer
programs is ambiguous and hence rarely used, and most companies have a
well-established patent assignment policy. On the other hand, the new
copyright law is explicit regarding work for hire:

IN THE CASE OF A WORK MADE FOR HIRE, THE EMPLOYER OR OTHER PERSON FOR WHOM
THE WORK WAS PREPARED IS CONSIDERED THE AUTHOR FOR PURPOSES OF THIS TITLE,
AND, UNLESS THE PARTIES HAVE EXPRESSLY AGREED OTHERWISE IN A WRITTEN
INSTRUMENT SIGNED BY THEM, OWNS ALL OF THE RIGHTS COMPRISED IN THE
COPYRIGHT.

Conflicts of trade secret ownership between employers and employees over
other than assigned work are usually resolved based on the resources used.
Employees who develop new computer programs on their own time, at home, on a
personally owned terminal, but using employer computer time may be found to
own the programs; however, the employer may be given a royalty-free license
to use the programs in its business. A more complex question concerns
employees working at home on flextime or with an employer-owned terminal or
microcomputer. In such cases, proof of whose resources were used in
development is more difficult to establish.

Legal battles over program ownership are very costly to both sides and
consume enormous amounts of time and energy. Often a court formulates a
compromise so that neither side actually wins. To avoid going to court over
program ownership, employers should have an explicit policy regarding
employee-developed programs. This policy can be part of an
organization-wide trade secret protection plan developed by management and
legal counsel.

A basic control requires that each employee involved in developing computer
programs sign an agreement concerning ownership of computer programs at the
time of hire. A formal employment or secrecy agreement or an informal letter
to the employer can be used. Since both types of agreement are legally
effective, management style should determine which approach is used. The
informal letter is friendlier, but the more imposing contract form may make
a more lasting impression on the employee.

If a simple letter is used, the following format is recommended for the key
paragraph:

ALL COMPUTER PROGRAMS WRITTEN BY ME, EITHER ALONE OR WITH OTHERS, DURING THE
PERIOD OF MY EMPLOYMENT, COMMENCING ON _______________, 19__, AND UP TO AND
INCLUDING A PERIOD OF ____________ AFTER TERMINATION, WHETHER OR NOT
CONCEIVED OR MADE DURING MY REGULAR WORKING HOURS, ARE THE SOLE PROPERTY OF
THE COMPANY.

This important control prevents misunderstanding and protects the employer
against legal action.

Employees may use skills developed during previous jobs; however, they may
not use trade secrets disclosed to or produced by them during those jobs.
This is enjoinable behavior and may result in the award of damages to the
former employer. Departing employees should take nothing tangible from the
old job -- listings, notebooks, tapes, documents, or copies of any kind,
including lists of specific customers. Prospective employers should
carefully avoid crossing the fine line between hiring someone to provide
expertise in a particular area and hiring someone to provide knowledge of a
competitor's proprietary products or business plan. Special care is required
when more than one employee is hired from the same company.

Another essential control requires that departing employees be reminded
during the exit interview that no materials or proprietary concepts received
during employment can be used at the new job. They should be asked to read
and sign a statement that acknowledges their understanding of this point.
The statement should also affirm that no materials have been removed from
the employer's premises and that all those previously in the employee's
possession have been returned. Employers should obtain the employee's new
address in case later contact is necessary.

During the exit interview, employees should have the opportunity to clarify
gray areas -- programs they wrote on their own time using company terminals
and company computer time, innovations they developed that the company never
used, and so on. Permitting a departing employee to use an invention that
will not cause loss of competitive advantage can ensure a friendly and loyal
colleague in the marketplace. In any case, legal counsel should be involved
in these sessions, because an attorney experienced in trade secret law can
interpret the nuances of the interview more effectively and can emphasize
the consequences of unfair competitive conduct.

GUIDELINES FOR COMPUTER PROGRAM USERS

Users who obtain computer programs outside of contractual or other
confidential relationships that preclude competitive action can legally
recreate the programs and use them freely even if they know they are trade
secrets. In addition, users who obtain computer programs from third parties
without any knowledge that they are proprietary are free to use them. In
such cases the third party may be liable to the owner for misappropriation.
Computer program users should note, however, that intentional wrongful use
in this situation may lead to criminal and civil liability for infringement
or misappropriation.

Patented inventions can only be used with the owner's permission. The
alleged infringer, however, can challenge the validity of the patent in
court and, if successful, can defeat the patentee's exclusive right to use
the invention.

Another problem concerns the ownership of a user-made change or enhancement
that significantly alters the constitution of the computer program. Neither
copyright nor trade secret law is explicit on this point. Many vendor-user
agreements require the user to return all copies of the computer program at
the end of the term; however, few vendors forbid user changes and
enhancements or ask for royalties from new works embodying or based on their
computer programs. Some agreements contain provisions that any and all
changes belong to the vendor. Thus, the computer program user should pay
special attention to contract provisions regarding changes and enhancements.
In the absence of a specific agreement, the user takes some risk but has a
fair chance of surviving a challenge that user-made changes infringe on the
vendor's rights.

RECOMMENDED COURSE OF ACTION

The data processing manager should understand the legal alternatives for
protecting computer programs and adopt prudent controls used by others under
similar circumstances. If the organization uses computer programs developed
and owned by outside parties, this understanding and use of controls can
prevent legal problems and can ensure that the terms of the agreement for
using the computer programs are proper. For organizations that develop
computer programs in-house, a corporate policy based on a thorough knowledge
of the laws is a basic control that can prevent misunderstandings between
management and development personnel.

Such a policy can also ensure that the company does not lose a competitive
advantage because of unauthorized disclosure or copying of programs. Because
the laws in this area are subject to change, the data processing manager
should stay in close touch with the organization's legal counsel to keep
pace with the latest developments.

Meeting standards of due care and protecting proprietary interests in
computer programs are examples of common sources of motivation and need to
adopt generally used controls. Consideration of these common sources of
motivation and need, as well as the generally used controls (many found in
the study of the field sites), leads to a new computer security concept
presented in the next section.

END OF PART III

NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA


Current List Of BBS's that carry ALL of Network Information Access Files:

BBS NAME            PHONE NUMBER   SYSOP(S)                   SOFTWARE
--- ----            ----- ------   --------                   --------
Metamorphis Alpha   713/475-9055   Starchilde/Moonchilde      TAG
Pier 7              713/477-2681   Slice/Mouser               Quick
The End Over!       713/821-4174   Chester                    TAG
The Enigma          713/852-7121   Odysseus/Volker/Brutus     Telegard
Talk Radio          713/941-0917   Sir Lawrence/Lord MacDuff  TAG

All Boards are 24 Hours unless otherwise noted...