The Dreaded Software Audit – did you keep that receipt?
Isn’t it ironic? In the high tech software world, your liability some times come down to whether or not you saved the receipt or the box top. The crackdown on sharing music files has gotten all of the media attention as the recording industry is pursuing massive judgments against college kids and moms. A large $675,000 verdict was recently reduced to $67,500.
The software industry is flying a little lower under the radar, but small to medium-sized businesses are largely in their sights. I obviously don’t support blatant software copying or knowingly buying unauthorized software on the dark side of online auctions (see story here which should be a cautionary tale about buying software online at prices too good to be true). The software industry’s tactics, however, make it burdensome to defend yourself as if you are presumed guilty instead of the other way around.
HOW IT WORKS
Industry groups like the Software & Information Industry Association (SIIA) or the Business Software Alliance (BSA) promise anyone and everyone possible rewards and anonymity for tips on companies who have unauthorized copies of software. So that disgruntled IT guy you recently let go, even though he may have been the one to download or copy a program beyond the number of licenses you are authorized to have, squeals to the industry group to start the process.
The industry group then sends an intimidating letter to the company threatening to file a copyright infringement suit. This gives you two options: cooperate with the industry group or ignore them.
Cooperating means pay for an expensive software audit that reveals when and how many times all of the programs on your computers and your servers were installed. If you ignore them, you likely end up in a federal copyright lawsuit and will have to go through an audit as part of discovery.
I have had a lot of clients take a principled stand challenging someone to come after them. Then, they get the first bill. Being principled is expensive, risky and oftentimes there is something on your system you had no idea was there.
Usually, the cooperation route makes more sense. That means you agree to a process to audit your software, keep it confidential, and give up the goods. The trade group then sends you a demand letter based on the results.
That is just the beginning. The demand includes recovery of the price of the software, statutory penalties and attorneys’ fees. It often includes inflated prices because industry groups unbundle the programs in the demand. By way of example, many companies will by a suite or bundle of programs that gives them 10 software products for $5,000 or $500 per program. If you were to buy those same ten products independently, it would cost you $10,000 or $1,000 per program. If you have an unauthorized copy of the suite on someone’s laptop or computer, then the demand starts at $10,000 and not $5,000. Industry groups will also challenge some of the documentation provided as proof of validity.
After a haggling process and supplementation of paperwork, the company usually has to pay for the price of the licenses and a little something extra for the industry group’s time to avoid litigation, but at a fraction of the original demand. Trust me, it is a pain.
SO WHAT CAN YOU DO?
First, risk avoidance. It sounds simple, but keep the paperwork and audit yourself on occasion. Take steps that prevent employees from downloading programs on your computers or systems without administrative authorization. We do that. It’s annoying when I try to download a media player (to watch what must be a vital video essential to the law firm’s mission) only to be told I don’t have authority to do it. If you are not up to that level technologically, at least educate your employees on the risks and have a policy in place that prohibits the employees from using or downloading unauthorized programs.
Second, risk shifting. If you outsource your IT functions, then make sure your consultant is responsible for maintaining the records and will indemnify, defend and hold you harmless (a fancy way of making them pay for the defense of an audit and related fines). This assumes the consultants will be able to afford the costs of an audit, defending the claim and then paying the fines which can easily add up to six figures.
The last option, the good old days. Scrap the computers and go back to old paper files. Then, you just need to make sure Dunder Mifflin doesn’t come after you.
If you get an industry letter, you should take it seriously and don’t use “What would Michael Scott do?” as your inspiration.