Software audits in times of economic uncertainty: What Government departments and agencies need to do
Australia | Publication | May 2021
The global economic uncertainty resulting from COVID-19 and its flow-on impacts has presented many issues and challenges for Government and the private sector in 2020 – particularly in terms of business continuity, contract performance, increased costs, reduced revenues and financial distress. These issues and challenges are continuing into 2021, with no signs of slowing down any time soon.
In this climate, businesses often look for alternate or “complementary” revenue streams in an attempt to maintain profitability until Government spending and business confidence stabilises. For software licensing companies, one legitimate alternate stream of revenue is found in compliance.
Compliance-related revenue relates to the (sometimes significant) additional payments that IT vendors can be entitled to claim if a customer is found not to have strictly complied with its software licensing obligations.
It is not unusual for large IT vendors to have separate business divisions responsible for sales and compliance. When sales revenue is down, for some IT vendors their compliance-related activities such as audits and true-ups can generate substantial alternative payment streams. And while key customer relationships are often critical for business sales, they become less important in the compliance space where the focus is on strict enforcement.
Why do you need to consider compliance?
If you license software from an IT vendor, it is critically important that you are aware of any restrictions that apply to its use.
A computer program is a "literary work" under the Copyright Act 1968 (Cth) (Copyright Act), and so the programmer is the owner of copyright in the program. Copyright protection also extends to published materials accompanying software such as user documentation, website content and software user interfaces.
Under the Copyright Act, the software owner has the exclusive right to:
- make copies of the software;
- publish or communicate the software to the public;
- make adaptations of the software;
- enter into a commercial rental arrangement in respect of the software; or
- license others to do any of the above.
The act of installing software on a device typically involves some kind of copying. Alternatively, if you use a software-as-a-service product, this may involve the right of communication, which under the Copyright Act means making available online or electronically transmitting.
Copyright owners seek to protect their exclusive ownership rights by putting in place licence agreements (often, in the form of an end user licence agreement, or EULA) that describe the extent to which licensees may use their software. To undertake these activities without a licence in place, or in a manner that is contrary to the rights granted, constitutes a breach of the rights of the copyright owner.
Over the past 10+ years software licensing models offered by IT vendors have become increasingly diverse. Licence types vary from the simpler user-based licences (e.g., named user) to the more complex enterprise, capacity, client device and resource value unit (RVU) licence models. The technical and commercial requirements that apply to each of these licence types are often complex and can be difficult to navigate. They regulate a broad range of matters such as the types of technology that must be used to deploy and manage software; the audit tools that must be used; the environment in which software can be deployed; the particular products that can be deployed in bundles; the use of associated technologies; and the physical characteristics and scope of key concepts such as enterprise, users, machines and devices.
To add to this complexity, IT vendors also frequently set out software licensing terms in multiple tiers of documents, most of which are only available via web libraries or through online tools, many of which change regularly. This can make the task of understanding your compliance obligations challenging.
When you factor all of this in with the current global environment and the dynamic way in which organisations are working, it becomes clear that software licence compliance requires significant effort to manage (especially in the case of large organisations), and the risks if you get it wrong can be substantial.
There are many examples of claims being brought by IT vendors against customers for the exercise of software licence rights beyond the scope of a licence that has been granted. This includes the recent case of Bitmanagement Software GMBH v United States (https://ecf.cofc.uscourts.gov/cgi-bin/show_public_doc?2016cv0840-132-0) in the U.S. Court of Federal Claims, in which the Court dismissed a USD $600,000,000 copyright infringement claim against the U.S. Navy for copying software more than 400,000 times despite being licensed for only 38 copies.
More recently, the Federal Court in Minnesota has heard claims from health system provider Fairview Healthcare Services (Fairview) against Quest Software, Inc. (Quest) (and its affiliate, One Identity LLC) arising out of an audit by Quest. Fairview argued that after it notified Quest that it was cancelling maintenance services as part of their licensing arrangement, Quest immediately issued an audit notice and made non-compliance findings (in the multi-millions) for exceeding the number of licences allowed, which Fairview disputed. Quest counterclaimed copyright breaches largely stemming from the over-deployment.
Perhaps most interesting, however, is that Quest (as part of a related transfer order) argued that the click-through agreements that came with new purchases, annual maintenance and support or product updates superseded and replaced previous perpetual licence agreements. It was to Quest’s advantage to do so, as with each passing year it made its licence agreements more favourable to Quest. However, Fairview sought to keep the benefits of what it bought and paid for as part of the earlier perpetual licence agreements. The judge ultimately found in favour of Fairview by reasoning that Quest could not apply later licence agreements to earlier perpetual licences simply by virtue of new purchases, annual maintenance and support or product updates.
What should Government departments and agencies do?
In the current environment, it is critical for Government departments and agencies to be aware of their software compliance obligations, vendors’ entitlements to audit, and how to respond to any non-compliance issues or threatened actions.
So what should Government departments and agencies do? The simple answer is to get your house in order, including by:
- Understanding the software licensing models that apply to your department or agency: Look very closely at the provisions in your software licence agreements that grant you the right to use an IT vendor’s software and ensure you are complying with your licensing obligations, including the licence metrics. For example, are you using the IT vendor approved virtualisation technologies, are you complying with any certification obligations, are you properly calculating resource value units for the software you are using, are you up to date with what products can be bundled, and do you know the scope of your “enterprise”?
We recommend that Government departments and agencies centralise their software licence compliance activities into a single unit / team and consider undertaking an audit themselves of all software licence agreements (including all addenda and variations) against the actual deployment of software in a department or agency to determine any exposures.
An internal audit (ideally prior to the start of the IT vendor’s audit) can be a helpful tool to determine a baseline for what to expect. This exercise, if performed correctly, can be useful in giving an indication of whether or not you are compliant. The findings and information collated during the internal audit can also be used to identify any discrepancies in an IT vendor’s audit. One of the biggest mistakes a customer can make is to sit back and accept the audit terms, process and results. It pays to be proactive.
In case any non-compliances are identified, it is prudent to seek to preserve legal professional privilege by engaging a law firm as part of any audit.
- Considering your audit exposures: IT vendors will often seek to include provisions in contracts which entitle them to access a customer’s IT systems to audit software use and confirm compliance. This is problematic for Government departments and agencies for a number of reasons including in respect of access to sites, system security and compliance with legislative obligations.
We recommend that Government departments and agencies review their key software licence agreements to confirm what audit rights IT vendors have, and develop measures to respond to any audit requests. Do not allow IT vendors access to your premises, systems or data without first seeking legal advice and then strictly limiting the access granted to a vendor to the terms contained in the software licence agreement. Ensure that your own IT department ‘shadows’ the vendor during any audit to ensure that it complies with the agreed audit scope.
- Making sure you are complying with certification obligations: As an alternative to audit rights, we have worked with many Government departments and agencies to negotiate a simplified certification process – whereby the customer periodically audits its own compliance and certifies compliance to the IT vendor. In such circumstances, it is essential that certification is undertaken strictly in accordance with the agreed contractual processes and Government’s legal obligations.
We recommend that Government departments and agencies review their processes for certification and ensure they are complied with. Once again, if you discover an issue, you should seek to preserve legal professional privilege by engaging a law firm before approaching the IT vendor.
It is an understatement to say that we are currently experiencing unprecedented change. As this uncertainty carries over into 2021, it is important that we learn from the past: as history has shown, economic uncertainty can lead to IT vendors shifting their focus from sales to compliance. In such circumstances, it is important that Government departments and agencies consider their software compliance obligations under their contracts and, in particular, are aware of any restrictions that apply.
Given the potential financial, operational and reputational impacts for Government, it is imperative that departments and agencies get their house in order and are ready to respond to any non-compliance issues or threatened actions.