Originally published 12 February 2010

Keywords: India, outsourcing, IT, BPO, knowledge process offshoring, KPO, R&D,

Despite growing competition from emerging markets around the world, India continues to be the number one destination for outsourcing services involving information technology and business processes (IT/BPO services). In recent years, moreover, a new model of global sourcing known as "knowledge process offshoring" (KPO) has taken hold, and India has quickly become the global leader of KPO services.

KPO involves the offshore outsourcing of knowledge-driven or "high-end" processes that require specialized domain expertise. Today, Indian suppliers of KPO successfully deliver outsourced processes across a growing spectrum of sophisticated disciplines, including research and development (R&D), insurance underwriting and risk assessment, financial analysis, data mining, investment research, statistical analysis, tax preparation, engineering and design, animation, graphics simulation, medical services, clinical trials, legal services and more.

As offshoring of services to India moves up the value chain from IT/BPO to KPO, the protection of intellectual property (IP)—including any trade secrets or confidential information that may be transferred to or created in India in the context of a KPO sourcing—becomes an ever more critical concern for the offshoring customer. IP concerns must be knowledgeably addressed to maximize the benefits and strategic incentives that the offshoring model can deliver without losing control of valuable customer IP. This article identifies key issues that any offshoring customer should carefully assess in order to mitigate the risks associated with offshoring trade secrets and other confidential information to India.

When offshoring a high-end process or functionality to India, knowledge (such as source code, formulae, designs, specifications or experimental data) that is transferred offshore is often confidential in nature and is generally not suitable for local registrations in the form of patents.  Therefore, before initiating an offshoring process, a US customer must seriously consider how it can best protect this information to maintain its competitive advantage. A primary concern for a US customer should be the Indian service provider's ability and willingness to safeguard customer-owned trade secrets and other commercially valuable confidential information against misappropriation, misuse, unauthorized disclosure, sabotage or theft.

India's Existing Legal Framework for Trade Secrets

In the United States, trade secrets are afforded statutory protection at both federal and state levels, with meaningful civil and criminal remedies to counter misappropriation. Penalties for misappropriation can, and often do, include significant compensatory and punitive damages, injunctive relief and attorneys' fees. This is not the case in India, however. Indian law provides no statutory or other legal protection of trade secrets. This non-legal environment presents numerous challenges concerning trade secret protection and enforcement, and it can jeopardize a US customer's IP unless the customer carefully employs certain contractual mechanisms that are enforceable in India.

In the Indian legal context, parties must rely primarily on contracts to protect trade secrets. Indian law recognizes the common law tort of "breach of confidence" irrespective of the existence of a contract. But the tort's utility is limited in an offshore sourcing context because the duty of confidence at issue can be enforced only against a party that is either a fiduciary to the US customer or is in an employer-employee relationship with the complaining party. Also, the duty arguably extends only to the unauthorized disclosure of confidential information to a third party and does not prevent the recipient's own "misappropriation" of the information.

Perils of Subcontracting

Consider a hypothetical situation involving an Indian service provider that has engaged a subcontractor in India to perform the offshored services for a US customer. If the Indian subcontractor discloses or misappropriates the US customer's trade secrets or confidential information, the customer has neither a breach-of-confidence claim against the subcontractor nor a breach-of-contract claim, except in the unlikely event that the US customer has contracted directly with the subcontractor.

The contract between the US customer and the Indian service provider might well hold the provider liable for damages caused by the subcontractor's inappropriate disclosure. But that cause of action still does not directly address or foreclose the subcontractor's past and possibly future misconduct. Essentially, then, the US customer is left without a direct remedy against the Indian subcontractor and without an immediate legal means to effectively stop the disclosure.

Employee Misconduct

Concern for third-party subcontractor misconduct unfortunately exists with respect to the misconduct of employees and ex-employees of the Indian service provider. Surveys reveal that a majority of data-misconduct situations originate with employees or ex-employees of a service provider. Recently reported instances involving the theft of trade secrets belonging to western companies offshoring to India illustrate the gaps in Indian law that expose IP in offshore transactions to real vulnerability.

In 2002, for example, a former employee of Geometric Software Solutions Ltd., an Indian software vendor, attempted to sell proprietary source code owned by SolidWorks, a US client of Geometric, to the client's competitors. The former Geometric employee was caught red-handed in a sting operation, but he could not be effectively prosecuted in India because the source code was considered a trade secret. Indian law did not recognize "misappropriation" of trade secrets, and the US client did not have any contractual arrangements with the former employee with which it could directly enforce its rights.

A similar situation arose in 2004, relative to an employee at an India-based software development center of Jolly Technologies, a US customer. The employee misappropriated portions of the company's IP by allegedly uploading files that contained source code for a key product to her personal Yahoo e-mail account. The theft was detected in time to prevent the employee from distributing the stolen code. But once again, due to gaps in India's IP law the US customer could not successfully prosecute the employee.

These and other cases have drawn close scrutiny and have served as a wake-up call to the global sourcing community and the Indian outsourcing industry. Indian providers have aggressively lobbied their government to strengthen the nation's IP regime and thus to demonstrate to the world's investor community that India is acting to protect foreign IP.

The risks associated with subcontractor and employee misconduct relative to IP in India are very real. It is critical, therefore, for US customers to be aware of this enforcement gap and to address it in their operative contracts with Indian service providers. Customers must also work to carefully scrutinize relevant contracts between Indian service providers and their subcontractors.

Effective Strategies to Safeguard Trade Secrets and Confidential Information Offshored to India

Drafting comprehensive confidentiality and IP ownership agreements that are enforceable in India

Trade secrets and confidential information must be protected with well-constructed contractual arrangements between a US customer and its Indian service provider. It is imperative, too, that any contractual relationship between the service provider and its subcontractors includes an express right of enforcement by the US customer against the subcontractors.

Contract provisions should clearly and effectively prohibit the wrongful disclosure and misappropriation of trade secrets and proprietary data by the service provider and its subcontractors. In addition, the contract should expressly acknowledge the US customer's right to enforce violation of these provisions for damages and of the customer's right to seek to enjoin such wrongful acts locally.

Confidentiality and non-competition covenants are enforceable under Indian law and offer a vital line of defense in the US customer's effort to protect trade secrets and confidential information in India. A US customer must insist upon unambiguous provisions in the operative contract requiring the Indian service provider to ensure specific performance standards. These standards should explicitly oblige the provider to:

  • maintain the customer's trade secrets and confidential information in strict confidence, not only during the term of the contract but also after its termination;
  • permit controlled access on a "need-to-know" basis only, including the customer's right to enforce such obligations directly against service provider personnel having access to the customer's information; and
  • accept contractual responsibility and liability for any breach of confidentiality obligation or misuse of such information by itself, its subcontractors, employees or former employees.

A well-designed operative contract should enable the customer to immediately terminate the agreement in the event of a service provider's failure to comply with its contractual confidentiality obligations. In addition, it should result in uncapped financial consequences to the service provider.

Performing due diligence to avoid chain-of-title issues and to ensure pass-through non-disclosure obligations

Because prevention is better than cure, a US customer should conduct comprehensive due diligence regarding the Indian service provider's track record of maintaining data security. Prior to entering into a final contractual arrangement, the customer should perform due diligence as thoroughly as possible to make sure that the Indian service provider has written agreements in place with its employees and consultants that address IP ownership and non-disclosure obligations. These agreements should be closely scrutinized to ensure they sufficiently protect the US customer's rights and interests and are valid and enforceable under Indian law.

To the extent practicable, and depending on the nature and sensitivity of customer IP involved in the project, a US customer should consider entering into non-disclosure and IP ownership agreements directly with the provider employees and consultants who will be assigned to the project. In that way, confidentiality and IP ownership obligations should remain in force even after the employee or consultant is no longer employed or engaged by the Indian service provider. In addition, the US customer will have contractual privity with such employees and consultants, and it will have legal standing to sue in India (and, presumably, in other venues) in the event of a breach of their obligations.

Imposing non-compete restrictions that are enforceable in India

The operative contract should also include non-competition covenants that restrict the Indian service provider from using competitive technology or personnel in connection with the customer's competitors. The US customer must bear in mind, however, that India has stringent laws against overly restrictive trade practices. The enforceability of a non-compete covenant, then, is subject to a case-by-case determination, and any particular terms cannot in every case be assumed to be enforceable.

The Indian Contract Act provides that a non-compete agreement will not be enforced to the extent that it restrains a person from exercising a lawful profession, trade or business. Judicial precedent under Indian law indicates, however, that an Indian court will enforce a restrictive covenant if it meets what is known as a "reasonableness" test. For example, a restrictive covenant imposed during the period of the subject's employment is more likely to be upheld than is a covenant operating after the termination of employment.

In Niranjan Shankar Golikari v. The Century Spinning & Manufacturing Co. Ltd., the Supreme Court of India upheld a restrictive clause in an employment contract that imposed constraints on the employee not to reveal or misuse during the period of the employment any trade secrets that the employee learned while employed. Similarly, Indian courts tend to apply a stricter level of scrutiny to non-competition provisions in contracts for the provision of services than to contracts solely for the sale of a business or to franchise agreements that restrain the franchisee from dealing with competing goods. This tendency on the part of the courts makes the drafting of non-compete provisions in offshoring contracts a critical and sensitive task.

Enforcing proper checks and balances on subcontracting

Subcontracting by the Indian service provider can dramatically increase the customer's IP risk profile. Therefore, proper checks and balances should be placed on the provider's ability to subcontract any portion of the offshored services.

To the extent possible, the US customer should require that subcontractors enter into contractual commitments that are directly enforceable by the US customer. At the very least, the US customer should insist upon contractual controls that:

  • require prior approval rights with respect to all subcontractors and that retain the customer's right to review the terms of all subcontracts;
  • require flow-down of certain mandatory provisions to safeguard the US customer's rights and interests, such as data privacy, IP ownership and assignment provisions and confidentiality obligations;
  • enable performance of thorough due diligence with respect to subcontractors;
  • require the Indian service provider to be contractually responsible for subcontracted functions; and
  • maximize, to the extent practicable, the customer's chances in India of being positioned legally to enforce contractual protections regarding data privacy, confidentiality and IP ownership directly against the subcontractor.

Implementing effective information governance measures

The US customer should perform a thorough, engagement-specific risk assessment prior to sending any sensitive information offshore. The customer should also develop and implement effective information-governance strategies and internal security measures to control the access, availability and dissemination of trade secrets and confidential information in India. Key measures should include:

  • requiring meaningful background checks to be performed on employees and consultants engaged by the Indian service provider and assigned to the US customer's account;
  • permitting controlled access on a need-to-know basis;
  • managing attrition and turnover rates of employees;
  • briefing employees on security measures and conducting exit interviews of ex-employees to remind them of continuing confidentiality obligations;
  • performing routine audits to verify a service provider's compliance; and
  • to the extent possible, marking hard copy documents and electronic data with "confidential" or "proprietary" legends prior to their circulation.

Given that most security breaches result from internal employee misconduct, the US customer should require its Indian service provider to implement sound personnel security controls. These measures should be implemented via a three-pronged approach of employee screening, rigorous training and robust disciplinary processes.

Assessing need for local patent registrations in India

Before embarking on an offshoring transaction involving India, a US customer should determine whether to protect IP that might be shared or created in India through trade secrets or by obtaining a local Indian patent. In this context, a fundamental question is whether to seek local patent protection for any invention that is either patentable or already patented outside India and that will become available in India as a result of the outsourcing engagement. Similarly, the customer must determine if local patent protection should be sought for any project-related innovations originating in India and if subsequent global filings should be initiated for any India-originated innovations.

By applying a well-considered patent strategy upfront, a US customer can minimize both infringement risk and the risk of potential loss of any global patent rights in light of differing standards of patentability worldwide. To a large extent, the customer's patent strategy will be driven by the nature of the offshoring project and by the degree of critical IP involved. For example, in a KPO in India involving research and development of chemical entities, it may be worthwhile to obtain local patent protection for the chemical entities. Similarly, in a KPO involving the manufacture of drugs in India, the customer may wish to obtain local patent protection for the drug formulations in order to prevent local generic companies from copying the drug.

A key benefit of patent protection is that it provides the patent owner with a bundle of strong statutory rights. These rights may be enforced against any third party in India to stop unauthorized use of the patented technology, regardless of the existence of any contractual or fiduciary relationship.

Furthermore, independent development of a patented technology, unlike a trade secret or a copyright, is not a defense to a claim of infringement. While not usually a significant risk, a US customer in India should generally be aware that Indian patent laws empower the government to grant a "compulsory license" to a private party or a government agency under certain circumstances.

India's patent laws also provide for broad "research and experimental use" exceptions. Customers should be aware that under these exceptions, a third party's experimental use of a patent, even for commercial purposes and without the patent owner's consent, does not constitute infringement in India.

Finally, a US customer must keep in mind that computer programs and business methods continue to be per se not patentable in India. Consequently, they must be protected as trade secrets through appropriate contractual protections.

Other IP considerations

As a practical way to manage IP risk, the US customer should conduct and implement best risk-management practices prior to initiating any KPO arrangement in India. At a minimum, the customer should:

  • perform detailed, upfront due diligence of the Indian service provider to evaluate the entity's track record for protecting IP;.
  • be extremely selective about the IP that is to be offshored and avoid where possible offshoring critical technology;.
  • maintain core components of the offshored IP in the United States; and
  • require frequent disclosure of work-in-progress and periodic receipt of incremental project deliverables during the course of the initiative, in order to avoid being denied access to such technology in the event of a dispute or bankruptcy.

To further mitigate risk, a customer may adopt a "distributed R&D model" by dividing R&D responsibility among multiple supplier entities and, if appropriate, across multiple jurisdictions. The customer should note, however, that distributed R&D can be expensive, since additional capital and resources will be required to manage and integrate results from the various participating entities.

Exploring mechanisms to mitigate enforcement risks in India

The enforcement of the US customer's rights and remedies is always a vital concern, and those concerns can be exacerbated when dealing with an Indian service provider. This is particularly true if the provider has few or no meaningful assets in the United States against which a judgment could be executed.

If the Indian service provider has meaningful assets located in the United States, and if a US plaintiff successfully obtains a judgment in a court of competent jurisdiction, the judgment can be enforced against those US assets with relative ease. If a dispute with an Indian service provider is adjudicated in the United States, however, but the provider's primary assets are located in India rather than in the United States, the customer must seek redress within the Indian legal system to obtain and enforce a judgment against the provider's India-based assets.

Efforts to enforce a foreign judgment in India can be arduous, time-consuming, expensive and unpredictable. If an Indian provider has few meaningful US assets, then it may be advisable for the US customer to institute an initial claim against the provider in India, rather than in the United States. This may obviate the customer's need to re-litigate the claim in India as a means of enforcing a US judgment against the provider's Indian assets.

This approach may be especially true if the US plaintiff is seeking injunctive relief and if time is of the essence. Jurisdiction and enforcement provisions in the operative contract should be thoughtfully crafted to provide the US customer with adequate, flexible rights and remedies consistent with the nature of the business or knowledge process and the underlying customer IP being offshored to India.

The US customer should perform early due diligence to identify the physical location of the Indian service provider's assets. This initial effort will enable the customer to assess its potential ability to enforce rights and remedies with respect to an Indian service provider. It will help the customer determine the extent of the Indian provider's US presence and, correspondingly, to evaluate local provider assets that will be available for the satisfaction of judgments.

To further mitigate enforcement risks, the US customer should explore alternative measures, such as insurance, performance bonding, letters of credit or guarantees from the Indian service provider and its financially responsible affiliates. In addition, the customer should ensure that it retains flexible, rules-based termination rights.

To best mitigate the risk of an Indian service provider seeking refuge in an Indian court and being mired in prolonged litigation and subject to unfamiliar procedures, private arbitration is the preferred means of dispute resolution in an offshore sourcing transaction involving India.

Considering alternative dispute resolution mechanisms to maintain confidentiality

In India, litigation concerning breach of trade secret protection clauses can lead to open disclosure and consequential loss of the trade secrets at issue if the legal proceedings are not closed. For this and other reasons, the operative contract should require that all disputes relating to the US customer's trade secrets and confidential information be subject to confidential mediation or arbitration, rather than to litigation. The contract should also specify that these dispute-resolution measures will, if possible, be conducted in a non-Indian venue and that all IP and information involved in the proceeding will be treated confidentially. The relative ease of enforcing foreign and India-based arbitral awards in India provides an additional compelling reason for adopting arbitration as the formal dispute resolution mechanism in India.

Determining the appropriate offshore delivery model

A potential US customer may consider adopting a "captive" offshoring model involving offshoring through affiliated legal entities in India. Implementation of a captive model may be especially appropriate if the business would experience significant adverse impact and cost as a result of losing control over IP that would be transferred to, or created in, India.

It is not surprising that a high percentage of captive offshoring transactions in India are in IP-intensive sectors such as advanced software, high-tech electronics and pharmaceuticals. Establishing a captive in India will provide the US customer with more control over day-to-day operations and IP.

A customer must balance that benefit, however, against the increased capital outlays and expense inherent in captive models. In addition, a majority of the critical legal issues discussed in this article are as relevant to captives as they are to other outsourcing structures. The need to carefully evaluate and address these issues will be equally critical regardless of the offshore delivery model elected by the customer.

Conclusion

In summary, offshoring to India can not only yield significant cost savings and increased efficiencies but also leverage India's vast knowledge class to perform "high end" KPO services and functions. However, because of the potential risks to a customer's IP that may be transferred to or created in India, a US customer contemplating an offshoring project in India must carefully assess India's IP legal framework vis-à-vis the business or knowledge process that will be offshored, and accordingly determine the necessary and available safeguards to protect its IP, including trade secrets and confidential information. These safeguards may include statutory and common law protections, but carefully crafted and robust contractual provisions combined with practical and enforceable mechanisms to minimize IP-related risk are mission critical and should be an integral component of any offshoring project in India.

Callouts

This non-legal environment presents numerous challenges concerning trade secret protection and enforcement, and it can jeopardize a US customer's IP unless the customer carefully employs certain contractual mechanisms that are enforceable in India.

Subcontracting by the Indian service provider can dramatically increase the customer's IP risk profile.

Jurisdiction and enforcement provisions in the operative contract should be thoughtfully crafted to provide the US customer with adequate, flexible rights and remedies consistent with the nature of the business or knowledge process and the underlying customer IP being offshored to India.

Learn more about our Asia offices and Business & Technology Sourcing practice.

Copyright 2010. JSM, Mayer Brown International LLP and/or Mayer Brown LLP. All rights reserved. Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: JSM, a Hong Kong partnership, and its associated entities in Asia; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; and Mayer Brown LLP, a limited liability partnership established in the United States. The Mayer Brown Practices are known as Mayer Brown JSM in Asia.

This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.