Software and Liability
How companies can minimize unauthorized disclosures by technology teams and third parties.
By Keli Johnson Swan
Disputes involving software usage are on the rise for businesses of
all sizes. In some cases, technical teams respond to a software
publisher’s or a third party’s audit request and provide significant
amounts of data without notifying anyone on the corporate governance or
the legal teams. It is critical for those teams to evaluate the
publisher’s legal ability to audit and to identify the data the
publisher is entitled to request.
It is not uncommon for a legal team to discover the existence of a software audit or license verification after the company has received a demand for damages arising from alleged over-usage of software. Often, employees responding to an audit request do not understand the inquiry and provide inaccurate or incomplete information. Once this information is disclosed, it can expose the business to damages claims arising from any license deficiencies. If the information is inaccurate, it is an uphill battle to rectify and reach a resolution.
Here are a few key tips to minimize unauthorized disclosures and avoid potential liability.
communications protocols for third-party inquiries.
Depending on the size of the company, there may be varying resources available to respond to an audit request. Whether a company has a single person in charge of the information technology assets, outsources to a managed services provider or other third-party vendor, or dedicates an entire department to managing software deployments and licenses, it is helpful to institute protocols outlined in an employee handbook (or vendor agreement) that prevents individuals from disclosing information without seeking management’s approval.
Some types of audits appear to be non-threatening “license verifications” or requests for software asset management reviews, which sometimes creates a false sense of security for individuals who may otherwise seek management approval prior to sharing information. Even these seemingly innocent requests should be treated with caution.
It is helpful to have an established protocol that employees can reference when they receive a request for information related to software assets. The teams should be required to notify the legal and governance representatives as part of the protocol. It is also important to ensure in any agreements with third-party IT vendors that they will not release any information without company approval, even if the third party manages all software on the company’s network.
2. Educate business and procurement teams.
Larger companies may dedicate entire departments to the business side of software negotiations, including management and procurement. Inside or outside counsel should always supervise these negotiations. Sometimes, in the course of this process, teams may disclose information regarding the company’s software installations that the publisher later tries to use as leverage in future negotiations. For instance, if the procurement team describes a current use case that is outside the scope of the license grant, the publisher may claim that it is entitled to payment for the past improper usage.
It is crucial that departments are trained on the specific types of information that may be disclosed and to ensure that the information provided is properly vetted for accuracy and legal implications.
3. Routinely conduct in-house
A company should assign a specific individual or team to conduct routine self audits and internally track entitlements to ensure license compliance. The benefits of this process are twofold: (1) if the company receives an inquiry regarding its software licenses, it can quickly and accurately collect the necessary information, and (2) the information can be verified by the IT staff and management prior to disclosing it to a third party.
The first step in receiving a software-related inquiry is to identify what type of information is being requested and whether a response is mandatory. In some of these situations, a company has no obligation to respond. In others, a failure to provide a timely response may escalate the matter to potential litigation. All inquiries should be brought to the attention of both management and the legal department to determine how to proceed.TBJ
This article, which originally appeared on Scott & Scott’s blog, has been edited and is reprinted with permission.
KELI JOHNSON SWAN represents clients involved with intellectual property and technology-related matters, focusing primarily on copyright infringement. She advises clients in various industries to mitigate risk associated with litigation, software licensing disputes, license agreements, and copyright infringement.