Incorporating Ethics into Information Governance Structures
By William M. Ulrich
You are a software engineer working on a software product and
not sure of how a customer wants a new change request implemented. You try to
get clarification, but the customer cannot articulate the request. To shortcut
the process, your customer provides you with a copy of a user manual from
another software product. It turns out that your customer has a license for a
product that performs a similar function to the one that he wants you to
implement. You review the manual, assess the specifics of the requested
function, implement it into your product and everyone is happy. Unfortunately,
you and your customer may have stepped over the line regarding certain
confidentiality, trade secret and copyright violations.
Depending on the information obtained and the process used to
obtain it, you and your company may be violating certain laws and opening
yourselves up to legal action on a regular basis. This article discusses why
software developers, managers, sales and marketing personnel, corporate officers
and lawyers need to pay more attention to what's happening within their
software development, support and training divisions. Doing so will allow you to
head off problems long before they escalate.
I am not a lawyer and I am not offering legal advice in this
article. I am a management consultant who has spent enough time as a customer,
vendor, user and litigation consultant to know that many legal issues linked to
the improper use of intellectual property can be sidestepped by staying within
prescribed ethical boundaries. Because multiple parties are typically involved
in these legal challenges, I will explore how ethical guidelines apply to
various corporate IT functions, vendor organizations and individuals. I will
also discuss how you can institutionalize ethical behavior within your
information governance structure.
Ethical Behavior in the Computer Industry
Ethics are behavioral guidelines that parallel certain legal standards.
While adhering to ethical guidelines will help avoid legal challenges,
management should always consult with in-house or outside legal counsel to
ensure that no laws are being violated. Ethics have been long standing in the
computer field and have been incorporated into various agreements and contracts
for many years. While most people have an innate sense of when they are doing
something wrong, ethical standards can be applied to help assess when certain
actions should or should not be taken with regard to someone else's
intellectual property.
There are a number of ethical standards within the computer
industry that companies and individuals can use as a guide to proper behavior.
These sources include the Association of Computer Machinery (ACM), Association
of Information Technology Professionals (AITP) and the Independent Computer
Consultants Association (ICCA). Following guidelines from these associations can
help keep organizations and individuals in the software field out of legal jams.
General Ethical Guidelines
The ACM, AITP and ICCA each offer general guidelines that encourage and
reinforce ethical behavior for computer professionals. Developers and companies
should incorporate these general guidelines into their work processes because
they establish a climate of morality that can fill in gray areas where specific
guidelines are not available. After all, a company has an obligation to not just
stay within legal boundaries, but to set a higher ethical standard that would
make that organization a better vendor, business partner, supplier or customer.
Some excerpts of general ethical guidelines, which the ACM calls moral
imperatives, are shown below.
- Avoid harm to others, be honest and trustworthy, be fair and take action
not to discriminate, and respect the privacy of others (source: ACM)
- Acquire and maintain professional competence (source: ACM)
- Accept and provide appropriate professional review (source: ACM)
- Articulate and support policies that protect the dignity of users and
others affected by a computing system (source: ACM)
- I have an obligation to my employer whose trust I hold, therefore, I shall
endeavor to discharge this obligation to the best of my ability (source:
AITP)
- Consultants will be honest and not knowingly misrepresent facts (source:
ICCA)
Some people may think that honesty, trustworthiness, respect
for privacy, professionalism and trust are quaint ideals. But if a CEO and
corporate board champion these qualities, it is more likely that a company will
not cross into questionable territory when dealing in more specific topics such
as privacy, security, unauthorized use of intellectual property and
confidentiality. These general guidelines espoused by the ACM, AITP and ICCA
establish the ethical and moral umbrella for the protection of intellectual
property.
Intellectual Property Guidelines
More specific ethical guidelines provide insights into protecting and
disseminating intellectual property and proprietary information. In my
experience, developers, software licensees, managers and a variety of other
professionals are not fully aware of the restrictions typically associated with
the access to and use of certain software products. The ACM, AITP and ICCA
provide ethical guidance in these areas.
- Honor property rights including copyrights and patents (source: ACM)
- Give proper credit for intellectual property (source: ACM)
- Respect the privacy of others (source: ACM)
- I shall not use knowledge of a confidential nature to further my personal
interest, nor shall I violate the privacy and confidentiality of information
entrusted to me or to which I may gain access (source: AITP)
- Consultants will install and use only properly licensed software (source:
ICCA)
- Consultants will safeguard any confidential information or documents
entrusted to them and not divulge any confidential information without the
consent of the client (source: ICCA)
- Consultants will not take advantage of proprietary information obtained
from the client (source: ICCA)
The impact of these statements is significant when taken
seriously by an individual, corporation or vendor. For example, if a consultant
vows to not take advantage of proprietary information obtained from a client, then
any knowledge gained while using a vendor software product at that client site
must be considered confidential. The consultant should not, for example, take
that confidential information and use it to reproduce a competitive software
product. This of course is subject to the consideration as to what information
is confidential and what information is public knowledge. But erring to the side
of high ethical standards is the best strategy in all cases.
Contracts & Agreements
By incorporating ethical standards into software contracts or agreements,
corporations, vendors and individuals have specific guidelines that can be used
in a court of law should a violation arise. The ACM specifically states a
professional's obligations in conjunction with a contract or agreement as
follows.
- Honor contracts, agreements and assigned responsibilities (source: ACM)
- Know and respect existing laws pertaining to professional work (source:
ACM)
Contracts and agreements come in many variations and most
professionals in the computer field have signed one or more of these contracts
and / or agreements in the course of their career. In my experience, it is
prudent to keep any signed agreements at hand and to review them carefully when
taking any action related to that agreement. The types of contracts and
agreements typically used within the software industry include the following
documents.
- Employee Code of Conduct: This document states how an employee
should behave in the course of their job. It may be explicit regarding the
acquisition and use of another company's intellectual property. The
Employee Code of Conduct may be brought into a legal case to show how an
employee did not live up to the spirit of an agreement with an employer.
- Employee Agreement: An employee typically signs an agreement
stating, among other things, that they will not take or misuse intellectual
property belonging to the employer or to another company. This typically
includes a long list of items including software, documentation and various
other trade secret information.
- Software Non-Disclosure Agreement: When a company agrees to review
a vendor's product, they typically sign an agreement stating that the
product, which includes the documentation and software, remains property of
the vendor. The product would need to be returned at the end of the
evaluation period and all related material would need to be destroyed.
- Software License Agreement: When a customer licenses a vendor
product, they sign a contract stating that the product, which again would
include all documentation and software, remains property of the vendor.
Depending on the type of agreement and licensee, the contract may restrict
use of the product to employees or alternatively accommodate contractors,
consultants or clients with access to a customer's computer system.
Note that there are certain types of software that do not
restrict access to the same degree as other types of software. For example, PC
software might not carry the same restrictions that a mainframe product might
carry. These variations in the protection of certain intellectual property
make it all the more important to abide by all contracts and agreements in
force between a company, vendor and / or individual.
Applying Ethics within a Corporate Environment
While unauthorized access and use of intellectual property tends to
surface among vendor organizations, individuals within corporate IT can find
themselves in the middle of these situations as well. Cases arise that involve
the use and dissemination of internal software as well as vendor software. In
either case, individuals and companies can be dragged into long running
disputes that can disrupt daily business activities.
The most direct case is when a company develops a piece of
software for internal use and then decides to market that product to other
companies. This can be accomplished when a company becomes an application
service provider (ASP), where the software is accessed remotely through the
Internet, or when the software is actually placed into a customer site. In
either case, a company that is not in the business of building and licensing
software may not have taken the appropriate safeguards against the use and
dissemination of their intellectual property. Common mistakes found at
companies moving into a vendor role when it is not their main line of business
include:
- Not establishing or obtaining adequate non-disclosure agreements,
- Allowing open access to software without adequate contractual
safeguards,
- Replicating client-specific changes across multiple customer sites
without permission,
- Not incorporating appropriate protections into software license,
employee and related agreements, and
- Being misinformed as to the responsibilities of a software vendor in
relation to managing intellectual property.
The best way to avoid ethical and legal issues in the above
situation is to bring in management and legal counsel with a working
knowledge of the software distribution and licensing process.
A second and more common scenario that a corporation might
find itself in is in respect to the use and dissemination of proprietary
information associated with a vendor product that they may have licensed. A
mid-to-large corporate computing site might have hundreds of software
products, on numerous computing platforms, across a large geographical area.
Each of these products typically requires a software product license that
restricts use or dissemination of the information contained within that
product. Administering these products, agreements and the actions associated
with these products should be performed judiciously by corporate management.
One of my earlier examples cited a situation where a
corporate employee shared a vendor user manual with another vendor to
disseminate information about a competitive product. The license agreements
for many products typically restrict the sharing of any information to anyone
not covered by the license agreement. To avoid these types of violations,
companies should ensure that all employees follow some basic principles.
- Communicate software license restrictions to all software users within
your company.
- Identify which product components are covered by the license agreement.
In the absence of such definition, users should assume that all software,
documentation and related materials are covered by the license agreement.
- In addition to communicating restrictions set forth in software product
license agreements, management should ensure that all users adhere to any
copyright or trade secret notices specified in the software itself or
related user manuals.
- Do not let unauthorized personnel, including consultants or other
non-employees not covered by a license agreement, gain access to software
products to which they have no authorization.
- Verify that any employee or consultant leaving a company no longer has
access to any material that might be covered by a software product
license.
Special case scenarios may also arise for certain types of
companies. A service bureau, for example, might restrict the use of certain
products they licensed. Some service bureaus charge a special fee for access
to certain products at their site. The service bureau in turn notifies the
vendor that a client will be granted authorization. The vendor typically
receives additional compensation and retains the right to refuse to allow the
service bureau to extend access to certain companies, such as a competitor.
Ultimately, corporate management is responsible for
communicating the importance of protecting third party intellectual property
as if it were their own and for articulating specific restrictions for
certain vendor products to people in their company.
Applying Ethics within a Software Vendor Environment
Software vendors, particularly in today's fast moving and competitive
market, carry a "take no prisoners" attitude when going into a
competitive situation with other vendors. The open source model of freely
disseminating software has tempered this cutthroat strategy in some circles.
But much of the software industry still reflects a level of competition that
drives companies to seek information or inventions that might be under
copyright protection, patented or considered a trade secret of a competitor.
Without getting into detailed legalities, I want to offer a
layman's explanation of copyrights, patents and trade secrets. Copyrights
protect the expression of an idea, but not the idea itself. Copying written
expressions belonging to another vendor would be considered a copyright
violation. A patent, on the other hand, is an invention protected by an
official government designation. Trade secrets are defined as a formula,
process or device used in a business, not published or divulged, and thereby
providing a company an advantage over its competitors. The processes defined
within a software product that are not published or divulged are typically
quite numerous and very detailed and, therefore, give a product a competitive
edge.
Overzealous vendors may encourage marketing, sales,
training, and development personnel to obtain this type of information from
the competition or licensees of the competition. Marketing material, published
books, presentations at public forums, or other publicly available materials
are not considered to contain trade secrets because the information has been
made available to the public. Obtaining manuals, printouts, input formats,
output reports, code or other information that would only be available to a
licensed product user would, on the other hand, constitute unethical and
illicit access to certain trade secrets. Any behavior that steps into this
territory is considered unethical and should be avoided.
Vendor management may not formally condone this type of
behavior, but vendor personnel may still make it a habit to seek out, obtain
and use information from a competitor that is considered copyrighted, patented
or a trade secret. In many of these situations, management tends to look the
other way. It is critical for executives at software companies to go out of
their way to communicate both the legal and ethical implications of such
actions and insist that employees do not engage in such activity.
Certainly any vendor that steps over a legal line in the
sand would have had to violate ethical standards along the way. If you were a
corporate client of a vendor that behaved in such a manner, how would you be
able to trust them when they had no standard of ethics? In negotiations
involving promises to upgrade certain products or other commitments, you would
always be looking askance at a vendor that you felt could not be trusted.
Institutionalizing Ethics into Information Governance Structures
Ethical behavior, or the absence thereof, can become endemic. This is why a
sense of ethics must emerge at the core of the organization. The CEO, board of
directors, and corporate officers must abide by and uphold a strong set of
ethical standards. This commitment must then be carried out to employees and
anyone that a company works with as a business partner, client, supplier or
customer.
Building ethics into your culture and information
governance structure takes time. The first step is to take advantage of any
reorganization that may be occurring. Management could roll out ethics
guidelines along with a new organizational infrastructure. You could also
assign the role of ethics coordinator to a senior member of management.
Another approach is to include software ethics training in your corporate
training program. When doing so, consider and communicate the upside and
downside of unethical behavior.
If you have had any software-related legal challenges,
consider how the situation might have differed had you and the other party
adhered to a higher set of ethical standards. This could be turned into a case
study that could be incorporated into standard training for all personnel
within your software development and management organization.
It is important to communicate to everyone in your
organization the cost of a lawsuit. Even if you settle a legal suit through
arbitration or mediation, these costs can still be significant. But as
significant as these legal costs may be, the bottom line expenses associated
with a lawsuit can have a small impact on a company compared to the time
demanded from developers, engineers and management personnel involved in a
given lawsuit. Legal action puts stress on all of the participants involved in
a case, which can result in lost time and low morale. Employees should be made
to understand that sitting in a deposition or on a witness stand, discussing
copyright, patent or trade secret violations, is no picnic.
Another measure involves posting a grid on the company
Intranet site reflecting various levels of protection for different software
products used at your company. This site could also include ethical standards
for the use and dissemination of intellectual property. Whatever the means for
communicating this message, it is important for management to take this
subject very seriously. As the ACM puts it, ethics are a moral imperative.
Finally, anyone found to be violating ethical guidelines
within your software organization should be confronted. One way to stem future
action of this sort is to assign that person the task of communicating the
expectations of ethical behavior to new members of the company. All of these
activities should help position ethical responsibility within your software
organization as a means of staying out of court and remaining in good standing
as a company.