[TOC]
An engineer—like a doctor or a lawyer—is a licensed professional, who must possess both university degrees and a state license, in order to be allowed to design bridges and ships. So, engineering curricula offer electives on professional ethics, license exam preparation, and government regulations. But computer scientists—even those who work in heavily-regulated fields—are not licensed professionals. As such, no CS curriculum offers law-related electives. Yet, IT practitioners, too, interact with laws on a routine basis, directly or indirectly, knowingly or unknowingly:
This article presents a high-level introduction to the aspects of American law that pertain to hands-on technologists practising in IT. This article is also of interest to CS students with career aspirations in IT, because they should, as early as possible, seek a basic understanding of the interaction between law and technology.
Given the target audience, I elected to forego discussing many other areas of the law that are of interest to the C-level executives, such as corporate law, employment law, agency law, occupational safety law, commerce law, franchise law, tax law, securities law, antitrust law, administrative law, privacy law, national security law, campaign finance law, international law, and the like.
Note that the high-level overview provided herein amounts neither to legal training nor to legal advice.
The American Constitution established the federal government and the state governments as coequals, so that no one entity can prevail upon the others. This conglomerate form of government is referred to as federalism. The Constitution also established three coequal branches within the federal government: the legislative branch under Article I makes the laws; the executive branch under Article II oversees the operations of those laws; and the judicial branch under Article III says what the law is. This division of governmental powers is known as separation of powers, and it ensures that the power is not concentrated in one branch of the government. The legislative branch is headed by the Congress, which comprises two chambers, the House of Representatives representing the People, and the Senate representing the States. The executive branch is headed by the President and his cabinet. The cabinet secretaries manage their respective executive departments. The judicial branch is headed by the Supreme Court, under which lie the federal courts. State governments model themselves upon the federal, tripartite structure.
As it happens, all three federal branches make laws, albeit of different characters. A law made by Congress is called statutory law. A statute is an act of the People—an expression of their will. Congress’s statutory authority emanates from Article I. Statutes are codified into the United States Code (USC). A law made by the Executive, usually a department under his authority, is called regulatory law. A regulation comprises many individual rules. The bureaucrats in executive departments possess the expertise required to fill in the technical, implementation details that are missing from the statutes. The department’s rule-making authority is expressly granted by Congress in the enabling statute that established it. Hence, the Executive’s regulatory authority is not a constitutional power, but a statutory power. Nevertheless, a regulation promulgated pursuant to a statute has the same force of law as that statute. Regulations are codified into the Code of Federal Regulations (CFR). A law made by a court is called common law (or case law). A federal court’s jurisdiction (authority to adjudicate cases arising under federal law) emanates from Article III. The highest federal court is the Supreme Court, and its decisions are published in the United States Reports (USR).
By Article VI, Clause 2, the Constitution asserts itself the supreme law of the land. The next level down are the statutes enacted by Congress. Below the statutes are the regulations promulgated by the Executive. In Marbury v. Madison (1803), Chief Justice Marshall wrote that, “It is emphatically the province and duty of the Judicial Department to say what the law is.” That is, the Supreme Court has the exclusive authority to interpret the Constitution, and it can strike down statutes and regulations that contravene constitutional provisions. This was a uniquely American legal innovation.
Regulatory compliance is a fact of life for IT practitioners, especially those who work in heavily regulated industries like the transportation, financial, communication, environmental, and energy sectors. IT-related laws cover a vast array of issues: tax compliance, national security, privacy protection, handicap accessibility, export restriction, government contracts, and countless others. Some well-known IT-related laws include Sarbanes–Oxley, FISMA, HIPAA, etc. These are statutes enacted by Congress. But the laws that actually govern the industry on a day-to-day basis are the regulations that were promulgated by the various executive agencies, pursuant to authorising statutes. From a practical perspective, government regulations demand compliance reporting, compliance reporting requires data aggregation, and data aggregation begets a cottage industry of IT companies making software tools. Consequences of non-compliance range from remediation orders, at the benign end, to steep fines or even incarceration, at the severe end. In addition to federal regulations, there is also a bevy of state regulations.
The law of agency governs the principal-agent relationship between the employer and the employee, and it prescribes the rights and duties of the parties. The word “agency”, here, is a legal term of art that refers to the employer-employee relationship; it does not refer to an organisation, such as a government agency or an insurance agency.
The corporation is legally alive, but practically inert. As such, the employer corporation, as the principal, conducts its business through its agents, who are its employees, from the CEO on down. The employees owe myriad duties to the employer. The most obvious one is the fiduciary duty of the employee toward the employer—the duty to be fair and ethical, the duty to act for the benefit of the company, the duty not to misappropriate the properties of the company.
Companies typically require their new hires to sign, as a condition of their employment, an agreement acknowledging the receipt of information or training on the employee code of conduct, outlining the employee’s duties to the employer under the law of agency. Such agreements straddle agency law, employment law, and contract law.
Intellectual property (IP) comprises intangible properties like trade secrets, trademarks, patents, and copyrights. Traditionally, trade secrets are protected by state law, but recently Congress extended federal law protection to trade secrets. Trademarks are protected concurrently by federal and state governments. Copyrights are protected by state law before general publication, and alternatively by federal law after general publication. Patents are protected by federal law. In general, if an employee invents something on the job that could be a trade secret or patentable, that intellectual property belongs to the company. Similarly, if an employee produces a written work on the job, the copyright in the work belongs to the company.
A trade secret is some proprietary information—client list, market research, formula, process, algorithm, recipe, etc.—that gives the owner an advantage over the competition and that the owner takes due care to protect against public disclosure. Legal protection extends as long as the owner maintains secrecy of the information. If an employee or a licensee in possession of that information misappropriates it or unlawfully discloses it, the owner can seek recompense in court. But the owner of a trade secret has no right to exclude others from making independent discoveries, for instance, when competitors reverse-engineer the company’s non-patented, proprietary, embedded system.
Trademarks are source-identifying marks—logo, name, sound, packaging shape, product colour, etc.—that, by their unique nature, inform consumers of the origin and quality of the product and, by extension, the company’s reputation. A business becomes the owner of a trademark under state law simply by using the mark on its products. But to secure federal law protection of its trademark, the business must register it with the Patent and Trademark Office (PTO). Trademark protection continues as long as the mark remains in use. Hence, under trademark law, a company has a cause of action against those who clone or imitate the look of its product. The owner, by failing to protect the trademark with timely suits, forfeits legal protection.
The American legal system favours free trade and detests monopolies. But the Constitution provides for patents, which are temporary monopolies granted to inventors so that they may profit from their new, useful, and non-obvious inventions. A typical patent term is 20 years. In applying for a patent with the PTO, the inventor must disclose the inner workings of his invention in sufficient detail so as to enable other practitioners to reproduce the invention. These temporary, exclusive rights entice creative people to invest substantial amounts of time, effort, and money to create patentable inventions. When the patent term expires, the invention enters the public domain, and it becomes available for anyone to use. This, in the long run, benefits society. In general, IT inventions are software-related designs and software-driven processes. The Apple v. Samsung series of user interface design patent infringement cases is well-known among IT practitioners. To expedite the process of drafting patent applications, inventors should document and date their work in adequate detail: design alternatives attempted; methods explored; results obtained; evolution of diagrams and drawings; related ideas that may be pursued subsequently, and so on.
Copyrights are exclusive rights that inhere in the authors of original writings and the creators of original artworks. The author of programmes, both in compiled form and in source form, obtains copyright simply by persisting the programmes to permanent media, with or without the copyright mark. Copyright protection extends to 70 years after the author’s death. Thereafter, the work enters the public domain. The work made for hire statutory exception grants exclusive copyrights to employers for the works created on the job by their employees. Copyright protection of work-made-for-hire may last up to 120 years from date of creation. While that long-term protection of copyrighted Mickey Mouse character is vital to Disney, it is superfluous in IT, where technologies quickly grow out of date and are soon abandoned. The copyright protection that is relevant to IT is the protection against copying of proprietary programmes. But even this protection is losing its appeal, since software-as-a-product has been largely supplanted by open-source and by software-as-a-service.
Although IT practitioners interact with contracts only indirectly, this area of law is no less impactful: all externally-funded IT work is performed under some form of contract. Contracts are agreements formed under state law. The types of agreements relevant to IT are those that govern alliances, custom software development projects, IP licenses, and service level agreements (SLAs).
An alliance is when a few companies agree to work together on a specific project for a limited stretch of time. One such high-profile project was the Apple-IBM-Motorola (AIM) alliance that created the PowerPC architecture. The alliance was formed in 1991, and PowerPC became a successful CPU in the mid 1990s. But by the late 1990s, Apple’s relationship with AIM had soured. In 2006, Apple transitioned its hardware from PowerPC CPUs to the competing Intel CPUs. Although it is a good idea for technology companies to collaborate in this way, corporate culture mismatch and intra-alliance competition often derail their aspirational, common goal. As such, exit clauses in these collaboration agreements are as important as entry provisions.
A custom software development project is initiated when a company contracts with a boutique software house to develop custom software. The types of projects run under such contracts vary. At one end of the spectrum, the software house runs the project for a flat fee, and assumes the risk of failure. This is analogous to a kitchen remodelling project. This type of project is rare because, in software projects, the risk of loss is inherently undeterminable. At the other end of the spectrum, the software house provides expert development service on an hourly basis, and the hiring company runs the project and assumes the risk of failure. This is analogous to an on-demand maid service. This type of project is more common in software development. But software development contracts in general are no longer as prevalent as they once were, given today’s cloud-based software service economy.
IP licensing is another topic of interest to IT practitioners. Sometimes, while creating a product, a company discovers that a requisite component is covered by an existing patent, or that a high-quality, trade secret implementation is available. The company may then decide to acquire a license to use that technology. An IP license is a form of contract. IP licensing is non-existent in business computing, since line-of-business systems require no novel inventions. But this practice is common in specialised practice areas like medical devices, financial systems, and the like. On the other hand, copyleft is familiar to all software practitioners. It is an open-source software license that grants others the right freely to use, modify, and distribute one’s software, on the condition that they preserve those same rights for others in their derivative works. Copyleft licenses vary in the extent to which the derivative work is deemed subject to the open-source license, and hence non-proprietary.
Perhaps the most important contracts to IT companies are those they make with the federal government, pursuant to the Federal Acquisition Regulation (FAR). The FAR prescribes the policies and procedures for the federal government’s acquisition of products and services, including IT-related products and services. Not surprisingly, the DC Area has the highest concentration of government contractors. These companies are pejoratively labelled “Beltway Bandits”, in reference to the Capital Beltway that surrounds DC. What distinguishes government contracts from private contracts is that many common law contract doctrines cannot be used to prevail upon the sovereign, and that the sovereign always prefers lower price over higher quality. Of the many IT government contract types, the following are common: fixed-price (FP), cost-plus (CP), time-and-materials (T&M), and indefinite delivery, indefinite quantity (IDIQ). An FP contract requires the contractor to complete the work at the negotiated price, thus allocating a high risk to the contractor. This type of contract is used to acquire hardware products or to run IT service programmes where the operating environments are stable and the contractors know the environment well. A CP contract reimburses the contractor for costs incurred during performance, up to the negotiated maximum price. This contract type gives the government the flexibility to ask the contractor to fill some urgent, unanticipated needs, without exposing the contractor to undue risks. A T&M contract pays the contractor for the time expended and the materials consumed to produce results, and reasonable profits are priced in. It offers greater flexibility to the government, and also allocates greater risk to the government. This type of contract is used for exploratory, research projects, where it is impossible to estimate the cost with any certainty, given the novel nature of the work.
An IDIQ contract offers the government the greatest flexibility at the lowest risk and price. It allows the government to break up a large contract into small task orders and, when the need arises, ask multiple contractors to compete for a task. This type of contract is suited for filling, on demand, short-term needs for products and services.
When a company hires a top-level IT executive, it requires him to sign a non-compete, non-disclosure agreement (NDA) as a precondition of his employment. An NDA is perhaps the most relevant legal document to an IT practitioner. The purpose of this agreement is to protect the company’s trade secrets and its market position. Most technologists willingly sign NDAs without fully comprehending their scope and restraints. Later, after they have left the company, they end up violating their NDAs, often unwittingly.
Such an agreement typically forbids the former employee from competing against the company in the same market for one or two years. But the law favours mobility and freedom, so on policy grounds courts often narrowly interpret overly expansive NDAs. For instance, if a Beltway Bandit were to restrain its former employees from working for any other government consultant in the DC area, that NDA may well be invalidated by the court for overreaching.
Nevertheless, it is the fiduciary duty of a former employee to protect the trade secrets and to refrain from misappropriating the company’s goodwill or other intangible assets. And it goes without saying that a person may not do harm to his former employer for the management’s mistreatment he endured during his employment. The evil managers are not the company; the company is a separate “legal person”, to whom the former employee owes a fiduciary duty long after he has left its employ.
Although an average IT practitioner does not deal with the law directly, senior managers have the duty to ensure that their workforce—and they themselves—comply with relevant laws. Indeed, many senior managers must partake in legal negotiations, some representing a division, others representing the entire company. Hence, it is beneficial for IT practitioners to be familiar with the rudiments of the law.