BSA Audits

The Business Software Alliance (“BSA”) and Software & Information Industry Association (“SIIA”) pursue copyright infringement claims against companies accused of installing unauthorized copies of software. Typically, the BSA and SIIA send letters to businesses and request audits of their computer systems.

This audit process often is arduous and involves collecting all available license-purchase documentation for the BSA- or SIIA-member software product installations discovered during the investigation. However, unlike the IRS’ retention requirement of 7 years for business records, the BSA and SIIA will not recognize license-credit in favor of the businesses they target without dated proof of proper licensing for every installed software product, regardless of when it was purchased.

More troubling for many businesses is the fact that, even if they are able to produce purchase documentation for software installed on their systems, they may receive no credit for that documentation if it appears to have been received from a software vendor that is not an authorized dealer. Purchasing software from some web sites, such as Amazon.com’s Amazon Marketplace, eBay, or Craigslist, can be risky, especially when the quoted price for a product is less than 80% of its MSRP value. Many of these heavily discounted software products licenses are offered without the authorization of the software publisher and could end up being useless to the business purchasing them, in the event of an audit. The cost can be magnified when, following settlement, the affected companies are required to re-purchase the same software from a reputable vendor.

In rare instances, the BSA and SIIA sue unauthorized resellers. In June, the SIIA worked with the LAPD to bring criminal charges against two individuals accused of pirating SIIA member software and selling it on Craigslist. However, while the BSA and SIIA pursue unauthorized retailers with civil and criminal charges, they are unable to expose all potential unauthorized retailers. Therefore, as a prudent practice, prior to making any software purchases, a company should investigate whether a vendor is an authorized seller of properly licensed software. Additionally, a company should beware of heavily discounted software.

Businesses that receive software audit demand letters from auditing entities such as the BSA or SIIA, or from software companies like Autodesk or Microsoft, often contend they cleaned up their network after receipt of the letter and should be released from any further obligation to conduct an audit or communicate with the auditor. Audited business should keep in mind, however, that the auditing entities typically are focused only on the targeted businesses’ software license-compliance status as of the audit effective date – the date on the first letter those entities send to a targeted business. The auditing entities usually will seek confirmation that the businesses were compliant on the effective date, and on no other date.

Because computer networks may change rapidly, the auditors need to identify a moment in time for which they can ask the audited business, “Did you have all of the licenses for the software installed on your computers?” If the answer is yes, the auditing entity will typically close its file. If the answer is no, the auditing entity will claim the business engaged in copyright infringement on the effective date. The business’ representation that it was compliant after the effective date has no bearing on whether the business engaged in copyright infringement on the effective date. If the matter proceeds to a lawsuit, the auditor likely would claim that the business infringed its or its members’ copyrights on the effective date.

The auditing entity typically demands proof of purchase documentation that demonstrates the ownership of a sufficient number of licenses on or before the effective date. Software purchased after the effective date is not relevant to the audit. Locating, reviewing, and compiling the proof of purchase documentation is a collective effort that often requires coordination among various individuals and departments within an organization. In addition, identifying and listing all of the software on the company’s computers as of the effective date may be made doubly difficult when computers contain large amounts of software irrelevant to the audit. It is also important to keep in mind that software environments change as computers are added, decommissioned, and rebuilt with the ebb and flow of HR turnover.

If you have been contacted by an auditing entity such as the BSA, the SIIA, or a software publisher, you should proceed with caution and should familiarize yourself with the typical process for such software audits. Experienced counsel can help to guide you through that process and to avoid unnecessarily large expenses.

The Business Software Alliance (“BSA”), and the Software & Information Industry Association (“SIIA”) pursue copyright infringement claims on behalf of software publishers, such as Microsoft, Adobe, and Autodesk, among many others. Typically the BSA and SIIA send audit letters to companies believed to be using unauthorized copies of software products. In their letters, they demand that the target companies conduct an internal audit of all computers they own to determine whether the auditing entities’ members’ software products are properly licensed.

It is not unusual for a company to discover during the audit process that its current or former employees installed software on company computers without authorization. Unfortunately, this oversight may lead to substantial financial penalties from the BSA or SIIA for any allegedly unauthorized installations. During the course of settlement negotiations, the BSA and SIIA routinely fine companies three times the MSRP value of each allegedly unlicensed product.

While no written policy is foolproof against employees installing unauthorized software, a proactive approach includes guidelines and policies to outline proper use of a company’s computers. This may include provisions banning installing, using, or accessing software unless specifically authorized by the company. Educating employees to have a better understanding of how to use a company’s resources and technology properly may help to prevent costly penalties in the future. In addition to a written policy, it also is advisable for a company to routinely conduct an internal audit of its computers to help ensure software compliance. Once the BSA or the SIIA gets involved, it is typically too late to avoid paying a penalty.

Software copyright infringement litigation (sometimes called software anti-piracy claims) comes in an array of varieties. Frequently, it is functionally indistinguishable from disputes involving literary or audio-visual works and centers on claims that an infringer copied a copyright owner’s work and then sold that work as the infringer’s own in pursuit of an undeserved profit. Software licensing and counterfeiting disputes comprise the majority of such claims and are very common in light of large publisher and trade group initiatives aimed at enforcement in these areas. Moving across the spectrum of complexity, because software is almost universally distributed under a licensing regime, rather than sales of copies, many other actions involve claims that a defendant used software outside the scope of the relevant license and thereby infringed the copyright. These matters usually require a more nuanced approach by a reviewing court, because they require a determination of whether the actions or omissions at issue constituted use outside the scope of the license – and therefore copyright infringement – or merely breaches of independent license terms, for which the plaintiff must seek damages, if any, in contract law.

However, a third class of software copyright litigation – what might be labeled “competing works litigation” – typically requires substantially more effort from the parties and the tribunal than either of the above types of disputes. In these cases, the developer or owner of one program complains that a different product created or distributed by the defendant consists, in whole or in part, of the work in which the plaintiff holds the copyright. These cases on average involve significantly higher stakes than other software copyright disputes, in that they can threaten the defendant with elimination of an entire line of business or even, in some cases, with the cessation of business operations altogether. The legal analyses and factual development in such matters can approach the level of complexity usually associated with patent disputes, and, indeed, many of the considerations in such matters likely would be familiar to dedicated patent law practitioners.

Business owners and managers whose companies have been targeted by IBM for a compliance audit often express surprise at the complex method IBM uses to determine the licensing requirements for many of its server software products, such as WebSphere and Tivoli. Many software vendors employ server software licensing frameworks that would be familiar to most anyone with experience purchasing software licenses: for every installation of a software product on a computer, the owner of that computer must purchase a corresponding license allowing use on that machine. There are some common variations on that general theme used by some publishers – notably, Microsoft – involving connections to server software by other computers on the network. With Microsoft SQL Server, for example, the computer owner must purchase either an appropriate number of client access licenses (CALs) for each user or device accessing the server software or else a “processor” license for each physical processor in a given computer, allowing use by an unlimited number of remote users or devices. (Processor licenses are typically significantly more expensive that CAL-based software licenses, but they may represent a good value for servers with a high number of remote connections.)

IBM previously employed a processor-based licensing formula for its server products, but in 2006 it moved to a licensing model using what it calls “processor value units” (PVUs). Under this model, each server processor is assigned a per-core PVU number that depends on the manufacturer and specifications for that processor. (IBM maintains a chart of per-core PVU numbers here.) That PVU number then is multiplied by the number of physical processor cores embodied in the processor to determine the processor value for the physical processor. For servers with multiple processors, that processor value then is multiplied by the number of processors to determine the server value. It is this final PVU number that reflects the licensing required for each computer, as follows:

Server Description: Dual processor, quad-core Dell PowerEdge SC1435
Server value = 50 PVUs/core x 4 cores/processor x 2 processors = 400 PVUs

IBM terms the formula described above “capacity licensing.” For machines employing virtualization technologies, under which a virtual server hosted on a physical machine may utilize less than all of the physical machines resources, IBM allows its customers to apply “sub-capacity” licensing rules to reduce the number of PVUs required for compliance. However, the sub-capacity rules entail a number of significant requirements, including use of IBM’s License Metric Tool, which reports information about hardware configurations and software deployments directly to IBM.

IBM software licensing involves a significant financial cost, and IBM’s products typically function in business-critical capacities in a company’s network. Companies that find themselves engaged in IBM audits are well advised to discuss their IBM licensing status with knowledgeable outside counsel before disclosing any information to IBM or making any changes to their IBM software deployments.

The Business Software Alliance (BSA) is an organization that pursues copyright infringement claims on behalf of many software publishers against companies it accuses of violating its members’ software license agreements. Because the cost of litigation in most cases outweighs the cost to settle out of court, the BSA often is able to force businesses to comply with an arduous and often arbitrary software audit process that typically culminates in a negotiated settlement entailing a significant settlement payment to the BSA.

Due to the nature of the process and the possibility that a settlement may be misconstrued to reflect misconduct on the part of a company, many companies that settle with the BSA seek to keep the existence and terms of settlement confidential. However, the BSA disfavors confidentiality provisions, because they interfere with its efforts to publicize the results of its license enforcement program. Therefore, the BSA typically demands a higher settlement payment to include such a provision.

Absent a confidentiality provision in the settlement agreement, the BSA generally is free to issue a press release detailing the terms of settlement and name of the company. The BSA often then seeks to publish the release in media outlets relevant to the targeted business’ industry or geographic location, in addition to publishing the press release on its web site.

There are many considerations for a company contemplating a demand for confidentiality. Some larger, more recognizable companies seek confidentiality provisions to offset potentially negative publicity associated with their brand. Under those circumstances, the additional penalty amount may represent an acceptable cost. However, smaller companies often choose to pay a lower settlement amount not inclusive of confidentiality, based on a determination that damage to their brands, if any, likely would be less significant. This is a decision in which a company’s upper management should be given an opportunity to contribute. Finally, on rare occasions, some companies seek to issue their own press releases, detailing the settlement terms, and exposing the BSA’s software auditing process as a warning for other businesses.

Regardless of the strategy a company chooses regarding confidentiality, it is important to be aware of the implications of failing to include a confidentiality provision in the final settlement agreement. When in doubt, it is beneficial to seek counsel from an attorney familiar with the BSA process.

In Nature’s Enterprises, Inc. v. Pearson (2010), the U.S. District Court for the Southern District of New York rejected Nature’s Enterprises (“NEI’s”) request for damages for each component part of a compilation. NEI had alleged that Pearson infringed ten of NEI’s copyrighted DVD movies, of which two comprised compilations of films copyrighted by NEI. NEI requested $10,000 for each of the 10 DVDs and $750 for each of the 45 clips contained in the two compilation DVDs.

The court rejected NEI’s request for damages for each separate work and concluded that “a plaintiff should not receive a windfall recovery by inflating the number of works infringed from its own compilation.” The court determined that “when a plaintiff compiles assorted copyrighted products into a new product, the compilation constitutes one work for purposes of copyright infringement.”

NEI’s focus on “whether each item (in a compilation) has an independent economic value and is, in itself, viable” did not sway the court. Rather, the Court held that “adopting such a test would be to make a total mockery of Congress' express mandate that all parts of a compilation must be treated as a single work for purposes of computing statutory damages.” The court also declined to apply rulings from cases NEI presented in which defendants, rather than plaintiffs, created compilations of the plaintiff’s works.

If you have been contacted by the Business Software Alliance (BSA), Software & Information Industry Association (SIIA), or another software industry auditing entity, you should contact counsel experienced in negotiating with auditing entities regarding bundled software suites that resemble compilations.

The Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA) are organizations that represent software publishers seeking to enforce the copyrights in the products they publish. In furtherance of this goal, these entities routinely send letters to businesses they believe may be infringing their members’ copyrights by failing to satisfy the requirements of applicable software license agreements. In the letter, the BSA and SIIA request audits of all member software products installed on all computers and servers owned by the targeted businesses.

The audit process is lengthy and arduous and often is affected by costly mistakes. One of those mistakes involves the use of an inadequate tool to conduct the kind of audit called for by the auditing entity. There are many ways a business may tackle the audit process. It may hire a law firm that specializes in software audits to conduct the review, it may hire external IT consultants, or it may proceed with its own in-house software audit. The BSA often suggests a number of tools to assist with a self-audit, sometimes including Novell, Symantec, Frontrange Solutions, Belarc and Spiceworks. Many of those tools are available for little or no licensing fee, making them appear to be attractive alternatives.

However, if a company chooses to conduct a self-audit, it is essential to verify the results produced by the tool deployed prior to submitting any information to the BSA or SIIA. Often, software audit tools are not sophisticated enough to discern between free trial software or remnants from previous installations and full installations of licensable software products within the scope of the audit. Over-reporting can carry significant consequences, because each product mistakenly reported as a full version for which a business is unable to demonstrate license ownership typically entails a penalty at settlement based on the MSRP of that product. The BSA then typically applies a multiplier for each product included in its settlement offer calculations.

For these reasons, it is important when conducting an in-house software audit to carefully look for any mistakes in the audit results and to ensure that those results accurately reflect what was installed as of the effective date of the audit requested by the BSA or SIIA. If there is any doubt regarding the accuracy of those results, it is vital to seek the advice of a knowledgeable attorney or consultant prior to submitting any information to the auditing entity.

Many businesses targeted for software audits initiated by the Business Software Alliance (BSA) often make the decision as a result of the audit process to forego the expense and risk associated with using BSA-member software and instead transition to open-source software (OSS) solutions. While OSS may entail some challenges related to hardware and software compatibility, in many cases, those products do not entail any licensing fees, are subject to much less stringent licensing requirements, and may be upgraded at will to the latest versions without the purchase of any support subscriptions or product upgrades. As a result, they present a tempting and cost-effective alternative to other solutions, especially in light of the fact that expensive BSA settlements typically do not include the acquisition of any software licenses that a business may require in order to achieve compliance. However, through the International Intellectual Property Alliance (IIPA) – an IP trade organization of which the BSA and other content-oriented groups like the Motion Picture Association of America and Recording Industry Association of America are members – the BSA appears to be subscribing to the position that the use and endorsement of OSS is the equivalent of software “piracy.”

The IIPA’s position was reflected recently in comments it submitted to influence U.S. trade policy. Each year, the Office of the U.S. Trade Representative (USTR) conducts a review of foreign IP laws – called the Special 301 review – to identify those nations believed to have unacceptably lax copyright policies. Negative treatment in the review can lead to trade sanctions and is intended to exert pressure on foreign nations to adopt more stringent copyright policies. During the review process, the USTR accepts recommendations from interested parties regarding countries they believe should be added to the “blacklist” of poor copyright enforcers. In its 2010 recommendations to the USTR, the IIPA named among the countries to be “watched,” among others, Indonesia, Brazil and India, at least in part, it seems, for endorsing the use of OSS in governmental agency offices. This is in spite of the fact that some nations – Indonesia notable among them – adopted those recommendations in order to curb the use of unlicensed software.

A person could be forgiven for adopting a cynical assessment of the BSA’s motivations in the wake of such an apparent policy endorsement. Under the guise of protecting its members’ valuable copyright interests, the BSA has targeted hundreds of small-to-medium-sized businesses for software audits under the threat of federal court litigation and has labeled many of those businesses “pirates” upon failure to meet the BSA’s unnecessarily strict requirements for proving ownership of software licenses. However, the IIPA’s position with regard to OSS seems to indicate that copyright enforcement may be less of a concern to the BSA than is driving sales of its members’ products.

The BSA has not historically objected to businesses transitioning to OSS in the wake of software audits, but the IIPA’s recommendations to the USTA may be cause for concern. All businesses that have been contacted by the BSA for such audits should consult with counsel to work toward the most reasonable available resolution.

The full text of the IIPA’s recommendations is available here:

http://www.iipa.com/2010_SPEC301_TOC.htm

Many companies choose to pursue an internal audit of software systems after receiving a request from the Business Software Alliance (BSA). When it comes to deciding how to proceed with an audit, there are multiple considerations, including, but not limited to, the size of the company, amount of computers, type of software at issue, IT support, and accuracy of a company’s records.

A small company with few computers is better suited than a larger corporation to conduct its own audit either manually or to take advantage of one of the many free software scan tools available on the internet. There are still risks of inaccuracy involved. One danger is that a company may submit information regarding a free download that may be mislabeled, and inaccurately reported to the BSA as unlicensed software.

This risk is amplified for larger companies with many computer systems and multiple users. If a large company seeks to conduct its own audit, the free scanning tools are still an acceptable choice, as manually checking each computer is both tedious and can lead to mistakes. An alternative is to seek a consultant who specializes in software infringement issues and who can assist with network inventory and sorting through software purchasing invoices and receipts. However, it is important to keep in mind that, unless that consultant is an attorney, he or she may have no duty of confidentiality to the company. Therefore, it is wise either to obtain a comprehensive confidentiality agreement from the consultant or to retain a knowledgeable attorney to assist with the inventory.

In addition to collecting an inventory of software installations, it is important to gather purchasing information to provide to the BSA. If receipts and invoices are not provided for all software installations reported, the BSA will assume the software is unlicensed and will increase its settlement demand. Regardless of the size of a company, if there are concerns about the ability to scan software, locate purchasing information or evaluate audit results, it is advisable to seek outside assistance with the process from an expert.