A recent court decision shows that software vendors can face legal challenges when undertaking software audits. Challenges may form part of a customer’s strategy for handling a request to audit or undertake some other software asset management exercise.
Vendors such as Microsoft, SAP and Oracle frequently undertake software audits that are problematic for CIOs.
Although vendors have a legitimate interest in checking that customers are not using more licences than they have paid for, many CIOs feel that they are the victim of unduly complicated licensing models and audits that don’t take into account a more holistic approach to the customer’s licensing position. They feel that the vendor’s audit operation is just another profit centre.
The situation is compounded by the fact that large vendors are often experts at playing the audit game, taking a careful and tactical approach. Customers can end up feeling like they have few options but to comply with each and every request or demand surrounding an audit.
This need not be the case. A strong understanding of the licensing position and audit requirements, against the specifics of how the software is actually deployed, can help protect a customer from a vendor that overreaches. It also equips the customer to robustly check and challenge the results of an audit.
There are strong legal, commercial and technical components in responding to an audit. The lawyers and IT team need to work closely to assess the situation and respond appropriately and strategically at each stage. After all, organisations often end up having to line up complicated license agreements and models against complicated environments and deployment scenarios.
The case below illustrates how there can be options for challenging the vendor’s audit clause. This sort of approach could be an option to consider as part of the overall audit response strategy.
The English judgment, 118 Data Resource v IDS Data Services, shows that vendors can face real problems when relying on the audit clauses in their contracts. Essentially, these clauses tend to be quite short form, and leave gaps to be filled. In the English case, the court refused to fill those gaps. The court went further and said that, even if the gaps were filled, it wouldn’t force the customer to enable access to allow the audit to be done. The net result was that the customer stopped the audit proceeding.
The case involved 118 Data licensing a database to IDS. The principles are the same for software licences. Under the licence agreement, the licensee could retain only one copy of the database and could sub-licence the database so long as particular terms were met, such as that there was to be no sub-licence to a competitor of 118 Data, the licensor. However, in breach of the licence, the licensee did sub-licence the database to a competitor of the licensor. The licensor suspected wider breaches as well.
The licensor required an audit under this clause in the licence agreement:
“[The licensee] undertakes and agrees with [the licensor] that it will… permit any duly authorised representative of [the licensor] on reasonable prior notice to enter into any of its premises where any copies of [the database] are used, for the purpose of ascertaining that the provisions of this Agreement are being complied with.”
That’s not a lot of detail. In particular, the clause was silent or uncertain around the following:
- How wide could the audit go, given there was confidential information the licensor shouldn’t see? The agreement didn’t expressly deal with this.
- What could the licensor do with what it obtained on the audit? Again, the agreement was silent.
- Could the audit deal with sub-licensing in breach of the licence? No, said the court, controversially in our view, given that was one of the key terms in the licence.
Courts can fill gaps by (a) implying terms in the agreement (e.g. limiting the scope of the audit right to what is necessary and reasonable); and (b) adding further details as machinery to make the agreement work. But courts can only go so far in plugging the gaps, and the court wasn’t prepared to do that here. In this case, the brief detail was too sketchy. So the licensor didn’t get orders requiring the licensee to facilitate the audit.
Even if the audit terms were detailed enough, the court would have refused to make the enforcement orders for two other reasons:
- Just because there are clear contract terms, it doesn’t follow that the terms are certain and clear enough for enforcement orders to be made (usually these are specific performance orders but they can be injunctions too).
- In any event, if getting damages is an adequate remedy, the courts usually won’t make such specific performance or injunction orders.
This English case was for an interim type of judgment called summary judgment and so it is not the final word, but it indicates that vendors will sometimes struggle to force their customers to allow audits.
While each case is fact-specific and the clauses often differ from the one here, typical software audit clauses are relatively short form and therefore raise similar issues of interpretation. In some cases, the courts will refuse to fill the gaps. They may also not require the customer to allow the audit, despite what the contract says. This English judgment provides some helpful angles to consider as part of formulating the strategy for responding to a software audit.
Michael Wigley (firstname.lastname@example.org) is the Principal of Wigley + Company, a law firm specialising in ICT.