Managing Audits to Prevent Unauthorized Disclosures by Technology Teams
Disputes involving software usage are on the rise for businesses of all sizes. In some cases, technical teams respond to a software publisher’s or a third party’s audit request and provide significant amounts of data without notifying anyone on the corporate governance or the legal teams. It is critical for those teams to evaluate the publisher’s legal ability to audit, and to identify the data the publisher is entitled to request.
It is not uncommon for the legal team to discover the existence of a software audit or license verification after the company has received a demand for damages arising from alleged over-usage of software.
Often, employees responding to an audit request do not understand the request and provide inaccurate or incomplete information. Once this information is disclosed, it can expose the business to damages claims arising from any license deficiencies. If the information is inaccurate, it is an uphill battle to rectify it and reach a resolution.
There are a few key tips to minimize unauthorized disclosures and to avoid potential liability.
1. Institute Communications Protocols for Inquiries from Third Parties
Depending on the size of the company, there may be varying resources available to respond to an audit request. Whether a company has a single person in charge of the IT assets, outsources to a managed services provider or other third-party vendor, or dedicates an entire department to managing software deployments and licenses, it is helpful to institute protocols outlined in an employee handbook (or vendor agreement) that prevent individuals from disclosing information without seeking management’s approval.
Some types of audits appear to be non-threatening “license verifications” or requests for software asset management reviews, which sometimes creates a false sense of security for individuals who may otherwise seek management approval prior to sharing information. Even these seemingly innocent requests should be treated with caution.
It is helpful to have an established protocol that employees can reference when they receive a request for information related to software assets. The teams should be required to notify the legal and governance representatives as part of the protocol.
It is also important to ensure in any agreements with third-party IT vendors that they will not release any information without company approval, even if the third party manages all software on the company’s network.
2. Educate Business and Procurement Teams
Larger companies may dedicate entire departments to the business side of software negotiations, including management and procurement. These negotiations should always be supervised by inside or outside counsel.
Sometimes, during the business negotiations, these teams may disclose information regarding the company’s software installations that the publisher later tries to use as leverage in future negotiations. For instance, if during a business negotiation, the procurement team describes a current use case that is outside the scope of the license grant, the publisher may claim that it is entitled to payment for the past improper usage.
It is crucial to train these departments on the specific types of information that may be disclosed and to ensure that the information provided is properly vetted for accuracy and legal implications.
3. Routinely Conduct In-House Self-Audits
Finally, a company should assign a specific individual or team to conduct routine self-audits and internally track entitlements to ensure license compliance. The benefit of this process is two-fold: 1) if the company receives an inquiry regarding its software licenses, it can quickly and accurately collect the necessary information, and 2) the information can be verified by the IT staff and management prior to disclosing it to a third party.
The first step upon receiving a software-related inquiry is to identify what type of information is being requested, and whether a response is mandatory. In some of these situations, a company has no obligation to respond. In others, a failure to provide a timely response may escalate the matter to potential litigation. All inquiries should be brought to the attention of both management and the legal department to determine how to proceed.