Oracle and SAP are currently going head-to-head in the US courts over actions taken by TomorrowNow, a SAP subsidiary. It is alleged that TomorrowNow, a third party supporter of Oracle systems – and duly authorised to download material from Oracle on behalf of its customers - used its customers’ usernames and passwords to download more than it should.
I won’t go into this case in detail (Oracle’s full complaint can be found here) – in practice SAP appears to have confirmed that some “extra” downloads were made – and I suspect that the case will focus on trying to assess the level of losses Oracle incurred as a result (somewhere between SAP’s zero figure and Oracle’s $1 billion). But is there potential for the problem to be repeated – possibly with different players – in the UK market?
Clearly yes – and there are some big players that are open to such problems. Most large players’ senior management would not endorse TomorrowNow-type activities, and many make the access limits clear to their staff. In practice however, “Chinese walls” between operating divisions are easily broken by individual staff that “help a mate” or “return a favour”.
In Radius I remember that, when one of our customers out-sourced the running of one of our applications and sought to unilaterally assign all licence rights and obligations to the out-sourcer, Radius would always insist on the original customer retaining a responsibility for TomorrowNow-type breaches (we also built in additional protection for both our original customer and Radius – something that was subsequently proved to be highly beneficial for some of our customers).
We never used those clauses in anger, but their objective was to ensure that the contract between customer and out-sourcer included clauses to try to prevent TomorrowNow-type breaches by the out-sourcer’s staff. The clauses were a bit like a burglar alarm – if the alarm was ever set off by a burglary, the alarm has failed in its main role of deterrence.
The advice for customers using third-party software maintainers and out-sourcers is clear. Ensure that you contracts include not just the legal requirements, but also processes and procedures to be carried out by the third party’s management to educate and monitor their staff to follow the legal guidelines on access to other suppliers’ confidential information.
The advice for third-party software maintainers and out-sourcers is also clear – you must not only ensure that you make the importance of strict confidentiality abundantly clear to staff, but also put in place processes and procedures to monitor staff access to other’s confidential information. Rogue employees have always been, and always will be, one of the biggest problems for established suppliers – procedures to educate and then robustly supervise their actions are the only solution – particularly if those staff are off-shore.