Has your company assessed new risks due to Covid-19 & software licensing and taken the necessary efforts to ensure compliance with its software vendors?
When the seriousness of Covid-19 led to massive business shutdowns in the middle of March, many businesses and organizations made the seismic shift to supporting large-scale remote access almost overnight. Understandably, the primary concern of businesses across the country was not software licensing compliance but rather the daunting task of moving millions of workers off-site while simultaneously implementing cost-cutting measures. This abrupt process entailed what could charitably be called “a reactive deviation from what would traditionally be considered best practice.” In other words, it was a heroic, if disorganized, scramble to keep business operations afloat.
Unfortunately for businesses of all size and type, “remote access is the easiest way to quickly become non-compliant with many software vendors.” And as the pandemic stretches on with no end in sight to working remotely, monitoring your company’s deployment “is especially important when we consider the longer-term trend now emerging towards permanent remote working.”
In sum, if you aren’t actively resolving emerging software license issues yet, it is past time to start.
Covid-19 & software licensing risks attendant to remote access.
The foreseeable threats to Covid-19 and software licensing compliance are multi-faceted. For example, while it may be obvious that businesses must follow licensing protocol on company-owned devices, it is easy to overlook restrictions for software installed on employee’s personal devices. For example, despite the fact that consumer versions of certain software licenses (such as Microsoft Office 365) exclude “commercial, non-profit or revenue generating activities”, few if any businesses are investigating whether their employees are using personal licenses to do their work.
Further, with increased need for Cloud and SaaS (Zoom, Office 365, and Adobe Creative Cloud, for example), many vendors secured new business engagements with relatively unexamined free trials during the early stages of the pandemic. These vendors can now be expected to not only start levying steep subscription fees but also to undertake the process of tallying precise types and quantities of licenses. It is a near-certainty that many licensees will be surprised at the final price tag for software that they rapidly became dependent on.
Finally, Cloud technology usage has been a software licensing minefield from its infancy. Many cloud vendors not only utilize preposterously complex licensing agreements, certain others (Oracle being a primary culprit) attempt to enforce extra-contractual cloud “policies” that are designed to shift in accordance with the vendors’ will. Remote access and the accompanying unprecedented increase in Cloud technology usage will inevitably lead to ugly and contentious audit disputes in areas where there is little, if any, precedent.
Even as companies and businesses begin to move some of their workforce back on-site, companies must pay close attention to licensing considerations for both scenarios. “The licensing model for these two types of environments is different. And as a result, companies who license applications on a per-user cloud subscription are now much better placed to continue working throughout the Corona crisis than those with perpetual per-device licenses.” Among other things, older “per device” licenses often will not follow all employees from work to home in the manner that a per-user cloud subscription would. In fact, there is a dauntingly rich history of Microsoft coming down hard for software use on a Citrix server, and Micro Focus actually entered into litigation in a matter that had “significant Citrix/RDS element to it.”
Vendors are increasingly desperate for revenue streams due to the effects of Covid-19 on software licensing revenue.
The Covid-19 pandemic has taken an economic toll, and software vendors have certainly not been immune to its impact concerning software licensing. While there may have been some leniency in the early months of the pandemic, it cannot be expected that vendors will continue to exercise clemency. At the most basic level, audits can be a relatively inexpensive manner in which to generate revenue streams at a time when sales are anticipated to drop. For example, some industry observers were tracking SAP’s emergence from a relatively low profile in 2019 (due to the unpopularity of its audits) while slowly beginning to ramp up its audits in 2020 in order to meet Wall Street objectives. While pursuing such audits during the pandemic may prove to be unpopular, some predict that SAP can’t afford to sit another year out hoping to improve its reputation.
Software vendor assurances are rarely useful.
It would be wise to prepare now for future software audits that will likely occur post-pandemic or even earlier as some of the workforce returns to working on-site. While some commentators suggest contacting vendors in order to seek a confirmation of compliance, based on our experience, we do not recommend such an approach. Allowing software vendors, especially the most audit-crazy ones, a free peek at the details of your IT infrastructure can itself lead to license disputes and even generate audits. Further, it is never entirely clear what such an assurance is worth. As we have discovered the hard way in our practice, software vendors often masterfully give licensees vague representations of compliance while studiously avoiding putting anything enforceable in writing. Finally, even if a representation was enforceable, IT architecture is rarely static. Almost any change in an environment can nullify a previous assurance of compliance.
Though an essential tool, Software Asset Management (SAM) Services may not be sufficient.
As of late, automated SAM services have been emerging as an essential tool for companies with complex and emerging IT infrastructures. However, SAM may not protect licensees from the licensing pitfalls of remote access:
[M]ost inventory tools do not account for remote access, nor do they perform adequate analysis of virtual scenarios. As a result, companies will almost certainly require additional work to obtain an accurate and comprehensive usage assessment.
As such, even companies that had the foresight to utilize procedures to monitor software use should consider seeking out specialized services (legal and technical) to ensure that they are prepared for the inevitable aggressive audits that are on the horizon.
* * *
In sum, there are several ways for a business or organization to drift (or even surge) into material non-compliance during these uncertain pandemic times. Companies should assume that vendors will have a laser focus on aspects of noncompliance related to remote workplaces. After struggling to win new business during the pandemic, software vendors will be on the lookout for ways to ‘exercise their audit rights’ and expand their revenue streams. Now is the time to prepare for the inevitable.