Oracle is not the only software company accused of using predatory audit tactics to drive sales of its software products. In 2013 an IBM employee named Paul A. Cimino filed a whistleblower suit under the False Claims Act alleging that IBM used an audit of its customer the Internal Revenue Service ("IRS") to fabricate alleged areas of non-compliance. In 2018 the Complaint was unsealed, and IBM moved quickly to dismiss the Complaint. Unfortunately, the District Court bought IBM's argument that the Complaint did not adequately plead fraud in the inducement, and dismissed the lawsuit. Mr. Cimino appealed to the D.C. Circuit Court of Appeals and the appeal appears to now be fully briefed. I am rooting for Mr. Cimino and his lawyers and truly hope that this injustice can be rectified, if the facts as pleaded are true. Until software companies using predatory and unfair audit tactics to drive software sales are held to account in a court of law, the bad behavior will only get worse.
The facts alleged in the Complaint about IBM's conduct are appalling. According to the Complaint:
Each day we see cases where software companies vastly inflate audit findings in a transparent attempt to obtain leverage over their customers, and force a large software purchase. There are strategies that can be employed before and during the audit to mitigate the risk of such excessive findings. Unfortunately many companies are "penny wise and pound foolish" and don't seek professional help before or during the audit, but instead wait till the issuance of the final audit report. This is a mistake.
Enterprise software customers really need to be proactive in managing their licenses well before the audit notice arrives. And do not let software companies use the audit as a tool to force your company to give up older and perhaps more favorable licenses. In our experience, enterprise software companies sometimes use audits to try to push their customers to migrate from older, more favorable licenses to ones that are better for the licensor. Companies buy perpetual licenses for a reason and should be skeptical of software vendors using inflated audit findings to force a customer to give up valuable contractual rights.
If a software company tells you that they are going to conduct a friendly audit to right size your IT footprint and to optimize your licenses, this should be an immediate red flag. Enterprise software companies are not out to help you, but only to sell more software. Plaintiff here alleges that IBM tried this very trick with the IRS. The IRS also made the mistake of telling IBM too much about its future plans, including that the IRS planned to move off IBM. According to the Complaint, IBM then used this knowledge against the IRS to force it into a new and more expensive contract.
Sometimes software vendors will hire third parties to conduct the audit. And that is what apparently happened here, with IBM hiring Deloitte as the auditor. Oracle on the other hand usually likes to conduct its own audits, through its License Management Services ("LMS") Group.
Before the audit is commenced, the licensee should hammer out the scope of the audit and set some ground rules. Be proactive, take control and most importantly, stand strong. Software vendors do not like squeaky wheels, and prefer easy targets. The more you push back and the harder you make it for the software company, the less likely the software vendor will be to target you in the future.
The Cimino Complaint alleges that the initial audit results found very little in terms of non-compliance. Plaintiff then alleges that IBM "suppressed" these results and "began to look for ways to artificially inflate them". Remember this is an IBM employee who worked on the software deal with the IRS who is making these allegations. According to the Complaint:
We also have observed software companies employing similar tactics during audits. In fact, it is our opinion that this is why Oracle usually comes up with a huge shock number in its Final Audit Report. Oracle does not quantify the shock number in the Final Report but just identifies the number of licenses Oracle claims the customer is under licensed. Oracle leaves it to the licensee to "do the math". In our opinion, this is all part of the Oracle playbook to create leverage for the follow-up by the Oracle Sales Team, which works hand in hand with the Oracle auditors.
The Complaint alleges that in order to avoid paying these penalties, the IRS agreed to enter into a new five-year deal with IBM, at a total cost to the government of $265 million. As a taxpayer and citizen this should be offensive to everyone, if true.
Cimino asserts that the IRS agreed to a new deal with IBM in order to get out from under the audit penalties and the fraudulent audit findings. We see this all the time in our practice. Enterprise software customers will enter into new deals with the software vendor to get out from under the huge "shock and awe" compliance gap. How about an Oracle ULA, anyone? In fact, technical consultants in the industry see the same fact pattern so often that they write extensively about it. Not just private companies fall for this trap. Municipalities and other government agencies also are extremely vulnerable to such tactics.
But in dismissing Cimino's Complaint, the Judge did not find it credible that the IRS would enter into a new and more expensive contract with IBM just to get out from under the audit penalties. Unfortunately the district court judge doesn't understand how these software companies work their customers over during audits. The entire process is designed to strike fear and uncertainty in the hearts of the software customer, and to rush the company into a quick sale to resolve the audit. Also by entering into the new contract with IBM in exchange for having the audit penalties waived, IRS management could basically bury the alleged non-compliance from public view. The penalties would be waived and the IRS would simply be entering into a new enterprise agreement. In other words, nothing to see here and the responsible parties within the IRS would not need to explain to others higher up in the organization or in the federal government why they were allegedly non-compliant. Who in IRS management could predict that an honest employee within the IBM organization itself would be so troubled by the predatory audit practices that he would blow the whistle and file a False Claims Act lawsuit against his employer IBM?
According to the Court, Relator (Cimino) failed to plead causation and to show that the fraudulent audit findings was what induced the IRS to enter into the new contract. As a result, the Court dismissed the Complaint:
Well Judge, you may not believe it, but I do. I think that the Court is wrong here. The Complaint pleads that it was the fraudulent audit findings and the desire to get out from under the audit findings and related penalties that drove the IRS to enter into the new contract. The IRS believed that it was non-compliant in reliance on what IBM and Deloitte were telling them. This is pled clearly in the Complaint. The government in its brief agrees:
In my view, this extremely important whistleblower suit should never have been dismissed at the pleading stage. Cimino should be given the opportunity to take discovery and go forward with his case. Cimino's brief says it best here:
Victims do not always admit they have been defrauded. That rings so true. Give Mr. Cimino his day in court and the chance to prove up his case.
Whether you are a Fortune 500 company or a municipality or governmental entity, you can be a victim of predatory audit practices by aggressive software vendors. We help companies and governmental agencies to fight back against such tactics.
The case is Paul A. Cimino v. International Business Machines Corporation, case number 1:13-cv-00907, in the U.S. District Court for the District of Columbia. Tactical Law will continue to monitor the case. Check our blog for further developments.
By Pam Fulmer
Tactical Law has defended companies being audited by Quest Software, Inc. ("Quest") and has thus far resolved the audits without the necessity of filing litigation. However, we read with interest a recent lawsuit filed by a long time Quest customer alleging that Quest acted in bad faith and engaged in predatory audit tactics during the course of the audit.
Fairview Health Services ("Fairview"), a Minnesota non-profit academic health system hit Quest this week with a declaratory judgment action in federal district court in Minnesota. Sadly, the tale told by Fairview in the Complaint is a familiar one. At the end of 2019 Fairview notified Quest that it was terminating its annual maintenance and support. Almost immediately Quest issued a notice seeking to audit Fairview's use of Quest's Active Roles software. Only two months after Fairview gave notice that it was canceling maintenance and support, Quest produced a "Reconciliation Summary", which purported to find an over deployment of 69,064 licenses above the more than 38,000 license Fairview had purchased from Quest." Quest "claimed Fairview owed a total of $4,183,178.85 in license and "over-deployment fees".
Quest Accused of Bad Faith and Predatory Audit Tactics
Fairview makes some interesting observations on information and belief about Quest's motives, which Quest customers would do well to keep in mind when dealing with Quest. This is not the same company that licensees may have contracted with in the early 2000s, but instead the company has undergone multiple changes in ownership. According to the Complaint:
With almost every change in ownership the governing law of the Quest license agreement seemed to change. We have seen public filings with Quest agreements designating California, Washington and Texas as the governing law. Also, with every new iteration of the license agreement, the terms became more favorable for Quest and less favorable for the licensee. Rather than call these changes out specifically to the customer and request a modification to the contract, Quest appears to have embarked on a sneaky strategy of incorporating major changes in clickwrap agreements, which accompanied their software updates. A big question for the court will be whether these clickwrap agreements somehow superceded or amended the original license agreement, and constituted fair notice to the licensee of major changes to the agreement and a writing signed by duly authorized representatives of both parties. Quest will claim yes, and Fairview will fight that interpretation. Tactical Law has similarly pushed back against such assertions by Quest on behalf of Quest audit customers.
Fairview disputes Quest’s contentions about what constitutes the governing contract and how it can be modified. Fairview points out that the governing agreement is the one it purchased the subject perpetual licenses under, which contains a provision requiring any amendment to be in a writing signed by both parties. This will be a hotly contested issue in the ensuing litigation. Cases involving courts interpreting consent to arbitration agreements may prove instructive.
Fairview asserts that the provisions of the 2004 SLA define software as including "corrections, enhancements, and upgrades to the Software" made pursuant to the Maintenance & Other Services Clause.
Yet Quest has taken the position that when Fairview clicked on the clickwrap agreement accompanying the software updates that somehow changed the governing agreement. In other words, Quest appears to be claiming that it could make major changes to the governing agreement without reasonable notice and without providing the licensee with additional consideration. And Quest is contending that the clickwrap agreement is a writing signed by authorized representatives of both parties.
Allegations of Invasive Audit Tools
Fairview accuses Quest of deploying tools during the audit that impermissibly seek information about Fairview's IT system, which go beyond Fairview's use of the Quest software. According to the Complaint:
This should sound very familiar to Oracle customers who have been targeted with Oracle's prospective licensing assertions involving VMware and the "installed and/or running" language of the processor definition. According to Fairview, Quest's tools sought information about potential interactions with the software but declined to collect data that would show whether those accounts had actually used or interacted with the software. Although we have been informed by technical experts that Quest like Oracle could use tooling capable of detecting where the software has actually been used, Quest and Oracle appear to have no interest in doing so. The reason is apparent. Taking the position that they are entitled to licensing fees for all servers or accounts that might access the software results in the vastly inflated over-deployment numbers about which Fairview complains. These inflated findings are then used as "shock numbers" to create FUD ("fear, uncertainty and doubt") in the heart of the licensee, which can then be used to sell more software and perhaps used as leverage to keep the customer from canceling support. According to the Complaint:
We are of the same opinion about the motivations of software vendors who may use such invasive tools while ignoring data that shows non-use. And it is important that Quest customers realize these overreaches and protect themselves from them during the course of an audit. Licensees should resist turning over confidential information unless it relates to the use of that vendor's software, and the licensor has provided a satisfactory explanation of why they require the information to conduct the audit. Assertions that the vendor always asks for it are irrelevant and do not pass muster. Do not be afraid to probe and question the software company or their auditors as to the relevance of the requested information. And don't let the auditors provide their answers orally. Make them commit in writing, so you have a strong record in the event a dispute arises and you end up in court. A strong record will also help you with negotiating a favorable settlement directly with the licensor. Demand that the auditor specifically identify what provision in the contract entitles them to the requested information. And whatever you do, don't fall for Oracle or Quest relying on policy documents that are not part of the contract as justifications for the request.
The Audit Clause
The language of the 2004 SLA contains an audit clause, which provides that Quest may ask that Fairview verify no more frequently than annually its usage of the software by furnishing a document signed by the Licensee's authorized representative verifying software usage. In addition to demanding the verification, Quest has the right to review Fairview's deployment and use of the software for compliance. The entire clause is focused on current usage and not what may be used in the future. According to the Complaint:
During the course of the Fairview audit, Quest did not request the written verification but instead went right to using its tools to scope out Fairview's IT system. Tools that Fairview contends do not measure actual usage, but instead collect data on how many accounts could potentially access the software in the future. Use of such tools by software auditors should be red flags for the licensee. Ask the auditors exactly what information the tools are collecting and seek to pin the auditors down on what they are seeking and why they are entitled to the information. Misrepresentations about what information the auditor is collecting may be used against the licensor in the event a dispute arises. Again, insist that the auditors provide their answers in writing. Finally, we recommend retaining qualified outside counsel who have the technical experts in place to review the data output prior to sending to the auditors.
Fairview complains that Quest also seeks to take advantage of a phrase "managed by" the software, which is ambiguous and not defined in the contract. Fairview argues that to manage the software at least means that the account must interact with the software in some manner. Fairview should take the position that any ambiguity should be interpreted against Quest the drafter.
When going up against software companies such as Quest and Oracle, it is highly advisable to retain qualified outside counsel familiar with software audits to push back aggressively on any attempted overreaches. Licensees who believe that providing all the information requested by software companies will result in lower over-deployment numbers are in for a rude awakening. Be smart and do not be afraid to stand on your contractual rights.
The case is Fairview Health Services v. Quest Software Inc., Case Number 0:20-CV-01326, venued in the District of Minnesota. Tactical Law will continue to monitor the litigation. Please check back for periodic updates.
By Tactical Law Attorneys and From Time to Time Their Guests