Scott & Scott | Software Compliance Counsel

August 2011 Archives

August 2, 2011

Overview of Proposed Federal Data Privacy Legislation for 2011

Arguably as a result of the Obama administration’s call for federal data privacy and security legislation, a number of bills have been introduced this year in both the House and Senate to address consumer-data privacy issues. Introduced earlier this spring were the Do Not Track Online Act, discussed here previously, and the comprehensive Commercial Privacy Bill of Rights Act sponsored by political heavyweights Senators John Kerry and John McCain. A new crop of bills introduced this summer focuses on data-protection procedures and breach-notification requirements. Highlights from these entries, sponsored by Senators Leahy and Pryor and Representative Bono Mack, are outlined below.

Personal Data Privacy and Security Act – Sen. Leahy

  • Preempts state breach notification statutes
  • Criminalizes intentionally or willfully concealing a data breach
  • Breach notification to be made “without unreasonable delay”

Secure and Fortify Electronic Data Act (SAFE Data Act) – Rep. Bono Mack

  • Preempts state breach notification statutes
  • 48-hour breach-notification requirement, in some cases
  • Civil penalties available; capped at $5M

Data Security and Breach Notification Act – Sen. Pryor

  • Similar in form to the SAFE Data Act
  • 60 day breach notification requirement
  • Includes special rules for “Information Brokers”

Whether any of these will become law by the end of this year’s session is not clear. However, the 48-hour breach-notification requirement proposed by Rep. Bono Mack seems generally unworkable in practice (few organizations can scope a breach, let alone notify affected individuals, within two days of discovering it), which makes that requirement unlikely to survive into any enacted law. What is clear is that, with the recent, highly publicized and scrutinized data breaches at Lockheed Martin and Sony, greater-than-average political will exists in Congress to approve some form of federal data privacy and security legislation this year.

New Texas Healthcare Privacy Law

Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations, and to harsher penalties, than those imposed by the federal HIPAA regulations. Among other things, the new law, signed by Governor Rick Perry in June 2011, expands on the HIPAA definition of a “covered entity.”

Under the new law, “covered entities” are broadly defined to include any organization that handles electronic health records. This expanded definition has the potential to reach many organizations that are not currently “covered entities” under HIPAA, such as SaaS and cloud providers that market to health care organizations. In addition to complying with HIPAA requirements, covered entities must provide customized privacy training to employees within 60 days of hire. The time period for responding to a patient’s written request for a copy of his or her EHR is also reduced from 30 days under HIPAA to 15 days. The new law further includes an explicit ban on selling patient records for profit, and a breach-notification requirement similar to the one recently enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

In addition to the more stringent regulations, there are harsher civil penalties available under the new law. Depending on the degree of intent exhibited in committing a violation, penalties can range from $1,500 to $1.5M per year for disclosure of PHI. The monetary penalties are in addition to any penalties levied by the federal government under HIPAA/HITECH, and they can also include license revocations.

Although the law will not take effect until September 2012, I recommend taking time this year to revisit your organization’s status under the new law and to determine whether your current compliance policies and procedures are sufficient to address the new requirements, particularly if your organization was not a HIPAA covered entity before.

Consumer Groups Urge the Supreme Court to Reconsider the Vernor Case

A number of consumer groups – including the Electronic Frontier Foundation, the Consumer Federation of America, the American Library Association, the Association of Research Libraries, the Association of College and Research Libraries, U.S. Public Interest Research Group, and Public Knowledge – recently filed a “friend of the court” brief asking the Supreme Court to review the Ninth Circuit’s decision in Vernor v. Autodesk. Those groups are asking the Court to decide what they consider to be an important question: What is the impact of software licensing on the First-Sale Doctrine?

The Supreme Court will first decide whether to hear the case at all. The Ninth Circuit’s Vernor opinion held that the owner of a copyright may license copies of its work, rather than sell them, and in doing so retain ownership of those copies and control over their distribution. In reaching that result, the Ninth Circuit overturned a lower court ruling that the First-Sale Doctrine applied to the software at issue, and that a purchaser of the software was therefore entitled to transfer, distribute, or sell it. The First-Sale Doctrine allows the owner of a lawfully made copy of a copyrighted work to transfer or sell that copy; a license, by contrast, can restrict the transferability of the copyrighted product. The consumer groups are petitioning the Supreme Court to grant a hearing and determine whether the First-Sale Doctrine applies to software transactions, such that the purchaser owns the copy and may sell it, rather than merely holding a license to use the product.

The question presented is whether so-called “magic words” in an End User License Agreement (“EULA”) – terms characterizing the transaction as a license rather than a sale and restricting transfer – can defeat a consumer’s right to own and redistribute a copy of a copyrighted work. If the Supreme Court finds merit in the arguments set forth in the brief, it may grant the petition and take up the Vernor case. If it does so, it will set a date to hear oral arguments from each party before issuing a final ruling.

A new decision in the Vernor case may potentially have far-reaching implications for copyrighted works, especially software. If the Supreme Court determines that purchasers of software own a copy of the work, rather than just a license, consumers might be free to sell or transfer their copies of copyrighted works without regard to the restrictions in the EULA. The consumer groups who filed the brief argue that “after an individual copy has been sold, the first sale doctrine puts further dispositions of the copy beyond the reach of the copyright owner.”

If you are facing a copyright infringement claim from a software publisher, you should contact experienced counsel to assist you with evaluating your rights and the appropriate strategy for your defense.

SQL Server Licensing Perils: Free and Paid Components

Correct licensing for Microsoft SQL Server database software can be a complex undertaking, and in light of the prices charged for certain kinds of SQL Server licenses, it also is an undertaking where mistakes can be extremely costly.

SQL Server actually is a package of various software components with different functions in creating and managing a SQL database, so one of the more challenging aspects of analyzing SQL Server license obligations is determining how many licensable SQL Server instances are installed on company computers. Some of those components can be installed, effectively, on an unlimited number of network computers, provided that the core components are correctly licensed. Those “free” components include:

  • Business Intelligence Development Studio
  • Client Tools Backward Compatibility
  • Client Tools Connectivity
  • Client Tools SDK
  • Management Tools - Basic
  • Management Tools - Complete
  • SQL Client Connectivity SDK
  • Microsoft Sync Framework
  • SQL Server 2008 R2 Books Online

However, the core components of SQL Server – the Database Engine and the Reporting, Integration and Analysis Services – all require separate licensing. This means that if a company wants to separate the core SQL Server components across several different servers (for security or workload-distribution reasons, for example), then it must purchase the same number of SQL Server licenses that it would need to purchase if it were deploying all of the core components on each of those machines. Those licensing costs can add up very quickly (per-processor licenses for certain editions of SQL Server can cost between $25,000 and $50,000 per physical processor that is activated on the servers where the software is installed).

Complicating matters is the fact that some automated software-inventory products report the “free” SQL Server tools and the “paid” SQL Server components the same way, typically because both show up as “Microsoft SQL Server” entries in the installed-programs list. That can lead the users of those inventory products to believe that the number of SQL Server installations for which they need to purchase licenses is lower than it really is, resulting in a licensing gap and potential audit-related exposure.
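As an added example (not from the original post), the following PowerShell script gives a first-pass count of licensable SQL Server components across a set of Windows hosts by looking at Windows service names rather than at installed-program entries. The idea is that each Database Engine, Analysis Services, Reporting Services and Integration Services instance registers its own Windows service with a well-known name pattern, while the “free” client tools and Books Online install no service at all, so a service scan does not over-count them the way an installed-programs scan can. The service-name patterns are my assumptions, stated in the comments, and the host names SQL01 and RPT01 are placeholders.

```powershell
# Added example, not code from the original post.
# Assumed service-name patterns for the separately licensed SQL Server components:
#   Database Engine:      MSSQLSERVER (default instance) or MSSQL$<Name> (named instance)
#   Analysis Services:    MSSQLServerOLAPService (default) or MSOLAP$<Name>
#   Reporting Services:   ReportServer (default) or ReportServer$<Name>
#   Integration Services: MsDtsServer<version>
$licensable = @(
    @{ Component = 'Database Engine';      Pattern = '^MSSQL(SERVER$|\$)' },
    @{ Component = 'Analysis Services';    Pattern = '^(MSSQLServerOLAPService$|MSOLAP\$)' },
    @{ Component = 'Reporting Services';   Pattern = '^ReportServer(\$|$)' },
    @{ Component = 'Integration Services'; Pattern = '^MsDtsServer' }
)

# Services that ship with the engine but carry no separate license
# (Agent, Browser, VSS writer, full-text daemon launcher). Skipped explicitly so
# that the Database Engine pattern cannot accidentally pick up MSSQLFDLauncher.
$supporting = '^(SQLBrowser|SQLWriter|SQLSERVERAGENT|SQLAgent\$|MSSQLFDLauncher)'

function Get-SqlLicensableInstances {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        # Get-Service -ComputerName uses the remote service control manager;
        # the caller needs local administrator rights on each target host.
        $services = Get-Service -ComputerName $computer -ErrorAction Stop
        foreach ($svc in $services) {
            if ($svc.Name -match $supporting) { continue }
            foreach ($entry in $licensable) {
                if ($svc.Name -match $entry.Pattern) {
                    # One output row per licensable component instance per host.
                    New-Object PSObject -Property @{
                        Computer  = $computer
                        Component = $entry.Component
                        Service   = $svc.Name
                        Status    = $svc.Status
                    }
                }
            }
        }
    }
}

# Usage: group by Computer to see which hosts need any SQL Server license at all,
# and by Component to see whether the core components have been split across servers.
Get-SqlLicensableInstances -ComputerName 'SQL01', 'RPT01' |
    Sort-Object Computer, Component |
    Format-Table Computer, Component, Service, Status -AutoSize
```

Two limits of this check are worth keeping in mind. First, a service name reveals the component but not the edition, so a named instance such as MSSQL$SQLEXPRESS is reported as a Database Engine even though Express is free; confirm the edition on each flagged instance (for example with SELECT SERVERPROPERTY('Edition')) before counting it. Second, the script counts instances, not processors, so for per-processor licensing the physical processor count of each flagged host still has to be collected separately.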

Businesses with questions about licensing for SQL Server and other costly, mission-critical software owe it to themselves to discuss their requirements with knowledgeable licensing counsel before proceeding with license purchases that may be either inadequate, in terms of quantities acquired, or incorrect, in terms of product versions, editions and license types included in a purchase order.

Microsoft Server Licensing – Shared Resources for Internal and External Users

When it comes to Microsoft licensing, we are frequently asked how to license a situation in which a Microsoft server resource is to be accessed both by internal company employees and by external, non-employee affiliates. Our typical legalese answer to this perfectly reasonable question: “It depends.” The correct answer (read: the most cost-effective answer that is still compliant) requires an examination of the circumstances surrounding the required access (number of users, manner of access, specific server products implicated) and a grasp of the company’s current licensing relationship with Microsoft.

In most cases, the threshold question is this: “Are my affiliates paying me for access to the server resource?” If the answer is yes, then we generally suggest that our clients engage with Microsoft under a Service Provider License Agreement, or SPLA. Though designed for use by “hosting or application service providers,” the SPLA can be used by other organizations as well. Essentially, the non-hosting company forms an affiliate entity that licenses the software from Microsoft under a SPLA and then provides software services to both internal employees and external affiliates. It is a fairly straightforward process, but it does increase transaction costs somewhat. In the right situation, however, the benefits gained from licensing in this manner will outweigh the upfront costs.

On the other hand, if the answer to the “paying for access” question is “no,” then factors such as the number of users and the nature of the required access will determine the best course of action. One model is to purchase user CALs for each employee and affiliate user who will be accessing the resource. Another option is to purchase CALs for internal users, and an External Connector license for those outside the organization. In other cases, a processor license along with an external connector license becomes the more economical choice, from both licensing spend and licensing management perspectives.

The point is, there is no one “right way” to license for this usage environment. The model that is right for a given organization requires thoughtful examination of the facts. To make matters more complicated, it has been our experience that resellers, and many times Microsoft representatives themselves, do not completely understand the intricacies of these licensing schemes, and sometimes inadvertently give technically or financially bad advice because of it. However, our experience is that once you break through the first or second levels of licensing discussion and talk directly with Microsoft’s licensing experts, they are willing to work with you to find the optimal solution.

August 19, 2011

Microsoft Company Store Restricts Terms of Use, Leads to Licensing Confusion

Microsoft offers its employees an opportunity to buy discounted software if they agree to restrictive usage terms when purchasing from the Microsoft Company Store. In addition to the online Microsoft Company Store, employees may go to one of a few different physical locations, including one near the Microsoft campus visitor center. The Microsoft Company Store is separate and distinct from the online Microsoft Store, which is aimed at the general public.

The Microsoft End User License Agreement (“EULA”) outlines terms controlling the use of each of its products. Many of its products allow commercial use in a business setting. Although anyone can go to the Microsoft Company Store, only Microsoft employees are allowed to purchase discounted Microsoft software. These products sold to Microsoft employees are specifically restricted from use in a commercial setting, limiting usage to personal only.

Although it is unlikely that the general public could accidentally purchase software from the Company Store, some users are confused by the non-commercial restrictions for software purchased at the “Microsoft Store.” Additionally, Microsoft employees should be cognizant of potential licensing pitfalls if attempting to use any of the software in a commercial setting or if they buy software for their friends and relatives to use in a corporate setting. The terms of use on the products sold explicitly prevent commercial use.

Software licensing is a complex issue that may cause complications for consumers or businesses seeking to properly comply with licensing terms. If you are facing a copyright infringement claim from a software publisher, or simply seek information related to software compliance and licensing, you should contact experienced counsel to assist you with evaluating your rights.

Top Three IBM Software Licensing Challenges

In the past, I have covered some of the most problematic aspects of standard IBM software license agreements. However, IBM software licensing can be a recurring nightmare for procurement teams and IT administrators for reasons that extend beyond the four corners of those agreements. Three of the more “global” challenges associated with correct licensing of IBM software products include the following:

  1. You will be assimilated. Though IBM has a wide array of current software-product offerings, a large part of that catalog is the result of a substantial number of acquisitions of other companies (e.g., Tivoli, Lotus, Guardium, SPSS, ILOG, Cognos, Rational, Informix) that developed innovative software products. As a result, IBM’s software products often have very little in common with one another, either from an architectural or a business-model perspective. Licensing metrics and restrictions vary substantially across the product line, requiring software asset managers to become proficient in a stack of licensing rules that rival the Oxford English Dictionary for fine print.

  2. Good luck with discovery. The variability of IBM’s software-product architectures means that it can be extremely difficult to deploy a software asset discovery tool that is capable of identifying all IBM software installed on company computers. IBM’s License Metric Tool (ILMT) is, in theory at least, one product designed to facilitate the discovery process. However, ILMT can be challenging to deploy and configure correctly, especially in virtualized environments (where its use typically is mandatory if a business wants to take advantage of sub-capacity licensing). In addition, it is worth being at least a little suspicious of discovery tools that are developed and distributed by the same companies that naturally would like to maximize their customers’ software-licensing expenditures.

  3. Resource drain. Many of the products published by IBM are mission-critical software tools. A company’s entire customer-facing business operation may be constructed on top of WebSphere Application Server, and its repository of customer data may be stored in a DB2 database. Consequently, IBM software products often are very widely distributed throughout corporate IT environments, meaning that IT administrators often must choose between the lesser of two evils: either (a) license all servers to full processing capacity, which maximizes the likelihood of license compliance at the expense of higher licensing charges, or (b) devote IT manpower to configuring and monitoring processor usages, which maximizes the likelihood of licensing efficiency at the expense of human resource costs. Pick your poison.

For these and other reasons, it often is very nearly impossible to correctly and efficiently license IBM software without the assistance of knowledgeable counsel or other, independent licensing consultants. Without adopting a holistic approach to the challenge, the risk of exposure can be unacceptably large.

Microsoft Enterprise Agreement – Understanding Qualified Desktops and Users

Software licensing for medium to large companies is complicated. Not only are the software license agreements often hard to read and understand, but the terms frequently change with little notification to the user. Deploying software across an entire enterprise, therefore, can be exceedingly complex, and it requires both technical expertise and a thorough understanding of the practical application of the terms and conditions of the licenses. Many organizations, relying on their senior IT professional to make software purchasing recommendations, fail to submit the licensing agreements to legal review. For those that do submit the licenses to legal, the lawyers reading the agreements often will understand the typical contract language—the indemnities and limitations of liabilities of the world—but they often will not fully appreciate the practical effect of the license on implementation, deployment, and compliance. Over the coming weeks, I will use Microsoft’s volume licensing agreements as an example to highlight some of the legal and practical issues arising from enterprise-level software licensing agreements—issues that affect how companies deploy software, develop and test software solutions, report usage, design data centers, etc.

To ease some of the pain of licensing software for large organizations, Microsoft developed the Enterprise Agreement (“EA”). At its core, the Microsoft EA was created to standardize licensing across all of an organization’s PCs. It accomplishes this by forcing the company to purchase a pre-defined bundle of software titles, the “Desktop Platform,” for each desktop or user considered “qualified” under the agreement. These bundles include a Microsoft operating system, an Office Suite (Professional or Enterprise), and a Client Access License Suite (Core CAL or Enterprise CAL).

Under the standard EA, Qualified Desktops are all desktop computers owned by the company. Another option is to license not by desktop, but by user. Qualified Users are defined as any user that accesses any of the organization’s server software or online services. This means that every desktop (or user) within an organization must be licensed for one of the pre-defined bundles.

Unfortunately, organizations sometimes enter into these agreements without fully appreciating what this means for them. Many companies have different classes of users: some require the full Office suite to perform their job tasks, while others may need only intermittent access to e-mail or Word. The standard flavor of EA rolls out the same desktop platform to every qualified user or desktop, resulting in dramatically underutilized software deployments. With careful evaluation of internal needs and a carefully negotiated EA, organizations can avoid these over-deployments and more successfully take advantage of the discounts and licensing efficiencies the EA was originally designed to offer.

About August 2011

This page contains all entries posted to Business and Technology Law in August 2011. They are listed from oldest to newest.
