Software Compliance After BSA and SIIA Settlements
Your business has just finished spending the last year of its corporate life responding to a software audit demanded by the Business Software Alliance (BSA) or the Software & Information Industry Association (SIIA). It has devoted substantial time and internal resources in an effort to gather an accurate inventory of software installations, together with all available documentation of license purchases. It also has incurred legal fees in order to obtain counsel regarding the audit process and to protect its rights during settlement negotiations. Management understandably is ready to move on.
Unfortunately, an important step remains: In almost every BSA and SIIA audit, it is necessary for the audited business to sign a certificate following settlement confirming – usually under penalty of perjury – that the business is using only licensed copies of BSA- or SIIA-member software and that no unlicensed software remains on its computers. Though it comes at the very end of the process, this probably is the most important step from the perspective of the software companies represented by the BSA and the SIIA, because this is when they see a return on their member dues. All amounts paid to the BSA or the SIIA in order to settle the audit and obtain a release of liability are retained by the BSA and SIIA, respectively. The audited business does not receive any software licenses in return for that payment or any assurances of prospective compliance. In order to be compliant with applicable licenses and with non-monetary settlement terms, the business needs either to uninstall unneeded software or to purchase licenses for the software that it does need.
Before any software deletions or license purchases occur, though, it is vital for the business to know what software is installed and what licenses are owned, and the best time to collect that information is during the audit. We frequently advise our clients to use the audit inventory as a baseline for prospective compliance work and to use a list of action items based on that inventory in order to take the steps needed to sign the required, post-settlement certificate. As long as the business has minimized any changes to its computer network and has kept good records of any new or decommissioned computers in its environment, then this typically is the most efficient way to address this project. However, in some cases it may be necessary to collect a new inventory in order to be certain that the company is starting with accurate information. Management, IT teams and legal counsel should work together at this stage to determine the most appropriate way to proceed.
In a subsequent posting, I will discuss some of the mechanics of the compliance steps and what businesses should be prepared to show in the schedules that typically are attached to the compliance certificates.