Software Audits and Harm Reduction

  • October 10, 2017
  • Elisabeth Symons

Having to demonstrate that the software being used by your organisation is properly licensed is, at best, a time-consuming distraction.   In every instance, employee and management effort is required to respond, and in instances when the organisation's records are not in good shape or do not line up with what is installed, there are going to be costs above and beyond employee and management time.  For in-house counsel, thinking ahead and focusing on the prevention of licensing missteps can reduce the costs and disruption of software audits.

Think ahead

The audit provisions in a license agreement are not always marked with a convenient heading that sets out the word “AUDIT” in all caps.  Still, they are easy enough to spot.  They use words like “audit”, “review”, “report” and “inventory”, and they either require the licensee to provide information about the licensee’s use of the software to the licensor or allow the licensor to access the licensee’s records, and in some cases the licensee’s systems, to obtain information about the licensee’s use of the software.

Paying attention to the audit provisions during the negotiation of a license agreement is the first step towards surviving a software audit. Assuming deletion is not an option, then there are three aspects of audit provisions to address during the negotiation: (i) the scope of the audit, i.e. what will be provided or may be accessed; (ii) the framework for the audit, including any rights and restrictions relating to the conduct of audits (for example, who may conduct it and confidentiality requirements) and related procedural matters (such as schedules, notice requirements and timing); and (iii) the steps to be taken to address the issue if an audit reveals that insufficient or too many licenses have been purchased. A narrow scope minimizes disruption. By providing an agreed path to move forward (one that does not involve threats of lawsuits, inflated estimates of damages or allegations of over-charging), a provision in a licensing agreement that sets out the steps to be taken if a software audit reveals insufficient or too many licenses can benefit both licensee and licensor. Preferences for audit frameworks vary more from organisation to organisation. An organisation might prefer to self-report its usage quarterly and restrict the licensor’s right to audit to circumstances when the licensor has reasonable grounds to believe that the reports are inaccurate. Another organisation might have security needs that preclude allowing the licensor to access systems.

Focus on prevention

As an approach, “Just say no to unlicensed software” is overly simplistic. Categorically, the goal of no unlicensed software on any computing device is worth pursuing, but a single-faceted approach based on nothing more than a one-sentence prohibition is likely to fail, particularly in larger organisations. Still, an organisation that fosters a culture that values intellectual property through its policies and practices and does not support the use of unlicensed software will have fewer software licensing missteps. Having a good software asset management program will also help to reduce the impact of any software audit.

A good software asset management program should be multi-faceted and include the following elements.

  • A person responsible for the program – Typically, this will be someone from an organisation’s information technology or procurement personnel who may call upon the organisation's legal counsel for support.

  • Control over the acquisition and installation of software – If any employee can download software by supplying a credit card number and clicking "I agree", the organisation will have an incomplete knowledge of what is on its systems and the license terms that apply. Having and enforcing clear policies on which employees may purchase or install software and combining the policies with technical controls that prevent or flag instances of unauthorized installations will reduce this risk, and help to rebut allegations of intentional wrong-doing in an audit.

  • Complete records relating to software purchases, installations and de-installations – Having a record of software installations and de-installations is key to proving that your organisation has sufficient licenses. For a small organisation with only a few devices, the record might be a simple spreadsheet. For a larger, more complex organisation, a software asset management system may be necessary. Proving the existence of licenses depends on the ability to provide documentation for the licenses. Purchase orders, invoices, receipts and license agreements are the most useful types of documentation. Having this documentation for older licenses may also be helpful in an audit, especially if the older license entitles the organisation to upgrade to newer versions of the software.

  • A monitoring program – An organisation's computing devices should be monitored for software that was neither purchased nor installed by an authorized individual. Routine scans should be part of the monitoring program. There are several scanning tools available. Some are stand-alone and some are part of software asset management systems. They are used to identify every program installed on the computing devices scanned. Scans should also be run immediately following the departure or termination of any IT employee who supervised or was responsible for the installation or de-installation of software. Hands-on checks should also be part of the monitoring program. For example, IT staff should check for and delete unauthorized software as a matter of course every time that they work on one of the organisation's devices. Also, IT staff should de-install all software from devices that are being replaced and removed from active use.

  • Educate employees about intellectual property, licensing and the organisation's policies and practices that require and support the use of licensed software.

Software audits cannot be prevented and not all software audits are equal

An organisation could be perfect in its use of licensed software and still be the subject of a software audit. Sometimes the selection is random: the organisation is one of a certain percentage of the licensed users picked by the licensor for audit. The audit may be part of a crackdown on the use of unlicensed software in an industry. A disgruntled former employee may decide to phone the tip line of an industry association and file a plausible but false report of infringement.

For the most part, software audits that are requested or conducted by licensors are different than those conducted on behalf of licensors by industry associations like the Business Software Alliance. Most licensors tend to be more pragmatic when conducting software audits.

Licensor-conducted Software Audits

An organisation that has negotiated audits at set intervals can schedule the resources needed to collect the relevant records and make them available to the licensor at the time of the audit.  It is also possible for the organisation to: (i) review the relevant records in advance of the audit; (ii) self-report any issues; and (iii) initiate the sequence of steps set out in the relevant license agreement for what happens if unlicensed copies are identified. 

If an audit request from a licensor comes as a surprise, the situation is not as simple.  The initial steps are:  

  • acknowledge receipt of the letter from the licensor;

  • involve the individuals responsible for software asset management as well as legal counsel;

  • review the relevant license agreement(s), especially the audit provisions;

  • preserve a complete picture of the software installed on your systems, especially if the request includes an allegation of copyright infringement;

  • determine the number of installed copies of the software identified in the audit request and number of licenses held;

  • develop a legal strategy for responding to the audit request; and

  • respond to the letter.

The initial steps need to happen quickly, and it may be necessary to respond before the number of affected works and unlicensed copies is known.  The period between receipt of notice of an audit and the audit set out in many license agreements is often quite short, a few days.  Given that a licensor may choose to treat a failure to respond or allow the audit within that period as a breach of the license agreement, responding within the period set out in the license agreement is a good idea. 

Assuming the audit proceeds, what happens next depends on the results of the audit.  If no unlicensed copies are identified, that is the end unless that outcome entitles the licensee to reimbursement of its audit expenses.  If very few unlicensed copies are identified and very few works are involved, the ensuing negotiation tends to focus on de-installation or the payment of license fees.  If more licensing issues are identified, the negotiation over what happens next may also focus on penalties.

Industry Association-conducted Software Audits

An industry association like the Business Software Alliance acting on behalf of a licensor or licensors also sends out audit requests by letter, and the initial steps are the same as when a licensor requests an audit. 

Also, industry associations tend to escalate their allegations and demands for damages when they believe that they are being ignored, so the acknowledgement of the initial letter needs to be fast and the response to the initial letter needs to happen quickly too. 

After the initial response, there is a negotiation, and if the negotiation fails, litigation.  Some aspects of the negotiation are predictable.  The industry association will: (i) assert any claims that it is making zealously; (ii) push aggressively for the release of information relating to works for which there are unlicensed copies and the number of unlicensed copies of each work; and (iii) express a view of the damages to be awarded if those claims are proven that is unduly optimistic given the current case law.  An organisation's response will depend on its legal strategy.  Counsel with experience in these matters can be useful in shaping that strategy. Knowledge of the awards that are typically made when similar cases are litigated is useful: the range for statutory damages runs from $500 per work to $20,000 per work.

Harm Reduction

A good counsel can help an organisation to achieve a fair outcome when facing a software audit, but a better result (one that more effectively limits financial and reputational harm) can be achieved by thinking ahead when negotiating licensing agreements, fostering a culture that values intellectual property and focusing on the prevention of licensing missteps.   

 

About the author

Elisabeth Symons, Mann Symons LLP
