IBM’s Standard Audit Clause is a Time Bomb
It is standard practice for software vendors to include clauses in their license agreements giving the vendors the right to invoke audits or some other mechanisms to ensure that the licensed products are used in a way that is consistent with agreed licensing restrictions. Most software consumers would agree – perhaps grudgingly – that such provisions make sense. After all, a software vendor’s life blood is its products, and if it allows those products to be used without adequate licensing, it risks both financial loss and damage to the value of its intellectual property.
However, some vendors take the audit concept and apply it in a way that borders on the unconscionable. IBM is perhaps the best example of this, both due to its dominant market share in some segments and also due to the shocking scope of its standard audit clause.
IBM’s standard EULA is the International Program License Agreement (IPLA). It provides the following:
Licensee agrees to create, retain, and provide to IBM and its auditors accurate written records, system tool outputs, and other system information sufficient to provide auditable verification that Licensee’s use of all Programs is in compliance with the IPLA Program Terms…Upon reasonable notice, IBM may verify Licensee’s compliance with IPLA Program Terms at all sites and for all environments in which Licensee uses (for any purpose) Programs subject to IPLA Program Terms…IBM will notify Licensee in writing if any such verification indicates that Licensee has used any Program in excess of its Authorized Use or is otherwise not in compliance with the IPLA Program Terms. Licensee agrees to promptly pay directly to IBM the charges that IBM specifies in an invoice for 1) any such excess use, 2) support for such excess use for the lesser of the duration of such excess use or two years, and 3) any additional charges and other liabilities determined as a result of such verification.
Take a moment to consider the last sentence of the last paragraph appearing above. Here is a shorter version: “If we determine you are using our software in a way that we determine to be inconsistent with the IPLA, you will pay us whatever amount we specify in a written invoice.” Most software vendors set some kind of boundary around what can be required in order to resolve an audit. The quoted language from the IPLA effectively has no such constraint.
Now in Scott & Scott’s experience, IBM typically does not play ball as hard as the IPLA theoretically would allow, and audited IBM customers often are able to negotiate settlements that bear some relation to a reasonable outcome. However, a CIO in the position of licensing new network architectures needs to seriously assess his or her company’s ability to manage its licensing obligations before settling on IBM products to support those architectures. Especially given the complexity of IBM licensing rules, that is a decision carrying millions of dollars in potential consequences, even for non-enterprise-level companies.