Incorporating Ethics into Information Governance Structures
You are a software engineer working on a software product and not sure of how a customer wants a new change request implemented. You try to get clarification, but the customer cannot articulate the request. To short cut the process, your customer provides you with a copy of a user manual from another software product. It turns out that your customer has a license for a product that performs a similar function to the one that he wants you to implement. You review the manual, assess the specifics of the requested function, implement it into your product and everyone is happy. Unfortunately, you and your customer may have stepped over the line regarding certain confidentiality, trade secret and copyright violations.
Depending on the information obtained and the process used to obtain it, you and your company may be violating certain laws and opening yourselves up to legal action on a regular basis. This article discusses why software developers, managers, sales and marketing personnel, corporate officers and lawyers need to pay more attention to what’s happening within their software development, support and training divisions. Doing so will allow you to head off problems long before they escalate.
I am not a lawyer and I am not offering legal advice in this article. I am a management consultant who has spent enough time as a customer, vendor, user and litigation consultant to know that many legal issues linked to the improper use of intellectual property can be sidestepped by staying within prescribed ethical boundaries. Because multiple parties are typically involved in these legal challenges, I will explore how ethical guidelines apply to various corporate IT functions, vendor organizations and individuals. I will also discuss how you can institutionalize ethical behavior within your information governance structure.
Ethical Behavior in the Computer Industry
Ethics are behavioral guidelines that parallel certain legal standards.
While adhering to ethical guidelines will help avoid legal challenges,
management should always consult with in-house or outside legal counsel to
ensure that no laws are being violated. Ethics have been long standing in the
computer field and have been incorporated into various agreements and contracts
for many years. While most people have an innate sense of when they are doing
something wrong, ethical standards can be applied to help assess when certain
actions should or should not be taken with regard to someone else’s
intellectual property.
There are a number of ethical standards within the computer industry that companies and individuals can use as a guide to proper behavior. These sources include the Association of Computer Machinery (ACM), Association of Information Technology Professionals (AITP) and the Independent Computer Consultants Association (ICCA). Following guidelines from these associations can help keep organizations and individuals in the software field out of legal jams.
General Ethical Guidelines
The ACM, AITP and ICCA each offer general guidelines that encourage and
reinforce ethical behavior for computer professionals. Developers and companies
should incorporate these general guidelines into their work processes because
they establish a climate of morality that can fill in gray areas where specific
guidelines are not available. After all, a company has an obligation to not just
stay within legal boundaries, but to set a higher ethical standard that would
make that organization a better vendor, business partner, supplier or customer.
Some excerpts of general ethical guidelines, which the ACM calls moral
imperatives, are shown below.
 | Avoid harm to others, be honest and trustworthy, be fair and take action not to discriminate, and respect the privacy of others (source: ACM) |
| Acquire and maintain professional competence (source: ACM) |
| Accept and provide appropriate professional review (source: ACM) |
| Articulate and support policies that protect the dignity of users and others affected by a computing system (source: ACM) |
| I have an obligation to my employer whose trust I hold, therefore, I shall endeavor to discharge this obligation to the best of my ability (source: AITP) |
| Consultants will be honest and not knowingly misrepresent facts (source: ICCA) |
Some people may think that honesty, trustworthiness, respect for privacy, professionalism and trust are quaint ideals. But if a CEO and corporate board champion these qualities, it is more likely that a company will not cross into questionable territory when dealing in more specific topics such as privacy, security, unauthorized use of intellectual property and confidentiality. These general guidelines espoused by the ACM, AITP and ICCA establish the ethical and moral umbrella for the protection of intellectual property.
Intellectual Property Guidelines
More specific ethical guidelines provide insights into protecting and
disseminating intellectual property and proprietary information. In my
experience, developers, software licensees, managers and a variety of other
professionals are not fully aware of the restrictions typically associated with
the access to and use of certain software products. The ACM, AITP and ICCA
provide ethical guidance in these areas.
| Honor property rights including copyrights and patents (source: ACM) |
| Give proper credit for intellectual property (source: ACM) |
| Respect the privacy of others (source: ACM) |
| I shall not use knowledge of a confidential nature to further my personal interest, nor shall I violate the privacy and confidentiality of information entrusted to me or to which I may gain access (source: AITP) |
| Consultants will install and use only properly licensed software (source: ICCA) |
| Consultants will safeguard any confidential information or documents entrusted to them and not divulge any confidential information without the consent of the client (source: ICCA) |
| Consultants will not take advantage of proprietary information obtained from the client (source: ICCA) |
The impact of these statements is significant when taken seriously by an individual, corporation or vendor. For example, if a consultant vows to not take advantage of proprietary information obtained by a client, then any knowledge gained while using a vendor software product at that client site must be considered confidential. The consultant should not, for example, take that confidential information and use it to reproduce a competitive software product. This of course is subject to the consideration as to what information is confidential and what information is public knowledge. But erring to the side of high ethical standards is the best strategy in all cases.
Contracts & Agreements
By incorporating ethical standards into software contracts or agreements,
corporations, vendors and individuals have specific guidelines that can be used
in a court of law should a violation arise. The ACM specifically states a
professional’s obligations in conjunction with a contract or agreement as
follows.
| Honor contracts, agreements and assigned responsibilities (source: ACM) |
| Know and respect existing laws pertaining to professional work (source: ACM) |
Contracts and agreements come in many variations and most professionals in the computer field have signed one or more of these contracts and / or agreements in the course of their career. In my experience, it is prudent to keep any signed agreements at hand and to review them carefully when taking any action related to that agreement. The types of contracts and agreements typically used within the software industry include the following documents.
| Employee Code of Conduct: This document states how an employee should behave in the course of their job. It may be explicit regarding the acquisition and use of another company’s intellectual property. The Employee Code of Conduct may be brought into a legal case to show how an employee did not live up the spirit of an agreement with an employer. |
| Employee Agreement: An employee typically signs an agreement stating, among other things, that they will not take or misuse intellectual property belonging to the employer or to another company. This typically includes a long list of items including software, documentation and various other trade secret information. |
| Software Non-Disclosure Agreement: When a company agrees to review a vendor’s product, they typically sign an agreement stating that the product, which includes the documentation and software, remains property of the vendor. The product would need to be returned at the end of the evaluation period and all related material would need to be destroyed. |
| Software License Agreement: When a customer licenses a vendor product, they sign a contract stating that the product, which again would include all documentation and software, remains property of the vendor. Depending on the type of agreement and licensee, the contract may restrict use of the product to employees or alternatively accommodate contractors, consultants or clients with access to a customer’s computer system. |
Note that there are certain types of software that do not restrict access to the same degree as other types of software. For example, PC software might not carry the same restrictions that a mainframe product might carry. These variations in the protection of certain intellectual property make it all that more important to abide by all contracts and agreements in force between a company, vendor and / or individual.
Applying Ethics within a Corporate Environment
While unauthorized access and use of intellectual property tends to
surface among vendor organizations, individuals within corporate IT can find
themselves in the middle of these situations as well. Cases arise that involve
the use and dissemination of internal software as well as vendor software. In
either case, individuals and companies can be dragged into long running
disputes that can disrupt daily business activities.
The most direct case is when a company develops a piece of software for internal use and then decides to market that product to other companies. This can be accomplished when a company becomes an application service provider (ASP), where the software is accessed remotely through the Internet, or when the software is actually placed into a customer site. In either case, a company that is not in the business of building and licensing software may not have taken the appropriate safeguards against the use and dissemination of their intellectual property. Common mistakes found at companies moving into a vendor role when it is not their main line of business include:
| Not establishing or obtaining adequate non-disclosure agreements, |
| Allowing open access to software without adequate contractual safeguards, |
| Replicating client-specific changes across multiple customers sites without permission, |
| Not incorporating appropriate protections into software license, employee and related agreements, and |
| Being misinformed as to the responsibilities of a software vendor in relation to managing intellectual property. |
The best way to avoid ethical and legal issues in the above situation is to bring in the management and legal counsel with a working knowledge of the software distribution and licensing process.
A second and more common scenario that a corporation might find itself in is in respect to the use and dissemination of proprietary information associated with a vendor product that they may have licensed. A mid-to-large corporate computing site might have hundreds of software products, on numerous computing platforms, across a large geographical area. Each of these products typically requires a software product license that restricts use or dissemination of the information contained within that product. Administering these products, agreements and the actions associated with these products should be performed judiciously by corporate management.
One of my earlier examples cited a situation where a corporate employee shared a vendor user manual with another vendor to disseminate information about a competitive product. The license agreements for many products typically restrict the sharing of any information to anyone not covered by the license agreement. To avoid these types of violations, companies should ensure that all employees follow some basic principles.
- Communicate software license restrictions to all software users within your company.
- Identify which product components are covered by the license agreement. In the absence of such definition, users should assume that all software, documentation and related materials are covered by the license agreement.
- In addition to communicating restrictions set forth in software product license agreements, management should ensure that all users adhere to any copyright or trade secret notices specified in the software itself or related user manuals.
- Do not let unauthorized personnel, including consultants or other non-employees not covered by a license agreement, gain access to software products to which they have no authorization.
- Verify that any employee or consultant leaving a company no longer has access to any material that might be covered by a software product license.
Special case scenarios may also arise for certain types of companies. A service bureau, for example, might restrict the use of certain products they licensed. Some service bureaus charge a special fee for access to certain products at their site. The service bureau in turn notifies the vendor that a client will be granted authorization. The vendor typically receives additional compensation and retains the right to refuse to allow the service bureau to extend access to certain companies – such as a competitor.
Ultimately, corporate management is responsible for communicating the importance of protecting third party intellectual property – as it were their own – and for articulating specific restrictions for certain vendor products to people in their company.
Applying Ethics within a Software Vendor Environment
Software vendors, particularly in today’s fast moving and competitive
market, carry a "take no prisoners" attitude when going into a
competitive situation with other vendors. The open source model of freely
disseminating software has tempered this cutthroat strategy in some circles.
But much of the software industry still reflects a level of competition that
drives companies to seek information or inventions that might be under
copyright protection, patented or considered a trade secret of a competitor.
Without getting into detailed legalities, I want to offer a layman's explanation of copyrights, patents and trade secrets. Copyrights protect the expression of an idea, but not the idea itself. Copying written expressions belonging to another vendor would be considered a copyright violation. A patent, on the other hand, is an invention protected by an official government designation. Trade secrets are defined as a formula, process or device used in a business, not published or divulged, and thereby providing a company an advantage over its competitors. The processes defined within a software product that are not published or divulged are typically quite numerous and very detailed and, therefore, gives a product a competitive edge.
Over zealous vendors may encourage marketing, sales, training, and development personnel to obtain this type of information from the competition or licensees of the competition. Marketing material, published books, presentations at public forums, or other publicly available materials are not considered to contain trade secrets because the information has been made available to the public. Obtaining manuals, printouts, input formats, output reports, code or other information that would only be available to a licensed product user would, on the other hand, constitute unethical and illicit access to certain trade secrets. Any behavior that steps into this territory is considered unethical and should be avoided.
Vendor management may not formally condone this type of behavior, but vendor personnel may still make it a habit to seek out, obtain and use information from a competitor that is considered copyrighted, patented or a trade secret. In many of these situations, management tends to look the other way. It is critical for executives at software companies to go out of their way to communicate both the legal and ethical implications of such actions and insist that employees do not engage in such activity.
Certainly any vendor that steps over a legal line in the sand would have had to violate ethical standards along the way. If you were a corporate client of a vendor that behaved in such a manner, how would you be able to trust them when they had no standard of ethics? In negotiations involving promises to upgrade certain products or other commitments, you would always be looking askance at a vendor that you felt could not be trusted.
Institutionalizing Ethics into Information Governance
Structures
Ethical behavior or the absence thereof, can become endemic. This is why a
sense of ethics must emerge at the core of the organization. The CEO, board of
directors, and corporate officers must abide by and uphold a strong set of
ethical standards. This commitment must then be carried out to employees and
anyone that a company works with as a business partner, client, supplier or
customer.
Building ethics into your culture and information governance structure takes time. The first step is to take advantage of any reorganization that may be occurring. Management could roll out ethics guidelines along with a new organizational infrastructure. You could also assign the role of ethics coordinator to a senior member of management. Another approach is to include software ethics training in your corporate training program. When doing so, consider and communicate the upside and downside of unethical behavior.
If you have had any software-related legal challenges, consider how the situation might have differed had you and the other party adhered to a higher set of ethical standards. This could be turned into a case study that could be incorporated into standard training for all personnel within your software development and management organization.
It is important to communicate to everyone in your organization the cost of a lawsuit. Even if you settle a legal suit through arbitration or mediation, these costs can still be significant. But as significant as these legal costs may be, the bottom line expenses associated with a lawsuit can have a small impact on a company compared to the time demanded from developers, engineers and management personnel involved in a given lawsuit. Legal action puts stress on all of the participants involved in a case, which can result in lost time and low morale. Employees should be made to understand that sitting in a deposition or on a witness stand, discussing copyright, patent or trade secret violations, is no picnic.
Another measure involves posting a grid on the company Intranet site reflecting various levels of protection for different software products used at your company. This site could also include ethical standards for the use and dissemination of intellectual property. Whatever the means for communicating this message, it is important for management to take this subject very seriously. As the ACM puts it, ethics are a moral imperative.
Finally, anyone found to be violating ethical guidelines within your software organization should be confronted. One way to stem future action of this sort is to assign that person the task of communicating the expectations of ethical behavior to new members of the company. All of these activities should help position ethical responsibility within your software organization as a means of staying out of court and remaining in good standing as a company.