Open To Liability

Open-source software is a boon to computer programmers: by sharing the source code for freely released software, anyone (with the skill) can modify it for his or her, or that person's business', own needs. And, as attorneys and business people are aware, the no-longer nascent and quickly growing movement for open-source software has this business-boon tool finding its way into many companies' programming departments.

It's also finding its way into their lawyers' offices, because the licensing requirements of most open-source software are creating new concerns, and new work, for lawyers serving the tech industry.

Keeping Things Open

Under the GNU General Public License (GPL) that governs a large number of open-source products, open-source code can be tightly integrated only into other open-source products, and a condition of using the code is that the user also publish its modified version of the code. But not everyone knows to do that ' or interprets the license's requirements the same way.

Take Cisco Systems Inc. When the hardware giant bought competitor Linksys in 2003, it claims it didn't realize Linksys had been using products that incorporated open-source code. Cisco eventually incurred the wrath of the not-for-profit Free Software Foundation (FSF), which enforces the GPL. Eventually, according to reports published in Forbes magazine and elsewhere, legal wrangling ended with Cisco having to make the costly move of releasing the code.

With the possibility of these kinds of surprises popping up in tech industry acquisitions, new legal services have arisen to reduce the risk. Most recently, a consulting outfit called Open Source Risk Management partnered with Lloyds of London underwriter Kiln and broker Miller Insurance Services to offer insurance against open-source liability.

“Everybody is really recognizing these risks and becoming more and more interested in promoting themselves,” says Stephen Gillespie, a partner at Fenwick & West. “There is somewhat of a jump on the bandwagon among lawyers.”

While some question the need for open-source insurance, there's definitely a lot of money at stake. Apart from related business costs, misusing open-source software can cost $150,000 per violation per copy of the software distributed, Gillespie says. Many lawyers are not sure whether the new insurance will be worth the costs, which include spending $25,000 to $50,000 on risk assessment even before the insurance is purchased.

Along with insurance, there are companies ready to find open-source problems before they become problems. The insurance now offered through Lloyds of London includes a risk assessment, consulting services and additional coverage.

Mark Radcliffe, a partner at DLA Piper Rudnick Gray Cary, says costly open-source insurance might not be necessary for many companies.

“Since there haven't been a lot of lawsuits with big judgments,” he says, “I am not sure the need for insurance is as pointed as it is for large management tools.”

Insurance isn't a one-size-fits-all solution, says James Gatto, a partner at Pillsbury Winthrop Shaw Pittman.

“It's another arrow in the quiver,” he says. “If we find issues, we can mitigate them.”

Dealing With It

It's not clear how often violations of license are enforced in relation to open-source code. So far, the Free Software Foundation's efforts to police violations of the GNU General Public License have been waged mainly through negotiating with companies it identifies as possible violators.

Eben Moglen, who acts as counsel to the FSF, says the organization sends out letters citing possible violations three dozen times a year, and less than half a dozen times a year does it ask a company to make a change.

“Zero times a year do we have to make any substantial demonstration of legal weight,” Moglen, the foundation's general counsel, adds.

“The big hammer that [entities such as the Free Software Foundation] have is injunctions,” says Heather Meeker, a partner at Greenberg Traurig who also represents Open Source Risk Management. Having your product pulled off shelves while fighting a licensing claim is a software maker's biggest fear. “It is almost like nobody has to say it.”

Whether or not that hammer gets used, some lawyers say the insurance might be useful because it's hard to know, while working through a merger, whether open-source problems will emerge later.

Moglen argues that the fact that the insurance exists proves that open-source liability is quantifiable and manageable.

Open-source liability can kill a deal, and it does affect the value of a transaction, according to lawyers. In the absence of insurance, some companies will accept a reduction in deal price.

Another solution is to set up an escrow account with funds to cover potential exposure. Often the escrow accounts for about 10% of the deal price. If a dispute over open-source arises after the close of a transaction, companies often turn to a mediator, who can resolve the dispute and keep it confidential. But insurance, some argue, can keep the problem from going that far.

“Insurance is a way to move this issue off the table rather than arguing over the size of the liability,” says Wilson Sonsini Goodrich & Rosati partner Adit Khorana, who also advises Open Source Risk Management. “The question of liability is only a useful [negotiating] chip because it often is not completely refutable.”

Linux and claims against third parties were at the heart of the highest-profile open-source lawsuit to date. The SCO Group claims it owns the Unix software code that underlies the Linux operating system. It sued IBM for more than $1 billion in damages, contending that in donating modified Unix code to Linux programmers, IBM breached a licensing agreement now controlled by SCO.

Some observers have doubted the strength of SCO's arguments in the complex case, but OSRM Chairman Daniel Egger says it inspired him to create open-source insurance.

“What was striking was the amount of uncertainty and fear caused by a relatively weak claim,” Egger says. “Just because they cried wolf doesn't mean there aren't wolves out there.”

Open-source software is a boon to computer programmers: by sharing the source code for freely released software, anyone (with the skill) can modify it for his or her, or that person's business', own needs. And, as attorneys and business people are aware, the no-longer nascent and quickly growing movement for open-source software has this business-boon tool finding its way into many companies' programming departments.

It's also finding its way into their lawyers' offices, because the licensing requirements of most open-source software are creating new concerns, and new work, for lawyers serving the tech industry.

Keeping Things Open

Under the GNU General Public License (GPL) that governs a large number of open-source products, open-source code can be tightly integrated only into other open-source products, and a condition of using the code is that the user also publish its modified version of the code. But not everyone knows to do that ' or interprets the license's requirements the same way.

Take Cisco Systems Inc. When the hardware giant bought competitor Linksys in 2003, it claims it didn't realize Linksys had been using products that incorporated open-source code. Cisco eventually incurred the wrath of the not-for-profit Free Software Foundation (FSF), which enforces the GPL. Eventually, according to reports published in Forbes magazine and elsewhere, legal wrangling ended with Cisco having to make the costly move of releasing the code.

With the possibility of these kinds of surprises popping up in tech industry acquisitions, new legal services have arisen to reduce the risk. Most recently, a consulting outfit called Open Source Risk Management partnered with Lloyds of London underwriter Kiln and broker Miller Insurance Services to offer insurance against open-source liability.

“Everybody is really recognizing these risks and becoming more and more interested in promoting themselves,” says Stephen Gillespie, a partner at Fenwick & West. “There is somewhat of a jump on the bandwagon among lawyers.”

While some question the need for open-source insurance, there's definitely a lot of money at stake. Apart from related business costs, misusing open-source software can cost $150,000 per violation per copy of the software distributed, Gillespie says. Many lawyers are not sure whether the new insurance will be worth the costs, which include spending $25,000 to $50,000 on risk assessment even before the insurance is purchased.

Along with insurance, there are companies ready to find open-source problems before they become problems. The insurance now offered through Lloyds of London includes a risk assessment, consulting services and additional coverage.

Mark Radcliffe, a partner at DLA Piper Rudnick Gray Cary, says costly open-source insurance might not be necessary for many companies.

“Since there haven't been a lot of lawsuits with big judgments,” he says, “I am not sure the need for insurance is as pointed as it is for large management tools.”

Insurance isn't a one-size-fits-all solution, says James Gatto, a partner at Pillsbury Winthrop Shaw Pittman.

“It's another arrow in the quiver,” he says. “If we find issues, we can mitigate them.”

Dealing With It

It's not clear how often violations of license are enforced in relation to open-source code. So far, the Free Software Foundation's efforts to police violations of the GNU General Public License have been waged mainly through negotiating with companies it identifies as possible violators.

Eben Moglen, who acts as counsel to the FSF, says the organization sends out letters citing possible violations three dozen times a year, and less than half a dozen times a year does it ask a company to make a change.

“Zero times a year do we have to make any substantial demonstration of legal weight,” Moglen, the foundation's general counsel, adds.

“The big hammer that [entities such as the Free Software Foundation] have is injunctions,” says Heather Meeker, a partner at Greenberg Traurig who also represents Open Source Risk Management. Having your product pulled off shelves while fighting a licensing claim is a software maker's biggest fear. “It is almost like nobody has to say it.”

Whether or not that hammer gets used, some lawyers say the insurance might be useful because it's hard to know, while working through a merger, whether open-source problems will emerge later.

Moglen argues that the fact that the insurance exists proves that open-source liability is quantifiable and manageable.

Open-source liability can kill a deal, and it does affect the value of a transaction, according to lawyers. In the absence of insurance, some companies will accept a reduction in deal price.

Another solution is to set up an escrow account with funds to cover potential exposure. Often the escrow accounts for about 10% of the deal price. If a dispute over open-source arises after the close of a transaction, companies often turn to a mediator, who can resolve the dispute and keep it confidential. But insurance, some argue, can keep the problem from going that far.

“Insurance is a way to move this issue off the table rather than arguing over the size of the liability,” says Wilson Sonsini Goodrich & Rosati partner Adit Khorana, who also advises Open Source Risk Management. “The question of liability is only a useful [negotiating] chip because it often is not completely refutable.”

Linux and claims against third parties were at the heart of the highest-profile open-source lawsuit to date. The SCO Group claims it owns the Unix software code that underlies the Linux operating system. It sued IBM for more than $1 billion in damages, contending that in donating modified Unix code to Linux programmers, IBM breached a licensing agreement now controlled by SCO.

Some observers have doubted the strength of SCO's arguments in the complex case, but OSRM Chairman Daniel Egger says it inspired him to create open-source insurance.

“What was striking was the amount of uncertainty and fear caused by a relatively weak claim,” Egger says. “Just because they cried wolf doesn't mean there aren't wolves out there.”