Microsoft might promise free upgrades for Windows and simplify its volume licensing with a new agreement, but the influx of cloud services, new devices and mobile apps means software licensing continues to be complex. A recent lawsuit should remind you that you can't afford to lose track of what software your company is using.
Adobe, Autodesk and Corel have sued clothing retailer Forever 21 for "willful, intentional and malicious copyright infringement" for using Photoshop, Acrobat, Illustrator, Autodesk, PaintShopPro and WinZip without paying for enough licenses, "even after being contacted by Adobe regarding the infringement," the lawsuit said.
Pirating software is usually about civil liability. Adobe, Autodesk and Corel are asking for lost revenue and damages, plus court costs. Criminal liability tends to be reserved for cases of software counterfeiting, according to Jodie Kelley, senior vice president and general counsel of BSA, The Software Alliance.
It can get personal
But it's not just the business that will have to pay up -- an officer of the company can also be liable if they personally participated in the infringement or supervised it. For example, "If you could have prevented it but didn't," Kelley explains, and if you had a financial interest in using the copyrighted software. "It's a relatively high standard for personal liability, but it does exist, and the officer is liable to the same degree as the corporation."
Company liability might not end with the cost of paying for the licenses you should have bought and the statutory damages for not buying them, either. There's now an ISO standard for software asset management, which isn't required by any regulations yet. But the 2013 framework for internal controls and corporate governance from COSO, the umbrella organization for accountants and auditors, includes a chapter on software licensing that says your business needs to have "appropriate controls...which may...verify the entity's legal right to use the technology in the manner in which it is being employed."
Most companies have focused on the financial reporting implications in the COSO framework, but it means that software licensing now has to be considered as part of your internal regime rather than just a question for the IT department. And, Kelley warns, "the SEC has announced it will be looking to that framework when it assesses whether internal controls are adequate." That could be a problem for the 65 percent of companies in last BSA Global Software Survey who don't have written policies requiring properly licensed software.
Security and piracy don't mix
It's not just a question of the company doing the right thing by paying for the software it uses to run the business or being efficient about making sure you're not paying for licenses you don't need. Pirated software can make you more vulnerable to security breaches. Part of that is common sense: "If you want to deal with security, the most critical first step you have to take is knowing what you have in your network. If you don't know what you have and you're not managing it, you're extra likely to have a threat."
But if users are downloading cracked software and installing it on their computers, it often brings malware along with it. And too many times even a legitimate copy of the software that's installed may not get security updates, so it won't be as licensed copies. BSA commissioned a study from IDC to look at malware on PCs that shows a correlation between the amount of unlicensed software in a country and the amount of malware on their PCs. http://globalstudy.bsa.org/2013/cyberthreat.html
Bring your own license problem
Pirated software and over installing is obvious when you look for it. But what about the licensing impact of the tablets and smartphones that users bring to work? BYOD, mobile devices and even cloud services make licensing more complex and confusing.
"Most companies aren't trying to cut corners," admits Kelley. "They're struggling with the complexities."
So when Microsoft announced in January that Windows 10 would be a free upgrade for the first year, it quickly emerged that there would be the usual licensing small print. The free upgrade is only for the base Windows 10 edition and the basic business version, Windows 10 Pro. If you have Windows Enterprise and a volume license, you'll need to pay for an upgrade or take out the usual Software Assurance subscription to get the new version.
Microsoft is also still working to define what "the supported lifetime of the device" means. It has clearly documented support lifecycles for operating systems, but OEMs have much shorter support cycles, which makes it hard to find out how long a particular model will be supported for.
You might not be concerned about whether you'll get OEM graphics driver updates in five years' time, but if you're relying on Windows 10 updates on a business PC through an OEM, you need to know how long that'll go on for. That means that even for consumer devices that users are bringing to work, you will still have to think about volume licensing, including VDA licenses that cover devices (like iPads) to get remote access to Windows desktop applications.
The new Windows Enterprise Software Assurance User Subscription Licenses let you license Windows for your users without counting their devices. They use virtual desktops and put Windows Enterprise on any of their devices as long as the screen is no bigger than 10.1 inches. You assign them a primary device that runs Windows 7 or 8 because, as usual, SA is an upgrade from a Windows license that's already been paid for. As the name suggests, this is a subscription you have to keep paying for.
Back at the Office
Things are even more complicated for Office, especially as the promised touch Office apps finally arrive on Windows tablets, with Windows 10 on some devices. But just because the Office apps come free on a device or can be downloaded free from an app store--like the versions of Office already available for iPad and Android--it doesn't mean they're free to use for business.
The apps won't stop users from opening and editing documents or creating new ones. But unless you have the appropriate Office licenses for those users, they'll be breaking the license agreement if they do that for business documents.
These might include a license for an Office 365 tenant like E3, which includes the client software, an Office 365 Pro Plus license or Software Assurance in your Office volume license. It won't include the Office 365 Home Premium license users could buy (and try putting on their expense claim) from inside Office for iPad.
Microsoft solved that problem for Windows RT, which came with a touch version of Office Home and Student that didn't have commercial use rights, by including those use rights in Office 2013 volume licensing. And at the end of 2014, it introduced the Enterprise Cloud Suite, which includes Office 365 Enterprise E3, per-user Windows Enterprise SA subscriptions and the Enterprise Mobility Suite (Intune or System Center Configuration Manager client manage, Azure Rights Management Services for protecting shared documents and Azure Active Directory Premium, which gives you tools like single sign-on, two factor authentication and security reports), all in one agreement.
If you've mastered all that, prepare to prove it when you get audited. Alternatively, if you're prepared to get the ISO certification in software asset management, you can also get certified by BSA. The advantage of that is you'll get a two-year holiday from audits by BSA members. That's a laundry list of enterprise vendors, from Adobe, Apple and Autodesk to Microsoft and Symantec, so it would have kept Forever 21 out of court.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.