ACC HOUSTON CHAPTER
SOFTWARE AUDIT PRESENTATION

Sean Johnson
Nexen Petroleum U.S.A.
sean.johnson@nexenusa.net

Peter Quittmeyer
Sutherland Asbill & Brennan LLP
peter.quittmeyer@sutherland.com

Robert Pile
Sutherland Asbill & Brennan LLP
robert.pile@sutherland.com

I. INTRODUCTION

Software licensing has grown very complex because of technology-specific license rules, e.g., processor, core, server, node, and authorized user.

The pace of change in individual licensing practices and pricing is rapid. According to one survey, 42% of software licensors reported that they have changed their pricing and licensing strategy in just the last 18-24 months. This can easily lead to confusion or misunderstanding. According to an Ernst & Young report, 70% of software licensees believe this complexity is a cause of non-compliance.

Software owners are employing the software audit as a significant revenue opportunity. Software audits can be very expensive, so take them seriously. Ernst & Young reported that 63% of software licensors regard revenue generation as an objective of their software audits.

Software audits are legal, not purely technical or IT matters, because the outcome is determined by the language of the license agreement. The contract language contained in a license agreement frequently is subject to different interpretations and positions.

Often the commercial terms (i.e., what has actually been licensed such as seats, concurrent users, etc., and pricing) are spread out in multiple documents (e.g., purchase orders, usage guides, technical support policies, and policy announcements) that are separate from the legal terms and conditions and are sometimes posted on a website instead of being attached to contract documents. As a result, corporate counsel and IT managers often lack the full picture and must depend on the licensor's sales representative for answers.

Get the legal department involved early and keep the legal department in the middle of any communications with the licensor, working closely with the IT and procurement departments. Even if additional software is licensed under an existing agreement, it is a good idea to have the legal department review the transaction for basic things, like making sure the same terms apply as before, price protection is carried forward, and prior licenses are not superseded.

II. WHAT IS A SOFTWARE AUDIT?

It is a verification by a software licensor that the installation and use of software is in compliance with license agreements.

Ordinarily, the primary purpose of the audit is either to collect money or obtain leverage for negotiation. The software audit can be collaborative, or highly adverse, or something in between.

According to Ernst & Young, the average time required to support a software audit is about 200 hours, but the figure is closer to 500 hours in some cases.

In the absence of litigation, a software licensor does not have a right to conduct an audit. Almost all software license agreements now contain audit terms.

There is generally a playbook that a licensor follows for its audit program. There is a corresponding playbook available to the licensee.

Practice Note: Try to limit the licensor's right to audit to no more than once every 12 months and never allow the vendor access to your system (i.e., have your IT people run the audit). If you request, the licensor is usually happy to walk the licensee's people through the process, but the licensee should consider insisting on adjustments to the audit process if they are necessary for the licensee to stay informed and preserve balance.

III. JARGON

Practice Note: It is important to know the jargon because some licensors insist on using it and will glide past important distinctions and assumptions by subjecting you to jargon. For today's presentation, we will try not to use the jargon too much, but someday it may make a difference to understand it.

The parties are the licensor and the licensee. Sometimes the licensor engages an auditor to help gather and analyze information.

License rights are called entitlements. The license documents or purchase records are called entitlement records.

Practice Note: The licensor will sometimes initiate an audit without first confirming which contracts are in place. A first order of business for the licensee should be to make sure the parties both have the same contracts. For older software, it sometimes happens that the licensor cannot locate the original contracts and therefore attempts to resort to current policy.

The terms of the entitlements are based on license rules or metrics. Examples of license metrics include restrictions based on:

- Number of copies or installations
- Site or territory
- Equipment (class or model)
- Processor type or quantity (including virtual processor restrictions)
- User (type or quantity)
- Use (e.g., internal use only; prohibitions on third-party access, use or hosting)
- Entity (e.g., single entity vs. enterprise, change of control restrictions)

A software licensee's usage of software in relation to these license metrics is called deployment.

Any difference between a software licensee's entitlements and deployment is called a gap.

Practice Note: While it is not of interest to a licensor, the licensee should use the audit to determine how much software is being licensed or supported under maintenance, but is not used.

Additional fees that a software licensee must pay to close a gap are called true-up penalties.

Software licensors expect software licensees to employ some type of software asset management policy in order to maintain entitlement records and monitor compliance. Such a policy can be informal or formal. The simplest policy is manual. According to Flexera, 42% of software licensees indicate that they do self-audits at least once per year. Some software licensors have electronic registration and monitoring systems (called tools) to perform this function.
But approximately half of the software licensors do not have technology in place to know which product version or platform their customers are using.

IV. WHY HAVE AUDITS BECOME SO COMMON AND SO EXPENSIVE?

First and foremost, software verification and true-up is a multi-billion dollar per year business for software companies, large and small.

According to a Flexera report, 64% of software licensees report they have been audited in the last 18-24 months.

According to one report, 11% of current software spending by U.S. software licensees is for true-up penalties. It is interesting that the same software licensees report that 11% or more of their current software spending goes to software that is not used ("shelfware").

Some large licensors have a history of strictly enforcing change of control restrictions and third-party hosting restrictions, leading to six- and seven-figure settlements.

According to Ernst & Young, almost 40% of organizations have had audits in the last year that resulted in true-up penalties. According to Flexera, 24% of software licensees reported that their total true-up costs exceeded $1 million in the past year, and 5% said theirs was over $5 million.

About five years ago, the larger multi-line software companies, like IBM, Oracle, SAP, and others, initiated system-wide audit programs with well-planned playbooks, dedicated resources, and financial objectives. Among software licensees that reported they had been audited, the audits involved Microsoft 51% of the time, Oracle 27% of the time, IBM 24% of the time, SAP 22% of the time, and Adobe 19% of the time.

There have been dramatic improvements in equipment and architecture in the last 20 years, but the license rules for associated software have not always kept up, leading to unexpected and expensive gaps. Examples include virtualization and cloud platforms.

V. SEVERAL FACTORS HAVE CONTRIBUTED TO THE DRAMATIC GROWTH IN SOFTWARE AUDITS

First, the technology associated with how software is used has transformed and grown more complicated. Examples: use of networking, virtualization, co-location or hosting, and offshoring.
This has led to very complicated license metrics, which are often imprecise, fluid, reinterpreted from year to year, and insufficient to cover new technologies. For example, the reference to "CPU," which was very normal in the 1990s, now can mean at least three different things: a single computer system that contains multiple physical processors, a single processor, or a single virtual processor operating in a virtualized environment. In other words, the language of the license contract can be out-of-step with the technology being used.

Another example is the internal use only restriction and prohibitions on third-party processing, use for service bureau purposes, and the like. With the growth of wireless technologies, smart devices and wireless computing across multiple networks, and the rapid adoption of co-location and cloud services, it may be hard to argue that any software is accessed/used only internally these days.

Second, the courts have adopted rules of enforcement and interpretation that heap a lot of responsibility on the licensee. Some cases hold that the licensee is responsible for showing entitlement to support its deployment, and create a presumption of infringement if the entitlement cannot be shown and explained.

Another example of pro-owner legal principles is the recent blurring by the courts of the meaning of access and use in a way that potentially causes older license agreements to be narrower than originally intended. In the case of The Compliance Source, Inc. v. Greenpoint Mortgage Funding, Inc., 624 F.3d 252 (5th Cir. 2010), the court held that a third party's access and use of document production software was unlicensed, even if the access and use was for the sole benefit of the licensee.

Third, licensors overwhelmingly believe that their software is more valuable to a licensee than what a licensee pays.
At the same time, licensors believe that 23% of their customers do not manage their software compliance at all, and they believe another 49% of their customers do so only manually.

VI. PET PEEVES FROM A LICENSEE'S PERSPECTIVE

The license terms and restrictions have become so jargon-y that it takes an IT expert and a seasoned licensing attorney to understand them. A major cause of noncompliance is misunderstanding of license terms by IT managers.

It is difficult or impossible to negotiate changes to many of the legal terms and licensing rules with some large and powerful software licensors, unless the deal is big enough to affect quarterly or annual revenue.

Many of the licensors distribute contracts and drafts in PDF, so it takes effort even to get a Word document that can be revised. It is also rare for the licensors to provide redlines showing their changes. If you want either of these, you have to ask upfront.

The lead salesmen for some of the big licensors are trained to contact whomever they want in the licensee's organization to get information or make a sale, which can bypass procurement, IT management, and the legal office. If you don't want them to do that, you have to tell them upfront.

The conditions and discounts relating to support fees (sometimes called software maintenance) have grown very complicated. For example, IBM and Oracle have all or none rules. IBM discounts (for licenses and support) depend on the licensee's total annual dollar charges. For larger licensees, the determination of support fees is an annual negotiation. The timing of maintenance fees in a pilot or implementation can create an extra hidden cost for the project. Support policies are almost always in a separate document and are almost always subject to change upon notice.

Liability limitations have always been a big deal to licensors because software is so often critical to a business, and problems can have huge consequences. But the limitations are still negotiable to some degree. Also negotiable are the exceptions to the liability limitations such as for IP infringement, or a breach of privacy or confidentiality.

Many licensors are converting some or all of their contracts to website terms and conditions. These are often voluminous and so hard to review quickly. It is too common for the website terms and conditions to contain gotchas, like terms permitting unilateral amendment by the licensor, effective upon posting.

VII. CASE STUDIES

Case Study #1: The software audit of the large software company.

Licensor's "playbook":

- Audit request
- Collection of information, sometimes by auditor
- Sometimes the licensor approaches the audit as a compliance true-up, but there are other approaches. A lot of licensors will first request oral or written verification of software utilization, often communicating directly with the licensee's IT users, then follow that verification exercise with a complete audit. Another soft approach comes when the licensor says "let us take a look at your system, see what you are running, and see if we can save you some money."
- Bypass attorneys wherever possible; the licensor uses compliance managers instead and has trained the auditor to follow licensor policy
- Get licensee to sign off on deployment before revealing the gap or the cost of true-up penalties
- Gap report
- Invoice at full list price, with back maintenance for maximum number of years

Licensee's response:

- Always demonstrate good faith
- Confidentiality
- Communications
- Verification of entitlement records
- If questions about particular situations, investigate the history of procurement
- Challenge the gotchas
- Negotiate the pricing based on all relevant circumstances
- Possible leverage points:
  - Dependency on vendor for maintenance, other services, or new software
  - License keys or time bombs
  - Impact on other transactions or IT plans
  - Licensor's desire to continue or expand business with the licensee

Case Study #2: The troll.

Hard to define; even large software licensors can act like trolls with regard to a product line that is being sunset or a policy change that is important enough to risk customer goodwill.

With a troll, the parties' communications and analysis will ordinarily be more litigation style. Basically, you cannot trust that the outcome will be reasonable and businesslike, because the troll is opportunistic.

Examples:

- Open source licensor's attempt to obtain royalties from dual distribution channel
- Post-acquisition strategy for milking a legacy software product or sunsetting a retired or superseded program
- Situations where new technology and new uses create a big gap between old contract terminology and new use
- Downloaded software containing personal use, home use, or trial use restrictions

Case Study #3: The change of control (i.e., acquisition, merger, divestiture)

General legal principles:

- A license is not assignable unless assignment is specifically permitted.
- A merger may or may not be construed to be an assignment. There is a split of authority on the subject.
- Typical license restrictions (like "internal use only") have been construed to prevent certain types of sharing and collaboration, including outsourcing, hosting, and transition services.

Opportunity for the licensor to extract an additional change of control fee if consent is required. Also an opportunity for the licensor to evaluate license compliance for the pre-acquisition operation of the business and how it will operate post-closing.

An agreement by a seller to provide transition services that include use of licensed software by the acquirer may establish a license violation or expansion of use that justifies an additional license fee.

VIII. CONCLUSION: KEY TAKEAWAYS

- Software licensing has grown very complex because of technology-specific license rules.
- New directions in technology, like virtualization and use of the clouds, lead to uncertainty and create gaps.
- Software audits are common and expensive, so take them seriously.
- Successful defense of a software audit requires a team effort involving the IT group and legal.

Sean Johnson
Senior Counsel Corporate, Technology Control Officer
Nexen Petroleum U.S.A. Inc.
832.714.5040
sean.johnson@nexenusa.net

Sean Johnson is Senior Counsel Corporate and Technology Control Officer for Nexen Petroleum U.S.A. Inc. ("Nexen"), the Gulf of Mexico exploration and production arm of CNOOC Limited. In his role as Senior Counsel he supports several aspects of Nexen's business including IT, Human Resources, Insurance, Operations, Supply Chain, HS&E, Integrity and Compliance. In his role as Technology Control Officer he is responsible for Nexen's day-to-day compliance with US export control laws. Prior to Nexen, Sean was in-house counsel for Spectra Energy Corp for seven years. Before Spectra he practiced in the Houston office of Baker Hostetler LLP. Sean is currently President Elect of the Houston Chapter of the ACC and Chair of the Law Department Best Practices practice group. Sean was one of 25 lawyers, and one of only two in-house lawyers, under 40 named by the Texas Lawyer as a 2013 Legal Leader on the Rise and was a finalist in the Houston Business Journal's 2012 Best Corporate Counsel Awards. He received B.B.A.s in Marketing and Management from Texas A&M University and his J.D. from South Texas College of Law.

Peter C. Quittmeyer
Partner
Sutherland Asbill & Brennan LLP
404.853.8186
peter.quittmeyer@sutherland.com

Mr. Quittmeyer, a member of Sutherland's Corporate Practice Group, is one of the pioneers in the field of software licensing and computer law. He is nationally recognized for his work with technology transactions, including outsourcing and service transactions, domestic and international licensing and distribution, asset transfers and software disputes. His practice includes both transactions and client counseling. He focuses on procurement, supply chain and e-commerce, including manufacturing, supply, distribution, web marketing and compliance. He is the principal author of one of the leading treatises in the field of computers, software and information technology.

Mr. Quittmeyer handles mergers and acquisitions, ranging from small to multibillion dollar transactions, and venture capital transactions on both the issuer and investor side primarily involving technology-based and biotech businesses. He has, for several decades, been a leading authority on Georgia's no-compete and trade secret laws. Mr. Quittmeyer also serves as an expert witness regarding trade practices in the software industry in court and arbitration cases.

Peter has served as adjunct professor for the Computer Law Seminar at Emory University Law School (spring 1996, 1998, 2000), as lecturer for the Licensing Seminar at Emory University Law School (spring 1997), as lecturer in Intellectual Property for the Erasmus University Executive MBA Program at Georgia State University (June 1996), and contributor to the Entrepreneurship Seminar of the MBA Program of Georgia Institute of Technology (fall 1999). Mr. Quittmeyer received his B.A. from University of Virginia and his J.D. at University of Virginia School of Law.

Robert J. Pile
Partner
Sutherland Asbill & Brennan LLP
404.853.8487
robert.pile@sutherland.com

Mr. Pile, a member of Sutherland's Corporate Practice Group, focuses on business transactions with an emphasis on joint ventures, acquisitions, strategic relationships, and technology services. Bob has particular experience with clients in the payment card industry, notably in connection with the development and acquisition of new products and technologies, and the negotiation of licensing and services arrangements among financial services providers, financial institutions, and payment networks. Bob is a former Chairman of the Georgia Bar's Business Law Section and Legal Counsel to the Atlanta Bar Association. Bob received his B.A. from Stetson University and his J.D., with honors, from the University of Florida College of Law.