This is the second part of a two-part series on software audits. To read part one, click here.
Three Areas of Opposition
If you were to simply ball up and discard the demand letter, you would eventually receive a summons to federal court. While the BSA and SIIA are not the police, they work for the software companies. Your license agreement with the software company permits some form of audit. Chances are good that this audit was not initiated randomly; a random audit yields far smaller profits than a targeted one. Typically, the software publisher has some basis (e.g. an informant report, a crash report, a proprietary algorithm) for believing that you are using software assets you have not paid for.
In chess, one does not defeat an opponent by attacking the opponent’s pieces; rather, one wins by attacking the opponent’s strategy. Such is the case with a software audit. There are five themes to keep in mind as you formulate your executive-level strategy for skillful, defiant opposition:
1. Don’t Guess—Know
In the example of the police sobriety stop, a driver is only equipped to fight the officer’s strategy if armed with concrete facts at the time she’s stopped. These facts would include accurate knowledge of alcohol levels and volumes of beverage consumed, the exact time window of consumption, her own rate of metabolization, whether or not and how informants might have precipitated the stop (e.g. a good Samaritan bartender who served the alcohol vs. a vindictive ex who spotted her across the bar), an understanding of Supreme Court car cases involving the 4th Amendment (search and seizure) and the 5th Amendment (due process and the right to remain silent, as applied to automobile stops), the rules of the road in the jurisdiction where she was stopped, and the blood alcohol limits in that jurisdiction. Only if she understands all of this should the driver—as a matter of legal opinion—speak at all.
Similarly, when you receive an audit letter, your responses should be informed by facts and procedures such as:
- A recent internal inventory of software licenses
- A legal opinion on the scope of your licenses
- A recent report, properly authenticated by authorized personnel, attesting that the relevant terms and conditions of every license in use conform to a software asset inventory maintained in a manner that is admissible in court
2. Engage Legal Counsel in Negotiations
3. Limit Scope
In the initial stages of the audit, the auditor’s opening volley of questions is designed to uncover information that opens the door to more issues, thereby increasing the scope of the audit and—in most cases—increasing the yield. Remember, a for-profit audit business model operates on an “expected gain.” That is, going in, the auditor has some sense of the likelihood of finding discrepancies in her favor and of the average dollar amount likely to be recovered in cases like yours. This prediction could be guided by actual information (e.g. from an informant or a crash report) or by a statistical model used for companies of a particular size, industry or geographic region. Based on the auditor’s preliminary analysis, there is only so much time and energy that she can justify spending on a given case. If, however, in the opening stages of the conversation, the auditor can uncover certain facts, she may be able to justify applying greater resources to your case, thereby increasing the likelihood of finding more and greater discrepancies. These initial “cracks” are the admissions made in the early stages in an attempt to seem open with nothing to hide.
An extremely simple example of a scope-limiting tactic is borrowed from a deposition maxim: only answer the question asked. No more!
4. Increase the Time and Expense of an Audit
The auditor’s business model is based on keeping the expenses of the audit lower than the expected gain from a particular subject. The greater the time required to conduct the audit, the lower the profit for the software company. While you are not trying to hide illegally obtained software, you are trying to win a zero-sum arm-wrestling exercise in the arena of laissez-faire capitalism. Remember, this auditor is not a civil servant engaged in a search for truth and justice. Some regard this exercise as a predatory business undertaking.
To increase the time and expense, you may have the choice of sending the auditor an inventory of software assets. This would seem like a sensible, civil, professional thing to do. And were this a legitimate compliance exercise rather than a profit center, it would be right: you would get it over with sooner and get back to doing what you do best. However, providing the auditor with a formatted, synthesized report effectively increases his budget, scope and, ultimately, yield. If it is determined that the best practice is to hand over the information, you might choose to hand it over in a form that is less easy to digest (e.g. raw data, masked, redacted, or bundled combined data). While the idea is not to be maliciously compliant, it is important to understand how influencing the cost and time factors will have a negative impact on the yield.
5. Snitches Get Riches
Before you respond, you need to investigate. If your investigation reveals that you have an informant, you should resist the instinct to retaliate. Further investigation could reveal some systemic dysfunction in your company. An informant might have been forced to perform a multiple installation by an unscrupulous higher-up in your organization. Simple retaliation may give you the satisfaction of revenge but may leave deeper flaws in the integrity of your workplace undisturbed. In addition, even if the informant is a lone wolf, he or she might have whistleblower protections and rights against wrongful termination.
As a general counsel or other C-level executive, you will be faced with an infinite array of choices for each question about how to respond on a strategic and tactical level. Every decision should hinge on: 1) a well-informed, legally authentic inventory of all software assets; 2) a legal opinion on the scope of the audit and the nature and extent of responses to initial auditor inquiries; 3) a firm grasp of your company’s information security environment; 4) a good factual understanding of the possible informants (i.e. who can be ruled in or out by virtue of purchasing power, installation responsibilities or administrative rights on your systems); 5) an educated estimate of the auditor’s business parameters (i.e. how much time, energy and resources this auditor can afford to expend in the absence of concrete facts about license discrepancies). Knowing the answers to these questions will help a GC or CEO calibrate her formulation of strategy with outside counsel based on an optimal understanding of your company. While an audit letter can be disconcerting, proactively planning for this event will hold you in good stead.
Above all, keep in mind that you have the right to remain silent.