Defusing A Software Audit: What To Do When You're Accused Of Copyright Infringement3:51 PM EST Fri. Oct. 19, 2012
When it comes to corporate software piracy, watchdog groups like the Business Software Alliance (BSA) and Software & Information Industry Association (SIIA) work on behalf of major software vendors like Microsoft, Adobe, Symantec and others to make sure businesses aren't engaging in copyright infringement. The BSA and SIIA rely on tips from anonymous sources, usually current or former employees, and then investigate businesses by asking them to submit to a software audit. What should businesses do when they receive a software audit request from the BSA/SIIA? The International Association of IT Asset Managers (IAITAM) offers some advice for dealing with a difficult situation.
For a closer look at software piracy in the channel, see a preview of our exclusive report, "Software Piracy: Are You A Trusted Adviser Or An Accomplice To A Crime?" The full article is available exclusively in the CRN Tech News app.
"Primarily, you should NOT panic," IAITAM wrote in its 2003 document "How To Defuse a Software Audit." The group also advises against a full and complete admission of guilt. Instead, IAITAM recommends that businesses carefully prepare their case so they can negotiate with the BSA or SIIA. That involves immediately forwarding any software audit or non-compliance notices to both corporate legal counsel and any IT managers. Usually these notices accuse the business of engaging in copyright infringement, list the specific software vendors/programs the business is accused of abusing and offer the business a choice of going to court to fight the allegation or submitting to a software audit.
IAITAM recommends convening an "Executive Task Force" to handle all matters related to the software audit. The task force should include top C-level executives, legal counsel and IT staff in charge of managing software assets. The purpose of the task force isn't to assign blame but rather to gather resources and organize an appropriate response to the software audit.
Once the Executive Task Force is in place, it should begin to form action teams, composed of either a single person or a small group, to collect information for the Executive Task Force. For example, a documentation management team would be charged with locating all software-related documents such as license agreements and receipts, while a configuration management team analyzes all computing systems and devices and audits what software is on those machines.
If the action teams find unlicensed software in the IT environment, IAITAM says, don't try to hide it.
"Do not, under any circumstances, delete software or modify system configurations when you are under a formal audit notice," IAITAM wrote. "In many cases, this type of action can be considered spoliation of evidence and could easily escalate the action being taken against you." In other words, instead of paying a small settlement fee, the auditors can sue you for copyright infringement, which could be significantly more costly. Plus, the criminal penalty for copyright infringement is up to five years in jail and a $250,000 fine.
Once the action teams have collected the data (the exact number of licenses, programs, systems, etc.) the Executive Task Force should review all the reports, as well as the licensing terms and conditions for all software products (some vendors license agreements may be different from others). Then the task force must compare the total findings against the allegations of the audit agency. The more detailed and complete the reports are, IAITAM says, the better your defense will be.
IAITAM recommends that once the Executive Task Force has completed its fact-finding and information gathering, legal counsel should contact the audit organization and attempt to clarify the precise accusations against the company. If a business is accused of pirating Microsoft software, for example, ask which specific programs and editions the audit agency claims have been pirated. IAITAM strongly suggests that only legal counsel have any contact with the auditing agency, too. If a business can demonstrate that some of the accusations are baseless -- e.g., being accused of pirating a software product that your business would have no reason to use -- then IAITAM says the auditing agency will often drop the case.
If you've discovered a shortfall in your software licenses, IAITAM says, then you'll need to prepare a reconciliation document detailing the exact number of programs lacking proper licenses so that legal counsel can negotiate a settlement. But, IAITAM warns that the audit agencies may try to intimidate you into a higher settlement fee by threatening legal action. Don't be intimidated, the group says. Be cooperative but firm; if you're unsure of what your rights are, consult with outside counsel knowledgeable of copyright law. Contact your authorized reseller if you have questions about your purchases, or lean on third-party organizations like IAITAM for further advice.