Ten Things: Software Audits – Scary Stuff!

It’s a nice, cool late October morning, the time of year when the shadows grow darker and longer and “spooky” stuff lurks around every corner.  You’re at your desk sipping some coffee and checking emails when a new one comes in from Sarah, the CIO, marked “Urgent.”  She says that she received a letter from some outfit called the Business Software Alliance asking the company to conduct an audit of its use of “Company X” software and threatening legal action and potential damages if the company fails to cooperate.  She attached a copy, so you open it up and read through it for yourself.  Your first thought is WFT? and that this is some kind of scam and you should just toss the letter in the trash and move on.  That would be a mistake.  A very big mistake. Like a going down into the basement alone in the dark to check out odd noises and scratching sounds type of mistake.

Congratulations, you just received your first software audit letter and if you’re like most in-house lawyers what’s ahead for you and the company is going to come as a big, painful surprise.  Much like that opening scene in Night of the Living Dead when someone says “They’re coming to get you, Barbra…”  Yes, indeed, they are.  The software companies that is, not a ghoulish horde of brain-eating zombies (though you may prefer that to the audit).  The good news is that you will likely only see a handful of these letters over the course of your career at any one company.  The bad news is whatever you had planned for the next few days is now on hold as you will need to immediately start to work on how to respond to the letter and preparing for the audit.  I have dealt with a few software audit letters over the course of my in-house career and there are some tried and true things you should do when faced with one.  This edition of “Ten Things” lays out some of the lessons I have learned regarding software audits:

1.   What is a software audit?  Whenever a company purchases software it comes with a license agreement.  This agreement may be a paper contract or it may be a set of online terms and conditions.  Regardless of the form, it sets out many things including, for purposes of this article, things like how many employees can use the software, the price per user, and prohibitions against numerous activities such as downloading for home use.  It almost certainly includes a provision providing for the licensor’s ability to “audit” your company’s compliance with the terms of the license, in particular around how many copies of the software are in use on the company’s systems.  Additionally, it likely includes language stating that the company will pay for any “excess use” of the software.  This last part is key and presents one of the biggest risks to companies licensing and using software.  While an audit may reveal the company is under-utilizing its licenses, more often than not the result is that the company is using more than the allotted number and it has not been paying for that use.

2.  How it starts.  As you may have guessed, a software audit typically starts with a letter sent to the company by one of two organizations, the Business Software Alliance or the Software Industry Information Association.  These are trade groups formed by the licensors of software and one of their functions is to conduct audits on behalf of their members.  Keep in mind that while BSA and SIIA are not law enforcement, nor do you likely have a contract with either, they are agents of the software licensors and your license almost certainly provides for such agents to conduct audits on behalf of the licensor.  In other words, you’re stuck.  Typically, the letter will note which software licensor(s) they represent, e.g., Microsoft or Oracle, and “requests” that you conduct the audit yourself and send the results to counsel for BSA/SIIA.  Why your company was selected can hinge on many things.  Most likely someone reported excess/improper usage to either the BSA or SIIA (they both have bounty programs on their websites encouraging snitches with cash rewards), the licensor had some reason to suspect your company’s non-compliance with the license terms, or the licensor is just auditing everyone as a way of ensuring compliance and, more importantly, generating some additional revenue.  As for the latter, the bad news is that software audits have become substantial revenue streams for both the licensor and either the BSA or SIIA, as they (and their lawyers) get a portion of any monies collected via the audits.  Because there is money on the line (lots of money), these guys do not mess around – like zombies trying madly to bust through the window in your living room.

3.  Don’t ignore the letter.  In case it wasn’t clear already, do not ignore a software audit letter from BSA or SIIA.  You do so at the peril of the company.  Believe or not, the level of cooperation the company exhibits during the audit can favorably impact the final resolution.  So, ignoring the letter is a big red checkmark in the “uncooperative” column.  Second, ignoring the letter will likely lead to a lawsuit.  And, if you’re like most in-house lawyers, you need a lawsuit like you need a hole in your head.

4.  Retain experienced legal counsel.  While it is possible you or someone in the legal department has a lot of experience dealing with software audits, the odds are good that you don’t.  If so, I highly recommend that you immediately engage outside counsel who specialize in this area of the law.  Yes, it has a cost, but you will very happy that you did so and you will likely save your company far more money than the outside counsel cost. Here are just a few reasons why experienced counsel should be your first call:

  • They can run the audit, meaning the reports and documentation generated by the company will be covered by the attorney-client – or work product – privileges.  If the business starts to generate audit documents and reports on their own, those documents are not privileged and you can see the risk of having non-privileged documents floating around during a software audit.  More bluntly, anything you say or write during a software audit can and will be used against you (unless it’s privileged).
  • They will negotiate with the BSA/SIIA to ensure any materials handed over to them are covered by Federal Rule of Evidence 408 and produced for purposes of settlement and, therefore, cannot be used in litigation should that arise.
  • They will negotiate the scope of the audit, i.e., work to minimize the work required to conduct the audit and limit it to the fewest number of computers and users, etc.
  • They will draft the final agreement including negotiating the costs and fines associated with any excess usage, confidentiality, new license terms, future obligations, and the release of liability.

A quick internet search will likely help you find experienced counsel.  You can also ask around for recommendations, especially from other in-house lawyers.  I will put in a plug for Scott & Scott, the firm I have used in the past and who are truly experts in software audits.[1]

5.  Don’t buy/delete software!  The CTO or CFO may be thinking, “let’s start deleting any excess usage” or “let’s buy software so our licenses match the usage.”  Bad ideas.  First, the audit will cover the period up to the date of the letter (the audit “effective date”).  So, receipts for purchases after that date don’t count.  Likewise, basic forensics will reveal if software was uninstalled or deleted and doing so almost proves that that software was improperly installed/used in excess of the (or without a) license, i.e., in lawyer-speak “it looks terrible!”  The smarter play is to just deal with the world “as is.”

6.  “You got a receipt for that?”   Your best friend during a software audit is a receipt or other proof that you have purchased the right amount of licenses for all the software you are using.  Or, put another way, the BSA/SIIA will consider the lack of receipts as proof of excess or pirated use of the software.  If you do not have receipts from an authorized reseller of the software or a document from the licensor directly, receipts are the best way to prove proper use.  Just note that, in the software audit context, things like purchase orders, end-user licensing agreements (“EULAs”), certificates of authenticity, etc. do not count as valid proof of a license.  They may well work in court, but your goal is to avoid going to court if possible.  So, get and keep the receipts!

7.  Cooperate – within reason.  As mentioned above, the resolution of a software audit will include some credit/or penalty for the level of cooperation exhibited by the target.  This doesn’t mean you need to capitulate to every demand of the BSA/SIIA, but you also should not be belligerent and tell them to go do something to themselves and the horse they rode in on.  There is a happy medium, though you want to be careful as the goal of the audit is to get money.  These are not your friends, no matter how nice and pleasant they may seem at the beginning of the process.  This is where experienced counsel can really help, i.e., around the parameters of how best to cooperate.  One of the first places to look is your contract.  At a minimum, you should not do more than is required by the terms of the audit clause in the license.  If you had the opportunity to negotiate the license then, hopefully, you or your lawyers were able to get language placing reasonable limits as to time, place, number of audits, cost-shifting, etc. If so (or even if not), your audit counsel is going to look for ways to do just that, including paring back even further than what’s provided for in the contract’s audit clause.

8.  What is this going to cost the company?  It is highly unlikely you will come out of a software audit squeaky clean with no liability.  That’s just not how it normally goes given all the ways (and the ease with which) software can find its way onto your systems.  There are typically the following costs to consider: a) the cost of additional licenses for the excess software (and assume you will be charged the off-the-shelf price of a single copy of the software, along with back-dated support and maintenance charges if part of the license); b) fines payable to the BSA/SIIA – usually triple the cost of the additional licenses (yes, these are not part of the contract but it’s this or litigation so pick your poison); c) attorneys’ fees to the BSA/SIIA (sometimes a standard flat rate of between $3,000 and $4,000 USD, sometimes a different number); d) the cost of your own counsel; and e) the cost in time, disruption, and distraction for all of the company resources (people and money) diverted to dealing with the audit which, from start to finish, can take anywhere from eight to 24 months on average.  Fortunately, the BSA/SIIA are almost always willing to negotiate the final number (as they know that if the number is too high, the target may well take its chances in court which they want to avoid almost as much as the target does).  Robert Scott writes that the “final” number depends on a few key things:

  • The amount of time the matter had been pending.
  • The overall percentage of “non-compliance” by the company.
  • The willfulness of any violations.
  • The level of cooperation exhibited by the target.
  • The financial circumstances of the target.[2]

So, while the initial number can be frightening, the final number is likely to be something much less so depending on the circumstances and the skill of your negotiator – which is why prior experience is very valuable here.

9.  Common mistakes.  In addition to the problems noted in the above paragraphs, there are a number of common mistakes that in-house counsel should watch out for and try to remediate wherever possible:

  • Focusing only on the money part of an audit settlement.  While the “cost” is important, the proposed settlement will include language and commitments around future audits and will seek to place additional burdens on the company regarding the purchasing and use of software.  Ignoring these elements of the settlement can lead to some big operational impacts down the road and some very unhappy executives.
  • Not keeping the C-Suite informed about the audit.  A software audit is a big deal and can lead to significant costs for the company.  In-house counsel should ensure the senior management of the company is aware of the audit from the get-go as well as the potential exposure so they do not fall out of their chairs and thrash about several months down the road when you tell them what the BSA/SIIA is demanding.
  • Using software provided by BSA/SIIA to conduct your self-audit.  It’s designed to go beyond whatever parameters you may have negotiated regarding the limits of the audit, i.e., it’s a big camel trying to get its nose under your tent to see if there might be some other problems they can cash in on.
  • Not engaging your sales rep or software vendor to help when faced with an audit.  While the BSA/SIIA may be unsympathetic, you can bet that the licensor’s sales team (or your software vendor) will see things differently.  It is in their interest to sell you more software and maintain good relations.  Reaching out to them to help get the audit resolved in a manner favorable to the company can really help.

10.  Create a software asset management program. The best overall defense to a software audit is a comprehensive software asset management program where the company has invested in software and processes that track and document the use of software to ensure compliance with licensing terms.  This is an area where the legal department can show leadership and proactively work to reduce risk.  The first step is to find who in the company is responsible for software management, most likely the CTO or CIO or potentially the procurement team.  Regardless, work with them directly to create a management program.  This will mean identifying software to manage the program and track the use of software, training employees on good software management hygiene, e.g., no downloading software off the internet, no making copies of software to use at home, stop using prior versions of software,[3] and knowing what to do if a software audit letter arrives at the company (give it to the legal department)!  Most importantly, such a program will help ensure you have the necessary receipts or other proof of purchase needed to defend the company when – not if – an audit letter appears on your doorstep.  You can also run your own periodic audits (under the direction of legal counsel) to ensure compliance with your software licenses before the BSA/SIIA comes lurking outside your door.

*****

The above will not make you an expert in software audits.  And just note that software audits occur around the globe – there’s nowhere you can hide.  But, hopefully, you now know what to do if one of those letters finds its way into your hands.  If you want some additional resources, check out the BSA Audit Defense website, Defending Software Audits (YouTube video), the BSA and SIIA website sections dealing with audits, or just search “software audits” online.  It’s worth educating yourself more on this topic.  If you do get an audit letter, don’t panic.  Call experienced counsel right away and then prepare the senior management for what’s coming.  There is no avoiding the pain of such an audit, but there are many things you can do to shut it down faster, limit the scope, or cut a better deal when the process has ended.  Finally, if you hear weird noises down in the basement, don’t go down the stairs.  Send your neighbor.

Sterling Miller

October 22, 2019

Follow me on Twitter @10ThingsLegal and LinkedIn where I post articles and stories of interest to in-house counsel frequently.  

I have three published books: Ten Things You Need to Know as In-House Counsel – Practical Advice and Successful Strategies, The Evolution of Professional Football, and The Slow-Cooker Savant.  Volume 2 of the “Ten Things” book is with the publisher and should be out in a few weeks. I am also available for speaking engagements, coaching, and consulting.

“Ten Things” is not legal advice nor legal opinion and represents my views only.  It is intended to provide practical tips and references to the busy in-house practitioner and other readers.  If you have questions or comments, please contact me at sterling.miller@sbcglobal.net.

Cover

[1] I receive no compensation or consideration for mentioning Scott & Scott.  I just think they are exceptional in this area based on my past experience with them.

[2] See https://bsadefense.com/wp-content/uploads/2017/10/Spotlight-Feature-Software-Disputes.pdf.

[3] Software licenses often do not include the use of prior versions.  Meaning, your company’s continued use of the old version is likely out of compliance with the license.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s