In a recent press release, the SIIA announced a settlement with a California building-contractor company that it had accused of internally copying and distributing to its employees a newsletter about California occupational health and safety, for which it had purchased only a single subscription. The inclusion or amount of any monetary penalty included among the settlement terms is not mentioned in the press release. However, in our experience the SIIA rarely releases any claim without requiring a targeted business to pay a significant fine. In addition, any kind of copyright-related investigation is almost always disruptive and costly to a business’ daily operations.

Notwithstanding the SIIA’s slickly pejorative labeling of such companies as content “pirates,” many business owners and managers simply are unaware of all of the implications of using or distributing original content that they purchase – be it newsletters or desktop software. In cases where content acquired from third parties is not clearly described in a written license agreement that company management has read and understands, it makes sense to consult with legal counsel before making assumptions about if and how that content may be accessed, copied, distributed, or incorporated with other company deliverables. And if the SIIA comes knocking with an audit demand, the very first call should be an attorney who is knowledgeable regarding the legal and strategic implications of acceding to that demand.

Because computer networks may change rapidly, the auditors need to identify a moment in time for which they can ask the audited business, “Did you have all of the licenses for the software installed on your computers?”  If the answer is yes, the auditing entity will typically close its file.  If the answer is no, the auditing entity will claim the business engaged in copyright infringement on the effective date.  The business’ representation that it was compliant after the effective date has no bearing on whether the business engaged in copyright infringement on the effective date.  If the matter proceeds to a lawsuit, the auditor likely would claim that the business infringed its or its members’ copyrights on the effective date.

The auditing entity typically demands proof of purchase documentation that demonstrates the ownership of a sufficient number of licenses on or before the effective date.  Software purchased after the effective date is not relevant to the audit.  Locating, reviewing, and compiling the proof of purchase documentation is a collective effort that often requires coordination among various individuals and departments within an organization.  In addition, identifying and listing all of the software on the company’s computers as of the effective date may be made doubly difficult when computers contain large amounts of software irrelevant to the audit. It is also important to keep in mind that software environments change as computers are added, decommissioned, and rebuilt with the ebb and flow of HR turnover.

If you have been contacted by an auditing entity such as the BSA, the SIIA, or a software publisher, you should proceed with caution and should familiarize yourself with the typical process for such software audits.  Experienced counsel can help to guide you through that process and to avoid unnecessarily large expenses.

The audit process is lengthy and arduous and often is affected by costly mistakes.  One of those mistakes involves the use of an inadequate tool to conduct the kind of audit called for by the auditing entity. There are many ways a business may tackle the audit process.  It may hire a law firm that specializes in software audits to conduct the review, it may hire external IT consultants, or it may proceed with its own in-house software audit.  The BSA often suggests a number of tools to assist with a self-audit, sometimes including Novell, Symantec, Frontrange Solutions,  Belarc and Spiceworks. Many of those tools are available for little or no licensing fee, making them appear to be attractive alternatives.

However, if a company chooses to conduct a self-audit, it is essential to verify the results produced by the tool deployed prior to submitting any information to the BSA or SIIA.  Often, software audit tools are not sophisticated enough to discern between free trial software or remnants from previous installations and full installations of licensable software products within the scope of the audit.  Over-reporting can carry significant consequences, because each product mistakenly reported as a full version for which a business is unable to demonstrate license ownership typically entails a penalty at settlement based on the MSRP of that product.  The BSA then typically applies a multiplier for each product included in its settlement offer calculations.

For these reasons, it is important when conducting an in-house software audit to carefully look for any mistakes in the audit results and to ensure that those results accurately reflect what was installed as of the effective date of the audit requested by the BSA or SIIA.  If there is any doubt regarding the accuracy of those results, it is vital to seek the advice of a knowledgeable attorney or consultant prior to submitting any information to the auditing entity.

After an SIIA settlement, the audited company must submit a list of software products together with the proof-of-purchase documentation for software it purchased after the date the SIIA sent its initial letter. If the company includes in its list of purchased software any products sold by vendors not authorized to sell an SIIA-member publisher’s software, the SIIA will require the audited company to repurchase the software from an authorized reseller. Companies that do not carefully investigate their vendors’ authorization to sell software may encounter significant unnecessary expenses in repurchasing identical software products. The inability to return most opened software makes purchasing software from unauthorized resellers even more risky.

If your company has been audited by the SIIA, you should contact counsel experienced in guiding companies through the audit matter process to help protect your company from unplanned expenses and unnecessary repurchase of software.

Another way in which publishers or auditing entities raise the amount in controversy in software audits is the attempt to assess separate “fines” for each allegedly infringing installation of a software product. Thus, a company reporting just ten undocumented installations of Office Professional 2007, with no other licensing shortfalls, may receive a settlement offer based on the combined, “unbundled” MSRPs of the component products totaling just shy of $12,000. Moreover, that is before the auditing entity applies any multipliers to that figure (yet another common tactic) or makes any assessments for their claimed legal fees, both of which factors may drive the opening settlement offer in the above example to $40,000 or more.

It is not difficult to see how owners of small to medium businesses who think that they have a handle on their financial exposure in a software audit matter often end up with truly unpleasant surprises after submitting audit materials to the BSA or SIIA that they may have believed would be negotiating on a more equitable basis.

If your business has been accused of software “piracy” and is responding to a software audit demand either from a software publisher like Autodesk or from the BSA or the SIIA, an experienced attorney can give you visibility into the process and help you avoid unpleasant surprises.

Not Considered Valid Proof
1. Copies of Checks to Software Vendors
2. Dated Purchase Orders
3. Undated Software Licenses
4. Credit Card Statements Evidencing Software Purchases
5. Certificates of Authenticity
6. Media, Manuals, or Key-Codes
7. Invoices Bearing and Entity Name Other than the Entity Named in the SIIA’s Initial Letter

Valid Proof of Purchase
1. Dated Invoices in the Name of the Audited Entity
2. Soft Records (online account statements) from Recognized Resellers
3. Signed and Dated License Agreements
4. Soft Records from SIIA Member’s such as Microsoft Licensing Statements
5. Cash Register Receipts for Retail Sales where Product, Version, Quantity and Price Paid are Included.

Understanding how the SIIA analyzes software audit materials is critically important to achieving the most favorable outcome. In our experience, it is the most time consuming and difficult part of the process for clients to handle on their own.

Scott & Scott, LLP is not affiliated in any way with the SIIA.

• Hire an Attorney – BSA and SIIA have experienced software piracy attorneys working for them, you should too.
• Preserve Evidence – do not uninstall or change computer configurations until an accurate inventory of in-scope computers has been gathered.
• Avoid Knee-Jerk Purchases – a natural but counterproductive response to a software piracy audit is to run out and purchase software. I advise my clients to avoid making purchases until a complete inventory and case assessment has been completed.
• Maintain Confidentiality – client prepared audit materials and related documentation may be discoverable in a lawsuit. We conduct attorney-supervised audit reports protected by attorney-client and attorney work-product privileges.
• Condition Audit Disclosure – software piracy audit materials should only be disclosed after an appropriate agreement regarding confidentiality and non-use of the information has been signed by the software piracy enforcement agency.
• Estimate Software Piracy Fines – always review the draft audit materials with your attorney before they are produced to make sure everyone is clear on the potential financial exposure involved. Our software piracy fine calculators are available at: BSA Fine Calculator and SIIA Fine Calculator
• Argue Software Piracy Legal Issues – there are many legal issues involved in software piracy audits including what constitutes infringement, who has the burden of proof, how damages should be calculated, what constitutes proof of ownership and many others. We vigorously argue these legal points in an effort to reduce software piracy settlement demands.
• Negotiate Non-Monetary Terms – software piracy audit settlement agreements are incredibly one-sided and unfair to the targets. I advise my clients to carefully consider important issues like future audit obligations, confidentiality of the settlement terms, the nature and scope of the release being offered.
• Focus on Your Business – the only way to be successful in a software piracy audit is to continue to stay focused on running your business and taking care of your clients.

If you have been accused of software piracy please call Scott & Scott, LLP for a free consultation.

Scott & Scott, LLP is not affiliated in any way with the SIIA.

When a SIIA audit matter is settled, the target is required to certify that the audit results provided during the course of negotiations are true and correct as of the Audit Effective Date. For this reason uninstalling software that was installed on the effective date, or purchasing software products after the effective date have no impact on the SIIA’s calculation of fines in SIIA audits. It is critical to obtain an accurate inventory of the software installed on the target company’s computers as quickly as possible following receipt of the initial letter from the SIIA. Failure to understand the importance of the Audit Effective Date, has caused companies to go on software buying sprees in response to a SIIA audit and to report results to the SIIA reflecting the software installed on a date after the Audit Effective Date. I believe that both of these strategies are mistakes that should be avoided.

Scott & Scott, LLP is not affiliated in any way with the SIIA.

The effect of unbundling is to dramatically and artificially inflate the monetary component of a SIIA settlement because the SIIA calculates its fine based upon the MSRP of each component part of the software. In a SIIA audit involving Microsoft Office for example, the SIIA unbundles the suite by separating Microsoft Outlook, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Access and then calculates its proposed fine on the basis of the MSRP of each component. This practice results in a proposed fine per installation of approximately $2,000 for a product with a market price ranging from $150 to $350, depending on the version.

In my opinion, the SIIA’s practice of undbundling is completely contrary to law because the software suites of SIIA member publishers are compilations under the copyright law and therefore constitute a single work for purposes of calculating statutory damages for infringement. The U.S. Copyright Act 17 U.S.C. § 101(c) defines a compilation as follows:

A "compilation" is a work formed by the collection and assembling of preexisting materials or of data that are selected, coordinated, or arranged in such a way that the resulting work as a whole constitutes an original work of authorship. The term "compilation" includes collective works.”

The statutory damages provision of the U.S. Copyright Act 17 U.S.C. § 504(c) provides in pertinent part that:

For the purposes of this subsection, all the parts of a compilation or derivative work constitute one work.

Federal court’s have also interpreted these provisions to preclude recovery of statutory damages for the component parts of a compilation. For example, in XOOM v. Imageline, the Court of Appeals for the Fourth Circuit only made one statutory damage award for each compilation of electronic clip art, even though each compilation included thousands of works because “[a]lthough parts of a compilation or derivative work may be ‘regarded as independent works for other purposes[,]’ for purposes of statutory damages, they constitute one work.” XOOM v. Imageline at 285, citing H.R. Rep. No. 94-1476, at 162 (1976).

Similarly, in WB Music Corp. v. RTV Communications Group, 445 F.3d 538 (2d Cir. 2006) the Court of Appeals for the Second Circuit interpreted 17 U.S.C. § 504(c) and discussed the distinction between compilations authorized by the copyright holder that constitute “one work” for statutory damages purposes and collections of separate works compiled by the defendant and never authorized by the copyright holder. Because the software suites implicated in SIIA audits involve separately copyrighted works included in a compilation authorized by the copyright owners, section 504(c) applies and prohibits the award of statutory damages for the component parts of the suite.

Scott & Scott, LLP is not affiliated in any way with the SIIA.

The Software & Information Industry Association specifically includes unintentional business overuse in its definition of software piracy as follows:

“Softlifting occurs when a person purchases a single licensed copy of a software program and loads it on several machines, in violation of the terms of the license agreement.”

Armed with this definition of software piracy, the Software & Information Industry Association pursues global “anti-piracy” campaigns that include the targeting of many small to medium sized companies. The Software & Information Industry Association accuses these companies of engaging in software piracy and threatens them with litigation unless they voluntarily undergo a self audit. In my experience, the vast majority of the companies targeted by the Software & Information Industry Association are not pirates under anyone’s definition, they have merely failed to maintain financial records related to software purchases that no one, including the software companies, ever told them they were required to keep. In addition, the targets of Software & Information Industry Association audits are not pirates because they never intended to violate software licenses or copyright laws.

Scott & Scott’s Definition of Software Piracy

“Software Piracy is the distribution of counterfeit software and/or use or distribution of authentic software constituting the intentional violation of intellectual property laws.”

Our definition of software piracy differs from that used by the Software & Information Industry Association in that our definition adds emphasis to counterfeiting and expressly excludes the unintentional over deployment of software by end users. Piracy implies theft which under the law requires intent. Any definition of software piracy that includes unintentional over deployment should be rejected. The definition used by the software industry and the Software & Information Industry Association improperly characterizes software owners as thieves because they have been, at most, negligent in the management of their software assets and documents. 

Scott & Scott, LLP is not affiliated in any way with the SIIA.

The first thing a target of SIIA audit needs to do is preserve the evidence of SIIA member software products installed on the company’s computers as of the audit effective date. Second, the software installed needs to be reconciled against proof of purchase information to determine whether there is gap between licenses owned and software installed. Third, a decision needs to be made regarding whether to purchase or uninstall any unlicensed software. The SIIA audits only those products installed as of the audit effective date, and accepts only proofs of purchase dated on or before that date.

I advise my clients that regardless of what was installed on the audit effective date, they only need to purchase software licenses for products that they need to use going forward. Although it will not resolve past liability, companies may choose to uninstall unlicensed SIIA member products at the conclusion of the audit matter, rather than purchase unnecessary software simply because it was installed on the effective date. At the conclusion of a SIIA matter, the target must certify that it has come into compliance through the combination of buying and\or uninstalling. 

Scott & Scott, LLP is not affiliated in any way with the SIIA.

Preparation of Audit Materials (3 to 6 months)

A SIIA audit is a request, under threat of litigation, to compile a listing of all SIIA member software products installed on the audited entity’s computer network as of the Audit Effective Date. The Audit Effective Date is the date on the SIIA initial letter requesting an audit. The first step in preparing this information is conducting an automated inventory of the software products installed on all computers owned or leased by the target company. Once an accurate inventory of the SIIA member software products is completed, the next step is to reconcile the software inventory information with proofs of purchase dated prior to the audit effective date. While there are various ways to prove ownership of a software license, typically an invoice is considered the best evidence of ownership in a SIIA audit. In the typical case, the inventory and reconciliation process takes three to six months.

Secure a Confidentiality and Federal Rule of Evidence 408 Agreement (1 week)

With very limited exceptions, we advise the targets of SIIA audits to cooperate with the self-audit process but to do so in a way that does not compromise their position in the event that an out of court settlement is not possible. We do not disclose any information to the SIIA until it signs an agreement regarding the confidentiality of the information disclosed and specifically limiting the SIIA’s ability to introduce the information as evidence in court. In the typical case, the SIIA will sign our standard agreement within one week.

SIIA Analyzes Self-Audit Materials and Makes a Settlement Demand (3 to 6 months)

After the self-audit materials are submitted by the target of a SIIA audit, the Software & Information Industry Association typically takes three to six months to respond. The SIIA’s response provides its interpretation of the self-audit materials and applies a formula for its initial settlement proposal. The SIIA’s formula for calculating fines is generally three times the unbundled full retail price of the software products installed on the target’s computers plus $3,500 for SIIA’s attorney’s fees. In many instances, the SIIA’s settlement proposal is substantially more than the target may have expected due to differences of opinion regarding what constitutes valid proof of ownership. In our experience, the SIIA usually takes three to six months to make substantive response following the submission of the self-audit materials.

Negotiation of Monetary and Non-Monetary Terms of Settlement (6 to 24 months)

After the SIIA makes its initial settlement demand, there are various monetary and non-monetary terms that need to be negotiated. The obvious material term in every SIIA audit negotiation is the amount of any monetary amount to be paid to the SIIA for alleged past infringement. The most significant non-monetary issue is whether the SIIA will agree to a confidentiality provision. Such provisions require the SIIA to keep the existence and details of the audit confidential and preclude the SIIA from issuing a press release. Other non-monetary provisions include future obligations such as certifications of compliance, adoption of a software code of ethics, and production of additional proofs of purchase to the SIIA for purchases made after the audit effective date. The length of the negotiation process differs from case to case but generally lasts between six months and two years.

Scott & Scott, LLP is not affiliated in any way with the SIIA.

The case began in May of 2005 when Solers filed a complaint against “John Doe” alleging one count of defamation and one count of tortious interference with prospective advantageous business opportunities. The complaint requested injunctive relief, compensatory damages, and punitive damages. Solers then issued a subpoena to SIIA seeking production of all documents related to the identity of Doe, Doe's initial report and his ensuing correspondence with SIIA, and all documents believed to be “evidence” of Solers' alleged copyright infringement. SIIA, which is not a party to the underlying suit, filed objections to the subpoena, and, in response, Solers moved to enforce the subpoena. SIIA then filed a motion to quash.  The Superior Court asked Solers to demonstrate financial or economic harm so that it could withstand a motion to dismiss on its claim of defamation. Solers was unable to identify any financial or economic harm at that time without the informant’s identity and the content of the informant’s report. The court dismissed the suit in its entirety for failure to state a claim upon which relief can be granted.

On appeal, the court established that speech on the Internet must be protected as any other speech but that such protection is limited. The right to speak anonymously, on the Internet or otherwise, is not absolute and does not protect speech that otherwise would be unprotected. Tests from other jurisdictions evaluating free speech rights in Internet defamation claims did not satisfy the court’s desire to fairly evaluate Solers’ interest in pursuing its defamation claim, SIIA’s interest in protecting Doe’s identity and, more generally, free speech rights for Internet communication. The court opted instead to develop a hybrid tests based on tests from other jurisdictions faced with the same issue.

When presented with a motion to quash (or to enforce) a subpoena seeking the identity of an anonymous defendant, the D.C. Court of Appeals stated that a court should:

(1) Ensure that the plaintiff has adequately pleaded the elements of the defamation claim,

(2) Require reasonable efforts to notify the anonymous defendant that the complaint has been filed and the subpoena has been served,

(3) Delay further action for a reasonable time to allow the defendant an opportunity to file a motion to quash,

(4) Require the plaintiff to proffer evidence creating a genuine issue of material fact on each element of the claim that is within its control, and

(5) Determine that the information sought is important to enable the plaintiff to proceed with his lawsuit. The court’s test does not require a separate balancing test at the end of the analysis, nor does it require a showing that the plaintiff has exhausted alternative sources for learning the information.

SIIA argued the court’s test would have a chilling effect on informant reports and that such speech would disappear. The court dismissed SIIA’s claims as hyperbole and stated that the test takes SIIA’s concerns into account.

The court determined that Solers need not demonstrate entitlement to judgment in its favor at this stage in the proceedings. Rather, Solers merely must show that it has a viable claim of defamation.  In other words, Solers must show that there is a genuine issue of material fact on each element of the claim that does not depend on knowledge of the defendant's identity. The court vacated the judgment of the Superior Court and remanded the case to give Solers an opportunity to present evidence supporting its claim of defamation.

This case, though not a carte blanche for businesses seeking to obtain the identity of informants who reported the business to the SIIA, BSA, or other software auditors, may prove helpful in recovering damages against informants who breached employment or confidentiality agreements signed with the business.  Alternatively, as in Solers’ case, business may elect to file defamation or interference with contract claims against the informants.

If you have been contacted by a software trade association alleging that your business engaged in copyright infringement, you should contact counsel experienced both in resolving software audit matters and pursuing other forms of relief to which you may be entitled.

Last month, the Software & Information Industry Association (SIIA) announced the first major settlement reached by its Corporate Content Anti-Piracy Program (CCAPP). The settlement was reached with Knowledge Networks, Inc. (KNI), a market research firm based in Menlo Park, California, with fewer than 500 employees nationwide. The SIIA accused KNI of copyright infringement arising out of KNI’s internal distribution to its employees of written content authored by SIIA members, such as the Associated Press, Reed Elsevier, and United Press International, without securing licenses to copy the content. The SIIA learned about the content distribution through a confidential tip from an informant who later received a $6,000 reward from the SIIA. In order to resolve the matter, KNI eventually agreed to pay the SIIA $300,000 and to send its employees to an SIIA-approved “Certified Content Rights Manager” course.

This chain of events – anonymous tip, followed by allegations, negotiation, and, eventually, settlement for money damages – is very similar to what typically occurs in software audit cases initiated by the SIIA, the Business Software Alliance, and some software publishers. What is perhaps more troubling about the SIIA’s new focus on “corporate content” is how small-to-medium businesses, many of whom are completely unaware that any of their actions might constitute copyright infringement, nevertheless could find themselves the targets of SIIA-initiated “content audits.” These companies may be subject to substantial settlements, and become the subject of a widely disseminated press release regarding corporate “piracy.” It appears that a company could targeted if an employee copied and pasted copyrighted text and then hit the “Send” button on an internal e-mail.

It is certainly important to develop and maintain awareness of the content that your employees are distributing internally within your organization. However, if your business has been accused of corporate content “piracy” by any industry association like the SIIA, it is equally important that you consult with an attorney who can provide some insight into the legal arguments and strategies typically employed in similar matters.