Business

The Seemingly Trivial Realities Behind Tata Consultancy Services’ Massive Trade Secret Lawsuit

While TCS denies that there was any intellectual property infringement, this case sheds light on how simple measures to prevent conflicts of interest and ringfence customer data can go a long way.

Keeping data secure. Credit: ILO/Flickr CC BY 2.0

Keeping data secure. Credit: ILO/Flickr CC BY 2.0

New Delhi: Move aside, discriminatory-hiring lawsuits. Allegations of corporate espionage have now hit the Indian IT industry.  On Friday, a US grand jury found Tata Consultancy Services guilty in a trade secret lawsuit, slapping the company and its  American arm with two fines that total up to $940 million, or a little over Rs. 6,000 crore.

The lawsuit was initiated by health software company Epic Systems in late 2014 at a US district court in Wisconsin. Epic Systems had accused TCS and Tata America International Corp (the American arm) of “brazenly stealing trade secrets, confidential information, documents and data”.

The Tata Group, for its part, has denied that it infringed on Epic’s intellectual property. The salt-to-software conglomerate has issued a statement that says “while TCS respects the legal process, the jury’s verdict on liability and damages was unexpected as the company believes they are unsupported by the evidence presented during the trial”. Its next step of action will be to vigorously defend its position through appeals to higher courts — a course of action that is normally undertaken in legal situations such as this.

While the final damages awarded, or even the verdict itself, may change as the legal process continues its course, it is instructive to examine the developments of the TCS-Epic Systems case.

Unlike recent, high-profile corporate espionage cases such as the NSA-Petrobras scandal in Brazil, which was very high-tech in nature, the TCS-Epic Systems lawsuit has more to do with the seemingly mundane aspects of data confidentiality: restricting Internet access in client-specific development centres, ensuring proper user authorization and being mindful that creative work-arounds don’t trample over intellectual property agreements.

Much of the details surrounding the case comes from the “Undisputed Facts Section” of the district court order, which says that “unless otherwise noted, the court finds the following facts material and undisputed when viewed in a light most favourable to the non-moving party [TCS] on that issue.”

The crux of the matter

The charges that Epic Systems levies are straightforward: the company believes that TCS used some of its confidential code to build a rival hospital management system software product called ‘Med Mantra’.

However, the case revolves less around whether Med Mantra was built with inputs from Epic Systems and more about how one TCS employee allegedly gained unauthorized access to one of Epic Systems’ internal documentation database called “UserWeb”. UserWeb, according to the court order, “contains product materials, updates, training materials and other documents that detail Epic’s software and its data model.”

The parties involved

The lawsuit, however, isn’t as simple as a TCS employee hacking into Epic’s UserWeb.

The third party that this case revolves around is non-profit healthcare organization Kaiser Permanente, which has over 150,000 employees, and whose subsidiary Kaiser Foundation Hospitals operates a chain of medical centers and hospitals.

In 2003, Kaiser became a customer of Epic after it agreed to license Epic’s software for usage as an electronic health record. Kaiser, as a result, was given access to Epic’s UserWeb database.

In 2005, TCS started working with Kaiser as a consultant and after an episode involving a few TCS employees, the Indian software services company signed a “standard consultant agreement” with Epic wherein TCS agreed that “Epic’s program property contained trade secrets of Epic protected by the operation of law..”

In 2011, Kaiser engaged TCS to start testing Epic software in what is referred to as a “testing center of excellence”. Basically, TCS employees provided testing support for “regularly scheduled Epic releases, major upgrades and steady state maintenance testing”. Under an agreement they signed, TCS America and TCS India were supposed to carry out this work at approved offshore development centers (ODCs) in a few Indian cities including Chennai and Kolkata this agreement.

Point of contention #1

These ODCs were required to come equipped to protect data confidentiality: USB ports were to be disabled to ensure that TCS employees could not copy data, access to the TCS e-mail system and the Internet were to be prohibited, employees were not be allowed to use other people’s log-in information and TCS employees were prohibited from sending emails from Kaiser email addresses to non-Kaiser email addresses.

At this point, TCS and Epic have a difference in views. According to Epic, despite these security requirements, TCS had a number of separate computers inside the ODCs (called “kiosk machines”) that did have access to the Internet, TCS’s network and TCS email. While TCS has maintained these kiosk machines did not have Internet access and that the USB ports were disabled, testimony from a certain TCS employee showed that Internet access was available while an external audit apparently revealed that USB ports were not disabled.

Why was it so important, in this case, to understand whether computers in the ODC could be used to transfer information? Because some of the work that TCS needed to do for Kaiser required information from Epic’s UserWeb. While TCS employees weren’t allowed to access UserWeb directly, what Kaiser employees would do, according to the court order, is “download release notes from UserWeb for TCS employees to access”.

These notes helped TCS employees create “test scripts” for Kaiser. Two TCS employees testified during their depositions that there were times “when relying on either Epic or Kaiser personnel to obtain information [for them] took time”. This cumbersome workaround, however, was used because Epic didn’t allow UserWeb access to TCS employees.

Point of contention #2

The issue of TCS employees gaining access to UserWeb, when TCS hired an employee named Ganesh (name changed) in 2011 and set him to work on the Kaiser-Epic project. Ganesh had earlier worked with another Kaiser client and because of that had registered and was given access to Epic’s UserWeb.

Now, Ganesh, according to the court order, believed that even after shifting jobs and moving to TCS “he still needed direct access to UserWeb. In particular, he believe that lack of access to UserWeb could delay his team’s work [at TCS].”

In violation of the UserWeb user agreement, Ganesh used his UserWeb credentials in order to access and download documents from UserWeb while employed by TCS in Chennai.

According to his testimony, after being blocked from his Kaiser-issued computer, Ganesh used the “TCS kiosk computers to access the UserWeb, view and download documents to the kiosk’s hard drive and then emailing them from his tcs.com email address to his kp.org email address.”

From here started a whole chain of events: Ganesh shared his UserWeb log-in information with a number of TCS employees within his team including his manager. According to court documents, from June 2012 to June 2014, “individuals using Ganesh’s UserWeb credentials downloaded over 6,000 documents and more than 1,600 unique files.”

Epic believes that the downloaded documents “contain detailed information on the features and functionalities of Epic’s software and database systems developed over thirty years”. Ultimately, they believe that the documents that were downloaded could be used to reverse-engineer their own software.

TCS for its part, during its legal defense,  has stated that all of the documents “were of the type necessary for work of the TCS testing team.”

Another bone of contention rests on the fact that a year after Ganesh shifted to TCS, he updated his UserWeb registration details to reflect that he was “now an employee of TCS working for Kaiser” and no longer with his old company. Epic apparently did not reply to this update. During his testimony, an Epic employee stated that “Epic intended to deactivate Ganesh’s account”. This, however, did not happen and Ganesh was able to continue to renew his account every 120 days as was required.

Point of contention #3

The final question revolves around whether the employees of TCS working on the ‘Med Mantra’ project — which could potentially compete with Epic’s own software — had access to the UserWeb documents that were downloaded by the TCS employees working on the Kaiser account.

TCS maintains that all the documents that were downloaded were used solely for the “purpose of performing services for Kaiser”. In its own internal audit, it found no copies of Epic’s documents on any of the computers or servers used by the Med Mantra team.

Epic’s case rests on a number of other instances where its UserWeb documents were shared within the TCS organization: For instance, Ganesh’s boss Harish (named changed) shared information and a number of documents with another TCS employee, Jeeva, who was in charge of preparing a comparative analysis of Epic’s and Med Mantra’s products. This comparative analysis was forwarded to a few TCS employees, one of which is identified as being part of the Med Mandtra’s organizational team.

TCS’s Chief Security Officer Ajit Menon, however, searched the email accounts of these specific employees and “found no indication” that any of the individuals had forwarded the comparative analysis to anybody else.

Keeping data confidential

Ultimately, this case boils down to some of the more mundane aspects of data confidentiality that many taken for granted today. As India’s IT industry continues moving up the value chain from maintaining legacy systems to creating new products, questions of intellectual property infringement and conflict of interest will continue to rise.

For instance, there appears to be little doubt that a number of TCS employees did have seemingly unauthorized access to Epic’s UserWeb system and that a number of computers within the ODC were used to download documents. TCS’ legal defense, as court documents show, rest on the fact that it had “no contractual obligation to notify Epic since the information accessed was not used improperly.”

On its part, Epic appears to have committed a number of simple mistakes, which doesn’t justify the unauthorized downloading, but could have been avoided nevertheless. When Ganesh changed his UserWeb credentials to reflect that he was a TCS employee, the company, as it admits, should have denied Ganesh access but failed to do so.

While this may a case of impropriety, rather than illegality, what the TCS lawsuit does show us that you don’t need to commit top-notch corporate espionage to attract a nearly $1 billion lawsuit. Something much smaller will do.

  • jakeleone

    This is a brazen case of Corporate espionage.

    Further is shows how vulnerable patient information is at Kaiser Permanente. Apparently this worker from India had complete unrestricted access (while fraudulently posing as a Kaiser permanente employee) to all the patient records. You know Social Security number, residence, Date of birth… The kind of information credit thieves need.

    Kaiser really needs to do something about this, I don’t feel comfortable and I discussed this with my spouse who is also very uncomfortable with the callous exposure of patient medical record information, let alone the damage done to the Kaiser system and to other software vendors.