Ken Pfeil, CSO at Capital IQ, says the SolidWorks theft case should ring alarm bells at every company that wants to outsource. "You really have to dig on due diligence," he says. "[Require] background checks on employees, look at the company history and financial stability, look at their retention rates for employees." Turrini, the lawyer, recommends putting someone with deep pockets on the hook. For instance, insist on indemnification agreements with the outsourcing provider, and make sure that provider has substantial assets in the United States just in case. Failing that, he recommends, get insurance for source code.

While those steps might sound straightforward, companies often fail to take even basic steps to check on potential suppliers, according to Bill Malik, who spent 11 years as an analyst at Gartner before becoming CTO of Waveset Technologies. He declines to name names but says that "people far too often don't do their due diligence. I've seen organizations that just want to take a pass on the whole thing. They just want to outsource development to the cheapest vendor."

Usually, such hasty decisions are driven by the need to keep up profits and revenue. Looking at short-term financial gains is a huge mistake, Malik says, and cases like the one unfolding in India show why.

Also ahead: a shift in the outsourcing market that will put intellectual property protection in the spotlight. The first wave of software outsourcing has focused on application development and maintenance, both of which have fairly contained levels of risk, outside of the odd rogue employee like Verma. But as companies move more and more types of software development overseas, such as databases and other packaged applications, they need to think about what kind of data they make available for testing. Also, Nasscom members are aggressively seeking out higher-end business process outsourcing (BPO) opportunities, such as call centers and claims processing. India outsourcing did more than $1.2 billion in this type of work last year and expects to generate $16 billion in revenue from BPO in 10 years. These kinds of applications create thorny issues about personal data protection for U.S.-based customers.

Legal eagles such as Bierce say that India and other nations interested in drawing more high-end software work such as BPO need to adopt laws that protect personal information when it's transferred from other countries. "Software development is easy - you don't have data protection problems until you start populating a database," Bierce says. He notes that Nasscom is working on such a law, though it failed to generate one in a similar effort several years ago. The push for call centers, claims processing and other back-office work means that U.S. companies must reassess what's at stake. As offshore vendors deal more and more often with customers and specific customer data, the potential for abuse rises.