Depending on the type of software used, even the smallest company with 5-25 users can be subjected to extremely large costs resulting from an audit (or legal fees under a copyright action). In this size company, there is often a lack of qualified staff in-house to manage the situation, or companies this size may outsource their IT role altogether.  In medium and much larger sized organizations, you often have qualified IT staff in place but confusion as to whose functional responsibility it is.  In these organizations, there may be procurement, legal, and financial stakeholders that could conceivably carry some of the responsibility.  One thing is almost certain though–as the size of the organization increases, so does the possible financial exposure from a software audit.

I recently posed the question on a professional networking web site asking for opinions as to whose job it is to manage software licensing.  The responses were interesting because most of the contributors had different answers.  Responses to the question ranged from the CFO to the IT staff, to various other titles throughout an organization.  In some ways, everyone had it right, and in some ways, no-one did.  My opinion and what these varied responses indicate, is that it is everyone’s job. 

Compliance in any sized organization is certainly not easy. Constantly changing environments, technologies, and complex licensing agreements across platforms and business models all contribute to what has become a significant liability for many companies.  One would be well advised to answer the posed question for their particular environment long before receiving an audit letter. 

However, what price is the correct price to use in performing those calculations? Most publishers by default either will give themselves wide discretion to determine the amounts required to resolve an audit (e.g., IBM) or will specify in their agreements that the prices to be used are full retail (e.g., historically, Microsoft). However, in some newer agreements, we have seen publishers reference either marked-up negotiated prices (e.g., newer Microsoft agreements) or the actual rates at which licensees have purchased licenses. Given that level of variability, we typically use MSRP as the starting point for exposure analyses that we prepare for our clients. If the agreements specific to a particular vendor’s products indicate that a different pricing level should be used, then we can make those adjustments as needed.

In addition, some publishers do not stop at license pricing in calculating settlement demands following audits. For instance, publishers’ positions with respect to retroactive maintenance typically vary widely. Some will use it if it is consistent with the licensing framework underlying a settlement demand (e.g., Microsoft may use the Self-Hosted Applications benefit of Software Assurance in connection with deployments found to be used for commercial hosting purposes). Other publishers require maintenance to some extent if support services have been accessed during the audit period (Attachmate and Adobe are good examples). There also are publishers that may not charge retroactive maintenance, but that will require maintenance to be purchased in connection with any licenses needed to resolve an audit (such as Autodesk).

A reliable, default starting point for exposure estimates in most cases will be full retail with no additional charges at the outset, provided a company’s SAM team understands there is a possibility that additional charges could be assessed by the auditors. However, it is always a good idea to review the applicable licensing agreements and policies to determine whether there is a likelihood that back maintenance or other, additional charges (like back interest, in the case of Attachmate) will contribute your audit exposure.

Almost all major software publishers that offer their products for resale and distribution by ISVs or by other solution providers require those resellers to license their products under end-user terms prepared by the publishers. Those terms often include requirements that end users run the software only in connection with the ISVs’ solutions and otherwise in conformance with the publishers’ other restrictions. They also may include provisions requiring end users to cooperate in the event of an audit in providing data regarding their deployments. ISVs that fail to incorporate those terms in their customer agreements may find themselves in the untenable position of having to alienate either their customers or a business-critical vendor in the event of a license review.

However, most required end-user terms do not include all the legal protections that an ISV may want to pursue in order to mitigate audit-related exposure. For example, the terms may not include a clause requiring cooperation by end users, even though the ISV’s agreement with a software publisher may obligate it to provide end-user deployment data during an audit. In addition, no end-user terms that I have seen even attempt to apportion responsibility for license discrepancies among an ISV and its customers. If the publisher’s products are found to have been over-deployed, the ISV typically is left holding the bag.

For those reasons, it is vital for ISVs to take a close look at their customer agreements and to ensure that they provide enough flexibility (1) to respond to an audit that may be initiated under an agreement with a third-party vendor like IBM, Oracle or Microsoft, and (2) to pass through to the ISVs’ customers the responsibility for licensing errors that were committed by those customers.

A tactic that we are seeing increasingly with many software audits is for publishers (1) to announce that audited businesses have incorrectly interpreted their software license agreements and then (2) to explain what the publishers’ “intent” for the agreements really was. For example, a license agreement may prohibit using software for “commercial hosting” purposes without defining what “commercial hosting” consists of. Absent that guidance, a licensee may deploy the software in customer-facing environments but may do so in a way that, based on the licensee’s understanding of the word “hosting,” does not cross the line. Then, in an audit, the publisher informs the licensee that its “intent” for the prohibition was to stop just the sort of deployments used in the licensee’s network and that the licensee therefore was using the software improperly for “commercial hosting” purposes. In other words, while the publisher may have had an opportunity to make its “intent” clear in the license agreement, it instead promulgated a vague license and then used that vagueness as a sword to claim a windfall during the audit.

It is important to remember in such situations that contract law typically does not favor such arguments. For instance, in interpreting contracts, courts in Washington state (the laws of which control the interpretation of Microsoft’s license agreements, among others) “attempt to determine the intent of the parties by focusing on their objective manifestations as expressed in the agreement.” McGuire v. Bates, 169 Wn.2d 185, 188-189 (Wash. 2010). “The subjective intent of the parties is generally irrelevant if [courts] can impute an intention corresponding to the reasonable meaning of the actual words used.” Id. Moreover, to the extent that there exist ambiguities in a written agreement, those ambiguities will be construed against the party that drafted the agreement. Brinson v. Linda Rose Joint Venture, 53 F.3d 1044, 1048-1049 (9th Cir. Wash. 1995). Therefore, to the extent that a court might find that there are no ambiguities in the licensing language in question, either party’s subjective intent for that language would be irrelevant. Conversely, to the extent that a court might find the language to be ambiguous, that ambiguity likely would be construed to be consistent with the licensee’s interpretation, not with the publisher’s interpretation.

For these and many other reasons, it is vital that a company’s legal counsel be involved in any software audit as soon as the company receives an audit notice letter. Software publishers often assert legal positions that are not supported by applicable law, and a company that coordinates its response among IT, procurement, SAM and legal team members stands the best chance of mounting an effective defense.

Most software publishers will refuse to recognize license credit based on invoices from vendors that are not authorized resellers. In the context of a BSA or SIIA audit, this can have two important consequences. First, if audit results are submitted that include documentation of invalid license purchases, the auditor likely will demand payment of a penalty for any software installations that had depended on those purchases. For every software installation that is unsupported by a license, that penalty often is calculated as the license MSRP at a 2x or 3x multiplier. Due to the strict-liability nature of copyright law, the auditors typically do not care whether the company was an innocent victim of the unauthorized reseller. The second consequence can arise after negotiating a settlement of the audit, pursuant to which the audited business almost always is required to submit a certificate of compliance demonstrating that any licensing discrepancies have been remediated. If the business attempts to satisfy its post-settlement compliance obligations by purchasing invalid licenses, the auditor may reject the certificate, forcing the company to re-purchase the licenses from an authorized reseller.

In order to avoid these risks, CIOs and IT teams need set appropriate procurement policies and to do their homework before undertaking any significant license purchases. Three important tips to keep in mind include the following:

• Avoid the Bargain Bin If the prices of licenses advertised on the Internet look too good to be true, they likely are too good to be true. Retail licenses with unit prices that are significantly below MSRP run a much higher risk of being scrutinized and rejected by auditors. Similarly, purchases from vendors selling through third-party sites like eBay or the Amazon Marketplace should be avoided, since there usually is no reliable way to verify that those sellers are offering valid licenses.
• Avoid Old Licenses Many businesses with installations of older-version products that are determined to be unlicensed are inclined to try to obtain licenses for those versions in order to satisfy their licensing obligations. This is another mistake. Publishers typically stop offering licenses for older versions soon after newer products are released, so these offerings often are questionable, especially where several months or years have passed since the older versions were discontinued. One option for businesses in this situation is to pursue license purchases under a publisher’s volume-licensing framework—such purchases often include downgrade rights permitting use of prior versions.
• See What the Publishers Say Most software publishers offer at least some level of guidance on their websites in order to steer customers toward authorized license sources. Those sites include the following:

  Adobe
  http://adobedealreg.force.com/PartnerSearch?lang=en
  Hint: Select “UNITED STATES” in the “Country” drop-down menu, then click “Search.” Click the “Company” column header to sort the results by reseller names.

  Autodesk
  http://usa.autodesk.com/adsk/servlet/ps/searchform?siteID=123112&id=1088201
  Hint: For a longer list, select the largest search radius from the “Location” drop-down menu and "AutoCAD” from the “Product” drop-down menu.

  Mastercam
  https://secure.mastercam.com/findareseller/Default.aspx

  Microsoft
  Guidance only (no reseller list) is available at the following site:
  http://www.microsoft.com/en-us/howtotell/default.aspx

  SolidWorks
  http://www.solidworks.com/sw/purchase/varlocator.htm

  Symantec
  http://partnerlocator.symantec.com/public/search;country=United%20States;v=advanced/
  Hint: For a longer list, select the largest search radius next to “Proximity”.

Problems arise, however, when the auditor insists on the use of a particular tool (often, a tool that is owned and made available by the auditor). I have discussed in the past the perils of deploying the IBM License Metric Tool (ILMT) in support of license-verification activities associated with IBM software products. However, IBM is not the only vendor with a dedicated audit solution.

Recently, Autodesk has requested that businesses provide deployment data from its Autodesk Inventory Advisor (AIA) tool. In some instances, the AIA output sometimes presents an inaccurate picture of a company’s actual Autodesk product deployments. For instance, AIA reports may indicate that there are numerous installations of one of Autodesk’s expensive CAD solutions; however, following a manual inspection may reveal that the only Autodesk products actually installed were free viewer programs that would be largely irrelevant to the outcome of an audit.

Businesses facing Autodesk audits need to remember that they are not without defenses against Autodesk’s aggressive tactics with respect to audit inventory gathering. First, it is important to keep in mind that while Autodesk has the right to demand an inspection of a company’s Autodesk product deployments under the terms of the standard Autodesk EULA, there is nothing in that EULA that requires a company to deploy AIA in response to Autodesk’s audit demands. Second, even if a company agrees to deploy AIA and to provide AIA results to Autodesk, there is nothing to keep the company from deploying a second tool to help verify the AIA output and avoid the prospect of reporting inaccurate audit information. Finally, while Autodesk currently may enjoy a substantial share of the CAD market, companies with concerns regarding Autodesk’s license terms and audit tactics should use those concerns as factors when considering their options for CAD software licensing. Autodesk does what it does because it can. To the extent that companies start transitioning to other products in response to Autodesk’s current licensing positions, the company eventually may respond with more customer-friendly policies.

Don’t count on it.

Initial compliance demands from publishers often are riddled with discrepancies in the factual assumptions underlying those demands or the legal frameworks on which they are supposed to be built, and those discrepancies almost always tilt the scales in the publishers’ favor. For example, it is not at all uncommon for network inventories to include duplicate or mis-classified machines. In the context of a Microsoft audit, this can take the form of internal-use servers being characterized as hosting machines (which would require either SPLA licensing or Self-Hosted Application rights under Software Assurance). If the audit involves a Microsoft Enterprise Agreement (“EA”), Qualified Desktop counts may be inflated by the inclusion of line-of-business machines based on an incomplete review of inventory data or on an overly expansive interpretation of controlling license terms (which can be frustratingly vague).

Even in cases where there appear to be no data errors or mis-applied licensing rules, it seems to be standard practice for publishers to take advantage of ambiguities in the licensing rules they draft in order to maximize the return on their audit investments. Again using Microsoft as a handy example, a company with a large server farm licensed under an EA may face a larger-than-expected settlement demand based on retroactive pricing for Software Assurance (“SA”). Microsoft often uses license pricing based SA being dated from the beginning of the term of an EA enrollment, even though the software in question may have been deployed sometime well after the beginning of the term.

While some of these practices may be consistent with licensing rules and others are not, they all point to the importance of not taking compliance demands at face value. You can bet real money on the fact that publishers will present those demands as unassailable and sacrosanct, but there almost always is room for improvement and negotiation. In cases where the demand is large or the environment is complex, it makes sense to seek the advice of a knowledgeable attorney or licensing consultant in order to identify as many opportunities as possible to attack the assumptions that underlie those demands.

When it comes to being audited – despite any historically warm relations with account representatives or other vendor representatives and regardless of whether the vendors refer to the audits with euphemisms like “license verifications” or “software asset management engagements” – companies must understand that their legal and business interests have been threatened, and they should be prepared to respond in kind. That does not necessarily mean that a legal response is required, but legal teams absolutely must be involved in the audit-response process, and the company should be prepared to defend its interests with a comprehensive audit-response plan. Some of the basic elements of such a plan include the following:

• Communications For larger enterprises, legal team members should assume primary responsibility for all communications with vendors and auditors during the course of any vendor-initiated license verifications. There may be cases where it would be appropriate for business teams to remain on point, but, at the very least, all communications with the vendor should be routed through a single point of contact in order to avoid situations where vendors or auditors receive inconsistent communications from the audited company.
• Pre-Audit Agreements Of equal importance is the necessity of confirming the scope and process for the audit in a written, pre-audit agreement with the vendor and any third-party auditors engaged to conduct the audit. It is very common for the scope of an audit to evolve (and typically expand) over the course of an engagement, and such “scope creep” typically only results in higher exposure for the audited business. Pre-audit agreements often include terms addressing the following:
            o Geographic and technical scope of audit investigations (to be as limited as possible)
            o Litigation forbearance while audit is pending
            o Confidentiality and inadmissibility of audit information
            o Agreed audit-resolution and post-audit compliance steps

However, the most important thing to keep in mind during an audit is the fact that just because a vendor may have the contractual right to conduct an audit, that does not mean that all of its demands will be consistent with agreed audit terms or that there is no possibility to negotiate more favorable terms in the interest of preserving the relationship. A strong audit-response policy can greatly help a business to maximize opportunities for a more favorable outcome.

After that baseline i sdetermined (preferably well before settlement in order to avoid running up against compliance deadlines identified in the settlement agreement), the business has a decision to make: Buy or uninstall? For any software determined to be unneeded for any business purpose, the best course of action in most cases is simply to remove it. Where installations are needed, though, the company should be prepared to buy the licenses it requires in order to support the use of that software. Here are three tips to keep in mind when contemplating a compliance purchase in the context of a software audit:

• Wait. Especially when a business wisely decides to use the audit scan as the baseline for it scompliance initiative, there may be a temptation to pursue a compliance purchase before reaching a settlement with the auditing entity. In most cases, this is a mistake. The release from liability obtained at settlement in BSA and SIIA audits typically allows for a period of time following settlement – usually 30 or 60 days – for the company to make any necessary license purchases. That is the best time to move forward with those transactions, because doing so at an earlier stage may result in a number of licenses that differs from the number of deployments following settlement. In addition, information regarding volume licensing transactions or purchases from publishers rather than from resellers can be reported back to the BSA or SIIA,which could complicate the negotiations process.

• Avoid Spending Money on Paperwork. The BSA and SIIA impose relatively strict requirements for the documentation they will accept as proof of license ownership. However, a business’ inability to meet those requirements during the audit phase does not necessarily mean that the business does not own the licenses it needs for a particular product. Where management is confident the company previously purchased licensing that, for whatever reason, it now is unable to document, the company should hesitate before purchasing licenses merely for the purpose of acquiring one or more license invoices. While it is important for businesses to maintain accurate and reliable records of all software licenses they own, the priority at the compliance stage should be acquiring licenses that are known to be needed to support prospective software installations and access.

• Scrutinize Your Vendors. One of the most costly mistakes that can be made during post-settlement compliance is purchasing licenses from unauthorized vendors. If the documentation attached to a certificate of compliance includes invoices from transactions through eBay or the Amazon Marketplace, the BSA or SIIA may challenge the documentation and may allege that the company has failed to satisfy its obligations under the settlement agreement. In that event, the business may have no other choice but to re-purchase the licenses through a more reputable vendor, such as Dell or CDW. Before proceeding with any license purchase – in any context – it is important to first confirm that the seller is authorized to sell the licenses that they are offering.

Unfortunately, an important step remains: In almost every BSA and SIIA audit, it is necessary for the audited business to sign a certificate following settlement confirming – usually under penalty of perjury – that the business is using only licensed copies of BSA- or SIIA-member software and that no unlicensed software remains on its computers. Though it comes at the very end of the process, this probably is the most important step from the perspective of the software companies represented by the BSA and the SIIA, because this is when they see a return on their member dues. All amounts paid to the BSA or the SIIA in order to settle the audit and obtain a release of liability are retained by the BSA and SIIA, respectively. The audited business does not receive any software licenses in return for that payment or any assurances of prospective compliance. In order to be compliant with applicable licenses and with non-monetary settlement terms, the business needs either to uninstall unneeded software or to purchase licenses for the software that it does need.

Before any software deletions or license purchases occur, though, it is vital for the business to know what software is installed and what licenses are owned, and the best time to collect that information is during the audit. We frequently advise our clients to use the audit inventory as a baseline for prospective compliance work and to use a list of action items based on that inventory in order to take the steps needed to sign the required, post-settlement certificate. As long as the business has minimized any changes to its computer network and has kept good records of any new or decommissioned computers in its environment, then this typically is the most efficient way to address this project. However, in some cases it may be necessary to collect a new inventory in order to be certain that the company is starting with accurate information. Management, IT teams and legal counsel should work together at this stage to determine the most appropriate way to proceed.

In a subsequent posting, I will discuss some of the mechanics of the compliance steps and what business should be prepared to show in the schedules that typically are attached to the compliance certificates.

Section 14 of the EULA includes the following language:

The Software may cause your Computer, without additional notice, automatically to connect to the Internet and to communicate with an Adobe website or Adobe domain for purposes including, but not limited to, license validation and providing you with additional information, features and functionality...Whenever the Software makes an Internet connection and communicates with an Adobe website, whether automatically or due to explicit user request, the Adobe Privacy Policy (http://www.adobe.com/misc/privacy.html) shall apply. Additionally, unless you are provided with Additional Terms of Use, the Adobe.com Terms of Use (http://www.adobe.com/misc/terms.html) shall apply.

It remains to be seen whether such terms will come to be commonplace among consumer-level software license agreements. However, even if they do become commonplace, that is remarkable language from a substantive,legal perspective. Simply by paying for a license and installing an Adobe software product (such as Photoshop or Acrobat), you are agreeing that the software may, at any time, and without your knowledge, connect to and communicate with an Adobe website. Once connected to that website, there is no meaningful limit stated in the EULA as to the kinds or quantity of information that may be reported to Adobe. Furthermore, by connecting to the website the software binds you to Adobe’s Privacy Policy and Terms of Use, both of which documents Adobe is free to amend unilaterally at any time.

Those terms raise a host of privacy-related concerns, especially for businesses that may store sensitive, personal information (such as the kinds of information covered by HIPAA, for example) on the same systems where the Adobe software is installed. Depending on the scope of Adobe software usage and on the architecture of affected IT systems, many businesses may want to consult with counsel to determine whether contemplated and ongoing use of Adobe products licensed under the above terms may be in conflict with relevant contractual or regulatory obligations. It also is important to keep those provisions in mind in the event of an audit, since Adobe previously may have received software-inventory information that could be in conflict with information reported during the audit.

1. Don’t Wait for an Audit. A publisher-requested software audit is the absolute worst time for a business to collect its first comprehensive software inventory. In many cases, the auditor will demand that its own tools and processes be used to collect the audit inventory. In those situations, absent mature and tested internal inventory processes, the audited business will have no practical way to challenge any apparent discrepancies in the auditor’s findings, and the publisher will be loath to consider different inventory information without a compelling reason to do so. In addition, without pre-existing inventory information, it is very difficult to estimate license-related exposure, making it a challenge for accounting teams to prepare for a potentially large compliance purchase. Finally, and perhaps most importantly, collecting an inventory before a compliance investigation begins allows a business to address compliance gaps before those gaps are translated into licensing penalties.


2. Know Your License Metrics. Especially when it comes to servers, modern software-licensing metrics run the gamut from relatively simple installation or “seat”-based licenses, to processor capacity licenses (like IBM’s processor value units or “PVUs”), to concurrent-session or floating-user licenses. One of the effects of this is that it is not enough merely to count how many times a software product is installed in a company’s computer environment. It is vital also to know the characteristics of the computers where those installations are located as well as the numbers and kinds of users connecting to that software. Without that level of detail (which many auditor-deployed inventory tools may be unable to collect), an audit outcome may include unnecessarily high monetary exposure. Businesses need to gather and monitor this information on an periodic, ongoing basis in order to minimize compliance exposure.


3. Select the Right Tool. Especially for large businesses, it is essentially impossible to collect a thorough software inventory without one or more tools to assist with the process. Therefore, especially in light of the need to get a handle on inventory data well before any audits are announced, businesses need to research the tools currently available to gather that data and to select the one that makes the most sense for their IT environments. Many tools offered today are truly robust in terms of their data-gathering capacities, though many also require a level of IT expertise that could make them challenging for smaller companies to deploy. Procurement teams therefore should spend some time considering the resources that they can task to internal software-asset management functions together with the price they are willing to pay for an effective toolset.

We are witnessing an increase in the number of prospective client calls and a surge in our software defense case load during the fourth quarter of 2011. Based on a number of factors including worldwide economic conditions affecting software publishers’ revenues, businesses can expect to receive more software audit requests in 2012 than ever before.

According to The ITAM Review, July 4, 2011, Gartner, a leading technology research company, reported in March 2011 that 61% of their survey recipients were audited by at least one software vendor in 2010. This number was the highest percentage of any comparable Gartner survey. Respondents identified the following companies with the most audits: IBM (41%), Adobe (40%), Microsoft (35%), and Oracle (17%). The Gartner Survey Analysis is available for purchase here.

The trend among the major publishers is to increase the frequency of software compliance audits for customers of all sizes. IBM has boldly embarked on an initiative to audit all customers world-wide while Microsoft has considerably increased audits conducted by its Global Compliance Group evidencing a considerable shift in philosophy from recent years. We are also seeing increases in reseller auditing including IBM OEM agreements and Microsoft SPLA customers.

As companies finalize their budgeting for 2012, they should include funding for software asset management and implementation of SAM policies.

Scott & Scott, LLP recommends the following:

• Create Standardized Agreements With Publishers: Many companies do not realize that they have leverage when negotiating license agreements with publishers. In fact, companies can incorporate less one-sided terms into software license agreements with the assistance of their own legal counsel. Favorable provisions can include "no audit" clauses or voluntary "true-ups" to reduce the costs of compliance management and the total costs of ownership.


• Retain Proofs of Purchase and Keep Accurate Records: Contrary to popular belief, trade associations and publishers only accept dated proofs of purchase, with an entity name matching that of the audited company. Anything less will fall short of publishers' mandated proof of ownership and therefore, repurchase of the assets in question may become necessary.


• Choose Integrated, IT Asset Management Tools: Asset management should be built into every company's ongoing business processes to ensure that this process and license compliance become core competencies. The ability to conduct routine reconciliations is required to ensure software license and Sarbanes-Oxley compliance.


• Obtain Expert Assistance in the Event of An Audit: Audit defense is most effective with the representation of specialized legal counsel to avoid the common mistakes that may jeopardize a company's legal position. Any automated discovery that is conducted under the supervision of legal counsel will be protected by attorney-client and work-product privileges, should an out-of-court resolution not be possible.

Because many software publishers are focusing on license reviews to increase revenues, companies should actively review their compliance with licensing terms. Companies that are proactive with their software asset management programs can minimize the time necessary to respond and reduce the potential exposure that typically results from a software audit.

However, some publishers – IBM among them – have very close relationships with some of their larger customers, to the extent that in some cases IBM will offer to station sales and support personnel at a customer’s location to streamline the deployment and maintenance of software and other IT solutions. This state of affairs can lead to an interesting question: To what extent is a software publisher with intimate knowledge of a customer’s IT environment responsible for bringing license-compliance discrepancies to the attention of the customer’s decision-makers?

This question implicates a legal concept known as “laches,” under which a claimant sometimes may discover that he cannot pursue a claim against an alleged wrongdoer if the claimant waited an unreasonably long time to pursue the claim in court. However, with copyright claims, the availability of a laches defense can be questionable in some states, because the Copyright Act includes an express, 3-year statute-of-limitations period. Some courts (notably, the Fourth Circuit Court of Appeals, which hears federal appellate claims from Maryland, Virginia, West Virginia, North Carolina and South Carolina) hold that laches is essentially unavailable for copyright defendants. Other courts are more permissive, however, especially in cases where a claimant’s delay is found to have been unconscionable.

Therefore, depending on the level of insight that a software publisher has into a company’s software deployments and the amount of time that it allows to pass before bringing a compliance-related issue to the company’s attention, it is possible that a laches claim may be available to counter the significant leverage that a publisher like IBM might be able to wield within the context of an audit. If you find yourself guiding your company through the various pitfalls of an IBM audit in particular (more on that is available here, here, here, here and here), it makes sense to explore the possibility of a laches defense with knowledgeable counsel.

In the trial court, Timothy Vernor filed suit against Autodesk seeking a declaratory judgment that his purchase of unopened packages of Autodesk’s AutoCAD software, and subsequent resale of those packages via eBay, did not constitute a violation of Autodesk’s copyright in the software, based on a copyright-law concept called the "first-sale doctrine" ("FSD"). Under the FSD, a copyright owner’s exclusive distribution right is exhausted after the owner’s first sale of a particular copy of the copyrighted work. The trial court found in favor of Vernor’s argument. However, Autodesk appealed that decision to the Ninth Circuit, which reversed the trial court, holding that "a software user is a licensee rather than an owner of a copy where the copyright owner (1) specifies that the user is granted a license; (2) significantly restricts the user’s ability to transfer the software; and (3) imposes notable use restrictions." The court found that all three of those conditions weighed in Autodesk’s favor, rendering Vernor’s resale via eBay a violation of Autodesk’s copyright interests under U.S. law.

It is important to keep in mind that the Supreme Court’s refusal to hear the case does not mean that the Vernor decision is the law of the land across the entire U.S. Rather, it means that trial courts within the Ninth Circuit (Washington, Oregon, California, Arizona, Nevada, Idaho and Montana) will be required to apply the decision in similar cases. The Vernor decision may be persuasive in other circuits, but trial courts and appellate courts in those circuits will not be required to follow it. The possibility thus exists for different results in different circuits – which could make it more likely that the Supreme Court would decide to take up the issue in another matter – though that possibility currently seems to be fairly remote.

In addition, one item that the Ninth Circuit expressly left undecided in its decision was an argument raised by Vernor at the trial court that Autodesk was committing "copyright misuse" by attempting to shut down his sales of Autodesk software via eBay. Under the copyright misuse doctrine, a copyright holder can be prevented from enforcing its copyright during a period of time in which it uses that copyright offensively for purposes not contemplated in U.S. law. It will be interesting to see if the Vernor trial court – or some other court in a different matter – holds that Autodesk’s license-enforcement practices constitute copyright misuse, especially as they relate to very old software products (like the 15-year-old version of AutoCAD that was at issue in Vernor). These issues remain ones to watch for business owners and practitioners who have concerns about the legitimacy of Autodesk’s practices and those of industry groups like the Business Software Alliance and the Software & Information Industry Association.

Click here for Another Court Ruling Against Autodesk in Software Dispute

Unfortunately, the further you stray from the publishers’ stores in a search for lower prices, the more likely it is that you may make a costly error in your purchasing decisions. Here are three big reasons why:

1.   You may not realize what you are getting. Those high prices and the publishers’ stores come with benefits, one of which usually is assistance with available license types and an assessment of license needs, especially if you are contemplating a higher-cost transaction. If you purchase through third-party sites with lower prices (like Amazon) or through auction or “marketplace” sites (like eBay or, in some cases, Amazon), then you often are on your own in assessing your needs. As a result, some businesses end up purchasing incorrect licenses – such as academic-edition licenses for prohibited commercial purposes or upgrade licenses without a valid, qualifying, full-version license – usually on non-refundable terms. 

2.   You may not be getting anything at all. In some cases – especially at the auction and “marketplace” sites – the advertising sellers may have no right whatsoever to resell the software licenses they are offering, making those licenses worthless to the purchaser. Autodesk in particular is well known for challenging such sales, because its standard license agreement expressly prohibits the transfer of software licenses without its consent. In the event of an audit, invoices from such sales typically not only are rejected as proof of license-ownership but also may damage a business’ credibility in attempting to negotiate a resolution, especially if the price identified on the invoice is far below MSRP. 

3.   You may be getting more than you expected. In the worst cases, and again, most commonly when purchasing software through marketplaces or auction sites, what you receive may actually result in damage to your files or computer systems. It is not unheard-of for software shipped following such sales to consist of unauthorized, corrupted copies or whole-cloth counterfeits of the advertised products. Such software can result in loss of data that may be significantly more valuable than full-price licenses for the software in question. In those situations, businesses may find themselves without the license-proof they need in the event of an audit and without the files they need to service their customers and make money. 

This is not to say that all online license transactions are a bad idea or that business should not attempt to manage their licensing costs when possible and appropriate. However, it is a good, general rule of thumb that the further you get from full MSRP for a software license offered on the Internet, the more cautious you should be before proceeding. In close cases, it also may be worth the effort to get an opinion from your attorney.

In Brasher’s vs. The Software & Information Industry Association, Adobe, Corel, McAfee, Symantec, Idaho Auto Auction, ADP, and Robert Gillespie, plaintiff Brasher’s, the target of an SIIA software audit, filed suit asking the court to determine who is legally responsible for unlicensed software found on its computers during the audit. Brasher’s sues Gillespie, a former IT administrator and presumed informant for his role in installing the software and seeks indemnity from Idaho Auto Auction the company it acquired assets from which included computers with unlicensed software.

This lawsuit provides some valuable lessons.

(1)The plaintiff claims it had no knowledge that the computers contained allegedly infringing software when it acquired the computers. Lack of knowledge or intent is usually not a good defense to a copyright infringement claim when liability attaches without regard to fault or knowledge.

This case highlights the importance of due diligence and properly documenting asset transactions involving the sale of computers with software installed.

(2) The plaintiff alleges that the former IT administrator installed unlicensed software  in violation of company policies.  He was subsequently terminated and thereafter informed SIIA that Brasher’s had pirated software on their computers. The plaintiff alleges a very common fact pattern: IT administrator is terminated and makes a software piracy complaint against the former employer to the SIIA.

It will be interesting to see how receptive the court is to Brasher’s claim that Gillespie should be individually liable for software he installed in violation of the company’s policy. The case against the informant is always a tough call. Most unemployed IT guys are not viable defendants.

(3)The plaintiff alleges that the SIIA repeatedly made demands for payment several times the total retail price of the software and far in excess of any damages suffered by SIIA’s members. Brasher’s claims that they repeatedly offered to settle with the SIIA, including an offer of  $12,500, despite the fact that the retail price of the software allegedly infringed is less than half that amount and that the SIIA rejected their settlement offers.

The SIIA’s multiple of MSRP approach to software audits is under direct attack. I think the court will be receptive to Brasher’s claims that an arbitrary multiple of MSRP is not appropriate for calculating damages in software copyright infringement cases.

Before responding to such requests, organizations must understand both their legal rights with respect to a prospective audit, as well as the various Oracle license grants as they apply to their environments. In many cases, organizations inadvertently become non-compliant over the course of a few years, seemingly without growing their database environment. For example, installing Oracle version upgrades sometimes turns on software features, such as the diagnostic and features packs, which trigger an associated increase in licensing cost. A company’s IT department can significantly increase its Oracle spend during version upgrades without knowing it.

If the Oracle Server Worksheet contains information that concerns LMS, Oracle may ask the customer to allow Oracle to run a set of scripts across its network to perform an in-depth network deployment audit—the mere thought of which should make even the most confident CIO squirm. Organizations should carefully consider any response they make to Oracle to avoid that kind of request. If there are any concerns whatsoever about the state of a company’s Oracle deployments and associated entitlements, consulting with experienced counsel prior to responding to an Oracle license review request is highly recommended.

Software development and solution hosting both can present unique licensing issues for businesses that may not be accustomed to addressing them. It is not uncommon for businesses to overestimate the rights conveyed with certain license types, which can prove to be costly mistakes in the event of a software audit. Microsoft’s licensing rules are a good and fairly prevalent example:

• Software Development. Many businesses recognize that a subscription under the Microsoft Developer Network (MSDN) program often represents an excellent value proposition. MSDN subscriptions include perpetual use rights for a vast array of Microsoft software. However, that software must be used exclusively in connection with the design, development, testing, and demonstration of new programs. In addition, and more importantly from a compliance perspective, each subscription must be assigned to a single software developer, with no sharing among team members, and if any software included in the subscription ever is used for any other, non-development-related purpose, then it must be licensed independently.
• Solution Hosting. Most Microsoft license agreements do not permit users to host software over the Internet to their customers or to rent any software to third parties. Businesses that fail to heed those restrictions typically discover – in the context of a software audit – that Microsoft or the auditing entity (like the BSA) refuses to recognize licenses any erroneously purchased for those prohibited purposes. The most popular way to obtain valid hosting or rental rights is through a Services Provider License Agreement (SPLA) with Microsoft. However businesses considering SPLA licensing must be prepared for a much more involved contracting process with Microsoft and also for the requirement to submit monthly reports that identify all software deployed to customers under the SPLA.

Businesses concerned about their development or hosting entitlements – as well as businesses with reason to believe that those entitlements may represent a significant aspect of a pending audit investigation – should work with licensing counsel to identify any discrepancies from an early stage. Doing so can help to minimize exposure related to compliance deficiencies.

In addition, Attachmate currently is in the midst of pursuing a $2.2 billion acquisition of Novell, Inc., but that transaction has stalled out recently due to a protracted patent review being conducted by the U.S. Department of Justice. The review is part of the government’s due-diligence efforts surrounding the required sale (for antitrust purposes) of 882 patents to a Microsoft-led consortium of competing vendors. As a result, many observers see an increasing likelihood of audit activity going forward – it is not uncommon for software publishers to try to increase revenue through license-enforcement activities. In addition, Novell software is widely deployed throughout many businesses’ IT environments, resulting in what Attachmate’s compliance department likely is expecting to be a fertile hunting ground for software audits.

Attachmate customers should use any distraction of Attachmate’s legal department to their advantage and take steps now to ensure that their software usage-levels do not exceed their license rights. Compliance gaps typically are much easier and less expensive to remedy before a software owner makes first contact regarding an audit, the efficient resolution of which often involves the assistance of counsel.

This audit process often is arduous and involves collecting all available license-purchase documentation for the BSA- or SIIA-member software product installations discovered during the investigation.  However, unlike the IRS’ retention requirement of 7 years for business records, the BSA and SIIA will not recognize license-credit in favor of the businesses they target without dated proof of proper licensing for every installed software product, regardless of when it was purchased.

More troubling for many businesses is the fact that, even if they are able to produce purchase documentation for software installed on their systems, they may receive no credit for that documentation if it appears to have been received from a software vendor that is not an authorized dealer.  Purchasing software from some web sites, such as Amazon.com’s Amazon Marketplace, eBay, or Craigslist, can be risky, especially when the quoted price for a product is less than 80% of its MSRP value. Many of these heavily discounted software products licenses are offered without the authorization of the software publisher and could end up being useless to the business purchasing them, in the event of an audit. The cost can be magnified when, following settlement, the affected companies are required to re-purchase the same software from a reputable vendor.

In rare instances, the BSA and SIIA sue unauthorized resellers. In June, the SIIA worked with the LAPD to bring criminal charges against two individuals accused of pirating SIIA member software and selling it on Craigslist. However, while the BSA and SIIA pursue unauthorized retailers with civil and criminal charges, they are unable to expose all potential unauthorized retailers. Therefore, as a prudent practice, prior to making any software purchases, a company should investigate whether a vendor is an authorized seller of properly licensed software.  Additionally, a company should beware of heavily discounted software.

It is not unusual for a company to discover during the audit process that its current or former employees installed software on company computers without authorization.  Unfortunately, this oversight may lead to substantial financial penalties from the BSA or SIIA for any allegedly unauthorized installations.  During the course of settlement negotiations, the BSA and SIIA routinely fine companies three times the MSRP value of each allegedly unlicensed product.

While no written policy is foolproof against employees installing unauthorized software, a proactive approach includes guidelines and policies to outline proper use of a company’s computers.  This may include provisions banning installing, using, or accessing software unless specifically authorized by the company.  Educating employees to have a better understanding of how to use a company’s resources and technology properly may help to prevent costly penalties in the future.  In addition to a written policy, it also is advisable for a company to routinely conduct an internal audit of its computers to help ensure software compliance.  Once the BSA or the SIIA gets involved, it is typically too late to avoid paying a penalty.

Because computer networks may change rapidly, the auditors need to identify a moment in time for which they can ask the audited business, “Did you have all of the licenses for the software installed on your computers?”  If the answer is yes, the auditing entity will typically close its file.  If the answer is no, the auditing entity will claim the business engaged in copyright infringement on the effective date.  The business’ representation that it was compliant after the effective date has no bearing on whether the business engaged in copyright infringement on the effective date.  If the matter proceeds to a lawsuit, the auditor likely would claim that the business infringed its or its members’ copyrights on the effective date.

The auditing entity typically demands proof of purchase documentation that demonstrates the ownership of a sufficient number of licenses on or before the effective date.  Software purchased after the effective date is not relevant to the audit.  Locating, reviewing, and compiling the proof of purchase documentation is a collective effort that often requires coordination among various individuals and departments within an organization.  In addition, identifying and listing all of the software on the company’s computers as of the effective date may be made doubly difficult when computers contain large amounts of software irrelevant to the audit. It is also important to keep in mind that software environments change as computers are added, decommissioned, and rebuilt with the ebb and flow of HR turnover.

If you have been contacted by an auditing entity such as the BSA, the SIIA, or a software publisher, you should proceed with caution and should familiarize yourself with the typical process for such software audits.  Experienced counsel can help to guide you through that process and to avoid unnecessarily large expenses.

The notion that a business could legitimately purchase software only to be required to re-purchase it following a software audit – in addition to having to pay a penalty to the SIIA or BSA – leads some businesses to seek open source alternatives.  For many of the BSA-member products most commonly found to be at issue during a third-party audit – such as Microsoft Office and Adobe Photoshop – there are analogous open-source alternatives – such as OpenOffice or GIMP – that are available at little or no cost to license.  Although the functionality of these alternatives is not identical to that of the SIIA- or BSA-member products, many consumers determine that those differences are less compelling than the advantage of cutting costs and avoiding future exposure related to third-party audits. However, it is important to keep in mind that, while it may cost nothing to deploy open-source software, the installation and use of those products are still subject to copyright laws and governed by the terms of license agreements (such as the GNU General Public License). The terms of those licenses can have a significant impact on a business’ ability to host, modify or redeploy open-source software products. Therefore, businesses should make an effort – if necessary, with the advice of counsel – to familiarize themselves with the terms of those licenses.

Businesses that deploy software under one or more SPLAs should strongly consider working with an attorney experienced in publisher-initiated software audits before disclosing any information to Microsoft in response to a SPLA audit engagement. Many businesses discover during the course of a SPLA audit that in the past they have either under-licensed or over-licensed some or all of their deployments based on an incomplete grasp of Microsoft’s complex distributed software licensing rules. Learning this information before disclosing any audit results to Microsoft can help to avoid a protracted dispute over past licensing discrepancies. In addition, a third-party software audit taking place at a company’s offices may represent a significant disruption to business activities. For others businesses, unprotected access to or disclosure of company information regarding software deployments and entitlements entails confidentiality concerns that are greater in scope and significance than the concerns that all businesses should keep in mind when disclosing information to a party that could, in some cases, end up on the other side of the aisle in a litigated dispute.

Experienced counsel should have a familiarity with both the substantive licensing rules under SPLA and with the audit procedures Microsoft typically uses in these matters. They also should have a good idea of the various alternative procedures to which Microsoft may be willing to agree in order to resolve the audit request in a way that minimizes adverse impacts on a company’s business operations. Especially in light of the financial exposure that SPLA audits can entail and the business-critical nature of the software products often licensed under a SPLA, attorney consultation in these matters often is vital to achieving a mutually agreeable outcome.

The court rejected NEI’s request for damages for each separate work and concluded that “a plaintiff should not receive a windfall recovery by inflating the number of works infringed from its own compilation.”  The court determined that “when a plaintiff compiles assorted copyrighted products into a new product, the compilation constitutes one work for purposes of copyright infringement.”

NEI’s focus on “whether each item (in a compilation) has an independent economic value and is, in itself, viable” did not sway the court.  Rather, the Court held that “adopting such a test would be to make a total mockery of Congress' express mandate that all parts of a compilation must be treated as a single work for purposes of computing statutory damages.”  The court also declined to apply rulings from cases NEI presented in which defendants, rather than plaintiffs, created compilations of the plaintiff’s works.

If you have been contacted by the Business Software Alliance (BSA), Software & Information Industry Association (SIIA), or another software industry auditing entity, you should contact counsel experienced in negotiating with auditing entities regarding bundled software suites that resemble compilations.

The audit process is lengthy and arduous and often is affected by costly mistakes.  One of those mistakes involves the use of an inadequate tool to conduct the kind of audit called for by the auditing entity. There are many ways a business may tackle the audit process.  It may hire a law firm that specializes in software audits to conduct the review, it may hire external IT consultants, or it may proceed with its own in-house software audit.  The BSA often suggests a number of tools to assist with a self-audit, sometimes including Novell, Symantec, Frontrange Solutions,  Belarc and Spiceworks. Many of those tools are available for little or no licensing fee, making them appear to be attractive alternatives.

However, if a company chooses to conduct a self-audit, it is essential to verify the results produced by the tool deployed prior to submitting any information to the BSA or SIIA.  Often, software audit tools are not sophisticated enough to discern between free trial software or remnants from previous installations and full installations of licensable software products within the scope of the audit.  Over-reporting can carry significant consequences, because each product mistakenly reported as a full version for which a business is unable to demonstrate license ownership typically entails a penalty at settlement based on the MSRP of that product.  The BSA then typically applies a multiplier for each product included in its settlement offer calculations.

For these reasons, it is important when conducting an in-house software audit to carefully look for any mistakes in the audit results and to ensure that those results accurately reflect what was installed as of the effective date of the audit requested by the BSA or SIIA.  If there is any doubt regarding the accuracy of those results, it is vital to seek the advice of a knowledgeable attorney or consultant prior to submitting any information to the auditing entity.

Many businesses that use software published by Autodesk are familiar with the company’s vigorous copyright enforcement program. Autodesk is one of the most active software publishers when it comes to threatening litigation over allegedly unlicensed use of its well-known computer-aided design products, such as AutoCAD, and it regularly targets businesses of all sizes demanding costly and distracting audits and settlements, often based solely on the word of unidentified informants.

In addition to such matters targeted at its past and potential customers, however, Autodesk’s enforcement program also includes efforts to eradicate what it believes to be unauthorized sale of its software. The Washington state federal lawsuit of Vernor v. Autodesk Inc. falls into this category. Here, the plaintiff, Timothy Vernor, had for some time attempted to sell used AutoCAD packages on eBay. However, when he did so, Autodesk sent notices to eBay pursuant to the Digital Millennium Copyright Act that such activity violated Autodesk’s copyrights, and in order to avoid contributory copyright liability, eBay removed the listings. After several such exchanges, eBay eventually terminated Vernor’s account. In response, Vernor filed suit against Autodesk, seeking a declaratory judgment that his sale of used software did not constitute copyright infringement.

In its first substantive opinion in the matter, the Federal Court for the Western District of Washington denied a motion to dismiss in which Autodesk had argued that the software Vernor attempted to sell on eBay had been licensed exclusively to a Seattle architecture firm, that the firm had no authority to transfer the software to any other party, and that Vernor’s activity therefore constituted a violation of its copyrights in the software. The court disagreed, holding that the first sale doctrine under U.S. copyright law protected Vernor from liability. Despite Autodesk’s characterization of the earlier transaction as the transfer of a license, the court ruled that the architectural firm merely had purchased a copy of the product, and first sale doctrine allows the lawful owner of a copy of a work to sell or give it away.

On September 30, 2009, the court essentially repeated this holding in ruling on cross-motions for summary judgment filed by each of the parties. Again relying primarily on the 9^th Circuit’s opinion in United States v. Wise (1977), the court characterized the earlier sale to the architectural firm as just a sale with a restriction as to use. After Wise, the 9^th Circuit held in other cases involving software disputes that software licensees did not “own” their copies. However, the Vernor trial court nevertheless looked to Wise as the controlling precedent, because it was the earliest case to consider the issue and because the 9^th Circuit did not expressly address it in the cases that followed.

A decision by Autodesk not to appeal these rulings by the Vernor court would be surprising, considering what is at stake. The implications of the court’s holding, if allowed to stand, would cast a shadow across the license-enforcement initiatives of not only Autodesk, but also other software publishers and their trade groups, such as the Business Software Alliance and the Software & Information Industry Association. It will be very interesting to see what happens next in this matter.

The audits begin much like those instituted by the BSA or SIIA.  The target of Autodesk’s audit will receive a letter from a law firm representing Autodesk demanding the business’ cooperation in disclosing the number Autodesk installations on its network and the number of Autodesk licenses it owns, including serial numbers.  The law firm will assert it has received information that indicates the business may have more installations of Autodesk software than it is licensed to use.  The letter will go on to describe the various penalties associated with copyright infringement and it may threaten the business with civil litigation.

Targets who receive such letters should treat the matter very seriously.  It is important to know your legal rights and protect your legal position before responding to a request for information from a software publisher who is trying to conduct an audit.  Additionally, many companies who prepare their own responses to Autodesk without the benefit of counsel and before conducting a thorough investigation often receive an unexpectedly high settlement offer from Autodesk. 

In many cases, Autodesk demands a settlement payment calculated as the MSRP of the allegedly unauthorized products installed on the business’ network multiplied by three.  The multiplier, Autodesk argues, is the penalty for using unauthorized software and is assessed in lieu of proceeding with formal judicial resolution.  The use of multipliers as an approximation of damages is a hotly contested issue.

When responding to Autodesk audit requests, companies should work with experienced counsel to thoroughly investigate the software usage on their computers, protect themselves by requesting agreement from Autodesk regarding the use of the materials that will be produced in the audit, and negotiate a resolution geared toward ensuring future compliance. 

Self Audits
Self audits are the least disruptive of all software audits. They are a mechanism often employed by trade associations acting on behalf of software publishers. The trade associations, and in some instances, the publisher itself, requests that the target company conduct a self audit and report the results of the audit to the trade association or publisher. Companies that agree to conduct a self audit must inventory the applicable software on the computers within the scope of the audit and report the number of installations, the number of licenses, and the number of license deficiencies.

When evaluating whether you should cooperate or litigate after a request for a self audit, you should consider the benefits of a self audit compared to the other types of audits. For instance, in publisher and third-party audits, you usually have a contractual obligation to participate in the audit and provide information to the auditors. When conducting a self audit, you have some control over the timing of the audit and the allocation of resources. That flexibility is not always present in other types of audits.

Additionally, outside auditors are not always required to be impartial and may submit incomplete or inaccurate audit results. For these reasons, regardless of the type of audit requested by the software publisher, companies faced with an audit should request the opportunity to provide a self audit rather than an independent audit, a publisher-staffed audit, or (usually) a SAM engagement.

Independent Audits
An independent software audit involves the use of a third-party auditor to gather the facts
relevant to the dispute. This audit method may be the most costly and time consuming option for the audit target.

Many software licenses incorporate audit provisions allowing the software publisher to request an independent audit. Such provisions must be carefully analyzed to determine the potential business impact of the audit and liability that may result from the audit.

In an independent audit, the organization has no input into the selection of the auditor, how long the audit will last, or the scope of the materials the auditors may review. The target company must also bear the costs of the audit if the auditor finds a licensing discrepancy of more than 5%. If the auditors conclude there is a discrepancy, the publisher has the contractual authority to unilaterally determine the license price for the software necessary to become compliant. Independent audits have significant business impacts and should be avoided if possible. Nonetheless, independent audits are preferred over SAM engagements and publisher-staffed audits because the auditor is usually ethically obligated to remain independent.

SAM Engagements
SAM engagements are also conducted by third-party auditors or consultants, but there is no obligation that the auditor in a SAM engagement be independent. The software publisher requests that the target allow a third party to audit its software installations and report the results directly to the publisher. In these engagements, the publisher pays the auditor, and the target is required to purchase licenses to cover any deficiencies in its software licenses. Microsoft’s SAM engagement has been extensively used in lieu of traditional software audits with mixed reviews from the end user’s perspective.

Participation in a properly managed SAM engagement may be in the client’s best interest
because such engagements typically provide some flexibility and a lower total cost of resolution than self audits and independent audits. In many instances, the publisher seeks no compensation for alleged past infringements in exchange for an agreement to come into compliance on a go-forward basis.

Publisher-Staffed Audits
Publisher-staffed audits are the most intrusive and least impartial of all software audits. In these audits, the publisher’s employees collect information relevant to the dispute. In many instances, publishers request a company’s confidential information or access to a company’s network to conduct the audit. Although a publisher may arguably have a contractual right to request that it be allowed to examine its customers’ computer network, it is never advisable to agree to a publisher-staffed audit without examining all of the alternatives first.

The software piracy enforcement groups have developed a standard formula for assessing fines in software piracy audits. It is important to note that these groups such as BSA and SIIA are not governmental entities and have no independent authority to levy an enforceable software piracy penalty or fine. Software piracy penalties are therefore merely offered in settlement to avoid litigation and, like all pre-litigation settlement offers, are negotiable with the help of experienced counsel.

Dated Proof of Purchase Required to Avoid Software Piracy Penalty
Software piracy groups’ methodology for calculating fines starts by treating as unlicensed all software products for which there is a lack of adequate documentation, including dated proofs of purchase. All proofs of purchase must be dated prior to the software piracy audit initial letter to be considered valid evidence. Because companies may not always have access to the requisite dated proofs of purchase, software piracy penalties are often based, in part, on software titles that companies legally own and properly acquired.

Unbundling Software Suites in Software Piracy Penalties
Software piracy groups also unbundle the products in software suites such as Microsoft Office. So instead of proposing a fine based upon one copy of Microsoft Office, the BSA or SIIA proposes a fine for Microsoft Outlook, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. The result is a proposed software piracy penalty of $1,126 for a product that retails for $339.

The Arbitrary 3x Software Piracy Multiplier
After disallowing credit for valid software without dated proofs of purchase and unbundling all software suites, the software piracy groups then apply an arbitrary multiple of three times the full retail price for each software title. Accordingly, one allegedly unlicensed copy of Microsoft Office will carry a proposed software piracy penalty of $ 2,252.

Software Piracy Attorney’s Fees
To add insult to injury, the software piracy penalties will include a line item for $3,500 to pay the attorney’s fees for the auditing agency. While this is not usually a large number as a percentage, it should be taken into account when considering potential software piracy penalties. To calculate your potential software piracy penalty exposure, use our Business Software Alliance Fine Calculator.

• Hire an Attorney – BSA and SIIA have experienced software piracy attorneys working for them, you should too.
• Preserve Evidence – do not uninstall or change computer configurations until an accurate inventory of in-scope computers has been gathered.
• Avoid Knee-Jerk Purchases – a natural but counterproductive response to a software piracy audit is to run out and purchase software. I advise my clients to avoid making purchases until a complete inventory and case assessment has been completed.
• Maintain Confidentiality – client prepared audit materials and related documentation may be discoverable in a lawsuit. We conduct attorney-supervised audit reports protected by attorney-client and attorney work-product privileges.
• Condition Audit Disclosure – software piracy audit materials should only be disclosed after an appropriate agreement regarding confidentiality and non-use of the information has been signed by the software piracy enforcement agency.
• Estimate Software Piracy Fines – always review the draft audit materials with your attorney before they are produced to make sure everyone is clear on the potential financial exposure involved. Our software piracy fine calculators are available at: BSA Fine Calculator and SIIA Fine Calculator
• Argue Software Piracy Legal Issues – there are many legal issues involved in software piracy audits including what constitutes infringement, who has the burden of proof, how damages should be calculated, what constitutes proof of ownership and many others. We vigorously argue these legal points in an effort to reduce software piracy settlement demands.
• Negotiate Non-Monetary Terms – software piracy audit settlement agreements are incredibly one-sided and unfair to the targets. I advise my clients to carefully consider important issues like future audit obligations, confidentiality of the settlement terms, the nature and scope of the release being offered.
• Focus on Your Business – the only way to be successful in a software piracy audit is to continue to stay focused on running your business and taking care of your clients.

If you have been accused of software piracy please call Scott & Scott, LLP for a free consultation.

Click the link below to listen to the Full Report on Business Software Alliance by ABC News:

 Business Software Alliance Report

The Business Software Alliance (BSA) recently announced that it entered into a settlement agreement with a small-to-medium-sized motor sports dealer and equipment supplier in Greenville, South Carolina, regarding the dealer’s alleged use of unlicensed, Adobe and Microsoft software. The BSA said that under the settlement, the targeted dealer, which apparently owns only 40 to 50 computers, was required to make a settlement payment of slightly more than $72,000.00 and also to agree “to delete all unlicensed copies of software installed on its computers, acquire any necessary replacement licenses and commit to implementing stronger software license management practices.” There was no statement from the dealer included in the press release, a copy of which is available here. There is also a brief article regarding the matter from a local media outlet here.

Businesses that endure software audits initiated by the BSA or by the Software & Information Industry Association (SIIA), often come to the unpleasant realization toward the end of the ordeal that, in addition to the settlement payment, the costs of investigation and diversion of resources, and the legal fees already incurred on the path to reaching a settlement agreement, the auditing entity often demands that it be allowed to publicize the matter in a press release such as the one described above. In the vast majority of cases, the negative value to the business of such publicity is proportionally far greater than any positive value derived from the auditing entity. Nevertheless, the BSA and SIIA both typically demand that businesses pay a high premium to keep the existence of or details regarding an audit settlement from public attention. Businesses that fail to account and plan for such a premium at the outset of an audit engagement may be faced with the grim prospect toward the end of the matter of having to accept terms that include costly negative publicity that, especially in some tech-related industries, can be very damaging to a business’ reputation.

It is important to keep confidentiality in mind at the outset of the software audit process and, after a preliminary exposure estimate is calculated, to determine whether the cost of the bad press that audits often entail will be greater than the price to include confidentiality terms in an eventual settlement agreement. In cases where that price is too high, there may be less-expensive alternatives to explore at settlement, such as inclusion of terms that give the business the right to review and contribute to a press release prior to publication or terms that allow the auditing entity the right to publish the existence of the settlement, but not the details. A knowledgeable software audit attorney can provide valuable assistance in considering these and other options to mitigate the lingering effects of a BSA or SIIA software audit.

In FM Industries, Inc. v. Citicorp Credit Services, Inc., the United States District Court for the Northern District of Illinois determined the existence and extent of infringement of a software program by a business whose license to use the program had expired. In the case, the business at issue claimed that it its use was non-infringing because it initially installed the software with the consent of the publisher. The court rejected this argument, holding that “a user reproduces a program stored in his computer's hard drive merely by launching that program, thereby causing the computer to copy it to Random Access Memory.” The court also cited to a Ninth Circuit opinion in the case of MAI Systems Corp. v. Peak Computer, Inc., where the court there stated:

The district court's grant of summary judgment on MAI's claims of copyright infringement reflects its conclusion that a “copying” for purposes of copyright law occurs when a computer program is transferred from a permanent storage device to a computer's RAM. This conclusion is consistent with its finding, in granting the preliminary injunction, that: “the loading of copyrighted computer software from a storage medium (hard disk, floppy disk, or read only memory) into the memory of a central processing unit (“CPU”) causes a copy to be made. In the absence of ownership of the copyright or express permission by license, such acts constitute copyright infringement.” We find that this conclusion is supported by the record and by the law.

These opinions are at odds with the standard tactics employed by the BSA, the SIIA, Autodesk, and other software auditors. For example, when presented with information that a design firm has repurposed a CAD workstation to a reception desk or, in a perhaps more stark example, decommissioned the machine to a storage closet, the BSA would argue that any design or CAD software remaining on the machine’s hard drive remains relevant for audit purposes, and they would use any such installations as factors in calculating a settlement demand. However, according to the FM Industries and MAI Systems opinions, this methodology is flawed. A correct damages model would not count as “copying” the mere presence of copyrighted software on a hard drive. The relevant inquiry is whether that software is being used by loading it into a computer’s RAM.

When faced with a software audit demand from the BSA, the SIIA, or any other software publisher or industry representative, before disclosing any information regarding the software in use in your business’ computer network, it is important to consult with counsel to determine what is and what may not be within the scope of the audit.
 

The program continues the BSA’s practice of offering rewards of up to one million dollars for qualifying reports of software piracy. Individuals allegedly possessing knowledge about a business’ software compliance practices report information to the BSA which may become the basis of a legal engagement.

Issuance of a Software Policy can also provide the education and training employees need to help the business maintain compliance. Management should clearly delineate the company’s software asset philosophy and process to ensure compliance across the organization. Companies that receive audit letters from the BSA should contact experienced counsel for assistance.

The BSA and SIIA are not the only organizations pursuing business for software copyright infringement. Though it is a member of both the BSA and SIIA, Autodesk, which manufactures the popular design software AutoCAD, often pursues audit targets on its own.

The audits begin much like those instituted by the BSA or SIIA. The target of Autodesk’s audit will receive a letter from a law firm representing Autodesk demanding the business’ cooperation in disclosing the number Autodesk installations on its network and the number of Autodesk licenses it owns, including serial numbers. The law firm will assert it has received information that indicates the business may have more installations of Autodesk software than it is licensed to use. The letter will go on to describe the various penalties associated with copyright infringement and it may threaten the business with civil litigation.

Targets who receive such letters should treat the matter very seriously. It is important to know your legal rights and protect your legal position before responding to a request for information from a software publisher who is trying to conduct an audit. Additionally, many companies who prepare their own responses to Autodesk without the benefit of counsel and before conducting a thorough investigation often receive an unexpectedly high settlement offer from Autodesk.

In many cases, Autodesk demands a settlement payment calculated as the MSRP of the allegedly unauthorized products installed on the business’ network multiplied by three. The multiplier, Autodesk argues, is the penalty for using unauthorized software and is assessed in lieu of proceeding with formal judicial resolution. The use of multipliers as an approximation of damages is a hotly contested issue.

When responding to Autodesk audit requests, companies should work with experienced counsel to thoroughly investigate the software usage on their computers, protect themselves by requesting agreement from Autodesk regarding the use of the materials that will be produced in the audit, and negotiate a resolution geared toward ensuring future compliance.

Autodesk products are typically upgraded frequently and Autodesk usually issues a new, unique serial number with each purchase. When responding to an Autodesk audit, the business that owns Autodesk products may elect to provide the serial numbers in lieu of the invoices. It is important to provide serial numbers for the versions of the products that are installed and in use as of the date of Autodesk’s letter. For instance, if a company upgraded a copy of AutoCAD ® 2000i to AutoCAD ® 2004, the company should not provide both serial numbers to Autodesk in response to the audit request.

It is also important to realize that Autodesk licenses are generally non-transferrable without Autodesk’s written permission. If an audited company is planning to produce a serial number for a product that was not obtained from an authorized Autodesk reseller, there is a strong likelihood that the company will not get credit for the license.

If you have been audited by Autodesk, please seek advice from experienced counsel before responding. For more information, please visit www.scottandscottllp.com.

The first thing a target of a software audit needs to do is preserve the evidence of software products installed on the company’s computers as of the audit effective date. Second, the software installed needs to be reconciled against proof of purchase information to determine whether there is gap between licenses owned and software installed. Third, a decision needs to be made regarding whether to purchase or uninstall any unlicensed software. The auditing entity is only concerned with those products installed as of the audit effective date, and accepts only proofs of purchase dated on or before that date.

I advise my clients that regardless of what was installed on the audit effective date, they only need to purchase software licenses for products that they need to use going forward. Although it will not resolve past liability, companies may choose to uninstall unlicensed products at the conclusion of the audit matter, rather than purchase unnecessary software simply because it was installed on the effective date. At the conclusion of a software audit matter, the target must certify that it has come into compliance through the combination of buying and\or uninstalling the products in question.

The effect of unbundling is to dramatically and artificially inflate the monetary component of an agency settlement because the fines are based upon the MSRP of each component part of the software. In an agency software audit involving Microsoft Office for example, they unbundle the suite by separating Microsoft Outlook, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Access and then calculate its proposed fine on the basis of the MSRP of each component. This practice results in a proposed fine per installation of approximately $2,000 for a product with a market price ranging from $150 to $350, depending on the version.

In my opinion, the practice of undbundling is completely contrary to law because the software suites of an agency's member publishers are compilations under the copyright law and therefore constitute a single work for purposes of calculating statutory damages for infringement. The U.S. Copyright Act 17 U.S.C. § 101(c) defines a compilation as follows:

A "compilation" is a work formed by the collection and assembling of preexisting materials or of data that are selected, coordinated, or arranged in such a way that the resulting work as a whole constitutes an original work of authorship. The term "compilation" includes collective works.”

The statutory damages provision of the U.S. Copyright Act 17 U.S.C. § 504(c) provides in pertinent part that:

For the purposes of this subsection, all the parts of a compilation or derivative work constitute one work.

Federal court’s have also interpreted these provisions to preclude recovery of statutory damages for the component parts of a compilation. For example, in XOOM v. Imageline, the Court of Appeals for the Fourth Circuit only made one statutory damage award for each compilation of electronic clip art, even though each compilation included thousands of works because “[a]lthough parts of a compilation or derivative work may be ‘regarded as independent works for other purposes[,]’ for purposes of statutory damages, they constitute one work.” XOOM v. Imageline at 285, citing H.R. Rep. No. 94-1476, at 162 (1976).

Similarly, in WB Music Corp. v. RTV Communications Group, 445 F.3d 538 (2d Cir. 2006) the Court of Appeals for the Second Circuit interpreted 17 U.S.C. § 504(c) and discussed the distinction between compilations authorized by the copyright holder that constitute “one work” for statutory damages purposes and collections of separate works compiled by the defendant and never authorized by the copyright holder. Because the software suites implicated in SIIA audits involve separately copyrighted works included in a compilation authorized by the copyright owners, section 504(c) applies and prohibits the award of statutory damages for the component parts of the suite.

One of the top ten questions asked by my clients is “How long does the self-audit process take from start to finish?” Of course I give the standard lawyer answer: it depends. Here are the steps to a typical software audit.

Preparation of Audit Materials (3 to 6 months)
A software audit is a request, under threat of litigation, to compile a listing of software products installed on the audited entity’s computer network as of the Audit Effective Date. The Audit Effective Date is the date on the initial letter requesting an audit. The first step in preparing this information is conducting an automated inventory of the software products installed on all computers owned or leased by the target company, using a software inventory tool such as Scott & Scott's Compliance Manager. Once an accurate inventory is completed, the next step is to reconcile the software inventory information with proofs of purchase dated prior to the audit effective date. While there are various ways to prove ownership of a software license, typically an invoice is considered the best evidence of ownership in a software audit. In the typical case, the software inventory and reconciliation process takes three to six months.

Secure a Confidentiality and Federal Rule of Evidence 408 Agreement (1 week)
With very limited exceptions, we advise the targets of software audits to cooperate with the self-audit process but to do so in a way that does not compromise their position in the event that an out of court settlement is not possible. We do not disclose any information to the audting entity until it signs an agreement regarding the confidentiality of the information disclosed and specifically limiting the entity's ability to introduce the information as evidence in court. In the typical case, this is signed within one week.

Audit Entity Analyzes Self-Audit Materials and Makes a Settlement Demand (3 to 6 months)
After the self-audit materials are submitted by the target, the auditing entity typically takes three to six months to respond. The response provides its interpretation of the self-audit materials and applies a formula for its initial settlement proposal. In many instances, the settlement proposal is substantially more than the target may have expected due to differences of opinion regarding what constitutes valid proof of ownership. In our experience, the auditing entity usually takes three to six months to make substantive response following the submission of the self-audit materials.

Negotiation of Monetary and Non-Monetary Terms of Settlement (6 to 24 months)
After the auditing entity makes its initial settlement demand, there are various monetary and non-monetary terms that need to be negotiated. The obvious material term in every software audit negotiation is the monetary amount to be paid to the auditing entity for alleged past infringement. The most significant non-monetary issue is whether the auditing entity will agree to a confidentiality provision. Such provisions require the auditing entity to keep the existence and details of the audit confidential and preclude the them from issuing a press release. The length of the negotiation process differs from case to case but generally lasts between six months and two years.

The most common mistake we encounter in software audits is the failure to compile and produce accurate installation information. Like all technology projects, collecting the information to produce in response to a request for an audit can be very complicated and time consuming. To begin the audit process, it is necessary for the company to select an automated software discovery tool, such as Scott & Scott's Compliance Manager. Even for small environments, employing a manual process to review the software on each computer is time consuming and unreliable. Any automated discovery that is conducted directly by the client or by a third-party provider will not be protected by the attorney-work product privilege because the privilege only applies to communications between attorneys and their clients. Many tools capture information related to the software installations on a computer network, but produce the results in a format that the company cannot interpret. Even worse, many companies produce the audit results from the free tools provided by the trade associations. These tools, more often than not, inaccurately report the data and fail to exclude information that is outside the scope of the audit request.

Companies also err in the audit process by relying on their IT staff to respond to the request for an audit. Members of IT departments typically prepare audit reports containing information that is incorrect or beyond the scope of what is required to adequately respond. This is particularly problematic because the release of liability contained in most software audit settlement documents is contingent on the accuracy of the results produced during settlement negotiations. If the technology department improperly reports the software installations, the monetary portion of the settlement will be inflated, and the release of liability will be jeopardized.

Another common error audited companies make is submitting improper documentation in an attempt to demonstrate proof of ownership for software licenses. Contrary to popular belief, trade associations and publishers only accept dated proofs of purchase, with an entity name matching that of the audited company, before acknowledging that the company owns a license for a particular product. For this reason, companies should avoid purchasing additional licenses of installed software in response to a request for an audit as these purchases will be irrelevant to the audit. Companies should seek the advice of counsel regarding the purchase of additional software during the audit process and the impact that it may have on the pre-litigation audit and any subsequent litigation that may arise.

Because most clients are not able to properly interpret copyright laws and software licenses without specialized legal assistance, it is critical to involve experienced counsel in the process of interpreting the software installation information gathered by the automated discovery tool and reconciling that data with all available proof-of-purchase information. Once the installation information has been collected, it should be reviewed to determine whether it only includes information within the scope of the audit. Additionally, licensing models are often dependant on the actual use of the product in the company’s specific environment. In other words, you cannot interpret the license without a thorough understanding of the computing infrastructure and how the software is being used from a technical perspective. Other licensing considerations that require specialized knowledge and expertise include client access licensing, upgrade and downgrade rights, and licensing for non-concurrent laptop use.

Without a contractual provision to the contrary, ambiguous terms in a software license will be construed against the software publisher. Provided that there are no other business factors that would make litigation unwise, an ambiguous license agreement is the situation most likely to lead to litigation.

Construction against the Drafter
When dealing with ambiguities, it is important to determine whether the license in question contains a provision indicating that ambiguities will not be construed against the drafter. If there is no such provision, the general rule in most jurisdictions is that ambiguities in software license agreements will be construed against the drafter. If the contract is silent on construction against the drafter, it is important to review any choice of law provision and determine if the specific jurisdiction follows the general rule.

Parol Evidence
The Parol Evidence Rule, which is applicable in most states, provides that when a court determines that a contractual provision is ambiguous, the parties may introduce extrinsic evidence to prove that their interpretations of the contract are consistent with the parties’ intent when entering into the contract.

In a software dispute, parol evidence will include testimony from both the software company and the end user regarding pre-contract discussions and negotiations as well as pre-contract writings including e-mails, faxes, purchase orders and draft license agreements. All of this evidence would be precluded in a contract dispute where there was no ambiguity in the contract. In such instances the court would be confined to what is called the “four corners” of the software license agreement when conducting its interpretation.

Software licenses often discuss technical matters, and are therefore frequently ambiguous. These ambiguities require the parties to develop and present extrinsic evidence in court. Typically, the evidence is developed through pre-trial discovery mechanisms such as requests for production of documents and depositions, which can be very expensive.

Triable Issues of Fact
Contract disputes, including those involving software licenses, are frequently resolved before the trial begins through motions for summary judgment. The interpretation of a non-ambiguous contract is decided as a matter of law by the court. In addition, because the parol evidence rule precludes the introduction of evidence in contravention of the plain meaning of an unambiguous contract, litigation costs are reduced because the extrinsic evidence regarding the parties’ pre-contract intent is not considered by the court.