LEGAL ISSUES IN COMPUTER SECURITY
A REPORT FROM THE UNITED STATES - PART 1
Most major companies now do business in other countries; data security abroad requires much attention. While some nations have excellent police forces, others are not so careful, and security is a matter for constant vigilance. For example, in some nations, there is organized copying of proprietary software; this could expose the company to liability for breach of its license agreements with suppliers.
2 MANAGEMENT PROBLEMS
While all the matters considered in this article are management problems, there are some legal issues with which the data security officer should be familiar that are particularly appropriate concerns for management.
(a) Corporate record keeping. Business lives on the records it maintains, particularly as to accounts receivable and accounts payable. These records are generally admitted into court proceedings as business records kept in the ordinary course of business, provided the business relies on them. However, with computerized records in which the material is updated periodically without hard copy, there may be difficulty in proving the accuracy of the records, particularly if considerable amounts of money are involved and the opposing party in a lawsuit questions the validity of the records. To prove the records' authenticity, it may be necessary for the company's lawyer to show how the programming was performed, that all patches were fully documented, that input controls were in place, and that the hardware functioned properly. (There is an Australian statute outlining what must be shown to a court in South Australia in order to prove that the computerized records are reliable. While American courts are not as particular in their proof requirements, such kinds of proof could be required if the validity of the computer system is questioned.) Failure to prove satisfactory security measures may also prevent recovery. [1]
The Internal Revenue Service (IRS) has also established rules for corporate recordkeeping, and failure to observe the requirements of Revenue Procedure 91-59 and Revenue Ruling 71-20 may prevent the corporation from relying upon its computerized records when audited by the IRS. Revenue Procedure 6412 requires (1) that the system must have the ability to produce a detailed audit trail at a later date, and (2) that the company completely document the system. There are specific rules for database management systems. Revenue Ruling 71-20 requires that punched cards, magnetic tapes, disks, and other machine-sensible data media used for recording, consolidating, and summarizing accounting transactions be kept by the company so long as the contents may become material in the administration of the internal revenue laws. The IRS will make agreements with companies as to what tapes must be presented and for how long, and the company's tax or accounting department will lay down these rules for the particular organization. However, the security of this information and its availability could well fall within the responsibilities of the data security officer.
(b) Labour and management relations. In some companies, unions represent data processing employees, especially input personnel. It is particularly important when dealing with unionized personnel that the requirements of the collective bargaining agreement as to disciplinary action and consultation on work rules be followed; the advice of the company's labour attorney is essential. In any situation where employees (union or non-union) are in conflict with management, it is possible that attempts may be made to compromise or damage the company's computer system; the company should have in place mechanisms to prevent damage in such situations. Personnel who service computer systems may also be unionized; there have been reported instances of injury to a customer's computer system when the employees of a computer company were engaged in a dispute with their employer.
Again, contingency plans to protect against such situations should be designed and implemented when appropriate.
There are statutory limitations on the amount of information that an organization can obtain about a prospective employee. These vary from state to state, and the data security officer should consult with the company's legal and personnel departments to determine how much of a background check can be made for potential employees who will have sensitive roles in the information processing area. One area particularly worth pursuing is the applicant's resume; many people have faked their educational backgrounds. From a security viewpoint, it might be nice to administer a polygraph and drug test to each potential employee. However, the use of lie detectors is strictly regulated, particularly by the Employee Polygraph Protection Act of 1988, [2] which generally prohibits such tests of employees or prospective employees, and discrimination against an individual who refuses to take the test. This act applies to employers in interstate or foreign commerce except governments, organizations concerned with national security, and private security companies.
THE COMPUTER LAW AND SECURITY REPORT, NOV - DEC [1996] 12 CLSR
As to drug tests, the validity of requiring such from an employee or potential employee may well depend on the sensitivity of the specific position. At least two federal cases have struck down efforts by the federal government to make data processing employees take such tests. [3] However, when the person involved is in a very sensitive position, drug testing may be allowed. [4] Insistence on drug testing can be expensive; when the Southern Pacific Railroad fired a programmer who refused to give a urine sample, the jury awarded her $485 000; this was affirmed as appropriate for the invasion of her privacy. [5]
Departing employees create a special problem. If the employee is fired, is leaving in anger, or is quitting to go into competition, he or she may attempt to destroy files or to copy them for use in the competing business. An exit interview is the minimum step to be taken; the employee should acknowledge in writing that he or she does not have any copies of confidential papers or trade secrets and will not disclose any trade secrets after leaving. In addition, when the employee has access to confidential computerized data, consideration should be given to terminating this access immediately, particularly if there is a possibility of injury to or destruction of the data. [6]
The recently enacted W.A.R.N. Law [7] requires that companies in interstate commerce with more than 100 employees give 60 days' notice before mass layoffs. If some of those to be laid off have access to important data or programs, there could be a major security problem that must be solved before the layoff is announced. Immediate reassignment before the layoff may be the best solution. Many companies have agreements with employees protecting the company's trade secrets and inventions.
As discussed later, the protection of trade secrets requires considerable vigilance so that these valuable proprietary rights are not lost, including procedures for making sure that valuable papers are locked up at night and that access to them is limited at all times to those with a need to know. Methods of ensuring that such papers are not removed, particularly when employees are terminated, should be instituted. The same security considerations apply to independent contractors who are hired to work on specific projects. A written agreement is particularly important here because, under the copyright law as noted later, the independent programmer may own the program unless there is a specific written agreement to the contrary. Many companies have found it economic to hire non-citizens for various kinds of work. The immigration laws of the United States have been tightened recently in some areas and loosened in others (particularly as regards Canadians and Mexicans). Failure to comply with these laws can create substantial problems for the company. [8]
Whatever policies are adopted, they must be enforced. In a Canadian case the court held an employee was wrongfully fired when her password was used to gain fraudulent access to a bank account. The court found that the company had no rules on password security, that its computers were close together - a person with average eyesight could have read anyone's password - and this is what happened. The court also awarded the employee punitive damages. [9]
(c) Networks. The development of the network creates special problems, since eavesdropping is often possible, particularly in wireless networks that are now coming online. Technical protective measures are discussed in other chapters. However, the failure to anticipate such interceptions and resulting loss of confidential information could expose the company's management to personal liability in suits by angry stockholders.
(d) Outsourcing. Outsourcing is now the common term for having some or all data processing work performed by an independent company. However, the legal aspects of security issues involved are the same as when there was batch processing by service bureaus, timesharing, and facilities management. While the data security officer is not responsible for the preparation of the outsourcing contract, he or she must, if possible, review not only the outside contractor's legal commitments as to security, but also the actual security measures that company enforces. And the security officer should have a continuing right to inspect the enforcement of these commitments. If the outsourcing agreement will result in some present employees losing their jobs, the precautions suggested above for those who receive advance warning of their layoffs should be implemented. The legal department should also carefully review the licenses under which the company uses proprietary software. Lawsuits have been brought in both the United States and England to prohibit the fired facilities manager from using programs originally supplied to the company. [10]
(e) Personal injury. In addition to the standard problems of personal injury, such as an employee slipping on a wet floor, there are some problems created by the computer itself. While primarily a problem for the Human Resources Department, the data security officer should be aware that there have been a number of carpal tunnel syndrome injuries caused by the extended use of a keyboard. There have also been allegations (and some evidence) that the computer may cause radiation injury, particularly in pregnant women.
Faced with increased emphasis by government on these issues, and aware of the numerous suits by allegedly injured people, the competent security officer will work with the company's risk manager, and its legal and personnel departments, to minimize risks to employees, independent contractors, visitors, and others who may be on the premises. (Liability for erroneous programming is discussed in the section on legal liabilities in a future issue of CLSR.)
(f) Insurance against legal liabilities. The early 1990s have been tough for insurance companies: hurricanes in the Southeast and Hawaii, floods in the Midwest, and fires, riots, and earthquakes in California. Losses have been high and payments large. While protection from these disasters is the purpose of insurance, the insurance companies have had to watch their pennies very carefully. This means they will construe their policies as favourably as possible to themselves; however, the courts may not agree with these interpretations. Two clauses likely to be found in an insurance policy require that security precautions be taken and that the insurer will have the right to inspect the insured's premises to be sure these precautions are being taken. Failure to take required protective measures, if the failure contributes to the injury, may well discharge the insurer from liability.
Rather than view the insurance company as an opponent, the data security officer should work with the insurer's inspectors to make sure that possible sources of injury are eliminated whenever possible. Not only will this help reduce premiums and avoid denial of a claim, but such efforts will improve employee morale within the company itself. Some companies have insured themselves against copyright infringement in their advertising. The courts have held that these policies do not protect the company against intentional infringement of software copyrights. [11]
3 PROPRIETARY RIGHTS AND OBLIGATIONS
Probably the most important of the security officer's duties from a legal point of view are those concerned with guarding the company's proprietary rights in its software and complying with the company's contractual commitments in the protection of software belonging to others.
(a) Legal forms of protection. Two major ways are used to protect proprietary rights in software: trade secrets and copyrights. (In certain unique situations, a patent for software may be available.) Trade secret law, a state developed and enforced doctrine, is based on the concept of confidentiality: when a business discloses its secrets to another in confidence, the person to whom disclosure is made must keep that information confidential. Copyright, on the other hand, is established under a federal statute and proceeds from the concept that in order to make information available to the public, some method of remunerating its author must be established. Copyright, therefore, protects the 'method of expression' used by the author but not the ideas that are disclosed. Copyright and trade secret complement each other: trade secret protects the idea disclosed in confidence, and copyright protects the way that idea is expressed, whether privately or to the public. However, in certain situations the copyright law may preempt the trade secret, and trade secret protection may be unavailable. [12] The most common case is when the information is expressed in writing (or program code), and the copyright owner sues for both copyright infringement and misappropriation of the trade secret; the court is likely to decide that the owner is trying to get the same relief in two ways, and therefore the copyright law takes precedence. However, if there is a separate agreement under which a trade secret not embodied in the written information is disclosed, then the plaintiff's trade secret claim is not based on copyright, and will not be thrown out.
(b) Trade secret protection. The standard legal definition of trade secret is:
A trade secret may consist of any formula, device, or compilation of information which is used in one's business, and which gives an opportunity to obtain an advantage over competitors who do not know or use it. It may be a formula for a chemical compound, a process of manufacturing, treating or preserving materials, a pattern for a machine or other device, or a list of competitors. [13]
Trade secrets are often also protected by statute, and theft of a trade secret may well be a criminal act. For example, in Massachusetts the larceny statute specifically defines a trade secret as follows:
The term 'trade secret' means and includes anything tangible or electronically kept or stored, which constitutes, represents, evidences or records a secret scientific, technical, merchandizing, production, or management information, design, process, procedure, formula, invention or improvement. [14]
A well-reasoned federal court decision involving the copying of a computer program gave the following definition:
Trade secret protection may be afforded to any idea, process, or compilation of information valuable and useful in one's business which is not generally known. A trade secret is any special knowledge developed through skill and ingenuity and the expenditure of money and effort which, by being secret, gives the owner an advantage over his competitors. [15]
The judge in this case also pointed out that in deciding whether a particular program was entitled to protection, the court must consider not only the information, but:
• The degree of secrecy imposed by the developer.
• The amount of effort the developer expends in developing the secret and preserving secrecy.
• Its value to the developer.
• How difficult it would be for others to duplicate the trade secret.
In this case the judge found that the organization of the program, called JMS, combined with particular features within the system and the procedures employed in its use, were complex and unique. Plaintiff licensed the program to a gas company that had signed an agreement to "treat as confidential all programs, documents and other information relating to JMS;" all JMS licenses included such language. An employee of the gas company, Vaill, learned to use the program, and even helped demonstrate it to potential customers. But the court found that this employee's knowledge, and the information given at the demonstrations, were so limited that listeners could not understand "the program's design and architecture". Vaill teamed up with a programmer who developed a similar program in less than a month. Both programs used many of the same terms, although these were not standard industry lingo. After setting out the facts, Judge Zobel said, "the conclusion that they copied substantial portions of JMS is inescapable. Vaill does not seriously contest that he was bound by the confidentiality agreement... I find he did violate that relationship". [16]
(c) The company's needs. When the company develops its own software, precautions must be taken to protect trade secrets. This rule applies when application programs are used in the company's computer systems in its daily operations; even more so when the company itself is involved in the software business. To protect trade secrets, eternal vigilance is necessary because the accidental disclosure of a trade secret can lead to its loss. The only practical way to protect a trade secret disclosed outside the company is by contractual agreement.
While there is an implied duty of employees not to disclose trade secrets, most companies concerned with protecting these rights require employees to sign an explicit agreement under which they are obligated to respect the confidentiality of the company's information.
Courts have held that the company has a duty to advise employees of what it considers a trade secret. Not every bit of information will qualify, and selection of what is to be protected is a matter for decision by management. An attempt to classify everything as a trade secret will undoubtedly make it very difficult to prove that anything actually qualifies. On the other hand, failure to make clear what are trade secrets and, particularly, failure to take appropriate security precautions with respect to these secrets, will lead the court to declare that the company did not make sufficient efforts to protect its rights, and that the information is no longer secret. [17] Therefore their disclosure - even accidentally - can lead to the loss of the secrets.
(d) Software Locks. When a programmer, particularly an independent software company, prepares a customized program for a company, the program may contain a disabling feature, often called a software lock, that may be activated externally or by the passage of time or the occurrence of an event. Often these locks are not disclosed to the customer; should they be activated without the user's knowledge, considerable damage to the company can occur from an unforeseen system shutoff. As a first step, the customer should require the software company to state contractually whether there is or is not such a lock; and if there is, what will cause it to function. The data security officer should review all programs acquired by the company, and, if the license agreement or the programming contract does not discuss this question, it should be raised immediately. The courts have not looked favourably upon undisclosed software locks. Not only have the customers received cash remuneration for damage caused by the operation of the lock, but the perpetrator of the lock may face criminal sanctions. [18] Analogous to software locks, but not as commonly used today as in years past, is the copy-protected program.
While some companies fear that providing programs that can be copied only a few times will adversely affect sales, British experience indicates this is not so. [19]
(e) Copyright protection. Computer programs and manuals are also protected under the Federal Copyright Act, which protects the way the words (and code) are expressed but not the ideas themselves, which are the subject of trade secret protection. The copyright begins at the moment the source code or the manual is written and belongs to the employer. (When programs or manuals are prepared by outside consultants, particular care is required to make sure the company retains the copyright on these products by way of contract.) When a copyrighted work is published (i.e. offered for sale or voluntarily disclosed to a wide audience), the law used to require that a copyright notice be included, or the company could lose its copyright protection and find that the program or manual was in the public domain, to be copied freely by anyone. This law was changed when the United States became a party to the Berne Copyright Convention on 1 March, 1989. But while a notice is no longer required, it is advisable in any document that will be widely circulated to use a notice like the one at the foot of this article. The inclusion of such a notice makes it much more difficult for an infringer to plead innocence.
However, until the copyrighted work is published (with or without a copyright notice), the author's or other copyright owner's rights are protected under the federal law in almost the same way as if the document disclosed a trade secret. While copyright protects the expression and not the ideas, the effect may be very similar, and the procedures that the company should use in protecting these 'unpublished' documents are much the same.
(f) Security techniques to protect proprietary rights. Among the procedures that a data security officer should consider are:
• Numbering each copy of the trade secret or unpublished copyrighted document.
• Keeping a log of those to whom the document is issued.
• Checking the files and workstation of each recipient to be sure that the document is being treated as confidential.
• Making sure that all unissued documents are locked up and their distribution controlled.
• Instituting appropriate safeguards to prevent employees to whom such documents are issued from making copies for any reason.
Since a failure to take appropriate security precautions can lead to the loss of a trade secret, the security officer should give more attention to documents disclosing trade secrets than to unpublished works that do not contain trade secrets but are protected by copyright (such as systems manuals). The major problem in distributing unpublished copyrighted documents is the possibility that the document will be so widely distributed that the company's copyright will be lost at that time. How wide a distribution will cause the document to lose its protection depends on the nature of the document, the method of distribution, and the length of time that such distribution continues. However, if someone steals the document and makes it public, the law does provide the company with a remedy against all who copy the document. The same relief is not available when a trade secret is widely distributed against the wishes of its owner. Appropriate security precautions for copyrighted products that are not being distributed to the public are a logical responsibility of the security officer.
(g) Contractual commitments to protect proprietary rights. When computer programs are supplied by a software developer or other computer company, the programs are usually licensed and not sold outright. The license agreement often contains a number of provisions relating to the security of the programs and manuals. Failure to observe these requirements can lead to termination of the license and can expose the company to substantial monetary liability if, through its failure to observe security requirements, the proprietor of the software loses its trade secrets and profits that would otherwise have been earned. Similarly, when a piece of hardware is leased or rented or is the subject of a service contract, there may be certain commitments the user undertakes that concern the security officer. In January 1991 IBM issued a new general form contract covering hardware sales, software licenses, and maintenance; the agreement has since been somewhat revised, and the following excerpts are from the March 1993 version. [20]
Among the maintenance provisions of this form are the following requirements:
• When the customer does not own the machine, it must obtain the owner's consent before IBM will service it.
• Before IBM's maintenance people provide service, the customer must "secure all programs, data, and funds contained in the machine".
• The customer has to tell IBM when and where the machine is moved.
The standard form also states, "All information exchanged is non-confidential. If either of us requires the exchange of confidential information, it will be made under a signed confidentiality agreement." Among other customer responsibilities are compliance with "all applicable government export laws and regulations" (discussed under government controls) and "to provide us [IBM] with full, free and safe access to your facilities for us to fulfill our obligations". Both IBM and the customer are obligated to notify the other promptly if one of them "becomes aware of any unsafe conditions or hazardous materials to which the other's personnel would be exposed at any of its facilities". Except for specific exceptions, the customer's use is limited to the United States and Puerto Rico.
When we get to programs and code, IBM's restrictions are very clear. Some of its machines use 'Licensed Internal Code' abbreviated 'code'. IBM states clearly:
We own copyrights in code. We own all copies of code, including all copies made from them. Under each license we authorize you to do only the following:
1. execute the code to enable the specific machine to function according to its specifications;
2. make a backup or archival copy of the code (unless we make one available for your use), provided you reproduce the copyright notice and any other legend of ownership on the copy. You may use this copy only to replace the original, when necessary.
And the company is also specific about what the customer cannot do:
You may not do, for example, any of the following:
1. otherwise copy, display, transfer, adapt, modify, or distribute the code (electronically or otherwise), except as we may authorize in the Specific Machine's Specification or in writing to you;
2. reverse assemble, reverse compile, or otherwise translate the code;
3. sublicense or assign the license for the code, or
4. lease the code or any copy of it.
Similar restrictions apply to programs, as well as limiting the use to designated machines:
For each program, you agree to:
1. ensure that anyone who uses it (accessed either locally or remotely) does so only for your authorized use and complies with our terms regarding programs,
2. maintain a record of all copies, and
3. if it is a licensed database, allow access to the information contained in it only to your employees, agents or subcontractors, and only in support of their work for you.
And, at the end of the license, the customer agrees to destroy all copies of the program within three months, except for an archival copy.
Clearly, these commitments, and others like them that will be found in many other licenses, require that the data security officer prepare, execute, and revise periodically a plan for ensuring compliance with the rules of the supplier. It is important that the data security officer be aware of all the contractual commitments on security required by software licensors, hardware licensors and maintenance companies. He or she should find out what these are and institute appropriate precautions to see that they are followed. Sometimes, for example, a software license will require that employees who have access to the program sign a non-disclosure agreement. If these precautions are not taken, the company may find itself being sued for failure to protect highly proprietary programs and databases. With software license fees running in the tens of thousands of dollars, the liability for loss of trade secret protection and infringement of copyright can be in the millions.
Failure to protect the licensor's copyrights and trade secrets properly can cost a company dearly. For example, in January 1993, Data General was awarded over $27 million for copyright infringement of its diagnostic software and misappropriation of its trade secrets; to this the judge added $9 million under a special Massachusetts law for the trade secret misappropriation. To this was added almost $16 million in pre-judgment interest, and Data General's attorneys' fees! [21]
Particularly important are license requirements limiting the use of programs to specific machines, specific locations, or specific applications (e.g. the IBM requirement that the programs be used only in the United States and Puerto Rico and only on designated machines). The licensor's requirements should be examined and strictly adhered to (e.g. IBM's requirement that the customer maintain records of the number and location of all copies).
These may include requirements for printing copyright notices (the IBM license does), and these must be followed.
Recently, software companies have licensed a program in blocks, mostly for use on networks - for example, the right to use 500 copies simultaneously. While monitors are available to count the number in use at one time automatically, and prevent overuse by queuing up those who want to use the program, the security officer should be particularly concerned with the accuracy of that machinery. If such a monitor is not in use (perhaps the program is being used on stand-alone PCs), a system must be developed both to monitor the usage and to prevent unauthorized copying. Even if the software's confidentiality is not compromised, failure to follow these rules may result in the licensor revoking the license and demanding the return of all the software. If these programs are integral to the customer's data processing operations, the result could be disastrous.
In international operations, the data security officer's job is even tougher. While the copyright laws of many nations protect programs, trade secret protection is not available in many, and enforcement of the laws can be spotty. The European Union (formerly the European Economic Community), together with other European nations, has enacted a Software Directive that protects programs but, in certain situations, specifically permits decompiling the program.
(h) Enforcement efforts. Efforts to enforce proprietary rights in software are strong, and becoming stronger. The Software Protection Association (SPA) in Washington, DC, has been formed by major companies and has commenced and concluded quite successfully a number of suits for infringement of proprietary rights. This organization will also assist users in making sure their software is properly licensed, and provides a free 'Self-Audit Kit' complete with software. Whether such assistance should be sought before internal efforts are made to make sure that everything is properly licensed is a matter for serious consideration by management. On the international front, the Federation Against Software Theft (FAST), headquartered in London, and the Business Software Alliance (BSA), headquartered in Washington, are carrying on similar warfare against software pirates around the world.
(i) Personal computers. The security considerations with personal computers in the business organization are much the same as with mainframes. However, unauthorized copying of software is likely to be less controlled than in the mainframe environment, particularly when managers who are not under control of the information services department can buy their own hardware and software. As noted above, SPA, BSA, and FAST are pursuing these cases. But every company with personal computers, and particularly those with laptops, or who have personnel who 'telecommute', should establish a policy on acquisition and use of programs, making sure that this policy is widely circulated and enforced within the company.
A particularly important consideration for the security officer is removal of proprietary information from the hard disk when one disposes of the computer. Some years ago, the author was considering buying a particular kind of PC, and the reseller loaned me a second-hand one to test. When we ran C:\> dir, the directory showed that the hard disk still included the next year's budget and business plan for the previous owner, a major research organization. In another incident, surplus equipment sold by the Lexington, Kentucky, office of the US Attorney still contained much sensitive information, including the names of agents and witnesses.
Robert P. Bigelow
This paper is extracted from Legal Issues in Computer Security (J. Wiley & Sons) © 1984, 1995 by Robert P. Bigelow, Report Correspondent. All Rights Reserved.
BOOK REVIEW
EUROPEAN COMPUTER LAW
European Computer Law, by IT Law Group/Europe, 1996, loose-leaf binder, Transnational Publishers Inc. US$225, ISBN 057105023X.
As the authors point out in their introduction, "Information technology impacts on every business, often raising complex legal questions and problems. Realistic solutions to the issues requires specialist computer lawyers who understand the legal, technological and business issues relating to the supply and use of computer-related products and services. In today's global market place, there is an increasing need for legal advice and support across a number of countries." It is in response to this need that the Information Law Group/Europe was established in 1989 as a specialist computer law network with member firms in 15 countries across the European Union, Scandinavia and Eastern Europe. This text is a joint project by members of the Group, whose network is designed to give suppliers and users of computer-related products and services speedy access to specialist computer lawyers throughout Europe on a 'one stop' basis. The aim of this text is to provide its readers with a single reference point that will help them identify the legal issues and problems relating to the exploitation, use and proprietary protection of computer hardware, software and multimedia products.
The work is divided into two sections: part one contains the international chapters and part two the national chapters. The international chapters deal with the EC Directive on the Legal Protection of Computer Programs; the EC Directive on the Legal Protection of Databases; patentability of computer software under the European Patent Office; international trademark protection, and the EC Directive on trademarks; EC law affecting the distribution of software; and computer law in central and eastern Europe. A common structure has been introduced for the national country chapters covering Belgium, Czech Republic, Denmark, France, Germany, Greece, Italy, the Netherlands, Poland, Portugal, Spain, Sweden, Switzerland and the United Kingdom. Accessing the work is not altogether easy as there are no detailed contents pages. A breakdown of the headings for each chapter incorporated at the beginning would have been valuable.
Available from Transnational Publishers Inc., 1 Ridge Street, Irvington-on-Hudson, NY 10533, USA.