BSA Audits

Many companies choose to pursue an internal audit of software systems after receiving a request from the Business Software Alliance (BSA). When it comes to deciding how to proceed with an audit, there are multiple considerations, including, but not limited to, the size of the company, amount of computers, type of software at issue, IT support, and accuracy of a company’s records.

A small company with few computers is better suited than a larger corporation to conduct its own audit either manually or to take advantage of one of the many free software scan tools available on the internet. There are still risks of inaccuracy involved. One danger is that a company may submit information regarding a free download that may be mislabeled, and inaccurately reported to the BSA as unlicensed software.

This risk is amplified for larger companies with many computer systems and multiple users. If a large company seeks to conduct its own audit, the free scanning tools are still an acceptable choice, as manually checking each computer is both tedious and can lead to mistakes. An alternative is to seek a consultant who specializes in software infringement issues and who can assist with network inventory and sorting through software purchasing invoices and receipts. However, it is important to keep in mind that, unless that consultant is an attorney, he or she may have no duty of confidentiality to the company. Therefore, it is wise either to obtain a comprehensive confidentiality agreement from the consultant or to retain a knowledgeable attorney to assist with the inventory.

In addition to collecting an inventory of software installations, it is important to gather purchasing information to provide to the BSA. If receipts and invoices are not provided for all software installations reported, the BSA will assume the software is unlicensed and will increase its settlement demand. Regardless of the size of a company, if there are concerns about the ability to scan software, locate purchasing information or evaluate audit results, it is advisable to seek outside assistance with the process from an expert.

The Business Software Alliance (BSA) regularly targets small-to-medium sized businesses for expensive software audits to determine whether those businesses are in compliance with their BSA-member software licenses. In furtherance of that effort, the BSA offers cash rewards to disgruntled current or former employees who provide information about allegedly unlicensed software installed on their employers’ computers.

However, in many cases, businesses targeted by the BSA discover that there appear to be significant discrepancies between the information apparently provided by the BSA’s confidential informants and the actual license-compliance status of those businesses. Many businesses suspect that the cause of the discrepancy is the informants’ desire to profit from the BSA’s reward program. Regardless of the cause, however, when the audit materials submitted in an audit matter do not conform to the information supplied by the confidential informant, the BSA typically disputes the results. The business then ends up incurring additional legal fees in an effort to authenticate those results and move the matter forward to a resolution.

Worse, though, even when the BSA discovers that its informant may have provided false information, it typically will not stop pursuing the copyright infringement claims. The BSA’s loose definition of “unlicensed” software covers any software with no proof of purchase. Therefore, even though business records are only required to be kept for seven years for tax purposes, because the BSA requires dated proof of purchase in order to credit a business with license ownership, it effectively expects its business targets to keep their invoices for software license purchases forever. The BSA thus justifies its continued pursuit of businesses, even in the face of an apparently unreliable informant, based less on principles of copyright law than on potentially inadequate accounting practices.

There is usually little recourse against the BSA or the informant for initiating legal action based on false information. In some cases, a company may consider suing the informant on a breach of contract or breach of confidentiality claim, depending on the existence of any prior agreements with the informant, but the expense of such an action would be prohibitive for most businesses. For these reasons and others, it is important for all companies, regardless of whether they are faced with a BSA audit, to be prepared to document their license ownership, to keep confidential all information relevant or potentially relevant to an audit, and to seek the assistance of counsel.

“Software piracy” is a favorite catch-phrase used by the Business Software Alliance (BSA) and the software companies it represents. Most people understand software piracy to involve the intentional copying and, in many cases, distribution of copyrighted software to third parties without permission of the copyright owner. Understandably, the term has extremely negative connotations, and most businesses will go to great lengths to avoid behavior that could reasonably be branded as “piracy.”

Unfortunately, the BSA’s definition of software piracy is considerably more broad than the common understanding and may be confusing to companies audited by the BSA who have never knowingly copied unlicensed software. During a BSA-initiated software audit, the BSA requires the businesses it targets to provide dated proofs of purchase for each software product installed on their computers. There are specific types of documentation the BSA accepts, and it usually rejects purchases from E-bay, Amazon, or similar Internet-based re-sellers. Therefore, if a company unknowingly purchases software from an unauthorized retailer or simply is unable to find receipts for products it purchased, the BSA will penalize the company as though it intentionally violated copyright law and “pirated” the software.

Worse, typically after an audit the BSA will enter into settlement agreements with the companies it accuses of copyright infringement. Unless a provision for confidentiality is included in a settlement agreement (usually only in return for a significant additional amount to be paid at settlement), there is nothing to prevent the BSA from publishing a press release identifying the targeted company, the software products involved, and the settlement amount, and otherwise making express or implied statements that the company is guilty of “software piracy.”

As a general rule, companies should keep all receipts from software purchases indefinitely, and they should purchase software only from authorized dealers. Additionally, recipients of letters from the BSA should seek experienced legal counsel to assist with the audit and to help negotiate a resolution that may prevent the unnecessarily negative publicity that can result from the BSA’s overzealous application of the “pirate” label.

A recent article published by a U.K. business journal suggested that U.K. businesses should refuse to co-operate with demands by the Business Software Alliance (BSA) for information regarding BSA-member software installations and licenses. A copy of that article is available here.

The article’s sources appear to base their suggestions on a combination of personal experience and, perhaps, assumptions about the BSA’s operating procedures in U.K.-based software audit matters. One source is cited as suggesting that “companies being chased to complete audits should only do so if the BSA is willing to disclose why they are being targeted, which is something it would have to do as part of any litigation process.”

However, at least in U.S.-based audit matters, the BSA is generally unwilling in any circumstances short of a federal lawsuit to disclose any information regarding the source of its information. In addition, the BSA in the U.S. operates under powers of attorney signed by the software publisher-members it represents, and it has, in the past, shown itself to be willing to pursue software audit matters in court, in the event that business targets either refuse to co-operate with its audit demands or provide information that materially and significantly diverges from the information obtained from its confidential sources.

Notwithstanding the understandable reservations many businesses may have – and should have – regarding disclosing otherwise confidential information to third parties, businesses confronted by the BSA with allegations of software copyright infringement should, at the very least, engage knowledgeable counsel in an effort to evaluate the advisability of co-operating with such demands based on all of the facts. For most businesses in that situation, it will make more sense to co-operate with the BSA in reaching an out-of-court resolution. Such an informal process allows a business to control the flow of information to the BSA and to preserve the confidentiality of any negotiated resolution. Costs and expenses associated with co-operation also generally are significantly less than those associated with a federal lawsuit, and the potential for a lower agreed settlement amount usually will be greater as well.

There are exceptions, of course, and it is equally important to keep in mind that it may make more sense, for any number of reasons, either to refuse to co-operate or, possibly, to file a pre-emptive lawsuit, usually in the form of a request that a court issue a declaratory judgment regarding the absence of copyright infringement. Again, however, these are decisions that businesses must make only after consulting with an attorney who is knowledgeable regarding the issues presented and the potential for exposure.

Targeted by the BSA? Almost all of my clients wonder how the Business Software Alliance got their name. Have you heard the BSA’s radio campaign offering rewards of up $1,000,000 dollars to disgruntled employees? The BSA entices disgruntled employees to rat on their employers in exchange for the promise of reward money. If you have been contacted by the BSA, a former or current disgruntled employee likely heard the Business Software Alliance’s Blow the Whistle campaign on the radio.

Click the link below to listen to the Business Software Alliance’s Radio Campaign as reported by ABC News:

Business Software Alliance Report

Vigilant monitoring of the BSA’s member list can help you protect your business from unneeded expense associated with a BSA-initiated software audit. The BSA member list changes as software publishers are added to and removed from the BSA’s publicly available list of member software publishers.

Most recently, the newest software publisher to join the BSA is Sheba Distribution, a division of Garmin Ltd., producer of the popular Garmin navigation and communication devices. Avid, EMC Corporation, Parametric Technology Corporation (PTC), and Synopsys have been removed from the BSA member list. Avid publishes popular video and media editing software such as Media Composer Mojo and Symphony Nitris. Avid also owns media and graphics software companies Digidesign, Pinnacle Systems, M-Audio, Sibelius, Sundance Digital, and formerly, Soft Image. EMC Corporation is a technology company offering a range of network, data recovery, and information management products and consulting services. EMC also owns virtual machine software company VMWare. PTC publishes the popular engineering design software PRO/Engineer. Synopsys publishes software and offers services used in the semiconductor industry.

A BSA audit can be a costly engagement for any business. Maintaining software license compliance will help prevent your business from exposing itself to the unneeded expense of a lawsuit or settlement with the BSA. Businesses that do not manage their licenses and installations on an ongoing basis by performing self-audits may find themselves performing an audit in the context of a BSA matter. Businesses should strongly consider deploying software audit solutions that manage both their installations and licenses and protect the information under an attorney-client privilege.

To view the current list of BSA members, click here.

Most BSA Audits begin with a report from a disgruntled employee or former employee. The Business Software Alliance maintains telephone hotlines and a web site to encourage disgruntled employees and vendors to make anonymous reports against companies of all sizes. The BSA dedicates a substantial portion of its revenue marketing on radio stations and the internet to these "rats," promising them confidentiality and the ability to make an anonymous complaint. The current ad on Google reads:

BSA - Official Site

www.BSA.org/reportpiracy Earn up to $1 million for Reporting Pirated Software - All Confidential

The Business Software Alliance investigates all reports of software piracy without confirming the veracity of the information provided or the motive of the person making the complaint.

Once a report is received, the Business Software Alliance makes a decision about whether to request a self-audit or to immediately file suit. In the overwhelming majority of cases, the Business Software Alliance pursues the self-audit approach. Acting either through an internal enforcement attorney or an outside law firm, the BSA will send a letter to the target company requesting a self-audit. The request for an audit is a critical stage in the process, and the time when an experienced attorney can help your business the most.

The Business Software Alliance is aggressively targeting businesses accusing them of software piracy. Businesses around the world are facing off with the BSA as the media continues to raise questions about its questionable enforcement tactics such as offering up to one million dollars in reward money. This ABC News report contains the Business Software Alliances’ Blow the Whistle campaign as well as interviews with BSA officials and me. If you have been targeted in an investigation by the Business Software Alliance, you should seek the advice of an experienced attorney.

Click the link below to listen to the Full Report on Business Software Alliance by ABC News:

Business Software Alliance Report

The Business Software Alliance (BSA) recently lent its support to legislation pending in the U.S. Congress that would expand the scope and power of federal criminal law pertaining to IT security matters. Under the “Cyber-Security Enhancement Act of 2007” (CSEA), section 1030 of the federal criminal code would be amended to include new offenses of extortion based on threats to gain unauthorized access to a computer and of conspiracy to commit any of the IT-related crimes defined in section 1030. More significantly, the bill would create another new offense directed at anyone who:

…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains a unique electronic identification number, address or routing code, or access device (as defined in section 1029(e)(1)), from a protected computer.
The term “exceeds authorized access” already is defined elsewhere to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” In addition, the bill amends the previous definition of “protected computer” to include any computer “affecting interstate or foreign commerce or communication” (which would seem to include any computer that is publicly accessible through the Internet). Finally, the bill would include all of these offenses, along with the other section 1030 offenses, as predicates for prosecution (as well as civil liability) under the Racketeer Influenced and Corrupt Organizations Act (RICO).

It is undoubtedly important to give law enforcement all the tools that it needs to combat organized efforts to infiltrate secure computer networks and the sensitive personal information that many of them contain (an objective that CSEA also pursues through greater funding for federal investigations into cyber-crime). However, in pursuing this end, the CSEA and its supporters seem to be casting a very wide net indeed. Questions concerning what constitutes “authorized” access or information to which a user is or is not “entitled” on a web-accessible computer could mean that more than just hardened cyber-criminals end up getting caught in CSEA’s sweep. The surprisingly broad scope of the bill, coupled with the new link to RICO and the private civil suits that statute allows, may also mean that we could see an up-tick in IT-related litigation in coming years, should CSEA see its way through to passage. It will be interesting to watch this bills progress in coming weeks and months.

You can read the text of the bill here. Section 1030 as it currently exists is available here.

Many companies who comply with a demand by a software publisher or industry association (such as the BSA or the SIIA) for an internal software audit end up facing significant settlement demands after forwarding their audit materials to the other side. One of the reasons the settlement demands often are so high is the fact that the auditing entities frequently base their demands, in part, on the “unbundled” price of software suites. Thus, where a company may expect to pay a fine based on the MSRP of, for example, one undocumented installation Microsoft Office Professional 2007 ($679), it likely will end up receiving a settlement demand based on the combined MSRPs of each of the components of that undocumented suite: Word ($229), Excel ($229), PowerPoint ($229), Outlook ($110), Publisher ($169), and Access ($229), all totaling $1195. In a typical case these difference add tens of thousands of dollars to the amount in controversy.

Another way in which publishers or auditing entities raise the amount in controversy in software audits is the attempt to assess separate “fines” for each allegedly infringing installation of a software product. Thus, a company reporting just ten undocumented installations of Office Professional 2007, with no other licensing shortfalls, may receive a settlement offer based on the combined, “unbundled” MSRPs of the component products totaling just shy of $12,000. Moreover, that is before the auditing entity applies any multipliers to that figure (yet another common tactic) or makes any assessments for their claimed legal fees, both of which factors may drive the opening settlement offer in the above example to $40,000 or more.

It is not difficult to see how owners of small to medium businesses who think that they have a handle on their financial exposure in a software audit matter often end up with truly unpleasant surprises after submitting audit materials to the BSA or SIIA that they may have believed would be negotiating on a more equitable basis.

If your business has been accused of software “piracy” and is responding to a software audit demand either from a software publisher like Autodesk or from the BSA or the SIIA, an experienced attorney can give you visibility into the process and help you avoid unpleasant surprises.