A lawsuit filed in a Texas federal court on Friday is a good illustration of the problems that can arise when two competitors — or even potential competitors — sign Non-Disclosure and Access Agreements (NDAAs) to share sensitive information to ostensibly help mutual customers.
Friday’s filing involved Cognizant Technology Solutions, Colorado-based TriZetto, whose software helps process medical claims, which is now owned by Cognizant, and India-based Infosys. Cognizant is accusing Infosys of having agreed to an NDAA to receive sensitive technology details about TriZetto, and of then using that information to create a competing product.
“Infosys gained access to certain of TriZetto’s closely guarded, proprietary software offerings, and related technical documentation, under the guise of NDAAs that it executed with TriZetto for the limited purpose of equipping Infosys to complete work for certain Infosys clients,” the lawsuit said. “The NDAAs narrowly and strictly define the contours of Infosys’s authorized access to TriZetto’s proprietary information and trade secrets, granting access to a very limited number of Infosys employees for narrowly specified reasons. Yet, in contravention of those agreements, Infosys has misappropriated TriZetto’s trade secrets and stolen its confidential information to develop or enhance its own competing software and service offerings.”
Cognizant’s filing listed some of the trade secret information disclosed to Infosys: “workflows and functionality implemented by the proprietary software; source materials relating to the proprietary software, including the source code, technical documentation, product release notes, link libraries, and development toolkits; test cases for testing the proprietary software; interfaces, connectors and adaptors for the proprietary software, as well as tools for creating such interfaces, connectors, and adaptors; the database, database schema, file structures, data dictionaries and other information relating to the storage of data by the proprietary software.”
For CIOs, the case raises questions about how far a contract, which is all that NDAs and NDAAs are, will protect a company when sensitive data is being shared with a potential rival.
Interestingly enough, the typical element of an NDA violation is not at issue here. There is no accusation that Infosys officials shared the sensitive data with anyone outside their company. Rather, the complaint alleges that they misused the information.
Lawyers point out that, beyond improper disclosure and improper use, a key issue for CIOs to manage is extrapolation, which is typically referred to in legal circles as the fruit of the poisonous tree.
In law enforcement cases, the poisonous tree reference means that if some piece of information is improperly obtained, not only can that information not be used, but anything that is obtained because of that information is also blocked. For example, if the illegally-obtained data causes a law enforcement officer to ask a question that they wouldn’t have otherwise known to ask, or causes them to go to an address that they otherwise would have never known to go to, the resultant data is also blocked.
For the CIO and NDA/NDAAs, the issue is what employees of the company that received the information did with it. What if they don’t disclose the information, but knowledge of that information gives them a product development idea that they would have not otherwise considered? Is the company allowed to create and sell that product?
Brian Levine is an attorney who serves as an Ernst & Young managing director. Levine, who did not review the Cognizant lawsuit and therefore can’t comment on what any of the companies did, said that he sees lot of enterprise CIOs who struggle with the NDA/NDAA issue.
“There is the black letter of what the law or contract requires, and then there’s the purpose, the spirit, what is implied by the contract,” Levine said, adding that CIOs must consider these agreements realistically. Otherwise, “you are going to give the other side ideas.”
“Companies should not assume (with an NDA/NDAA) that it will be complied with. They should ask themselves ‘Does it make sense to go ahead with this course of business?’ Do they have a high degree of trust in the other side?” Levine said. “In many instances, an NDA is kind of a kneejerk reaction and not enough thought is put into it.”
One way for CIOs to deal with that kind of sensitive information exchange is to “narrow the information they are sharing so there is less potential harm,” Levine said.
Another attorney, Mark Rasch, of counsel to Cleveland-based law firm Kohrman Jackson Krantz, said that CIOs must focus on what an agreement says and what it does not spell out.
“Often, what happens with NDAs is that companies try to sneak in language related to non-compete,” Rasch said. “One of the problems you have is that, whenever you are exposed to a partner’s information, you cannot segregate in your mind what you know and what you have learned.”
Rasch advises enterprises to discuss this and negotiate it at the onset, but noted that he hardly ever sees that happening. “This rarely happens because people don’t tend to anticipate this problem.”
For CIOs of companies receiving such information from potential rivals, Rasch recommends putting in place extreme separation efforts. “You have to assign an entirely new team that has nothing to do with that software” to receive the restricted information “and wall off one project from another.”
Read More from This Article: Cognizant sues Infosys for misusing shared information
Source: News