Imagine you head a small company, with just a few dozen employees and computers. One day you receive a letter from a software industry trade group, such as the Business Software Alliance (BSA) or the Software & Information Industry Association (SIIA), informing you that it knows your company has unlicensed--or illegal--software within the network. They tell you to audit your whole system for improperly licensed software and hand over detailed results.
The allegations turn out to be true, albeit unintentional, and you have to pay the software group anywhere from thousands to millions of dollars.
This is no unusual scenario. The BSA says it initiated almost 15,900 enforcement actions globally in 2008 for unlicensed software, and it claims a fifth of all software in the U.S. is pirated. It's not a pretty picture for companies forced to undergo audits.
"It was a horrible process," says an executive at one small company that settled with the SIIA for six figures. "I fear these people."
The executive, who asked for anonymity, says the majority of the improperly licensed programs were accidentally made copies buried within servers and back-up drives.
"[The settlement] just about killed me," he says. The company settled for an undisclosed amount and spent tens of thousands on legal help.
When a software trade association or an individual software vendor discovers a company has unlicensed software, it can sue for copyright infringement or violation of the licensing contract, says Robert Weiss, a partner at Neal, Gerber & Eisenberg. Copyright infringement can accrue up to $150,000 in statutory damages per program infringed. So if a company has five licensed copies and 10 total copies (a low number in audit cases) of a program such as Photoshop, it could owe up to $750,000.
However, software audit disputes rarely make it to court because infringing companies have little chance of winning. Instead, the parties normally settle. Scott & Scott Managing Partner Robert Scott says negotiations tend to start at three times each individual program's full, unbundled price.
To uncover infringers, the BSA runs extensive radio and Web advertisements encouraging people to anonymously report their employers or former employers. The group, which lists software vendors such as Adobe, Apple, Cisco, Dell and Microsoft as members, has drawn criticism for depending on disgruntled or laid-off employees to act as informants. Experts often note the plethora of bitter ex-employees in a recession. Scott says most companies never find out who reported them.
Jenny Blank, the BSA's senior director of legal affairs, rejects the criticism, saying her organization gives people the opportunity to do the right thing.
"Sure, the people who call us are frequently disgruntled," she says. "But you have to distinguish between being disgruntled and telling the truth. The disgruntlement is the motivation to pick up the phone, but it's because they have the tale to tell us."
The organization advertises rewards of up to $1 million, but it takes a settlement of $15 million to reap that much. More often, informants' rewards lie closer to $12,000.
"It's still pretty good money, if you ask me," Blank says.
Despite the steep settlements, corporations rarely steal software intentionally.
"It can be very difficult to control how your software is being used within the four corners of the organization," Weiss says.
A variety of situations, which in-house counsel must work to prevent, can lead to unlicensed programs spreading throughout a company. For example, two businesses merge, and copies from the two formerly separate entities might get crossed among the new unified organization.
"Or one branch of a company buys a program," Weiss says, giving another scenario. "Somebody in another division knows that the first division has that product and says, 'Can we have a copy?' Somebody within the division who purchased the software gives a copy to somebody in that other division, but it wasn't authorized for use there."
Less commonly, a company might find a "too good to be true" Web site that sells software for strangely low prices. Such a vendor might claim to be an authorized reseller, but the software is actually pirated. This is a more easily preventable trap.
"It's exercising some due diligence and common sense on the front end--not just going, 'Wow! I can get this at one-tenth of the price everyone else is getting,'" says Kathy Ossian, information technology law leader at Miller Canfield.
Additionally, Scott says IT employees circumvent software access control technologies--in violation of the Digital Millennium Copyright Act--more often than counsel would expect. Sometimes they use cracked codes or multiple registration keys for company programs.
"You'd be shocked at what you find when you're not looking," he says.
When push comes to shove, the only way to prove software is properly licensed is with the original receipt. Scott says credit card statements, authenticity certificates and license agreements will not cut it.
To stay compliant, Ossian says legal departments need to keep track of how their companies manage software. Even though it's time-consuming and expensive, in-house attorneys should ask the IT department lots of questions before the software groups ever come knocking.
"Can anybody install software or does it have to be done by the information services department? [Ask] those kinds of questions, almost like a self-audit," Ossian says. "If the answers are, 'I don't know,' or, 'Sort of,' then you probably have an issue."
If someone does report your company, the legal team should be the company's liaison with the software people from the moment you receive that audit letter. Weiss warns not to let IT personnel respond directly to the vendors.
"Often they try to be helpful, and they go too far," he adds. "They'll disclose things beyond what the software vendor is asking you to reveal."
Finally, from the BSA's perspective, Blank recommends avoiding knee-jerk reactions to the audit letter. Running out and buying a whole bunch of new software, she points out, won't eliminate the problem.
"Or, God forbid--don't delete all your software, because that would be spoliation of evidence," she says.