Surviving an audit

How to limit the damages when the software police come knocking, accusing you of software licensing violations.

By Michael Overly, Network World, 11/17/97

Baron Blakeslee, Thermal Equipment Corp. and Verteq, Inc. are three companies that recently agreed to pay $235,000 in penalties to the Business Software Alliance (BSA). Their crime? All were accused of software copyright infringement and were audited for license compliance. What would you do if it happened to you? The software police could pay you a visit, if they haven't already, so make sure that you're well prepared for scrutiny and negotiations.

The Software Publishers Association (SPA), a software vendor trade association, and its offshoot, the BSA, are vigilantly pursuing software licensing abuse. The groups have filed hundreds of lawsuits and recovered millions of dollars in damages and settlements from companies that were caught using software they didn't pay for.

Most tips about illegal corporate software usage come from disgruntled employees. The SPA or BSA asks the company in question to agree to a voluntary audit of its computers to assess license compliance. If the company refuses to cooperate, it may invite a lawsuit for breach of licensing agreements and copyright infringement. The trade group may even seek a court order permitting it to seize company computers to preserve evidence.

The lawsuit will be based on two pieces of evidence. The first is a sworn statement from the disgruntled employee attesting that there is illegal software on the network. The second is the company's refusal to cooperate, which will be portrayed as an admission of guilt.

Given the high cost of defending a lawsuit, most businesses opt to comply with the audit request and pay a penalty for improperly licensed software - usually one to three times the retail price of each illegal program. Verteq, Inc. paid $150,000 for illegal copies of programs. Thermal Equipment and Baron Blakeslee agreed to pay a total of $85,000 to the BSA in exchange for the dismissal of a lawsuit for software copyright infringement.

If you are audited and decide that the safest course of action is to comply, take these five steps to make the process less painful and to avoid certain penalties.

  1. Respond promptly. This shows you are trying to cooperate and have nothing to hide. It also may prevent the seizure of your computers to preserve evidence.
  2. Caution employees. As soon as you receive an audit request, caution your employees not to delete any software from their PCs or the corporate network. In all likelihood, the audit will detect recently deleted software; that will be difficult to explain. It's far better to face a penalty for unlicensed software than charges of destruction of evidence. Minimize the potential for unpleasant surprises by encouraging employees to report unlicensed software to a manager. This will allow you to better assess the extent of the problem.
  3. Negotiate the settlement agreement. After you agree to the audit, the SPA will send you a settlement agreement. The document will define your obligations and specify the penalty for any unlicensed software. It also will require you to institute a compliance program to educate employees about illegally copying software. If you comply with the terms of the agreement, the SPA will release you from further liability for the software on your system at the time of the audit. The agreement and the scope of the audit are negotiable. For example, businesses often try to exclude games from the audit, since employees frequently install them without their employer's knowledge or consent. As part of the negotiation, you may offer to provide the SPA with a sworn statement confirming that you've removed the unlicensed games from your network. Use the same approach to exclude programs that are no longer used but still reside on the network.
  4. Insist on adequate protections. Carefully review the settlement agreement to ensure it includes adequate protections for your company. For example, the SPA should warrant that the audit won't damage data, introduce any viruses or destructive programs, or adversely affect your system. Make the SPA keep all information obtained during the audit confidential and pledge that it won't be used for any other purpose.
  5. Be ready with documentation and records. Most often, the SPA will ask you to conduct the audit yourself using its proprietary software. The program automatically scans the network to identify all software and generates a report that you return for analysis. In some cases, an auditor may come to your business to personally oversee the process. In either instance, you must furnish license documentation or rights to use each program identified during the audit.

Above all, remember the best defense against a software audit is a well-planned and executed compliance program.

Overly is an attorney and freelance writer. He can be contacted at moverly@concentric.net.