You have received a letter from the Business Software Alliance (BSA) or Software Industry Information Association (SIAA). The letter claims that you could owe unnamed software publishers hundreds of thousands of dollars. Chances are good that your first instinct will be to disregard this letter. These days, most unsolicited US Mail is junk. This conditional language (e.g. “you might be liable”) and the generic official-sounding organizational name feels more like letter from Publisher’s Clearing house than anything requiring any serious measure of your time and attention.
In fact, these letters should be treated as a top legal priority. The BSA and SIIA are legitimate trade organizations, and copyright infringement is serious matter—in some cases, a serious crime. Depending on the circumstances, infringement could result in personal liability for officers and directors of your company. Certain violations can activate exclusions in your errors and omissions insurance policies leaving directors, officers and board members personally liable.
So now that you know that this is serious business, what should you do?
Assume a Defiant Oppositional Stance
The first order of business it to assume a defiant, oppositional stance. This runs contrary to what we were taught as children. We are taught that if we didn’t do anything wrong, we have nothing to fear by being an open book. In the case of a software audit, this is bad advice.
First and foremost, BSA and SIIA are not the police. In the ideal case, police are neutral civil servants enforcing the law in accordance with strong constitutional safeguards. Whatever BSA and SIIA agents are, they do not possess police power. They are agents of the software company that you may or may not have purchased a license from. Their authority over you—even as a matter of contract law—is limited if it exists at all. While you don’t want to overplay your hand on this point, you do want to be mindful of it
Secondly, this letter is a calculated tactic designed to elicit precisely your compliant, open response; let’s call that stance defensively compliant. Defensive compliance describes that motivation to overly comply with authorities in an effort to prove that we are one of the “good guys.” This posture is rooted in mild sense of indignance about having one’s integrity called into question. We reason incorrectly: “…the more open and forthcoming I am, the quicker the interrogator will realize that I’m a “good guy” and bring this matter to close, perhaps with an apology.”
This behavior is sometimes seen when a person who is stopped by police openly volunteers that he or she has been “drinking but… it was only a few beers after work.”
Defensive compliance is the rooted in a belief that the system is fair and flawless. Most significantly, defensive compliance is based on an unjustified certainty by the subject of interrogation that he or she is 100% innocent.
Similarly, the business owner or general counsel (GC) receipt of such an audit letter may mistakenly believe that his or her company is compliant. Often, this belief is based on a recollection that invoices to a software vendor in question were paid. However, unless the reader of the letter is the person who physically installed these licenses and maintains a regular inventory of licenses, he or she couldn’t possibly know exactly which licenses apply to which machines. He or she could have no way of knowing for sure whether a single license was installed on multiple machines. In an age of virtualization and cloud-based computing, reconciling the license terms and conditions is a technical and legal challenge for even the most sophisticated chief information officer. Therefore, openness with an investigator based on an assumption there are no discrepancies can represent an early and major gaffe.
There is a pretty good probability that there is some discrepancy between the number of licenses and your fees paid. When you freely admit open your inventory to the investigator, you decrease the amount of work that the investigator must do and virtually increase the scope of his investigation.
Your defensive compliance may have resulted in your company’s admission using the software in question in a manner that is fully admissible in court. Under the Federal Rules of Evidence 801, your statement is admissible in court against you as an admission of a party opponent.
This admission seems like a small thing but it is a major blunder in this high-stakes game of chess. Worse still is that this error may have just opened the door to wider investigation. At this point, the publisher is no longer guessing about whether or not your company is using a given number of software licenses. You have stated this fact in a manner that is fully admissible at trial.
Assume that you later sense your mistake and now start to resist. Say you later challenge BSA and SIIA’s right to audit you. You argue that you did not make an agreement with BSA or SIIA. That there is no privity of contract. They might agree that as a technical matter there is no privity of contract. But your victory will be short lived.
BSA or SIIA were sent to you on behalf of their member organizations: Microsoft, Apple, Oracle, Dell. Giants in the world of technology. These goliaths got that way by being deadly serious about collecting monies owed. You can safely assume that your case is no exception. Your license agreement is with the publisher and BSA or SIAA is authorized to conduct the audit as the publisher’s agent pursuant to a software terms and conditions that you signed (or more likely clicked). These agreements are not negotiable unless you negotiated an enterprise version of the software. And now they are armed with an admission to a discrepancy in their favor.
Clearly, your friendly, open, cooperative stance has changed the equation in favor of the vendor. Without your openness, they have no way to prove what licenses you possessed or are currently using. As a result of the friendly open conversation, however, they obtain legal admission of ownership and prior inconsistent statements that can be used at trial to impeach your credibility. These admissions and inconsistent statements can assist the publisher in its attempt to prove willful violation of the terms of the license resulting in up to $150,000.00 in damages per occurrence. At a minimum, these statements justify an increase in the scope of the audit.
Recognize That This Audit Is A Revenue Center, Not an Enforcement or Compliance Expense
First, software companies have reached the point of diminishing returns on features. That is, applications like MS Word or Adobe Photoshop can only be improved so much. Traditionally, large software companies released yearly updated versions of software (i.e. 6.0, 7.0, Vista, 365 etc.) to maintain an edge on competitors. While followers were copying a market leader’s 6.0 version of a particular software application, the leader is releasing 7.0 with more bells and whistles. This continual investment in new features resulted in more profit per unit (i.e. customers will pay more for better bells and whistles) and greater market share (i.e. prospective customers will choose the application with the most bells and whistles). The curve describing the relationship between continual investment in bells and whistles and increasing revenues, profits and market share has begun to flatten. Accordingly, large software companies are looking for new revenue streams (See Fig 1.).
As software companies are seeing smaller and smaller increases in revenue and market share with the introduction of new features, large, mature software developers like Microsoft and Adobe are starting to rely on software audits to extract revenues from the marketplace.
Respond, Don’t Talk
Having recognized the danger in open, friendly communication with the software company auditor, what should you do? Given the very real potential for civil liability, the possibility of criminal liability, the possibility that successful plaintiff might pierce the corporate veil and the likelihood that—should that happen–underlying facts would likely activate the carve-out provisions of your Errors and Omissions policy, what should you tell the auditor?
By “oppositional, defiant stance,” we do not encourage you become rude, unprofessional or unresponsive. “Don’t Talk” does not mean “ignore” or ball the letter up and throw it in the trash. In fact, as “all warfare is based on deception,” your demeanor should be civil to the point of obsequiousness while you violently oppose the auditor at the level of strategy and tactics.
Like it or not, you are an unwitting and unwilling participant in a zero-sum-game. The clock is ticking and anything you say will be used against you. You don’t have an option not to play. You agreed to an audit as a condition of the license agreement. To not play is to lose. To win, however, you must skillfully oppose your opponent. Your failure to play this game well could result in personal liability in the hundreds of thousands of dollars. If you play really badly, you could be the subject of a criminal copyright infringement action by the Department of Justice.