Good Faith Software Pirates

I'm writing from (rainy & grey?!) San Diego preparing for Day 2 of a Software Asset Manager certification course run by IAITAM (International Association of IT Asset Managers). My Day 1 takeaway is that almost all companies are software pirates. The vast majority are "Good Faith Pirates". Unlike the Bad Faith Pirate who condones or looks the other way when software is used contrary to license agreements, the Good Faith Pirate believes (or hopes) they are in compliance, or that risks of non-compliance don't justify the investment in software asset management (never mind that SAM can drive big cost savings as well as reduce compliance risk).

Given how hard it can be to show compliance across a portfolio of hundreds or thousands of software titles, each with their own fine print, some IT executives are lulled into a false sense of security that the challenge is so daunting, they couldn't possibly be liable for not being ready on a moment's notice to show compliance for any or all titles. Relative to all the hair-on-fire projects, they can't cost-justify proactive software asset management. And without executive support, a SAM project is almost doomed to fail.

The Good Faith Pirate's "failure of imagination" is enabled by some common myths:

Myth #1: There's low risk of us getting caught up in a software compliance event.

Gartner says the risk of an audit for any given company is 40% in a two-year period, and getting more likely all the time. So if you follow the law of averages, within five years you're pretty much guaranteed to face an audit from a vendor or their agents: the BSA or SIIA in the US, FAST in the UK, or CAAST in Canada.

Myth #2: I can just uninstall the software if I get wind of an audit.

From the second you open an audit letter, you are legally obligated to cease and desist all changes to any software being questioned, lest you be guilty of tampering with evidence. An external audit that uncovers signs of removed software or a pattern of re-imaged systems can lead to greater fines or even criminal penalties for obstruction of justice. (Tip from IAITAM: prevent a fishing expedition into all your software by quickly asking the auditing entity to specify which software they feel you are out of compliance with. You are only obligated to provide them with data on software titles for which they have credible evidence you are in non-compliance.)

Myth #3: I can just true up if and when they catch me.

True-up costs are just the tip of an iceberg that can include:

  • Fines and penalties. Fines and penalties can vary based on what law is being applied. For Title 17 of Federal Copyright Law (invoked by the BSA or SIIA) civil penalties can include up to four times the retail cost for all unlicensed software, plus up to $150K in punitive damages. This is for companies that cooperate. Those that don't may be presumed to be Bad Faith Pirates and hit with up to $250K in criminal penalties and up to five years in prison.
  • Emergency self-audit costs. If you don't have automated systems in place, producing the right documentation with right level of reconciliation will be time-consuming. And given the time pressure (remember, you can't make any software changes from the time you receive the letter), you'll pay dearly for getting so much done so quickly. This alone can easily cost hundreds of thousands of dollars in internal and external labor.
  • Business disruption. As mentioned, you are legally obligated to cease and desist all changes to any software once you get the letter. Think that might disrupt your business operations?
  • Public reputation. Getting caught and fined could appear in a public financial report. SOX auditors can, and increasingly will, include software license compliance among the Section 404 controls they audit.

In addition, most companies underestimate true-up costs. First, you'll have to true up at a higher unit cost than your original agreement. Second, even if you really did purchase enough licenses, if you cannot produce documented proof of purchase reconciled with all that's discovered in your environment, you'll need to rebuy those licenses.

Myth #4: We're an $X billion company, these fines are small compared to our IT budget and are an acceptable risk and a cost of doing business.

Reading BSA and SIIA press releases, it would appear that only small companies get picked on, with fines of tens of thousands of dollars. Well, larger businesses do have an advantage: they have enough money to pay larger settlements to keep them out of the press. But they're paying, and they're paying big – fines and penalties scale up with the size and number of violations. And don't forget the emergency self-audit costs and disruption to business.

Myth #5: We have a large software budget and leverage with our software vendors. Their audit threat would be just a negotiating ploy (they'd audit me at their peril).

Software vendors created the BSA and their ilk as separate entities to chase after revenues that declined after Y2K. The thinking was that these independent auditing groups would insulate vendors from ill will among their customers. But they may have created a few monsters. Offering rewards of up to $200K for internal whistleblowers, they are getting a steady stream of tips on where to target their letters asking for proof of compliance. And they don't make it easy, or even clear, on what level of documentation will satisfy them. Their sole mission in life is to find and make examples out of companies, and those who lack software asset management programs are a soft target.

Myth #6: We negotiate enterprise agreements for all our major software, so we don't need to track compliance at a detailed level.

There are many restrictions on and cost implications for how your enterprise-licensed software is actually deployed and used, and if you're not aware of these and tracking them, you're at risk. Also, not all the software you buy is licensed this way. And what about the software you don't know "you" bought, or that no one did? Think your employees aren't downloading and installing applications (or .mp3s) from the Internet? Think again. If you don't have a SAM program, how would you know?

Myth #7: Software audits are voluntary; I can just ignore the letter if I get one.

The BSA operates with the authority of their vendors' license agreements, which are protected by Title 17 of Federal Copyright Law, among other laws. If you decide not to cooperate, Federal Marshals can show up with an injunction and seize all your computers. Yes, this really happens!

Myth #8: We can beat it in court.

Almost no one goes to court over software license compliance. Even law firms who initially thought they'd fight a compliance audit decided to settle once they sized up their challenge. Why?

  • The cost of winning is huge: trials can drag on for years, making legal costs far higher than just settling from the outset, not to mention the time commitment, disruption to business, and credibility damage from the public exposure.
  • The chances of winning are slim because software license agreements put the burden of proof on the consumer, which makes proving compliance very difficult.
  • The cost of losing is even worse: fines and penalties are more severe, and there is a risk of criminal jail time for officers of the company.

So, we're all guilty until proven innocent, with no affordable day in court to prove our innocence. Software asset management pays many dividends beyond compliance, but at a minimum it can make you a much harder target with continuous, cost-effective proof of innocence.


Tuesday, February 27, 2007

audits and proper software licensing

Posted by Jeff Gordon at 2007-02-28 14:40
Dave: Thanks for clearly pointing out the issues involved in not managing your software licenses. In my experience, and as I was just explaining on my post at www.licensinghandbook.com, software licenses get dropped into a drawer, never seen again... until it's too late.

I hope more people hear your message!

:)

~Jeff

Unwitting software piracy and IAITAM certification

Posted by Cynthia Farren at 2007-05-21 03:17
Dave, you raised some good points.

One of the items we frequently see at clients when we perform SAM assessments is that there's a disconnect between what is being purchased and what is being installed (in general, "imaged"). I can't imagine managing a large organization without imaging capabilities and yet it is often the instrument by which companies unwittingly pirate software.

I'd also be interested in your perspective on the IAITAM certification course - I've been in the business of SAM since long before IAITAM and other certification organizations cropped up (and steer away from those that require I sit through their course before taking a test) so I'm a bit biased...would be interested in your perspective.

If anyone is looking for additional information on SAM, they might find my blog useful, http://software-license-management.blogspot.com/