By UpCounsel Technology Attorney Thomas View

This is the second part of a two-part series on software audits. To read part one, click here.

Three Areas of Opposition

If you were to simply ball up and discard the demand letter, you would eventually receive a summons to federal court. While the BSA and SIAA are not the police, they work for the software companies. Your license agreement with the software company permits some form of audit. Chances are good that this audit was not initiated randomly. That is, a random audit will yield far smaller profits than targeted audits. Typically, the software publisher has some basis (i.e. informant report, crash report, proprietary algorithm etc.) for believing that you are using software assets that you have not paid for.

In chess, one does not defeat his opponent by attacking the opponent’s pieces; rather, he or she wins by attaching the opponent’s strategy. Such is the case with a software audit. There are five themes to keep in mind as you formulate your executive-level strategy for skillful defiant opposition:

1. Don’t Guess—Know

In the example of the police sobriety stop, a driver is only equipped to fight the officer’s strategy if armed with concrete facts at the time she’s stopped. These facts would include accurate knowledge of alcohol levels and volumes of beverage consumed, the exact time -window of consumption, her own rate of metabolization, whether or not and how informants might have precipitated the stop (i.e. good Samaritan bartender who served alcohol vs. vindictive ex who spotted her across the bar), understanding of Supreme Court Car Cases involving the 4th Amendment (search and seizure) and the 5th Amendment (due process and right to remain silent applied to automobile stops), rules of the road in the jurisdiction where she was stopped and the limits for blood alcohol in this jurisdiction. Only if she understands all of this should the driver—as matter of legal opinion—speak at all.

Similarly, when you receive an audit letter, your responses should be informed by facts and procedures such as:

  • A recent internal inventory of software licenses
  • A legal opinion on the scope of your licenses
  • A recent report that is properly authenticated by authorized personnel attesting to the fact that the relevant terms and conditions of every license in use conform to a software asset inventory that is maintained in a manner that is admissible in court

2. Engage Legal Counsel in Negotiations

Lawyers will understand the ambiguity in certain legal terms like the scope of the audit, terms and conditions of the audit, the extent of the license grant, etc. A lawyer will understand how to greatly reduce the scope of the audit and interpret its terms in a light most favorable to your company’s interests. Most importantly, nothing that an attorney says can be used against you. You might argue that settlement conversations with auditors are protected by the rules of evidence which often excludes settlement conversations from evidence in a trial. However, an attorney is able to proffer information to the opposing side and represent your circumstances in hypothetical scenarios that would have no impact on your ability to testify at trial. By the same token, you making the exact same statements can be treated as admissions of party opponents and statements against interest which are fully admissible against you at trial.

3. Limit Scope

In the initial stages of the audit, the auditor’s initial volley of questions is designed to uncover information that opens the door to more issues, thereby increasing the scope of the audit and—in most cases—increasing the yield. Remember, a for-profit audit business model operates based on an “expected gain.” That is, going in, the auditor going in has some sense of the likelihood of finding discrepancies in her favor and an average dollar amount likely to be recovered in cases like yours. This prediction could be guided by actual information (ex. from an informant or a crash report) or based on a statistical algorithm used for companies of a particular size, industry or geographic region. Based on the auditor’s preliminary analysis, there is only so much time and energy that she can justify spending on a given case. If, however, in the opening stages of the conversation, the auditor can uncover certain facts, she may be able to justify applying greater resources to your case, thereby increasing the likelihood of finding more and greater discrepancies. These initial “cracks” are the admissions that are made in the initial stages in an attempt to seem open with nothing to hide.

An extremely simplistic example a scope-limiting tactic is borrowed from a deposition maxim: only answer the question asked. No more!

If you are asked by the auditor whether you know how many licenses you own, your answer should not be “130 seats.” It should be “Yes” or “No” as the case may be. Make him ask: “Will you tell me the number of licenses you have?” “How many licenses do you have?” “Is that 130 seats?” Being hyper-literal seems childish and petty, but, the above exchange increased the amount of time to gain access to information (130 seats) by five times. That makes the inquiry 5X more expensive in the early stages and has an exponential impact on limits of scope. A similar tactic to limit scope is an informed a legal argument that certain terms of the license only justify certain type of inquiry, methods of factfinding, times and frequency of factfinding. This would be analogous to a motion in limine or a suppression motion at trial. By reducing the scope of inquiry, the outcome of the exercise generally is greatly reduced as well.

4. Increase the Time and Expense of an Audit

The auditor’s business model is based on keeping the expenses for the audit lower than the expected gain from a particular subject. The greater the time required to conduct the audit, the lower the profit for the software company. While you are not trying to hide illegally obtained software, you are trying to win a zero-sum arm-wrestling exercise in the arena of laissez-faire capitalism. Remember, this auditor is not a civil servant engaged in a search for truth and justice. This exercise is thought by some to be a predatory business undertaking.

To increase the time and expense, you may have a choice of sending the auditor an inventory of software assets. This would seem like a sensible, civil professional thing to do. And were this a legitimate compliance exercise rather than a profit center, this would be right. You would get it over with sooner and get back to doing what you do best. However, providing the auditor with formatted, synthesized report, virtually increases his budget, scope, and ultimately, yield. If it is determined that the best practice is handing over the information, you might choose to hand over the information in a way that makes it less easy to understand (e.g. raw data, masked, redacted, bundled combined data) . While the idea is not to be maliciously obedient, it is important to understand how influencing the cost and time factors will have a negative impact on the yield.

5. Snitches Get Riches

You should always be aware of the reality of informants in the software audit. Software audit tip lines offer as much as $1,000,000.00 in rewards for information leading to discovery of unauthorized use of licenses. Some IT workers have been known to accept temporary employment assignments where they possess administrative rights with the sole intention of installing pirated software and collecting a reward. More commonly, a temporary worker or disgruntled employee might sabotage your system by installing and reporting unauthorized use which is unknown to you. Sometimes IT staff has downloaded unauthorized software, tools or utilities to facilitate their work unbeknownst to even your technology lead.

Before you respond, you need to investigate. If your investigation reveals that you have an informant, you should resist the instinct to retaliate. Further investigation could reveal some systemic dysfunction in your company. An informant might have been forced to do a multiple installation by an unscrupulous higher up in your organization. Simple retaliation may give you the satisfaction of revenge but may leave deeper flaws in the integrity of your workplace undisturbed. In addition, even if the informant is a lone wolf, he or she might possess rights to act as a whistle blower and against wrongful termination.

Conclusion

As a general counsel or other C-level executive, you will be faced with an infinite array of choices for each question about how to respond on a strategic and tactical level. Every decision should hinge on: 1) a well-informed, legally authentic inventory of all software assets; 2) a legal opinion on the scope of the audit and the nature and extent of responses to initial auditor inquiries;3) A firm grasp of your company’s information security environment; 4) A good factual understanding of the possible informants (i.e. who can be ruled in or out by virtue of purchasing power, installation responsibilities or administrative rights on your system; 5) An educated estimate of the auditor’s business parameters (i.e. how much time, energy and resources this auditor can afford to expend in the absence of concrete facts about licenses discrepancies). Knowing the answers to these questions will help a GC or CEO calibrate her formulation of strategy with outside counsel based on an optimal understanding of your company. While an audit letter can be disconcerting, proactively planning for this event will hold you in good stead.

Above all, keep in mind that you have the right to remain silent.

Get the Ultimate Guide to Structuring Legal Operations

About the author

Thomas View

Thomas View

A graduate of Georgetown University, Mr. View is a highly experienced transactions attorney. His practice focuses on Contract Law and Business Law (incorporation, NDAs, SOWs, MSAs); Technology Transactions( licensing, SaaS, cloud, enterprise hardware, software and professional services, app, website agreements, privacy policies, TOS);IP (TM, (C) and entertainment law.)

Mr. View has helped large organizations like the American Red Cross, media consulting companies serving major labels (Interscope Records, Universal Music Group, Atlantic Records); and technology firms (Capricorn Information Systems, Nu Pulse Technologies) to succeed in technology and entertainment transactions.

View all posts Request a Proposal

Post a Job on
UpCounsel and get
high quality legal work done

Post a Job on UpCounsel
Shares