How to Avert or Survive a Software Audit

By Richard Raysman and Peter Brown
August 15, 2003

[Ed. Note: One would expect law firms to consider it beneath them to deliberately have staff members, or those of an ancillary business, use illegal software copies. But the potentially high cost and embarrassment that can result from even tacitly permitting violations of software licenses should merit proactive attention by firm management.]

According to a report released earlier this year by the Business Software Alliance, one of every four business software applications installed in the United States is unlicensed, and thus a potential copyright infringement violation. Numbers like these have turned many businesses into targets of software audits in recent years, as software companies have made battling unlicensed software in the workplace a top priority. Armed with the threat of stiff penalties under the copyright law and backed by highly active trade groups, software vendors are increasingly making businesses aware of the unlicensed software problem, and requesting that businesses perform a 'software audit,' in which the trade group will use an express or implied threat of litigation to ask that a company submit to a determination of whether unlicensed software exists on its computer system.

Unlicensed software can make its way onto a company's desktops and servers in a number of ways, most of them far removed from traditional notions of 'software piracy.' Employees may share applications with one another without going through the proper channels, or load personal copies of a program onto their work computers, which copies may then, in turn, be shared. Business entities expand and undergo personnel changes, leading to unauthorized copying; often, the rights granted by a software license are not easy to discern. Of course, deliberate corporate cost-cutting exists as well and licenses can be especially burdensome in this economic climate, but the downturn cuts both ways: software companies are facing new pressures to generate revenue, leading perhaps to zealous pursuit of license fees from their customers.

Justified or not, software audits can be expensive propositions. They can also be embarrassing. Attorneys and businesses should therefore understand the steps that should be taken to avoid a software audit, as well as what to do if an audit letter does arrive.

Who Are the Software Police?

Software companies have banded together to form two powerful watchdog groups to police and enforce their intellectual property rights: the Business Software Alliance (BSA), whose dozen or so members include Microsoft, Symantec, and Adobe Systems, and the Software & Information Industry Association (SIIA), which claims over 1,200 members worldwide. Both groups conduct investigations into allegations of piracy on behalf of their members, and if necessary audit, litigate against, or prosecute offending companies with the assistance of law enforcement.

Both the BSA and the SIIA receive reports of corporate software piracy through their toll-free hotlines and Web sites. Typically, and with apparent frequency, tips come from disgruntled employees or former employees of a company. But they can come from practically anyone with knowledge of a company's software, including computer repair personnel or even unhappy customers. Confidentiality is guaranteed to informants, but extensive questions are in place to establish the credibility of a source before an investigation commences. After a tip is received, an agency will attempt to further confirm that piracy exists by contacting the vendors and examining the license agreements in place with the target business.

While both the BSA and SIIA are extremely active on behalf of their members, some individual software vendors have their own enforcement divisions that have undertaken letter campaigns to customers requesting software audits. Sometimes the vendor's right to an audit is part of a software license agreement; however, even where no express right to an audit exists, some software companies have nonetheless made requests to customers for documentation, again with implied or express reference to litigation if the company does not cooperate.

What Is a Software Audit?

A software audit usually comes in the form of a letter asking a company to prove that it has the requisite licenses to operate all the specified software on its system. The letter may instruct the company not to delete or de-install any of the specified software, and not to attempt to correct the situation by purchasing or updating licenses from the vendor. Most audits require a company to run a proprietary software program on its system that detects the existence of all the programs that are installed on the system. By a certain date, the company is asked to send the results of the software check, along with supporting documentation demonstrating the company's right to use the software found on the system.

Depending on the results of the audit, the vendor or agency will require the company to delete all unauthorized copies of installed software, pay for unauthorized past use of the software, and then obtain legitimate licenses to cover newly installed software. A settlement agreement will set forth the exact terms and deadlines for the payments. While the SIIA keeps settlements with cooperating companies confidential, the BSA often makes some of the terms of the settlement public. Many of the BSA settlements result in payments of over $100,000. See www.bsa.org/usa/press/releases.

While federal law provides for injunctive relief in copyright infringement cases (see 17 U.S.C. §503(a)), and even prejudgment seizures are possible (see U2 Home Entertainment, Inc. v. Chun Pook Tan, 209 F. Supp. 2d 299 (S.D.N.Y. 2002)), forced audits usually come only after a more cooperative track is sought.

How to Respond to an Inquiry

If a demand for an audit comes from the BSA or SIIA, swift but measured cooperation is usually the best course, as the agency will probably have enough information at that point, and certainly the resources, to pursue further legal action. It is unlikely that the company can account for each and every software application installed on its system, and the threat of full-fledged copyright litigation or a forcible audit is a severe risk.

If an audit demand comes from a vendor, the relevant license should be reviewed to determine the vendor's right to the audit. Audit clauses are included in most software licenses, but may vary in such details as the frequency with which they are allowed, who bears the cost of the audit, and the time frame that a company has to respond. These issues should be fully understood before a response is given. If no express right to an audit is found to exist, refusal to cooperate is an option, but a more cautious route might be to try to ascertain the vendor's basis for making the demand and then respond accordingly. At the same time, the company should take steps to ascertain its compliance, and if noncompliance is found, then negotiation with the vendor for an increased license right might be the wisest course regardless of the vendor's right to an audit.

If counsel will be involved in the audit, then the audit letter should of course be turned over to an attorney immediately. Steps should then be taken to preserve the attorney-client privilege over the audit to the extent possible, keeping in mind the possibility of future litigation. Care should be taken to minimize the risk that reports are disclosed within the company without regard to the privilege.

If cooperation is undertaken, this should be communicated to the auditing entity swiftly, to avoid the threat of further action and to keep the situation as amicable as possible. Depending on the structure of the company and other considerations, it may or may not be a good idea to send an e-mail or other communication advising all employees of the audit. On the one hand, employees may be able to alert counsel and management to possible violations at the outset, thus facilitating the audit. On the other hand, employees may get the wrong message and attempt to hide or destroy copies in a way that may further complicate the company's efforts. Whether or not the workforce at large is informed of the audit, it is critical that everyone involved understands their obligation not to destroy records or remove software in response to the audit. Such impulsive reactions may compound any existing problems, as software audit programs such as the one used by the BSA can easily detect erased programs.

Before any action is taken in response to an audit, it is important to define its scope. Depending upon the terms of the licenses at issue, a company may have responsibility for the compliance of affiliated businesses as well. If the audit comes at the request of a particular software vendor, such as Microsoft, it will be clear enough what applications need to be checked and documented. But an audit undertaken by a trade group should be limited to vendors represented by that group, and the company should make clear that it will be reporting and documenting only those covered applications.

Informal negotiation with the auditing entity can be key throughout the process. The company may be able to exclude certain types of software, such as unlicensed computer games downloaded without permission onto employees' computers, from the audit. While stiff penalties are often unavoidable, there is certainly room for negotiation.

An Ounce of Prevention

There are of course a number of steps that companies can take to avert the threat of a software audit. Foremost are good software management practices that are engrained in the operation of the business. Purchase and recordkeeping procedures should ensure that copies of licenses and invoices and proof of payment for each software product loaded onto all computers are maintained in a central place and kept current.

An inventory of all software applications should be taken periodically. Smaller companies may be able to take inventory manually, but larger companies may want to consider more advanced audit and management tools. The BSA offers a free software audit tool for companies wishing to conduct self-audits. According to the BSA, its new GASP Version 6.2 allows an organization to conduct audits of up to 100 computers for up to 60 days after the download. GASP helps to identify and track licensed and unlicensed software and other files installed on a company's computer systems including desktops, laptops and network servers. Although some may balk at entering any information about one's company in order to download the software, BSA's privacy policy restricts its use of this information (see http://www.bsa.org/%20usa/about/privacypolicy.phtml). Many other commercial products and consultant services are available to assist companies not only with auditing their computer systems, but also for more general management of their software assets.

It is also important to keep on top of the organization's software needs. Regular surveys allow employees to communicate their software needs, and allow the company to meet these needs in a compliant fashion. When employees' software needs go unmet by the organization, the chances go up that unauthorized channels will be pursued, and licenses will go untracked.

Highly publicized internal policies against unauthorized copying serve two functions: they make the company's stance against unauthorized copying clear to all levels of the company, and they can serve to demonstrate good faith in the event that unauthorized copying is uncovered and a settlement needs to be negotiated. The policy should come from a high level of management, be signed by each employee, and should communicate some or all of the following points, among others:

  • The company's software licenses create a right to use software, not ownership of it.
  • The company has zero tolerance for unauthorized copying of software, and such copying can result in termination.
  • Employees should not bring their own personal copies of software to work without authorization from the company. (If the company benefits from software it did not purchase, and if such use violates a license, BSA views that use as piracy.)
  • All software installations should be done by authorized personnel. This includes the downloading of software onto home or personal computers, which may or may not be allowed under a particular license.

Samples of effective policies are available from the SIIA at www.siia.net/piracy/policy/corp_soft.asp, and from the BSA at www.bsa.org/usa/freetools/business/appc.phtml.

Software Truces

Every several months, the BSA offers businesses in several selected cities the opportunity to obtain licenses for all unauthorized software on their systems. Participation will immunize the business from all charges of piracy occurring during or before the 'Grace Period.' See http://www.bsagrace.com/ for details of this program.


Richard Raysman and Peter Brown are partners at Brown Raysman Millstein Felder & Steiner LLP in New York. Peter Scher assisted in the preparation of this article, which appeared in the February 2003 edition of Advising Start-Up & Emerging Companies.
