By UpCounsel Technology Attorney Thomas View

You have received a letter from the Business Software Alliance (BSA) or Software Industry Information Association (SIIA). The letter claims that you could owe unnamed software publishers hundreds of thousands of dollars. Chances are good that your first instinct will be to disregard this letter. These days, most unsolicited US Mail is junk. The conditional language (e.g. “you might be liable”) and the generic, official-sounding organizational name feel more like a letter from Publishers Clearing House than anything requiring any serious measure of your time and attention.

In fact, these letters should be treated as a top legal priority. The BSA and SIIA are legitimate trade organizations, and copyright infringement is a serious matter, in some cases a serious crime. Depending on the circumstances, infringement could result in personal liability for officers and directors of your company. Certain violations can activate exclusions in your errors and omissions insurance policies, leaving directors, officers and board members personally liable.

So now that you know that this is serious business, what should you do?

Assume a Defiant Oppositional Stance

The first order of business is to assume a defiant, oppositional stance. This runs contrary to what we were taught as children. We are taught that if we didn’t do anything wrong, we have nothing to fear by being an open book. In the case of a software audit, this is bad advice.

First and foremost, BSA and SIIA are not the police. In the ideal case, police are neutral civil servants enforcing the law in accordance with strong constitutional safeguards. Whatever BSA and SIIA agents are, they do not possess police power. They are agents of the software company that you may or may not have purchased a license from. Their authority over you, even as a matter of contract law, is limited if it exists at all. While you don’t want to overplay your hand on this point, you do want to be mindful of it.

Secondly, this letter is a calculated tactic designed to elicit precisely your compliant, open response; let’s call that stance defensively compliant. Defensive compliance describes the motivation to overly comply with authorities in an effort to prove that we are one of the “good guys.” This posture is rooted in a mild sense of indignation about having one’s integrity called into question. We reason incorrectly: “…the more open and forthcoming I am, the quicker the interrogator will realize that I’m a ‘good guy’ and bring this matter to a close, perhaps with an apology.”

This behavior is sometimes seen when a person who is stopped by police openly volunteers that he or she has been “drinking but… it was only a few beers after work.”

Defensive compliance is rooted in a belief that the system is fair and flawless. Most significantly, defensive compliance is based on an unjustified certainty by the subject of interrogation that he or she is 100% innocent.

In fact, in the case of the drunk driver, he often does not know for certain if it was three or four beers. He probably can’t recall the number of ounces and alcohol content of the beverages consumed. He most likely cannot accurately recall the timeframe of consumption. Even if the driver is certain about his intake, he almost certainly does not know the precise rate at which his body metabolizes alcohol or how his height, weight and other foods in the stomach will change the blood alcohol levels given the same amount of beer. Ergo, he cannot predict whether or not, as a matter of scientific fact, he is above, below or at the blood alcohol limit. Yet, his belief that he is innocent of DUI leads him to make admissions that will make the government’s case easier to prove, thereby decreasing the driver’s negotiating leverage in the event that he’s wrong.

Similarly, the business owner or general counsel (GC) in receipt of such an audit letter may mistakenly believe that his or her company is compliant. Often, this belief is based on a recollection that invoices to a software vendor in question were paid. However, unless the reader of the letter is the person who physically installed these licenses and maintains a regular inventory of licenses, he or she couldn’t possibly know exactly which licenses apply to which machines. He or she could have no way of knowing for sure whether a single license was installed on multiple machines. In an age of virtualization and cloud-based computing, reconciling the license terms and conditions is a technical and legal challenge for even the most sophisticated chief information officer. Therefore, openness with an investigator based on an assumption there are no discrepancies can represent an early and major gaffe.

There is a pretty good probability that there is some discrepancy between the number of licenses and your fees paid. When you freely open your inventory to the investigator, you decrease the amount of work that the investigator must do and virtually increase the scope of his investigation.

Your defensive compliance may have resulted in your company’s admission to using the software in question in a manner that is fully admissible in court. Under Federal Rule of Evidence 801, your statement is admissible in court against you as an admission of a party opponent.

This admission seems like a small thing but it is a major blunder in this high-stakes game of chess. Worse still is that this error may have just opened the door to wider investigation. At this point, the publisher is no longer guessing about whether or not your company is using a given number of software licenses. You have stated this fact in a manner that is fully admissible at trial.

Assume that you later sense your mistake and now start to resist. Say you later challenge BSA and SIIA’s right to audit you. You argue that you did not make an agreement with BSA or SIIA, that there is no privity of contract. They might agree that as a technical matter there is no privity of contract. But your victory will be short-lived.

BSA or SIIA were sent to you on behalf of their member organizations: Microsoft, Apple, Oracle, Dell. Giants in the world of technology. These goliaths got that way by being deadly serious about collecting monies owed. You can safely assume that your case is no exception. Your license agreement is with the publisher, and BSA or SIIA is authorized to conduct the audit as the publisher’s agent pursuant to the software terms and conditions that you signed (or more likely clicked). These agreements are not negotiable unless you negotiated an enterprise version of the software. And now they are armed with an admission to a discrepancy in their favor.

Clearly, your friendly, open, cooperative stance has changed the equation in favor of the vendor. Without your openness, they have no way to prove what licenses you possessed or are currently using. As a result of the friendly open conversation, however, they obtain legal admission of ownership and prior inconsistent statements that can be used at trial to impeach your credibility. These admissions and inconsistent statements can assist the publisher in its attempt to prove willful violation of the terms of the license resulting in up to $150,000.00 in damages per occurrence. At a minimum, these statements justify an increase in the scope of the audit.

Recognize That This Audit Is A Revenue Center, Not an Enforcement or Compliance Expense

Defiant opposition seems like it could be an overly hardball approach. But when we understand that software audits are an emerging profit center rather than an enforcement expense, this stance is more understandable. Traditionally, a software audit was only performed on large, enterprise concerns as a general deterrent to violation of terms and conditions of a software license. That is, the software company’s primary profit center was developing and selling software. Audits (more often the mere right of audit) were seen as a way of keeping customers honest. It was a cost center. In the ideal case, the money spent on audit compliance was water under the bridge. The possibility of an audit and the reality of an occasional “spot check” was considered a cost of keeping customers compliant. However, two things changed all of this.

First, software companies have reached the point of diminishing returns on features. That is, applications like MS Word or Adobe Photoshop can only be improved so much. Traditionally, large software companies released yearly updated versions of software (i.e. 6.0, 7.0, Vista, 365 etc.) to maintain an edge on competitors. While followers were copying a market leader’s 6.0 version of a particular software application, the leader is releasing 7.0 with more bells and whistles. This continual investment in new features resulted in more profit per unit (i.e. customers will pay more for better bells and whistles) and greater market share (i.e. prospective customers will choose the application with the most bells and whistles). The curve describing the relationship between continual investment in bells and whistles and increasing revenues, profits and market share has begun to flatten. Accordingly, large software companies are looking for new revenue streams (See Fig 1.).

As software companies are seeing smaller and smaller increases in revenue and market share with the introduction of new features, large, mature software developers like Microsoft and Adobe are starting to rely on software audits to extract revenues from the marketplace.

Secondly, software companies have found that they can fine-tune auditing procedures so that the process operates as a predictable profit center. “Originally,” says Roy Goldstein, CEO of Capricorn Information Systems, Inc., “compliance audits were a cost center designed to act as a deterrent to prohibited uses of the software. At some point, publishers discovered that the revenues from the audit could exceed the cost of audits in a predictable fashion by doing more of this and less of that. This is no different than the small-town speed trap. Originally, the tickets were just a way to make sure traffic laws were being enforced. At some point the town discovers that putting a full-time officer and car behind a billboard at the bottom of the hill creates a bona fide money-maker that produces a predictable stream of income. Later, if we arm the officer with a radar gun, the yield increases because the cost to prove violations decreases. Finally, when we invest in high-performance police vehicles with crash grills, we catch a higher percentage of violators who might have outrun police cars in the past. This is precisely what the software companies are doing. They collect and mine data which gives them insight into how to best optimize this profit center.”

Respond, Don’t Talk

Having recognized the danger in open, friendly communication with the software company auditor, what should you do? Given the very real potential for civil liability, the possibility of criminal liability, the possibility that a successful plaintiff might pierce the corporate veil and the likelihood that, should that happen, the underlying facts would activate the carve-out provisions of your Errors and Omissions policy, what should you tell the auditor?

By “oppositional, defiant stance,” we do not encourage you to become rude, unprofessional or unresponsive. “Don’t Talk” does not mean “ignore” or ball the letter up and throw it in the trash. In fact, as “all warfare is based on deception,” your demeanor should be civil to the point of obsequiousness while you violently oppose the auditor at the level of strategy and tactics.

Like it or not, you are an unwitting and unwilling participant in a zero-sum game. The clock is ticking and anything you say will be used against you. You don’t have an option not to play. You agreed to an audit as a condition of the license agreement. To not play is to lose. To win, however, you must skillfully oppose your opponent. Your failure to play this game well could result in personal liability in the hundreds of thousands of dollars. If you play really badly, you could be the subject of a criminal copyright infringement action by the Department of Justice.

About the author

Thomas View

A graduate of Georgetown University, Mr. View is a highly experienced transactions attorney. His practice focuses on Contract Law and Business Law (incorporation, NDAs, SOWs, MSAs); Technology Transactions (licensing, SaaS, cloud, enterprise hardware, software and professional services, app, website agreements, privacy policies, TOS); IP (TM, (C) and entertainment law).

Mr. View has helped large organizations like the American Red Cross, media consulting companies serving major labels (Interscope Records, Universal Music Group, Atlantic Records); and technology firms (Capricorn Information Systems, Nu Pulse Technologies) to succeed in technology and entertainment transactions.
