github / balanced-employee-ip-agreement

GitHub's employee intellectual property agreement, open sourced and reusable
Creative Commons Zero v1.0 Universal

IP records protection #86

Open andres-mendez-b opened 2 years ago

andres-mendez-b commented 2 years ago

In section "7. Cooperation" I read:

To help in those situations, you agree to maintain all records relating to the development of any Company IP, and, if the Company asks, to provide those records to the Company.

I think that giving the responsibility for IP record protection to the employee puts the company at risk for different reasons:

1.- Looking at ISO 27002, there is a security control regarding records, "18.1.3 Protection of records". That control begins with: "Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements." If there are records relevant to the company regarding IP, the company should require the employee to provide them to the company while at work. By doing so, the company can perform a proper backup of that information and prevent the employee (or future ex-employee) from losing it.

2.- There is another ISO 27002 security control which gives a hint about what should be considered when an employee is fired, "9.2.6 Removal or adjustment of access rights". That control ends with: "In cases of management-initiated termination, disgruntled employees or external party users can deliberately corrupt information or sabotage information processing facilities." Again, you can't trust a former employee with keeping those records for the company's good.

3.- Again, thinking about information security, there is another security control affected here, "8.1.4 Return of assets". That gives more hints: "In cases where an employee or external party user purchases the organization's equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment (see 11.2.7). In cases where an employee or external party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the organization. During the notice period of termination, the organization should control unauthorized copying of relevant information (e.g. intellectual property) by terminated employees and contractors." Maybe what BEIPA proposes sounds good if we are talking about an employee who works on open source projects for the employer and works on personal open source projects at the same time. But BEIPA says "But BEIPA is not specific to open source", and then we can run into problems (from my point of view).

These are just a few reasons that come to my mind to support my suggestion: it is a VERY BAD idea to delegate IP record management to employees.

BenjamenMeyer commented 2 years ago

To note: version control systems (e.g. cvs, git, subversion) and document version systems (e.g. livelink, sharepoint) qualify as the means of control, both for document storage and for access.

That doesn't solve your 3rd point or WIP, especially when letting someone go for any reason; but hope that answers the general case at least.

andres-mendez-b commented 2 years ago

@BenjamenMeyer I agree that those tools you mention would get the job done of maintaining records about development. Still, those are tools used for collaboration provided by the company (it's not usual that an employee will deploy those by himself).

So it seems that you support my idea that you shouldn't ask the employee to keep those records, as that is a company's responsibility (for its interest and responsibility). Do you agree?

BenjamenMeyer commented 2 years ago

> @BenjamenMeyer I agree that those tools you mention would get the job done of maintaining records about development. Still, those are tools used for collaboration provided by the company (it's not usual that an employee will deploy those by himself).

Correct, the employer deploys them, but work product in those tools is not tied to an individual's system. Worst case the employer may lose a small amount of WIP (work in progress), but generally nothing major.

> So it seems that you support my idea that you shouldn't ask the employee to keep those records, as that is a company's responsibility (for its interest and responsibility). Do you agree?

Yes I do agree. Though there is a balance between what is stored in those tools and WIP. When properly struck, the WIP won't generally matter.

Often before someone is let go (layoffs, fired, etc.) they are cut off from those tools to ensure they can't do any damage; the WIP is considered lost and replaceable, since allowing them to commit it may create a worse situation for the company than merely redoing the work.

OTOH someone that voluntarily leaves is asked to make sure all their WIP is completed and checked in and transfer knowledge to others as part of the off-boarding process.