By Pam Fulmer
Companies suffering through an Oracle software audit are doubtless familiar with Oracle’s overreaches involving an Oracle customer’s use of VMware virtualization software. We have discussed in previous blog posts Oracle’s notorious “Audit Bargain Close” (“ABC”) tactic, and how Oracle uses non-contractual policies to attempt to broaden its contractual rights and claim a huge “shock number” for non-compliance, which it then attempts to leverage against the customer in audit resolution negotiations. We advise our clients to fight against such predatory tactics and to push back hard on all Oracle’s arguments not grounded in the actual contract.
Oracle licensees must pay Oracle a licensing fee when they use the Oracle software. With regard to the processor metric, use is defined by the Oracle license as where the Oracle software is "installed and/or running." Despite this clear and unambiguous language, rather than running audit tools that can detect where Oracle software is installed and/or running in the VMware environment, Oracle's scripts instead grab information and count up servers in the entire VMware cluster. Again this ignores where the Oracle software is actually being used, instead focusing on where it might possibly be used at some speculative date in the future. This is how Oracle calculates its huge "shock number", which it then asserts as the compliance gap seeking to negotiate from there. However, with regard to processors, Oracle has been using the same definition of use since about 2000, well before the advent of widely accepted virtualization technology. And although it has amended its processor definition to include cores, Oracle never amended its processor definition to include speculative future use in a virtualized environment, instead sticking to its definition of use as where Oracle software is "installed and/or running."
A relatively recent lawsuit by health system provider Fairview Healthcare ("Fairview") filed in federal court in Minnesota accuses Quest Software of employing similar improper audit tactics. Fairview accuses Quest of using audit tools "intentionally designed for the bad faith purpose of over-estimating the extent of Fairview’s (and potentially other licensees’) deployment of licensed software, providing a claimed basis for Quest to make an inflated demand for payment of over-deployment fees contrary to the terms of the parties’ agreements." Fairview also alleges in the Complaint that "Quest has become infamous in the software industry for its use of improper audit tactics to pressure its customers to pay inappropriate “over- deployment fees” or to purchase unnecessary additional software licenses and maintenance services—all to increase its revenue without providing any additional services or products."
The Quest license requires that the licensee pay a fee for the use of the Quest software. Fairview contends that the definition of enabled user account similarly anticipates that a license is required for accounts which “use” or are “managed by” the software. However, Fairview claims that the "audit report included any accounts which potentially could interact with the software, without regard to whether those accounts had actually used or interacted with the Active Roles software" resulting in grossly inflated numbers in Quest’s “Reconciliation Summary.” According to Fairview "under Quest’s interpretation of the enabled user account definition, any account in a domain which might potentially be touched by the Active Roles software at some point in the future must be included for purposes of counting over-deployed licenses. This interpretation is illogical and unsupportable."
Our readers will see that both Oracle and Quest are ignoring the plain language of the contract and attempting to claim licensing fees for use that has not actually occurred. Such efforts by software publishers should be strongly resisted by licensees under audit, and licensees should explore whether they have their own claims for unfair trade practices or other causes of action when such predatory tactics are employed.
Fairview also has filed for declaratory relief concerning the identification of the actual governing contract and the interpretation of relevant provisions. We have also seen Quest claim that early licenses granting perpetual licenses were amended by click to agree agreements accompanying updates. Early Quest licenses provided for perpetual licenses and could not be amended unless by a writing signed by both parties. According to the Fairview Complaint the terms of the 2004 SLA explicitly state that the agreement, under which Fairview did purchase licenses, may not be, “modified or amended except by a writing executed by a duly authorized representative of each party" and that "no other act, document, usage or custom shall be deemed to amend or modify this Agreement." Despite this clear and unambiguous language, Fairview claims that Quest is contending that "when Quest made the most recent update of the Active Roles software available to Fairview in 2016, as it was required to do by virtue of Fairview’s purchased licenses, Fairview agreed to the terms contained in the 2015 Software Transaction Agreement (“2015 STA”), a “click-to-accept license agreement” that accompanied the installation of that update (version 6.9) on Fairview’s system."
Over the years Quest has been bought and sold multiple times. We have reviewed many of these licenses and almost every year Quest seems to have amended them to make the terms more favorable to Quest and less favorable to licensees without any additional consideration or true notice to the licensee of the material changes being made to the license. The changes included revisions to important clauses such as governing law and forum selection clauses. These material changes were included in click to accept agreements, associated with annual updates that had already been bought and paid for. We hope that Fairview prevails in its argument that such click to agree agreements executed by low level employees without proper notice of material changes, do not amend the agreements as they do not constitute "a writing executed by a duly authorized representative of both parties."
We wish Fairview well in its fight against Quest's predatory audit tactics. We will continue to monitor the case so check back for periodic updates. The case is Fairview Health Services, Inc. v. Quest Software Inc. and One Identity LLC, Case No. 0:20-cv-01326-SRN-LIB (District of Minnesota).
Sunrise Firefighters' Lawyer Faces Tough Questions From Judge Overseeing Case Against Oracle Defendants
By Pam Fulmer
The lawyer for Plaintiff Sunrise Firefighters was on the hot seat for most of the hearing on Oracle's Motion to Dismiss the Amended Consolidated Class Action Complaint. Judge Freeman appeared skeptical that Plaintiffs have met their pleading burden. Although the Judge acknowledged that Plaintiff had worked hard to revise the Complaint and that some of the revisions were satisfactory, the Court still had some major problems that may result in her ruling to dismiss the lawsuit. There was much back and forth on fine points of securities law, which we won't go into here. Instead, I will focus on what readers of our blog might find interesting.
The Judge seemed to accept that Plaintiffs have established that up to 90% of cloud sales were "engineered sales". However, the Judge said that Plaintiff had failed to establish how much of the engineered sales were a result of discounts, which she had no issue with, or Audit, Bargain, Close ("ABC") sales tactics, which were more problematic. Readers of the business press know that Oracle is notorious in the enterprise software market for its prevalent use of predatory audit tactics against its customers to sell software. Although it is true that Oracle has the absolute right to audit its customers, most Oracle audit clauses provide that the audit cannot unreasonably interfere with the customer's normal business operations. It seems very disruptive to a company's normal business operations to be subject to an invasive, time consuming and oppressive audit where Oracle comes up with a huge compliance gap not grounded in the contract to force its customers into a cloud purchase, which the customer neither needs nor wants, in order to get out from under the audit.
The Oracle defense lawyer argued that if these ABC tactics were so prevalent, why was Plaintiff unable to find a customer that suffered such ABC tactics during the class period to share their experiences in the Amended Complaint? In my opinion, there are several reasons that Oracle customers who have been subjected to predatory audits may not be willing to come forward now. First, is the fear factor. These companies are afraid that if they volunteer information now Oracle will hit them even harder in future audits. Second, who wants to voluntarily get into an expensive war with Oracle now if their audit has been resolved and is behind them? What the courts also need to understand is that many companies have spent years investing in their Oracle infrastructure. Should Oracle retaliate against them by threatening or issuing breach or termination notices if they refuse to buy cloud, their entire business operation would be at risk. Most companies simply won't risk it, and in my opinion Oracle knows that and that is why Oracle has been successful at using oppressive audits to drive unwanted purchases of cloud during the class period.
Plaintiffs' attorney argued that although they didn't include any Oracle customers in the Amended Complaint, they did include several consultants who were unanimous in saying that such ABC engineered deals were ubiquitous in the industry. Oracle's lawyer asserted that such statements constituted layer upon layer of inadmissible hearsay. That may be, but it seem so apparent that an entire Oracle consulting industry has been built around Oracle's predatory audits. Where you see smoke there is likely fire.
Judge Freeman noted that her biggest concern with the Complaint was that Plaintiff has not made the required scienter showing for each individual Defendant. In other words, Plaintiffs had not connected the allegations of falsity to the statements made and the speakers making the statements showing that the speakers knew the statements were false when they were made. Plaintiff pointed out that they had provided a detailed chart with the statements of each individual Defendant and why it was false when made. The Judge noted that she would continue to study the chart but that the key false statements needed to be set forth in the Complaint. The Judge asserted that the Ninth Circuit requires that a litigant must lineup the false statements with the knowledge of the speaker at the time the statement was made and Plaintiff had failed to do so.
At the end of the hearing the Judge noted that she was taking the case under advisement and that she was not issuing a tentative ruling. She did listen carefully to Plaintiffs' scienter arguments and agreed to take another look at them. She noted that these securities class action cases are a big responsibility for a Judge at this stage of the proceedings. She closed by saying the Ninth Circuit does not shy away from long orders, and it will take her a while to rule. If I were a betting person I would put my money on Oracle winning. That is unfortunate as these types of oppressive audits will only end when software publishers are held to account. If you are a company that is currently suffering through an Oracle software audit, or were forced into an unwanted cloud purchase, you may want to consult with us about potential legal strategies for fighting back.
The case is Sunrise Firefighters v. Oracle, et. al. Check back for further updates.
By Pam Fulmer
Judge Hicks granted in part and denied in part Oracle's motion for partial summary judgment on cross use and derivative works. Here Oracle sought partial summary judgment on its first cause of action, copyright infringement, on Rimini’s second affirmative defense (express license) and seventh affirmative defense (fair use), and on Rimini’s first cause of action for declaratory relief. In ruling on this motion, Judge Hicks focused on two specific clients of Oracle, Campbell Soup and City of Eugene, and their Peoplesoft software.
The court concluded that Oracle had established its prima facie case of copyright infringement as it relates to the Campbell Soup environment. According to the Court:
The court next examined whether Rimini had a valid express license defense as it related to making RAM copies of the Oracle software in order to provide support to Campbell Soup. Essentially Rimini as the third party support provider steps into the shoes of Campbell Soup the licensee. But one major requirement of the license is that the updates, fixes and modifications must be for Campbell Soup's "internal information processing". And that is where Rimini hung itself.
Rimini “prototyped” or developed its Patient Protection and Affordable Care Act (“PPACA”) Phase 1 update HCM104286 in Campbell Soup’s environment. But it turned out that Campbell Soup had rejected the update and didn't want to use it. So the court reasoned that if Campbell Soup didn't want the update it could not have been developed for Campbell's internal information processing, and Rimini's use was outside the scope of the license.
Accordingly the Court rejected Rimini's express license defense regarding making RAM copies in this environment.
Express License: Cross Use
The court next examined whether Rimini's use of the HCM104286 update developed in Campbell's development environment was improperly delivered to another Rimini client, Toll Brothers.
Although Rimini argued that the use of of the update created in the Campbell environment and used with another client was only at best a breach of contract and not a copyright infringement, the court rejected that argument. Instead the court found that “internal data processing operations” is a copyright-enforceable condition rather than a contractual covenant and was therefore a copyright infringement because it was outside of the scope of the license. Thus rather than being limited to contract damages, Oracle will be able to realize the full benefits of copyright law at trial.
City of Eugene
Express License: Derivative Works
Oracle argues that Rimini infringed on its exclusive right to create derivative works when
Rimini developed the PPACA Phase 3 update HCM104288. Oracle argued that not only was the individual update a derivative work, but the update as applied to City of Eugene’s environment was also a derivative work. Rimini contended that while the update combined with the development environment may have been a derivative work, the update itself was not and that the development and testing was expressly licensed.
The court rejected Rimini's argument finding that the update was a derivative work and that by using it in City of Eugene's environment as a prototype for other clients, Rimini committed a copyright infringement as the use did not relate to City of Eugene's internal data processing operations. The court expressly rejected Rimini's "know-how" argument.
The court further found that Rimini's cross use of the update developed in the City of Eugene environment also violated the prohibition in the license on no distribution or sale of modifications to the software.
The court again found the "no marketing or sale" provision was a condition and not a covenant making Rimini's use a copyright violation.
Finally, the court rejected Rimini's fair use defense. Weighing each of the four fair use factors, the court found that they were either neutral or weighed in favor of Oracle.
Tactical Law will provide further updates on the court's ruling as they become available.
By: Pam Fulmer
In a 94-page opinion, Nevada Federal District Court Judge Larry Hicks handed Oracle a huge win against arch rival Rimini Street. There are lots of interesting points in the Order that will continue to provide fodder for future blog posts, and I am not intending to cover everything here today. This post will focus on Oracle's "win" involving its cease & desist letter to Rimini barring Rimini from accessing the Oracle support website in order to download patches and updates on behalf of Oracle customers. But first we will describe what has been decided in the motion generally, before we focus in on the legality of Oracle's cease & desist letter.
Both Oracle and Rimini had brought cross-motions for partial summary judgment and the Judge sided with Oracle most of the time giving Oracle key wins on certain claims against Rimini and eliminating certain key Rimini defenses. Oracle filed 5 motions for partial summary judgment and Rimini filed two motions. Both of Rimini's motions were denied. Oracle won its first summary judgment on its cease & desist letter to Rimini outright, and the 4 other motions were both granted and denied in part. This litigation has been extremely hard fought. As the Judge pointed out in his Order, "[this is a massive lawsuit which follows a prior massive lawsuit. Over sixty attorneys have been admitted to represent the two sides in this case alone, approximately thirty for each side, and for the pending seven motions, the briefings exceed 2,800 pages and the supporting exhibits, declarations, and appendices exceed 43,000 pages." It is easy to understand why the motions have been submitted and pending for some time given the scope of what the Judge needed to consider to rule on the motions.
The Judge frames the central issue in the case as follows:
Another key issue in the case concerns a cease & desist letter that Oracle sent to Rimini demanding that Rimini stop downloading updates and patches on behalf of fully licensed Rimini customers. Here is what the Judge had to say on this point:
The court relied on this language and the Facebook case to rule that permission by the Oracle licensee alone was not sufficient to guarantee Rimini's ability to access Oracle's support website. Rimini must also have Oracle's permission for access.
The court also granted Oracle summary judgment on Rimini's claim for intentional interference with contractual relations, but only as it relates to Oracle's cease & desist letter denying access to the Oracle support website. Oracle did not move for summary judgment on Rimini's request for declaratory relief that Oracle interfered with contractual relations by (1) making misrepresentations to Oracle customers that Rimini was acting illegally providing the support in order to try to strong arm the customer into returning to Oracle; and (2) using selective audits to harass Oracle customers who moved their support requirements to Rimini. Those claims for declaratory relief are still alive and have not been adjudicated.
Essentially the Court found that Oracle had an absolute right to deny Rimini access to the support site and thus could not be liable for intentionally interfering with Rimini's contractual relations with its customers.
The court also granted summary judgment on Rimini's Section 17200 claims as they relate to the cease & desist letter under both the unfair and unlawful prongs. Thus that claim is now gone.
Tactical Law will continue to parse this very interesting opinion. Check back for further updates.
Oracle Customers Beware of Potential Legal Risks of Financing ERP Deals Through Oracle Credit Corporation
Readers of our blog know that we are following a very interesting case in San Francisco Superior Court where Barrett Business Services, Inc. (“BBSI”) has sued Oracle for fraud, breach of contract and related claims arising out of a failed ERP installation. One aspect of the case that we have really not blogged on concerns the side litigation involving Key Equipment Finance (“KEF”), arising out of the financing of the ERP deal. Although KEF first brought its Complaint in federal court in Washington, the court there granted BBSI’s motion to dismiss on forum non conveniens grounds and KEF refiled in the San Francisco action involving BBSI and Oracle. When BBSI cross-complained saying that it should not need to pay OCC and its assignee KEF on the financing contract due to Oracle’s fraud and failure to perform, KEF attacked BBSI’s cross-complaint by filing a demurrer (similar to a motion to dismiss in federal court). KEF essentially claimed that as a holder in due course of the assignment, under California law "come hell or high water" BBSI would still need to pay the debt. Last week Judge Ulmer of San Francisco Superior Court overruled the demurrer saying that KEF’s status as a holder in due course under California law is a question of fact that could not be decided on demurrer. According to Judge Ulmer’s Order:
The dispute between KEF and BBSI arose as follows. The ERP contract between BBSI and Oracle was originally financed through an Oracle subsidiary called Oracle Credit Corporation (“OCC”). Sometime after OCC agreed to finance the ERP installation, OCC assigned its rights to receive payment to Key Equipment Finance (“KEF”). Eventually BBSI ceased paying on the financing deal when Oracle failed to deliver the functioning system on time and at the price that it had promised, and KEF brought suit against BBSI to collect the debt arguing that as a holder in due course, BBSI had no right to discontinue payments under the financing contract, even though Oracle did not meet its obligations under the ERP contract. According to KEF’s Complaint:
“Rather than paying out-of-pocket, BBSI opted to finance the purchase of the Oracle America software through a contemporaneous, but separately contracted, payment plan offered by Oracle Credit (the “Payment Plan Agreement” and “Payment Schedule”). As noted in the Ordering Document at Paragraph 18, BBSI was not obliged to sign the Payment Plan Agreement and Payment Schedule; but if it did, the payment terms of the Payment Plan Agreement and Payment Schedule would control. In turn, long before any dispute arose between BBSI and Oracle America, in April 2018, Oracle Credit assigned its rights to the Payment Plan Agreement and Payment Schedule to KEF. The Payment Plan Agreement and Payment Schedule are governed by California law.”
OCC’s assignment of its rights to KEF was not unusual, and OCC seems to be assigning quite a few of these financing deals to third party banking entities. In fact, we have noticed several other assignees of OCC bringing suit recently to collect payments relating to similar financing contracts put together by Oracle and its financing arm, OCC, relating to other Oracle ERP customers. These include several recent suits brought by Banc of America Leasing here in the Bay Area, where we expect that Oracle customers will make similar arguments claiming that they should not have to continue to pay where Oracle either failed to deliver or fraudulently induced the customer into entering into the ERP contract.
Oracle customers who have financed Oracle ERP or other software purchases including Oracle cloud through Oracle’s OCC subsidiary should take note. BBSI’s opposition to KEF’s demurrer does not paint a pretty picture of what Oracle was up to.
“Oracle sought to insulate itself from liability for its misrepresentations through onerous contractual provisions heavily weighted in its favor and then to sever BBSI’s monetary obligations from Oracle’s performance by causing Oracle Credit to assign the subscription agreement to KEF on April 20, 2018.
It was not until June 2018, after Oracle had firmly locked BBSI into a multi-year, multi- million subscription agreement for the HCM Cloud and an implementation agreement with Cognizant, that it was finally disclosed to BBSI that the HCM Cloud was actually riddled with massive design, functionality, interface, integration and performance gaps; that in order to bridge these yawning gaps, customization and implementation would cost $33 million instead of the $5.41 million quoted and that it would take not 1 year but over 2 years to do so.”
Similarly Judge Leighton of the Western District of Washington where KEF had originally filed suit also appeared to recognize the inequities inherent in the Oracle financing deal. In fact in his Order dismissing KEF’s complaint on forum non conveniens grounds, Judge Leighton noted that the arrangement most likely failed for lack of consideration. According to the court:
“[t]his clever arrangement seems designed to subdivide the payment and performance aspects of Oracle’s agreement with Barrett into different contracts, thus ensuring payment even if Oracle fails to deliver the promised services. The result is a disturbingly imbalanced transaction that preserves OCC’s ability to terminate Barrett’s rights to the cloud services if it fails to pay but denies Barrett the same opportunity to avoid payment if Oracle breaches. Unfortunately for Oracle, such an arrangement would likely be illusory or lacking in consideration. See 1 WILLISTON ON CONTRACTS § 4:27 (4th ed.) (contracts are illusory where one party can decide for themselves the nature and extent of performance).” Key Equipment Finance v. Barrett Business Services, Inc., NO. 3:19-cv-05122-RBL, 2019 WL 2491893, (W.D of Washington June 14 2019).”
We were pleased to see that BBSI’s cross-complaint against KEF will go forward, and at least so far Oracle’s “clever arrangement” designed to guarantee payment even where it failed to deliver what it promised, may yet be reviewed by a court.
We will continue to monitor the case, which is Barrett Business Services, Inc. v. Oracle America, Inc. and Cognizant, San Francisco Superior Court, CGC-19-572474 and related cross-claims.
Thryv, Inc. Hits Micro Focus With Texas DJ and Breach of Contract Action over ULA Type Certification
By Pam Fulmer
Those readers who follow the software industry and our blog know that Micro Focus has areputation for its brass knuckles audit tactics deployed against its customers to increase revenues. On a new twist to the Micro Focus audit playbook, Plaintiff Thryv, Inc. ("Thryv") alleges in a new suit that Micro Focus has breached the parties' license agreement and seeks a declaration from the Texas court that it owns certain perpetual licenses arising out of an unlimited license agreement certification process. According to the Complaint Thryv seeks a declaratory judgement "finding that Micro Focus has conveyed perpetual licenses to Thryv under the Agreement consistent with the certification it provided in July 2016, and that Thryv has no further payment obligations under the Agreement." Oracle customers certifying off Unlimited License Agreements ("ULA") may also find this case instructive.
Thryv is a "print and digital marketing company that delivers cloud-based business
software on a subscription basis as well as a host of marketing products to over 400,000 small businesses in the United States." Thryv contends that in late 2014 it "requested a proposal from Micro Focus to supply software for a specific project known as kGen/Monarch." Not knowing the exact configurations for the system, Micro Focus "proposed a "Volume License Addendum (“VLA”), whereby Thryv would be licensed to deploy and use an unlimited amount of specific types of Micro Focus software for a specified period of time." The parties agreed that at the end of the time frame "Thryv was to certify the deployment of the software and Micro Focus would then grant a perpetual license for the actual quantities of software deployed at that time (the “Certification Date”)."
Thryv contends that as the Certification Date approached, and as the contract was vague as to what information would be required, it requested a certification template from Micro Focus. After some delays Micro Focus provided such a template. Thryv claims that "the template was vague and requested information that was not required by the Agreement," and that "Micro Focus did not provide any other information to Thryv on how to complete the certification." The request for information not required by the Agreement is something we see frequently in Oracle ULA certifications. According to the Complaint, "Thryv timely and accurately listed all user counts and core counts that were deployed as of the Certification Date and provided the required certification under the Agreement to Micro Focus. Micro Focus acknowledged receipt of the certification document and indicated in writing that it would contact Thryv when the certification had been reviewed, if it had any questions. Micro Focus did not verify the certification as required by the Agreement. In fact, Micro Focus never contacted Thryv regarding the certification." Thryv alleges that under the Agreement the number of core and user counts specified by Thryv "as of the Certification Date became the maximum entitlement under the perpetual license going forward." Again this is very similar to an Oracle ULA certification.
Thryv contends that in November of 2018, over two years after it completed the certification form, Micro Focus commenced an audit. The Complaint alleges that only In mid-2020, nearly eighteen months after the audit began, "Micro Focus for the first time provided documentation indicating that it had not granted license entitlements for all items listed in the certification." Now Micro Focus claims that it disagrees with Thryv's interpretation of the certification requirements under the contract with Thryv's claimed license entitlement, and that Thryv owes it millions of dollars in licensing fees and back support. Specifically Thryv seeks a "declaratory judgment finding that Micro Focus has conveyed perpetual licenses to Thryv under the Agreement consistent with the certification Thryv provided in July 2016, and that Thryv has no further payment obligations under the Agreement." Thryv also seeks damages of between $200,000 to $1 million, dollars and the recovery of its attorneys' fees pursuant to the license agreement and Texas law.
Certainly a bad fact for Micro Focus is that it never responded to the Certification and apparently gave no indication to Thryv that it did not agree with the user and core count that Thryv had provided, and did not follow-up with any questions concerning the certification. Thryv will no doubt argue that Micro Focus is estopped from changing position now and that it has an express or at least an implied license to use the software given the conduct of Micro Focus.
This is a cautionary tale that American businesses using enterprise software should take note of. Customers certifying off unlimited license agreements involving Oracle, Micro Focus or other software vendors should consider retaining experienced legal counsel to advise them on what the contract requires, and potential risks and how to mitigate those risks involved in the certification process.
Tactical Law will be monitoring the case for further developments. Check our blog for periodic updates about the case. The case is Thryv, Inc. Vs. Micro Focus (Us), Inc., TX District & County - Tarrant District (141st District Court), Case No. 141-319074.
By Pam Fulmer
Recently Rimini filed its opposition to Oracle’s motion for an order to show cause why Rimini should not be held in contempt in the Rimini I litigation. Many of the legal arguments made by Rimini have already been previewed in the briefing on the various motions for summary judgment pending before the court in Rimini II. Below are some observations of some of the key arguments for those following the litigation and this blog.
Rimini claims that it does not host any Oracle software itself but instead accesses the software only from siloed, client hosted and client specific environments. Our readers may remember that the Nevada federal court and the Ninth Circuit took issue with Rimini’s legacy support model (Process 1.0), in which Rimini locally hosted its clients’ software environments on its own systems and used generic development environments to create updates. Rimini contends that under Process 2.0 no copying of Oracle code happens outside of the client’s siloed and specific environments and the client’s Oracle license allows such copying for that client. As a result, Rimini asserts that there is no violation of the injunction in its completely new and redesigned process. As for any objection that the code is copied into RAM, any RAM copies created are not copyright infringement as they are made in the client’s environment, which is fully licensed.
Rimini also asserts that the Process 2.0 was not actually litigated in Rimini I. Rimini argues that where a redesigned process is more than colorably different from that previously adjudicated process, adjudication of that new process in a summary contempt proceeding, which is what Oracle is trying to do, is not appropriate or constitutional. In fact, Rimini filed the Rimini II litigation for the purpose of getting a declaration from the court that its process is legitimate and does not constitute copyright infringement.
Another interesting Oracle argument is that Rimini can’t cross-use what it learns in one customer’s environment to solve a problem in another customer’s environment. Rimini argues that the conduct now accused by Oracle is the re-use of Rimini’s “know-how”, including Rimini work product not containing any Oracle code, gained by performing work for Client A to perform similar work for Client B. Rimini argues that this is not copyright infringement, but Rimini’s own knowledge that cannot be controlled by Oracle. In a heavily redacted Declaration, Rimini’s expert Professor Owen Astrachan has this to say:
Rimini also argues that Oracle’s copyrights have not been infringed as Rimini has not created a derivative work, which would require that Rimini “substantially incorporate protected material from the preexisting work.” That in turn requires that the new work be “substantially similar” to the protected work, requiring a substantial similarity analysis, including analytic dissection, which Rimini argues Oracle has not done. Rimini argues that it is irrelevant that the Rimini file, when later sent to and incorporated into a client’s PeopleSoft environment, causes that modified environment as a whole to become a derivative work (which is licensed and compliant with the injunction) because that does not make the stand-alone file (i.e., something 100% Rimini-created) a derivative work.
Another interesting issue in the litigation that Rimini argues was not litigated and decided in Rimini I involves the issue of cloud hosting. In Rimini I the injunction prohibited Rimini from reproducing, creating derivative works of, or using PeopleSoft software or documentation on, to or from “any computer systems other than a specific licensee’s own computer systems”. This requirement is a creature of the PeopleSoft license and not one of the exclusive rights granted by the Copyright Act. Rimini contends that the client’s cloud account where the software is hosted by Windstream is under the control of the client and thus is compliant with the requirements of the PeopleSoft license, which require the software to be hosted on the client’s “computer systems”. Rimini disputes that the physical hardware in the cloud environment needs to be owned by the client to be part of the client’s “computer systems”, and instead argues that the dispositive issue is control over the virtual environment and not ownership of the physical hardware.
Finally, Rimini argues that it has not violated the part of the injunction prohibiting distribution. For every single file that Oracle alleges Rimini “distributed,” Rimini argues that Oracle does not even contend, let alone prove, that the file contains Oracle code or is substantially similar to an Oracle copyrighted work. Rimini also argues that Oracle software has not been distributed as distribution under the Copyright Act requires proof of several elements, including that the work “changed hands” and that it was disseminated “to the public”, which Rimini claims is not the case here.
Tactical Law will continue to monitor the case. Check back here periodically for updates.
Oracle Hits Rimini With Order to Show Cause Why Rimini Shouldn't Be Held in Contempt For Violating the Injunction
On July 10, 2020, Oracle filed a Motion For an Order To Show Cause Why Rimini Should Not Be Held in Contempt for allegedly violating the Rimini I injunction. Oracle contends that Rimini has violated multiple provisions of the injunction involving its provision of fixes and updates for Oracle's PeopleSoft, J.D. Edwards and Database software products. Oracle contends that Rimini has "cross-used" Oracle software from one customer environment to support another customer in violation of the injunction. Likewise Oracle contends that Rimini has violated the injunction by preparing derivative works in violation of the Nevada court's order. Oracle seeks to bar Rimini from providing further support for its PeopleSoft and J.D. Edwards software product lines. In addition to a bar order, Oracle seeks to impound Rimini's "infringing copies and computer systems". Alternatively if the court declines to impound Rimini's copies and computer systems, then Oracle requests that such copies and systems be put in third party escrow. Oracle customers supported by Rimini may want to keep an eye on the progress of the litigation, and whether Oracle prevails in its motion. Rimini's response to Oracle's motion is due on July 31, 2020, and we will be watching for it.
Although Rimini has not yet filed its Opposition much of what it may say is previewed in various briefs filed in opposition to or in support of summary judgment in the Rimini II litigation. However, so much is redacted from those briefs that it is difficult to follow all of the issues and Rimini's factual assertions.
THIRD PARTY HOSTING
Rimini has opposed Oracle's Motion for Summary Judgment on Rimini's Migration and Windstream Hosting. In Rimini I the court ruled that Rimini could not host its customers' software on its own premises. In order to comply with the Court's ruling, Rimini contends that it moved certain PeopleSoft customer environments out of its own facilities and to third party hosts or clouds, and one of these is Windstream. Oracle contends that the mere act of copying the software to move it to these third party hosting sites was a copyright infringement. Rimini contends it was a fair use to comply with the Court's Order.
Now Oracle also appears to be alleging that for customers with facilities restrictions in their licenses, these customer environments cannot be moved to the cloud or hosted offsite, unless the customer has a physical ownership interest in the building where the software is hosted or owns the computer systems. Rimini claims that this is nonsense, and instead the issue is not who owns the building or computer systems but who exercises control over the software. This seems right to us. According to Rimini:
We look forward to seeing Rimini further flesh out its arguments in its upcoming brief.
Oracle contends that Rimini continues to use the IT environments of a small subset of Rimini customers' to create PeopleSoft updates ("prototype" environment) and then copies the updates into the environments of its other customers ("retrofit" environment). Oracle calls this cross-use and claims it violates the injunction. Rimini pushes back against Oracle's assertions and argues that "cross-use" is not an industry term.
Rimini contends that it now has separate development and QA environments for all clients, which is very different from what the Court found Rimini was doing in Rimini I. According to Rimini:
Although Rimini claims that the facts are different here, the explanation for what is different is redacted, making it hard to assess Rimini's contentions.
Rimini will also likely argue in opposing the Order to Show Cause, that there is no copyright infringement because every Rimini client has a license. And of course, license is a defense to a claim of copyright infringement.
Rimini also argues that contrary to Oracle's assertions it is not creating a derivative work. Citing the Micro Star and Galoob cases, Rimini argues that to constitute a derivative work in the software context, a "work must substantially incorporate protected material from the pre-existing work". Rimini denies that it does so, and expressly claims that the work that Oracle takes issue with is actually Rimini's own work, and does not contain any Oracle code or expression.
To the extent this work product does not contain any Oracle protected expression, Rimini argues that its own work product does not constitute a derivative work.
We look forward to reviewing Rimini's upcoming opposition brief to Oracle's motion. Check back here for future updates about the hotly contested litigation.
Oracle is not the only software company accused of using predatory audit tactics to drive sales of its software products. In 2013 an IBM employee named Paul A. Cimino filed a whistleblower suit under the False Claims Act alleging that IBM used an audit of its customer the Internal Revenue Service ("IRS") to fabricate alleged areas of non-compliance. In 2018 the Complaint was unsealed, and IBM moved quickly to dismiss the Complaint. Unfortunately, the District Court bought IBM's argument that the Complaint did not adequately plead fraud in the inducement, and dismissed the lawsuit. Mr. Cimino appealed to the D.C. Circuit Court of Appeals and the appeal appears to now be fully briefed. I am rooting for Mr. Cimino and his lawyers and truly hope that this injustice can be rectified, if the facts as pleaded are true. Until software companies using predatory and unfair audit tactics to drive software sales are held to account in a court of law, the bad behavior will only get worse.
The facts alleged in the Complaint about IBM's conduct are appalling. According to the Complaint:
Each day we see cases where software companies vastly inflate audit findings in a transparent attempt to obtain leverage over their customers, and force a large software purchase. There are strategies that can be employed before and during the audit to mitigate the risk of such excessive findings. Unfortunately many companies are "penny wise and pound foolish" and don't seek professional help before or during the audit, but instead wait till the issuance of the final audit report. This is a mistake.
Enterprise software customers really need to be proactive in managing their licenses well before the audit notice arrives. And do not let software companies use the audit as a tool to force your company to give up older and perhaps more favorable licenses. In our experience, enterprise software companies sometimes use audits to try to push their customers to migrate from older, more favorable licenses to ones that are better for the licensor. Companies buy perpetual licenses for a reason and should be skeptical of software vendors using inflated audit findings to force a customer to give up valuable contractual rights.
If a software company tells you that they are going to conduct a friendly audit to right size your IT footprint and to optimize your licenses, this should be an immediate red flag. Enterprise software companies are not out to help you, but only to sell more software. Plaintiff here alleges that IBM tried this very trick with the IRS. The IRS also made the mistake of telling IBM too much about its future plans, including that the IRS planned to move off IBM. According to the Complaint, IBM then used this knowledge against the IRS to force it into a new and more expensive contract.
Sometimes software vendors will hire third parties to conduct the audit. And that is what apparently happened here, with IBM hiring Deloitte as the auditor. Oracle on the other hand usually likes to conduct its own audits, through its License Management Services ("LMS") Group.
Before the audit is commenced, the licensee should hammer out the scope of the audit and set some ground rules. Be proactive, take control and most importantly, stand strong. Software vendors do not like squeaky wheels, and prefer easy targets. The more you push back and the harder you make it for the software company, the less likely the software vendor will be to target you in the future.
The Cimino Complaint alleges that the initial audit results found very little in terms of non-compliance. Plaintiff then alleges that IBM "suppressed" these results and "began to look for ways to artificially inflate them". Remember this is an IBM employee who worked on the software deal with the IRS who is making these allegations. According to the Complaint:
We also have observed software companies employing similar tactics during audits. In fact, it is our opinion that this is why Oracle usually comes up with a huge shock number in its Final Audit Report. Oracle does not quantify the shock number in the Final Report but just identifies the number of licenses Oracle claims the customer is under licensed. Oracle leaves it to the licensee to "do the math". In our opinion, this is all part of the Oracle playbook to create leverage for the follow-up by the Oracle Sales Team, which works hand in hand with the Oracle auditors.
The Complaint alleges that in order to avoid paying these penalties, the IRS agreed to enter into a new five-year deal with IBM, at a total cost to the government of $265 million. As a taxpayer and citizen this should be offensive to everyone, if true.
Cimino asserts that the IRS agreed to a new deal with IBM in order to get out from under the audit penalties and the fraudulent audit findings. We see this all the time in our practice. Enterprise software customers will enter into new deals with the software vendor to get out from under the huge "shock and awe" compliance gap. How about an Oracle ULA, anyone? In fact, technical consultants in the industry see the same fact pattern so often that they write extensively about it. Not just private companies fall for this trap. Municipalities and other government agencies also are extremely vulnerable to such tactics.
But in dismissing Cimino's Complaint, the Judge did not find it credible that the IRS would enter into a new and more expensive contract with IBM just to get out from under the audit penalties. Unfortunately the district court judge doesn't understand how these software companies work their customers over during audits. The entire process is designed to strike fear and uncertainty in the hearts of the software customer, and to rush the company into a quick sale to resolve the audit. Also by entering into the new contract with IBM in exchange for having the audit penalties waived, IRS management could basically bury the alleged non-compliance from public view. The penalties would be waived and the IRS would simply be entering into a new enterprise agreement. In other words, nothing to see here and the responsible parties within the IRS would not need to explain to others higher up in the organization or in the federal government why they were allegedly non-compliant. Who in IRS management could predict that an honest employee within the IBM organization itself would be so troubled by the predatory audit practices that he would blow the whistle and file a False Claims Act lawsuit against his employer IBM?
According to the Court, Relator (Cimino) failed to plead causation and to show that the fraudulent audit findings was what induced the IRS to enter into the new contract. As a result, the Court dismissed the Complaint:
Well Judge, you may not believe it, but I do. I think that the Court is wrong here. The Complaint pleads that it was the fraudulent audit findings and the desire to get out from under the audit findings and related penalties that drove the IRS to enter into the new contract. The IRS believed that it was non-compliant in reliance on what IBM and Deloitte were telling them. This is pled clearly in the Complaint. The government in its brief agrees:
In my view, this extremely important whistleblower suit should never have been dismissed at the pleading stage. Cimino should be given the opportunity to take discovery and go forward with his case. Cimino's brief says it best here:
Victims do not always admit they have been defrauded. That rings so true. Give Mr. Cimino his day in court and the chance to prove up his case.
Whether you are a Fortune 500 company or a municipality or governmental entity, you can be a victim of predatory audit practices by aggressive software vendors. We help companies and governmental agencies to fight back against such tactics.
The case is Paul A. Cimino v. International Business Machines Corporation, case number 1:13-cv-00907, in the U.S. District Court for the District of Columbia. Tactical Law will continue to monitor the case. Check our blog for further developments.
By Pam Fulmer
Tactical Law has defended companies being audited by Quest Software, Inc. ("Quest") and has thus far resolved the audits without the necessity of filing litigation. However, we read with interest a recent lawsuit filed by a long time Quest customer alleging that Quest acted in bad faith and engaged in predatory audit tactics during the course of the audit.
Fairview Health Services ("Fairview"), a Minnesota non-profit academic health system hit Quest this week with a declaratory judgment action in federal district court in Minnesota. Sadly, the tale told by Fairview in the Complaint is a familiar one. At the end of 2019 Fairview notified Quest that it was terminating its annual maintenance and support. Almost immediately Quest issued a notice seeking to audit Fairview's use of Quest's Active Roles software. Only two months after Fairview gave notice that it was canceling maintenance and support, Quest produced a "Reconciliation Summary", which purported to find an over deployment of 69,064 licenses above the more than 38,000 license Fairview had purchased from Quest." Quest "claimed Fairview owed a total of $4,183,178.85 in license and "over-deployment fees".
Quest Accused of Bad Faith and Predatory Audit Tactics
Fairview makes some interesting observations on information and belief about Quest's motives, which Quest customers would do well to keep in mind when dealing with Quest. This is not the same company that licensees may have contracted with in the early 2000s, but instead the company has undergone multiple changes in ownership. According to the Complaint:
With almost every change in ownership the governing law of the Quest license agreement seemed to change. We have seen public filings with Quest agreements designating California, Washington and Texas as the governing law. Also, with every new iteration of the license agreement, the terms became more favorable for Quest and less favorable for the licensee. Rather than call these changes out specifically to the customer and request a modification to the contract, Quest appears to have embarked on a sneaky strategy of incorporating major changes in clickwrap agreements, which accompanied their software updates. A big question for the court will be whether these clickwrap agreements somehow superceded or amended the original license agreement, and constituted fair notice to the licensee of major changes to the agreement and a writing signed by duly authorized representatives of both parties. Quest will claim yes, and Fairview will fight that interpretation. Tactical Law has similarly pushed back against such assertions by Quest on behalf of Quest audit customers.
Fairview disputes Quest’s contentions about what constitutes the governing contract and how it can be modified. Fairview points out that the governing agreement is the one it purchased the subject perpetual licenses under, which contains a provision requiring any amendment to be in a writing signed by both parties. This will be a hotly contested issue in the ensuing litigation. Cases involving courts interpreting consent to arbitration agreements may prove instructive.
Fairview asserts that the provisions of the 2004 SLA define software as including "corrections, enhancements, and upgrades to the Software" made pursuant to the Maintenance & Other Services Clause.
Yet Quest has taken the position that when Fairview clicked on the clickwrap agreement accompanying the software updates that somehow changed the governing agreement. In other words, Quest appears to be claiming that it could make major changes to the governing agreement without reasonable notice and without providing the licensee with additional consideration. And Quest is contending that the clickwrap agreement is a writing signed by authorized representatives of both parties.
Allegations of Invasive Audit Tools
Fairview accuses Quest of deploying tools during the audit that impermissibly seek information about Fairview's IT system, which go beyond Fairview's use of the Quest software. According to the Complaint:
This should sound very familiar to Oracle customers who have been targeted with Oracle's prospective licensing assertions involving VMware and the "installed and/or running" language of the processor definition. According to Fairview, Quest's tools sought information about potential interactions with the software but declined to collect data that would show whether those accounts had actually used or interacted with the software. Although we have been informed by technical experts that Quest like Oracle could use tooling capable of detecting where the software has actually been used, Quest and Oracle appear to have no interest in doing so. The reason is apparent. Taking the position that they are entitled to licensing fees for all servers or accounts that might access the software results in the vastly inflated over-deployment numbers about which Fairview complains. These inflated findings are then used as "shock numbers" to create FUD ("fear, uncertainty and doubt") in the heart of the licensee, which can then be used to sell more software and perhaps used as leverage to keep the customer from canceling support. According to the Complaint:
We are of the same opinion about the motivations of software vendors who may use such invasive tools while ignoring data that shows non-use. And it is important that Quest customers realize these overreaches and protect themselves from them during the course of an audit. Licensees should resist turning over confidential information unless it relates to the use of that vendor's software, and the licensor has provided a satisfactory explanation of why they require the information to conduct the audit. Assertions that the vendor always asks for it are irrelevant and do not pass muster. Do not be afraid to probe and question the software company or their auditors as to the relevance of the requested information. And don't let the auditors provide their answers orally. Make them commit in writing, so you have a strong record in the event a dispute arises and you end up in court. A strong record will also help you with negotiating a favorable settlement directly with the licensor. Demand that the auditor specifically identify what provision in the contract entitles them to the requested information. And whatever you do, don't fall for Oracle or Quest relying on policy documents that are not part of the contract as justifications for the request.
The Audit Clause
The language of the 2004 SLA contains an audit clause, which provides that Quest may ask that Fairview verify no more frequently than annually its usage of the software by furnishing a document signed by the Licensee's authorized representative verifying software usage. In addition to demanding the verification, Quest has the right to review Fairview's deployment and use of the software for compliance. The entire clause is focused on current usage and not what may be used in the future. According to the Complaint:
During the course of the Fairview audit, Quest did not request the written verification but instead went right to using its tools to scope out Fairview's IT system. Tools that Fairview contends do not measure actual usage, but instead collect data on how many accounts could potentially access the software in the future. Use of such tools by software auditors should be red flags for the licensee. Ask the auditors exactly what information the tools are collecting and seek to pin the auditors down on what they are seeking and why they are entitled to the information. Misrepresentations about what information the auditor is collecting may be used against the licensor in the event a dispute arises. Again, insist that the auditors provide their answers in writing. Finally, we recommend retaining qualified outside counsel who have the technical experts in place to review the data output prior to sending to the auditors.
Fairview complains that Quest also seeks to take advantage of a phrase "managed by" the software, which is ambiguous and not defined in the contract. Fairview argues that to manage the software at least means that the account must interact with the software in some manner. Fairview should take the position that any ambiguity should be interpreted against Quest the drafter.
When going up against software companies such as Quest and Oracle, it is highly advisable to retain qualified outside counsel familiar with software audits to push back aggressively on any attempted overreaches. Licensees who believe that providing all the information requested by software companies will result in lower over-deployment numbers are in for a rude awakening. Be smart and do not be afraid to stand on your contractual rights.
The case is Fairview Health Services v. Quest Software Inc., Case Number 0:20-CV-01326, venued in the District of Minnesota. Tactical Law will continue to monitor the litigation. Please check back for periodic updates.
Tactical Law Attorneys