Defending SIIA Audits

2007 was an exciting and dynamic year for the software asset management industry.
As we enter a new year, the software industry will continue to evolve. Here are my predictions for what will happen in 2008.

1. BSA expands its “no-fine” self-audit program

I will remember 2007 as the year that the BSA increased its reward program for “anti-piracy” leads to up to $1,000,000. With approximately fifty-five million dollars in global revenue showing on its most recent tax return, BSA will continue to be the most important software police organization in the world. Recently, BSA has created a new audit flavor, it’s a self-audit with a twist. Targets are asked to conduct an audit, provide invoices for software purchased as a result of the audit and the BSA agrees to close its file. I call this the “no-fine” self-audit because once the audit is conducted and materials produced to BSA, the file is in fact closed without protracted settlement negotiations over fines and other terms. I predict that the “no-fine” audit will be used with greater frequency 2008.

2. Microsoft Expands SAM Engagement Program

Microsoft’s SAM initiatives have replaced what used to be contractual audits. Under this program, Microsoft hires a consultant to assist the customer in conducting and audit that is the results of which are reported to Microsoft. As many clients continue to struggle to manage compliance with Microsoft licensing, Microsoft will continue to invest time and resources in various SAM initiatives. Although, I have been a critic of the certain aspects of Microsoft’s SAM Engagement, I think publishers like Microsoft that help customers deal with SAM challenges will be most successful in the long run. I think the number of variety of global SAM engagements will increase dramatically in 2008.

3. Adobe to Focus Attention on Fonts

In the recent weeks, we have started to see BSA audit letters specifically requesting audit information regarding installed fonts. Depending on the nature of your business, you may be receiving files that contain proprietary fonts licensed by your company vendors, clients, and partners when they send you documents. Frequently, these fonts wind up remaining on your computers systems creating a potential compliance issue. Adobe has an extensive portfolio of fonts that are used in its industry leading design products. I think that in 2008 the focus on font licensing compliance will continue.

4. Industry Consolidation Accelerates
As we continue to experience the economic ripple effects of the sub-prime meltdown, I think there will be an increased credit squeeze in 2008. As smaller publishers find it harder to borrow funds to fuel growth, continued industry consolidation should occur in 2008. These same economic factors may lead to increased acquisition and divestiture work for software asset managers in all industries.

5. Autodesk Stays Aggressive

In addition to participating in audits conducting by the SIIA and BSA Autodesk maintains its own “anti-piracy” program implemented exclusively by Donahue Gallagher & Woods law firm. While other publishers search for kinder and gentler enforcement strategies, I predict that Autodesk will continue to be aggressive in its approach to enforcement working through the pre-eminent anti-piracy attorneys to implement its heavy-handed strategy.

6. End-Users Benefit from Soft Economy

If the economy weakens and revenue pressure on software publishers increases, end-users will enjoy greater negotiating and bargaining power. The smartest companies will negotiate aggressively with the software industry to secure favorable pricing and licensing terms custom tailored to their business needs. In my experience, senior management at software publishers are more likely to make licensing and pricing concessions when there is a new transaction and considerable cash on the table. A soft economy will force publishers to make concessions to end-users in 2008.

7. Resellers Expand Asset Management Services

To stay competitive, software resellers have had to offer value added tools and services to assist their customers with managing the hardware and software assets they sell. The smartest resellers are learning that the more asset management tools and services they can provide the greater wallet share they will enjoy for hardware, software, and services. Dell’s purchase of ASAP Software and Insight’s purchase of Software Spectrum have started a trend that will continue in 2008.

8. Third-Party Commercial Access Licenses Go Mainstream

In 2007 Microsoft greatly expanded its reseller network for its Service Provider License Agreement Program. This program provides commercial access licenses to Microsoft technology. Traditional client access licenses (CAL) are for internal use and access only. If you provide direct or indirect access to third parties including your customers, vendors, and business partners you should consider whether you need SPLA licensing. In 2008, third party access licensing will become increasingly important under Microsoft SPLA as well as other major publishers licenses.

Recently, the Coalition Against Counterfeiting and Piracy (CACP), a group consisting of heavy-hitting IP stakeholders, such as the Recording Industry Association of America, the Business Software Alliance (BSA), the Software and Information Industry Association (SIIA), and the U.S. Chamber of Commerce, announced its intent to push for rapid improvements in what it perceives to be universally lax enforcement of U.S. laws protecting IP rights. At a news conference on Thursday, June 14, the CACP, through its Chairman, NBC Universal general counsel Rick Cotton, announced that under this "aggressive, comprehensive" effort, the CACP would seek to increase resources for governmental investigation and enforcement of criminal IP laws, to "reform civil and judicial process" (whatever that means), and to educate consumers.

Generally speaking, few would quarrel with the notion that intellectual property is a valuable and important property interest, fully deserving of strong protection. However, in announcing this new, altruistically-titled "Campaign to Protect America," Mr. Cotton verbally expressed a degree of fanaticism that is, in practice, characteristic of many industry organizations that cite to the public interest to justify their sometimes indiscriminate targeting of alleged IP infringers. Mr. Cotton said:

Our law enforcement resources are seriously misaligned...If you add up all the various kinds of property crimes in this country, everything from theft, to fraud, to burglary, bank-robbing, all of it, it costs the country $16 billion a year. But intellectual property crime runs to hundreds of billions a year.

At least Mr. Cotton was kind enough to limit his generalization to "property crimes."

Statements like these should make clear to any business targeted and accused of "piracy" by organizations such as the BSA or the SIIA that the IP "defenders" are more likely to be interested in making examples of their targets, rather than reaching a solution that truly accounts for all the facts (not the least of which is the usually confusing and even deceptive way that software publishers in particular undertake to license and market their content). If your business has been accused of "pirating" software, it is immensely important that you know whom you are dealing with before you divulge any information or sign any agreement.

A copy of the CACP’s press release can be found here.

The targets of SIIA audits frequently believe that they know who reported them to the Software & Information Industry Association. Justifiably angry, they want to know what legal recourse they have against the informant. Because the informants are frequently out of work, having been fired by the target, I advise my clients about the number one rule governing litigation: never sue poor people. Legally speaking, the most probable cause of action against an informant in a SIIA audit would be based upon a breach of an employment agreement containing a confidentiality provision. We have frequently assisted clients in drafting letters to former employees presumed to be the informant, forcefully reminding them of their confidentiality obligations, but have come short of advising clients to file suit against a presumed informant.

Scott & Scott, LLP is not affiliated in any way with the SIIA

If your company has received a letter from the SIIA requesting a software audit, you are probably wondering whether you should cooperate or tell the SIIA to pound sand. I advise my clients to cooperate but to do so in a manner that will not jeopardize their legal position in the event that cooperation does not result in an acceptable out-of-court settlement. This advice is predicated on the fact that business clients almost universally seek a resolution that has the lowest total costs and the most predictability. In SIIA audits, these costs are software licensing fees, fines payable to the SIIA, attorney’s fees, organizational impact, and the potential damage to brand associated with negative publicity. In my experience, a properly handled SIIA audit can always be resolved for a lower total cost through cooperation than through litigation.

Most importantly, cooperation does not preclude litigation in the future if the SIIA is unreasonable in its approach to settlement. In other words, you can always go to court if the out-of-court, lower total cost approach is not satisfactory. However, we have seen audit targets and other lawyers make several mistakes that actually detriment their legal position during negotiations with the SIIA. The two critical success factors to properly handling a SIIA audit or making sure that the information gathered during the process, which would not otherwise be discoverable in a court proceeding, is protected by attorney work-product and attorney client privileges. In addition, no information should be provided to the SIIA unless and until the SIIA agrees that the information is governed by Federal Rule of Evidence 408 and therefore will not be admissible in court if an out-of-court resolution is not reached with the SIIA. The only time I have deviated from this advice has been where the audited entity was not a viable going concern and the principal(s) were judgment proof. If you have been contacted by the SIIA, you should contact an experienced attorney to assist you with strategy.

Scott & Scott, LLP is not affiliated in any way with the SIIA

One of the first things I ask a prospective client is: What is the date on the initial letter you received from the SIIA? The date on the initial in a SIIA letter is often referred to as the Audit Effective Date. This date is important for many reasons. I like to tell my clients that a SIIA audit measures a snap-shot in time – what SIIA member software was installed on the company’s computers as of the Audit Effective Date. Once you have an accurate inventory of what was installed on the Audit Effective Date the next step is to determine what proofs of purchase are available to establish purchases prior to the Audit Effective Date.

When a SIIA audit matter is settled, the target is required to certify that the audit results provided during the course of negotiations are true and correct as of the Audit Effective Date. For this reason uninstalling software that was installed on the effective date, or purchasing software products after the effective date have no impact on the SIIA’s calculation of fines in SIIA audits. It is critical to obtain an accurate inventory of the software installed on the target company’s computers as quickly as possible following receipt of the initial letter from the SIIA. Failure to understand the importance of the Audit Effective Date, has caused companies to go on software buying sprees in response to a SIIA audit and to report results to the SIIA reflecting the software installed on a date after the Audit Effective Date. I believe that both of these strategies are mistakes that should be avoided.

Scott & Scott, LLP is not affiliated in any way with the SIIA

One of the top ten questions asked by my clients is “How long does the SIIA self-audit process take from start to finish?” Of course I give the standard lawyer answer: it depends. Here are the steps to a typical SIIA audit.

Preparation of Audit Materials (3 to 6 months)

A SIIA audit is a request, under threat of litigation, to compile a listing of all SIIA member software products installed on the audited entity’s computer network as of the Audit Effective Date. The Audit Effective Date is the date on the SIIA initial letter requesting an audit. The first step in preparing this information is conducting an automated inventory of the software products installed on all computers owned or leased by the target company. Once an accurate inventory of the SIIA member software products is completed, the next step is to reconcile the software inventory information with proofs of purchase dated prior to the audit effective date. While there are various ways to prove ownership of a software license, typically an invoice is considered the best evidence of ownership in a SIIA audit. In the typical case, the inventory and reconciliation process takes three to six months.

Secure a Confidentiality and Federal Rule of Evidence 408 Agreement (1 week)

With very limited exceptions, we advise the targets of SIIA audits to cooperate with the self-audit process but to do so in a way that does not compromise their position in the event that an out of court settlement is not possible. We do not disclose any information to the SIIA until it signs an agreement regarding the confidentiality of the information disclosed and specifically limiting the SIIA’s ability to introduce the information as evidence in court. In the typical case, the SIIA will sign our standard agreement within one week.

SIIA Analyzes Self-Audit Materials and Makes a Settlement Demand (3 to 6 months)

After the self-audit materials are submitted by the target of a SIIA audit, the Software & Information Industry Association typically takes three to six months to respond. The SIIA’s response provides its interpretation of the self-audit materials and applies a formula for its initial settlement proposal. The SIIA’s formula for calculating fines is generally three times the unbundled full retail price of the software products installed on the target’s computers plus $3,500 for SIIA’s attorney’s fees. In many instances, the SIIA’s settlement proposal is substantially more than the target may have expected due to differences of opinion regarding what constitutes valid proof of ownership. In our experience, the SIIA usually takes three to six months to make substantive response following the submission of the self-audit materials.

Negotiation of Monetary and Non-Monetary Terms of Settlement (6 to 24 months)

After the SIIA makes its initial settlement demand, there are various monetary and non-monetary terms that need to be negotiated. The obvious material term in every SIIA audit negotiation is the amount of any monetary amount to be paid to the SIIA for alleged past infringement. The most significant non-monetary issue is whether the SIIA will agree to a confidentiality provision. Such provisions require the SIIA to keep the existence and details of the audit confidential and preclude the SIIA from issuing a press release. Other non-monetary provisions include future obligations such as certifications of compliance, adoption of a software code of ethics, and production of additional proofs of purchase to the SIIA for purchases made after the audit effective date. The length of the negotiation process differs from case to case but generally lasts between six months and two years.

Scott & Scott, LLP is not affiliated in any way with the SIIA

Proof of License in SIIA Audits

Like all audits, success in a SIIA software audit depends less on what you own and more on what you can prove that you own. Although not required by law, the SIIA takes the position that a target company is out of compliance for each installation of SIIA member software products for which the target company cannot produce a dated proof of purchase. Many clients are dismayed to discover what does and does not constitute valid proof of purchase according to the SIIA.

Not Considered Valid Proof

1. Copies of Checks to Software Vendors
2. Dated Purchase Orders
3. Undated Software Licenses
4. Credit Card Statements Evidencing Software Purchases
5. Certificates of Authenticity
6. Media, Manuals, or Key-Codes
7. Invoices Bearing and Entity Name Other than the Entity Named in the SIIA’s Initial Letter

Valid Proof of Purchase

1. Dated Invoices in the Name of the Audited Entity
2. Soft Records (online account statements) from Recognized Resellers
3. Signed and Dated License Agreements
4. Soft Records from SIIA Member’s such as Microsoft Licensing Statements
5. Cash Register Receipts for Retail Sales where Product, Version, Quantity and Price Paid are Included.

Understanding how the SIIA analyzes audit materials is critically important to achieving the most favorable outcome. In our experience, it is the most time consuming and difficult part of the process for clients to handle on their own.

Scott & Scott, LLP is not affiliated in any way with the SIIA

One of the most controversial tactics the SIIA uses when calculating its settlement demands is its practice of unbundling software suites such as Microsoft Office and Adobe Creative Suite. Unbundling occurs when the target of a SIIA audit is unable to provide acceptable proof of purchase for one or more installation of a software suite.

The effect of unbundling is to dramatically and artificially inflate the monetary component of a SIIA settlement because the SIIA calculates its fine based upon the MSRP of each component part of the software. In a SIIA audit involving Microsoft Office for example, the SIIA unbundles the suite by separating Microsoft Outlook, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Access and then calculates its proposed fine on the basis of the MSRP of each component. This practice results in a proposed fine per installation of approximately $2,000 for a product with a market price ranging from $150 to $350, depending on the version.

In my opinion, the SIIA’s practice of undbundling is completely contrary to law because the software suites of SIIA member publishers are compilations under the copyright law and therefore constitute a single work for purposes of calculating statutory damages for infringement. The U.S. Copyright Act 17 U.S.C. § 101(c) defines a compilation as follows:

A "compilation" is a work formed by the collection and assembling of preexisting materials or of data that are selected, coordinated, or arranged in such a way that the resulting work as a whole constitutes an original work of authorship. The term "compilation" includes collective works.”

The statutory damages provision of the U.S. Copyright Act 17 U.S.C. § 504(c) provides in pertinent part that:

For the purposes of this subsection, all the parts of a compilation or derivative work constitute one work.

Federal court’s have also interpreted these provisions to preclude recovery of statutory damages for the component parts of a compilation. For example, in XOOM v. Imageline, the Court of Appeals for the Fourth Circuit only made one statutory damage award for each compilation of electronic clip art, even though each compilation included thousands of works because “[a]lthough parts of a compilation or derivative work may be ‘regarded as independent works for other purposes[,]’ for purposes of statutory damages, they constitute one work.” XOOM v. Imageline at 285, citing H.R. Rep. No. 94-1476, at 162 (1976).

Similarly, in WB Music Corp. v. RTV Communications Group, 445 F.3d 538 (2d Cir. 2006) the Court of Appeals for the Second Circuit interpreted 17 U.S.C. § 504(c) and discussed the distinction between compilations authorized by the copyright holder that constitute “one work” for statutory damages purposes and collections of separate works compiled by the defendant and never authorized by the copyright holder. Because the software suites implicated in SIIA audits involve separately copyrighted works included in a compilation authorized by the copyright owners, section 504(c) applies and prohibits the award of statutory damages for the component parts of the suite.

Scott & Scott, LLP is not affiliated in any way with the SIIA

What is software piracy? Like many politically charged phrases, the definition of software piracy is influenced by your financial interests and your viewpoint. The Software & Information Industry Association recognizes several types of piracy, including, softlifting (installing a single licensed copy of software on several machines), unrestricted client access, hard-disk loading, OEM piracy, commercial use of non-commercial software, counterfeiting, CR-R piracy, internet piracy, manufacturing plant sale of overruns, and renting.

The Software & Information Industry Association specifically includes unintentional business overuse in its definition of software piracy as follows:

“Softlifting occurs when a person purchases a single licensed copy of a software program and loads it on several machines, in violation of the terms of the license agreement.”

Armed with this definition of software piracy, the Software & Information Industry Association pursues global “anti-piracy” campaigns that include the targeting of many small to medium sized companies. The Software & Information Industry Association accuses these companies of engaging in software piracy and threatens them with litigation unless they voluntarily undergo a self audit. In my experience, the vast majority of the companies targeted by the Software & Information Industry Association are not pirates under anyone’s definition, they have merely failed to maintain financial records related to software purchases that no one, including the software companies, ever told them they were required to keep. In addition, the targets of Software & Information Industry Association audits are not pirates because they never intended to violate software licenses or copyright laws.

Scott & Scott’s Definition of Software Piracy

“Software Piracy is the distribution of counterfeit software and/or use or distribution of authentic software constituting the intentional violation of intellectual property laws.”

Our definition of software piracy differs from that used by the Software & Information Industry Association in that our definition adds emphasis to counterfeiting and expressly excludes the unintentional over deployment of software by end users. Piracy implies theft which under the law requires intent. Any definition of software piracy that includes unintentional over deployment should be rejected. The definition used by the software industry and the Software & Information Industry Association improperly characterizes software owners as thieves because they have been, at most, negligent in the management of their software assets and documents.

Scott & Scott, LLP is not affiliated in any way with the SIIA

One of the most common mistakes I encounter in SIIA audits is what I call the post-effective date software buying spree. The buying spree occurs in response to a letter from the SIIA’s attorneys requesting a self audit. Many clients are discouraged to learn that software purchases made after the date of the SIIA’s initial letter have no impact in a SIIA audit matter. For this reason, I advise my clients against scrambling to acquire software in response to a SIIA audit.

The first thing a target of SIIA audit needs to do is preserve the evidence of SIIA member software products installed on the company’s computers as of the audit effective date. Second, the software installed needs to be reconciled against proof of purchase information to determine whether there is gap between licenses owned and software installed. Third, a decision needs to be made regarding whether to purchase or uninstall any unlicensed software. The SIIA audits only those products installed as of the audit effective date, and accepts only proofs of purchase dated on or before that date.

I advise my clients that regardless of what was installed on the audit effective date, they only need to purchase software licenses for products that they need to use going forward. Although it will not resolve past liability, companies may choose to uninstall unlicensed SIIA member products at the conclusion of the audit matter, rather than purchase unnecessary software simply because it was installed on the effective date. At the conclusion of a SIIA matter, the target must certify that it has come into compliance through the combination of buying and\or uninstalling.

Scott & Scott, LLP is not affiliated in any way with the SIIA