So what really happens if your company gets audited? I interviewed the guys in charge of compliance auditing at the Business Software Alliance and the Software and Information Industry Association to find out.
Windows IT Pro Magazine Interview with Bob Kruger, vice president of enforcement at the Business Software Alliance (BSA)
Friday, January 21st 2005
Adam Carheden of Windows IT Pro Magazine Interviewed Bob Kruger, vice president of enforcement at the Business Software Alliance (BSA).
Windows IT Pro: What are IT pros’ responsibilities in terms of software licensing?
Kruger: IT pros should always read the license agreement. There are commonalities among license agreements but you can’t go by a “see one license agreement, see them all” strategy. Companies are even competitive in terms of their license agreements, so ideally you should read them even before you purchase software, as one might be more attractive than the other.
Windows IT Pro: Criminal penalties can be up to $250,000 and 5 years in jail. Are these penalties common, and should the average IT pro worry about serving jail time?
Kruger: While that’s an accurate definition of the criminal penalties, the legal action taken would usually be civil, not criminal, if the nature of the infraction is installing the software on more computers than there are licenses to support. Criminal penalties usually come into play when a company or individual is distributing someone else’s software for profit. For civil penalties, it is typically the company that is liable, rather than individuals, although senior corporate officials might find themselves sued in their personal capacity, depending on the extent of their involvement.
Windows IT Pro: So what are the civil penalties for software piracy?
Kruger: Copyright owners can pursue several different approaches to seek damages. One is to seek actual damages, which are tied to the value of the software. Another would be to seek profits made by use of the software. For example, if an engineering firm is using unlicensed CAD software, it may be possible to argue that some or all of the profits of that firm are attributable to the underlying infringing activity. The third option is simply seeking statutory damages, which can be up to $150,000 per software title. In that situation, the copyright holders don't have to prove that they lost money, just that the infringement occurred. BSA typically uses statutory damages as a measure of how much companies that have unlicensed copies of software on their computers should pay.
Windows IT Pro: What happens if an employee gets unauthorized access to installation media and installs the software on their home computers? Do BSA audits ever extend outside the workplace and would the company or the individuals be liable?
Kruger: Generally we focus on the activities in the workplace. We don’t typically bring enforcement actions against individuals for what takes place in their home, with some exceptions. We hope that by educating employees in the workplace about their responsibilities, they will take those lessons with them when they go home. As a practical matter, it would be very difficult do enforcement in the home environment. We look to take action where it will have the greatest impact.
Windows IT Pro: What does a typical BSA audit involve?
Kruger: It all begins with a report to BSA. No investigation begins unless we receive reliable information from a person or persons who have firsthand knowledge of the company’s operations. Most reports come through our hotline or online reporting form. Once we’ve substantiated the claims, the most common action is contacting the company through our outside legal counsel. BSA usually asks for an audit, but we generally let the company do its own audit and provide us with the end results rather than performing the audit ourselves. We compare the results with information that we already have, and if the data seem complete and accurate, we proceed to discuss remedies.
Windows IT Pro: When BSA gets a claim of software piracy, how does it substantiate the claim before contacting a company about an audit?
Kruger: We make every effort to satisfy ourselves that the information is reliable. There are a number of things we can do, some of which we are open about and some of which we’re not. One thing we’ll do in almost every instance is contact all of our member companies, whether their products are involved or not, and ask them to provide us with whatever information they have on the company that was reported. If someone alleged that a company had 40 unlicensed copies of a specific software title, yet the vendor reported the company has purchased many more licenses than were reported, we may know that there was something wrong with the information we received and not pursue an audit.
Windows IT Pro: If a company’s audit results reveal that they were using more copies of software than they have licenses for, do the penalties typically come close to the $150,000 per software title allowed as statutory damages?
Kruger: No; of course, if we tried to collect that much, companies wouldn’t have an incentive to cooperate. The typical BSA settlement involves a few parts. First, a company must delete any unlicensed software and/or purchase licenses (from the marketplace, not from BSA) for all the software they continue to use. Second, they need to implement policies and procedures to ensure that the problem doesn’t reoccur. Third, companies have to pay BSA an amount of money in settlement in exchange for release from liability. This is typically only a percentage of what we could ask for in court. We take into account the value of the software, the extent of the overuse, and how cooperative the company was with the audit.
Windows IT Pro: BSA uses the money it collects to fund its antipiracy efforts. Is that the primary source of your funding?
Kruger: BSA members pay dues, but a significant portion of our funding does come from settlements. BSA members aren’t in the business of antipiracy, though; they’re in the business of software development. The only reason we seek a settlement at all is to create an incentive for other companies to voluntarily comply with licensing agreements.
Windows IT Pro: When a settlement includes adopting policies to stay in compliance, does this usually include using a software inventory management product?
Kruger: Policies include commonsense principles like education and budgeting, but sometimes things get overlooked, so you still need a way to check yourself to see if the policies work the way you want them to. That’s where tools come into play. BSA doesn’t require that a company use a specific product, nor do we endorse any one product over another. Each company may have different requirements, so they must evaluate products based on their needs. BSA’s Web \[www.bsa.org\] site does list vendors who provide services and products in this area.
Windows IT Pro: What is acceptable documentation of how many software installations a company has?
Kruger: Typically, companies provide spreadsheets that list their installations. We understand that in some environments it’s difficult for a company to do an audit computer by computer, user by user, or product by product, but the more granular the audit results the easier it is for us to accept and get the legal matter resolved quickly.
Windows IT Pro: What documentation does a company have to have to prove that it owns licenses for the software it's using?
Kruger: We try to work with the documentation available because we realize that in some cases companies don’t always have the paperwork that they should. Ideally, companies will retain for every software product that they use some type of dated documentation, such as an invoice. Dated documentation establishes not only that the company acquired the software legally, but when the company purchased the licenses. If the company doesn't have something dated, we may be unable to determine if the acquisition was made before or after we contacted the company, which may be relevant to our investigation.
Windows IT Pro: If a company isn’t cooperative with a request for an audit, does the BSA ever take legal or other action?
Kruger: There have been a number of incidents over the years where we have taken the information directly to a district court judge and applied for a court order that allowed us to go to the company unannounced and in the presence of federal marshals to conduct a surprise audit of its computers. We don’t do that too often, and we basically do it to ensure that the evidence of installations isn’t destroyed. That is our most extreme remedy, and even during a surprise audit, we try very hard not to be intrusive or interfere with the company’s business. We typically give the company a chance to communicate to its employees as its sees fit. Some companies have represented to their employees that it is a company audit rather than a BSA audit, and we’ve always gone along with that.
Windows IT Pro: What type of evidence does it take for BSA to get a warrant?
Kruger: Generally speaking, we would need to provide the court with a sworn affidavit from someone who has firsthand knowledge of the company’s actions and is willing to be publicly identified. That narrows the scope of that type of action because, while many people are willing to identify themselves to BSA, not many are willing to be identified publicly.
Windows IT Pro: When BSA performs an audit, does it look for all software or just software titles published by its members?
Kruger: BSA is only granted power of attorney for its members, so we don’t have the right to look for software titles for other companies. However, we do feel that we serve the entire software industry because, typically, companies that get religion about software licensing apply it to all the software they use.
Windows IT Pro: Is there anything else IT pros should know regarding software licensing?
Kruger: Yes. I want people to be aware of our hotline—888-NOPIRACY—and our Web site—www.bsa.org, which can be used not only to report piracy but for information requests as well. If someone calls with a question, we don’t view that as a potential enforcement activity but as a compliance opportunity. We have people available to answer questions from 9:30 A.M. to 6:30 P.M. Eastern time, and we respect callers' anonymity.
Windows IT Pro Magazine
Interview with Keith Kupferschmid, vice president of Intellectual Property Policy & Enforcement at the Software & Information Association (SIIA)
Monday, January 31st 2005
Adam Carheden of Windows IT Pro Magazine Interviewed Keith Kupferschmid, vice president of Intellectual Property Policy & Enforcement at the Software & Information Association (SIIA), and Adam Ayer, President of License Logic, exclusive US provider of the SIIA Certified Software Manager (CSM) course.
Windows IT Pro: What gives the SIIA the authority to perform audits?
Kupferschmid: Our members \[software publishers\] grant us blanket power of attorney to conduct software audits on their behalf. When we receive a report of software piracy that we believe to be valid, we also request specific authority to pursue investigation and settlement for the organization that is the target of the our audit. We provide our members with the information in the report and let them conduct their own investigation by checking their records. In most cases, the companies we represent give us authority to pursue the case. If one of our members objects, we might question the validity of the report and not pursue the case.
Windows IT Pro: How does the SIIA target companies for audits?
Kupferschmid: We operate a hotline and an online form, and we also receive reports through email. We get about 120 reports per month, but we only pursue about 30 or so. We only pursue an organization if we have reliable information that the organization is pirating software. Oftentimes more than one source reports a company for piracy. We also check with our members, and we hire third-party companies to conduct investigations before starting an audit.
Windows IT Pro: Who typically contacts the SIIA with reports of piracy?
Kupferschmid: Employees and former employees often report piracy to us. We also receive reports from our members. You would be surprised (I was when I started) that the primary reasons people report piracy to us isn’t that they’re trying to get even with someone but because they want to do the right thing. Mostly IT pros report to us, but sometimes it’s someone like a chief financial officer (CFO), a sales person, or a lawyer. We have a reward program that offers up to $50,000 to people who report piracy to us. You would think that if you’re offering a reward, most people would want to be eligible for it. Surprisingly, most people do not want to be eligible. They say they’re reporting to do the right thing, and they don’t want the reward. People only want to participate in the reward program in 10 percent to 20 percent of our cases.
Windows IT Pro: How does the SIIA audit process work?
Kupferschmid: After we complete an initial investigation and believe a target organization is pirating software, we send the cases to our outside counsel and have them send a letter to the target company. The letter talks about copyright law, lets companies know that we want to work cooperatively with them, and asks them to work with us to do a software audit. We don’t do the audit ourselves unless they want us to, and most companies don’t. We provide companies with free software to perform the audit that reports what software and how much of it is on that company’s computers.
Windows IT Pro: What audit software do you ask companies to use?
Kupferschmid: The tools we use are listed on our Web site \[www.siia.org\]. We send companies that we audit a list of URLs they can access to download a free copy of the software of their choice, most of which isn't free to the general public. After a company has selected a tool, they send us the audit results, along with proof of their licenses, and we compare the two to determine the shortfall.
Windows IT Pro: Do companies have to use one of the software titles the SIIA provides?
Kupferschmid: Companies aren’t required to use one of the products we provide. If they have their own software, they can use that as long as we’re confident that the results are accurate and that they’ve audited all the machines we’ve asked them to.
Windows IT Pro: When you validate the audit results a company provides, how do you know they have audited all their computers?
Kupferschmid: A lot of times the person who reports the piracy let us know how many computers the company has. We can also get the information from different financial reports. We have a good idea of how many computers they have or how many employees they have and in what offices the piracy is taking place in. A lot of times the sources are current employees of the company, so they let us know how legitimate the audit is. If the CFO or the president decides the company won’t work with the SIIA, the employee reporting the piracy usually contacts us, and we move in immediately.
Windows IT Pro: In that case, would you get a warrant?
Kupferschmid: We wouldn’t necessarily come in with a warrant, but we would threaten to sue immediately. We don’t like to do that, but we will to prevent a company from destroying evidence, which is a separate crime.
Windows IT Pro: What counts as an acceptable proof of licenses?
Kupferschmid: The actual license paper that comes with the software is perfect, of course. If a company purchases software from an SIIA-certified software reseller and they give us permission, we can go to the reseller and get a history of what the company bought. Invoices are also acceptable. We’re not going to be sticklers as long as we feel it’s legitimate. Some companies will give us invoices that are well below the MSRP, which usually means the company bought pirated software. When the invoice is well below the market value of the software and the buyers doesn't get registration numbers or manuals, those are good indications that they're buying pirated software, and any business’s IT or purchasing agent ought to know better. If they don’t, they should take our Certified Software Manager (CSM) course.
Windows IT Pro: Who takes the CSM course?
Ayer: There are about 3000 CSMs worldwide. Typically, people from IT departments take the CSM course, but we’ve also been seeing people from human resources and legal departments taking the course. Some companies even request a CSM designation in job requisitions.
Windows IT Pro: What are the components of an SIIA settlement?
Kupferschmid: We require that at least one person from the company complete the CSM course. We also make them adopt policies and procedures to prevent future piracy, and we ask them to complete a follow-up audit in one year. We ask them to delete unlicensed copies and purchase licenses to legitimate copies of software as well. The fee we ask for is three times the MSRP for each unlicensed copy in use. If we went to court, we could potentially get $150,000 for each pirated software title as statutory damages. They might also have to pay their attorney's fees as well as our attorney's fees. That’s a huge difference from what we ask companies to pay. Because we also give companies free audit software and work with their timelines, we get a high rate of compliance with our audits.
Windows IT Pro: Does the SIIA ever pursue criminal enforcement?
Kupferschmid: In the 5 years that I’ve been with the SIIA, we’ve never pursued a corporation or organization for criminal penalties. We do go after Internet pirates—people who resell software illegally—a lot. Last year we forwarded about 200 such cases to the Federal Bureau of Investigation (FBI).
Windows IT Pro: How does the SIIA differ from the Business Software Alliance (BSA)?
Kupferschmid: We represent about 700 companies, so we have more members than the BSA. In addition to software companies, we also represent content companies and a lot of smaller companies. Our audit process is generally the same, but the BSA often publicizes its results. We typically don’t do that.