In a software licensing case out of the Court of Federal Claims, Senior Judge Edward J. Damich in Bitmanagement Software GMBH v. The United States followed the direction of the Federal Circuit to look at “actual usage” of Plaintiff’s software, and not the cost of a seat license for each installation when awarding damages. In so doing, the Court rejected Bitmanagement’s arguments that it was entitled to over $155,400,000 in damages and awarded $154,400 in total damages instead. The court found that 635 users actually used the software and that a hypothetical negotiation would have set the royalty rate at $200.00 per user. The court then subtracted the number of licenses in the Navy’s entitlement and found that the Navy was 597 users short and awarded damages thereon.
The facts of the case were very interesting. The software was licensed by the Naval Facilities Engineering Command (“NAVFAC”) from a third-party reseller of Bitmanagement called Planet 9 Studios, Inc. (“Planet 9”) and involved “BS Contact Geo” software. The software enables the visualization of geographic information in third-party hardware and software products and renders realistic terrain and city models and allows a user to position virtual objects using geographic coordinates. Bitmanagement primarily licenses its software via "PC" or "seat" licenses, which allow one installation of the software onto one computer per license. Each copy of the BS Contact Geo software includes both a desktop executable file ("EXE version") and a web browser plugin file ("OCX version"). The EXE component launches the software as a standalone application whereas the OCX component launches the software within a web browser. After using the software for a while, the Navy determined that it wanted to put the software on its Intranet instead of loading it on individual computers and wanted more of a “floating license” model. NAVFAC explained to Planet 9 who then explained to Bitmanagement that Bitmanagement's default licensing scheme was incompatible with the Navy's secure intranet because the Navy could not approve BS Contact Geo if, as was Bitmanagement's normal practice, the end user would be required to contact Bitmanagement for a license key in order to use the program on a particular computer. Bitmanagement responded that it was "open for any licensing scheme that suits the US Navy better" and was "willing to do [its] utmost to enable [another] licensing functionality, if requested." NAVFAC explained that it needed a copy of BS Contact Geo that included the license key and that was not PC-specific because the Navy did not know "what machine(s) the application will be tested on." NAVFAC also noted that the Navy anticipated needing "an initial 15 licenses, with a potential for as many as 100 or more licenses later on." In response, Bitmanagement, through intermediary Planet 9, provided BS Contact Geo to the Navy with two licensing keys that were not PC specific. Also in May 2007, at the Navy's request, Bitmanagement provided the Navy with a "silent installer for BS Contact Geo intended for bulk installations," which, Planet 9 explained to Bitmanagement, was "helpful for an administrator to do installations on a large scale even on remote computers connected via intranet or internet." See Bitmanagement Software GMBH v. United States, 989 F.3d 938, 942 (Fed. Cir. 2021) NAVFAC then engaged in discussions about this new licensing model through Planet 9 who interfaced with Bitmanagement. Bitmanagement was open to this licensing model and the three companies engaged in detailed discussions. NAVFAC explained that it had an existing floating license server tracking application, Flexera, that could be used to track BS Contact Geo with no alterations to the program and that Flexera is a server-based program used to limit the number of simultaneous users of a "Flexera enabled"—or "FlexWrapped"—software based on the number of available licenses. When a user opens a FlexWrapped program, the program alerts the Flexera tracking server that the program is in use. The FlexWrapped program sends a similar alert when the program is no longer in use. The Flexera license manager thus theoretically limits the number of users of FlexWrapped software to the number of licenses that a user owns. Ultimately it was agreed that NAVFAC could use the floating model, but needed to use Flexera, which would control the number of users ensuring that at no time could more users use the software than NAVFAC had licenses for. The agreement was never completely documented in one license agreement signed by all parties. However, the parties’ course of conduct demonstrated that all understood the terms of the agreement. Unfortunately for NAVFAC, it did not ultimately use the Flexera software as it had promised Bitmanagement it would do. In July of 2016 Bitmanagement copyrighted the most recent version of its software and sued the government shortly thereafter. After a six-day bench trial from April 22-29, 2019, the Claims Court held that the government was not liable for copyright infringement. Specifically, the Claims Court found: (1) Bitmanagement made a prima facie case of copyright infringement; and (2) no express agreement granted the Navy a license to install BS Contact Geo on all of the Navy's computers; but (3) the Navy had met its burden to show that Bitmanagement authorized the Navy to copy BS Contact Geo version 8.001 across the Navy's NMCI network of computers finding an implied license. Bitmanagement Software GMBH v. United States, 989 F.3d 938, 945 (Fed. Cir. 2021). Bitmanagement Software GMBH v. United States, 989 F.3d 938, 945 (Fed. Cir. 2021). Bitmanagement appealed the judgment and the Federal Circuit agreed with the lower court that there was an implied license, but that the implied license required as a condition precedent the implementation of the Flexera software. When NAVFAC did not meet the condition, it could not claim the protection of the implied license and thereby committed copyright infringement. The Federal Circuit remanded for the purpose of determining damages. In its opinion the Federal Circuit reasoned that “[b]ecause Bitmanagement's action is against the government, it is entitled only to "reasonable and entire compensation as damages . . ., including the minimum statutory damages as set forth in section 504(c) of title 17, United States Code." 28 U.S.C. § 1498(b). This amount may not include non-compensatory or punitive damages. Gaylord v. United States, 678 F.3d 1339, 1343 (Fed. Cir. 2012) ("Gaylord I"). Contrary to Bitmanagement's argument, it is not entitled to recover the cost of a seat license for each installation. If Bitmanagement chooses not to pursue statutory damages, the proper measure of damages shall be determined by the Navy's actual usage of BS Contact Geo in excess of the limited usage contemplated by the parties' implied license. That analysis should take the form of a hypothetical negotiation. See Gaylord v. United States, 777 F.3d 1363, 1368-72 (Fed. Cir. 2015).” Bitmanagement Software GMBH v. United States, 989 F.3d 938, 951 n.5 (Fed. Cir. 2021) Upon remand and using a hypothetical negotiation, Judge Damich rejected Bitmanagement’s damages claim for $155,400,000 and awarded damages on the basis of NAVFAC’s actual usage for a total of $154,400. Ultimately the court followed the appellate court’s instruction to look at “actual usage” and rejected Plaintiff’s argument that “use” is equivalent “to the number that were copied onto Navy computers and accessed as well as those that were downloaded and available for use”. Rather than using Plaintiff’s number of 600,000 copies made, the lower court on remand found a total of 635 actual users. After subtracting the 38 existing Navy licenses, the court found a royalty base of 597 unique unlicensed users. An amount well short of Bitmanagement’s proposed number. The case is Bitmanagement Software, GMBH v. The United States, Case No. 16-840C-EJD (Court of Federal Claims).
0 Comments
Software publishers collaborating together to develop new software products leveraging the technology of both companies are a potential breeding ground for licensing disputes and resulting litigation. Two software publishers known for their aggressive software audits against their enterprise software customers have ended up in their own dust up relating to a software development program. Recently, IBM Corporation (“IBM”) has sued Micro Focus International plc and Micro Focus (US), Inc. (collectively, “Micro Focus” or “Defendants”) in the Southern District of New York for copyright infringement and breach of contract arising out of an IBM development agreement involving IBM’s PartnerWorld program. IBM accuses Micro Focus of copying IBM’s computer programs without authorization and breaching the parties’ development agreement by using its developer access to undertake such prohibited acts. IBM alleges that Micro Focus created the Micro Focus Enterprise Suite by copying IBM’s copyrighted Works, and that Micro Focus promotes and uses the pirated software for financial gain, and in brazen disregard of IBM’s intellectual property rights and Micro Focus’s contractual obligations to IBM.
According to the Complaint, Micro Focus created software called Micro Focus Enterprise Server and Micro Focus Enterprise Developer by using its developer access to copy IBM’s CICS Transaction Server for z/OS (“CICS® TS”) software. IBM offers a general-purpose application server and transaction processing subsystem called the CICS Transaction Server for z/OS, or “CICS® TS,” for its z/OS® operating system environment. IBM holds the copyrights for CICS® TS (the “Works”). IBM claims that the Works feature uniquely expressed source code, object code, structure, architecture, modules, algorithms, data structures, and control instructions, and are creative computer programs, which were the result of IBM’s engineering discretion and substantial skills, resources, and creative energies. The Complaint alleges that the Works also are of great value to IBM and remain integral to the daily business operations of much of IBM’s mainframe system customer base. According to IBM, the developers who participate in the IBM PartnerWorld program (“PartnerWorld”) agree to the IBM PartnerWorld Agreement and Value Package Attachment (the “PartnerWorld Agreement”). IBM contends that along with other agreements, the PartnerWorld Agreement sets the terms under which developers are permitted to use IBM’s computer programs. These terms ensure that IBM and its developers are aligned in their goals: to promote innovative solutions for their mutual customers. IBM’s z/OPD Developer Discount Program (“Developer Discount Program”) similarly provides benefits to third party developers and grants them access to IBM’s valuable mainframe software. Participants in the Developer Discount Program receive access to IBM copyrighted software, including the Works. In exchange, IBM’s developers agree to three different agreements detailing the limited scope of their access and use: (1) IBM’s Client Relationship Agreement (the “CRA”); (2) Attachment for Developer Discount – IBM Z (the “CRA Attachment”); and (3) Addendum to the Attachment for Developer Discount for IBM Z (the “CRA Addendum”). None of these agreements are attached to the Complaint IBM asserts that through these agreements, participants in the Developer Discount Program agree to comply with the terms of the limited license granted to them, and “not us[e] any of the elements of the Program or related licensed material separately from the Program.” Participants are prohibited from “reverse assembling, reverse compiling, translating, or reverse engineering the Program” and making derivative works based on IBM’s software. Further, IBM’s developers promise to use their exclusive access to IBM software for the mutual benefit of the parties and their customers. IBM claims that Micro Focus violated these agreements by copying elements of IBM’s copyrighted Works to create a derivative work in at least Micro Focus Enterprise Developer and Micro Focus Enterprise Server. IBM argues that there is no way such extensive similarity could arise through attempts to meet similar functional requirements, or as a result of coincidence, and that the striking similarities indicate that Micro Focus reverse engineered at least a portion of the CICS® TS software in contravention of Micro Focus’s various contractual obligations to IBM. As a result, IBM terminated Micro Focus’s involvement in the Developer Discount Program by sending a Notice of Non-Renewal on May 31, 2021, and Micro Focus’s membership ended by August 31, 2022. IBM is seeking preliminary and permanent injunctive relief, a finding that Micro Focus infringed its copyrights and breached the development related licensing agreements. IBM also seeks an award of damages and an accounting from Micro Focus, as well as the award of attorneys’ fees and costs. The case is IBM Corporation v. Micro Focus (US), Inc., et. al, venued in the Southern District of New York. Tactical Law will continue to monitor the case. Check back for updates. By Pam Fulmer
Recently PC Connection, Inc. (“Connection”), a seller of IT solutions to governmental entities and small, medium and enterprise companies, sued International Business Machines, Inc. (“IBM”) in New Hampshire federal district court in a fraud and breach of contract action arising out of a failed ERP implementation. Connection alleges that IBM touted its experience as an implementation partner for J.D. Edwards software and recommended that Connection move off of its legacy ERP system into a more recent release. Connection alleges that although IBM represented that it could complete the implementation within 17 months, at a cost of $9.2 million, it completely failed to stay within these estimates. Instead, IBM sought to inflate the contract price by claiming that certain of the fixes were out of scope and would require change orders, which also resulted in significant additional delays. According to the complaint, Connections relied on its existing ERP system which was a J.D. Edwards (“JDE”) system known as “JDE World” for virtually all aspects of its business. As such, the system was absolutely critical to the smooth functioning of the company. JDE subsequently was acquired by Oracle, which continued to support legacy JDE systems while also releasing new software systems. One such system was called Enterprise One (“E1”). The complaint alleges that IBM as a vendor and consultant to Connection began advising the company on upgrading to a new ERP system as early as 2013. As part of that consulting work, IBM recommend that Connection upgrade to E1, which IBM claimed would be faster and less costly to implement than other systems. Connection emphasized to IBM that should it move forward with a new ERP system, the system had to maintain the mission-critical functionality of JDE World, and that the implementation to a new system had to be completed without disrupting Connection’s operations and its ability to service customers. Instead, according to the complaint, “[u]sing a playbook that has resulted in IBM being named in a slew of lawsuits over alleged misrepresentations made in connection with failed ERP implementations, IBM sold itself to Connection by holding itself out as a leading expert in managing similar, global projects concerning the implementation of new JDE systems. IBM claimed to have extensive experience both in helping companies like Connection to assess their business needs and select an ERP system to meet those needs, and in successfully implementing JDE upgrades”. Connection alleges that these representations turned out to be false. Connection green lighted the project and IBM next embarked on a “Discovery Assessment” to develop a project plan for implementation of the JDE upgrade. The complaint alleges that: IBM billed Connection over $600,000 to conduct the Discovery Assessment. Following the Assessment, IBM represented to Connection that IBM had thoroughly analyzed, and understood, the Company’s requirements for its ERP system, and had determined that a “vanilla” upgrade that leveraged “out of the box” E1 software was suitable for Connection. IBM further represented that it had determined, through its investigation, that the E1 platform would not require extensive customizations to provide the functionality offered by JDE World, and that IBM therefore had determined it could complete the implementation project within 17 months at a cost of $9.2 million. Connection alleges that at the time that IBM made these representations it knew them to be false, and that IBM knew instead that the solution would require much more customization. A common problem we see in ERP vendor and implementation partner disputes is the quality of the team deployed for the customer. In short ERP customers are promised the competent “A” team, and instead they get a team that is inexperienced, often located outside of the United States and not up to the task at hand. And that is exactly what Connection alleges here. Rather than the deep knowledge and expertise that IBM had represented it had with regard to implementing E1, the IBM team that was assigned to the project actually had little or no experience with E1. According to the complaint: When it was obvious the E1 problems could not be dismissed as mere “glitches,” IBM promised Connection that it would devote whatever resources were necessary to fix the system and complete the implementation. Specifically, IBM said it would dispatch a so-called “Red Team” comprised of IBM’s most skilled technicians. The “Red Team” never appeared. Instead, IBM assigned the same individuals who had worked on the project, ineffectively, before go-live. IBM shifted most of the burden of undertaking the repairs onto Connection; work that IBM did undertake was assigned to off-shore consultants. An important lesson is to pin down the ERP vendor and implementation partner prior to the execution of the contract, to identify the actual team members, and to ensure that the ERP customer indeed does get the “A” team. Otherwise, the ERP provider and implementation partner promise the sun, the moon and the stars, but ultimately choose to save money by bringing in an offshore team, without the promised experience. And often communication barriers result, as the foreign team cannot communicate adequately in the English language. Connection also alleges that IBM botched the project when it pressed its customer to go live before the solution was really ready for prime time. According to the complaint: In May 2020 IBM represented to Connection that the system was ready for go- live, when IBM knew or should have known that the E1 implementation was not close to completion. IBM’s lead consultants, repeatedly told Connection’s CEO and other executives that the Company’s greatest weakness was its fear of risk, that it had to “rip off the band-aide” and go-live, and that any remaining issues with the E1 system could easily be resolved post go-live through simple “workarounds.” (emphasis added) Hours after the go-live process began on May 15, 2020, critical components of the E1 system within IBM’s responsibility did not function properly or at all. Whereas IBM had represented to Connection that a “roll-back plan” – meaning a plan to revert to JDE World – would be available if problems arose during the transition, IBM did not deliver such a plan. Therefore, as system defects emerged, Connection could not revert to World. Ultimately, the workarounds provided by IBM failed and Connection was forced to spend millions of dollars including $3 million in additional fees to IBM, as well as allocating tens of thousands of manhours of Connection personnel to remediate the defects. Connection also alleges that in order to complete the E1 implementation, it was forced to replace IBM with another implementation partner, at significant additional expense. Connection’s Complaint includes claims for breach of contract, contractual indemnification, breach of the duty of good faith and fair dealing, negligence/professional negligence, fraudulent inducement, fraudulent misrepresentation, negligent misrepresentation, and breach of the New Hampshire Consumer Protection Act. As of the time this blog post was published, IBM had not yet responded to the complaint. Tactical Law will continue to monitor the case. Please check back for further updates. By Pam Fulmer
In our software audit defense practice, we often see in-house counsel advising their client under audit for much of the audit process, without bringing in outside counsel skilled in software audit defense such as Tactical Law. This decision to “go it alone” by Oracle customers in particular may be risky in the event Oracle sues the customer in federal court in California for breach of contract and copyright infringement arising out of an Oracle audit. That is because most Oracle license agreements contain California dispute resolution provisions. California is in the Ninth Circuit, and the Ninth Circuit’s law on when attorney-client privilege applies to in-house lawyers advising their clients is not very protective of the privilege, especially as compared to other circuits. That is because the Ninth Circuit held in the In Re Grand Jury case that “the primary-purpose test applies to attorney-client privilege claims for dual- purpose communications” between in-house counsel and their clients. So, in the Ninth Circuit in order for the privilege to apply to a communication from in-house counsel to a businessperson at the company, the primary purpose of the communication must be legal advice. It is not enough that a purpose of the communication is legal advice. What does this mean for Oracle licensee’s litigating against Oracle in federal court in California? In the event of litigation, Oracle would most likely seek discovery on internal company communications regarding the audit and its findings, including in-house assessments as to the Oracle licensee’s view of its potential exposure, and any admissions of non-compliance. If in-house counsel in advising her client has wrapped in with the legal advice, other related issues which could be viewed as purely business advice, then it is likely that a federal court applying In Re Grand Jury could find that the communication is not privileged, and order that the communication be produced. This could be an absolute disaster of course, especially since Oracle licensees often opt to hire outside licensing consultants to assist with the audit, and Oracle may argue that communications with these consultants even where in house counsel are involved are not privileged because the in-house counsel was wearing their business and not their legal hats when they offered the advice. And of course, any claim of privilege could be weakened even further if the consultants were hired by the business and not the law department. So, the safest course by far is to hire outside counsel to advise on the audit, and allow outside counsel to retain expert consultants to assist in rendering legal advice and to advise the client on legal strategies to push back on audit findings. Oracle auditors are very aggressive and commonly rely on their non-contractual VMware arguments based on Oracle’s Partitioning Policy (among other arguments) to inflate audit findings. As a result, any Oracle customer under audit should anticipate that litigation is a real possibility, especially as Oracle will use hard ball tactics such as threats of license termination and actual breach notices to have its way with Oracle customers. Oracle customers who follow this advice will be in the best position to push back on Oracle, because the Oracle Legal Department mostly advises the Oracle Business on audit related matters, and only rarely does it appear that they bring in outside counsel and usually only for the most contentious audits. As a result, in the event of actual litigation, Oracle customers who protect themselves by hiring outside counsel early, are in the best position to use the Ninth Circuit In Re Grand Jury case against Oracle in discovery proceedings, and to argue that it is the Oracle communications around the audit that may not be privileged, as the Oracle lawyers were wearing their business and not their legal hats in rendering the advice to their client. Oracle of course will resist such discovery, but Oracle does run a risk as their in-house lawyers appear to be intimately involved in the business advice, as well as the legal advice. Recently, the Supreme Court of the United States has granted cert and has taken up the invitation by the U.S. Chamber of Commerce who filed an amicus brief asking the Court to resolve the circuit split involving what test should govern the privilege protections applying to dual purpose client communications with attorneys. Right now, there are three circuit tests: Ninth, D.C., and Seventh Circuit. The D.C. Circuit is the most lenient allowing protection where “a purpose” of the communication is to render legal advice. As discussed above, the Ninth Circuit requires that “the purpose” of the communication be to render legal advice, and not simply "a purpose". The Seventh Circuit is the most restrictive test, and finds that dual communications are not privileged as they do not involve purely legal advice. Obviously, the implications of this split involve much more than software audit defense. The split should be clarified, and one rule should govern, although hopefully not the Ninth Circuit rule. Otherwise, in-house counsel and their clients are put in an impossible situation. As the U.S. Chamber of Commerce noted in its brief: Businesses often rely on their counsel to serve a variety of legal and non-legal roles. And predictability as to the confidentiality of communications with counsel is paramount to ensuring frank and open disclosure to, and proper legal advice from, counsel. Such predictability is especially critical for businesses that operate across jurisdictions and for small businesses that rely on a limited number of employees to perform a wide array of functions. The disagreement among the courts of appeals regarding the proper test for determining whether dualpurpose communications are privileged creates uncertainty. And this uncertainty hinders the business community's ability to operate effectively and efficiently. I also thought that these passages really hit the nail on the head: The practical import of the Ninth Circuit's standard is that businesses and non-lawyers will be less likely to seek legal advice, especially from in-house counsel. Even when an employee with a clear purpose of seeking legal advice communicates with an attorney, if a court later determines that a non-legal purpose was predominant in the employee's mind, the communication will be discoverable. The same holds true if a lawyer responds with legal advice but also includes a greater amount of business advice. Given this cloud that hangs over dual-purpose communications under the Ninth Circuit's standard, the client may choose not to communicate with the attorney at all. [T]he Ninth Circuit's single-purpose standard imposes additional costs on the business community. Only granting privilege protections to communications where legal advice was the primary purpose guarantees inefficiency. Communications with lawyers will need to become siloed, with information needlessly repeated or lost in the process. In-house counsel, whose responsibilities often include a multitude of non-legal tasks, will be marginalized and provide less value to their employers. [citations omitted]. Indeed, companies may decide to opt for the advice of outside counsel more frequently because they traditionally perform more discrete roles that are easier to cabin. [citations omitted] In short, the Supreme Court should clarify the rule. But until they do, for companies facing software audits and especially Oracle audits, the safest bet is to retain outside counsel to advise on the matter. Tactical Law advises companies across the United States in software audits, including those involving the licensing of Oracle software. By Pam Fulmer
Broadcom has announced that it is acquiring VMware for $61 billion. What will this mean for VMware customers? Tactical Law has no crystal ball, but we do know that VMware customers are increasingly being audited, and aggressive software audit tactics have recently been reported by companies under audit. Although VMware has always conducted software audits, they were known for a kinder and more gentle approach, then say Oracle or Micro Focus. Not so much anymore. Instead some business commentators have noted that Broadcom's CEO Hock Tan’s "previous pattern of buying up software companies like CA Technologies and Symantec will repeat itself with the VMware purchase, with a heavy-handed focus on producing profits favored by investors that could include cutting operating expenses and research dollars and raising prices on customers." One way that software publishers increase their profits is by conducting software audits. And that is what the market is seeing in the case of VMware, and the acquisition has not even closed yet. We predict that VMware customers will see more audits in the coming months. Now is the time to get prepared. The Covid pandemic hit suddenly and forced companies to quickly provide a technology solution so that employees could work remotely from home. Unfortunately the imperative to move fast meant that for many companies remote working technologies were deployed first, without determining whether such use was allowed by the relevant license agreement. Now those decisions are coming home to roost, as non-compliance is exposed by software audits. If you have received an audit notice or an adverse non-compliance finding while being audited by VMware, our software licensing dispute attorneys can help. Check back for further updates about VMware's new audit tactics. By Dee Ware
If you are considering entering into an agreement for Oracle/NetSuite (“NetSuite”) Enterprise Resource Planning (“ERP”) software and/or professional services, it is important to check, download, store and read all web pages referenced in the Estimate, Ordering Document, Statement of Work, and any other document provided by NetSuite. NetSuite is likely betting that you will not read or negotiate any of the terms contained in this incorporated material. And, as discussed below, you will definitely want to! Even though often not in blue typeface or underlined, some of the web addresses referenced in the contract documents may be hyperlinks. We advise to click on all addresses. If it is indeed a hyperlink, make sure to save the external page that it links to as this material may not be readily available in the future. The same holds true for other referenced web addresses. This material is usually incorporated into the contract documents and thereby made part of the agreement with NetSuite. Also, you should verify that the date of the referenced material matches what is stated in your contract document(s). That is, if the draft agreement that your company has received from NetSuite says that it is governed by the Subscription Services Agreement v020121, but the link takes you to a Subscription Services Agreement ("SSA") with a different version date, you will want to either get a copy of the version with a matching date to review or ask NetSuite to correct the contract documents. We also cannot emphasize enough the importance of reading what is contained in the referenced material on the NetSuite website before you sign on the dotted line as the terms are likely one-sided. As of the date of writing this blog post, the NetSuite website states that “[i]f your order is placed on or after July 20, 2022 and references the Subscription Services Agreement available at https://www.oracle.com/corporate/contracts/cloud-services/netsuite/, then the June 1, 2022 version of the Subscription Services Agreement applies to that order.” That version of the SSA contains additional hyperlinks (all of which should also be downloaded and reviewed) and, as just a limited example, provides:
These terms and others may be important to your company’s decision-making process, as well as down the road should something go awry. By Pam Fulmer
Well respected San Francisco Plaintiffs’ firm Lieff Cabraser Heimann & Bertstein LLP (“Lieff Cabraser”) has hit Oracle America, Inc. with a massive class action lawsuit alleging several data privacy-based claims including Invasion of Privacy under the California Constitution, Intrusion Upon Seclusion under the common law, violation of Business & Professions Code Section 17200, violation of the California Invasion of Privacy Act and the Federal Wiretap Act, and Unjust Enrichment. Plaintiffs seek a declaratory judgment on behalf of the class that Oracle wrongfully accessed, collected, stored, disclosed, sold and otherwise improperly used private data. Plaintiffs also seek injunctive relief. Outing Oracle as one of the largest data brokers in the world, Plaintiffs paint a grim picture of how Oracle has used its software across the Internet to collect, track and identify consumers, without giving those consumers notice that the information is being collected and the ability to object. The lawsuit alleges that Oracle’s improper use of the most private data of American consumers will only get worse now that Oracle has acquired Cerner and will begin collecting health data as well. The 71-page Complaint alleges that “the regularly conducted business practices” of Oracle amount to a “deliberate and purposeful surveillance of the general population via their digital and online existence.” Claiming that Oracle is “one of the world’s largest data brokers” Plaintiffs allege that “[i]n the course of functioning as a worldwide data broker, Oracle has created a network that tracks in real-time and records indefinitely the personal information of hundreds of millions of people” and that “Oracle sells this detailed personal information to third parties, either directly, or through its “ID Graph” and other related products and services derived from this data.” Plaintiffs further claim that the proposed Classes “lack a direct relationship with Oracle and have no reasonable or practical basis upon which they could legally consent to Oracle’s surveillance.” Complaint ¶1. Plaintiffs assert that as a data broker Oracle “facilitates the buying and selling of digital data, including personal information, among private commercial and governmental entities” and “operates a data management platform called the BlueKai Data Management Platform, which includes two key features: the Oracle Data Marketplace and the Oracle ID Graph. The Oracle Data Marketplace is one of the world’s largest, if not the largest, commercial data exchange, with a broad impact upon the lives of most Americans and many millions of people worldwide.” Citing to Oracle’s own marketing claims, the Complaint recites that “[t]he Oracle ID Graph helps marketers connect identities across disparate marketing channels and devices to one customer. Powered by the Oracle Marketing Cloud and Oracle Data Cloud, the Oracle ID Graph seamlessly pulls together the many IDs across marketing channels and devices that comprise a given person, enabling marketers to tie their interactions to an actionable customer profile. This ID enables the marketer to orchestrate a relevant, personalized experience for each individual across marketing channels and device types.” Plaintiffs accuse Oracle’s business model of having “long roots in the surveillance of ordinary citizens” and claims that “surveillance is central to Oracle’s history and development, and to its current business and marketing plan.” Complaint ¶21. According to the Complaint: “Oracle collects many types of personal information from Internet users including concrete identifiers such as names, home and work addresses, e-mail addresses, and telephone numbers. Oracle also amasses data about peoples’ behavior, including the sites they visit online, their digital and offline purchases, where they shop, and how they pay for their purchases. Oracle gathers this personal information from a suite of its own Internet technologies, including cookies, tracking pixels, device identification, cross-device tracking, as well as from its acquisition of data from other parties. Oracle then processes, analyzes, and monetizes this data.” Complaint ¶27. Plaintiffs further allege that: “Oracle, its partners, and its customers work in parallel to compile personal data and associate that data with specific individuals, effectively creating “dossiers” on people across the world. Oracle accomplishes its dossier building through its multifarious business practices, including not only the functionality of the ID Graph that connects, unifies, and then associates data to a person into a “profile,” but also the functioning of the Oracle Data Marketplace. Oracle’s Data Marketplace is an online store owned and operated by Oracle where Oracle facilitates the buying and selling of data and data-derived services by Oracle and its so-called “premier partners” to private commercial and governmental entities. The Data Marketplace allows the confluence of mass amounts of personal data by which its participants, including Oracle, can continually track people’s activities and enrich people’s dossiers.” Oracle clients utilizing the technology include not only private businesses but “also political campaigns and government agencies seeking to surveil, investigate, or target particular individuals with propaganda” and Oracle markets directly to these public agencies and political parties”, referring to them as “Public Sector Customers.” Complaint at ¶69. According to the Complaint “political campaigns now have “needle-in-the-haystack capabilities” to “microtarget voters on all their devices” using personal information sold by data brokers.” The Complaint claims that during the 2016 election the Trump campaign, “built a 220 million–person database of voter information named “Project Alamo” using Datalogix, a data collection platform owned by Oracle.” Plaintiffs allege that Project Alamo facilitated the Trump campaign’s voter suppression initiatives including highly targeted political advertising to African Americans, white women, and young white liberals in 16 swing states, several of which were narrowly won by Trump” and that through “Project Alamo’s voter suppression efforts, it is estimated that 2 million black voters who voted in 2012 did not vote in 2016.” Complaint ¶70. The Complaint likewise alleges that “in the wake of Dobbs v. Jackson Women’s Health Organization, No. 19-1392, 142 S. Ct. 2228 (2022), the threat data brokers like Oracle pose to the privacy of individuals seeking information about abortions is significantly magnified” and that Oracle’s “trackers on the websites of nonprofits providing abortion resources and services, including Planned Parenthood… may have had their personal information tracked and compiled by Oracle, which Oracle may then make available to law enforcement officials.” Complaint ¶ 81. The Complaint also raises the alarm regarding Oracle’s “$28.3 billion acquisition of electronic health record company Cerner” finding the acquisition “[c]onsistent with Oracle’s plan of engaging in wide-ranging surveillance of the intimate health details of all Americans.” In that regard, “Oracle’s Larry Ellison has announced Oracle’s plan to build “a unified national health records database,” which it is effectuating through its software. According to Oracle’s Ellison, the company is “building a system where the health records [of] all American citizens[] . . . not only exist at the hospital level but also are in a unified national health records database,” apparently to be maintained and controlled by Oracle. Complaint ¶ 82. Finally, the Complaint alleges that: “Oracle sits atop a complex data collection and processing apparatus feeding its labyrinthine multinational data marketplace, making it impossible for ordinary persons to reasonably understand the true purpose and extent of Oracle’s data collection, compiling of digital dossiers, and other data exploitation practices, which are opaque, if not invisible, to ordinary data subjects. Given the complexity and disguised nature of Oracle’s collection and use of personal information, and the lack of any direct relationship between Oracle and the Plaintiffs and Class members, there is no reasonable basis for Plaintiffs and the Class members to know the extent to which Oracle is obtaining their data, tracking them, and selling their data or services derived from their data. Complaint ¶ 86. Our prediction is that Big Red is going to be busy fighting this one for a while. Tactical Law will continue to monitor the case, which is Michael Katz-Lacabe, Dr. Jennifer Golbeck and Dr. Johnny Ryan v. Oracle America, Inc., Northern District of California, Case Number 3:22-cv-04792. Check back for updates. By Pam Fulmer
We have been following a very interesting licensing dispute filed in the Eastern District of New York by Tibco Software Inc. (“TIBCO”) against OptumRx Administrative Services, LLC (“OptumRx”). According to TIBCO’s Second Amended Complaint (“SAC”) its “software facilitates the analysis of data and/or the transfer of data, particularly between software platforms that would otherwise not be able to communicate with one another”. TIBCO is no stranger to litigation arising out of software audits and has filed several lawsuits over the years against its customers for breach of license agreement and copyright infringement related to a software audit. TIBCO alleges that the agreement at the center of the licensing dispute is an Enterprise Agreement. TIBCO’s Enterprise Agreement is similar in certain respects to Oracle’s Unlimited License Agreement (“ULA”). Under each agreement a licensee may sign up for a certain fixed period of time and deploy as many copies as it wants of the licensed software within its IT environment. At the end of the fixed period, here three years, the licensee certifies the number of copies of the software it is using in its environment and that amount becomes its fixed perpetual license entitlement. The parties agreed to additional payment and other terms in the event that an “Extraordinary Corporate Event” occurred during the period of the Enterprise Agreement. An “Extraordinary Corporate Event” was defined as “a corporate transaction which results in Customer acquiring, being acquired by, merged, or otherwise combined with another entity or into another entity's legal or corporate structure (including an acquisition of all or substantially all of the assets of another entity) which, prior to the corporate transaction, was not part of the Customer or its legal or corporate structure.” According to the contract: “During the Enterprise Term, Customer’s right to deploy shall not extend to any Extraordinary Corporate Event unless the process in Section 3 of this Order is followed. For clarity, the process stated in Section 3 will only be applicable if Customer experiences an Extraordinary Corporate Event as defined below and if the new corporate entity (which is not part of the legacy Customer entity) wants to deploy Software pursuant to this Order Form.” (emphasis added) If an Extraordinary Corporate Event occurred during the term, then OptumRx would need to execute a new Order Form and under certain circumstances pay additional licensing fees to TIBCO based on the amount of annual revenues of the acquired companies, which would be deploying the software. “In the event Customer enters into an Extraordinary Corporate Event during the Enterprise Term, it can accommodate additional usage of the Software licensed under this Order Form by executing a subsequent Order Form with Licensor in accordance with pricing schedule stated below (a “Future Order”) provided: (i) the Future Order must represent a binding non-cancelable commitment on the part of Customer with no additional terms and conditions, (ii) Customer must deliver the signed Order Form for the Future Order (substantially in the form set forth herein) to Licensor on or before three (3) years from the Order Form Effective Date, (iii) the Software is still generally available as of the date of the Future Order, and (iv) Customer agrees to purchase the first year annual Silver level Maintenance relating to the Future Order. For the avoidance of doubt, no Future Order form and no reporting is required by Customer in the event Customer enters into an Extraordinary Corporate Event where the new corporate entity wants to license Software under this Order Form and the annual revenue of the new corporate entity (excluding the value of the legacy Customer entity) is less than one billion dollars (as stated in the new corporate entity’s most recent audited statement prior to the Extraordinary Corporate Event).” (emphasis added) TIBCO contends that during the unlimited deployment period, OptumRx acquired 3 companies whose annual revenues exceeded the $1 billion revenue threshold and were using the software and that therefore additional license fees were owed to TIBCO. Although TIBCO does not have concrete evidence that the newly acquired companies were actually using the software, the SAC alleges that “57. On July 20, 2020, pursuant to Section 1 of the Enterprise Agreement, OptumRx provided TIBCO its Deployment Report, which gave notice of the Number of Units of the Licensed Software it had deployed during the Enterprise Term. The numbers OptumRx reported were consistent with a doubling of OptumRx’s production capacity. 58. On information and belief, the large increase in OptumRx’s deployment of the Licensed Software to process additional data reflects OptumRx’s usage of the Licensed Software to process data associated with the Acquired Companies.” In short, TIBCO is alleging that since OptumRx’s production capacity had doubled, it must be using the software to process the data of the newly acquired companies, and therefore owes additional licensing fees to TIBCO for the usage. For its part, OptumRx argues that an Extraordinary Corporate Event only occurs when a new company is acquired with revenues that exceed the thresholds, and that company wants to deploy the TIBCO software. According to OptumRx, none of the acquired companies is deploying the software. Counsel for OptumRx argues this in a related letter brief: “There is no dispute that ORx [OptumRx] acquired three companies with annual revenues above the contractually-specified threshold during the contract term – called Genoa Healthcare, Avella Specialty Pharmacy and Diplomat Pharmacy (the “Acquired Entities”) – but ORx denies that any of those companies wanted to license TIBCO’s Software and further denies that such Software was ever deployed to those companies. Perhaps because it knows these denials are well-founded, TIBCO has advanced an alternative, insupportable interpretation of the Order Form, namely that TIBCO would be owed additional fees if ORx itself used TIBCO Software to process data “from” or “used by” the Acquired Entities, even if ORx never allowed those Entities access to the Software or deployed it to their servers. That rewriting of the language of the Order Form appears to be TIBCO’s primary theory of liability. . .” We are not able to review a copy of the license agreement as it has not been attached to the SAC, although it may be included in those letter briefs filed under seal. However, it appears that TIBCO may not have included any restriction making clear that the software could not be used for the benefit of another company, without paying an additional licensing fee. TIBCO is the master of its own license agreement. It chose to define an Extraordinary Corporate Event as the acquisition of a company that exceeded a certain threshold in revenues and where the acquired company wanted to deploy the software. Had it wanted to do so it could also have included a clause that additional licensing fees would need to be paid if OptumRx used its software to process data for the benefit of these newly acquired companies. However, it does not appear to have done so. TIBCO should be stuck with the contract that it drafted. Readers of our blog may remember that Mars accused Oracle of overreaching in the Mars v. Oracle lawsuit when Oracle tried to take the position during the audit that users who accessed output data manipulated by Agile, should be counted as users requiring a license. Mars pushed back hard on this assertion pointing out the ridiculousness of the Oracle argument that “an employee who lacks an Agile user account, who is not trained on Agile, who never logs into Agile, and who never even touches a machine that uses the software fictitiously becomes a “user of the program” by reading data exported from Agile.” TIBCO is making a similar argument here, by essentially claiming that the companies acquired by OptumRx deploy and use the software even though TIBCO has no evidence that they directly accessed the software or that it was deployed on their servers. In short, enterprise software companies continue to seek to expand the definition of what it means to use their software. We see this all of the time with Oracle’s prospective licensing argument involving VMware and its assertion that Oracle is owed a licensing fee for every server where the Oracle software may be used in the future even if the software is not currently installed and/or running. We predict that enterprise software customers will continue to see software publishers trying to take an expansive view of what it means to use or deploy enterprise software. So be on the lookout for these types of issues, and take steps to protect yourself in the event of an audit. The case is TIBCO Software Inc. V. OptumRx Administrative Services, LLC, Case No. 1:21cv5723, (E.D.N.Y.). Check back periodically for updates. By Pam Fulmer
Oracle licensees are advised to zealously guard their contractual rights and avoid ceding ground to Oracle based on overreaching software audit demands. Oracle is a master at playing the long game and has been known to use its audit findings as leverage to extract contractual concessions from its licensees, which Oracle can later exploit in subsequent audits. For example, we know that Oracle has for years taken a very expansive view of the “installed and/or running” language of the processor definition in its Oracle license agreements. As a reminder, Oracle uses this language to claim that it entitled to a licensing fee for all processors where the Oracle binaries could be installed in the future, even though they are not presently installed. This is Oracle's "available for use" argument. Oracle cites to its Partitioning and other policies to support this argument, which policies are not expressly incorporated into the fully integrated Oracle license agreement, and thus are barred by the integration clause. We also know that Oracle routinely asserts this argument in audits where its customers use VMware virtualization software. And we also know that Oracle has never sued any of its customers to seek to enforce such an extra-contractual interpretation. In fact, the only case that squarely raised this issue was Mars. v. Oracle, which was a case brought by global confectioner Mars seeking declaratory relief from the San Francisco Superior Court that Oracle’s legal argument around VMware and the “installed and/or running” language of the processor definition was not supported by the contract. And we know that Oracle resolved the case very quickly, perhaps to avoid the necessity of publicly going on the record with this argument in an opposition to the preliminary injunction motion brought by Mars. Still some customers will pay Oracle these prospective licensing fees or capitulate to Oracle’s other demands such as providing diagrams of their IT environment solely to get out from under the audit. But such concessions could have major repercussions down the road and may later be used by Oracle against the unsuspecting customer in a future audit. For example, Oracle has been known to reduce its monetary demands provided the customer sign a document that includes what has been called by some a “Declaration of Non-Migration”. The purpose of this Declaration appears to be to make Oracle’s expansive definition of the “installed/and or running” language of the processor definition contractual. Usually, this type of demand is coupled with a request that the Oracle licensee provide a diagram of its virtual environment showing the architecture of such environment. Oracle has included language in the Declaration of Non-Migration that should the customer change the configuration of its environment, it must go back to Oracle and obtain the required licenses. How could Oracle use this language against you the Oracle customer? Well first of all Oracle could claim that the Declaration and the fact that the Oracle customer signed it shows that the licensee agrees with Oracle’s expansive interpretation of the “installed and/or running” definition. Otherwise, why would the Oracle customer sign such a document and agree to go back to Oracle for licenses if it changes its environment? And why would any Oracle customer in its right mind agree to go back and give Oracle a heads up when it changes its environment? Such a notification could lead Oracle to issue a new audit notice and open an entire new can of worms. In essence, Oracle could argue that the customer amended the contract by executing the Declaration and providing the diagram. Oracle could also argue that the Declaration shows a course of performance or dealing, where the Oracle licensee and Oracle recognized that no changes could be made to the environment, unless the customer purchases additional licenses from Oracle. So, Oracle gives the customer a break in one audit, in order to extract a concession (execution of the Declaration of Non-Migrations and production of the diagram) that Oracle uses in a future audit against the customer. Oracle licensees who provide such diagrams and agree to similar language in order to close out the audit, may give Oracle powerful weapons to use against the Oracle customer in future audits. In addition, the concession could lead to expensive and spiraling costs should the Oracle customer wish to expand its virtual environment in the future. In our view, such attempts by Oracle to use audits to extract contractual concessions should be vigorously opposed by Oracle customers during the audit. We can help with that. And if the customer has already signed the Declaration, we have assisted Oracle licensees to develop strategies to push back on these limitations. Importantly we have warned our readers that Oracle is conducting soft audits of its customers use of Java, and Oracle is applying its expansive and non-contractual processor definition to try to ring the bell on a big non-compliance gap for Java. Such soft audits and non-contractual claims involving Java should also be resisted for all the reasons we discuss above and in our previous blog post. Oracle audits are complex and confusing. Tactical Law attorneys assist clients under audit, or who are about to be audited, understand their contractual rights and manage the risk inherent in an Oracle enterprise software audit. By Pam Fulmer and Sara Schlesinger*
This blog post is a continuation of our series on fraud and breach of contract claims that have been brought against Oracle or NetSuite for failed Enterprise Resource Planning (ERP) installations and various defenses Oracle/NetSuite have used to attempt to defeat these claims. Previous blog posts focused on the importance of pleading fraud with particularity, the difference between fraud and non-actionable puffery, and considering the economic loss rule when pleading fraud alongside breach of contract. Another important consideration when pleading fraud related to a failed ERP installation is the general rule that predictions and opinions about future events are not actionable as fraud. ERP providers may use this rule to argue for the dismissal of fraud claims which are based on statements that the provider “could” or “would” deliver a functional product, a product that meets the client’s business needs, or a product by a certain date. Cognizant Worldwide Ltd. v. Barrett Business Services is instructive as an example of the right way to plead fraud based on allegations of broken promises relating to a failed Oracle ERP agreement. Barrett Business Services (“BBSI”) is a professional employer organization (“PEO”) that helps small and medium-sized companies manage human resource functions, provide employee benefits, process payroll, and more. When BBSI sought to update their human resources and payroll system, they at varying times entered into contracts related to the implementation of Oracle’s HCM cloud product with Oracle, and Oracle’s partners KBACE and Cognizant (KBACE’s parent company). BBSI alleged that it only entered into the implementation contracts based upon assurances by KBACE and Oracle that the cloud product would meet and be configured to BBSI’s specific business requirements. BBSI further asserted that Oracle held KBACE out as a company certified and experienced in implementing Oracle’s HCM cloud product, during pre-contract negotiations, including for businesses such as BBSI. Oracle’s touting of KBACE’s capabilities was a major reason why BBSI entered into the contract with KBACE. After entering into the relevant agreements for the Oracle HCM cloud implementation project, BBSI learned that the cloud product was ill suited to its business needs. KBACE subsequently delivered a revised implementation proposal to BBSI with a price tag of over $30 million. Our readers should be aware that these type of cost overruns and requests for expensive change orders are common areas giving rise to disputes that often lead to litigation in the ERP contract context. BBSI then informed Oracle and KBACE that it was rescinding the relevant contracts and ceasing further payments. When Cognizant sued BBSI for nonpayment, BBSI counterclaimed for negligent misrepresentation, innocent misrepresentation, intentional misrepresentation, and other tort and breach of contract claims. Cognizant moved to dismiss the misrepresentation claims, arguing that any alleged misrepresentations were nonactionable statements about future events as they pertained to whether the HCM cloud “would” or “could” meet certain expectations, such as implementation within a certain timeframe and price range. However, the court denied the motion to dismiss the claims finding that BBSI sufficiently alleged that Cognizant and KBACE misrepresented past or existing facts. Namely, the court agreed that BBSI had adequately alleged that Cognizant and KBACE overstated their experience with implementing cloud products and especially implementing cloud products for a company like BBSI. However, the court noted that some of the other alleged misrepresentations might be nonactionable opinions about Cognizant’s future performance. Cognizant v. Barrett demonstrates the importance of pleading past and existing material facts alongside promises of future performance when asserting fraud and misrepresentation claims. It also demonstrates the importance of pinning ERP providers down in pre-contract negotiations concerning exactly what they are promising that they can deliver, and what specific experience they have to deliver on that promise. Aggrieved ERP customers who claim fraud after being misled about an installers future performance would benefit from including misrepresentations that the installer made regarding their relevant past or current experience, if such facts exist. As a final note, it is also true that a statement about a future act that is made with the knowledge or intention that the act won’t occur, is a statement of material fact that is sufficient to support a fraud claim (as highlighted in Chase Manhattan v. Perla) against an ERP provider or implementation partner. As such, even if past or present facts were not represented during discussions that preceded contracting, a company can still have an actionable claim based on misrepresentations about performance if the ERP provider either knew they would not perform or did not intend to perform when they made the promise. However, uncovering such evidence prior to fact discovery, may be difficult, and may need to be raised down the road through an amendment to the licensee’s complaint or counterclaim. Tactical Law attorneys assist our clients in the negotiation and documentation of ERP and related agreements. If you are embroiled in an ERP related dispute involving Oracle or other ERP software publishers or ERP implementation companies we can help. * Sara Schlesinger is a rising 2L law student at Northwestern University School of Law and is a 2022 summer law clerk for Tactical Law Group LLP. |
By Tactical Law Attorneys and From Time to Time Their Guests
|