However, in many cases, businesses targeted by the BSA discover that there appear to be significant discrepancies between the information apparently provided by the BSA’s confidential informants and the actual license-compliance status of those businesses. Many businesses suspect that the cause of the discrepancy is the informants’ desire to profit from the BSA’s reward program. Regardless of the cause, however, when the audit materials submitted in an audit matter do not conform to the information supplied by the confidential informant, the BSA typically disputes the results. The business then ends up incurring additional legal fees in an effort to authenticate those results and move the matter forward to a resolution.

Worse, though, even when the BSA discovers that its informant may have provided false information, it typically will not stop pursuing the copyright infringement claims.  The BSA’s loose definition of “unlicensed” software covers any software with no proof of purchase. Therefore, even though business records are only required to be kept for seven years for tax purposes, because the BSA requires dated proof of purchase in order to credit a business with license ownership, it effectively expects its business targets to keep their invoices for software license purchases forever.  The BSA thus justifies its continued pursuit of businesses, even in the face of an apparently unreliable informant, based less on principles of copyright law than on potentially inadequate accounting practices.

There is usually little recourse against the BSA or the informant for initiating legal action based on false information.  In some cases, a company may consider suing the informant on a breach of contract or breach of confidentiality claim, depending on the existence of any prior agreements with the informant, but the expense of such an action would be prohibitive for most businesses.  For these reasons and others, it is important for all companies, regardless of whether they are faced with a BSA audit, to be prepared to document their license ownership, to keep confidential all information relevant or potentially relevant to an audit, and to seek the assistance of counsel.

A small company with few computers is better suited than a larger corporation to conduct its own audit either manually or to take advantage of one of the many free software scan tools available on the internet. There are still risks of inaccuracy involved. One danger is that a company may submit information regarding a free download that may be mislabeled, and inaccurately reported to the BSA as unlicensed software.

This risk is amplified for larger companies with many computer systems and multiple users. If a large company seeks to conduct its own audit, the free scanning tools are still an acceptable choice, as manually checking each computer is both tedious and can lead to mistakes. An alternative is to seek a consultant who specializes in software infringement issues and who can assist with network inventory and sorting through software purchasing invoices and receipts. However, it is important to keep in mind that, unless that consultant is an attorney, he or she may have no duty of confidentiality to the company. Therefore, it is wise either to obtain a comprehensive confidentiality agreement from the consultant or to retain a knowledgeable attorney to assist with the inventory.

In addition to collecting an inventory of software installations, it is important to gather purchasing information to provide to the BSA. If receipts and invoices are not provided for all software installations reported, the BSA will assume the software is unlicensed and will increase its settlement demand. Regardless of the size of a company, if there are concerns about the ability to scan software, locate purchasing information or evaluate audit results, it is advisable to seek outside assistance with the process from an expert.

Therefore, it is an important to keep records of all software purchased, regardless of the vendor or the date purchased. Typical forms that are acceptable to the BSA include receipts of purchase and invoices from authorized vendors. If software is pre-installed on a computer, a company may be able to obtain documentation from the manufacturer showing all such software on that computer.

Once all of the information related to installations and licenses is gathered, it is submitted to the BSA for review. The review may be a lengthy process, usually ultimately culminating in a settlement offer, which is typically negotiated downward. It is therefore key to submit all information proving proper licensing to decrease the total settlement. By obtaining a lower opening settlement offer, a company can reduce total exposure in negotiations.

This process varies depending on the size of the company and the number of computers within the scope of the audit.  A small company with very few computers has more cost-effective options, such as using a free scan tool to inspect their computers, conduct hard drive imaging, or simply logging on to the computers to determine what is installed. 

However, there are numerous methods of inspecting and reporting software installations, and because of the complexities facing companies with many computers, it often is more effective to use a network scanning tool to determine installations on computers.

After selecting and deploying the scanning tool that is most effective for a company’s needs, a company should review the raw inventory results to determine if there are any errors in the results. It is not uncommon for inventory tools to report the presence of a software product on a computer even after the company has taken steps to remove the product. In addition, there are several product-specific pitfalls to avoid. For example, it is common for older versions of the free Adobe Reader to appear in inventory results as the full Acrobat product. Also, a computer may appear to have a full Microsoft Office suite, when one component, such as Microsoft Word, is the only product from the suite that actually is installed.  Each of these items can make a significant difference in a company’s exposure.

Finally, companies also should use a review of their software inventory results to determine which software products they need going forward. BSA settlements typically require companies to certify their compliance with applicable software agreements as of the date of settlement, and it is advisable to begin the compliance review as soon as possible. For example, it is often the case that a company does not require the full Adobe Acrobat, but could meet their needs using the Adobe Reader tool.

Often, one of the most important provisions, aside from the sections resolving a company’s alleged liability for copyright infringement, consists of language (if any) pertaining to confidentiality.  Unless a company requests a confidentiality provision to be included in the settlement agreement, the BSA often will issue a press release detailing the investigation of the company and the terms and cost of settlement.  Many businesses understandably seek to avoid this type of publicity.  If included in the settlement agreement, the confidentiality provision provides protection from the public release of information and prohibits the BSA from disclosing the terms of the settlement.  However, it is important to note that this provision does not protect against court-ordered subpoenas or against the release of information by the BSA to the software companies it represents. 

It is also important to note that this provision often comes at a cost.  The BSA regularly significantly increases the settlement price if a company seeks confidentiality. Companies therefore often choose not to include a confidentiality provision, but they should be prepared for the press release detailing each alleged violation of licensing agreements and the amount paid to the BSA in fines. If the company chooses not to purchase confidentiality, the BSA often will allow the business to review a proposed release prior to publication and to provide a quote to include with the release.

Businesses negotiating the resolution of a BSA-initiated audit matter should carefully consider with counsel whether the benefits of a confidentiality provision outweigh its cost, in light of that business’ location, industry, market share, and financial situation.  

A key part of reaching a settlement agreement is to resolve the potential liability arising from the BSA’s allegations of copyright infringement, so that the BSA cannot later file claims against the company for alleged violations that occurred prior to the settlement agreement. Before the BSA will agree to release its claims, however, the targeted company will need to negotiate an agreed settlement payment to the BSA. The negotiations process can vary in length, depending on the nature of claims, the BSA’s alleged damages, and whether or not the company wants to include certain provisions, such as a confidentiality clause, in the settlement agreement. After the parties reach an agreement on the payment amount, the BSA will propose a written agreement, which include its release of liability. The release is typically contingent on certain actions by the company, as defined in the settlement agreement. These include the company’s certification of present compliance, accompanied by up-to-date proof-of-purchase documentation, and a warranty that the company will continue to comply with licensing agreements in the future, among others. 

It is important to note that if the BSA subsequently learns that a company did not fully disclose all information during the audit process, or that it later did not comply with applicable licensing requirements, it may hold the company in breach of the settlement agreement and pursue legal action. In order to prevent this, it is vital that a targeted company consult with knowledgeable, experienced counsel to assist it with mitigation strategies, settlement negotiation and compliance advice.

The Business Software Alliance’s primary enforcement tool is to send a threatening letter indicating that an investigation has commenced and offering to forego litigation if the target company provides a self-audit. A self-audit consists of a listing of all BSA member software running on a company’s computer networks, appropriate indicia of ownership for the software comprised of dated proofs of purchase for each title. It is important to note that companies are usually under no legal obligation to cooperate with the Business Software Alliance. In most instances, however, cooperation will yield the most cost effective resolution. But, that is not necessarily always the case.

Cooperating Carefully with BSA

I usually advise my clients to cooperate with the BSA, but to do so without compromising any legal rights. Prior to submitting audit materials on behalf of clients we require that the BSA sign a contract protecting the confidentiality of the audit materials and ensuring that the audit materials will not be used in court if the case cannot be settled informally.

BSA Settlement Demands

The Business Software Alliance has developed a standard formula for assessing fines as part of its settlement process. It is important to note that the BSA is not a governmental entity and has no independent authority to levy an enforceable fine. Business Software Alliance fines are therefore merely offered in settlement to avoid litigation and, like all pre-litigation settlement offers, are negotiable with the help of experienced counsel.

The BSA's methodology for calculating fines starts by treating as unlicensed all software products for which there is a lack of adequate documentation, including dated proofs of purchase. All proofs of purchase must be dated prior to the Business Software Alliance's initial letter to be considered valid evidence. Because companies may not always have access to the requisite dated proofs of purchase, the BSA's proposed fines are often based, in part, on software titles that companies legally own and properly acquired.

The Business Software Alliance also unbundles the products in software suites such as Microsoft Office and Adobe Creative Suite. So instead of proposing a fine based upon one copy of Microsoft Office, the BSA proposes a fine for Microsoft Outlook, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. The result is a proposed fine of $1,126 for a product that retails for $339.

After disallowing credit for valid software without dated proofs of purchase and unbundling all software suites, the Business Software Alliance then applies an arbitrary multiple of three times the full retail price for each software title. Accordingly, one allegedly unlicensed copy of Microsoft Office will carry a proposed fine of $ 2,252.

To add insult to injury, the Business Software Alliance’s proposed fine will include a line item for $3,500 to pay the BSA’s attorney’s fees. While this is not usually a large number as a percentage, it should be taken into account when considering potential exposure. To calculate your potential exposure, use our Business Software Alliance Fine Calculator, http://www.bsadefense.com/resources-fine-calculator.asp.

Questions regarding client access most often arise in relation to installations of certain server-based Microsoft products, such as SQL Server database software, Exchange Server messaging software, and the Windows Server operating system software. License agreements often (though not always) require that business purchase two types of licenses for these products: one license for the server product installation and client access licenses (CALs) for each user or networked device accessing that product. In other words, a Windows-based file server in a network with ten workstations accessing shared files on that server would require one product license for the server installation and ten device CALs to allow the workstations to connect to and access information on the server.

During audit investigations, the BSA usually requests that targeted businesses disclose the number of server product installations, the number of workstations or users accessing those installations, and the number of CALs purchased by the businesses (with proofs of purchase for all licenses claimed). However, that information is essentially inconsistent with the stated aim of most audit engagements, in that a client access instance is not a software product that can be copied – it is, rather, a mechanism that Microsoft uses to increase its revenue from server product licensing based on the nature of a particular product deployment. Unlike the unauthorized installation and use of a software product, which in most cases constitutes copyright infringement, access to a server product without a CAL can only serve as the basis for a claim of copyright infringement to the extent that the CAL rules constitute conditions on the product license or restrictions on the license scope. Were the matter to be litigated, that issue likely would turn into a fact question.

The Ninth Circuit has summarized the legal issue as follows:

Whether this is a copyright or a contract case turns on whether the [license provisions at issue] help define the scope of the license. Generally, a copyright owner who grants a nonexclusive license to use his copyrighted material waives his right to sue the licensee for copyright infringement and can sue only for breach of contract. If, however, a license is limited in scope and the licensee acts outside the scope, the licensor can bring an action for copyright infringement.

Sun Microsystems, Inc. v. Microsoft Corp., 188 F.3d 1115, 1121 (1999).

There is no doubt that the BSA and Microsoft would (and do) argue that the CAL provisions constitute a restriction on the scope of the server product license. However, those arguments likely would not be dispositive at trial, and a court would (or, at least, should) look to other factors, such as the facts that the Microsoft EULAs are essentially one-sided, non-negotiable contracts of adhesion and that the interests protected by the provisions are revenue-oriented, rather than intellectual property-oriented.

However, it is possible that none of those finer legal points will result in significant traction during a BSA investigation and that the BSA will refuse to provide a release at settlement (if necessary) for server product installations without client access information. At this stage, it is essential for a targeted business to carefully weigh the pros and cons of disclosing the CAL information. For larger environments, an absence of documentation for CALs could result in significantly higher exposure at settlement, possibly making a refusal to disclose client access information, even in the face of not receiving a release for the server products, a preferable option. This is an analysis in which the opinion of a knowledgeable and experienced attorney often will be exceptionally valuable.

The article’s sources appear to base their suggestions on a combination of personal experience and, perhaps, assumptions about the BSA’s operating procedures in U.K.-based software audit matters. One source is cited as suggesting that “companies being chased to complete audits should only do so if the BSA is willing to disclose why they are being targeted, which is something it would have to do as part of any litigation process.”

However, at least in U.S.-based audit matters, the BSA is generally unwilling in any circumstances short of a federal lawsuit to disclose any information regarding the source of its information. In addition, the BSA in the U.S. operates under powers of attorney signed by the software publisher-members it represents, and it has, in the past, shown itself to be willing to pursue software audit matters in court, in the event that business targets either refuse to co-operate with its audit demands or provide information that materially and significantly diverges from the information obtained from its confidential sources.

Notwithstanding the understandable reservations many businesses may have – and should have – regarding disclosing otherwise confidential information to third parties, businesses confronted by the BSA with allegations of software copyright infringement should, at the very least, engage knowledgeable counsel in an effort to evaluate the advisability of co-operating with such demands based on all of the facts. For most businesses in that situation, it will make more sense to co-operate with the BSA in reaching an out-of-court resolution. Such an informal process allows a business to control the flow of information to the BSA and to preserve the confidentiality of any negotiated resolution. Costs and expenses associated with co-operation also generally are significantly less than those associated with a federal lawsuit, and the potential for a lower agreed settlement amount usually will be greater as well.

There are exceptions, of course, and it is equally important to keep in mind that it may make more sense, for any number of reasons, either to refuse to co-operate or, possibly, to file a pre-emptive lawsuit, usually in the form of a request that a court issue a declaratory judgment regarding the absence of copyright infringement. Again, however, these are decisions that businesses must make only after consulting with an attorney who is knowledgeable regarding the issues presented and the potential for exposure.

Most recently, the newest software publisher to join the BSA is Sheba Distribution, a division of Garmin Ltd., producer of the popular Garmin navigation and communication devices. Avid, EMC Corporation, Parametric Technology Corporation (PTC), and Synopsys have been removed from the BSA member list. Avid publishes popular video and media editing software such as Media Composer Mojo and Symphony Nitris. Avid also owns media and graphics software companies Digidesign, Pinnacle Systems, M-Audio, Sibelius, Sundance Digital, and formerly, Soft Image. EMC Corporation is a technology company offering a range of network, data recovery, and information management products and consulting services. EMC also owns virtual machine software company VMWare. PTC publishes the popular engineering design software PRO/Engineer. Synopsys publishes software and offers services used in the semiconductor industry.

A BSA audit can be a costly engagement for any business. Maintaining software license compliance will help prevent your business from exposing itself to the unneeded expense of a lawsuit or settlement with the BSA. Businesses that do not manage their licenses and installations on an ongoing basis by performing self-audits may find themselves performing an audit in the context of a BSA matter. Businesses should strongly consider deploying software audit solutions that manage both their installations and licenses and protect the information under an attorney-client privilege.

To view the current list of BSA members, click http://www.bsa.org/country/BSA%20and%20Members/Our%20Members.aspx.