Reprinted from the October 2003 issue of The Bottom Line with the permission of LexisNexis Canada Inc. Originally titled "Illegal Software Can Cause Major Legal Headaches for Firms."
We all know going to the dentist is painful. Likewise, few of us are happy to receive notice that we’ve been selected for a tax audit. Well, here’s another one to add to the list of life’s unpleasant experiences: the software audit.
According to recent reports, software users are making illegal copies of software at an alarming rate. Each time an illegal copy of software is made a copyright infringement occurs. Copyright infringement costs the software industry billions of dollars and can expose the infringer to substantial monetary penalties. Needless to say, the software industry has taken notice. With the increasing use of software audits, it will not be long before software users begin to take notice as well.
To combat illegal copying of software, software companies have created two groups to enforce their intellectual property rights: the Business Software Alliance ("BSA") and the Software and Information Industry Association ("SIIA"). Each of BSA and SIIA represents a large number of software companies and together they have assumed the role of "software police." Their purposes for existing include educating the public on the dangers of using illegal copies of software and aggressively tracking down software users who have not obtained proper licenses for the software on their computers. For BSA and SIIA, battling illegal copying of software is a very high priority.
As in the case of the IRS, the software industry realizes that the threat of an audit can be extremely powerful in providing an incentive for users to comply with their legal obligations. Without the threat of an audit, one can only speculate how much users would or would not comply with their legal obligations when it comes to software. Frankly, copying software is too easy and the temptation to save money by resorting to illegal conduct is irresistible for many.
A software audit will typically begin with a letter from BSA, SIIA or, in rare instances, a software vendor acting on its own behalf. Unlike the case of the tax audit, where no one questions the government’s authority, most people receiving one of these letters cannot believe the party requesting the audit has the right to search the contents of their computers.
BSA, SIIA or the software vendor will request in their letter that you voluntarily permit them to conduct an audit on your computers. The purpose of the audit, they will tell you, will be to identify the number of copies of all software products on your system. At this point, the instinctive reaction is to just say no. Unfortunately, saying no can be extremely short sighted. In my experience, soon after you say no to a software audit, you will be sued. How can that be so?
As it turns out, the reason you were selected for a software audit in the first place is that the requesting party has received information that you are illegally using software. That information can come from a former employee, from a current disgruntled employee or from any other person who has knowledge about your software usage.
The party requesting the audit will probably have enough information that would enable it to begin a lawsuit. Once the lawsuit is commenced, BSA, SIIA or the software vendor would be permitted to conduct discovery, enabling it to substantially undertake the very audit that was initially requested of you. To provide further incentive for you to cooperate, you may also be offered a "deal." Under copyright law, the penalties for using software illegally can be quite substantial, but users who cooperate with an audit may benefit from lower penalties than those otherwise available.
The "victim" of a software audit, as this point, has a right to complain about this process. The problem is not, however, that the party requesting the audit has a right to sue or even hassle people who are illegally using software. Every reasonable person acknowledges the need to protect a software company’s rights in its products. After all, by granting such protection, society provides an incentive for companies to be creative and develop better products. Without reasonable protection, at a minimum, creativity would be stifled. There is nothing wrong with software companies enforcing their rights.
The problem is the amount of evidence of illegal conduct the auditor has in its possession before it targets a user for a software audit. As far as my experience goes, the software industry does not require much evidence at all. And whatever evidence it does have, does not even need to be very credible. For example, it is not unusual for a user to be targeted for an audit based upon a report from a former employee who was terminated for good cause. How reliable do you think that person is? Nonetheless, BSA, SIIA or the software vendor very well may begin its crusade based upon the testimony of just that type of person without any collaboration.
To add to the injustice, you will typically not learn the source of the information or exactly what he or she said. Auditors will go to great lengths to protect their sources. Although the informant may be described as a former employee, for example, rarely will he or she actually be identified for you. As a result, you can face a very expensive and intrusive audit based upon the word of a person who may or may not be truthful. In fairness to BSA and SIIA, they claim that the credibility of an informant is questioned and considered before requesting an audit.
When facing an audit, the first step should be to confirm the authority of the person requesting the audit. You will want to make sure it is authorized to act on behalf of the companies it claims to be representing. Also, as the audit proceeds, you should make sure the auditor only concerns itself with the products of the software companies represented by it.
The beginning of the process, when the auditor is eager to gain your cooperation, is a good opportunity to request an agreement from the auditor confirming any limitations pm the scope of the audit, the penalty to be paid for any illegal software ultimately found and any other points. The agreement should include the auditor’s promise not to reveal to anyone else the results of its audit, just in case information not relevant to the current audit -- but possibly of interest to others -- might be revealed. Since audits can tend to linger, you may also want to consider a deadline for the auditor -- assuming your cooperation -- to conclude the investigation.
The audit itself will be conducted with software usually provided by BSA, SIIA or the software vendor, although you will frequently be offered an opportunity to use another "approved" product selected by you. In most cases, the party requesting the audit will cover the cost of the product it provides, but you will need to pay for the software if you desire to use another one. It probably does not matter which one you use. Since the auditor reserves the right to approve the software used by you, you know that it will not approve software with which it is unfamiliar or that is going to provide you with any type of meaningful benefit. To save a few dollars, you might as well use the one offered for free by the auditor.
As you go through the software audit, remember that the auditing software can, and is likely to, make mistakes or at least make conclusions that are subject to interpretation. It does not speak the gospel. Common errors from auditing software include double counting computers and confusing software products. For example, in one pending audit, the auditor is insisting that my client is using certain software (which it has not purchased) because an executable program that is used by that software is present on its computers. The truth is that, although that executable program is, in fact, on the computers, it is being used by different software published by the same vendor. Despite overwhelming evidence that my client’s position is correct on this point, the auditor absolutely refuses to acquiesce to our point of view.
Once the results are available from the auditing software, the party requesting the audit will ask for documentation to support your acquisition of licenses. You will need to furnish purchase orders, invoices and whatever else is available to convince the auditor that you have acquired the number of licenses corresponding to the number of copies of the software appearing on your computers. Needless to say, this can be a difficult task, involving tracking down documents that, by the time of the audit, could be quite old. Nonetheless, in order to convince the auditor that appropriate licenses have been acquired, it will be necessary to provide all paperwork.
After the documents are provided to the auditor, you wait for your results. The results will be sent to you in the form of a spreadsheet showing all of the illegal copies of software contained on your computers, along with a bill. The bill will typically require that you purchase a license for the illegal software and pay a penalty. As mentioned previously, the penalty will probably be less than you would could be required to pay under applicable law. But, do not kid self, you will not feel like you’ve received a bargain. By the time you’ve gotten to this point, you’ll feel like the auditor has cheated you many times during the process.
When the audit results are agreed upon, an agreement memorializing the settlement will be signed by the parties. You will want to be sure that the agreement includes a release of all liability for software products represented by the auditor that may have been on your computer as of the date the audit software was run. The prospect of facing an audit covering the same software products a second time is not something you will want hanging over your head.
How would you do in an audit? So far, no one I know who has gone through an audit, has managed to escape without writing a check for some amount. Fortunately, the amounts paid are often much less than that initially requested by the auditor. The reason behind all of this check writing is quite simply that, over time, unauthorized software products can "sneak" onto a computer. Whether it be an employee who brings software from home or an extra (illegal) copy of software made in a pinch, these illegal copies seem to accumulate over time.
There are steps you can take to avoid the headaches of an unsuccessful audit. First, it is advisable to keep a log of all software purchased by you as well as copies of all documentation to support those purchases. Good employee policies are also helpful. In those policies, you should restrict employees from loading software from home onto their computers at the office and limit who can copy existing software at the office. By adopting and enforcing these policies, you will put your employees on notice that illegal copying of software will not be tolerated and be able to demonstrate that you acted in good faith if illegal copying is uncovered during an audit. Good-faith conduct will be an important factor when the software police negotiate your settlement.
A software audit will almost always be an unpleasant experience. By implementing a few fairly inexpensive and easy steps, however, you can avoid a larger headache when the software police comes knocking. You will be glad you did.
Gary M. Schober is a partner at Hodgson Russ LLP and leads its Intellectual Property & Technology Law Practice Group, concentrating his practice in electronic commerce and computer and technology law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.