It makes sense that the BSA’s policy is to support endeavors which will aid its enforcement efforts. It remains to be seen what any future agreement may say about intellectual property right protection and increased enforcement, however one thing is clear–those whose operations exist in both the US and EU should scrutinize software license entitlements and their environments to ensure compliance.
]]>
Some ignore the letter, assuming it to be some kind of spam or marketing ploy. This is not advisable. Audit demands from the BSA and SIIA generally are very serious matters, and they can result in federal court litigation if they are neglected or if the auditors determine that a company is not cooperating in good faith.
]]>Some ignore the letter, assuming it to be some kind of spam or marketing ploy. This is not advisable. Audit demands from the BSA and SIIA generally are very serious matters, and they can result in federal court litigation if they are neglected or if the auditors determine that a company is not cooperating in good faith.
Some companies take the opposite approach and provide all of the requested information to the auditors. While we typically advise our clients to cooperate with the BSA and the SIIA, it is important to know where to draw the line in the information-gathering process to ensure that only relevant data is provided to the auditors. The management of a software audit therefore can be time-consuming and expensive, depending on the size of the business or the IT environments at issue.
Given the prospect of that burden and expense, many companies justifiably are very interested in discovering opportunities to “short-circuit” the software audit by sharing information that makes the auditors go away without going through the full audit process. In our experience, those opportunities are few and far between, though they may be worth exploring in particular cases. For example, it is possible (though relatively rare) that the auditors may provide detailed information regarding the software products alleged to be in use without sufficient licensing. Under those circumstances, it may be possible to provide equally detailed information regarding installations of only those products and the associated licenses owned by the company without discovering and detailing the deployments and licenses of all BSA- or SIIA-member products installed on the company’s computers. As another example, if the audited business is confident that it knows the identity of the auditor’s confidential informant, and if it has information to discredit any allegations that informant may have made to the auditors (such as evidence that the informant installed unlicensed software on the company’s computers before being terminated), then it may be possible to convince the auditors to suspend the audit by attacking their key witness’ credibility.
However, in the vast majority of BSA or SIIA audits, a negotiated outcome requires the submission of information of software installed and licensed owned for all products within the scope of the audit demand. Companies stand a better chance of having realistic expectations in such matters by working with knowledgeable counsel.
]]>However, as with Oracle’s recent addition to the BSA”s member list, it would not surprise me to see IBM included among lists of companies whose products must be included within the scope of BSA-initiated software audits. Its products also are commonly deployed by businesses of all sizes across many different industries, making them likely subjects of confidential tips that the BSA actively solicits from unnamed informants. And as with Oracle, the fact that IBM maintains an active, internal audit initiative does not mean that its products would be less likely to be included in BSA audits.
IBM products can be prohibitively expensive, and there are myriad different licensing metrics currently used by IBM. Therefore, the potential for audit exposure arising from IBM products is high. This would be an ideal time for companies with IBM product deployments to take a close look at those installations and to confirm that they all are being used within the scope of valid entitlements.
]]>
However, it would not surprise me to see Oracle included among lists of companies whose products must be included within the scope of BSA-initiated software audits. Its products are commonly deployed by businesses of all sizes across many different industries, making them likely subjects of confidential tips that the BSA actively solicits from unnamed informants. Moreover, the fact that Oracle maintains an active, internal license-verification program is not indicative of the likelihood of a BSA audit including its products – Microsoft, Autodesk and Adobe, all of them also long-standing BSA members, all maintain their own aggressive audit programs and all routinely are named in audit-notice letters sent by the BSA to unsuspecting business owners.
As many Oracle users are aware, its products can be quite expensive, and they also can be very easy for company employees to download without the approval or knowledge of company management. While businesses always should maintain comprehensive policies and procedures pertaining to authorized software usage on company computers, this might be an especially good time for them to take a closer look at Oracle product deployments, if any, and to confirm that they all are being used within the scope of their valid entitlements.
]]>]]>
I doubt that. A more likely explanation, in my opinion, is that the BSA and its members invented the alleged “wave” by ramping up their enforcement efforts. During the recent recession that hit the U.S. economy and throughout the prolonged recovery, we have noticed that almost all major publishers have sought to shore up their revenues by auditing their customers and demanding large compliance purchases to address any shortfalls. The BSA and its members are no different. Most BSA audit matters have a lifespan of anywhere from 6 to 18 months, so the settlements referenced in the press release likely arose from audits that were initiated while the economy was in worse shape than it is now.
In addition, it is important to keep in mind the fact that settlement with the BSA does not mean that infringement has occurred. In many cases, businesses simply are unable to produce documentation for software licenses that they previously purchased, and they make a calculated business decision to resolve the audit with a payment to the BSA in lieu of the immense costs that would be associated with forcing the BSA to prove its case in court through litigation.
Businesses contacted for software audits by the BSA or by its attorneys need to tread carefully with the assistance of counsel in order to avoid needlessly amplifying their audit-related legal exposure.
]]>Regarding its increased concentration on combating software piracy, BSA President and CEO Robert Holleyman said, “We also are expanding our focus as the industry’s premier anti-piracy organization, because new technology architectures in cloud and handheld computing are creating new challenges for protecting intellectual property”.
We recommend companies prepare for the inevitable audit. To see if you are ready for a software audit, take this Audit Readiness Assessment:
Companies that have effectively mitigated the risks of software audits can answer “yes” to the above questions. Being proactive can save headaches and expense.
]]>Many of our clients seek to avoid the negative publicity associated with software-audit settlements by negotiating the inclusion of confidentiality clauses in written settlement agreements with auditing entities. The BSA (along with its competitor industry group, the Software & Information Industry Association (SIIA)) typically resist efforts to include any language in those agreements that would limit their ability to publicize the settlements. However, in our experience the auditors usually end up agreeing to prohibitions against the kind of press release issued by the BSA in return for additional amounts to be paid to settle the matters.
There is no way to know whether the subject of confidentiality ever was raised during the PCS-CTS settlement negotiations as our firm was not involved in this case. Given the size of the settlement amount, even if PCS-CTS did raise the issue, it is possible that the BSA refused to consider any publicity restrictions in this case. However, in almost every BSA settlement negotiation it is important to raise the confidentiality demand clearly and early in the process. The BSA especially values the ability to issue press releases (especially press releases regarding noteworthy settlements), and raising the issue late in the game can complicate efforts to resolve the audit. Also, it is important to keep in mind the fact that while the BSA usually gives the audited business advance notice of a planned release, it almost never accepts substantive revisions to the release that would tend to obscure the magnitude of the settlement or to call into question the BSA’s tactics or enforcement program. Therefore, it is vital that an audited business carefully determine the value of such a prohibition after receiving a settlement demand from the BSA and decide how far it wants to go in demanding that a confidentiality clause be included in the settlement agreement.
]]>
The contest with three distinct entry periods began November 1 and ends January 31, 2012. Each month a prize winner from a random drawing will receive $1,000. The entry form requires no purchase or payment just the type of alleged piracy, the name of the company, address, company website, phone number, employees, name of CEO, number of computers, software number installed, number of licenses, why you think the software is unlicensed and does management know. The only optional information on the entry and the only whistleblower info is their email address should they choose to provide it. I question the credibility of the informants who respond to the BSA's campaign.
The Report Piracy Now page (https://reporting.bsa.org/r/report/add.aspx?src=us&ln=en-us&intcmp=irphp000043) contains a recorded interview with an actual BSA informant—an IT consultant who reported his client to the BSA after he installed what he believed to be pirated software on his client’s computers. The unnamed informant’s perspective in the promotional interview was “coming forward is the right thing to do” and “he would do it again if he could”. The conduct of the informant appears to be unethical and potentially illegal. Why didn’t the informant refuse to install the software that he believed to be illegal? The informant was in a relationship of trust and confidence with the client, violating that trust to enter a prize drawing is not the right the thing to do.
Companies should prepare for the inevitable audit. To see if you are ready for a software audit, take this Audit Readiness Assessment:
Companies that have effectively mitigated the risks of software audits can answer “yes” to the above questions. Being proactive can save headaches and expense.
]]>SOPA would enable the government to issue orders compelling Internet service providers (ISPs) and website operators to ban foreign web sites accused of software piracy or copyright infringement without a formal hearing. Kaspersky objects to the broad scope of powers the legislation would bestow on the government, and it is making its opposition known through its actions.
By contrast, SOPA supporters argue that the legislation would be an effective tool to combat software piracy and online copyright infringement and that it would work in tandem with the Digital Millennium Copyright Act (“DMCA”). However, despite its stated support for the bill, the BSA has acknowledged that the legislation may require some revisions in order to ensure that privacy and security interests are adequately protected.
]]>The House Judiciary Committee heard arguments regarding SOPA from various interested entities on November 16. Critics of the proposed law, which would enable the government to block access to foreign web sites accused of copyright infringement, argue that it is overbroad as drafted and that it would chill First Amendment rights.
The BSA’s main concerns mirror some of the critics’ arguments about limiting the scope of the law to target only online copyright infringers. "Valid and important questions have been raised about the bill," stated BSA President Robert Holleyman. "It is intended to get at the worst of the worst offenders. As it now stands, however, it could sweep in more than just truly egregious actors."
The BSA has been a strong advocate for strict enforcement of copyright laws. If passed, SOPA could significantly impact copyright-enforcement efforts both by the government and by third parties. For example, the law would grant immunity to businesses that choose to cease conducting business with companies accused of copyright infringement.
As they have been, developments with regard to SOPA and its sister bill in the Senate – the PROTECT IP Act – should prove to be very interesting.
]]>Generally, the BSA’s settlement demands are premised on a lump-sum payment. However, many businesses often find themselves unable to pay expensive settlement fees. Therefore, negotiating extended settlement-payment terms can be an important way to make the settlement fee more affordable. Depending on the size of the settlement payment and financial situation of the company, settlement payments may be spread out over 3 to 6 months or even more, in some cases. However, extended terms often are available only if the business is able to demonstrate an inability to pay the full lump sum. That demonstration often requires the disclosure of balance sheets or profit & loss statements, which company officers may be hesitant to disclose.
The process to negotiate a settlement with the BSA – regardless of the inclusion of any special provisions pertaining to confidentiality or payment terms – can be complex. It is important to seek legal counsel who has experience negotiating with the BSA in order to secure the most palatable settlement.
]]>Because computer networks may change rapidly, the auditors need to identify a moment in time for which they can ask the audited business, “Did you have all of the licenses for the software installed on your computers?” If the answer is yes, the auditing entity will typically close its file. If the answer is no, the auditing entity will claim the business engaged in copyright infringement on the effective date. The business’ representation that it was compliant <em>after</em> the effective date has no bearing on whether the business engaged in copyright infringement on the effective date. If the matter proceeds to a lawsuit, the auditor likely would claim that the business infringed its or its members’ copyrights on the effective date.
The auditing entity typically demands proof of purchase documentation that demonstrates the ownership of a sufficient number of licenses on or before the effective date. Software purchased after the effective date is not relevant to the audit. Locating, reviewing, and compiling the proof of purchase documentation is a collective effort that often requires coordination among various individuals and departments within an organization. In addition, identifying and listing all of the software on the company’s computers as of the effective date may be made doubly difficult when computers contain large amounts of software irrelevant to the audit. It is also important to keep in mind that software environments change as computers are added, decommissioned, and rebuilt with the ebb and flow of HR turnover.
If you have been contacted by an auditing entity such as the BSA, the SIIA, or a software publisher, you should proceed with caution and should familiarize yourself with the typical process for such software audits. Experienced counsel can help to guide you through that process and to avoid unnecessarily large expenses.
]]>Due to the nature of the process and the possibility that a settlement may be misconstrued to reflect misconduct on the part of a company, many companies that settle with the BSA seek to keep the existence and terms of settlement confidential. However, the BSA disfavors confidentiality provisions, because they interfere with its efforts to publicize the results of its license enforcement program. Therefore, the BSA typically demands a higher settlement payment to include such a provision.
Absent a confidentiality provision in the settlement agreement, the BSA generally is free issue to a press release detailing the terms of settlement and name of the company. The BSA often then seeks to publish the release in media outlets relevant to the targeted business’ industry or geographic location, in addition to publishing the press release on its web site.
There are many considerations for a company contemplating a demand for confidentiality. Some larger, more recognizable companies seek confidentiality provisions to offset potentially negative publicity associated with their brand. Under those circumstances, the additional penalty amount may represent an acceptable cost. However, smaller companies often choose to pay a lower settlement amount not inclusive of confidentiality, based on a determination that damage to their brands, if any, likely would be less significant. This is a decision in which a company’s upper management should be given an opportunity to contribute. Finally, on rare occasions, some companies seek to issue their own press releases, detailing the settlement terms, and exposing the BSA’s software auditing process as a warning for other businesses.
Regardless of the strategy a company chooses regarding confidentiality, it is important to be aware of the implications of failing to include a confidentiality provision in the final settlement agreement. When in doubt, it is beneficial to seek counsel from an attorney familiar with the BSA process.
]]>The IIPA’s position was reflected recently in comments it submitted to influence U.S. trade policy. Each year, the Office of the U.S. Trade Representative (USTR) conducts a review of foreign IP laws – called the Special 301 review – to identify those nations believed to have unacceptably lax copyright policies. Negative treatment in the review can lead to trade sanctions and is intended to exert pressure on foreign nations to adopt more stringent copyright policies. During the review process, the USTR accepts recommendations from interested parties regarding countries they believe should be added to the “blacklist” of poor copyright enforcers. In its 2010 recommendations to the USTR, the IIPA named among the countries to be “watched,” among others, Indonesia, Brazil and India, at least in part, it seems, for endorsing the use of OSS in governmental agency offices. This is in spite of the fact that some nations – Indonesia notable among them – adopted those recommendations in order to curb the use of unlicensed software.
A person could be forgiven for adopting a cynical assessment of the BSA’s motivations in the wake of such an apparent policy endorsement. Under the guise of protecting its members’ valuable copyright interests, the BSA has targeted hundreds of small-to-medium-sized businesses for software audits under the threat of federal court litigation and has labeled many of those businesses “pirates” upon failure to meet the BSA’s unnecessarily strict requirements for proving ownership of software licenses. However, the IIPA’s position with regard to OSS seems to indicate that copyright enforcement may be less of a concern to the BSA than is driving sales of its members’ products.
The BSA has not historically objected to businesses transitioning to OSS in the wake of software audits, but the IIPA’s recommendations to the USTA may be cause for concern. All businesses that have been contacted by the BSA for such audits should consult with counsel to work toward the most reasonable available resolution.
The full text of the IIPA’s recommendations is available here:
]]>Unfortunately, the BSA’s definition of software piracy is considerably more broad than the common understanding and may be confusing to companies audited by the BSA who have never knowingly copied unlicensed software. During a BSA-initiated software audit, the BSA requires the businesses it targets to provide dated proofs of purchase for each software product installed on their computers. There are specific types of documentation the BSA accepts, and it usually rejects purchases from E-bay, Amazon, or similar Internet-based re-sellers. Therefore, if a company unknowingly purchases software from an unauthorized retailer or simply is unable to find receipts for products it purchased, the BSA will penalize the company as though it intentionally violated copyright law and “pirated” the software.
Worse, typically after an audit the BSA will enter into settlement agreements with the companies it accuses of copyright infringement. Unless a provision for confidentiality is included in a settlement agreement (usually only in return for a significant additional amount to be paid at settlement), there is nothing to prevent the BSA from publishing a press release identifying the targeted company, the software products involved, and the settlement amount, and otherwise making express or implied statements that the company is guilty of “software piracy.”
As a general rule, companies should keep all receipts from software purchases indefinitely, and they should purchase software only from authorized dealers. Additionally, recipients of letters from the BSA should seek experienced legal counsel to assist with the audit and to help negotiate a resolution that may prevent the unnecessarily negative publicity that can result from the BSA’s overzealous application of the “pirate” label.
]]>However, in many cases, businesses targeted by the BSA discover that there appear to be significant discrepancies between the information apparently provided by the BSA’s confidential informants and the actual license-compliance status of those businesses. Many businesses suspect that the cause of the discrepancy is the informants’ desire to profit from the BSA’s reward program. Regardless of the cause, however, when the audit materials submitted in an audit matter do not conform to the information supplied by the confidential informant, the BSA typically disputes the results. The business then ends up incurring additional legal fees in an effort to authenticate those results and move the matter forward to a resolution.
Worse, though, even when the BSA discovers that its informant may have provided false information, it typically will not stop pursuing the copyright infringement claims. The BSA’s loose definition of “unlicensed” software covers any software with no proof of purchase. Therefore, even though business records are only required to be kept for seven years for tax purposes, because the BSA requires dated proof of purchase in order to credit a business with license ownership, it effectively expects its business targets to keep their invoices for software license purchases forever. The BSA thus justifies its continued pursuit of businesses, even in the face of an apparently unreliable informant, based less on principles of copyright law than on potentially inadequate accounting practices.
There is usually little recourse against the BSA or the informant for initiating legal action based on false information. In some cases, a company may consider suing the informant on a breach of contract or breach of confidentiality claim, depending on the existence of any prior agreements with the informant, but the expense of such an action would be prohibitive for most businesses. For these reasons and others, it is important for all companies, regardless of whether they are faced with a BSA audit, to be prepared to document their license ownership, to keep confidential all information relevant or potentially relevant to an audit, and to seek the assistance of counsel.
]]>A small company with few computers is better suited than a larger corporation to conduct its own audit either manually or to take advantage of one of the many free software scan tools available on the internet. There are still risks of inaccuracy involved. One danger is that a company may submit information regarding a free download that may be mislabeled, and inaccurately reported to the BSA as unlicensed software.
This risk is amplified for larger companies with many computer systems and multiple users. If a large company seeks to conduct its own audit, the free scanning tools are still an acceptable choice, as manually checking each computer is both tedious and can lead to mistakes. An alternative is to seek a consultant who specializes in software infringement issues and who can assist with network inventory and sorting through software purchasing invoices and receipts. However, it is important to keep in mind that, unless that consultant is an attorney, he or she may have no duty of confidentiality to the company. Therefore, it is wise either to obtain a comprehensive confidentiality agreement from the consultant or to retain a knowledgeable attorney to assist with the inventory.
In addition to collecting an inventory of software installations, it is important to gather purchasing information to provide to the BSA. If receipts and invoices are not provided for all software installations reported, the BSA will assume the software is unlicensed and will increase its settlement demand. Regardless of the size of a company, if there are concerns about the ability to scan software, locate purchasing information or evaluate audit results, it is advisable to seek outside assistance with the process from an expert.
]]>Therefore, it is an important to keep records of all software purchased, regardless of the vendor or the date purchased. Typical forms that are acceptable to the BSA include receipts of purchase and invoices from authorized vendors. If software is pre-installed on a computer, a company may be able to obtain documentation from the manufacturer showing all such software on that computer.
Once all of the information related to installations and licenses is gathered, it is submitted to the BSA for review. The review may be a lengthy process, usually ultimately culminating in a settlement offer, which is typically negotiated downward. It is therefore key to submit all information proving proper licensing to decrease the total settlement. By obtaining a lower opening settlement offer, a company can reduce total exposure in negotiations.
]]>This process varies depending on the size of the company and the number of computers within the scope of the audit. A small company with very few computers has more cost-effective options, such as using a free scan tool to inspect their computers, conduct hard drive imaging, or simply logging on to the computers to determine what is installed.
However, there are numerous methods of inspecting and reporting software installations, and because of the complexities facing companies with many computers, it often is more effective to use a network scanning tool to determine installations on computers.
After selecting and deploying the scanning tool that is most effective for a company’s needs, a company should review the raw inventory results to determine if there are any errors in the results. It is not uncommon for inventory tools to report the presence of a software product on a computer even after the company has taken steps to remove the product. In addition, there are several product-specific pitfalls to avoid. For example, it is common for older versions of the free Adobe Reader to appear in inventory results as the full Acrobat product. Also, a computer may appear to have a full Microsoft Office suite, when one component, such as Microsoft Word, is the only product from the suite that actually is installed. Each of these items can make a significant difference in a company’s exposure.
Finally, companies also should use a review of their software inventory results to determine which software products they need going forward. BSA settlements typically require companies to certify their compliance with applicable software agreements as of the date of settlement, and it is advisable to begin the compliance review as soon as possible. For example, it is often the case that a company does not require the full Adobe Acrobat, but could meet their needs using the Adobe Reader tool.
]]>Often, one of the most important provisions, aside from the sections resolving a company’s alleged liability for copyright infringement, consists of language (if any) pertaining to confidentiality. Unless a company requests a confidentiality provision to be included in the settlement agreement, the BSA often will issue a press release detailing the investigation of the company and the terms and cost of settlement. Many businesses understandably seek to avoid this type of publicity. If included in the settlement agreement, the confidentiality provision provides protection from the public release of information and prohibits the BSA from disclosing the terms of the settlement. However, it is important to note that this provision does not protect against court-ordered subpoenas or against the release of information by the BSA to the software companies it represents.
It is also important to note that this provision often comes at a cost. The BSA regularly significantly increases the settlement price if a company seeks confidentiality. Companies therefore often choose not to include a confidentiality provision, but they should be prepared for the press release detailing each alleged violation of licensing agreements and the amount paid to the BSA in fines. If the company chooses not to purchase confidentiality, the BSA often will allow the business to review a proposed release prior to publication and to provide a quote to include with the release.
Businesses negotiating the resolution of a BSA-initiated audit matter should carefully consider with counsel whether the benefits of a confidentiality provision outweigh its cost, in light of that business’ location, industry, market share, and financial situation.
]]>A key part of reaching a settlement agreement is to resolve the potential liability arising from the BSA’s allegations of copyright infringement, so that the BSA cannot later file claims against the company for alleged violations that occurred prior to the settlement agreement. Before the BSA will agree to release its claims, however, the targeted company will need to negotiate an agreed settlement payment to the BSA. The negotiations process can vary in length, depending on the nature of claims, the BSA’s alleged damages, and whether or not the company wants to include certain provisions, such as a confidentiality clause, in the settlement agreement. After the parties reach an agreement on the payment amount, the BSA will propose a written agreement, which include its release of liability. The release is typically contingent on certain actions by the company, as defined in the settlement agreement. These include the company’s certification of present compliance, accompanied by up-to-date proof-of-purchase documentation, and a warranty that the company will continue to comply with licensing agreements in the future, among others.
It is important to note that if the BSA subsequently learns that a company did not fully disclose all information during the audit process, or that it later did not comply with applicable licensing requirements, it may hold the company in breach of the settlement agreement and pursue legal action. In order to prevent this, it is vital that a targeted company consult with knowledgeable, experienced counsel to assist it with mitigation strategies, settlement negotiation and compliance advice.
]]>The Business Software Alliance’s primary enforcement tool is to send a threatening letter indicating that an investigation has commenced and offering to forego litigation if the target company provides a self-audit. A self-audit consists of a listing of all BSA member software running on a company’s computer networks, appropriate indicia of ownership for the software comprised of dated proofs of purchase for each title. It is important to note that companies are usually under no legal obligation to cooperate with the Business Software Alliance. In most instances, however, cooperation will yield the most cost effective resolution. But, that is not necessarily always the case.
Cooperating Carefully with BSA
I usually advise my clients to cooperate with the BSA, but to do so without compromising any legal rights. Prior to submitting audit materials on behalf of clients we require that the BSA sign a contract protecting the confidentiality of the audit materials and ensuring that the audit materials will not be used in court if the case cannot be settled informally.
BSA Settlement Demands
The Business Software Alliance has developed a standard formula for assessing fines as part of its settlement process. It is important to note that the BSA is not a governmental entity and has no independent authority to levy an enforceable fine. Business Software Alliance fines are therefore merely offered in settlement to avoid litigation and, like all pre-litigation settlement offers, are negotiable with the help of experienced counsel.
The BSA's methodology for calculating fines starts by treating as unlicensed all software products for which there is a lack of adequate documentation, including dated proofs of purchase. All proofs of purchase must be dated prior to the Business Software Alliance's initial letter to be considered valid evidence. Because companies may not always have access to the requisite dated proofs of purchase, the BSA's proposed fines are often based, in part, on software titles that companies legally own and properly acquired.
The Business Software Alliance also unbundles the products in software suites such as Microsoft Office and Adobe Creative Suite. So instead of proposing a fine based upon one copy of Microsoft Office, the BSA proposes a fine for Microsoft Outlook, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. The result is a proposed fine of $1,126 for a product that retails for $339.
After disallowing credit for valid software without dated proofs of purchase and unbundling all software suites, the Business Software Alliance then applies an arbitrary multiple of three times the full retail price for each software title. Accordingly, one allegedly unlicensed copy of Microsoft Office will carry a proposed fine of $ 2,252.
To add insult to injury, the Business Software Alliance’s proposed fine will include a line item for $3,500 to pay the BSA’s attorney’s fees. While this is not usually a large number as a percentage, it should be taken into account when considering potential exposure. To calculate your potential exposure, use our Business Software Alliance Fine Calculator, http://www.bsadefense.com/resources-fine-calculator.asp.
]]>
Questions regarding client access most often arise in relation to installations of certain server-based Microsoft products, such as SQL Server database software, Exchange Server messaging software, and the Windows Server operating system software. License agreements often (though not always) require that business purchase two types of licenses for these products: one license for the server product installation and client access licenses (CALs) for each user or networked device accessing that product. In other words, a Windows-based file server in a network with ten workstations accessing shared files on that server would require one product license for the server installation and ten device CALs to allow the workstations to connect to and access information on the server.
During audit investigations, the BSA usually requests that targeted businesses disclose the number of server product installations, the number of workstations or users accessing those installations, and the number of CALs purchased by the businesses (with proofs of purchase for all licenses claimed). However, that information is essentially inconsistent with the stated aim of most audit engagements, in that a client access instance is not a software product that can be copied – it is, rather, a mechanism that Microsoft uses to increase its revenue from server product licensing based on the nature of a particular product deployment. Unlike the unauthorized installation and use of a software product, which in most cases constitutes copyright infringement, access to a server product without a CAL can only serve as the basis for a claim of copyright infringement to the extent that the CAL rules constitute conditions on the product license or restrictions on the license scope. Were the matter to be litigated, that issue likely would turn into a fact question.
The Ninth Circuit has summarized the legal issue as follows:
Whether this is a copyright or a contract case turns on whether the [license provisions at issue] help define the scope of the license. Generally, a copyright owner who grants a nonexclusive license to use his copyrighted material waives his right to sue the licensee for copyright infringement and can sue only for breach of contract. If, however, a license is limited in scope and the licensee acts outside the scope, the licensor can bring an action for copyright infringement.
Sun Microsystems, Inc. v. Microsoft Corp., 188 F.3d 1115, 1121 (1999).
There is no doubt that the BSA and Microsoft would (and do) argue that the CAL provisions constitute a restriction on the scope of the server product license. However, those arguments likely would not be dispositive at trial, and a court would (or, at least, should) look to other factors, such as the facts that the Microsoft EULAs are essentially one-sided, non-negotiable contracts of adhesion and that the interests protected by the provisions are revenue-oriented, rather than intellectual property-oriented.
However, it is possible that none of those finer legal points will result in significant traction during a BSA investigation and that the BSA will refuse to provide a release at settlement (if necessary) for server product installations without client access information. At this stage, it is essential for a targeted business to carefully weigh the pros and cons of disclosing the CAL information. For larger environments, an absence of documentation for CALs could result in significantly higher exposure at settlement, possibly making a refusal to disclose client access information, even in the face of not receiving a release for the server products, a preferable option. This is an analysis in which the opinion of a knowledgeable and experienced attorney often will be exceptionally valuable.
]]>The article’s sources appear to base their suggestions on a combination of personal experience and, perhaps, assumptions about the BSA’s operating procedures in U.K.-based software audit matters. One source is cited as suggesting that “companies being chased to complete audits should only do so if the BSA is willing to disclose why they are being targeted, which is something it would have to do as part of any litigation process.”
However, at least in U.S.-based audit matters, the BSA is generally unwilling in any circumstances short of a federal lawsuit to disclose any information regarding the source of its information. In addition, the BSA in the U.S. operates under powers of attorney signed by the software publisher-members it represents, and it has, in the past, shown itself to be willing to pursue software audit matters in court, in the event that business targets either refuse to co-operate with its audit demands or provide information that materially and significantly diverges from the information obtained from its confidential sources.
Notwithstanding the understandable reservations many businesses may have – and should have – regarding disclosing otherwise confidential information to third parties, businesses confronted by the BSA with allegations of software copyright infringement should, at the very least, engage knowledgeable counsel in an effort to evaluate the advisability of co-operating with such demands based on all of the facts. For most businesses in that situation, it will make more sense to co-operate with the BSA in reaching an out-of-court resolution. Such an informal process allows a business to control the flow of information to the BSA and to preserve the confidentiality of any negotiated resolution. Costs and expenses associated with co-operation also generally are significantly less than those associated with a federal lawsuit, and the potential for a lower agreed settlement amount usually will be greater as well.
There are exceptions, of course, and it is equally important to keep in mind that it may make more sense, for any number of reasons, either to refuse to co-operate or, possibly, to file a pre-emptive lawsuit, usually in the form of a request that a court issue a declaratory judgment regarding the absence of copyright infringement. Again, however, these are decisions that businesses must make only after consulting with an attorney who is knowledgeable regarding the issues presented and the potential for exposure.
]]>
Most recently, the newest software publisher to join the BSA is Sheba Distribution, a division of Garmin Ltd., producer of the popular Garmin navigation and communication devices. Avid, EMC Corporation, Parametric Technology Corporation (PTC), and Synopsys have been removed from the BSA member list. Avid publishes popular video and media editing software such as Media Composer Mojo and Symphony Nitris. Avid also owns media and graphics software companies Digidesign, Pinnacle Systems, M-Audio, Sibelius, Sundance Digital, and formerly, Soft Image. EMC Corporation is a technology company offering a range of network, data recovery, and information management products and consulting services. EMC also owns virtual machine software company VMWare. PTC publishes the popular engineering design software PRO/Engineer. Synopsys publishes software and offers services used in the semiconductor industry.
A BSA audit can be a costly engagement for any business. Maintaining software license compliance will help prevent your business from exposing itself to the unneeded expense of a lawsuit or settlement with the BSA. Businesses that do not manage their licenses and installations on an ongoing basis by performing self-audits may find themselves performing an audit in the context of a BSA matter. Businesses should strongly consider deploying software audit solutions that manage both their installations and licenses and protect the information under an attorney-client privilege.
To view the current list of BSA members, click http://www.bsa.org/about-bsa/bsa-membership/bsa-global-members.
]]>Once a report is received, the Business Software Alliance makes a decision about whether to request a self-audit or to immediately file suit. In the overwhelming majority of cases, the Business Software Alliance pursues the self-audit approach. Acting either through an internal enforcement attorney or an outside law firm, the BSA will send a letter to the target company requesting a self-audit. The request for an audit is a critical stage in the process, and the time when an experienced attorney can help your business the most.
]]>Click the link below to listen to the Business Software Alliance’s Radio Campaign as reported by ABC News:
Business Software Alliance Report
Click the link below to listen to the Full Report on Business Software Alliance by ABC News:
]]>The Business Software Alliance (“BSA”), a trade association representing a number of software manufacturers, routinely updates its published member list list of members on its website. Staying current on the BSA's list of active members is important because the list indicates which software publishers may be included in a BSA-initiated software audit. The BSA generally provides in its initial notice letter to a business an enumerated list of the software publishers at issue in the matter. However, new publishers will become members of the BSA, and will be included in audits initiated by BSA members. Knowing which software publishers the BSA represents will help a business respond appropriately to a BSA audit.
Currently, Corel is listed as a BSA member. Corel publishes the widely-used software CorelDRAW Graphics Suite ® and the office productivity suite WordPerfect Office ®. EMC Corporation is a new addition to the BSA's list. EMC publishes the document management product ApplicationXtender and its web interface, WebXtender.
Siemens PLM (Product Lifecycle Management) recently acquired UGS Corporation, making both BSA members. Other new members include Synopsis, Inc., SAP, Quest Software, Inc., Parametric Technology Corporation (PTC), Monotype Imaging, and Quark Inc., producers of QuarkXpress ®.
Keeping an eye on the BSA member list will provide your business with visibility into what publishers would be implicated in a BSA audit. Counsel experienced with handling BSA matters can help your business manage its software licensing and avoid potential losses associated with a BSA investigation.
]]>
The Business Software Alliance (BSA) recently lent its support to legislation pending in the U.S. Congress that would expand the scope and power of federal criminal law pertaining to IT security matters. Under the “Cyber-Security Enhancement Act of 2007” (CSEA), section 1030 of the federal criminal code would be amended to include new offenses of extortion based on threats to gain unauthorized access to a computer and of conspiracy to commit any of the IT-related crimes defined in section 1030. More significantly, the bill would create another new offense directed at anyone who:
…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains a unique electronic identification number, address or routing code, or access device (as defined in section 1029(e)(1)), from a protected computer.
The term “exceeds authorized access” already is defined elsewhere to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” In addition, the bill amends the previous definition of “protected computer” to include any computer “affecting interstate or foreign commerce or communication” (which would seem to include any computer that is publicly accessible through the Internet). Finally, the bill would include all of these offenses, along with the other section 1030 offenses, as predicates for prosecution (as well as civil liability) under the Racketeer Influenced and Corrupt Organizations Act (RICO).
It is undoubtedly important to give law enforcement all the tools that it needs to combat organized efforts to infiltrate secure computer networks and the sensitive personal information that many of them contain (an objective that CSEA also pursues through greater funding for federal investigations into cyber-crime). However, in pursuing this end, the CSEA and its supporters seem to be casting a very wide net indeed. Questions concerning what constitutes “authorized” access or information to which a user is or is not “entitled” on a web-accessible computer could mean that more than just hardened cyber-criminals end up getting caught in CSEA’s sweep. The surprisingly broad scope of the bill, coupled with the new link to RICO and the private civil suits that statute allows, may also mean that we could see an up-tick in IT-related litigation in coming years, should CSEA see its way through to passage. It will be interesting to watch this bills progress in coming weeks and months.
You can read the text of the bill here.
]]>
Many companies who comply with a demand by a software publisher or industry association (such as the BSA or the SIIA) for an internal software audit end up facing significant settlement demands after forwarding their audit materials to the other side. One of the reasons the settlement demands often are so high is the fact that the auditing entities frequently base their demands, in part, on the “unbundled” price of software suites. Thus, where a company may expect to pay a fine based on the MSRP of, for example, one undocumented installation Microsoft Office Professional 2007 ($679), it likely will end up receiving a settlement demand based on the combined MSRPs of each of the components of that undocumented suite: Word ($229), Excel ($229), PowerPoint ($229), Outlook ($110), Publisher ($169), and Access ($229), all totaling $1195. In a typical case these difference add tens of thousands of dollars to the amount in controversy.
Another way in which publishers or auditing entities raise the amount in controversy in software audits is the attempt to assess separate “fines” for each allegedly infringing installation of a software product. Thus, a company reporting just ten undocumented installations of Office Professional 2007, with no other licensing shortfalls, may receive a settlement offer based on the combined, “unbundled” MSRPs of the component products totaling just shy of $12,000. Moreover, that is before the auditing entity applies any multipliers to that figure (yet another common tactic) or makes any assessments for their claimed legal fees, both of which factors may drive the opening settlement offer in the above example to $40,000 or more.
It is not difficult to see how owners of small to medium businesses who think that they have a handle on their financial exposure in a software audit matter often end up with truly unpleasant surprises after submitting audit materials to the BSA or SIIA that they may have believed would be negotiating on a more equitable basis.
If your business has been accused of software “piracy” and is responding to a software audit demand either from a software publisher like Autodesk or from the BSA or the SIIA, an experienced attorney can give you visibility into the process and help you avoid unpleasant surprises.
]]>
If your company has received a letter from the BSA requesting a software audit, you are probably wondering whether you should cooperate or tell the BSA to pound sand. I advise my clients to cooperate but to do so in a manner that will not jeopardize their legal position in the event that cooperation does not result in an acceptable out-of-court settlement. This advice is predicated on the fact that business clients almost universally seek a resolution that has the lowest total costs and the most predictability. In BSA audits, these costs are software licensing fees, fines payable to the BSA, attorney’s fees, organizational impact, and the potential damage to brand associated with negative publicity. In my experience, a properly handled BSA audit can always be resolved for a lower total cost through cooperation than through litigation.
Most importantly, cooperation does not preclude litigation in the future if the BSA is unreasonable in its approach to settlement. In other words, you can always go to court if the out-of-court, lower total cost approach is not satisfactory. However, we have seen audit targets and other lawyers make several mistakes that actually detriment their legal position during negotiations with the BSA. The two critical success factors to properly handling a BSA audit or making sure that the information gathered during the process, which would not otherwise be discoverable in a court proceeding, is protected by attorney work-product and attorney client privileges. In addition, no information should be provided to the BSA unless and until the BSA agrees that the information is governed by Federal Rule of Evidence 408 and therefore will not be admissible in court if an out-of-court resolution is not reached with the BSA. The only time I have deviated from this advice has been where the audited entity was not a viable going concern and the principal(s) were judgment proof. If you have been contacted by the BSA, you should contact an experienced attorney to assist you with strategy.
]]>
One of the first things I ask a prospective client is: What is the date on the initial letter you received from the BSA? The date on the initial in a BSA letter is often referred to as the Audit Effective Date. This date is important for many reasons. I like to tell my clients that a BSA audit measures a snap-shot in time – what BSA member software was installed on the company’s computers as of the Audit Effective Date. Once you have an accurate inventory of what was installed on the Audit Effective Date the next step is to determine what proofs of purchase are available to establish purchases prior to the Audit Effective Date.
When a BSA audit matter is settled, the target is required to certify that the audit results provided during the course of negotiations are true and correct as of the Audit Effective Date. For this reason uninstalling software that was installed on the effective date, or purchasing software products after the effective date have no impact on the BSA’s calculation of fines in BSA audits. It is critical to obtain an accurate inventory of the software installed on the target company’s computers as quickly as possible following receipt of the initial letter from the BSA. Failure to understand the importance of the Audit Effective Date, has caused companies to go on software buying sprees in response to a BSA audit and to report results to the BSA reflecting the software installed on a date after the Audit Effective Date. I believe that both of these strategies are mistakes that should be avoided.
]]>
Preparation of Audit Materials (3 to 6 months)
A BSA audit is a request, under threat of litigation, to compile a listing of all BSA member software products installed on the audited entity’s computer network as of the Audit Effective Date. The Audit Effective Date is the date on the BSA initial letter requesting an audit. The first step in preparing this information is conducting an automated inventory of the software products installed on all computers owned or leased by the target company. Once an accurate inventory of the BSA member software products is completed, the next step is to reconcile the software inventory information with proofs of purchase dated prior to the audit effective date. While there are various ways to prove ownership of a software license, typically an invoice is considered the best evidence of ownership in a BSA audit. In the typical case, the inventory and reconciliation process takes three to six months.
Secure a Confidentiality and Federal Rule of Evidence 408 Agreement (1 week)
With very limited exceptions, we advise the targets of BSA audits to cooperate with the self-audit process but to do so in a way that does not compromise their position in the event that an out of court settlement is not possible. We do not disclose any information to the BSA until it signs an agreement regarding the confidentiality of the information disclosed and specifically limiting the BSA’s ability to introduce the information as evidence in court. In the typical case, the BSA will sign our standard agreement within one week.
BSA Analyzes Self-Audit Materials and Makes a Settlement Demand (3 to 6 months)
After the self-audit materials are submitted by the target of a BSA audit, the Business Software Alliance typically takes three to six months to respond. The BSA’s response provides its interpretation of the self-audit materials and applies a formula for its initial settlement proposal. The BSA’s formula for calculating fines is generally three times the unbundled full retail price of the software products installed on the target’s computers plus $3,500 for BSA’s attorney’s fees. In many instances, the BSA’s settlement proposal is substantially more than the target may have expected due to differences of opinion regarding what constitutes valid proof of ownership. In our experience, the BSA usually takes three to six months to make substantive response following the submission of the self-audit materials.
Negotiation of Monetary and Non-Monetary Terms of Settlement (6 to 24 months)
After the BSA makes its initial settlement demand, there are various monetary and non-monetary terms that need to be negotiated. The obvious material term in every BSA audit negotiation is the amount of any monetary amount to be paid to the BSA for alleged past infringement. The most significant non-monetary issue is whether the BSA will agree to a confidentiality provision. Such provisions require the BSA to keep the existence and details of the audit confidential and precluded BSA from issuing a press release. Negotiations over confidentiality provisions can be extremely protracted as the BSA agrees to such provisions in only very limited circumstances. Other non-monetary provisions include future obligations such as certifications of compliance, adoption of a software code of ethics, and production of additional proofs of purchase to the BSA for purchases made after the audit effective date. The length of the negotiation process differs from case to case but generally lasts between six months and two years.
The effect of unbundling is to dramatically and artificially inflate the monetary component of a BSA settlement because the BSA calculates its fine based upon the MSRP of each component part of the software. In a BSA audit involving Microsoft Office for example, the BSA unbundles the suite by separating Microsoft Outlook, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Access and then calculates its proposed fine on the basis of the MSRP of each component. This practice results in a proposed fine per installation of approximately $2,000 for a product with a market price ranging from $150 to $350, depending on the version.
In my opinion, the BSA’s practice of unbundling is completely contrary to law because the software suites of BSA member publishers are compilations under the copyright law and therefore constitute a single work for purposes of calculating statutory damages for infringement. The U.S. Copyright Act 17 U.S.C. § 101(c) defines a compilation as follows:
“A "compilation" is a work formed by the collection and assembling of preexisting materials or of data that are selected, coordinated, or arranged in such a way that the resulting work as a whole constitutes an original work of authorship. The term "compilation" includes collective works.”
The statutory damages provision of the U.S. Copyright Act 17 U.S.C. § 504(c) provides in pertinent part that:
For the purposes of this subsection, all the parts of a compilation or derivative work constitute one work.
Federal court’s have also interpreted these provisions to preclude recovery of statutory damages for the component parts of a compilation. For example, in XOOM v. Imageline, the Court of Appeals for the Fourth Circuit only made one statutory damage award for each compilation of electronic clip art, even though each compilation included thousands of works because “[a]lthough parts of a compilation or derivative work may be ‘regarded as independent works for other purposes[,]’ for purposes of statutory damages, they constitute one work.” XOOM v. Imageline at 285, citing H.R. Rep. No. 94-1476, at 162 (1976).
Similarly, in WB Music Corp. v. RTV Communications Group, 445 F.3d 538 (2d Cir. 2006) the Court of Appeals for the Second Circuit interpreted 17 U.S.C. § 504(c) and discussed the distinction between compilations authorized by the copyright holder that constitute “one work” for statutory damages purposes and collections of separate works compiled by the defendant and never authorized by the copyright holder. Because the software suites implicated in BSA audits involve separately copyrighted works included in a compilation authorized by the copyright owners, section 504(c) applies and prohibits the award of statutory damages for the component parts of the suite.
A New Definition of Software Piracy
What is software piracy? Like many politically charged phrases, the definition of software piracy is influenced by your financial interests and your viewpoint. The Business Software Alliance defines software piracy as:
“The illegal use and/or distribution of software protected under intellectual property laws.”
The Business Software Alliance specifically includes unintentional business overuse in its definition of software piracy as follows:
“End-user piracy occurs when an individual or organization reproduces and/or uses unlicensed copies of software for its operations.”
Armed with this definition of software piracy, the Business Software Alliance pursues global “anti-piracy” campaigns that include the targeting of many small to medium sized companies. The Business Software Alliance accuses these companies of engaging in software piracy and threatens them with litigation unless they voluntarily undergo a self audit. In my experience, the vast majority of the companies targeted by the Business Software Alliance are not pirates under anyone’s definition, they have merely failed to maintain financial records related to software purchases that no one, including the software companies, ever told them they were required to keep. In addition, the targets of Business Software Alliance audits are not pirates because they never intended to violate software licenses or copyright laws.
Scott & Scott’s Definition of Software Piracy
“Software Piracy is the distribution of counterfeit software and/or use or distribution of authentic software constituting the intentional violation of intellectual property laws.”
Our definition of software piracy differs from that used by the Business Software Alliance in that our definition adds emphasis to counterfeiting and expressly excludes the unintentional over deployment of software by end users. Piracy implies theft which under the law requires intent. Any definition of software piracy that includes unintentional over deployment should be rejected. The definition used by the software industry and the Business Software Alliance improperly characterizes software owners as thieves because they have been, at most, negligent in the management of their software assets and documents.
]]>
The first thing a target of BSA audit needs to do is preserve the evidence of BSA member software products installed on the company’s computers as of the audit effective date. Second, the software installed needs to be reconciled against proofs of purchase information to determine whether there is gap between licenses owned and software installed. Third, a decision needs to be made regarding whether to purchase or uninstall any unlicensed software. The BSA audits only those products installed as of the audit effective date, and accepts only proofs of purchase dated on or before that date.
I advise my clients that regardless of what was installed on the audit effective date, they only need to purchase software licenses for products that they need to use going forward. Although it will not resolve past liability, companies may choose to uninstall unlicensed BSA member products at the conclusion of the audit matter, rather than purchase unnecessary software simply because it was installed on the effective date. At the conclusion of a BSA matter, the target must certify that it has come into compliance through the combination of buying and\or uninstalling.
]]>