Tame Your SLAs

Courtesy of Compliance Pipeline

From time to time over the years, I've received ominous letters from the Business Software Alliance (BSA) questioning whether I had illegal software on my computers. I laughed all the way to the paper shredder, since all but two of the thousands of software products I've used over the years either arrived preinstalled on computers or were provided without charge by software vendors. I paid for the other two.

But legions of others aren't so lucky. Whether you're a large enterprise or a one-person business, software licensing agreement (SLA) goblins may be coming at you with a vengeance.

The Scope of the Problem

According to Robert J. Scott, managing partner in the law firm Scott & Scott LLP, organizations typically have difficulty adequately proving the legitimacy of 10 to 90 percent of their installed software. The most common way a company violates software licenses and copyright laws, says Scott, is by failing to implement controls and procedures to prevent unauthorized installation of software.

"A typical large enterprise has 15,000 to 30,000 unique software titles installed, while only 800 may be necessary for business operations," says Scott. "Other problems include using software beyond the trial period, installing the wrong version of a product relative to what was purchased, failing to ensure no new products are installed that are not covered by the original agreement, and failing to maintain adequate procurement records."

Jose Negron, technical director at IT auditing software developer Layton Technology, cites a global software piracy study conducted by the BSA in 2004. More than $59 billion was spent on commercial packaged PC software, yet more than $90 billion was installed, meaning that more than one-third of software in use on PCs worldwide is pirated (a term that includes intentional and unintentional alleged infringement).
Other sources for this story suggest that pirated software is in the range of 23 to 33 percent, even disregarding unpublished settlements. "That is a lot of lost money at the expense of software providers," says Negron, "and beware...they are fighting back!"

Organizations are responsible for conducting internal audits to compare install counts to their SLAs. Directly or through third-party associations, software publishers can conduct audits with little or no evidence of noncompliance on the company's part. Businesses may receive a notice that they must prove compliance, or law enforcement officers may appear unexpectedly. Negron warns, "Sooner or later, companies that fail to adhere to the SLA will get fined."

Serious Penalties For Noncompliance

If your company is found in violation of an SLA, you face back-payment license fees at punitive levels plus damages, according to Brian McCarthy, VP of marketing for IT auditing software maker Centennial Software in the Americas. Fines range from $10,000 to $150,000 per unlicensed application. Criteria for determining the amount of the fine include the egregiousness of the circumstances, whether the infringement is for desktop or enterprise-class products (such as server apps), and other, less predictable factors. According to Scott, the fine generally is two to three times a product's retail price.

SLA Compliance Challenges

According to Centennial's McCarthy, most organizations find themselves out of SLA compliance because they don't have the necessary visibility into all the software installed across a network. It's common to be both under-licensed and over-licensed at the same time.

The second challenge is controlling and educating staff about the risks of downloading illegal software. Although employees may download or share software and other applications without malice, doing so puts organizations at risk.
Other major challenges faced by IT departments include understanding software license terms from multiple vendors, controlling software acquisition and installation companywide, keeping up with internal recordkeeping and reporting, and getting senior management buy-in for all these measures. The rise of USB thumb drives and other portable storage devices has exacerbated these headaches.

Getting Audited

The BSA, which has represented companies such as Adobe, Apple, IBM, and Microsoft, and the Software & Information Industry Association (SIIA) lead the pack on SLA audits and enforcement, but others are aggressive, too. Yossi Aloni, product marketing manager at Peregrine Systems, a maker of IT management software, notes some of the other major players: the U.K.-based Federation Against Software Theft (FAST); U.S. enforcement agencies such as the Secret Service, the U.S. Marshals, the FBI, and the Department of Justice; and individual software publishers.

McCarthy explains, "Acting on anonymous reports, the organizations work on behalf of leading software publishers to audit a company's software compliance." Most of these audits are prelitigation "self-audits" in which the target company must compile a list of all the software installed on its network and reconcile that list with procurement records. The process may take up to a year.

According to Scott, most audits begin with a tip from a disgruntled employee or vendor. Both the BSA and the SIIA offer financial incentives to tipsters -- now up to $200,000 for the BSA, according to Scott. "The promise by the SIIA and BSA to pay disgruntled employees a percentage of a recovery in a software audit is the most disturbing development in recent years," says Scott. "These agencies compete for market share."

If a company cannot provide adequate proof of purchase for its software during a self-audit, the auditing agency usually proposes a fine.
According to Scott, the BSA typically imposes fines that are two times the unbundled full retail price of each product, while the SIIA typically fines three times the retail price of the products. See the following sites for BSA and SIIA fine calculators: BSAdefense.com; SIIAdefense.com.

Ensuring Compliance And Avoiding Audits

Centennial's McCarthy notes that the first step to compliance is to educate employees with a software usage policy. Explain the consequences of downloading software illegally. Understanding the assets on the network is key to managing them, so the next step is to gain 100 percent visibility of software assets with a network discovery or IT asset management product. These tools can perform regular internal audits and correct over- or under-licensing. By actively tracking software use to licenses, according to McCarthy, a company can greatly reduce the chance of an audit and, if audited, demonstrate compliance.

McCarthy recommends that companies implement a software asset management (SAM) strategy like the following:

1. Perform a network audit.
2. Analyze the audit information by entering, updating, and normalizing inventories.
3. Apply BSA and SIIA audit requirements and purchase information to the data.
4. Analyze application use against license agreements.
5. Uninstall applications or purchase additional titles as necessary.
6. Conduct regular network audits to ensure ongoing compliance.

Scott notes that the total cost of compliance management runs between $50 and $150 per computer for most organizations.

David S. Bloch, partner in the Silicon Valley office of the law firm McDermott Will & Emery LLP, urges employing a part- or full-time compliance officer, if possible. For organizations whose budgets don't support that, periodic internal audits or spot-checks may help. Contrary to some other experts, Bloch feels that centralized control of computers sounds good in theory, but may be unworkable in practice.

Solutions To The SLA Nightmare

While SLAs won't be going away any time soon, some organizations are exploring new software licensing options. Chris Wagner, manager of presales and software licensing at CDW, observes that many companies have begun to choose SLAs through annuity plans instead of paying up front as a means to better predict software expenses and plan for future needs.

On the producer and licensor side, Bloch urges companies to explore alternative licensing and pricing strategies that make it easier for customers to comply without being ensnared. "Subscription services, for example, are a plausible way forward, at least for some software companies," he says. Bloch also would welcome a cooperative program in which auditors such as the BSA conduct a "free" audit with no consequences for detected violations, perhaps on the understanding that the subject company will agree to a second BSA audit 12 to 18 months later with fines or lawsuits only if the second audit detects problems.

Scott predicts that the failure of proprietary software makers to be sensitive to the needs of business consumers regarding compliance management will drive explosive growth in open-source software. The industry should do more to alleviate the compliance management burden, he says, by simplifying licensing rules, adding unique identifiers to registry information and procurement records to enable automation of the reconciliation process, and educating users regarding the types of documentation to retain.

Until the industry works together to awaken from our continuing SLA nightmare, we must make dealing with SLAs as painless as possible. The following tips can help.

Four Tips To Better Manage Software Licensing Agreements

CDW's Wagner offers these hints to manage your SLAs within the realities of current IT practices:

1. Automate license tracking. When choosing a license-tracking program, look for the ability to send expiration alerts, run customized reports, and record whom the licenses are assigned to, the key codes, and purchase history.

2. Have a renewal strategy. Large enterprises should have a renewal strategy in place a minimum of six months before licenses expire; small and medium-sized businesses should aim for three months in advance. This time allows you to assess future software needs and match them with your budget resources. In some volume programs, purchasing more licenses up front can save money in the long run.

3. Understand Microsoft Software Assurance. During the past year, Microsoft's Software Assurance program received press scrutiny questioning the program's value. Under Assurance, participants are eligible for free product upgrades. While Assurance may not be for everyone, many customers are unaware of the full range of benefits, such as home usage rights and extra training options.

4. Investigate pricing options. Businesses are moving away from shrink-wrapped software in favor of subscription models. Be aware that, with your spending levels, you may be eligible for multiple discount programs. Some programs can be paid through annuity plans.