As software continues to advance and permeate the patent space, source code review has become an increasingly necessary part of patent litigation. Yet, source code is frequently subject to protective orders as it is often considered highly valuable, sometimes even the "crown jewel" of a company's assets. So, experts involved in source code review often must travel to designated locations—frequently counsel's office—to review the source code in a secure environment.
This combination of restrictions generally requires Courts to employ a balancing act when crafting such protective orders, to assure both relatively convenient access by both parties and security of the source code. Meanwhile, however, many companies involved in these suits operate internationally. So, source code invoked in these conflicts may be housed in different countries across the world. And, this source code may never have been brought to the United States.
When determining appropriate source code review location for internationally stored source code, courts must balance convenience, security, and efficiency of review. Courts may look to existing protective orders and the Hague Convention on Taking Evidence Abroad in Civil and Commercial Matters when deciding source code review location for internationally stored source code. This can be a difficult task that often ends with neither side getting exactly what it wants. Indeed, Courts often expect parties to set the location for source code review themselves and only order a review location when parties are unable to agree.
Balancing Convenience, Security, and Efficiency
When deciding source code review location, courts need to balance security concerns with party convenience and efficiency. In Saxon Innovations, LLC v. Nokia Corp., 6:07-CV-490, 2008 WL 11346472 (E.D. Tex. Aug. 18, 2008), the Plaintiff sought source code review from multiple Defendants, including Nokia Corp. and RIM. The parties filed competing motions for protective orders, where Defendants argued that to maintain the security of the source code, each defendant "should [] be able to select their own secure site for the source code [review]." But, Defendants selected eight different sites around the world for source code review. Plaintiff argued that "it would be unduly burdened if it had to access Defendants' source code at eight different sites around the world," and proposed that all defendants should be required to produce source code at single, secure, third-party site.
The District Court agreed that "it would [] be extraordinarily costly for Plaintiff's expert(s) to travel to multiple locations around the world to review Defendants' source code." So, to promote efficiency, the Court adopted a compromise that allowed each Defendant to "select a secure third-party storage site in Boston." The District Court also found "Defendants' arguments regarding security somewhat disingenuous," because multiple Defendants "already have source code stored in a third party facility in Dallas" and the District Court "s[aw] no reason why they, or any other Defendant, could not find a secure site in Boston." This case demonstrates that convenience and efficiency may outweigh a party's interest in source code security. When source code review will be extremely inefficient or unduly expensive, a court may require source code to be moved from the producing party's desired storage location for review.
Guidance From Existing Protective Orders
Existing protective orders also strongly influence a court's determination of source code review location. Local patent rules often include model or default protective orders for highly sensitive information, and those model orders may be automatically implemented during source code discovery. For example, the Northern District of California has a "Model Protective Order for Litigation Involving Patents, Highly Sensitive Confidential Information and/or Trade Secrets." The Model Protective Order includes a provision that sets forth protocols for source code inspection, including that "any source code produced in discovery shall be made available for inspection ... at an office of the Producing Party's counsel or another mutually agreed upon location." Ordering the production of source code at the office of the producing party's counsel is a common practice, and model protective orders such as the Northern District of California's can strongly influence a court's final decision on source code review location. But the provisions of model protective orders are not always mandatory.
Courts may modify protective orders to grant additional protections for source code inspection. For example, in Berkheimer v. Hewlett-Packard Company, 12-CV-9023, 2014 WL 12959469 (N.D. Ill. Apr. 7, 2014), Defendant sought to modify the default protective order that "is automatically entered in patent infringement cases," under the local rules. Under the default protective order, there were no provisions specifically addressing source code, so Defendant sought to modify the default protective order to grant heightened protection for its source code in the form of review on a stand-alone computer at counsel's office. Plaintiff argued that no modifications to the default protective order were needed.
The District Court granted Defendant's requested modification, finding that Defendant had shown good cause for the additional protections because Defendant "has never licensed the source code to a third party or publicly disclosed any portion of the source code," Defendant's source code "is stored in a secured development environment," and Defendant "consistently has maintained that its source code should be accorded a high level of protection in other lawsuits where its source code was at issue." The Court also noted that "Plaintiff's proposal that Defendant provide electronic copies of its source code increases the risk of unintentional disclosure or copying" and "is an unnecessary risk to take in this case." As demonstrated by the Berkheimer case, courts often exercise wide discretion to establish discovery procedures and may grant additional protection not provided in default protective orders to source code, if a party can establish good cause.
Applicability of the Hague Convention
The Hague Convention on Taking Evidence Abroad in Civil and Commercial Matters is a multilateral treaty that establishes methods of evidence production between member states. Under the Hague Convention, member states receive evidence requests from judicial authorities requesting evidence. The member state can then determine if the evidentiary request is appropriate and may ask that special procedures be employed in the production of the requested evidence, such as a request that source code must not be taken out of the country.
The Supreme Court has established that the Hague Convention does not automatically supersede the Federal Rules of Civil Procedure and that the party seeking implementation of Hague Convention procedures bears the burden of "demonstrating appropriate reasons for employing convention procedure." Société Nationale Industrielle Aérospatiale v. United States Dist. Ct. for the S. Dist. Of Iowa, 482 U.S. 522 (1987). The Supreme Court also noted that courts should consider "sovereign interests and likelihood that resort to [Hague Convention] procedures will prove effective," when deciding whether to implement Hague Convention procedures.
In Autodesk, Inc. v. ZWCAD Software Co., Ltd., 5:14-cv-01409, 2015 WL 2265479 (N.D. Cal. May 13, 2015), the defendant, ZWCAD, sought to implement Hague Convention Procedures for review of source code located in China. ZWCAD argued that removal of the source code from China would break Chinese state secrecy and privacy laws. The District Court disagreed, finding that ZWCAD provided only "generalized allegations that production of its source code ... may subject it to liability under Chinese laws," which were "insufficient to establish that a genuine sovereign interest [was] at issue." While the Hague Convention is only applicable in limited circumstances, litigants should be aware of its existence and limits, in appropriate circumstances. The Hague Convention could be useful tool to protect source code from invasive discovery requests, such as a request to produce of source code in a foreign country like the United States, if the removal of source code to the foreign country would negatively impact sovereign interests.
Courts Leave Source Code Review Location Unpredictable
Source code's secrecy is of paramount importance to its value. And, foreign governments may have an interest in maintaining source code secrecy. These interests argue in favor of maintaining source code at its origin, to avoid security risks from transportation of code across international borders. Yet, the most stringent security procedures for source code review during litigation are likely to cause delay and expense. In some cases, severe inefficiency and undue expense may be enough to outweigh these security interests, and courts may order that source code be brought to the United States for review, regardless of the potential threat to its security. In some cases, the court may offset this risk by having the reviewing party bear the expense of secure transportation procedures for the source code.
Because weighing these competing interests is fact-specific, a decision on source code review left to the courts leads to significant uncertainty for both parties. To avoid an unexpected adverse outcome and to limit expenses, parties should cooperate early in litigation to balance security risks with efficiency. Ideally, parties can reach compromise for source code review, avoiding a mutually detrimental court decision.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
