Thursday, June 21, 2007

What's an acceptable "out of compliance" number?

I was privy to an interesting conversation a few weeks ago...the topic was "What level of non-compliance is acceptable?". The premise of the discussion was that being out of license on some products is to be expected, but at what level does it become an issue?

Before jumping into all sorts of morality issues, I'll stop myself and instead put this in the context of...assuming it will cost me money to prove every single license, is there a point at which I can say "under this amount is not worth the cost"?

Now, morally I don't feel there is a number greater than zero that can be acceptable. If you can't prove licensing for a single product, you owe it to yourself and the publisher who invested their time and resources into its creation to buy the product (and then keep better records).

Getting off my moral high horse, I will point out that running even a single copy of software that you can't prove licensing for is a risk to you and your organization. As with any risk to your organization, your organization's risk assessment framework should address this topic for you. But remember - you can't manage what you don't know, and you can't apply a risk assessment if you don't have the details!

What are your thoughts?


ダンスの鳥 said...

A friend of mine, now working at Microsoft, always used to say "You cannot be 'just a little bit pregnant'." That funny sentence is 100% true when we talk about unlicensed software. One pirated copy is piracy. One non-compliant copy immediately raises risks.

In Russia, where I reside, one unlicensed copy lets police arrest your equipment. Can you stand being out of business? And for USD 2000 unlicensed value you can spend 2 years in jail.

So what's an acceptable "out of compliance" number then? :)

Kris Barker, CEO, Express Metrix said...

In response to Ms. Farren's question: any amount of unlicensed software is tantamount to theft. It's like asking whether it's OK to shoplift from a dollar store. But whereas shoplifting penalties generally vary based on the value of the property stolen, even if the actual dollar value of the license deficit is low, a software vendor can sue for copyright infringement penalties of up to $150,000 per infringed-upon software title. So “trivial” offenses are not so trivial after all.

It does, however, get a bit murkier if you don't KNOW whether you're out of compliance, and you are weighing the costs of making that determination. This is where the law makes things easier for us--the law exists to promote "ethical" behavior; and in business, we have an obligation to our shareholders to ensure we are minimizing financial risk by complying with the law. If you don't know whether you're compliant, you are therefore obligated to a) ensure all employees are familiar with your policy regarding the installation of unlicensed software (i.e. zero tolerance), and b) implement processes and/or tools to help determine your license position and ensure that you're compliant on an ongoing basis. Implementing such controls should be a routine cost of doing business, plain and simple, just like tax accounting, SEC reporting, security policies, legal counsel, etc. It's exactly the kind of governance you would expect to see at any reputable company--it's meant both to enforce "ethical" behavior among workers and avoid financial liabilities that put the interests of shareholders and honest employees at risk.

No amount of unlicensed software is acceptable. It's every company's obligation to ensure that all software is legitimate; and if you become aware of an issue, there's no justification for not correcting it, no matter how trivial it may seem.