Responding to Software Audits by the BSA, SIIA and Other Technology Vendors: Legal Tips and Strategy
Have you ever received a letter that began something like this?
This law firm has been retained by the BSA / The Software Alliance in connection with its investigation of possible instances of illegal duplication of certain software companies’ proprietary software products….We recently have been advised that [your company] has installed on its computers more copies of [specific software programs] than it is licensed to use.
Although it may read like a bad joke or a scam, in-fact it is a frequent practice by software vendors or their agents such as the BSA or SIIA (Software and Information Industry Association) to demand that you perform an “audit” of the software used at your business, report the results, and pay-up if there is any alleged deficiency in your licensing records.
For over a decade I have represented scores of corporate clients from all over the country in software audits and license disputes. And over these years I have seen audited companies ask many of the same questions and make many of the same mistakes. This article addresses the most common issues experienced in responding to software audits.
This article is adapted from materials I presented before the Minnesota Bar Association is “Computer and Technology Law Institute.”
What is a Software Audit?
By the phrase “software audit,” I mean any inquiry by a software vendor (or their attorney or agent such as the BSA) to a third-party user of the vendor’s proprietary software, usually an acknowledged customer, regarding use of the software. The software audit request will usually call for an inquiry into the type of use, scope of use, volume of use, and copying of such software.
Occasionally, the software vendor or its agent will make a demand to perform the audit itself on-site at the software user’s facilities, although this is quite rare and is usually associated with extreme situations such as suspected reverse-engineering of software by a competitor. Far more common is a request for a “self-audit,” a process by which the software user performs its own investigation, and then reports back to the software vendor. The software vendor usually insists that the self-audit report is signed or affirmed by an officer or executive of the software user.
Do I Need To Cooperate with the Software Audit?
Short Answer: Almost always Yes, at least to a certain extent, because you probably already agreed to cooperate in the software license.
If you acknowledge that you are running any copies of the software vendor’s software, you have probably already agreed to cooperate with an audit when you agreed to the license terms. This agreement may have been in a traditional, hand-signed agreement, but more-often is through a click-wrap or browse-wrap (when license terms are included with a CD Rom) agreement.
Below is a typical audit clause. This example is from Autodesk, maker of the popular AutoCAD software:
Even in the absence of a software license with an audit clause, if you decline to cooperate, you run the risk that the software vendor will proceed directly to litigation and abandon efforts to resolve the matter informally.
Practice Tip: Ignoring the audit request or entirely refusing to cooperate risks escalation to litigation. In my own experience, if a software user responds and remains in communication with the software vendor, the risk of litigation drops dramatically.
Practice Tip: Asking the software vendor to substantiate their audit authority can provide useful information. In most cases I see nothing wrong with asking the software vendor or their agent to provide a copy of any alleged license in question, including any audit clause. This can give insight into what the software vendor knows or believes, and it can give you further justification for a level of cooperation.
Why Did I Get Audited? What Triggers a Software Audit?
Unless the software vendor tells you, you may never truly know what triggers the audit. The most common reasons are:
- A “tip” or report to the software vendor or its agent such as the BSA or SIIA from a purported current or former employee.
- A report from a software reseller or other IT service provider to the software vendor. E.g., “Client X still seems to have 300 employees, but hasn’t purchased any software updates for your product in 5 years.”
- A report from the software itself. Some software has an embedded beacon or other type of technology that “reports back” through the Internet to the software vendor that such software is in use. If the software has indicia of being an illegitimate copy, such as a product ID that has been re-used multiple times, or if the software vendor has no record of any license grants to the apparent software user, the software vendor may follow-up with an audit request.
A BSA advertisement encouraging employees to report suspected software abuse.
How Should I Proceed? How Should I Respond?
Because software vendors and software audits vary so widely as to both approach (friendly vs. hostile) and as to purpose (encourage software sales at standard rates vs. push for maximum damages) there is no single right course. But here are some items to consider:
Gather / Google Information About the Software Vendor.
Are they known for this type of audit? Are they known for being aggressive? What is the software vendor trying to achieve?
Get a Confidentiality Agreement in Place with the Software Vendor / Auditor.
Also, I recommend that you label all communications with the other party or its agents as provided pursuant to Federal Rule of Evidence 408: Offers of Compromise and Negotiation.
The audit target (your company) will in almost all cases have a legal obligation to preserve relevant evidence at this point. This is true regardless of whether the evidence or documents helps you or hurts you.
Focus on the Precise Scope of the Audit.
Be certain you are clear as to which specific entity and/or location is involved. Also be clear as to which specific software programs are at issue. Don’t make your problem worse by over-disclosing. Similarly, if the software vendor has a “tip” that a single item of software is over-installed, push back if the software vendor / auditor requests a self-audit of all software.
Consider How Much to Cooperate; Tailored Cooperation. Push Back on Overbroad Audits.
Some software vendors, in their request for a software audit, ask overbroad questions. While I tend to counsel in favor of limited cooperation, I also believe it is reasonable to push back on overbroad requests. For example, if the software vendor has a “tip” that a single item of software is over-installed, push back if the software vendor / auditor requests a self-audit of all software programs.
Ask the Software Vendor What They Know and for Their Help. Ask for Details of the Tip.
Before the software vendor sends you off on your own self-audit, they should make some effort to provide you with evidence of purchases already known to them. Also, in my opinion, it is always appropriate to ask why the software vendor is asking for the software audit. If they reference a “tip” from a third party, I recommend asking for details regarding the specific allegation as well as the identity of the tipster. (Although, at least in the case of the BSA, they will not disclose the identity of the tipster unless required to do so in formal litigation discovery.)
Ask the Software Vendor for Proof of Copyright Ownership and Registration.
If copyright in the specific software at issue has not been registered, damages drop dramatically.
Take the Time to Get it Right.
Don’t rush to respond. Ask the software vendor for time extensions as needed to gather applicable information.
Conduct any Self-Audit Under the Direction of Legal Counsel.
If you decide to conduct a self-audit, it will presumably be performed by a member of the software user’s IT staff. I recommend that legal counsel is copied on communications, and that the self-audit is conducted at the instruction of legal counsel. This will enhance claims that early findings, drafts and communications are protected from discovery or other use as attorney work-product and/or attorney-client communications.
Capture Subtlety in the Self-Audit.
Not all software installations are created equal, particularly for the purposes of a software audit or potential litigation.
For example, if Computer A, used by Employee A has installed on it one copy of Microsoft Office 2013, but also has one copy of Office 2010 still on it that is inactive and not used, that is significantly different than if those items of software were on two different computers and actively used by two different employees.
Think Creatively for All Relevant Evidence of Software Purchases.
When documenting your software purchases, receipts are great. But do not limit your search to receipts, regardless of what the software vendor may instruct. In negotiations, I take the position that the parties must consider all “relevant” evidence that would be admissible under Federal Rule of Evidence 401:
“Evidence is relevant if: (a) it has a tendency to make a facto more or less probable than it would be without evidence; and (b) the fact is of consequence in determining the action.”
Examples of relevant evidence may include:
- Credit card receipts.
- CD Roms or software boxes / jewel cases.
- “Certificate of Authenticity” sticker on computers.
- “Product key” labels or codes.
- Affidavits or statements of those involved as to recollections of past purchases.
- Bills of sale for hardware or equipment.
- Documentation from prior M&A activity.
Search the website of the software vendor for topics such as “legitimate”, “pirate”, or “how to tell” for additional ideas.
Reach Out to Others Who may Help You.
Here are some examples of others who may provide useful documentation or other evidence or information:
- Computer equipment sellers you have used, such as Apple or Dell.
- Your software reseller.
- IT consultants or others, if they have knowledge of good practices or past purchases by your organization.
Adopt a Computer Use / Technology Policy.
If you don’t have such a policy already, adopt a Computer Use / Technology Policy. This should contain terms such as: “Individual employees must not download software on their own.”
Implement a Software Asset Management Program.
More detail on this will follow in a subsequent article.
Remember, this is a Negotiation, and your Goal is to Persuade.
If the software vendor or auditor believes that you are stonewalling and hiding a bunch of skeletons, they are more likely to demand top-dollar to settle.
Should I Settle? For How Much?
Factors that guide my advice to clients include:
- How much does the software cost? Consider retail and fair market value for older software.
- How good is the evidence of proof of purchase?
- How substantial is the “shortfall” between volume of software actually used, vs. documented (consider all documentation) purchases?
- Has the software vendor provided any persuasive evidence? For example, have they presented an affidavit from a former employee with credible details regarding improper software use?
- Is there evidence of good-faith?
- Is there evidence of bad-faith / fraud? “Willful” infringement?
- Does the client want to make this go away quickly? For example, is there a sale-of-the company event?
Section 504 of the Copyright Act describes the available remedies for copyright infringement. These include:
- Actual damages and profits.
- Statutory damages, per work “in a sum of not less than $750 or more than $30,000, as the court considers just.”
- If the plaintiff sustains the burden to prove “the infringement was committed willfully,” up to $150,000 per work.
- If the defendant sustains the burden to prove inadvertent infringement, the award may be reduced to $200 per work.
What Shouldn’t I Do When I Receive A Software or Technology Audit?
While the software audit may be unwelcome, it is ultimately a manageable issue. Lying is unethical, illegal, and may raise issues of criminal liability. As demonstrated by the Watergate scandal and so many others like it, the cover-up, not the underlying issue, becomes the major problem and liability. And the cover-up is a cloud that will not go away.
Don’t Destroy Evidence, Un-Install Software, or Dispose of Computers.
Same as above. See also duty to preserve evidence.
Don’t Spend too Much Time Trying to Discredit a Suspected Tipster.
While the person you believe to be the tipster might be a jerk or worse, that is unlikely to persuade the software vendor or auditor that this specific allegation by the tipster is false. In fact, some of the “best” and most accurate tips may come from unethical and unsavory current or former employees or vendors. Also, if you are not careful, you may boot-strap your way into a defamation or whistleblower / retaliation claim.
However, the identity and role of the tipster may be more important and relevant if the tipster participated in the improper installation or use of software, or if there are dramatic outside facts (for example: the tipster is an ex-spouse or a business competitor).
I hope the above information is useful in developing your response and strategy to a software audit request. If your business would like legal assistance in responding to a software audit, please contact me at firstname.lastname@example.org or 612.492.7113.