<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" >

<channel><title><![CDATA[TACTICAL LAW - Blog]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog]]></link><description><![CDATA[Blog]]></description><pubDate>Mon, 20 Apr 2026 10:41:26 -0700</pubDate><generator>Weebly</generator><item><title><![CDATA[Oracle’s Newest Java Audit Demand: Your VMware Topology — and What California Law Says About It]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/oracles-newest-java-audit-demand-your-vmware-topology-and-what-california-law-says-about-it]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/oracles-newest-java-audit-demand-your-vmware-topology-and-what-california-law-says-about-it#comments]]></comments><pubDate>Sun, 19 Apr 2026 11:20:07 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/oracles-newest-java-audit-demand-your-vmware-topology-and-what-california-law-says-about-it</guid><description><![CDATA[By Pam Fulmer&#8203;A pattern is now appearing in Oracle&rsquo;s Java licensing enforcement that every in-house counsel with an Oracle footprint needs to understand. On the sales side, Oracle is offering customers what is, in substance, a two-track choice. Customers willing to subscribe on the new per-employee Java SE Universal Subscription metric can do so without producing information about their virtualization environment. Customers who want to remain on &mdash; or return to &mdash; Oracle&rs [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br />&#8203;A pattern is now appearing in Oracle&rsquo;s Java licensing enforcement that every in-house counsel with an Oracle footprint needs to understand. On the sales side, Oracle is offering customers what is, in substance, a two-track choice. 
Customers willing to subscribe on the new per-employee Java SE Universal Subscription metric can do so without producing information about their virtualization environment. Customers who want to remain on &mdash; or return to &mdash; Oracle&rsquo;s legacy Named User Plus or Processor-based Java metrics may be required by Oracle to first disclose extensive data covering the entire VMware farm, not only the servers where Oracle software is installed or actually running. A Java licensing conversation is, in other words, being converted into a VMware full environment disclosure.<br /><br />The scope of that demand is the tell. Even under the legacy Named User Plus and Processor options, Java compliance is verified by reference to the servers where Oracle Java is actually installed and/or running. When Oracle asks for data about the full virtualized environment &mdash; including hosts that do not run Oracle software at all &mdash; the data is being collected for a different purpose. This post explains that purpose, why it is dangerous, and the California legal arguments customers can use to push back.</strong><br /><br /><strong>What Oracle Is Asking For</strong><strong>The audit-side of this pattern is now documented in the trade press. Redress Compliance has reported that Java audit letters ask for&nbsp;<a href="https://redresscompliance.com/oracle-is-terrorizing-organizations-with-java-audits/">&ldquo;a full list of all VMware or other virtualized platform hosts, whether they have Java installed or not&rdquo;</a>. House of Brick has documented Oracle asking for vCenter exports and cluster configuration data during Java audits and tying those requests back to Oracle&rsquo;s&nbsp;<a href="https://houseofbrick.com/solutions/licensing-oracle-on-vmware-everything-you-should-know-2/">aggressive position on VMware licensing</a>. 
And The Register&rsquo;s 2024 coverage of&nbsp;<a href="https://www.theregister.com/2024/06/10/fortune_200_oracle_java_audit/">Java audit letters to Fortune 100 companies</a>&nbsp;signaled the scale of the escalation.<br /><br />The structure of the choice Oracle is offering customers with meaningful Java dependencies deserves a closer look, because it functions as a Hobson&rsquo;s choice. Accepting the per-employee metric avoids any VMware inquiry, but it has made Oracle Java dramatically more expensive for most enterprises than the legacy arrangements. Declining that metric in favor of Named User Plus or Processor-based licensing may require the customer to hand over data on the full VMware environment &mdash; including hosts that have nothing to do with Oracle software. And walking away from Oracle Java altogether is, for many customers, not a short-term option: a disciplined migration to OpenJDK or another supported distribution takes time, requires engineering and testing work, and introduces business risk that cannot be absorbed on Oracle&rsquo;s negotiation timeline.<br /><br />Customers have understandably balked at the VMware-disclosure path. Producing whole-farm topology to Oracle at any stage of a Java engagement raises the risk that the inquiry will expand beyond Java, or that Oracle will use the data to assert compliance claims about other Oracle products running in the same environment &mdash; most obviously Oracle Database. 
That is the subscription-side extension of the pattern we described in&nbsp;<a href="https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-java-licensing-enforcement-how-friendly-outreach-is-driving-significant-compliance-risk">&ldquo;Oracle Java Licensing Enforcement: How &lsquo;Friendly Outreach&rsquo; Is Driving Significant Compliance Risk&rdquo;</a>&nbsp;and in&nbsp;<a href="https://www.tacticallawgroup.com/oracle-software-audit-blog/how-oracle-uses-online-agreements-for-free-software-to-trap-companies-into-paying-large-licensing-penalties-the-hidden-costs-of-oracle-java-se-and-virtualbox-software">&ldquo;How Oracle Uses Online Agreements for &lsquo;Free Software&rsquo; to Trap Companies&rdquo;</a>: Oracle&rsquo;s outreach is not just pre-litigation intake &mdash; in some instances it has become pre-audit intake, with the subscription transaction itself used as the lever.</strong><br /><br /><strong>Why It Is Dangerous</strong><strong>The purpose of the VMware request is Oracle&rsquo;s long-running &ldquo;soft partitioning&rdquo; position on database licensing &mdash; the whitepaper theory, never codified in customer agreements, that any physical core in a VMware cluster where Oracle software could theoretically run must be fully licensed. In its more aggressive expressions, Oracle maintains that every host connected to the same vCenter, or reachable by vMotion, must be licensed for any Oracle software running anywhere in the environment. For a customer running a modest Oracle Database footprint on a large VMware estate, the resulting compliance gap is often very large.<br /><br />That position has never been tested by a court ruling, and independent specialists &mdash; House of Brick prominent among them &mdash; have argued forcefully that Oracle&rsquo;s soft-partitioning theory is inconsistent with how VMware actually works. But the economic pressure to settle rather than litigate is enormous, and Oracle knows it. 
A customer who hands over complete vCenter topology during a Java audit has, in practical terms, already pre-calculated the database compliance claim Oracle will assert three months later. The Java audit is the delivery vehicle. The database claim is the payload.</strong><br /><br /><strong>California Legal Arguments That Matter</strong><strong>For Oracle customers &mdash; many of whom operate under Oracle agreements that select California law by an express choice-of-law provision &mdash; California provides a particularly strong toolkit for pushing back on this conduct. As California lawyers, we are intimately familiar with this toolkit.<br />&#8203;<br />The Unfair Competition Law, Business &amp; Professions Code &sect; 17200, is the most flexible and most important of those tools. Section 17200 prohibits any &ldquo;unlawful, unfair, or fraudulent business act or practice.&rdquo; The &ldquo;unfair&rdquo; prong reaches conduct that violates public policy or causes substantial injury, even where no specific statute has been violated. Conditioning the sale of a Java subscription &mdash; priced on a metric entirely unrelated to virtualization &mdash; on the customer&rsquo;s disclosure of VMware topology that will predictably be used to construct a separate, much larger claim appears to fit the &ldquo;unfair&rdquo; framework cleanly. Post-Proposition 64, a UCL plaintiff must show actual injury; a customer who paid an inflated subscription price, or who was forced into a database compliance settlement the disclosure made possible, can satisfy that requirement.<br /><br />The implied covenant of good faith and fair dealing is a second, and often underused, angle. Every California contract includes an implied covenant prohibiting either party from acting to deprive the other of the benefits of the bargain. 
When Oracle invokes the audit clause from one agreement &mdash; an Oracle Master Agreement, a database OLSA, or an OTN license &mdash; to extract information whose only function is to build claims under a separate product line, the implied covenant may be available as a basis for a claim. Audit rights exist to verify compliance with the agreement that granted them. Using them as reconnaissance for a different product&rsquo;s claims is not what the parties agreed to, and California courts take that distinction seriously.<br /><br />Finally, economic duress. California recognizes the doctrine where one party uses a wrongful act or threat to force another into a transaction it would otherwise refuse, and where the coerced party has no reasonable alternative.&nbsp;<em>Rich &amp; Whillock, Inc. v. Ashton Development, Inc</em>. (1984) 157 Cal.App.3d 1154 remains the foundational authority. The choice Oracle is presenting &mdash; an expensive new metric, or a whole-VMware farm disclosure that will foreseeably build claims elsewhere, or abandoning a business-critical platform on an infeasible timeline &mdash; fits that framework. Most often the scope of Oracle&rsquo;s demanded disclosure has no legitimate relationship to the Java transaction, and a customer whose Java dependencies cannot be unwound on Oracle&rsquo;s timeline has no reasonable alternative. Duress is a particularly valuable defense because it attacks the enforceability of any settlement Oracle later extracts from data produced under coercion.</strong><br /><br /><strong>What To Do When the Pattern Appears</strong><strong>A few practical steps apply whether the demand arrives in a formal audit letter, a GLAS follow-up, or a sales-team email holding up a subscription quote. Stop providing VMware information in any Java communication. 
Demand in writing that Oracle identify the specific contract clause authorizing the request and the specific Oracle product whose compliance is being verified; if Oracle cannot answer, the request is a fishing expedition. Document any conditioning of a subscription sale on disclosure &mdash; that documentation is the foundation of any UCL, implied-covenant, or duress argument later. And involve counsel before information leaves the company. Early, counsel-led responses are the single strongest predictor of a favorable outcome in this pattern.</strong><br /><br /><br /><strong>Closing Thought</strong><strong>The Java audit is increasingly not about Java. Oracle&rsquo;s enforcement program is a data-gathering operation with a sales objective attached, and the whole-farm VMware demand is the most aggressive expression of that strategy we have yet seen. California law gives customers real tools to resist it &mdash; but those tools only work if the customer reaches for them before the data has been delivered.<br />&nbsp;<br /><br /><em>Tactical Law Group LLP represents enterprise software licensees in Oracle and other software publisher licensing matters, audit defense, and commercial negotiations. Nothing in this post is legal advice or a comment on the specific circumstances of any customer or transaction. 
If your organization is facing an Oracle Java audit &mdash; or is being told a Java subscription is conditioned on VMware or other environmental disclosure &mdash; please contact us directly.</em></strong></div>]]></content:encoded></item><item><title><![CDATA[2026--The Year Oracle's Java Audits Get Real]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/2026-the-year-oracles-java-audits-get-real]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/2026-the-year-oracles-java-audits-get-real#comments]]></comments><pubDate>Sun, 19 Apr 2026 09:36:54 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/2026-the-year-oracles-java-audits-get-real</guid><description><![CDATA[By Pam FulmerFor three years, we have been writing about Oracle&rsquo;s Java licensing enforcement as a slow-motion campaign &mdash; one that began with &ldquo;friendly&rdquo; compliance emails, continued through a series of escalating sales-team overtures, and rarely produced a formal audit letter. That campaign is now changing character. In 2026, the soft outreach is giving way to formal audit notices issued under Oracle&rsquo;s license management function &mdash; what used to be called LMS, a [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br />For three years, we have been writing about Oracle&rsquo;s Java licensing enforcement as a slow-motion campaign &mdash; one that began with &ldquo;friendly&rdquo; compliance emails, continued through a series of escalating sales-team overtures, and rarely produced a formal audit letter. That campaign is now changing character. 
In 2026, the soft outreach is giving way to formal audit notices issued under Oracle&rsquo;s license management function &mdash; what used to be called LMS, and is now branded Global Licensing and Advisory Services, or GLAS. The letters are arriving. They look and feel different from what Oracle Java customers have seen for the last several years. And the pattern of who is getting them is not random.<br /><br />Our view, which we have previewed in earlier posts, is that this moment has been structurally inevitable since early 2023 &mdash; the year Oracle replaced its prior Java SE subscription with the Java SE Universal Subscription, a per-employee model that made Java dramatically more expensive for most enterprises and fundamentally changed Oracle&rsquo;s enforcement economics. This post explains why the formal audits are finally here, what they actually look like, and what Oracle Java customers should be doing before &mdash; or, if the letter has already arrived, during &mdash; the audit.<br /><br /><font size="4">How We Got Here</font><br />The current story starts with Oracle&rsquo;s decision, announced in January 2023, to move Java SE off a per-user and per-processor model and onto a per-employee model covering every employee, contractor, and agent of a subscribing entity &mdash; whether or not they actually use Java. We wrote about the immediate commercial effect in <a href="https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-changes-java-se-licensing-rules-and-prices-explode" target="_blank">Oracle Changes Java SE Licensing Rules and Prices Explode</a>, and the practical upshot has not changed: for most enterprises the cost of Oracle Java increased dramatically, in many cases by a multiple of what the prior subscription had charged. Many companies concluded, reasonably, that the new model was not for them. They began evaluating OpenJDK, Amazon Corretto, Azul Zulu, and other supported alternatives. Some migrated. 
Some did not.<br /><br />What happened next was not a quiet period. It was a campaign. As we described in <a href="https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-java-licensing-enforcement-how-friendly-outreach-is-driving-significant-compliance-risk?utm_source=mondaq&amp;utm_medium=syndication&amp;utm_content=sourceoriginal&amp;utm_campaign=" target="_blank">Oracle Java Licensing Enforcement: How &ldquo;Friendly Outreach&rdquo; Is Driving Significant Compliance Risk</a>, Oracle&rsquo;s sales and compliance teams began contacting organizations with pointed but informal questions about their Java deployments. Those inquiries were frequently positioned as helpful &mdash; an offer to &ldquo;clarify&rdquo; licensing status, or a suggestion that the company might qualify for a &ldquo;special transition&rdquo; subscription. In Warning to Oracle Customers: Don&rsquo;t Be Fooled By Oracle&rsquo;s Java Playbook, we explained why that framing was &mdash; and is &mdash; dangerous. The calls and emails were not customer service. They were pre-litigation intake.<br /><br /><font size="4">Why the Formal Audits Are Finally Coming</font><br />Three things have changed in 2025 and 2026 that are now driving formal audit letters in volume.<br />&#8203;<br />First, Oracle has had three years to gather data. As we discussed in <a href="https://www.tacticallawgroup.com/oracle-software-audit-blog/how-oracle-uses-online-agreements-for-free-software-to-trap-companies-into-paying-large-licensing-penalties-the-hidden-costs-of-oracle-java-se-and-virtualbox-software" target="_blank">How Oracle Uses Online Agreements for &ldquo;Free Software&rdquo; to Trap Companies</a>, Oracle tracks downloads of Java binaries in detail &mdash; IP addresses, corporate domain associations, download timestamps, and whatever account information was used at download. 
It also logs the automatic update check-ins made by every installed copy of Oracle Java that has not been affirmatively disconnected from Oracle&rsquo;s servers. Three years of that telemetry, cross-referenced against whatever the friendly outreach emails extracted from the company directly, is now a usable audit foundation. The companies Oracle is sending formal letters to in 2026 are not being chosen at random.<br /><br />Second, the soft-outreach stonewall has produced a target list. Companies that responded to the friendly outreach by buying the subscription on Oracle&rsquo;s terms were never going to receive a formal audit letter &mdash; they were already paying. Companies that simply did not respond, or that responded with a polite &ldquo;we use non-Oracle Java,&rdquo; were implicitly telling Oracle that the only way to convert them was through the audit clause in their existing Oracle agreements or through the click-wrap terms they accepted when they downloaded Oracle Java. Three years later, that target list is mature.<br /><br />Third, Oracle has business reasons to push harder now. As we wrote in our recent coverage of the Rimini Street settlement, Oracle&rsquo;s financial story has pivoted to a cloud and AI infrastructure business whose margins are widely understood to be thinner than its legacy support business. The support and subscription revenue line &mdash; the line that includes the Java SE Universal Subscription &mdash; has become more, not less, critical to Oracle&rsquo;s investor narrative. Converting long-resistant Java customers into subscription customers, via audit, is directly aligned with that strategy.<br /><br />There is a fourth factor worth naming separately. We have seen an emerging pattern &mdash; which we flagged earlier and which the trade press has since confirmed &mdash; of Oracle declining to sell Java subscriptions to certain customers unless those customers first disclose detailed usage and employee-count information. 
In some instances, companies that tried to buy their way into compliance have been told, in effect, that compliance is not available to them without first producing the data that typically comes out of an audit. That is not a sales process. It is a structure for manufacturing non-compliance, and in-house counsel should treat it as such.<br /><br /><font size="4">What a Formal Java Audit Letter Looks Like</font><br />The formal audit letters arriving in 2026 look meaningfully different from the outreach emails that preceded them. They are typically addressed to a named C-suite executive &mdash; CIO, CFO, or General Counsel &mdash; and signed by an Oracle GLAS representative rather than a salesperson. They cite an audit clause either in the company&rsquo;s existing Oracle Master Agreement (if the company holds other Oracle products) or in the Oracle Technology Network License Agreement that governed the original Java download. They name an audit window &mdash; commonly forty-five days &mdash; and specify whether the review will be conducted directly by GLAS or through a designated third-party auditor. And they set an expansive scope: global employee counts, deployments by version, installation inventories, virtualization and cloud environments, and anything Oracle believes relates to its employee-metric calculation. For readers who want a deeper walk through how Oracle conducts these engagements generally, our earlier post Oracle Knows More About You Than You Think: Lessons from Oracle v. Kelkar remains directly on point.<br /><br /><font size="4">What Oracle Java Customers Should Be Doing Now</font><br />Whether or not a formal letter has already arrived, a few things are worth doing now.<br />Inventory your own Java deployments before Oracle tells you what they are. 
The most damaging audit outcomes we see are the ones where the company learns the size of its Java footprint from Oracle &mdash; usually at a moment when the company has lost most of its negotiating leverage. Counsel-led internal discovery, done under privilege, almost always produces a more favorable result.<br /><br />Understand which license terms actually govern your Java usage. Not every Java installation is governed by the same agreement. Versions and licenses have changed several times since 2019, and what you downloaded in 2018 is almost certainly not what you downloaded in 2024. Older, more permissive license grants still exist in many environments. Identifying them is often the single most important step in a Java audit defense.<br /><br />Do not respond to &ldquo;friendly outreach&rdquo; without counsel. The consistent pattern we see is that informal responses to Oracle&rsquo;s pre-audit inquiries become the foundation of the formal audit that follows. If an email from an Oracle Java team member has landed in your inbox and you have not yet responded, treat it the way you would treat a preservation letter.<br /><br />If the formal audit letter has arrived, assert the procedural protections you are entitled to. Oracle audit clauses are negotiable in practice, even if they look one-sided on the page. Scope, timeline, choice of auditor, and handling of proprietary data are all areas where experienced counsel can substantially change the trajectory of an audit.<br />&#8203;<br /><font size="4">Closing Thought</font><br />None of this was unpredictable. We wrote, in Java Audits Likely Will Increase as Oracle Seeks to Move Java Users onto its Total Employee Metric, that the shift to the employee metric would eventually produce a wave of formal audits, and that the quiet soft-outreach period was not a feature of Oracle&rsquo;s enforcement posture but a phase of it. That phase is now closing. 
The companies that treated the last three years as a chance to prepare &mdash; to inventory, to analyze their contracts, and to reduce their dependence on Oracle Java where alternatives exist &mdash; are in a materially stronger position than those that assumed the outreach would simply go away. It did not. It never does.<br /><br /><em>Tactical Law Group LLP represents enterprise software licensees in Oracle and SAP licensing matters, audit defense, and commercial negotiations. Nothing in this post is legal advice. If an Oracle audit letter has arrived at your organization &mdash; or if you are receiving the &ldquo;friendly&rdquo; pre-audit emails that tend to precede one &mdash; please contact us directly.</em></strong></div>]]></content:encoded></item><item><title><![CDATA[The Oracle-Rimini Settlement and What it Means for Oracle Customers]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/the-oracle-rimini-settlement-and-what-it-means-for-oracle-customers]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/the-oracle-rimini-settlement-and-what-it-means-for-oracle-customers#comments]]></comments><pubDate>Fri, 17 Apr 2026 14:17:20 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/the-oracle-rimini-settlement-and-what-it-means-for-oracle-customers</guid><description><![CDATA[By Pam FulmerWhen Oracle and Rimini Street announced their confidential settlement in July 2025, the headlines framed the moment as the quiet close of a decade-plus copyright saga. For the lawyers who lived through the case, that was certainly true. But for the Oracle customers who have watched this litigation from the sidelines &mdash; often while writing twenty-two-percent-of-license-cost checks to Oracle each year &mdash; the settlement is not the end of anything. It is the beginning of a new [...] 
]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br />When Oracle and Rimini Street announced their confidential settlement in July 2025, the headlines framed the moment as the quiet close of a decade-plus copyright saga. For the lawyers who lived through the case, that was certainly true. But for the Oracle customers who have watched this litigation from the sidelines &mdash; often while writing twenty-two-percent-of-license-cost checks to Oracle each year &mdash; the settlement is not the end of anything. It is the beginning of a new round of questions about who controls the cost of enterprise software support, and who is going to pay for it.<br /><br />We have written before about the litigation and the Ninth Circuit&rsquo;s December 2024 opinion that forced the parties to the table. This post is about what comes next. The short version: the Ninth Circuit handed Oracle a loss on the law. The settlement handed Oracle something it arguably wanted more &mdash; a clear off-ramp for one of the largest pools of customers who had found a cheaper alternative to Oracle&rsquo;s support machine. The question Oracle customers should be asking is whether that trade will show up in their renewal invoices.</strong><br /><br /><strong><font size="4">A Quick Refresher</font></strong><br /><strong>The settlement has three load-bearing pieces: Oracle returned approximately $37.8 million of the attorneys' fees the lower court awarded to Rimini Street; Rimini agreed to wind down its third-party support for Oracle PeopleSoft by July 31, 2028; and both sides dropped their remaining claims with neither admitting wrongdoing. The parties reached this deal after the Ninth Circuit vacated nearly every material copyright ruling against Rimini, reversed the Lanham Act judgment, and set aside the injunction. 
The court called the district court&rsquo;s reading of &ldquo;derivative work&rdquo; &ldquo;hopelessly overbroad,&rdquo; and held that &ldquo;mere interoperability isn&rsquo;t enough&rdquo; &mdash; a party must actually, substantially incorporate copyrighted material to infringe the right to prepare a derivative work. On the law, the third-party support industry walked out of the Ninth Circuit in a stronger position than it walked in. Which is precisely why the settlement terms &mdash; and the PeopleSoft wind-down specifically &mdash; are interesting.</strong><br /><br /><strong><font size="4">Oracle&rsquo;s Support Business, and Why It Matters Here</font></strong><br /><br /><strong>Anyone who has read Oracle&rsquo;s recent annual reports understands a simple fact: the company&rsquo;s revenue is no longer dominated by new software license sales. The overwhelming majority of what Oracle takes in every year comes from cloud services, subscriptions, and &mdash; critically for this discussion &mdash; license support. Support and subscription revenue is not a sideline for Oracle. It is the business. And it is a remarkably profitable one. Software support &mdash; the recurring fee Oracle collects in exchange for patches, bug fixes, and portal access &mdash; carries famously high margins by enterprise software standards, meaningfully above Oracle&rsquo;s already-robust overall margin. When you compound those margins over decades of paid-up license bases, you see why Oracle&rsquo;s investor story has for years been less about selling new software and more about keeping the existing customer base inside the paying support tent.<br /><br />The mechanics are worth spelling out. 
Oracle&rsquo;s standard Premier Support fee is twenty-two percent of the net license fee, charged annually &mdash; a figure codified in Oracle&rsquo;s own published support policies, which also reserve Oracle&rsquo;s right to raise that fee annually based on &ldquo;inflationary&rdquo; adjustments Oracle itself sets. Historically modest, those annual uplifts have in recent years trended meaningfully higher than conventional inflation. Over a ten-year horizon on a large license base, the compounding effect is substantial &mdash; the difference between a support budget that stays roughly flat in real terms and one that quietly doubles.</strong><br /><br /><strong><font size="4">Why the Settlement Terms Favor Oracle, Even If the Law Did Not</font></strong><br /><strong>Read against that financial backdrop, the 2028 PeopleSoft sunset is not a footnote. It is the point. PeopleSoft is a mature product set Oracle acquired in 2005. Many PeopleSoft customers have paid-up perpetual licenses, no interest in migrating to an Oracle cloud suite on Oracle&rsquo;s timeline, and every reason to keep their existing systems running on a leaner support contract. That profile &mdash; stable, installed, resistant to re-platforming &mdash; is exactly what third-party support is built for, and exactly what is most valuable to Oracle if it can be kept on Oracle Premier Support for as long as possible. By securing a firm date by which one of the largest third-party support providers will stop supporting PeopleSoft, Oracle has effectively put a clock on a slice of the third-party support market it cares about most. Those customers will be deciding between 2026 and 2028 whether to return to Oracle support, move to another third-party provider, accelerate a replatforming project, or run unsupported.<br /><br />Nothing in the Ninth Circuit opinion compelled that outcome. 
The court&rsquo;s holding cuts the other way &mdash; it makes copyright doctrine a harder tool for Oracle to use against third-party support providers. What the settlement did is trade a legal theory that was failing in court for a commercial concession extracted at the bargaining table. A rational outcome for a sophisticated plaintiff. But worth looking at clearly from the customer&rsquo;s side.<br /><br />A note on Rimini: we have enormous respect for the role the company has played &mdash; and continues to play &mdash; in giving Oracle and SAP customers a meaningful alternative to vendor support. Rimini did not lose this litigation in any conventional sense. The company vindicated the legality of independent third-party support at the Ninth Circuit, survived a fifteen-year campaign from one of the best-resourced plaintiffs in technology, and continues to serve thousands of customers across Oracle, SAP, and other enterprise software product families. The PeopleSoft wind-down is a defined, manageable transition. The narrower question for Oracle customers is not whether Rimini survived &mdash; it is whether Oracle&rsquo;s pricing leverage on its most captive installed base just got stronger.</strong><br /><br /><strong><font size="4">The Pricing Question</font><br />&#8203;</strong><strong>There are two plausible reads on what happens to Oracle support pricing over the next three to five years.<br /><br />The optimistic read: the third-party support market is bigger and more robust than ever, with more credible providers serving more customers across more product lines than when the Rimini litigation began. Competitive pressure &mdash; from Spinnaker Support, Support Revolution, Rimini itself, and others &mdash; keeps Oracle from pushing support fees arbitrarily without accelerating customer defections. The twenty-two-percent fee plus modest annual uplifts stays roughly where it is.<br /><br />The cautious read: the PeopleSoft sunset is a signal. 
For those customers specifically, Oracle now has a defined window in which a meaningful share will be forced to make a decision, with every incentive to make the return-to-Oracle option attractive up front while positioning for price increases once those customers are back inside the tent. More broadly, if Oracle concludes that commercial-term negotiations with third-party providers can substitute for a failing copyright strategy, similar dynamics may play out in other product lines. And Oracle&rsquo;s public posture is not subtle: its reliance on support and subscription revenue is increasing as its growth narrative pivots to cloud and AI infrastructure whose margins are widely understood to be thinner. When margins compress in one place, there is a natural pull on management to protect margins elsewhere.<br /><br />We do not yet know which read is closer to right. But customers who assume the settlement is simply &ldquo;news&rdquo; &mdash; a 2025 storyline requiring no action &mdash; are taking a position that the next three years of renewal cycles may test.</strong><br /><br /><strong><font size="4">What This Means for Oracle Customers</font><br />&#8203;</strong><strong>A few things flow from all of this. First, the legal ground under third-party support is firmer, not softer, after the Ninth Circuit opinion &mdash; customers still hesitant about the legal risk should understand the highest recent appellate statement runs the other way. Second, PeopleSoft customers on Rimini support should be planning now, not in 2027; a thoughtful transition takes longer than most organizations expect and benefits from being planned before leverage shifts toward the deadline. Third, every Oracle renewal conversation from here forward is a pricing conversation, and customers who want to hold the line need to build leverage well before the renewal window. 
Finally &mdash; and this is the piece our firm spends the most time on &mdash; the support-cost question is inseparable from the audit-risk question. Oracle&rsquo;s audit practice and its support renewal practice are two sides of the same revenue engine, and serious customers have to manage both together.<br /><br />The Rimini Street settlement is, narrowly, a story about one provider and one product line. Broadly, it is a story about who bears the cost of Oracle&rsquo;s transition to being an AI-and-cloud company financed by a support annuity business. The Ninth Circuit made clear that copyright law is not going to do that work for Oracle. The settlement shows that commercial leverage might. None of this is reason to panic. It is reason to stop treating enterprise software support as a fixed cost line that simply renews itself each year &mdash; and to start treating it as a contract that is actively managed, aggressively negotiated, and regularly benchmarked against a growing and legally-vindicated ecosystem of alternatives. The customers who engage early keep control of their own budgets.<br />&nbsp;<br /><br /><em>Tactical Law Group LLP advises enterprise software licensees on Oracle and SAP licensing, audit defense, and commercial negotiations. Nothing in this post is legal advice. If you have questions about your organization&rsquo;s Oracle support or audit posture, please contact us directly.</em></strong></div>]]></content:encoded></item><item><title><![CDATA[Oracle Knows More About You Than You Think: Lessons from Oracle v. 
Kelkar]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-knows-more-about-you-than-you-think-lessons-from-oracle-v-kelkar]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-knows-more-about-you-than-you-think-lessons-from-oracle-v-kelkar#comments]]></comments><pubDate>Tue, 14 Apr 2026 10:12:35 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-knows-more-about-you-than-you-think-lessons-from-oracle-v-kelkar</guid><description><![CDATA[By Pam Fulmer On April 9, 2026, Oracle filed a federal lawsuit in the Eastern District of North Carolina against its former employee, Pravin Kelkar, alleging trade secret misappropriation and breach of contract. The case,&nbsp;Oracle America, Inc. v. Kelkar (Case No. 5:26cv236), reads like a corporate thriller: a terminated employee threatening to sell Oracle's proprietary databases to the highest bidder. But buried inside the drama is a revelation that should concern every Oracle customer. Oracle [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br />On April 9, 2026, Oracle filed a federal lawsuit in the Eastern District of North Carolina against its former employee, Pravin Kelkar, alleging trade secret misappropriation and breach of contract. The case,&nbsp;<em>Oracle America, Inc. v. Kelkar</em> (Case No. 5:26cv236), reads like a corporate thriller: a terminated employee threatening to sell Oracle's proprietary databases to the highest bidder. But buried inside the drama is a revelation that should concern every Oracle customer.
Oracle's own Complaint lays out, in remarkable detail, just how much information Oracle collects about its customers and how central that data is to Oracle's sales machine.<br /><br /><font color="#24678d" size="4">What the Complaint Alleges</font><br />Pravin Kelkar worked at Oracle for over five years, most recently in a sales operations role supporting Oracle's Life Sciences businesses. When Mr. Kelkar got caught up in Oracle&rsquo;s recent massive layoff (Oracle eliminated his position on March 31, 2026), the Complaint alleges that Kelkar responded by sending threatening messages to Oracle's HR team and senior executives. He claimed to have transferred Oracle's entire "install base" database to a personal device and threatened to sell it to Oracle's competitors unless Oracle met his demands for two years of full salary, benefits, and immediate vesting of his restricted stock units.<br /><br />Oracle attempted to resolve the matter without litigation, contacting Kelkar by letter and phone, requesting that he return the data and submit his personal devices for forensic inspection. Kelkar refused to fully cooperate, at one point claiming his threats were made "in jest," while simultaneously declining to return the materials or allow an inspection. Oracle filed suit nine days later, seeking emergency injunctive relief under the Defend Trade Secrets Act.<br /><br /><font color="#24678d" size="4">The Real Story: What Oracle Considers Its "Install Base"</font><br />The most revealing aspect of this Complaint is not Kelkar's conduct.
It is Oracle's own detailed description of what its "install base" databases contain and why Oracle considers them to be among its most valuable trade secrets.<br /><br />According to Oracle's Complaint, the install base databases include granular, confidential details about Oracle's customer relationships, covering information such as which products and services each customer uses, where those products are deployed, confidential pricing and contract terms, support identifier numbers for each customer, sales history broken down by fiscal quarter and week, product-use information, contract status and renewal timing, forecast and pipeline information, account ownership and sales representative contact information, and facility or site-level deployment details.<br /><br />Oracle maintains separate install base databases for its North America region, its Oracle Health business (formed after Oracle's 2022 acquisition of Cerner Corporation), and its Fusion product lines. The company describes these databases as representing years of ongoing development, built and maintained at substantial time, effort, and expense by its sales and operations teams.<br /><br />Oracle's Complaint explains that these databases exist for a specific purpose: to provide Oracle's sales and operations teams with the information they need to facilitate the maintenance and growth of customer relationships, track sales and renewal schedules, and provide critical data on software revenue and profitability. In other words, Oracle is not simply storing this data for record-keeping. It is actively using it to drive sales strategy, identify upsell and cross-sell opportunities, and time its outreach around contract renewals.<br /><br /><font color="#24678d" size="4">Why This Should Concern Oracle Customers</font><br />Oracle's Complaint makes clear that the company views its customer data as a competitive weapon. 
Oracle itself alleges that a competitor could use this information to uproot its customers by reviewing what products they use, what their impending needs are, what prices they pay, and when their contracts end.<br /><br />Turn that sentence around: if a competitor could use this data to target Oracle's customers, Oracle itself is certainly using this same data to target its own customers for additional sales. Oracle knows what you have deployed, what you are paying, when your contracts come up for renewal, and what your usage patterns look like. That is an extraordinary informational advantage in any negotiation.<br /><br />For Oracle customers, the implications are significant. Every interaction with an Oracle sales representative, every support ticket, every deployment discussion is potentially feeding a database that Oracle uses to craft its sales approach. When Oracle contacts you about a renewal or a new product offering, it is not making a cold call. It is working from a detailed dossier on your entire Oracle footprint.<br /><br /><font color="#24678d" size="4">What Companies Should Do</font><br />The&nbsp;<em>Oracle v. Kelkar</em>&nbsp;case is a wake-up call for any organization running Oracle software. Oracle is meticulously tracking your data, and it is using that data to maximize its revenue from your account. Companies that want to level the playing field should consider the following steps.<br /><br /><font color="#24678d">Control the flow of information to Oracle.</font>&nbsp;Establish clear internal policies about what employees can and cannot share with Oracle sales representatives. Not every conversation needs to include details about your deployment plans, budget cycles, or technology roadmap. 
Train your teams to understand that information shared with Oracle does not disappear; it goes into a database.<br /><br /><font color="#24678d">Centralize your Oracle relationship</font>.&nbsp;Designate a small team or a single point of contact responsible for managing Oracle communications. This prevents Oracle from gathering intelligence across multiple departments and assembling a more complete picture of your organization than any one person intended to provide.<br /><br /><font color="#24678d">Understand your contractual position before Oracle does.</font>&nbsp;Oracle knows your renewal dates, your pricing history, and your deployment footprint. You should know these things at least as well as Oracle does. Conduct regular internal audits of your Oracle estate so that you are never negotiating from a position of informational disadvantage.<br /><br /><font color="#24678d">Be strategic about support and deployment conversations</font>.&nbsp;Technical support interactions and implementation discussions can reveal information about how you use Oracle products, where you are experiencing growth, and what your future needs might look like. Be thoughtful about what details are shared and through which channels.<br />&#8203;<br /><font color="#24678d">Engage experienced counsel before Oracle comes knocking.</font>&nbsp;Whether you are facing an audit, negotiating a renewal, planning a migration, or simply trying to understand your rights under your existing agreements, having advisors who understand Oracle's playbook can make an enormous difference in outcomes.<br /><br /><font color="#24678d" size="4">How Tactical Law Can Help</font><br />At Tactical Law, we have deep experience advising companies on their Oracle relationships. 
We understand how Oracle structures its sales organization, how it uses customer data to drive its licensing and audit strategies, and how companies can protect themselves from being outmaneuvered.<br /><br />Whether you are preparing for an Oracle license audit, negotiating a complex renewal, evaluating a migration to Oracle Cloud or away from Oracle entirely, or simply trying to get a handle on your current Oracle exposure, our team can help you develop a strategy that protects your interests and your budget.<br /><br />Oracle has a database full of information about you. We help you make sure the playing field is level.<br />&#8203;<br /><font color="#24678d">Contact Tactical Law today</font>&nbsp;to learn how we can help your organization take control of its Oracle relationship.<br /><br /><br /><em>Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. The discussion of Oracle v. Kelkar is based on allegations contained in the publicly filed Complaint and does not represent findings of fact by any court.</em></strong><br /><br /></div>]]></content:encoded></item><item><title><![CDATA[Is SAP Using Its Audit Rights to Drive Your Next Purchase?]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/is-sap-using-its-audit-rights-to-drive-your-next-purchase]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/is-sap-using-its-audit-rights-to-drive-your-next-purchase#comments]]></comments><pubDate>Fri, 10 Apr 2026 11:00:26 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/is-sap-using-its-audit-rights-to-drive-your-next-purchase</guid><description><![CDATA[By Pam FulmerThis is the first in a series of articles from Tactical Law examining the SAP licensing landscape and what it means for your organization.If your company runs SAP, there's a good chance you'll 
face a license audit in the next few years &mdash; and the outcome may cost you far more than you expect.SAP's license audit program has become one of the company's most effective tools for generating new revenue. Buried in most SAP contracts is a clause granting SAP the right to review your l [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br /><em>This is the first in a series of articles from Tactical Law examining the SAP licensing landscape and what it means for your organization.</em><br /><br />If your company runs SAP, there's a good chance you'll face a license audit in the next few years &mdash; and the outcome may cost you far more than you expect.<br /><br />SAP's license audit program has become one of the company's most effective tools for generating new revenue. Buried in most SAP contracts is a clause granting SAP the right to review your license compliance, typically on an annual basis. While not every customer is audited every year, SAP's Global License Audit &amp; Compliance team selects targets strategically &mdash; and when they come knocking, the financial stakes can be significant.<br />&#8203;<br /><font color="#da8044" size="4">How the Audit Becomes a Sales Conversation</font><br />Here's what many SAP customers don't realize until they're in the middle of it: an audit finding isn't a fine. It's the opening move in a negotiation.<br /><br />When SAP identifies a licensing shortfall &mdash; whether that's too many users, the wrong user classifications, or unlicensed system integrations &mdash; the compliance team works in coordination with SAP's sales organization. The shortfall creates urgency. The sales team then presents the remedy: additional licenses, a conversion to RISE with SAP, adoption of a new licensing model, or an expanded cloud subscription. 
Customers mid-migration to S/4HANA are particularly exposed, because they're already committed to a massive project and have limited leverage to push back.<br /><br /><font color="#da8044" size="4">Where SAP Focuses Its Audits</font><br />SAP's audit teams have become increasingly sophisticated about where they look. Four areas dominate current audit activity:<br /><br />Indirect access&nbsp;is the most consequential. Whenever a third-party system &mdash; your e-commerce platform, CRM, supplier portal, or any external application &mdash; reads from or writes to SAP, SAP takes the position that those interactions require licensing. Under their Digital Access model, this is measured by counting business documents like sales orders and invoices created by outside systems. For companies with heavily integrated environments, the exposure can be substantial.<br /><br />User classification&nbsp;is another frequent finding. SAP licenses are tiered by the transactions a user is permitted to run, and each tier carries a different price. If an employee classified at a lower tier has executed even a single transaction reserved for a higher tier, SAP will argue that person should have been licensed at the more expensive level &mdash; across your entire user base, these reclassifications add up quickly.<br /><br />S/4HANA migration compliance&nbsp;has become a major focus as SAP's 2027 end-of-support deadline for the older ECC system approaches. Companies running both systems in parallel during migration face the risk of double-counting licenses, and SAP's licensing metrics change between ECC and S/4HANA &mdash; meaning what was compliant under the old system may not be under the new one.<br /><br />HANA memory consumption&nbsp;rounds out the list. 
As data volumes grow, SAP checks whether your actual database memory usage exceeds what you've licensed.<br /><br /><font color="#da8044" size="4">Why This Matters Now</font><br />The 2027 ECC end-of-support deadline is accelerating everything. Every company still running the older SAP system faces a decision &mdash; migrate to S/4HANA, move to SAP's cloud offering, or find an alternative. SAP's audit activity tends to intensify during these transition windows, because customers facing a deadline are far more likely to settle compliance disputes quickly in exchange for favorable migration terms.<br /><br />In short, the audit isn't just about compliance. It's a strategically timed part of SAP's commercial playbook.<br />&#8203;<br /><font color="#da8044" size="4">How Tactical Law Can Help</font><br />Navigating an SAP audit requires a clear understanding of your contractual rights, your actual usage patterns, and SAP's negotiating tactics. Many organizations go into these conversations underinformed and come out having agreed to terms they didn't need to accept.<br /><br />Tactical Law works with companies to evaluate their licensing exposure, prepare for audit engagements, and negotiate from a position of knowledge rather than surprise.<br /><br />Whether you're facing an active audit, planning an S/4HANA migration, or simply want to understand where you stand, we can help you see the full picture before SAP defines it for you.<br /><br /><em>&#8203;Have questions about your SAP licensing situation? 
Contact us to start a conversation.</em></strong><br /><br /></div>]]></content:encoded></item><item><title><![CDATA["You Have to Keep Paying No Matter What" — Why That Clause in Your Oracle Financing Agreement May Not Be Enforceable in California]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/you-have-to-keep-paying-no-matter-what-why-that-clause-in-your-oracle-financing-agreement-may-not-be-enforceable-in-california]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/you-have-to-keep-paying-no-matter-what-why-that-clause-in-your-oracle-financing-agreement-may-not-be-enforceable-in-california#comments]]></comments><pubDate>Thu, 26 Mar 2026 11:51:21 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/you-have-to-keep-paying-no-matter-what-why-that-clause-in-your-oracle-financing-agreement-may-not-be-enforceable-in-california</guid><description><![CDATA[ By Pam FulmerIf your business financed an Oracle NetSuite ERP implementation through Oracle Credit Corporation or Oracle America, Inc. and received a collection demand from Banc of America Leasing &amp; Capital, LLC or Bank of America N.A., or another bank, you may have been told that you must keep making payments even if the software was never delivered, never worked, or was sold to you through misrepresentation. There are ways to attack the clause under California law, but Oracle and its assi [...] 
]]></description><content:encoded><![CDATA[<span class='imgPusher' style='float:right;height:1116px'></span><span style='display: table;width:729px;position:relative;float:right;max-width:100%;;clear:right;margin-top:20px;*margin-top:40px'><a><img src="https://www.tacticallawgroup.com/uploads/5/2/9/1/52915149/published/screenshot-2026-03-26-at-5-33-05-am.png?1774526882" style="margin-top: 5px; margin-bottom: 10px; margin-left: 0px; margin-right: 10px; border-width:1px;padding:3px; max-width:100%" alt="Picture" class="galleryImageBorder wsite-image" /></a><span style="display: table-caption; caption-side: bottom; font-size: 90%; margin-top: -10px; margin-bottom: 10px; text-align: center;" class="wsite-caption"></span></span> <div class="paragraph" style="display:block;"><strong><font size="4">By Pam Fulmer</font><br /><br /><em>If your business financed an Oracle NetSuite ERP implementation through Oracle Credit Corporation or Oracle America, Inc. and received a collection demand from Banc of America Leasing &amp; Capital, LLC or Bank of America N.A., or another bank, you may have been told that you must keep making payments even if the software was never delivered, never worked, or was sold to you through misrepresentation. There are ways to attack the clause under California law, but Oracle and its assignees have developed a clever scheme that shifts risk to the Oracle customer and gives Oracle leverage in settlement discussions.</em><br /><br />&#8203;When a NetSuite implementation fails &mdash; and industry litigation makes clear that this seems to happen with some frequency &mdash; Oracle customers quickly discover an uncomfortable reality. The company that sold them the software and promised a successful implementation has already sold off the right to collect their payments. Oracle Credit Corporation (OCC), Oracle's captive financing subsidiary or Oracle America, Inc. 
itself (collectively &ldquo;Oracle&rdquo;), assigned the payment stream to a third-party bank almost immediately after the contract was signed. That bank, often Banc of America Leasing &amp; Capital, LLC (&ldquo;BALC&rdquo;) or Bank of America N.A. (&ldquo;BANA&rdquo;) or a Wells Fargo entity, now shows up demanding full payment and citing a clause in the financing agreement that says, in effect, you agreed to pay the Assignee no matter what. At last count since 2020, BALC had filed over 70 collections lawsuits in San Mateo Superior Court in California alone seeking to enforce these assignments against Oracle customers.<br /><br />This clause &mdash; sometimes called a "hell or high water" provision or a "waiver of defenses" clause &mdash; is a deliberate piece of transaction engineering. Although we do not have the actual agreement between Oracle and the Bank of America entities (yet), it appears from public filings that Oracle monetizes the payment stream almost on day one, mitigating its own financial exposure for failed implementations and leaving customers with an ongoing obligation to a bank that claims it bears no responsibility for Oracle's performance. The practical effect of this arrangement is to exert enormous pressure on the Oracle customer&mdash;it finds itself fighting a battle on the one hand to get Oracle to right the project and deliver the promised solution, and on the other it faces a possible collections action and a hit to its credit. &nbsp;Third party banks pressing for payment give Oracle leverage in settlement discussions with its customer. &nbsp;This creates cash flow pressure and a tactical advantage for Oracle. &nbsp;The clause shifts risk and inconvenience to the customer but doesn't eliminate their legal rights against Oracle &mdash; it just makes exercising those rights more expensive and burdensome.&nbsp;<br /><br />The question California courts must answer is whether that arrangement is actually enforceable. 
Legal arguments exist that it may not be.<br /><br /><font color="#da8044">What the Clause Actually Says</font><br />We are able to ascertain the language of the typical OCC Payment Plan Agreement from public court filings. &nbsp;Here is a screenshot of the actual clause, which was a part of an exhibit to a Complaint brought by BALC against an Oracle customer.<br /><br />&#8203;<br />&nbsp;<br />BALC's litigation position rests entirely on that clause. Its argument is that the customer contractually waived every defense it could ever raise against Oracle &mdash; fraud, breach of contract, failure to deliver &mdash; and that BALC, as assignee, is entitled to enforce that waiver. In legal terms, BALC is claiming the functional equivalent of "holder in due course" status: the right to collect a payment obligation free from any defense related to the underlying transaction. And indeed that is the argument that some of these Oracle assignees have raised in litigation against Oracle customers. Although the Oracle customer can still assert defenses in litigation against Oracle, the clause shifts the burden to the customer. &nbsp;It makes it risky for the customer to stop paying when Oracle fails to perform and thereby puts Oracle in the driver&rsquo;s seat.<br /><br />However, BALC&rsquo;s argument may fail under California law for at least five independent reasons.<br /><br /><font color="#da8044">Why the Clause May Not Hold Up</font><br />The statute that could save BALC expressly requires good faith and lack of notice &mdash; conditions BALC cannot meet.<br /><br />California Commercial Code Section 9403 governs exactly this situation: waiver-of-defense clauses in assigned financing agreements. It makes such clauses enforceable by an assignee, but only if that assignee took the assignment for value, in good faith, and without notice of the defense being waived.
This is not a loophole &mdash; it is the core of the statute.<br /><br />&#8203;BALC has filed over 60 collection actions against Oracle customers arising from Oracle/OCC assignments in San Mateo County Superior Court alone. Multiple court cases, legal industry publications, and news coverage appear to document Oracle's pattern of overselling NetSuite's capabilities and failing to deliver working implementations. By no later than 2021, any institutional lender systematically acquiring OCC assignments had access to &mdash; and reason to know of &mdash; that pattern. That is because when the banks try to enforce the assignment, customers explain directly to BALC or BANA that Oracle failed to deliver a working system. &nbsp;The response&mdash;too bad. Pay anyway or face acceleration of the payments due under the contract and a collections action. Where the banks are aware of a multitude of implementation failures, with multiple Oracle clients claiming fraud, any argument that these banks were innocent strangers to the transaction seems implausible. The statute that would make the clause work against customers may expressly deny the banks the benefit of it.<br /><br /><font color="#da8044">California Civil Code Section 1668 voids any clause that purports to exempt a party from its own fraud.</font><br />This statute is unambiguous: contracts that have the object, directly or indirectly, of exempting anyone from responsibility for their own fraud are against the policy of California law and are void. If Oracle's sales representatives misrepresented NetSuite's capabilities, as multiple plaintiffs in lawsuits against Oracle contend, then a clause in a subsidiary's financing agreement that requires the customer to keep paying regardless of that fraud is precisely what Section 1668 prohibits. OCC is either a subsidiary or affiliate of Oracle. BALC is OCC's assignee.
Neither can stand at a greater legal distance from Oracle's fraud than Oracle itself.<br /><br /><font color="#da8044">The clause was procured through the same fraud it purports to waive.</font><br />Even setting aside public policy, a contractual waiver signed under the influence of fraudulent misrepresentation is itself voidable. No rational businessperson agrees, in the abstract, to pay in full for software that is never delivered. Court cases allege that customers signed these agreements because Oracle's representatives told them the implementation would succeed, that the SuiteSuccess methodology was proven, and that their industry's needs would be met out of the box. Oracle customers have alleged that those representations were false. If the entire contract &mdash; including the embedded waiver clause &mdash; was induced by that fraud, California law allows customers to rescind it on that basis.<br /><br /><font color="#da8044">The clause is unconscionable.</font><br />California Civil Code Section 1670.5 allows courts to refuse to enforce a contract clause that was unconscionable at the time it was made. Arguments can be made that the "hell or high water" clause satisfies both requirements. Procedurally, it appears in a pre-printed, non-negotiable financing form presented to a small or mid-sized business by one of the world's largest software companies at the tail end of a long DocuSign &mdash; there is no meaningful opportunity to negotiate. Substantively, a clause requiring unconditional payment even in the face of fraud, total non-performance, and a completely non-functional ERP system is so one-sided that it eliminates the most basic protection a contracting party has: the right to withhold payment when the other party doesn't perform.<br /><br />California's Supreme Court has held that the more substantively oppressive a clause, the less procedural unconscionability is needed to strike it down. 
This clause is arguably about as substantively oppressive as commercial contract terms get.<br /><br /><font color="#da8044">Enforcing the clause would constitute unjust enrichment.</font><br />&#8203;California does not permit a party to be enriched at the expense of another under circumstances where it would be unjust to retain the benefit. Allowing BALC to collect the full contract price for software that was never implemented &mdash; while the customer simultaneously had to find and pay for an alternative ERP system &mdash; would give Oracle and BALC the economic benefit of a transaction whose only consideration was never delivered. That is textbook unjust enrichment, and California law provides equitable remedies for it.<br /><br /><font color="#da8044">The Broader Picture</font><br />These five arguments are not alternative theories of the same claim &mdash; they are independent, stacking grounds for relief, each sufficient on its own. Together, they reflect a California legal framework that was never designed to let one contracting party use a subsidiary and an affiliated bank to insulate itself from the financial consequences of its own fraud and breach.<br /><br />The "hell or high water" clause is not meaningless in every context. If Oracle delivered a working implementation and the customer simply regretted the purchase, the clause would likely hold. But in the case of systematic misrepresentation, total implementation failure, and an assignee that knew exactly what it was collecting on, California law provides customers with a robust set of defenses &mdash; statutory, contractual, and equitable &mdash; to attack the provision.<br /><br />Businesses receiving collection demands from Banc of America Leasing &amp; Capital or Bank of America, N.A., arising from Oracle NetSuite financing agreements should not assume that the presence of this clause in their contract means they have no options.
The law in California is more protective than Oracle and BALC's litigation posture suggests.<br /><br /><em><font color="#da8044">Tactical Law advises companies in disputes with Oracle assignees over failed Oracle ERP contracts.</font></em></strong><br /><br /></div> <hr style="width:100%;clear:both;visibility:hidden;"></hr>]]></content:encoded></item><item><title><![CDATA[The Oracle Audit Playbook Exposed]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/the-oracle-audit-playbook-exposed]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/the-oracle-audit-playbook-exposed#comments]]></comments><pubDate>Sat, 07 Mar 2026 14:56:16 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/the-oracle-audit-playbook-exposed</guid><description><![CDATA[By Pam FulmerYour company receives a letter from Oracle&rsquo;s License Management Services. It is politely worded but unmistakably serious. Oracle is exercising its contractual audit rights and would like your organization to cooperate in a review of your software deployments.For many companies, the instinct at this moment is to cooperate fully, correct any genuine issues, and resolve the matter quickly. That instinct, while understandable, is exactly what Oracle is counting on.&#8203;What foll [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br /><em>Your company receives a letter from Oracle&rsquo;s License Management Services. It is politely worded but unmistakably serious. Oracle is exercising its contractual audit rights and would like your organization to cooperate in a review of your software deployments.</em><br /><br />For many companies, the instinct at this moment is to cooperate fully, correct any genuine issues, and resolve the matter quickly. 
That instinct, while understandable, is exactly what Oracle is counting on.<br />&#8203;<br />What follows the audit letter is not a neutral compliance review. It is the opening move in a carefully engineered revenue strategy that Oracle&rsquo;s own employees have described in federal court filings as &ldquo;Audit, Bargain, Close&rdquo; &mdash; or ABC. Understanding how this strategy works, what rights you actually have, and how experienced legal counsel can level the playing field is the difference between a six-figure settlement on your terms and an eight-figure capitulation on Oracle&rsquo;s.<br />&nbsp;</strong><br /><strong><font size="4" color="#3387a2">The &ldquo;Audit, Bargain, Close&rdquo; Strategy: What We Know from Court Records</font><br /><br />&#8203;</strong><strong>The term &ldquo;Audit, Bargain, Close&rdquo; did not originate with Oracle&rsquo;s critics. It originated inside Oracle itself. In a class action securities lawsuit against Oracle, a consolidated complaint alleged, based on statements from nine former Oracle employees identified with specificity, that Oracle systematically used coercive audit practices to manufacture cloud subscription revenue.<br />&#8203;<br /><em>&ldquo;The sales team would identify large clients they thought they could get more money out of and threaten them with audits&hellip; frequently, neither sales nor LMS had real evidence that customers targeted for audits were noncompliant, but the mere threat of an audit would put customers under so much pressure that they had no choice but to agree to Oracle&rsquo;s demands.&rdquo; &mdash; Former Oracle Employee, Federal Court Filing</em><br /><br />This is not a fringe allegation. 
The complaint describes in granular detail a system in which Oracle&rsquo;s License Management Services (LMS), also known as Global License Advisory Services (GLAS) &mdash; the internal audit arm &mdash; and Oracle&rsquo;s sales division operated in close coordination, with sales identifying audit targets and, in some cases, drafting the threatening audit letters that LMS then sent to customers. A federal court allowed the case to proceed on a narrow securities fraud theory, finding the allegations legally sufficient to state a plausible claim.<br /><br /><font size="4" color="#3387a2">The three phases of the strategy, along with what your company should do, break down as follows:</font><br />&nbsp;<br /><font color="#3387a2">AUDIT</font><br />Sales/LMS identify target accounts &mdash; often with no real evidence of non-compliance. Soft audit inquiry or formal LMS letter sent.<br /><br />Do not respond informally. Retain legal counsel immediately. Channel all communications through a single designated contact.<br /><br /><font color="#3387a2">BARGAIN</font><br />Oracle presents inflated "shock number" compliance gap, then offers a "discount" if you purchase cloud subscriptions or a ULA.<br /><br />Challenge the methodology. Independently verify all findings. Do not accept Oracle's numbers without scrutiny &mdash; they are frequently overstated.<br /><br /><font color="#3387a2">CLOSE</font><br />Oracle leverages quarter-end deadlines and fear of copyright litigation to pressure a fast settlement on its terms.<br /><br />Understand Oracle's fiscal calendar. Deadlines are artificial. A settlement built around your legal position is far stronger than one built around Oracle's timeline.<br /><br />The result: customers who should never have faced a compliance bill pay millions. 
And Oracle books it as cloud revenue growth.<br />&nbsp;</strong><br /><strong><font size="4" color="#3387a2">Five Oracle Audit Tactics Your Legal Team Needs to Know</font></strong><br /><br /><strong>1. The &ldquo;Soft Audit&rdquo; Disguised as a Friendly Review</strong><br /><br /><strong>Not all Oracle audit pressure arrives with a formal LMS letter. Oracle also deploys what the industry calls &ldquo;soft audits&rdquo; &mdash; informal outreach from Oracle sales representatives framed as a complimentary license review, a compliance health check, or even an account management call. &nbsp;This is what is going on when you get a call from Oracle about your Java SE deployments.<br /><br />In practice, an informal review carries no contractual audit protections for the customer. There are no defined timelines, no scope limitations, and no formal dispute rights. Customers who participate under the impression that they have &ldquo;nothing to hide&rdquo; frequently discover that Oracle&rsquo;s sales team has collected enough data to generate a large compliance claim &mdash; and a cloud subscription proposal to resolve it.<br /><br /><em>Legal note: You are not obligated to cooperate with an informal Oracle review. Only a formal audit notice from Oracle&rsquo;s LMS or legal counsel invokes your contractual audit obligations. Treat any Oracle compliance outreach as potentially adversarial until you have reviewed your contract and consulted counsel.</em></strong><br /><br /><strong>2. The &ldquo;Shock Number&rdquo;: How Oracle Builds Its Opening Position</strong><br /><br /><strong>When Oracle&rsquo;s LMS presents audit findings, the initial compliance gap figure is almost always dramatically overstated. This is not an accident. 
Oracle&rsquo;s auditors appear to be incentivized to identify maximum potential exposure, and they routinely rely on non-contractual policies &mdash; particularly the Oracle Partitioning Policy governing VMware virtualization &mdash; as if those policies were binding contractual terms.<br /><br />The Oracle Partitioning Policy states that Oracle software running in a VMware environment must be licensed for every physical processor core in the entire cluster, not just the hosts where Oracle is actually deployed. This policy is not part of Oracle&rsquo;s standard Master License Agreement. It is a unilaterally published document that explicitly states it &ldquo;may not be incorporated into any contract&rdquo; and is subject to change without notice. Yet Oracle&rsquo;s auditors apply it as if customers agreed to it.<br /><br />The practical effect: a company running Oracle database on three hosts in a forty-host VMware cluster may receive an audit claim demanding licenses for all forty hosts. The shock number exists to make the eventual settlement &mdash; which might only cover the three actual hosts &mdash; feel like a victory for the customer, even if the customer overpays relative to its genuine contractual obligations.<br /><br /><em>Legal note: Oracle&rsquo;s non-contractual policies cannot expand your license obligations beyond what your actual signed agreements require. A detailed legal analysis of your specific Oracle contracts is essential before responding to any audit findings.</em></strong><br /><br /><strong>3. Java SE: The New Enforcement Frontier</strong><br /><br /><strong>Oracle&rsquo;s Java enforcement activity represents one of the most significant changes in the enterprise software audit landscape since 2023. 
Following Oracle&rsquo;s shift to a per-employee Java SE subscription model, Oracle launched an aggressive global campaign to identify organizations using Oracle&rsquo;s Java Development Kit without the required commercial subscription.<br /><br />Oracle tracks Java downloads by matching IP addresses to organizations. Companies are being contacted for Java compliance regardless of whether they have any other Oracle products. Gartner has projected that by 2026, at least one in five organizations using Java will face an Oracle audit. Oracle has been targeting companies with as few as fifty employees purely over Java usage, and the pricing model &mdash; applied per employee across the entire organization regardless of actual Java use &mdash; can produce cost increases exceeding 800 percent compared to prior licensing structures.<br /><br />&#8203;Java audits follow the same ABC pattern. The soft audit begins with an inquiry from Oracle&rsquo;s Java sales team, often referencing Oracle&rsquo;s download records as evidence of non-compliance. Or the Oracle team says that they are there&nbsp;to help you ensure that your data is secure. Organizations that respond without counsel frequently provide far more information than their contracts require, which Oracle then uses to build a large non-compliance claim.<br /><br /><em>Legal note: Oracle&rsquo;s per-employee Java pricing model has been challenged as an overreach relative to actual usage. Companies may have grounds to contest both the scope of Oracle&rsquo;s audit claims and the retroactive fee demands that frequently accompany them.</em></strong><br /><br /><strong>4. The Quarter-End Close Pressure</strong><br /><br /><strong>Oracle&rsquo;s fiscal year ends on May 31. Its quarterly deadlines follow this calendar (August 31, November 30, and then February 28). 
Oracle&rsquo;s audit and sales teams know this calendar intimately, and they use it deliberately.<br /><br />As Oracle approaches a quarter-end, the pressure on audit targets intensifies. Proposals that were presented as final become &ldquo;special offers&rdquo; with deadline language. Sales teams become more accessible. Discounts appear. The implicit message is that the deal available today will not be available next week.<br /><br />These deadlines are artificial. Oracle&rsquo;s contractual audit rights do not expire at quarter-end. The &ldquo;deal&rdquo; usually does not evaporate but comes back the next quarter and is often better. What Oracle is doing is leveraging its own internal sales cycle against you &mdash; creating urgency that has no legal foundation but enormous psychological effect on companies that are not prepared for it.<br /><br /><em>Legal note: Any settlement offer involving Oracle cloud subscriptions, Unlimited License Agreements, or license true-ups should be reviewed carefully by experienced licensing counsel before signature. Settlements signed under artificial deadline pressure often contain terms that create new and expensive obligations for years afterward.</em></strong><br /><br /><strong>5. Default-Enabled Features: The Trap Oracle Installs for You</strong><br /><br /><strong>Court filings in Oracle-related litigation include an allegation that Oracle configured its on-premises software products to automatically install additional options and management packs in an enabled state, without informing customers that these features were active or that using them required additional licenses. 
Once a customer was found &ldquo;using&rdquo; these features &mdash; even unknowingly &mdash; Oracle&rsquo;s LMS had a basis for a compliance claim.<br /><br />This pattern is most prevalent with Oracle Database Enterprise Edition, which ships with a wide range of options &mdash; Partitioning, Advanced Security, Diagnostics Pack, Tuning Pack, and others &mdash; that require separate licenses. Database administrators frequently enable features or run queries that inadvertently activate options. Oracle&rsquo;s LMS audit scripts are designed to identify these activations, which Oracle treats as evidence of unlicensed use regardless of whether the customer had any knowledge or intent.<br /><br /><em>Legal note: Unintentional feature activation is a common and frequently challenged basis for Oracle audit claims. The fact that a feature was activated does not necessarily mean a license was required or that the customer is liable for retroactive fees. These findings are defensible with the right technical and legal analysis.</em><br />&nbsp;</strong><br /><strong><font size="4" color="#3387a2">Oracle Is Not Alone: Quest Software and the Growing Audit Threat</font></strong><br /><br /><strong>Oracle is the most prominent practitioner of aggressive software audit tactics, but it is not the only one. Quest Software &mdash; which makes widely-used database tools including Toad, Spotlight, and a range of products that manage Oracle and SQL Server environments &mdash; has adopted audit strategies that closely mirror Oracle&rsquo;s playbook.<br /><br />Quest&rsquo;s audit activity frequently targets organizations that use Quest tools in virtualized environments or across shared infrastructure, asserting broad license obligations based on deployment configurations that customers did not understand to trigger additional license requirements. 
Quest, like Oracle, tends to present inflated initial findings and then offer to resolve the matter through subscription upgrades or expanded license purchases.<br />&nbsp;</strong><br /><strong><font size="4" color="#3387a2">What Oracle Doesn&rsquo;t Want You to Know: Your Contractual Rights</font></strong><br /><br /><strong>Oracle&rsquo;s audit process is designed to feel inevitable and one-sided. It is neither. Your Oracle Master Agreement contains specific provisions that define and limit Oracle&rsquo;s audit rights, and those provisions exist to protect you. Key rights that companies frequently overlook include:</strong><ul><li><strong>Notice requirements. Oracle is typically required to provide written advance notice before initiating a formal audit. The required notice period &mdash; often 45 days &mdash; is a minimum, not a maximum. You are entitled to the full notice period to prepare.</strong></li><li><strong>Scope limitations. Your contract defines what Oracle can audit and how. Oracle&rsquo;s LMS scripts collect significant data, and you are not required to run those scripts beyond the scope your contract specifies. Reviewing the script output before providing it to Oracle is both prudent and entirely appropriate.</strong></li><li><strong>Audit frequency limits. Many Oracle agreements include provisions limiting how frequently Oracle can conduct audits. If you have been recently audited, Oracle may not have the right to initiate another review.</strong></li><li><strong>The non-contractual policy problem. If Oracle&rsquo;s compliance claim relies on the Partitioning Policy,&nbsp;or any other policy document that is not expressly incorporated into your signed agreements, you have grounds to challenge that claim. 
Policy documents that Oracle unilaterally publishes and reserves the right to change cannot override what your contract actually says.</strong></li></ul> <strong>&nbsp;<br /><em>One of the most important things you can do in an Oracle audit is to understand what you agreed to &mdash; not what Oracle says you agreed to. Those are frequently very different things.</em></strong><br /><br /><strong><font size="4" color="#3387a2">What to Do Before Oracle Comes Knocking: A Practical Framework&nbsp;</font></strong><strong><font size="4"><font color="#3387a2">Before the Audit Letter:</font></font><br /><br />Proactive Steps</strong><ul><li><strong>Conduct an internal license baseline. Understand what Oracle products you are running, where they are deployed, and what your contracts actually say. Knowing your position before Oracle does is the single most powerful advantage in an audit.</strong></li><li><strong>Review your Oracle contracts for audit rights, frequency limitations, and scope provisions. Many organizations have never read these sections carefully. They matter enormously.</strong></li><li><strong>Document your VMware environment and Oracle software deployment boundaries. If Oracle is not installed on certain hosts or clusters, document that technically. Clean documentation is the foundation of a strong audit defense.</strong></li><li><strong>Identify which Oracle products might have default-enabled features in your environment. If your DBAs have been running the Diagnostics Pack or Tuning Pack without realizing it, you want to know that before Oracle does.</strong></li><li><strong>Establish a relationship with experienced Oracle licensing counsel before you need them. The cost of a proactive assessment is a fraction of the cost of responding to an audit without one.</strong></li></ul> <strong>&nbsp;</strong><br /><strong>When the Letter Arrives: Immediate Response</strong><ul><li><strong>Do not respond to Oracle directly without counsel. 
Every statement you make becomes part of Oracle&rsquo;s record. The first communication from your organization should be one that establishes the rules of engagement, not one that provides Oracle with data.</strong></li><li><strong>Distinguish between a soft audit and a formal LMS notice. If Oracle&rsquo;s outreach is informal, you are not obligated to cooperate in the same way as with a formal audit. Treating a sales inquiry as a binding audit obligation is a mistake that Oracle actively encourages.</strong></li><li><strong>Establish a single point of contact. All Oracle audit communications should flow through one person &mdash; ideally legal counsel or someone working directly with counsel. Prevent Oracle from speaking informally with your IT staff, who may inadvertently disclose information that strengthens Oracle&rsquo;s position.</strong></li><li><strong>Review the LMS scripts before running them. Oracle&rsquo;s data collection tools are designed to capture maximum information. Have your technical and legal teams review what the scripts collect and limit the output to what your contract requires.</strong></li><li><strong>Record everything in writing. Verbal representations from Oracle sales or LMS teams are notoriously unreliable. Every commitment, every deadline, every proposed settlement term should be in writing.</strong></li></ul> <strong>&nbsp;</strong><br /><strong>During Negotiations: Protecting Your Position</strong><ul><li><strong>Challenge Oracle&rsquo;s findings independently. Oracle&rsquo;s initial numbers are a starting position, not a final determination. Engage your own technical analysis of what the data actually shows before accepting any characterization of non-compliance.</strong></li><li><strong>Separate genuine compliance gaps from manufactured ones. If you have real license deficiencies, address them. 
If Oracle&rsquo;s claim relies on non-contractual policies or overreaching interpretations of your environment, push back aggressively.</strong></li><li><strong>Understand Oracle&rsquo;s fiscal calendar. Deadlines that appear before Oracle&rsquo;s May 31 year-end or quarterly closes are not coincidental. You are not bound by Oracle&rsquo;s revenue calendar.</strong></li><li><strong>Be skeptical of cloud subscription settlement proposals. Purchasing Oracle Cloud licenses as a way to resolve an audit claim is, in many cases, purchasing something you do not need to escape a claim that was overstated to begin with. If a cloud subscription actually serves your business, that is a separate analysis &mdash; but it should be conducted on its own merits, not under audit pressure.</strong></li></ul> <strong>&nbsp;</strong><br /><strong><font size="4" color="#3387a2">The Bottom Line: Knowledge Is the Most Powerful Audit Defense</font></strong><br /><br /><strong>Oracle&rsquo;s &ldquo;Audit, Bargain, Close&rdquo; strategy works because most organizations are unprepared for it. They do not know what their contracts say. They do not understand that Oracle&rsquo;s non-contractual policies are not legally binding. They do not realize that the shock number is designed to be challenged. They respond to artificial urgency with real concessions.<br />The companies that fare best in Oracle audits &mdash; and in the audits conducted by Quest, IBM, Microsoft, and other aggressive publishers &mdash; share a common characteristic: they treat the audit as a legal matter from the first contact, not from the moment they have already provided the publisher with everything it needs to build its case.<br /><br />Our firm has represented companies across a wide range of industries in Oracle and other audit defense, Oracle and NetSuite ERP litigation, and disputes with other enterprise software publishers. 
We understand these audit playbooks in depth &mdash; including the contractual arguments that work, the technical defenses that matter, and the negotiating strategies that achieve real outcomes.<br /><br />If your organization has received an Oracle audit letter or an informal inquiry about Java &mdash; or if you want to understand your exposure before one arrives &mdash; we invite you to contact us for a confidential consultation.<br />&nbsp;</strong></div>]]></content:encoded></item><item><title><![CDATA[How Oracle’s Sales Model Creates ERP Failure Risk]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/how-oracles-sales-model-creates-erp-failure-risk]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/how-oracles-sales-model-creates-erp-failure-risk#comments]]></comments><pubDate>Thu, 22 Jan 2026 11:52:19 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/how-oracles-sales-model-creates-erp-failure-risk</guid><description><![CDATA[By Pam Fulmer&#8203;Failed ERP implementations are often described as &ldquo;project problems.&rdquo; Oracle reinforces this framing, pointing to implementation partners, change management challenges, or customer indecision. That narrative is convenient&mdash;and misleading. In many NetSuite SuiteSuccess or Oracle Fusion disputes, the root cause of failure is not poor execution. It is how Oracle sells ERP systems in the first place. The sales model itself creates predictable legal and operationa [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><br /><strong><font size="4">By Pam Fulmer</font><br />&#8203;</strong><br /><strong>Failed ERP implementations are often described as &ldquo;project problems.&rdquo; Oracle reinforces this framing, pointing to implementation partners, change management challenges, or customer indecision. 
That narrative is convenient&mdash;and misleading. In many NetSuite SuiteSuccess or Oracle Fusion disputes, the root cause of failure is not poor execution. It is how Oracle sells ERP systems in the first place. The sales model itself creates predictable legal and operational risk, long before the first data is migrated.<br /><br />Understanding that model is critical for executives and in-house counsel assessing litigation risks and rewards, contract termination scenarios, or settlement strategy with Oracle.<br />This blog post is based on a review of actual litigation filed against Oracle involving its ERP software and failed ERP implementations to demonstrate Oracle&rsquo;s playbook and identify common themes across the disputes.<br /><br /><font color="#3387a2">Oracle Sells Certainty&mdash;While Structurally Avoiding Accountability</font><br /><br />Oracle&rsquo;s ERP sales strategy is built around a fundamental tension:</strong><ul><li><strong>Promise certainty to close the deal</strong></li><li><strong>Disclaim responsibility once the deal closes</strong></li></ul> <strong> During the sales cycle, Oracle positions itself as a trusted business advisor and often leads solution design discussions.&nbsp;From these discussions, Oracle identifies required modules. Oracle sales represent that by purchasing this specific set of modules, the customer&rsquo;s requirements discussed during the sales cycle can be met. 
Oracle markets NetSuite SuiteSuccess and Oracle Fusion as integrated, proven solutions and emphasizes speed, standardization, and reduced risk.<br /><br />After contract execution, and once disputes arise, Oracle abruptly changes its posture. Oracle claims it merely licensed the software and points to implementation partners as the reason for the failures. Then Oracle relies on contractual disclaimers in its Subscription Services Agreement (&ldquo;SSA&rdquo;) to attempt to avoid responsibility. Many customers are unaware of the SSA, which is the governing agreement, because it is buried in a disguised and grayed-out hyperlink on the Estimate Form.<br />This structural disconnect is not incidental&mdash;it is the core of many ERP disputes.<br /><br /><font color="#3387a2">The Modular Sales Trap: Selling Pieces as a &ldquo;Solution&rdquo;</font><br /><br />Oracle sells ERP systems as bundled modules, while contractually treating each module as an isolated product. From a business perspective, customers are told the modules work together seamlessly, the configuration supports their industry, and the ERP will deliver defined operational outcomes.<br /><br />Once a dispute arises, and from a legal perspective, Oracle argues that each module stands alone, that the integration risk belongs to the customer, and that the customer was solely responsible for determining whether the solution is fit for its business.<br /><br />When the combined system does not function as promised, Oracle characterizes the failure as implementation error rather than solution design failure, even when Oracle itself selected the architecture.<br /><br /><font color="#3387a2">SuiteSuccess: Speed as a Sales Weapon, Not a Delivery Reality</font><br /><br />SuiteSuccess is Oracle&rsquo;s most aggressive example of sales-driven risk. 
It is marketed as:</strong><ul><li><strong>Industry-specific</strong></li><li><strong>Preconfigured</strong></li><li><strong>Faster to deploy</strong></li><li><strong>Lower risk than traditional ERP</strong></li></ul> <strong> In practice, many SuiteSuccess failures arise because the standardized configuration does not match real-world operations, critical functionality is missing or immature, extensive customization is required despite promises to the contrary, and the timeline was unrealistic from the outset. Plaintiffs in these cases against Oracle claim that Oracle used high-pressure sales tactics to close the deal, but that Oracle&rsquo;s scoping was inadequate and incomplete and risks were either minimized or omitted altogether.<br /><br /><font color="#3387a2">The Partner Buffer: Shifting Risk Without Reducing It</font><br /><br />It appears that Oracle&rsquo;s heavy reliance on implementation partners is not merely operational&mdash;it is strategic. Partners allow Oracle to:</strong><ul><li><strong>Accelerate sales without staffing delivery</strong></li><li><strong>Shift execution risk downstream</strong></li><li><strong>Preserve subscription revenue regardless of outcome</strong></li></ul> <strong> But this structure does not eliminate risk&mdash;it redistributes it to the customer.<br /><br />However, in many disputes Oracle selected or strongly influenced the choice of partner and relied on partner participation to close the deal during the sales cycle. But once the deal closes and problems arise, Oracle disclaims all responsibility for the partner&rsquo;s performance. 
This creates a risk vacuum, where Oracle controls the sale, the partner controls execution, and the customer bears the consequences when the system fails.<br /><br /><font color="#3387a2">Information Asymmetry: Oracle Knows More Than It Tells</font><br /><br />One of the most overlooked aspects of Oracle ERP disputes is information asymmetry.<br />Oracle typically knows how often similar implementations fail and which configurations break down. Oracle also has knowledge of which modules are immature or unstable and how dependent success is on customization. Customers do not know these things and rely on Oracle&rsquo;s greater expertise and knowledge.<br /><br />When Oracle sells ERP solutions without disclosing known risks&mdash;or affirmatively minimizes them&mdash;it creates fertile ground for claims based on misrepresentation and concealment.<br />ERP litigation often turns on what Oracle knew, when it knew it, and how much of that information was withheld during the sales cycle.<br /><br /><font color="#3387a2">Why These Disputes Are Predictable&mdash;and Repeatable</font><br /><br />The same patterns appear across publicly filed Oracle NetSuite and Fusion disputes:</strong><ul><li><strong>Aggressive sales timelines</strong></li><li><strong>High-pressure sales tactics, including the threat that deep discounts will disappear if the deal is not closed on Oracle&rsquo;s timeline</strong></li><li><strong>Overstated functionality by Oracle sales personnel during the sales cycle</strong></li><li><strong>Partner dependency and customization risk downplayed or not mentioned at all</strong></li><li><strong>Risk shifted contractually after the fact</strong></li></ul> <strong> Then, after the contract is signed and the customer encounters severe implementation problems, similar patterns emerge.</strong><ul><li><strong>If Oracle is doing the implementation, frequent personnel changes that lead to loss of knowledge and 
inefficiency</strong></li><li><strong>Language barriers with the offshore Oracle team</strong></li><li><strong>Additional third-party software must be purchased to achieve promised functionality</strong></li><li><strong>Costs escalate and balloon well over initial estimates</strong></li><li><strong>Oracle or its assignee enforces subscription payments despite failures and inability to deliver an operational system</strong></li></ul> <strong> These are not one-off anomalies. They are the natural byproduct of a sales model that prioritizes closing deals over the feasibility of delivering the promised functionality. From a legal standpoint, predictability strengthens customer claims&mdash;it undermines Oracle&rsquo;s argument that failure was unforeseeable or partner-specific.<br /><br /><font color="#3387a2">What Executives and In-House Counsel Should Take From This</font><br /><br />When an Oracle ERP fails, the most important question is not:<br />&ldquo;What went wrong during implementation?&rdquo;<br />It is:<br />&ldquo;Was this system ever realistically capable of delivering what Oracle sold?&rdquo;<br />That question reframes the dispute from project management to sales conduct, risk disclosure, and solution viability&mdash;where Oracle is far more exposed.<br /><br /><font color="#3387a2">The Bottom Line</font><br /><br />Oracle ERP failures are often not execution mistakes. 
They are sales-driven failures, rooted in a business model that appears, based on the filed cases, to separate promise from accountability.<br />For companies facing NetSuite or Oracle Fusion disputes, recognizing this reality early can fundamentally change:</strong><ul><li><strong>Litigation strategy</strong></li><li><strong>Termination leverage</strong></li><li><strong>Damage recovery</strong></li><li><strong>Settlement dynamics</strong></li></ul> <strong> <font color="#3387a2">Final Thought: ERP Risk Is Created Long Before Go-Live</font><br /><br />By the time an ERP fails in production&mdash;or never reaches go-live&mdash;the legal issues are already baked in. They were created during the sales cycle, not the implementation phase.<br />Companies that understand Oracle&rsquo;s sales model are far better positioned to challenge Oracle&rsquo;s defenses&mdash;and to avoid funding a failed ERP indefinitely.<br /><br />During the sales cycle it is important to document Oracle&rsquo;s promises in emails and other communications.&nbsp;&nbsp;Oracle&rsquo;s playbook of setting up Zoom calls to do the scoping and requirements gathering often does not leave a paper trail. 
Oracle customers must create one, and they must carefully preserve these pre-contract communications made by Oracle during the sales cycle.<br /><br />Our attorneys advise clients on strategies to resolve disputes with Oracle and its partners when a NetSuite SuiteSuccess or Oracle Fusion project goes off the rails.</strong><br /><br /></div>]]></content:encoded></item><item><title><![CDATA[Oracle Java Licensing Enforcement: How “Friendly Outreach” Is Driving Significant Compliance Risk]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-java-licensing-enforcement-how-friendly-outreach-is-driving-significant-compliance-risk]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-java-licensing-enforcement-how-friendly-outreach-is-driving-significant-compliance-risk#comments]]></comments><pubDate>Wed, 21 Jan 2026 13:10:54 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/oracle-java-licensing-enforcement-how-friendly-outreach-is-driving-significant-compliance-risk</guid><description><![CDATA[By Pam FulmerAcross industries, companies are increasingly reporting a common pattern in Oracle&rsquo;s approach to Java licensing. What often begins as a polite, informal inquiry about Java usage can quickly escalate into a high-dollar compliance demand&mdash;sometimes reaching into the millions of dollars&mdash;followed by pressure to purchase enterprise-wide Java subscriptions.Often in house counsel is not even aware that Oracle has reached out to various IT personnel.&nbsp;&nbsp;They only be [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br />Across industries, companies are increasingly reporting a common pattern in Oracle&rsquo;s approach to Java licensing. 
What often begins as a polite, informal inquiry about Java usage can quickly escalate into a high-dollar compliance demand&mdash;sometimes reaching into the millions of dollars&mdash;followed by pressure to purchase enterprise-wide Java subscriptions.<br /><br />Often in-house counsel is not even aware that Oracle has reached out to various IT personnel.&nbsp;&nbsp;They only become aware when a multi-million dollar licensing demand is escalated to the legal department.&nbsp;&nbsp;And then much of the damage has already been done.<br /><br />Oracle is able to identify organizations that have downloaded or deployed Java.&nbsp;&nbsp;An Oracle Java team member initiates contact under the guise of a routine security or licensing discussion, and then leverages information voluntarily provided by the company to assert noncompliance. The risk is compounded by Oracle&rsquo;s revised Java subscription model, which can dramatically increase licensing exposure based on employee headcount rather than actual Java usage.<br /><br />This article explains what is happening in the Java licensing marketplace, why so many companies are caught off guard, and what organizations should do now to reduce risk before Oracle comes calling. And if Oracle is already on your doorstep, our law firm assists companies in resolving disputes with Oracle over Java.</strong><br /><br /><strong><font color="#3387a2">Oracle&rsquo;s Shift From Traditional Audits to &ldquo;Soft&rdquo; Java Enforcement</font></strong><br /><br /><strong>Historically, software compliance disputes began with a formal audit letter invoking contractual audit rights. 
Oracle&rsquo;s current Java enforcement model looks very different.<br />Many organizations now report receiving:</strong><ul><li><strong>A cordial email requesting a short call about Java licensing</strong></li><li><strong>A message asking the company to &ldquo;confirm Java usage&rdquo;</strong></li><li><strong>A discussion framed around Java security updates or licensing alignment</strong></li></ul> <strong>These communications rarely mention audits, noncompliance, or breach. As a result, they are often routed to IT teams or handled informally. That initial informality is precisely what creates risk, and is probably why Oracle chooses this path in order to avoid the legal department and to get to the information that it wants so it can claim a huge non-compliance gap before management or legal even knows about the outreach.<br /><br />Once Oracle receives deployment information, the engagement often escalates quickly&mdash;sometimes moving from a casual inquiry to a significant financial claim within days or weeks.</strong><br /><strong><font color="#3387a2"><br />How Oracle Identifies Java Users</font></strong><br /><br /><strong>A common misconception is that only companies with existing Oracle contracts are exposed to Java audits. In reality, Oracle&rsquo;s Java licensing enforcement extends well beyond traditional Oracle customers.<br /><br />Oracle has visibility into Java activity through various touchpoints, including downloads obtained through Oracle-controlled distribution channels. When Java is downloaded using identifiable credentials or corporate domains, Oracle can associate that activity with a specific organization.<br /><br />This is why companies that believe they &ldquo;do not use Oracle software&rdquo; or &ldquo;have never purchased Java&rdquo; are often surprised to receive settlement demands from Oracle. 
From Oracle&rsquo;s perspective, download activity alone may be sufficient to justify initiating a licensing discussion.<br /></strong><br /><strong><font color="#3387a2">Why the First Response Matters More Than Companies Realize</font></strong><br /><br /><strong>When Oracle contacts an organization about Java, it typically requests information such as:</strong><ul><li><strong>Where Java is installed</strong></li><li><strong>How many users or systems run Java</strong></li><li><strong>Whether Java is used in production, development, or testing</strong></li></ul> <strong> Companies often respond with estimates, partial inventories, or assumptions. That information&mdash;once provided&mdash;frequently becomes the basis for Oracle&rsquo;s compliance position and monetary claims.<br /><br />The problem is not simply whether the information is accurate. It is that:</strong><ul><li><strong>Java is often deployed incidentally, not intentionally</strong></li><li><strong>Many organizations lack a centralized Java inventory</strong></li><li><strong>Different Java distributions and versions have different licensing implications</strong></li><li><strong>Some software comes with an embedded Java license, so there is no compliance issue</strong></li></ul> <strong> What starts as an attempt to be cooperative can quickly create a record that Oracle later relies on to justify a multi-million dollar licensing demand.</strong><br /><br /><strong><font color="#3387a2">Why Java Compliance Exposure Escalates So Quickly</font></strong><br /><br /><strong><font color="#3387a2">A. 
Java Is Embedded Throughout Enterprise IT Environments</font></strong><br /><br /><strong>Java appears in far more places than most companies expect, including:</strong><ul><li><strong>Legacy enterprise applications</strong></li><li><strong>Third-party commercial software</strong></li><li><strong>Developer workstations</strong></li><li><strong>Build servers</strong></li><li><strong>Virtual desktop environments</strong></li><li><strong>Cloud images and containers</strong></li></ul> <strong> Because Java is frequently bundled with other software or installed automatically, organizations often underestimate how widely it is deployed.</strong><br /><br /><strong><font color="#3387a2">B. Oracle&rsquo;s Java Subscription Model Multiplies Cost</font></strong><br /><br />&#8203;<strong>Oracle&rsquo;s current Java licensing framework is subscription-based. In recent years, Oracle has emphasized pricing models that can be tied to total employee headcount rather than actual Java installations.<br /><br />For many organizations, this creates a severe mismatch between usage and cost:</strong><ul><li><strong>A limited number of Java deployments can trigger enterprise-wide subscription requirements</strong></li><li><strong>Employee-based pricing dramatically increases exposure for mid-sized and large companies</strong></li><li><strong>The cost to &ldquo;resolve&rdquo; an audit may bear little relationship to the business value derived from Java</strong></li></ul> <strong> This is why Java compliance claims routinely reach millions of dollars, even when Java is not mission-critical.</strong><br /><br /><strong><font color="#3387a2">C. Ongoing Confusion About &ldquo;Free Java&rdquo;</font></strong><br /><br /><strong>Despite years of changes to Java licensing, confusion remains widespread. 
Many companies assume:</strong><ul><li><strong>Java is open source</strong></li><li><strong>All OpenJDK distributions are interchangeable</strong></li><li><strong>Upgrading eliminates licensing risk</strong></li></ul> <strong> In reality, Java licensing depends on:</strong><ul><li><strong>The specific distribution (Oracle JDK vs. OpenJDK vs. third-party builds)</strong></li><li><strong>The version and update history</strong></li><li><strong>The applicable license terms at the time of use</strong></li></ul> <strong> Mistaken assumptions about &ldquo;free Java&rdquo; are one of the most common drivers of compliance disputes.</strong><br /><br /><strong><font color="#3387a2">Oracle&rsquo;s Leverage Strategy in Java Licensing Disputes</font></strong><br /><br /><strong>In practice, Oracle&rsquo;s Java enforcement approach often follows a consistent pattern:</strong><ol><li><strong>Identify potential Java usage&nbsp;through download activity or other signals</strong></li><li><strong>Initiate friendly outreach&nbsp;that does not resemble a traditional audit</strong></li><li><strong>Request self-reported deployment information</strong></li><li><strong>Highlight gaps, uncertainty, or risk&nbsp;in the company&rsquo;s responses</strong></li><li><strong>Present subscription purchases&nbsp;as the fastest and safest way to resolve the issue</strong></li></ol> <strong> The pressure to &ldquo;fix the problem&rdquo; quickly&mdash;combined with licensing complexity&mdash;often leads companies to agree to broad Java subscriptions without fully evaluating alternatives.<br /><br /><font color="#3387a2">What Companies Are Doing in Response</font><br /><br />As Java enforcement has intensified, organizations are increasingly reassessing their Java strategies. 
Common responses in the marketplace include:</strong><ul><li><strong>Standardizing on non-Oracle Java distributions where feasible</strong></li><li><strong>Actively removing Oracle JDK from environments where it is not required</strong></li><li><strong>Tightening controls over Java downloads and installations</strong></li><li><strong>Centralizing Java inventory and license governance</strong></li></ul> <strong> Even companies that ultimately continue using Oracle-licensed Java are approaching negotiations more deliberately, with a clearer understanding of their actual needs and risk profile.</strong><br /><br /><strong><font color="#3387a2">Practical Steps to Reduce Java Audit and Licensing Risk<br /></font></strong><br /><font color="#3387a2"><strong>&nbsp; &nbsp; &nbsp;Before Oracle Contacts You</strong></font><br /><br /><strong>Proactive planning significantly reduces exposure.</strong><ul><li><strong>Establish a clear policy identifying approved Java distributions</strong></li><li><strong>Limit downloads from Oracle-controlled Java sources unless intentionally licensed</strong></li><li><strong>Inventory Java across servers, desktops, virtual environments, and cloud workloads</strong></li><li><strong>Remove legacy or unused Java installations</strong></li><li><strong>Educate IT and development teams on Java licensing boundaries</strong></li></ul> <strong><font color="#3387a2">&nbsp; &nbsp; &nbsp; &nbsp;<br />&nbsp;&nbsp; &nbsp; &nbsp; If Oracle Has Already Reached Out</font></strong><br /><br /><strong>The first response often determines the trajectory of the engagement.</strong><ul><li><strong>Treat the outreach as a legal and commercial matter, not a technical request</strong></li><li><strong>Do not provide deployment data before completing an internal review</strong></li><li><strong>Designate a single point of contact</strong></li><li><strong>Ask Oracle to clarify the scope and basis of its inquiry in writing</strong></li><li><strong>Retain experienced 
outside counsel who have dealt with Oracle before in disputes involving Java licensing</strong></li></ul> <strong> Early discipline can prevent an informal conversation from becoming an expensive compliance dispute.</strong><br /><br /><strong><font color="#3387a2">Conclusion</font></strong><br /><strong><br />Oracle&rsquo;s Java licensing enforcement is no longer passive or occasional. It is systematic, data-driven, and increasingly detached from traditional audit formalities. Organizations that assume Java is low risk&mdash;or that a friendly email requires a friendly response&mdash;are often caught unprepared.<br /><br />Companies that take proactive steps to understand their Java footprint, control deployments, and manage communications are far better positioned to avoid coercive licensing outcomes and unnecessary enterprise-wide subscriptions. However, if your company has already been contacted by Oracle or has shared Java-related data with Oracle, then it is time to retain experienced outside counsel to assist the company in resolving the dispute.&nbsp;&nbsp;<br /><br />Tactical Law has assisted multiple clients to resolve Java licensing disputes with Oracle.</strong><br /><br /></div>]]></content:encoded></item><item><title><![CDATA[Brown v. 
GlobalLogic and Oracle: Key Allegations, Oracle E‑Business Suite, and What It Means for Customers]]></title><link><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/brown-v-globallogic-and-oracle-key-allegations-oracle-e-business-suite-and-what-it-means-for-customers]]></link><comments><![CDATA[https://www.tacticallawgroup.com/oracle-software-audit-blog/brown-v-globallogic-and-oracle-key-allegations-oracle-e-business-suite-and-what-it-means-for-customers#comments]]></comments><pubDate>Thu, 13 Nov 2025 11:51:24 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">https://www.tacticallawgroup.com/oracle-software-audit-blog/brown-v-globallogic-and-oracle-key-allegations-oracle-e-business-suite-and-what-it-means-for-customers</guid><description><![CDATA[By Pam FulmerA new class action filed in the Western District of Texas alleges that GlobalLogic Inc. and Oracle Corporation failed to protect highly sensitive personal information associated with GlobalLogic&rsquo;s workforce. The complaint, brought by a former GlobalLogic employee, ties the incident to a zero&#8209;day vulnerability that affected Oracle E&#8209;Business Suite (EBS), and it raises significant questions for organizations that run HR, payroll, and finance on Oracle&rsquo;s flagshi [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><strong><font size="4">By Pam Fulmer</font><br /><br />A new class action filed in the Western District of Texas alleges that GlobalLogic Inc. and Oracle Corporation failed to protect highly sensitive personal information associated with GlobalLogic&rsquo;s workforce. The complaint, brought by a former GlobalLogic employee, ties the incident to a zero&#8209;day vulnerability that affected Oracle E&#8209;Business Suite (EBS), and it raises significant questions for organizations that run HR, payroll, and finance on Oracle&rsquo;s flagship ERP platform. 
A "zero day" (also written as "0-day") refers to a previously unknown software vulnerability that is discovered and exploited by attackers before the software vendor becomes aware of it and has a chance to develop and release a fix or patch. The term "zero day" comes from the fact that the vendor has had zero days to address and remediate the vulnerability. Below is a concise overview of the allegations, the Oracle software at issue, the timeline, and potential implications for Oracle and its customers.<br /><br /><font color="#3387a2">Who the parties are and where the case was filed</font><br /></strong><ul><li><strong>Plaintiff: Arianna M. Brown, a New York citizen and former GlobalLogic employee, sues on behalf of a proposed nationwide class of individuals whose PII was compromised.&nbsp;(p. 3)</strong></li><li><strong>Defendants: GlobalLogic Inc. (Delaware; principal place of business Santa Clara, CA) and Oracle Corporation (Delaware; principal place of business Austin, TX).&nbsp;(p. 3)</strong></li><li><strong>Jurisdiction/venue: CAFA jurisdiction is alleged; venue is the Austin Division of the Western District of Texas based on Oracle&rsquo;s principal place of business.&nbsp;(p. 3)</strong></li></ul><strong><br /><font color="#3387a2">What Oracle software is involved?</font><br /><br />The complaint squarely focuses on Oracle E&#8209;Business Suite. GlobalLogic allegedly &ldquo;uses Oracle E-Business Suite, a collection of applications, to manage core business functions such as finance, HR, accounts payable and receivable.&rdquo;&nbsp;(p. 2)&nbsp;The plaintiff alleges Oracle issued a security advisory on October 4, 2025 concerning a previously unknown zero&#8209;day exploit, that GlobalLogic determined its Oracle instance was exploited, and that the exfiltrated data came from the Oracle platform hosting HR information.&nbsp;(p. 
7)<br />Based on GlobalLogic&rsquo;s description, the exposed HR data could include names, contact details, dates of birth, nationality and passport information, employee identifiers, SSNs or other national identifiers, salary data, and bank account and routing numbers.&nbsp;(p. 8)&nbsp;For EBS customers, this underscores the sensitivity of the data commonly centralized in HR/payroll modules.<br /><br /><font color="#3387a2">The alleged timeline</font><br /></strong><ul><li><strong>Earliest threat actor activity: July 10, 2025.&nbsp;(p. 7)</strong></li><li><strong>Most recent activity: August 20, 2025.&nbsp;(p. 7)</strong></li><li><strong>Oracle advisory: October 4, 2025 (previously unknown zero&#8209;day).&nbsp;(p. 7)</strong></li><li><strong>Exfiltration identified: October 9, 2025.&nbsp;(p. 7)</strong></li><li><strong>Notification: Began November 7, 2025; at least 10,471 individuals impacted according to a filing with the Maine Attorney General.&nbsp;(p. 8)</strong></li></ul><strong>GlobalLogic states it activated incident response, engaged third&#8209;party cybersecurity experts, notified law enforcement, and applied Oracle&rsquo;s patches upon release.&nbsp;(p. 7)&nbsp;The plaintiff alleges that notification lagged roughly 120 days after initial malicious activity.&nbsp;(p. 8)<br /><br /><font color="#3387a2">Alleged harms and risks</font><br /><br />The plaintiff claims actual misuse (a ~$520 fraudulent debit card charge in or around September 2025), increased spam/scam outreach, and ongoing time and anxiety related to monitoring.&nbsp;(p. 11)&nbsp;The complaint emphasizes continuing risks of identity theft given the breadth of HR data allegedly accessed and notes that the breach notice advised vigilance, fraud alerts, and potential contact with the FTC and law enforcement.&nbsp;(p. 
9)<br /><br /><font color="#3387a2">Theories of liability</font><br /><br />The complaint pleads six causes of action:<br /></strong><ul><li><strong>Negligence: Alleged failure to implement and maintain reasonable security, to detect unauthorized access, to timely notify, and to adhere to industry standards; foreseeability of harm from compromised PII.&nbsp;(p. 22)</strong></li><li><strong>Negligence per se: Alleged violations grounded in Section 5 of the FTC Act and related FTC guidance regarding reasonable data security.&nbsp;(p. 25)</strong></li><li><strong>Breach of Implied Contract: PII provided as a condition of employment, with implied promises (and policy representations) to safeguard and promptly notify; alleged material breach by failing to safeguard and to notify.&nbsp;(p. 27)</strong></li><li><strong>Invasion of Privacy: Highly offensive unauthorized acquisition and disclosure of highly sensitive PII; alleged knowing inadequacy of security and notification delays.&nbsp;(p. 30)</strong></li><li><strong>Unjust Enrichment (pled in the alternative): Defendants allegedly benefited from employees&rsquo; PII and saved costs by underinvesting in security, unjustly retaining the benefit.&nbsp;(p. 32)</strong></li><li><strong>Breach of Fiduciary Duty: Alleged fiduciary obligations to safeguard PII, timely notify, and maintain accurate records; alleged breach through insufficient protection and delay.&nbsp;(p. 33)</strong></li></ul><strong><br />Requested relief includes class certification, damages (including punitive where available), restitution/disgorgement, injunctive and declaratory relief, fees, and interest.&nbsp;(p. 34)<br /><br /><font color="#3387a2">What this could mean for Oracle</font><br /></strong><ul><li><strong>Litigation exposure alongside customers: By naming Oracle, the lawsuit highlights a trend where platform vendors may be sued together with customers when a vulnerability is implicated. 
The complaint asserts that many Oracle customers may have been impacted and that GlobalLogic&rsquo;s Oracle instance was exploited.&nbsp;(p. 8)</strong></li><li><strong>Spotlight on secure development and advisories: Oracle&rsquo;s advisory on October 4, 2025 regarding a previously unknown zero&#8209;day will likely focus discovery on secure development lifecycle, vulnerability disclosure, and emergency patching cadence.&nbsp;(p. 7)</strong></li><li><strong>Shared responsibility debates: Expect arguments about the division of responsibilities between Oracle (code/vendor advisories and patches) and customers (configuration, identity and access management, monitoring, segmentation). The complaint advances broad duty allegations against both companies.&nbsp;(p. 20)</strong></li><li><strong>Contract and representations scrutiny: While the complaint quotes GlobalLogic&rsquo;s privacy policy and recruitment notice to establish data protection representations, plaintiffs may also explore any Oracle contractual terms or security documentation for representations and reliance.&nbsp;(p. 6)</strong></li></ul><strong><br /><font color="#3387a2">Implications and practical steps for Oracle EBS customers</font><br /><br />Given the alleged vector and data at issue, organizations running EBS for HR and finance should consider the following steps:<br /></strong><ul><li><strong>Map and minimize HR data in EBS: Identify exactly which PII elements reside in EBS HR modules and assess encryption at rest/in transit, tokenization options (e.g., SSNs, bank details), data minimization, and retention. The complaint&rsquo;s description of impacted fields illustrates the breadth of sensitive data often centralized in EBS.&nbsp;(p. 
8)</strong></li><li><strong>Accelerate zero&#8209;day response: Establish a rapid pipeline for processing Oracle critical advisories&mdash;triage, exploitability assessment, emergency change windows&mdash;and deploy compensating controls (WAF rules, segmentation) while patching. The timeline suggests adversary activity predating public advisories, reinforcing the need for layered defenses.&nbsp;(p. 7)</strong></li><li><strong>Monitor for exfiltration from EBS: Tune database activity monitoring, DLP, and egress controls to EBS data flows, with alerts for bulk exports or anomalous queries and sufficient logging for forensics. The complaint alleges exfiltration on a particular date, making rapid detection and containment crucial.&nbsp;(p. 7)</strong></li><li><strong>Rehearse breach notification workflows: Coordinate legal, HR, and IT to satisfy multi&#8209;state notification requirements and avoid delays that can exacerbate harm and litigation risk. The complaint flags a roughly 120&#8209;day gap before notices began.&nbsp;(p. 8)</strong></li><li><strong>Revisit vendor contracts and SLAs: Clarify roles and expectations for vulnerability disclosure, patch SLAs, hardening guidance, telemetry, and incident coordination among Oracle, managed service providers, and your team.&nbsp;(p. 7)</strong></li></ul><strong><br /><font color="#3387a2">What to watch procedurally</font><br /><br />Defendants will likely contest class certification and move to dismiss certain claims, particularly around the existence and scope of duties, causation, and damages, and whether Oracle, as a platform vendor, owed duties directly to GlobalLogic&rsquo;s employees. Expect factual disputes over controls in place, detection/notification timelines, and the extent of any misuse. 
The court&rsquo;s treatment of duty and causation in a shared&#8209;responsibility context will be closely watched by Oracle customers and other ERP platform users.<br /><br /><font color="#3387a2">Bottom line</font><br /><br />Brown v. GlobalLogic and Oracle places Oracle E&#8209;Business Suite at the center of a high&#8209;stakes data breach class action and highlights the operational and legal risks when zero&#8209;days intersect with platforms that centralize highly sensitive employee data. Regardless of outcome, the allegations provide a timely reminder to EBS customers to tighten zero&#8209;day preparedness, harden identity and access, monitor for exfiltration, streamline notification workflows, and clarify vendor/customer responsibilities.</strong><br /></div>]]></content:encoded></item></channel></rss>