Founded By:    |  _                        _______
 Guardian Of Time |  __      N.I.A.   _      ___   ___  Are you on any WAN? are
   Judge Dredd    |  ____     ___    ___    ___     ___ you on Bitnet, Internet
------------------+  _____    ___    ___    ___     ___  Compuserve, MCI Mail,
             /      ___ ___  ___    ___    ___________  Sprintmail, Applelink,
   +---------+       ___  ___ ___    ___    ___________    Easynet, MilNet,
   | 31OCT90 |       ___   ______    ___    ___     ___    FidoNet, et al.?
   | File 63 |       ___    _____    ___    ___     ___ If so please drop us a
   +---------+               ____     _     __      ___        line at
                              ___           _       ___ elisem@nuchat.sccsi.com
        Other World BBS        __
           Text Only            _    Network Information Access
                                       Ignorance, There's No Excuse.

               SECTION III COMPUTER SECURITY CONTROLS AND THE LAW
                                Guardian Of Time

                 NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA

Well I rushed to get this one out in time for Halloween, so here is part III
of my series on Computer Security Controls, I hope that you will enjoy it.

Lord Macduff, I hope you enjoy ALL of those VAX Manuals you are reading, and
don't forget WRITE SOMETHING!

                 NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA





STANDARDS OF DUE CARE

The follow the leader strategy of employing generally used controls in data
processing is motivated in part by the legal concept of standards of due
care.  It is becoming possible to lose more in damages from a civil action
such as a stockholders' suit or citizens' suit against the government after
an accidental or intentionally caused act than directly from the act itself.
Liability for the violation by a provider of computer services towards any
other ( customer, data subject, affected third party, stockholder ) can
arise through a conscious act of malice with intent to cause harm, through
reckless disregard of the consequences to the person harmed or through
negligent performance or failure to perform.  For such liability to attach,
a duty of care must be owed to the victim of the act.  Once responsibility
is established, the provider having the responsibility is requried to act as
a prudent person.

the action sof another person in the same position or the general practice
of the computer services industry are useful in establishing the standard of
care against which individual performance will be measured.  However,
industry practice is not a complete answer. In the TJ Hooper case, which
concnerned the failure of a large tug boat operator to use radio receivers
in 1932 to avoid inclement weather, Judge Learned Hand Stated:

IS IT THEN A FINAL ANSWER THAT THE BUSINESS HAD NOT YET ADOPTED RECEIVING
SETS? THERE ARE, NO DOUBT, CASES WHERE COURTS SEEM TO MAKE THE GENERAL
PRACTICE OF THE CALLING (INDUSTRY) THE STANDARD OF PROPER DILIGENCE;...
INDEED IN MOST CASES REASONABLE PRUDENCE IS IN FACT COMMON PRUDENCE, BUT
STRICTLY IT IS NEVER ITS MEASURE; A WHOLE CALLING (INDUSTRY) MAY HAVE UNDULY
LAGGED IN THE ADOPTION OF NEW AND AVAILABLE DEVICES.  IT ( THE INDUSTRY )
MAY NEVER SET ITS OWN TESTS, HOWEVER PERSUASIVE BE ITS USAGES.  COURTS MUST
IN THE END SAY WHAT IS REQUIRED; THERE ARE PRECAUTIONS SO IMPERATIVE THAT
EVEN THEIR UNIVERSAL REGARD WILL NOT EXCUSE THEIR OMISSION (60F.2D. 737,730)
(2ND CIR. 1932, CERT, DENIED 287 US 662 ( 1932 ).

No definitive answer or test can establish a standard of due care on grounds
of common practice in an industry or on prudence based on use of available
devices whether generally adopted or not.  In 1955, the Circuit Court of
Appeals for the Sixth Circuit held that the failure to use radar by an
aircraft in 1948 was excusable because no commercially feasible aircraft
radar system was available (Northwest Airlines v. Glenn L. Martin Co. 224,
F.2d 120, 129-130).  In 1977, the US District court for the Southern
District for New York held an airline liable for a robbery for failure to
take appropriate precautions, despite the provision of an armed guard in
front of the locked unmarked storage area and the argument that the airline
had taken the same degree of precautions that other airlines had.
(Manufacturers Hanover Trust Co. v. Alitalia Airlines, 429 F.Supp.
964(1977)).  Further, professionals may not always rely on generally
accepted practices.  In US v. Simon (425 F. 2d. 796 [2nd Cir. 1969]) the
United States Court of Appeals for the Second Circuit held that, even in a
criminal case, generally accepted accounting principles were not necessarily
the measure of accountants' liability for allegedly misleading statements in
a footnote to the financial statements.

The concept of standard of due care will arise w/ in creasing frequency as
disputes over computer-related loss end in litigation.  Computer security
administrators must be aware of standard of due care issues that arise and
take acction to conform to the outcome.

APPLYING LEGAL CONCEPTS TO COMPUTER SERVICES

One area where the courts have had some difficulty in applying legal
concepts to computers is in determining exactly how to characterize computer
services from a legal point of view.  The courts have generally held that
basic legal principles requiring a person to exercise reasonable care do not
change simply because a computer is involved.  The courts have generally
stated that those who use computers must do so w/ care, and they have not
been sympathetic to defenses asserting good faith mistakes resulting from
reliance on faulty computer data.  In Ford Motor Credit Co. v. Swarens (447
S.W. 2d. 53 [Ky. 1964]), for example, a finance company wrongfully
repossessed the plaintiff's car after he had proven on two occasions that he
was current in his payments by showing cancelled checks to agents of the
defendant.  The finance company defended on the basis that an admitted error
w/ respect to the plaintiff's account had ocurred as a result of a computer
error.  The court rejected this defense stating:

FORD EXPLAINS THAT THIS WHOLE INCIDENT OCCURRED B/C OF A MISTAKE BY A
COMPUTER.  MEN FEED DATA TO A COMPUTER AND MEN INTERPRET THE ANSWER THE
COMPUTER SPEWS FORTH.  IN THIS COMPUTERIZED AGE, THE LAW MUST REQUIRE THAT
MEN IN THE USE OF COPUTERIZED DATA REGARD THOSE W/ WHOM THEY ARE DEALING AS
MORE IMPORTANT THAN A PERFORATION ON A CARD.  TRUST IN THE INFALLIBILITY OF
A COMPUTER IS HARDLY A DEFENSE, WHEN THE OPPORTUNITY TO AVOID THE ERROR IS
AS APPARENT AND REPEATED AS WAS HERE PRESENTED.

It is clear, therefore, that excessive reliance on computer data w/out
proper safeguards to ensure the reliability and accuracy of the information
may constitute the failure to exercise due care, and in some cases may even
result in the award of punitive damages.

PROFESSIONAL STANDARD OF CARE

There is clearly a duty to exercise resonable care in using computers.
Depending on the legal characterization given to contracts to supply
computer equipment and services, a higher standard of care may be required
of suppliers of computer services.  Such an argument would be based on the
teory that programmers and others who provide computer services hold
themselves out as professionals w/ special expertise.  As such
professionals, they arguable should be held to the level of care that would
be exercised by a reasonable member of the profession under similar
circumstances.

In Triangle Underwriters v. Honeywell, Inc (604 F. 2d. 737 [2nd Cir. 1979])
for example, the court found that Honeywell agreed to deliver a completed
computer system to Triangle and not to run a continuous data processing
service.  Triangle tried to argue not only that Honeywell been negligent in
failing to design and deliever a workable system, but also that the wrong
continued during the period in which Honeywell comployees attempted to
repair the malfunctioning system.  Triangle argued that Honeywell had
engaged in professional malpractice, and that the continuous treatment
theory should apply so that the statue of limitations would not commence to
run until the professional relationship had ended.  The district court noted
that the continuous treatment theory had been applied by New York courts to
nonmedical professionals such as lawyers, accountants, and architects, but
it declined to apply the theory to Honeywell.  "In the case at bar ... the
necessary continuing professional relationship did not exist.  Honeywell was
not responsible for the continuous running of a data prcessing system for
Triangle."

Although the court thus refused to accept the plaintiff's theory of
professional malpractice on the facts of that case, the decision leaves open
the possiblity that the doctrin might be applied in a future case to person
who privide computer services for a client on an ongoing basis.

STRICT LIABILITY

There is further issue of whether those who provide computer services should
be strictly liable in tort for injury to others due to malfunctions of the
equipment.  The doctrine of strict liability arose out of cases invovling
the sale of goods, and it has been said that:

PROFESSIONAL SERVICES DO NOT ORDINARILY LEND THEMSELVES TO THE DOCTRINE OF
TORT LIABILITY W/OUT FAULT B/C THEY LACK THE ELEMENTS WHICH GAVE RISE TO THE
DOCTRINE.  THERE IS NO MASS PRODUCTION OF GOODS OR A LARGE BODY OF DISTANT
CONSUMERS WHOM IT WOULD BE UNFAIR TO REQUIRE TO TRACE THE ARTICLE THEY USED
ALONG THE CHANNELS OF TRADE TO THE ORIGNAL MANUFACTURER AND THERE TO
PINPOINT AN ACT OF NEGLIGENCE REMOTE FROM THEIR KNOWLEDGE AND EVEN FROM
THEIR ABILITY TO INQUIRE.  THUS, PROFESSIONAL SERVICES FORM A MARKED
CONTRAST TO CONSUMER PRODUCTS CASES AND EVEN IN THOSE JURISDICTIONS WHICH
HAVE ADOPTED A RULE OF STRICT PRODUCTS LIABILITY A MAJORITY OF DECISIONS
HAVE DECLINED TO APPLY IT TO PROFESSIONAL SERVICES.  THE REASON FOR THE
DISTINCTION IS SUCCINCTLY STATED BY TRAYNOR, J., IN GAGNE V. BERTRAN, 43
CAL. 2D 481, 275 P. 2D 15, 20-21 (1954): "[T]HE GENERAL RULE IS APPLICABLE
THAT THOSE WHO SELL THEIR SERVICES FOR THE GUIDANCE OF OTHERS IN THEIR
ECONOMIC, FINANCIAL, AND PERSONAL AFFAIRS ARE NOT LIABLE IN THE ABSENCE OF
NEGLIGENCE OR INTENTIONAL MISCONDUCT. ... THOSE WHO HIRE [EXPERTS] ... ARE
NOT JUSTIFIED IN EXPECTING INFALLIBITY, BUT CAN EXPECT ONLY RESONALBE CARE
AND COMPETENCE.  THEY PURCHASE SERICE, NOT INSURANCE (CT/EAST, INC. V.
FINANCIAL SERVICES, INC., 5CLSR 817 [1975]).

Under this traditional approach, a finding that an agreement to provide
computer equipment constituted either a sale of goods on the one hand or a
contract for professional services on the other would appear to decide the
issue of whether the doctrine of strict liability would apply.  Following
this line of reasoning, if an agreement to provide a computer package was
construed as an agreement for professional services, then the provider could
not be strictly liable in tort for any malfunction.

Traditional legal theories, however, cannot always be applied w/out
difficulty to novel concepts such as computer agreements.  It may be more
appropriate, therefore, to adopt the approach used by a federal court in
Wisconsin in Johnson v. Sears, Roebuck & Co. (355 F. Supp. 1065 [ED Wis.
1973]).  In Johnson, the plaintiff argued that the hospitals that treated
her for injuries had done so negligently and that they were strictly liable
in tort.  The court decided the issue of the applicability of strict
liability to the sale of services by analyzing blood transfusion cases that
held hospitals strictly liable in tort for providing blood containing
impurities to patients.  The court rejected the sales/service analysis and
stated that the decision to impose strict liability should be made on an ad
hoc basis by examining the facts involved in each particular case.  The
court reasoned that the "... decision should not be based on a technical or
artificial distinction between sales and services.  Rather, I must determine
if the policies which support the imposition of strict liability would be
furthered by its imposition in this case."

STATUTORY SOURCES OF LIABILITY FOR RELIANCE ON INACCURATE COMPUTER-BASED
DATA

Regardless of whether suppliers of computer services should be held to a
higher standard of care or subject to strict liability in tort clearly the
common law duty exists to exercise reasonalbe care to ascertain the accuracy
of information furnished by a computer before relying on such data.  This
duty becomes particularly important when computer data are relied on in
making periodic reports required by the federal securities laws.  Management
has a duty to maintain accurate records and third parties have the duty to
verify the accuracy of information supplied by management.

MANAGEMENTS RESPONSIBILITIES:  Various provisions of the Securities Act of
1933 (the 1933 Act) and the Securities Exchange Acot of 1934 (The 1934 Act)
impose liability for making false or misleading statements of a material
fact or for failing to state a material fact necessary to make statements
made not misleading, in the light of the circumstances under which they were
made.  These provisions create a duty on the part of reporting companies to
file accurate reports and to maintain accurate records.  The foreign Corrupt
Practices Act of 1977 (FCPA) codified this duty to maintain accurate
records.

A recent bank embezzlement of 21.3$ million illustrates the importance of
complying w/ the FCPA's requirement of establishing a system of internal
accounting controls.  The management of an entity is responsible for
establishing and maintaining adequate internal controls, and it is worth
noting that the complaint in a shareholder's derivative suit now being
argued before the United States District Court for the Southern District of
Texas relies partly on an allegation that management failed to do so.
management risks exposure to significant potential liability, therefore, if
it fails to institute and enforce internal controls sufficient to comply w/
the FCPA.

Internal controls should ensure that data produced by a computer are
accurate and reliable.  This means that restrictions should be put on access
to computer records and on who has the capability to enter information or
alter data in the computer.  "Audit Trails" should also be used to create
documentary evidence of transactions and of who made particular data entry.
Finally, electronic record keeping systems are only as trustworth as the
people who use them, and it is imperative that a security system be
established to help preclude unauthorized person from gaining access to the
computer or altering information in the system.

ACCOUNTANTS' RESPONSIBILITIES:  The 21.3$ million bank embezzlement raises
substantial questions about the sufficiency of the auditing procedures of a
bank or other company that uses an electronic data processing system for the
storage and representation of assets.  The role of an accountant performing
an independent audit is to furnish anopinion that the accounts of the
company being audited are in proper order and that they fairly present the
company's financial position.  It seems obvious, therefore, that an
independent accountant performing an audit of a company that uses an EDP
system should examine the reliability of the system and the controls on it
before issuing an opinion.  Otherwise, the accountant's certification of the
company's financial statements would have no reliable basis.  The Second
Standard of Field Work of the Generally Accepted Auditing Standards approved
and adopted by the membership ofthe American Institute of Certified Public
Accountants (AICPA) states that "[t]here is to be a proper study and
evaluation of the existing internal control as a basis for reliance thereon
and for the determination of the resultant extent of the tests to which
auditing procedures are to be restricted" (American Institue  of Certified
Public Accountants, Statement on Auditing Standards No, 1, Sec. 150.02.
[1973]).  This Standard of Field Work requires an auditor to study and
evaluate a corporation's system of interal control to establish a basis for
reliance thereon in formulating an opinion on the fairness of the
corporation's financial statements, and this basic duty does not vary w/ the
use of different methods of data processing as the Standard states:

SINCE THE DEFINITION AND RELATED BASIC CONCEPTS OF ACCOUNTING CONTROL ARE
EXPRESSED IN TERMS OF OBJECTIVES, THEY ARE INDEPENDENT OF THE METHOD OF DATA
PROCESSING USED; CONSEQUENTLY, THEY APPLY EUQLLY TO MANUAL, MECHANICAL, AND
ELECTRONIC DATA PROCESSING SYSTEMS. HOWEVER, THE ORGANIZATION AND PROCEDURES
REQUIRED TO ACCOMPLISH THOSE OBJECTIVES MAY BE INFLUENCED BY THE METHOD OF
DATA PRCOESSING USED.

The AICPA has recognized that "[t]he increasing use of computers for
processing accounting and other business information has introduced
additional problems in reviewing and evaluating internal control for audit
purposes," and it has issued a Statement on the Effects of EDP on the
Auditor's Study and Evaluation of Internal Control.  This Statement provides
that:

WHEN EDP IS USED IN SIGNIFICANT ACCOUNTING APPLICATIONS, THE AUDITOR SHOULD
CONSIDER THE EDP ACTIVITY IN HIS STUDY AND EVALUATION OF ACCOUNTING CONTROL.
THIS IS TRUE WHETHER THE USE OF EDP IN ACCOUNTING APPLICATIONS IS LIMITED OR
EXTENSIVE AND WHETHER THE EDP FACILITIES ARE OPERATED UNDER THE DIRECTION OF
THE AUDITOR'S CLIENT OR A THIRD PARTY.

When Auditing a coporation w/ an EDP system, therefore, an auditor should
thoroughly examine the system to evaludate its control feautres.  To conduct
his examination properly, however, the auditor must have sufficient
expertise to enable him to understand entirely the particular EDP system
invloved.

CONCLUSIONS ON APPLYING LEGAL CONCEPTS

Everyone who uses or supplies computer services has a common law duty to
exercise resonable care to ensure that information supplied by the computer
is accurate and reliable.  The federal securities laws impose additional
duties on management to keep accurate records and to devise and maintain a
system of internal accounting controls sufficient to provide reasonable
assurances that transactions are executed in accordance w/ management's
authorization and are accurately recorded.  Finally, accountants who audit
companies w/ EDP systems have a duty to review the company's system of
internal controls and to disclose any material deficiencies to management
and possibly to the public through notes to its certification of financial
statements.

These various duties illustrate the necessity of taking steps to ensure the
reliability of computer systems.  A well-designed system of internal control
is crucial to safeguard against the improper use of the computer.  Internal
control begins w/ the computer equipment itself.  When converting to an EDP
record keeping system, management should get outside advice on the type of
system required and on the controls that should be built into the system.
Management should fully understand what the computer programs in the system
are designed to do and that the computer can do only what it is told and
nothing more.  This can be an important method of preventing fraud, and
management should demand that internal controls be put into the system, b/c
otherwise the programmer may not do so.

Once controls are built into the computer system itself, internal controls
hsould be established and maintained to prevent unauthorized access to the
system.  The internal controls should cover all phases of EDP and include
input, processing, and output controls.  An overall plan of organization and
operation should be devised containing controls over access to EDP
equipment, as well as provisions for effective supervision and rotation of
personnel, and the plan should be strictly enforced.  Rinally, an internal
auditing process should be established to provide independent document
counts or totals of significant data fields.

The independent accountant plays a major role in preventing unauthorized
persons from gaining access to the computer system.  Through his review of a
company's internal controls, an accountant can detect possible weaknesses
and recommend useful changes.  It is very important, therefore, that outside
auditors closely scrutinize a company's internal control system.  A rigorous
independent audit makes up the final stage of an overall plan to help
prevent the production of inaccurate computer based data.

PROTECTING PROPRIETARY INTERESTS IN COMPUTER PROGRAMS

Discussions w/ legal counsel at several of the field sites revealed
considerable concern about proprietary interests in computer programs.
Little communication exists between lawyers and data processing managers,
and areas of their mutal concers are not often addressed.  Communication is
even more important today as programs and data files are increasingly viewed
by management as valuable, intangible assets of their organizations.  In
addition, government and business organizations are increasingly acquiring
commercially available computer programs where proprietary interests of
providers and users must be protected.  Selection of generally used controls
will be strongly influenced by the need to preserve proprietary rights to
computer programs.

PROBLEMS ADDRESSED

Protecting proprietary interests in computer programs in a multifaceted task
that requires knowledge of the law, computer programs, and security.  Few
data processing managers have this expertise in-house, but all owners and
custodians of computer programs can and should add to their skills and
knowledge from other sources of expertise.

Those invloved w/ computer programs--owners, users, custodians, employees,
and competitors--have two conflicting goals; sometimes the same party
pursues both goals simultaneously for different products.  One goal is to
protect the computer program, either to ensure a competitive advantage by
preventing others from using the computer program or to charge for its use
or disclosure.  The other goal is to ignore protection so that the computer
programs can be used and transferred at will and w/out cost.  The particular
goal sought by an organization depends on its values, purposes, and
policies; however, the data processing manager should understand the
boundaries of fair and legal business practice that apply to users,
custodians, and owners of computer programs, as well as to competitors.

THE NATURE OF COMPUTER PROGRAMS

Before the types of comptuer programs involved are identified, it is helpful
to know why the laws differentiate computer programs from other parts of
computer systems.  A computer program is a form of intellectual property (a
valuable, intangible asset consisting of ideas, process, and methods) that
is relatively new and eludes analogy to previously existing products.
Debate continues as to whether computer programs are products, technical
processes, or professional services.  Computer programs are thus unique as a
subject of treatment under existing law, and applying the law requires
adapting current legal concepts of particular forms of computer programs.
Computer programs are developed to run in specific types of computers (such
as operating systems) or are machine independent (such as many application
programs).  They may be in human-readable form or machine-readable form.
Some computer programs are translated into different programming languages
or converted to run on different computers.

FORMS OF LEGAL PROTECTION

The five forms of legal protection that can apply to computer programs are
patent, copyright, trade secret, trademark and contract.

PATENTS:_Patent protection is a federal statutory right giving the inventor
or his assignee exlusive rights to make, use, or sell a product or process
for 17 years.  An invention must meet several criteria to receive patent
protection.  First, it must involve statutory subject matter (I.E., physical
methods, apparatus, compositions of matter, devices, and improvements).  It
cannot consist merely of an idea or a formual.  Furthermore, the invention
must be new, useful, not obvious, and must be described according to patent
regulations in a properly filed and prosecuted patent application.

The status of patent protection for computer programs until 1981 was
ambiguous.  In three dicisons the US Supreme Court held that parrticular
computer programs were unaptentable b/c of failure to meet one or more of
the tests described previously.  The Court declined to patent what it felt
was merely a formula, it had held a process non-patentable for obviousness,
and it had refused a patent when the only novelty involved was the form of
carrying out a nonpatentable step.

In 1981, however, the Supreme Court handed down two decisions that may have
some effect on future patentability claims.  These cases invlved computer
programs that are part of inventions otehrwise eligible for patent.  In one
case, the Court decided that a process control computer program for curing
synthetic rubber should not be denied a patent simply b/c it uses an
algorithm (an ordered set of insturctions) and a computer.  The US Patent
Office must still determine whether the entire process is novel enough to
warrant issuing a patent.

In a companion case, the Court let stand a lower court ruling that a module
of the Honeywell Series 60 Level 64 computer system should be considered for
patent.  The module, which includes electronic circuits and a computer
program fixed in the circuits, is a storage and retrieval device using
internal storage registers.  Again, the device must meed the novelty
requirement before a patent is issued.  Note that these decisions invlove
computer progams that are part of a patentable device or process; these
decisions do not reverse past rulings that computer programs are not
patentable.

Even if there were a major change in computer programs patent policy, few
owners would seek patent status for their computer programs.  The patent
process is lengthy and expensive and requires full disclosure of the idea.
Furthermore, a patent has only a 50% chance of surviving a challenge to its
validity in the courts.  For those few programs that really do represent
technological breakthroughs, however, a patent would provide the exclusive
right to use or sell the program for 17 years (patents are nonrenewable).

COPYRIGHTS:_Copyright is the federal statutory protection for an author's
writings.  Written works created since 01JAN78 are protected by the new
copyright law, which provides exclusive rights to the author or his assignee
for the copyright, publication, broadcast, translation, adaptation, display,
and performance of the idea contained in the work from the time it is embodied
in tangible form.  This protection is lost in the writing is published w/out
copyright notice, which consists of the word copyright (or copyright symbol),
the date, and the author's name.  This notice must be affixed so that it
attracts the attention of third parties(I.E., On the first or inside front
page of a book or pamphlet).  In late 1980 a federal copyright bill was enacted
explicitly to cover computer programs and data bases.

Copyright is inexpensive and can be obtained quickly.  One required and one
optinal copy along w/ minor filing fees must be submitted to the Copyright
Office.  The second copy can be the first and last 25 pages of the program.
Although optional, the second coy is a prerequisite for bringing an
infringement suit and for some remedies such as statutory damages and the
award of attorney fees.  The coyright remains in effect for 50 years beyond
the death of the author and is nonrenewable.

B/c copyright protects only against copying and requires disclosure of the
idea, its usefulness is limited for some programs.  However, it can be
adequate protection for inexpensive package programs sold in the multiple
copy market.  The function of such programs is not unique; the value to the
owner lies in selling thousands of copies.

TRADE SECRETS:_A trade secret is a right protected by state rather than
federal law.  It is defined in many states as a secret formula, pattern,
scheme, or device used in the operation of a business that gives the
organization a competitive advantage over those who do not know it.
computer programs have qualified as trade secrets in a number of court
cases.

The requirement for trade secret status is that the item must remain secret.
Absolute secrecy is not required; for example, if the secret is disclosed
only to people bound (by virtue of their relationship or by contract) to
keep it confidential, trade secret status is maintained regardless of how
many people know it.  Confidential realationships include employees, agents
in a fiduciary or trust relationship, and thieves.  To prevent thieves from
profiting from ill-gotten knowledge, the laws hold that they are in a
constructive trust relationship.  A contract is used to bind licensees and
joint venture partners or investors.  In some states these people are bound
even w/out a contract.

Once the secret is disclosed w/out a requirement of confidentiality, or is
disclosed to someone who does not know its secret character, the trade
secret status is lost forever.  (Trade secrets are often disclosed
carelessly to user groups and at technical meetings.)  If the secret is not
disclosed, however, the protection can last forever.

Employees who learn the secret in the course of their duties are bound not
to misappropriate it b/c of their trust relationship.  Many employees do not
realize the comprehensive nature of that trust should be educated by their
employers before they injure both the employer and themselves by using computer
programs developed for an employer for their own purposes.

TRADEMARKS:_Trademark protection provides the exclusive right to use a
symbol to identify goods and services.  Trademark rights take effect upon
use in commerce.  Registration w/ the US Patent Office or a state agency is
not necessary to obtain trademark status, but it helps greatly in exercising
trademark rights.  Trademark protection exists at both the federal and state
levels.  The protected symbol can be both a trade name and a logo (E.G.
XYZ).  The protection afforded by the trademark is limited to the name or
logo.  The program content itself is not protected.  B/c the major benefit
of trademark protection is to prevent another product from being given the
same name, this protection is useful only for programs that will be
marketed.

CONTRACTS:_Copies of computer programs are ordinarily transferred to others
in the course of doing business (sometimes in source language form);
therefore, transfer is frequently accompanied by an agreement to keep the
computer program confidential.  Patented and copyrighted computer programs
can be transferred using contracts that have more restrictive provisions
that the patent or copyright laws requires.  The owner can, for example,
contract w/ another not to disclose copyrighted computer progras.  In
addition, damages for disclosure or unauthorized copying, complex formulas
for royalty payment for legitimate use, and the ownership of enhancements
and changes to the computer program can also be delineated in a contract.

SELECTING THE RIGHT PROTECTION

The type of protection that is best for a particular computer program
depends on several factors:

(1) The longer the lifespan of the program, the more likely that the
    expensive investment of patent protection will be worthwhile.

(2) The higher the value of the program, the more money that can
    reasonably be spent of protection

(3) Algorithms that must be disclosed widely are (if otherwise worth the
    investment) best protected by patent, which precludes use as well as
    duplication.  Copyright protects only against copying, and trade secret
    protection is irrevocably lost if the algorithm is inadvertently
    disclosed outside a confidential relationship.

(4) The most expensive protection is patent; the least expensive is
    copyright.

(5) Patents take the longest time to obtain; the other forms offer almost
    immediate protection.

(6) A patent protects against recreation; trade secret protection is lost
    if the program can be recreated.

These factors are summarized in TABLE 1.

UNRESOLVED LEGAL ISSUES

Two unresolved but imprtant legal issues affect the analysis summarized in
TABLE 1.  The first is the patentability of computer programs discussed
previously.  The data processing manager and corporate counsel should keep
track of the continuing legal debate in this area.  The second unresolved
issue is the legal relationship between copyright and trade secret
protection when both are used for the same product.  Trade secret protection
has been held by the US Supreme Court to be compatible w/ patent protection,
but the Court has yet to decide whether a trade secret can be copyrighted to
protect the secret in case it is disclosed.

TABLE 1.

DECISION TABLE FOR TYPES OF LEGAL PROTECTION
|---------------------------------------------------------------|
|DECISION FACTOR                  | HIGH     | MEDIUM  | LOW    |
|---------------------------------------------------------------|
|ESTIMATED LIFESPAN OF THE PROGRAM| C OR TS  | P       | C OR TS|
|VALUE OF THE PROGRAM TO THE OWNER| P, C, TS | P, C, TS| C, TS  |
|NEED TO DISCLOSE THE PROGRAM     |          |         |        |
|TO OTHERS                        |  P, C    | TS, C   | TS     |
|OWNER'S EXPENSE BUDGET           |  P, TS, C| TS, C   | C      |
|TIME SENSITIVITY                 |  TS, C   | P, TS, C| P, TS  |
|SUSCEPTIBILITY TO REVERSE        |          |         |        |
|ENGINEERING                      |  P       | P, TS   | TS, C  |
|---------------------------------------------------------------|
 NOTES C=COPYRIGHT, P=PATENT, TS=TRADE SECRET

The policies underlying the two forms of protection conflict:  federal
copyright protection contemplates disclosure, while state trade secret
protection requires nondisclosure w/out an obligation for further
disclosure.  According to some legal scholars, a court could rule that a
copyrighted program is not eligible for trade secret protection.  Other
legal scholars argue that since the disclosure requirement for federal
patent protection has not preempted trade secret protection, the Supreme
Court should also uphold the right of computer program owners to receive
both trade secret and copyright protection.

SUGGESTED CONTROLS

B/c of these critical and unresolved legal issues, developers should
carefully evaluate the types of protection and rmain alert to changes in the
laws.  At present,often the best alternative is to copyright computer
programs and then license or disclose the computer program using agreements
that restrict use, transfer, and disclosure.  This approach should not
conflict w/ existing copyright law theory, and it achieves the same secrecy
afforded by trade secret protection.

Embodying the program in electronic circuitry is another alternative that
should be considered.  It cannot be altered by the user and inhibits copying
and user enhancements.  In addition, the recent Supreme Court decision
suggests that programs in such form can receive patent protection if they
are parts of patentable devices.  W/out patent protection, they are
susceptible to recreation and thus to loss of trade secret status.

to provide notice of the proprietary rights of computer-related materials,
the owner should put a human-readable notice on all materials a user will
see.  The notice can be placed on a computer terminal that displays the
program, on listings, on manuals, on containers of machine-readable
material, and in the program itself.  A suggested form of notice is:

THIS IS AN UNPUBLISHED WORK PROTECTED UNDER THE COPYRIGHT LAW OF 1976.  IT
IS OWNED BY XYZ COMPANY, ALL RIGHTS RESERVED.  ANY UNAUTHORIZED DISCLOSURE,
DUPLICATION, OR USE IS A VIOLATION OF CIVIL AND CRIMINAL LAW.

If licensed, a reference to the license can be included in the notice.

IF THE WORK IS PUBLISHED, IT SHOULD HAVE THE FORMAL COPYRIGHT NOTICE
ATTACHED IN LIEU OF THE ABOVE STATEMENT.  THE INTENTIONAL OMISSION OF THE
COPYRIGHT WILL CAUSE THE OWNER TO LOSE HIS COPYRIGHT; AN UNINTENTIONAL
OMISSION CAN BE REMEDIED.

EMPLOYER-EMPLOYEE RELATIONSHIPS

Many problems covering computer programs protection arise from the
employer-employee relationship, where two philosophies often conflict.  One
philosophy is that the products of the employee belong to the employer; the
other is that employees should be free to change jobs during their careers
and to use the expertise gained in one job in new work situations.

Although some employers might argue that all work done during employment
belongs to them, and some employees might claim that their creations are
theirs exclusively, the laws do not generally support either claim.  State
laws vary on this question; however, the prevailing view is that programs
written or developed as a specific task assigned by the employer belong
exclusively to the employer, and that programs written or developed solely
by the employee, using the employee's own time/resources, belong exclusively
to the employee.  Most controversy over computer program ownership falls in
the gray area between these two positions.

The following discussion centers on trade secret law since patent and
copyright protection are less helpful.  Patent protection for computer
programs is ambiguous and hence rarely used, and most companies have a
well-established patent assignment policy.  On the other hand, the new
copyright law is explicit regarding work for hire:

IN THE CASE OF A WORK MADE FOR HIRE, THE EMPLOYER OR OTHER PERSON FOR WHOM
THE WORK WAS PREPARED IS CONSIDERED THE AUTHOR FOR PURPOSES OF THIS TITLE,
AND, UNLESS THE PARTIES HAVE EXPRESSLY AGREED OTHERWISE IN A WRITTEN
INSTRUMENT SIGNED BY THEM, OWNS ALL OF THE RIGHTS COMPRISED IN THE
COPYRIGHT.

Conflicts of trade secret ownership between employers and employees for
other than assigned work are usually resolved based on the resources used.
Employees who develop new computer programs on their own time, at home, on a
personally owned terminal, but using employer computer time may be found to
own the programs; however, the employer may be given a royalty-free license
to use the programs in its business.  A more complex question concerns
employees working at home on flextime or w/ an employer-owned terminal or
microcomputer.  In such cases, proof of whose resources are used in
development is more difficult to establish.

legal battles over program ownership are very costly to both sides and
consume enormous amounts of time/energy.  Often a court formulates a
compromise so that neither side actually wins.  To avoid going to court over
program ownership, employers should have an explicit policy regarding
employee-developed programs.  This policy can be part of an
organization-wide trade secret protection plan developed by management and
legal counsel.

A basic control requires that each employee involved in developing computer
programs should be required to sign an agreement concerning ownership of
computer programs at the time of hire.  A formal emplyment or secrecy
agreement or an informal letter to the employer can be used.  Since both
types of agreement are legally effective, management style should determine
which approach is used.  The informal letter is friendlier, but the awesome
contract form may make a more lasting impression on the employee.

If a simple letter is used, the following format is recommended for the key
paragraph:

ALL COMPUTER PROGRAMS WRITTEN BY ME, EITHER ALONE OR W/ OTHERS, DURING THE
PERIOD OF MY EMPLOYMENT, COMMENCING ON _______________, 19__, AND UP TO AND
INCLUDING A PERIOD OF ____________ AFTER TERMINATION, WHETHER OR NOT
CONCEIVED OR MADE DURING MY REGULAR WORKING HOURS, ARE THE SOLE PROPERTY OF
THE COMPANY.

This important control prevents misunderstanding and protects the employer
against legal action.

Employees may use skills developed during previous jobs; however, they may
not use trade secrets disclosed to or produced by them during those jobs.
This is enjoinable behavior and may result in the award of damages to the
former emplyer.  Departing employees should take nothing tangible from the
old job -- listings, notebooks, tapes, documents, or copies of any kind,
including lists of specific customers.  Prospective employers should
carefully avoid crossing the fine line between hiring someone to provide
expertise in a particular area and hiring someone to provide knowledge of a
competitor's proprietary products or business plan.  Spcial care is required
when more than one employee is hired from the same company.

Another essential control requires that departing employees should be
reminded during the exit interview that no materials or proprietary concepts
received during employment can be used at the new job.  They should be asked
to read and sign a statement that acknowledges their understanding of this
point.  The statement should also affirm that no materials have been removed
from the employer's premises and that all those previoulsy in the employee's
possession have been returned.  Employers should obtain the employee's new
address in case later contract is necessary.

During the exit interview, employees should have the opportunity to clarify
gray areas -- programs they wrote on their own time using company terminals
and company computer time, innovations they developed that the company never
used, and so on.  Permitting a departing employee to use an invention that
will not cause loss of competitive advantage can ensure a friendly and loyal
colleague in the marketplace.  In any case, legal counsel should be involved
in these sessions, b/c an attorne experienced in trade secret law can interpret
the naunces of the interview more effectively and can emphasize the consequences
of unfair competitive conduct.

GUIDELINES FOR COMPUTER PROGRAM USERS

Users who obtain computer programs outside of contractual or other
confidential relationships that preclude competitive action can legally
recreate the programs and use them freely even if they know they are trade
secrets.  In addition, users who obtain computer programs from third parties
w/out any knowledge that they are proprietary are free to use them.  In such
cases the third party may be liable to the owner for misappropriation.
Computer program users should note, however, that intentional wrongful use
in this situation may lead to criminal and civil liability for infringement
or misappropriation.

Patented inventions can only be used w/ the owner's permission.  The alleged
infringer, however, can challenge the validity of the patent in court and,
if successful, can defeat the patentee's exclusive right to use the
invention.

Another problem concerns the owernship of a user-made change or enhancement
that significantly alters the constitution of the computer program.  Neither
copyright nor trade secret law is explicit n this point.  Many vendor-user
agreements require the user to return all copies of the computer program at
the end of the term; however, few vendores forbid user changes and
enhancements or ask for royalties from new works embodying or based on their
computer programs.  Some agreements contain provisions that any and all
changes belong to the vendor.  Thus, the computer program user should pay
special attention to contract provisions regarding changes and enhancements.
In the absence of a specific agreement, the user takes some risk but has a
fair chance of surviving a challenge that user-made changes infringe on the
vendor's rights.

RECOMMENDED COURSE OF ACTION

The data processing manager should understand the legal alternatives for
protecting computer programs and adopt prudent controls used by others under
similar circumstances.  If the organization uses computer programs developed
and owned by outside parties, this understanding and use of controls can
prevent legal problems and can ensure that the terms of the agreement for
using the computer programs are proper.  for organizations that develop
computer programs in-house, a corporate policy based on a thorough knowledge
of the laws is a basic control that can prevent misunderstandings between
management and development personnel.

Such a policy can also ensure that the company does not lose a competitive
advantage b/c of unathorized disclosure or copying of programs.  B/c the
laws in this are are subject to change, the data processing manager should
stay in close touch w/ the organization's legal counsel to keep pace w/ the
latest developments.

Meeting standards of due care and protecting proprietary interests in
computer programs are examples of common sources of motivation and need to
adopt generally used controls.  Consideration of these common sources of
motivation and need, as well as the generally used controls (many found in
the study of the field sites), leads to a new computer security concept
presented in the next section.

                                END OF PART III

              NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA---NIA


Current List Of BBS's that carry ALL of Network Information Access Files:

BBS NAME           PHONE NUMBER    SYSOP(S)                        SOFTWARE
--- ----           ----- ------    --------                        --------
Metamorphis Alpha  713/475-9055    Starchilde/Moonchilde           TAG
Pier 7             713/477-2681    Slice/Mouser                    Quick
The End Over!      713/821-4174    Chester                         TAG
The Enigma         713/852-7121    Odysseus/Volker/Brutus          Telegard
Talk Radio         713/941-0917    Sir Lawrence/Lord MacDuff       TAG

All Boards are 24 Hours unless otherwise noted...