TECHNOLOGY
Software and Liability
How companies can minimize unauthorized disclosures by technology teams and third parties.
By Keli Johnson Swan
Disputes involving software usage are on the rise for businesses of
all sizes. In some cases, technical teams respond to a software
publisher’s or a third party’s audit request and provide significant
amounts of data without notifying anyone on the corporate governance or
the legal teams. It is critical for those teams to evaluate the
publisher’s legal ability to audit and to identify the data the
publisher is entitled to request.
It is not uncommon for a legal team to discover the existence of a
software audit or license verification after the company has received a
demand for damages arising from alleged over-usage of software. Often,
employees responding to an audit request do not understand the inquiry
and provide inaccurate or incomplete information. Once this information
is disclosed, it can expose the business to damages claims arising from
any license deficiencies. If the information is inaccurate, it is an
uphill battle to rectify and reach a resolution.
Here are a few key tips to minimize unauthorized disclosures and avoid
potential liability.
1. Institute communications protocols for third-party inquiries.
Depending on the size of the company, there may be varying resources
available to respond to an audit request. Whether a company has a single
person in charge of the information technology assets, outsources to a
managed services provider or other third-party vendor, or dedicates an
entire department to managing software deployments and licenses, it is
helpful to institute protocols, outlined in an employee handbook (or
vendor agreement), that prevent individuals from disclosing information
without seeking management’s approval.
Some types of audits appear to be non-threatening “license
verifications” or requests for software asset management reviews, which
sometimes create a false sense of security for individuals who might
otherwise seek management approval prior to sharing information. Even
these seemingly innocent requests should be treated with caution.
It is helpful to have an established protocol that employees can
reference when they receive a request for information related to
software assets. The teams should be required to notify the legal and
governance representatives as part of the protocol. It is also important
to ensure in any agreements with third-party IT vendors that they will
not release any information without company approval, even if the third
party manages all software on the company’s network.
2. Educate business and procurement teams.
Larger companies may dedicate entire departments to the business side
of software negotiations, including management and procurement. Inside
or outside counsel should always supervise these negotiations.
Sometimes, in the course of this process, teams may disclose information
regarding the company’s software installations that the publisher later
tries to use as leverage in future negotiations. For instance, if the
procurement team describes a current use case that is outside the scope
of the license grant, the publisher may claim that it is entitled to
payment for the past improper usage.
It is crucial to train departments on the specific types of
information that may be disclosed and to ensure that the information
provided is properly vetted for accuracy and legal implications.
3. Routinely conduct in-house self audits.
A company should assign a specific individual
or team to conduct routine self audits and internally track entitlements
to ensure license compliance. The benefits of this process are twofold:
(1) if the company receives an inquiry regarding its software licenses,
it can quickly and accurately collect the necessary information, and (2)
the information can be verified by the IT staff and management prior to
disclosing it to a third party.
The first step upon receiving a software-related inquiry is to identify what type of information is being requested and whether a response is mandatory. In some of these situations, a company has no obligation to respond. In others, a failure to provide a timely response may escalate the matter to potential litigation. All inquiries should be brought to the attention of both management and the legal department to determine how to proceed. TBJ
This article, which originally appeared on Scott & Scott’s blog,
has been edited and is reprinted with permission.
KELI JOHNSON SWAN represents clients involved with intellectual property and technology-related matters, focusing primarily on copyright infringement. She advises clients in various industries to mitigate risk associated with litigation, software licensing disputes, license agreements, and copyright infringement.