Introduction

With global corporate spending on software reaching unprecedented levels, businesses are increasingly facing the challenge of how to manage software assets effectively. Many are failing to meet this challenge, resulting not only in wasted expenditure on too many or the wrong type of software licence, but also in increased charges and penalties levied by software vendors for breach of licence terms.

Historically, software vendors have tended to take a more relaxed approach to software 'over-use', but this is changing. Faced with the prospect of declining numbers of new sales as some organisations slash IT budgets, some vendors are adopting an increasingly aggressive stance to licence tracking and enforcement as a means of extracting further value from existing customers.

This update examines this trend in more detail and offers some best-practice tips for building an effective software licence compliance programme and safeguarding against vendor enforcement action.

The aggressive enforcer: a vendor's position

Typically, a software licence will include the right for a vendor to audit the customer in order to verify compliance with the terms of that licence. Any over-use of the relevant software would usually trigger the right for the vendor to invoice for any additional licence fees that may be due (a software audit 'true up').

Over-use in this context may not mean merely exceeding the number of licences purchased; it can also cover indirect unauthorised access to licensed software. For example, under SAP's licensing terms, indirect access will occur when an employee of a licensee, who is not a licensed user, accesses SAP software through a third-party interface. In practice, this might occur in the course of an employee entering data into a SAP system using a non-SAP application.

For a large company, true-up costs can amount to millions of pounds annually in unbudgeted expenses for unpaid licence and support fees. Even for smaller companies, the ramifications can be severe, as the recent fine of £18,000 imposed on First Choice Facilities for unlicensed software use highlights. In this case, the fine itself was the tip of the iceberg, as First Choice had to pay a further £81,000 to purchase additional software licences to cover its use of Adobe, Autodesk, Microsoft and Symantec products. According to First Choice, this did not result from any deliberate action on its part, but instead arose unwittingly following corporate merger activity. In a climate where software vendors are increasingly vigilant as to compliance, and aggressive in the enforcement action that they take, a significant number of companies are finding themselves in a similar situation to that of First Choice, with accidental piracy costing millions in unbudgeted costs.

Although the vendor-initiated audit is not a new phenomenon, it is being wielded with increasing frequency. In March 2011 technology analysts Gartner reported that "61% of [its] survey recipients have been audited by at least one software vendor in the past year – the highest percentage of any comparable survey and up from 54% in 2009".(1) More recent Gartner analysis(2) shows that many software audits lead to lengthy and confrontational discussions with vendors due to complexity and misunderstanding around product use rights and licence metrics.

Why are vendor-initiated audits on the rise? One possibility is that the increase derives in part from falling revenues for software vendors that have as a result become more creative in generating alternative income streams. While many might view this as opportunism, the vendors see it as a necessary and legitimate approach to safeguarding their products and shareholder value. In an economic climate where most companies are seeking to maximise efficiency, it is perhaps unsurprising that software vendors are also looking to reassess their income streams and are clamping down on breaches that they may have previously viewed as too minor to be worth pursuing.

The accidental pirate: a customer's position

While most customers do not deliberately set out to infringe licence terms, inadvertent software piracy is not uncommon and arises for a number of reasons:

  • All customers will be familiar with the need to strike a balance when identifying the number of user licences required, a task made more difficult by the typical use by vendors of 'bundles' when selling licences and the need for flexibility (but not extra capacity) within the business. This, coupled with changes within the customer organisation (eg, employee turnover, hardware and software deterioration and upgrades, acquisitions and disposals), means that ensuring that the correct number of licences are in place at any time can be a headache.
  • Software programs can be baffling to all but the most technically minded, and the resulting licensing arrangements (especially around pricing) can be similarly confusing. Software licences tend to be lengthy and comprised of numerous documents (not all of which are in the same place and some of which are subject to change at the vendor's discretion), and vendors are often reluctant to accept amendments to standard terms, making compliance management difficult. On top of this, new technologies and means of delivery – such as virtualisation and the move to the 'cloud' – add further complexity, with some customers failing to get to grips with the new opportunities and associated risks that this presents from a software licensing point of view.
  • Customers often fall foul of licence terms as a result of insufficient due diligence on software licensing agreements on an acquisition. For example, many licence agreements are limited to specific customer group companies and are not transferable, which can lead to an incorrectly licensed environment following an acquisition.

It is perhaps not surprising then that even the largest and most sophisticated companies find it hard to manage the problem. A recent survey by Flexera Software and research group IDC found that 85% of respondents highlighted some level of non-compliance with the terms of their software licence agreements.

Without adequate controls, customers leave themselves open to a number of risks, including the possibility of increased charges and penalties being imposed by the software vendor. And it is not just the unbudgeted licence true-up costs that are an issue. The amount of time required to prepare for and participate in a software audit can be extensive and disruptive to the customer's business. Equally, finding yourself on the receiving end of a potential claim for breach of a licence for a business-critical third-party application could mean that your leverage in any commercial negotiations that follow is severely weakened.

Managing the problem

Traditionally, customers have adopted a purely reactive approach to audit notifications from vendors. The advantage to customers of this approach was that it led to an understanding between the customer and vendor that was specific to that customer, allowing the customer to take steps towards compliance within the framework defined specifically for it by the vendor. While this remains the most common approach, the disadvantages are clear:

  • Any shortfalls in licences will be immediately billed and may also attract penalties.
  • While internal failings will be highlighted, it will be difficult for the business to deal with these until negotiations with the vendor have concluded.
  • Since the shortfall will be an identified liability, it is unlikely that the business will be able to negotiate favourable rates in respect of the fines or increased charges incurred, or for future licence renewals.

A far better solution is to implement a software asset management (SAM) programme that provides for full control over contract management and software licence entitlement and deployment, thereby avoiding the problem, rather than seeking to fix it after it has occurred. Although this may require time and effort (and hence cost) upfront, it may serve to prevent greater costs and business disruption further down the line. It should also mean that customers will be better equipped to deal with licensing issues as they arise and, in turn, negotiate licence fees at more favourable rates.

The use of SAM programmes is widely supported and a number of international organisations, such as the Information Technology Infrastructure and the International Organisation for Standardisation, publish best-practice guidelines for their use. Vendors also recognise the benefits; in a recent statement the British Software Alliance noted:

"There is a remarkable difference of approach, control and maturity with organisations who have implemented Software Asset Management than those who wait for the audit to happen and unsuccessfully try to negotiate themselves out of an embarrassing situation."

In addition to reducing instances of non-compliance, adopting a SAM programme means that customers can properly safeguard software assets throughout their lifecycle and plan for improvement at an ascertainable cost to the business.

Building a successful compliance programme

As far as software compliance is concerned, prevention is better than cure, and implementing an effective SAM programme is a worthwhile investment. For those customers doing it for the first time, as well as for those looking to update or revamp their existing compliance regime, some tips for doing so are as follows:

  • Review existing licensing arrangements in order to understand fully your current commitments.
  • Before entering into any new software licensing arrangements, take the time to carry out thorough due diligence on the proposed arrangements and raise any concerns with the vendors directly.
  • Be proactive and, if necessary, push back on vendor-imposed standard terms. Software providers may be more accepting of negotiated terms than commonly thought, especially if you can demonstrate that you are carrying out your own internal processes to manage software use.
  • Designate a team that has responsibility for managing compliance, including software audits from vendors. That team should comprise representatives from the business, the technology team, the finance team, a contract manager, a software asset manager, an IT security specialist and a legal adviser.
  • For a smaller company, specialist software audit experts can be appointed to run an audit on its behalf.
  • Consider what processes and tools are necessary to maintain licence compliance proactively, including routine internal audits on software use and deployment. Upfront investment in software optimisation technology is more than justified by the financial risks arising from software audits and non-compliance.
  • In the event of any significant change to your business, such as an acquisition, carry out full due diligence of the licensing information for all software installed on the IT network of the target company and consider whether your existing software licence arrangements provide for the extension of user rights to your new corporate structure.

For further information on this topic please contact Andrew Sutherland or Hannah Lowe at RPC by telephone (+44 20 3060 6000) or fax (+44 20 3060 7000).

Endnotes

(1) J Disbrow, A Bona, F DeSalvo, F O'Brien, J Rosenberger, "Survey Analysis – Survey Shows Another Increase in Software Vendor Audits; IT Managers Should Prepare Now" (March 2 2011).

(2) J B Disbrow, A Bona, "The Software Vendors That are Auditing Now and What to Do about It" (January 27 2012).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.