By: Pam Fulmer of Tactical Law Group and Ryan Triplette of Coalition for Fair Software Licensing
Software is inherently technical, but its licensing terms do not have to be. On the contrary, it is a best practice for licensing agreements to be clearly written and easy for customers to understand. That is why the first principle of the Principles of Fair Software Licensing is that “Licensing Terms Should Be Clear and Intelligible.”
Unclear Licensing Terms Leave Customers Confused and Vulnerable
When licensing terms are not clearly written, customers in the cloud and on-premises are left vulnerable to hidden clauses, stealth or soft audits, and other predatory behaviors. Licensing terms that are difficult to find or decipher are more common than one might think. The Coalition for Fair Software Licensing has heard from customers experiencing issues with contract clauses that are not readily apparent or easy to understand. These are customers who, despite doing the necessary due diligence prior to signing, are not aware of some of the most important clauses until a problem arises. Given the fact that the only recourse these customers have had to date has been either to purchase products that they do not need or manage litigation, we feel it is important to shine a light on some of these terms.
For example, Oracle customers who finance their cloud purchases through Oracle Credit Corporation (“OCC”) may not be aware that the standard financing contract allows Oracle to assign the financing agreement to third-party banks. These customers - generally small and medium-sized businesses, including retailers and franchisees - have been surprised to learn that the third-party banks expect to be paid in full on the loan “come hell or high water” even if Oracle itself has completely failed to deliver a working ERP solution. Recently, these banks have filed waves of lawsuits against Oracle customers involving such OCC assignments. Judge Leighton of the Western District of Washington, presiding over one such lawsuit, noted that the arrangement most likely failed for lack of consideration.
According to the court: "[t]his clever arrangement seems designed to subdivide the payment and performance aspects of Oracle's agreement with [its licensee] into different contracts, thus ensuring payment even if Oracle fails to deliver the promised services. The result is a disturbingly imbalanced transaction that preserves OCC's ability to terminate [licensee’s] rights to the cloud services if it fails to pay but denies the [licensee] the same opportunity to avoid payment if Oracle breaches. Unfortunately for Oracle, such an arrangement would likely be illusory or lacking in consideration. See 1 WILLISTON ON CONTRACTS § 4:27 (4th ed.) (contracts are illusory where one party can decide for themselves the nature and extent of performance)." Key Equipment Finance v. Barrett Business Services, Inc., No. 3:19-cv-05122-RBL, 2019 WL 2491893 (W.D. Wash. June 14, 2019).
The Coalition has also heard from customers struggling to understand the terms and scope of use of the licenses purchased from legacy providers. This includes customers who are seeking to ensure that they are in compliance with their contractual terms, only to be surprised to learn just what that entails. World-renowned analyst Gartner reported that, “[t]here are also restrictions with the use of Microsoft licensing on Azure itself that are often not communicated to customers. For example, customers are not told about restrictive rules under Azure Hybrid Use Benefits in Azure multi-tenant environments.” The company’s most recent licensing changes have created new layers of complexity for providers and customers alike, with new – but unclear and uncertain – limitations. Many customers have also experienced unexpected costs and extended terms with their licensing terms. Even as customers struggle to understand what this most recent round of changes means to them, another set potentially sits on the horizon.
While these are known and well-documented issues that customers are experiencing with their contracts, it is worth noting a few others that have not received much coverage to date. Such is the case of some SAP customers seeking to purchase additional product seats to account for new employees and ensure compliance with existing contracts. What they think will be a (relatively) simple process quickly becomes an opportunity for SAP to force them to re-up the entirety of the underlying contract for an extended term. These customers are finding themselves in a Catch-22 position: either remain in compliance but locked in to a longer-term relationship with SAP, limiting their ability to choose alternative vendors that better meet their needs in the future, or risk repercussions for operating out of compliance with their contract. What makes this so interesting - if not disconcerting - is that it is occurring just as many customers are having to navigate increased maintenance fees for their products at the very time they are being forced to evaluate their long-term relationship with SAP. It is important to understand these issues as backdrop to recent calls by user groups for SAP “to offer transparent, flexible and scalable cloud agreements with the corresponding metrics, as well as binding statements and roadmaps for product strategies for cloud and on-premise solutions.”
One final issue that the Coalition has heard a number of experts raise in recent weeks is another potential round of changes to Microsoft’s Licensing Mobility program that would preclude customers from any avenue of utilizing their licenses on Listed Providers. It is worth noting that the companies included as Listed Providers just happen to be Microsoft’s most significant competitors, but the program does not provide any clarity as to the reasoning for their inclusion or whether other providers will be included in the future.
That Microsoft includes itself as a Listed Provider does not level the playing field. Indeed, the Azure Hybrid Benefit essentially exempts Microsoft and its customers from any of the Listed Provider restrictions, as long as those customers use Azure. While it is hard to speak to contractual changes that are, at this point, purely conjectural in nature, the current and potential ramifications for customers already managing the impact of the changes made to the integral software’s licensing terms to date highlight the importance of, and need for, clarity and predictability both for existing and future contracts.
Straightforward Licensing Terms Help to Support All Customers, Especially Small and Medium-Sized Businesses
Having clear and intelligible licensing terms empowers customers. This is especially true for smaller businesses that have limited budgets for digital transformation strategies and do not have the means to wage massive legal battles. The threat of expensive and resource-consuming litigation with legacy software providers causes fear among even the most well-financed enterprise customers. Unfortunately, most customers capitulate to unreasonable demands from these providers and end up paying more money than what is owed. Many customers will even agree to purchase products that they do not need to avoid legal action. Small businesses are particularly vulnerable due to reliance on software providers and often narrow budget margins.
For example, Oracle uses its non-contractual partitioning policies during audits to gin up large “shock numbers” for alleged non-compliance involving the customer’s use of VMware virtualization software, which findings it presents to its customer in final audit reports. Then Oracle magnanimously agrees to waive the audit penalties based on a provision that is not even in the contract, provided that the customer agrees to enter into a new Unlimited License Agreement (“ULA”) with its pernicious total support stream obligation.
The customer then pays more money for software that it doesn’t need or want with expensive continuing maintenance and support obligations, just to resolve an audit based upon inflated audit findings. Such predatory audit practices are detailed extensively in the First Amended Complaint in the Sunrise Firefighters securities class action lawsuit in the Northern District of California. This is why the Coalition formed – to provide power in knowledge and numbers and advocate for commonsense best practices that put customers, including small businesses, first.
Software Providers Should Adopt the Principles of Fair Software Licensing
Ensuring that licensing terms are clear and intelligible is not just common sense, but imperative at a time when customers need maximum contractual clarity and cloud flexibility to manage the budgetary crunch of the recent economic downturn. However, such terms are not nearly as common as they should be. Customers should be able to easily access and understand their licensing terms upfront and be able to easily determine their licensing costs and obligations. They should not be forced to click through a series of hyperlinks just to understand simple obligations - let alone critical terms related to payment for non-service, compliance implications, and mobility. It is critical for software providers to stand with their customers and adopt the Principles of Fair Software Licensing, which will encourage other software providers to follow suit.
By Pam Fulmer
On its website, NetSuite, Inc. (“NetSuite”), which is now owned by Oracle, touts that its “NetSuite SuiteSuccess is a total solution designed to manage all aspects of a business in a single system” and that “preconfigured, fixed-fee solutions allow customers to go live quickly, in a predictable time frame — and on budget.” Many NetSuite customers enter into the subscription and professional services agreements with NetSuite believing that they have a fixed price contract, which will not require much of an investment of time or energy on their end to get up and running. They are wowed by the slick pre-sales presentations and demos, and don’t understand that often the solution that is being touted in these discussions is not the base product, but instead is a solution with all the bells and whistles that may cost significantly more than what is being quoted. The fact is that the more a prospective customer wants to customize the software to fit its business, the more it will cost and the more time and effort it will take to implement, along with an increased chance of failure.
Oracle appears to be targeting small and medium-sized businesses with its SuiteSuccess offering. The Oracle/NetSuite sales team talks a good game, and the prospective customer is led to believe that the solution can be implemented quickly and within the fixed price fee quoted. Once the customer signs on the dotted line, often it is presented during contract performance with multiple change orders, which increase the total contract price and delay the ultimate “go live” date. Some customers end up giving up and wanting to terminate the contract and get a refund of monies paid to date. But given the terms of the standard contract, it is not so easy to get out of it and get a refund of fees paid. So, what steps can companies considering contracting with Oracle take pre-contract to attempt to mitigate the risk in case a dispute with Oracle arises?
We hope potential NetSuite customers find this blog post useful. Tactical Law attorneys are experienced with Oracle/NetSuite agreements and assist companies to resolve their disputes with Oracle.
In a software licensing case out of the Court of Federal Claims, Senior Judge Edward J. Damich in Bitmanagement Software GMBH v. The United States followed the direction of the Federal Circuit to look at “actual usage” of Plaintiff’s software, and not the cost of a seat license for each installation when awarding damages. In so doing, the Court rejected Bitmanagement’s arguments that it was entitled to over $155,400,000 in damages and awarded $154,400 in total damages instead. The court found that 635 users actually used the software and that a hypothetical negotiation would have set the royalty rate at $200.00 per user. The court then subtracted the number of licenses in the Navy’s entitlement and found that the Navy was 597 users short and awarded damages thereon.
The facts of the case were very interesting. The software was licensed by the Naval Facilities Engineering Command (“NAVFAC”) from a third-party reseller of Bitmanagement called Planet 9 Studios, Inc. (“Planet 9”) and involved “BS Contact Geo” software. The software enables the visualization of geographic information in third-party hardware and software products and renders realistic terrain and city models and allows a user to position virtual objects using geographic coordinates. Bitmanagement primarily licenses its software via "PC" or "seat" licenses, which allow one installation of the software onto one computer per license. Each copy of the BS Contact Geo software includes both a desktop executable file ("EXE version") and a web browser plugin file ("OCX version"). The EXE component launches the software as a standalone application whereas the OCX component launches the software within a web browser. After using the software for a while, the Navy determined that it wanted to put the software on its Intranet instead of loading it on individual computers and wanted more of a “floating license” model. NAVFAC explained to Planet 9 who then explained to Bitmanagement that Bitmanagement's default licensing scheme was incompatible with the Navy's secure intranet because the Navy could not approve BS Contact Geo if, as was Bitmanagement's normal practice, the end user would be required to contact Bitmanagement for a license key in order to use the program on a particular computer. Bitmanagement responded that it was "open for any licensing scheme that suits the US Navy better" and was "willing to do [its] utmost to enable [another] licensing functionality, if requested." NAVFAC explained that it needed a copy of BS Contact Geo that included the license key and that was not PC-specific because the Navy did not know "what machine(s) the application will be tested on." 
NAVFAC also noted that the Navy anticipated needing "an initial 15 licenses, with a potential for as many as 100 or more licenses later on." In response, Bitmanagement, through intermediary Planet 9, provided BS Contact Geo to the Navy with two licensing keys that were not PC specific. Also in May 2007, at the Navy's request, Bitmanagement provided the Navy with a "silent installer for BS Contact Geo intended for bulk installations," which, Planet 9 explained to Bitmanagement, was "helpful for an administrator to do installations on a large scale even on remote computers connected via intranet or internet." See Bitmanagement Software GMBH v. United States, 989 F.3d 938, 942 (Fed. Cir. 2021).
NAVFAC then engaged in discussions about this new licensing model through Planet 9 who interfaced with Bitmanagement. Bitmanagement was open to this licensing model and the three companies engaged in detailed discussions. NAVFAC explained that it had an existing floating license server tracking application, Flexera, that could be used to track BS Contact Geo with no alterations to the program and that Flexera is a server-based program used to limit the number of simultaneous users of a "Flexera enabled"—or "FlexWrapped"—software based on the number of available licenses. When a user opens a FlexWrapped program, the program alerts the Flexera tracking server that the program is in use. The FlexWrapped program sends a similar alert when the program is no longer in use. The Flexera license manager thus theoretically limits the number of users of FlexWrapped software to the number of licenses that a user owns. Ultimately it was agreed that NAVFAC could use the floating model, but needed to use Flexera, which would control the number of users ensuring that at no time could more users use the software than NAVFAC had licenses for. The agreement was never completely documented in one license agreement signed by all parties.
However, the parties’ course of conduct demonstrated that all understood the terms of the agreement. Unfortunately for NAVFAC, it did not ultimately use the Flexera software as it had promised Bitmanagement it would do. In July of 2016 Bitmanagement copyrighted the most recent version of its software and sued the government shortly thereafter. After a six-day bench trial from April 22-29, 2019, the Claims Court held that the government was not liable for copyright infringement. Specifically, the Claims Court found: (1) Bitmanagement made a prima facie case of copyright infringement; and (2) no express agreement granted the Navy a license to install BS Contact Geo on all of the Navy's computers; but (3) the Navy had met its burden to show that Bitmanagement authorized the Navy to copy BS Contact Geo version 8.001 across the Navy's NMCI network of computers finding an implied license. Bitmanagement Software GMBH v. United States, 989 F.3d 938, 945 (Fed. Cir. 2021).
Bitmanagement appealed the judgment and the Federal Circuit agreed with the lower court that there was an implied license, but that the implied license required as a condition precedent the implementation of the Flexera software. When NAVFAC did not meet the condition, it could not claim the protection of the implied license and thereby committed copyright infringement. The Federal Circuit remanded for the purpose of determining damages. In its opinion the Federal Circuit reasoned that “[b]ecause Bitmanagement's action is against the government, it is entitled only to "reasonable and entire compensation as damages . . ., including the minimum statutory damages as set forth in section 504(c) of title 17, United States Code." 28 U.S.C. § 1498(b). This amount may not include non-compensatory or punitive damages. Gaylord v. United States, 678 F.3d 1339, 1343 (Fed. Cir. 2012) ("Gaylord I").
Contrary to Bitmanagement's argument, it is not entitled to recover the cost of a seat license for each installation. If Bitmanagement chooses not to pursue statutory damages, the proper measure of damages shall be determined by the Navy's actual usage of BS Contact Geo in excess of the limited usage contemplated by the parties' implied license. That analysis should take the form of a hypothetical negotiation. See Gaylord v. United States, 777 F.3d 1363, 1368-72 (Fed. Cir. 2015).” Bitmanagement Software GMBH v. United States, 989 F.3d 938, 951 n.5 (Fed. Cir. 2021).
Upon remand and using a hypothetical negotiation, Judge Damich rejected Bitmanagement’s damages claim for $155,400,000 and awarded damages on the basis of NAVFAC’s actual usage for a total of $154,400. Ultimately the court followed the appellate court’s instruction to look at “actual usage” and rejected Plaintiff’s argument that “use” is equivalent “to the number that were copied onto Navy computers and accessed as well as those that were downloaded and available for use”. Rather than using Plaintiff’s number of 600,000 copies made, the lower court on remand found a total of 635 actual users. After subtracting the 38 existing Navy licenses, the court found a royalty base of 597 unique unlicensed users, an amount well short of Bitmanagement’s proposed number. The case is Bitmanagement Software, GMBH v. The United States, Case No. 16-840C-EJD (Court of Federal Claims).
Software publishers collaborating to develop new software products leveraging the technology of both companies are a potential breeding ground for licensing disputes and resulting litigation. Two software publishers known for their aggressive software audits against their enterprise software customers have ended up in their own dust-up relating to a software development program. Recently, IBM Corporation (“IBM”) has sued Micro Focus International plc and Micro Focus (US), Inc.
(collectively, “Micro Focus” or “Defendants”) in the Southern District of New York for copyright infringement and breach of contract arising out of an IBM development agreement involving IBM’s PartnerWorld program. IBM accuses Micro Focus of copying IBM’s computer programs without authorization and breaching the parties’ development agreement by using its developer access to undertake such prohibited acts. IBM alleges that Micro Focus created the Micro Focus Enterprise Suite by copying IBM’s copyrighted Works, and that Micro Focus promotes and uses the pirated software for financial gain, and in brazen disregard of IBM’s intellectual property rights and Micro Focus’s contractual obligations to IBM.
According to the Complaint, Micro Focus created software called Micro Focus Enterprise Server and Micro Focus Enterprise Developer by using its developer access to copy IBM’s CICS Transaction Server for z/OS (“CICS® TS”) software. IBM offers a general-purpose application server and transaction processing subsystem called the CICS Transaction Server for z/OS, or “CICS® TS,” for its z/OS® operating system environment. IBM holds the copyrights for CICS® TS (the “Works”). IBM claims that the Works feature uniquely expressed source code, object code, structure, architecture, modules, algorithms, data structures, and control instructions, and are creative computer programs, which were the result of IBM’s engineering discretion and substantial skills, resources, and creative energies. The Complaint alleges that the Works also are of great value to IBM and remain integral to the daily business operations of much of IBM’s mainframe system customer base. According to IBM, the developers who participate in the IBM PartnerWorld program (“PartnerWorld”) agree to the IBM PartnerWorld Agreement and Value Package Attachment (the “PartnerWorld Agreement”). IBM contends that along with other agreements, the PartnerWorld Agreement sets the terms under which developers are permitted to use IBM’s computer programs. These terms ensure that IBM and its developers are aligned in their goals: to promote innovative solutions for their mutual customers. IBM’s z/OPD Developer Discount Program (“Developer Discount Program”) similarly provides benefits to third party developers and grants them access to IBM’s valuable mainframe software. Participants in the Developer Discount Program receive access to IBM copyrighted software, including the Works. 
In exchange, IBM’s developers agree to three different agreements detailing the limited scope of their access and use: (1) IBM’s Client Relationship Agreement (the “CRA”); (2) Attachment for Developer Discount – IBM Z (the “CRA Attachment”); and (3) Addendum to the Attachment for Developer Discount for IBM Z (the “CRA Addendum”). None of these agreements are attached to the Complaint.
IBM asserts that through these agreements, participants in the Developer Discount Program agree to comply with the terms of the limited license granted to them, and “not us[e] any of the elements of the Program or related licensed material separately from the Program.” Participants are prohibited from “reverse assembling, reverse compiling, translating, or reverse engineering the Program” and making derivative works based on IBM’s software. Further, IBM’s developers promise to use their exclusive access to IBM software for the mutual benefit of the parties and their customers. IBM claims that Micro Focus violated these agreements by copying elements of IBM’s copyrighted Works to create a derivative work in at least Micro Focus Enterprise Developer and Micro Focus Enterprise Server. IBM argues that there is no way such extensive similarity could arise through attempts to meet similar functional requirements, or as a result of coincidence, and that the striking similarities indicate that Micro Focus reverse engineered at least a portion of the CICS® TS software in contravention of Micro Focus’s various contractual obligations to IBM. As a result, IBM terminated Micro Focus’s involvement in the Developer Discount Program by sending a Notice of Non-Renewal on May 31, 2021, and Micro Focus’s membership ended by August 31, 2022. IBM is seeking preliminary and permanent injunctive relief, a finding that Micro Focus infringed its copyrights and breached the development related licensing agreements.
IBM also seeks an award of damages and an accounting from Micro Focus, as well as the award of attorneys’ fees and costs. The case is IBM Corporation v. Micro Focus (US), Inc., et al., venued in the Southern District of New York. Tactical Law will continue to monitor the case. Check back for updates.
By Pam Fulmer
Recently, PC Connection, Inc. (“Connection”), a seller of IT solutions to governmental entities and small, medium and enterprise companies, sued International Business Machines, Inc. (“IBM”) in New Hampshire federal district court in a fraud and breach of contract action arising out of a failed ERP implementation. Connection alleges that IBM touted its experience as an implementation partner for J.D. Edwards software and recommended that Connection move off of its legacy ERP system into a more recent release. Connection alleges that although IBM represented that it could complete the implementation within 17 months, at a cost of $9.2 million, it completely failed to stay within these estimates. Instead, IBM sought to inflate the contract price by claiming that certain of the fixes were out of scope and would require change orders, which also resulted in significant additional delays.
According to the complaint, Connection relied on its existing ERP system, which was a J.D. Edwards (“JDE”) system known as “JDE World,” for virtually all aspects of its business. As such, the system was absolutely critical to the smooth functioning of the company. JDE subsequently was acquired by Oracle, which continued to support legacy JDE systems while also releasing new software systems. One such system was called Enterprise One (“E1”). The complaint alleges that IBM as a vendor and consultant to Connection began advising the company on upgrading to a new ERP system as early as 2013. As part of that consulting work, IBM recommended that Connection upgrade to E1, which IBM claimed would be faster and less costly to implement than other systems. Connection emphasized to IBM that should it move forward with a new ERP system, the system had to maintain the mission-critical functionality of JDE World, and that the implementation to a new system had to be completed without disrupting Connection’s operations and its ability to service customers.
Instead, according to the complaint, “[u]sing a playbook that has resulted in IBM being named in a slew of lawsuits over alleged misrepresentations made in connection with failed ERP implementations, IBM sold itself to Connection by holding itself out as a leading expert in managing similar, global projects concerning the implementation of new JDE systems. IBM claimed to have extensive experience both in helping companies like Connection to assess their business needs and select an ERP system to meet those needs, and in successfully implementing JDE upgrades”. Connection alleges that these representations turned out to be false.
Connection green-lighted the project and IBM next embarked on a “Discovery Assessment” to develop a project plan for implementation of the JDE upgrade. The complaint alleges that: IBM billed Connection over $600,000 to conduct the Discovery Assessment. Following the Assessment, IBM represented to Connection that IBM had thoroughly analyzed, and understood, the Company’s requirements for its ERP system, and had determined that a “vanilla” upgrade that leveraged “out of the box” E1 software was suitable for Connection. IBM further represented that it had determined, through its investigation, that the E1 platform would not require extensive customizations to provide the functionality offered by JDE World, and that IBM therefore had determined it could complete the implementation project within 17 months at a cost of $9.2 million. Connection alleges that at the time that IBM made these representations it knew them to be false, and that IBM knew instead that the solution would require much more customization.
A common problem we see in ERP vendor and implementation partner disputes is the quality of the team deployed for the customer. In short, ERP customers are promised the competent “A” team, and instead they get a team that is inexperienced, often located outside of the United States and not up to the task at hand.
And that is exactly what Connection alleges here. Rather than the deep knowledge and expertise that IBM had represented it had with regard to implementing E1, the IBM team that was assigned to the project actually had little or no experience with E1. According to the complaint: When it was obvious the E1 problems could not be dismissed as mere “glitches,” IBM promised Connection that it would devote whatever resources were necessary to fix the system and complete the implementation. Specifically, IBM said it would dispatch a so-called “Red Team” comprised of IBM’s most skilled technicians. The “Red Team” never appeared. Instead, IBM assigned the same individuals who had worked on the project, ineffectively, before go-live. IBM shifted most of the burden of undertaking the repairs onto Connection; work that IBM did undertake was assigned to off-shore consultants.
An important lesson is to pin down the ERP vendor and implementation partner prior to the execution of the contract, to identify the actual team members, and to ensure that the ERP customer indeed does get the “A” team. Otherwise, the ERP provider and implementation partner promise the sun, the moon and the stars, but ultimately choose to save money by bringing in an offshore team, without the promised experience. And often communication barriers result, as the foreign team cannot communicate adequately in the English language.
Connection also alleges that IBM botched the project when it pressed its customer to go live before the solution was really ready for prime time. According to the complaint: In May 2020 IBM represented to Connection that the system was ready for go-live, when IBM knew or should have known that the E1 implementation was not close to completion.
IBM’s lead consultants, repeatedly told Connection’s CEO and other executives that the Company’s greatest weakness was its fear of risk, that it had to “rip off the band-aide” and go-live, and that any remaining issues with the E1 system could easily be resolved post go-live through simple “workarounds.” (emphasis added) Hours after the go-live process began on May 15, 2020, critical components of the E1 system within IBM’s responsibility did not function properly or at all. Whereas IBM had represented to Connection that a “roll-back plan” – meaning a plan to revert to JDE World – would be available if problems arose during the transition, IBM did not deliver such a plan. Therefore, as system defects emerged, Connection could not revert to World.
Ultimately, the workarounds provided by IBM failed and Connection was forced to spend millions of dollars including $3 million in additional fees to IBM, as well as allocating tens of thousands of man-hours of Connection personnel to remediate the defects. Connection also alleges that in order to complete the E1 implementation, it was forced to replace IBM with another implementation partner, at significant additional expense. Connection’s Complaint includes claims for breach of contract, contractual indemnification, breach of the duty of good faith and fair dealing, negligence/professional negligence, fraudulent inducement, fraudulent misrepresentation, negligent misrepresentation, and breach of the New Hampshire Consumer Protection Act. As of the time this blog post was published, IBM had not yet responded to the complaint. Tactical Law will continue to monitor the case. Please check back for further updates.
By Pam Fulmer
In our software audit defense practice, we often see in-house counsel advising their client under audit for much of the audit process, without bringing in outside counsel skilled in software audit defense such as Tactical Law. This decision to “go it alone” by Oracle customers in particular may be risky in the event Oracle sues the customer in federal court in California for breach of contract and copyright infringement arising out of an Oracle audit. That is because most Oracle license agreements contain California dispute resolution provisions. California is in the Ninth Circuit, and the Ninth Circuit’s law on when attorney-client privilege applies to in-house lawyers advising their clients is not very protective of the privilege, especially as compared to other circuits. That is because the Ninth Circuit held in the In Re Grand Jury case that “the primary-purpose test applies to attorney-client privilege claims for dual-purpose communications” between in-house counsel and their clients. So, in the Ninth Circuit, in order for the privilege to apply to a communication from in-house counsel to a businessperson at the company, the primary purpose of the communication must be legal advice. It is not enough that a purpose of the communication is legal advice. What does this mean for Oracle licensees litigating against Oracle in federal court in California? In the event of litigation, Oracle would most likely seek discovery on internal company communications regarding the audit and its findings, including in-house assessments as to the Oracle licensee’s view of its potential exposure, and any admissions of non-compliance. If in-house counsel, in advising her client, has wrapped in with the legal advice other related issues that could be viewed as purely business advice, then it is likely that a federal court applying In Re Grand Jury could find that the communication is not privileged, and order that the communication be produced. 
This could be an absolute disaster of course, especially since Oracle licensees often opt to hire outside licensing consultants to assist with the audit, and Oracle may argue that communications with these consultants, even where in-house counsel are involved, are not privileged because the in-house counsel was wearing their business and not their legal hats when they offered the advice. And of course, any claim of privilege could be weakened even further if the consultants were hired by the business and not the law department. So, the safest course by far is to hire outside counsel to advise on the audit, and allow outside counsel to retain expert consultants to assist in rendering legal advice and to advise the client on legal strategies to push back on audit findings. Oracle auditors are very aggressive and commonly rely on their non-contractual VMware arguments based on Oracle’s Partitioning Policy (among other arguments) to inflate audit findings. As a result, any Oracle customer under audit should anticipate that litigation is a real possibility, especially as Oracle will use hardball tactics such as threats of license termination and actual breach notices to have its way with Oracle customers. Oracle customers who follow this advice will be in the best position to push back on Oracle, because the Oracle Legal Department mostly advises the Oracle Business on audit-related matters, and only rarely does it appear that they bring in outside counsel and usually only for the most contentious audits. As a result, in the event of actual litigation, Oracle customers who protect themselves by hiring outside counsel early are in the best position to use the Ninth Circuit In Re Grand Jury case against Oracle in discovery proceedings, and to argue that it is the Oracle communications around the audit that may not be privileged, as the Oracle lawyers were wearing their business and not their legal hats in rendering the advice to their client. 
Oracle of course will resist such discovery, but Oracle does run a risk as their in-house lawyers appear to be intimately involved in the business advice, as well as the legal advice. Recently, the Supreme Court of the United States has granted cert and has taken up the invitation by the U.S. Chamber of Commerce, which filed an amicus brief asking the Court to resolve the circuit split involving what test should govern the privilege protections applying to dual purpose client communications with attorneys. Right now, there are three circuit tests: Ninth, D.C., and Seventh Circuit. The D.C. Circuit is the most lenient, allowing protection where “a purpose” of the communication is to render legal advice. As discussed above, the Ninth Circuit requires that “the purpose” of the communication be to render legal advice, and not simply "a purpose". The Seventh Circuit is the most restrictive test, and finds that dual communications are not privileged as they do not involve purely legal advice. Obviously, the implications of this split involve much more than software audit defense. The split should be clarified, and one rule should govern, although hopefully not the Ninth Circuit rule. Otherwise, in-house counsel and their clients are put in an impossible situation. As the U.S. Chamber of Commerce noted in its brief: Businesses often rely on their counsel to serve a variety of legal and non-legal roles. And predictability as to the confidentiality of communications with counsel is paramount to ensuring frank and open disclosure to, and proper legal advice from, counsel. Such predictability is especially critical for businesses that operate across jurisdictions and for small businesses that rely on a limited number of employees to perform a wide array of functions. The disagreement among the courts of appeals regarding the proper test for determining whether dual-purpose communications are privileged creates uncertainty. 
And this uncertainty hinders the business community's ability to operate effectively and efficiently. I also thought that these passages really hit the nail on the head: The practical import of the Ninth Circuit's standard is that businesses and non-lawyers will be less likely to seek legal advice, especially from in-house counsel. Even when an employee with a clear purpose of seeking legal advice communicates with an attorney, if a court later determines that a non-legal purpose was predominant in the employee's mind, the communication will be discoverable. The same holds true if a lawyer responds with legal advice but also includes a greater amount of business advice. Given this cloud that hangs over dual-purpose communications under the Ninth Circuit's standard, the client may choose not to communicate with the attorney at all. [T]he Ninth Circuit's single-purpose standard imposes additional costs on the business community. Only granting privilege protections to communications where legal advice was the primary purpose guarantees inefficiency. Communications with lawyers will need to become siloed, with information needlessly repeated or lost in the process. In-house counsel, whose responsibilities often include a multitude of non-legal tasks, will be marginalized and provide less value to their employers. [citations omitted]. Indeed, companies may decide to opt for the advice of outside counsel more frequently because they traditionally perform more discrete roles that are easier to cabin. [citations omitted] In short, the Supreme Court should clarify the rule. But until it does, for companies facing software audits and especially Oracle audits, the safest bet is to retain outside counsel to advise on the matter. Tactical Law advises companies across the United States in software audits, including those involving the licensing of Oracle software.
By Pam Fulmer
Broadcom has announced that it is acquiring VMware for $61 billion. What will this mean for VMware customers? Tactical Law has no crystal ball, but we do know that VMware customers are increasingly being audited, and aggressive software audit tactics have recently been reported by companies under audit. Although VMware has always conducted software audits, they were known for a kinder and more gentle approach than, say, Oracle or Micro Focus. Not so much anymore. Instead, some business commentators have noted that Broadcom CEO Hock Tan’s "previous pattern of buying up software companies like CA Technologies and Symantec will repeat itself with the VMware purchase, with a heavy-handed focus on producing profits favored by investors that could include cutting operating expenses and research dollars and raising prices on customers." One way that software publishers increase their profits is by conducting software audits. And that is what the market is seeing in the case of VMware, and the acquisition has not even closed yet. We predict that VMware customers will see more audits in the coming months. Now is the time to get prepared. The Covid pandemic hit suddenly and forced companies to quickly provide a technology solution so that employees could work remotely from home. Unfortunately, the imperative to move fast meant that for many companies remote working technologies were deployed first, without determining whether such use was allowed by the relevant license agreement. Now those decisions are coming home to roost, as non-compliance is exposed by software audits. If you have received an audit notice or an adverse non-compliance finding while being audited by VMware, our software licensing dispute attorneys can help. Check back for further updates about VMware's new audit tactics.
By Dee Ware
If you are considering entering into an agreement for Oracle/NetSuite (“NetSuite”) Enterprise Resource Planning (“ERP”) software and/or professional services, it is important to check, download, store and read all web pages referenced in the Estimate, Ordering Document, Statement of Work, and any other document provided by NetSuite. NetSuite is likely betting that you will not read or negotiate any of the terms contained in this incorporated material. And, as discussed below, you will definitely want to! Even though often not in blue typeface or underlined, some of the web addresses referenced in the contract documents may be hyperlinks. We advise clicking on all addresses. If an address is indeed a hyperlink, make sure to save the external page that it links to, as this material may not be readily available in the future. The same holds true for other referenced web addresses. This material is usually incorporated into the contract documents and thereby made part of the agreement with NetSuite. Also, you should verify that the date of the referenced material matches what is stated in your contract document(s). That is, if the draft agreement that your company has received from NetSuite says that it is governed by the Subscription Services Agreement v020121, but the link takes you to a Subscription Services Agreement ("SSA") with a different version date, you will want to either get a copy of the version with a matching date to review or ask NetSuite to correct the contract documents. We also cannot emphasize enough the importance of reading what is contained in the referenced material on the NetSuite website before you sign on the dotted line, as the terms are likely one-sided. 
As of the date of writing this blog post, the NetSuite website states that “[i]f your order is placed on or after July 20, 2022 and references the Subscription Services Agreement available at https://www.oracle.com/corporate/contracts/cloud-services/netsuite/, then the June 1, 2022 version of the Subscription Services Agreement applies to that order.” That version of the SSA contains additional hyperlinks (all of which should also be downloaded and reviewed) and, as just a limited example, provides:
These terms and others may be important to your company’s decision-making process, as well as down the road should something go awry.
By Pam Fulmer
Well-respected San Francisco Plaintiffs’ firm Lieff Cabraser Heimann & Bernstein LLP (“Lieff Cabraser”) has hit Oracle America, Inc. with a massive class action lawsuit alleging several data privacy-based claims including Invasion of Privacy under the California Constitution, Intrusion Upon Seclusion under the common law, violation of Business & Professions Code Section 17200, violation of the California Invasion of Privacy Act and the Federal Wiretap Act, and Unjust Enrichment. Plaintiffs seek a declaratory judgment on behalf of the class that Oracle wrongfully accessed, collected, stored, disclosed, sold and otherwise improperly used private data. Plaintiffs also seek injunctive relief. Outing Oracle as one of the largest data brokers in the world, Plaintiffs paint a grim picture of how Oracle has used its software across the Internet to collect, track and identify consumers, without giving those consumers notice that the information is being collected and the ability to object. The lawsuit alleges that Oracle’s improper use of the most private data of American consumers will only get worse now that Oracle has acquired Cerner and will begin collecting health data as well. 
The 71-page Complaint alleges that “the regularly conducted business practices” of Oracle amount to a “deliberate and purposeful surveillance of the general population via their digital and online existence.” Claiming that Oracle is “one of the world’s largest data brokers” Plaintiffs allege that “[i]n the course of functioning as a worldwide data broker, Oracle has created a network that tracks in real-time and records indefinitely the personal information of hundreds of millions of people” and that “Oracle sells this detailed personal information to third parties, either directly, or through its “ID Graph” and other related products and services derived from this data.” Plaintiffs further claim that the proposed Classes “lack a direct relationship with Oracle and have no reasonable or practical basis upon which they could legally consent to Oracle’s surveillance.” Complaint ¶1. Plaintiffs assert that as a data broker Oracle “facilitates the buying and selling of digital data, including personal information, among private commercial and governmental entities” and “operates a data management platform called the BlueKai Data Management Platform, which includes two key features: the Oracle Data Marketplace and the Oracle ID Graph. The Oracle Data Marketplace is one of the world’s largest, if not the largest, commercial data exchange, with a broad impact upon the lives of most Americans and many millions of people worldwide.” Citing to Oracle’s own marketing claims, the Complaint recites that “[t]he Oracle ID Graph helps marketers connect identities across disparate marketing channels and devices to one customer. Powered by the Oracle Marketing Cloud and Oracle Data Cloud, the Oracle ID Graph seamlessly pulls together the many IDs across marketing channels and devices that comprise a given person, enabling marketers to tie their interactions to an actionable customer profile. 
This ID enables the marketer to orchestrate a relevant, personalized experience for each individual across marketing channels and device types.” Plaintiffs accuse Oracle’s business model of having “long roots in the surveillance of ordinary citizens” and claim that “surveillance is central to Oracle’s history and development, and to its current business and marketing plan.” Complaint ¶21. According to the Complaint: “Oracle collects many types of personal information from Internet users including concrete identifiers such as names, home and work addresses, e-mail addresses, and telephone numbers. Oracle also amasses data about peoples’ behavior, including the sites they visit online, their digital and offline purchases, where they shop, and how they pay for their purchases. Oracle gathers this personal information from a suite of its own Internet technologies, including cookies, tracking pixels, device identification, cross-device tracking, as well as from its acquisition of data from other parties. Oracle then processes, analyzes, and monetizes this data.” Complaint ¶27. Plaintiffs further allege that: “Oracle, its partners, and its customers work in parallel to compile personal data and associate that data with specific individuals, effectively creating “dossiers” on people across the world. Oracle accomplishes its dossier building through its multifarious business practices, including not only the functionality of the ID Graph that connects, unifies, and then associates data to a person into a “profile,” but also the functioning of the Oracle Data Marketplace. Oracle’s Data Marketplace is an online store owned and operated by Oracle where Oracle facilitates the buying and selling of data and data-derived services by Oracle and its so-called “premier partners” to private commercial and governmental entities. 
The Data Marketplace allows the confluence of mass amounts of personal data by which its participants, including Oracle, can continually track people’s activities and enrich people’s dossiers.” Oracle clients utilizing the technology include not only private businesses but “also political campaigns and government agencies seeking to surveil, investigate, or target particular individuals with propaganda” and Oracle markets directly to these public agencies and political parties”, referring to them as “Public Sector Customers.” Complaint at ¶69. According to the Complaint “political campaigns now have “needle-in-the-haystack capabilities” to “microtarget voters on all their devices” using personal information sold by data brokers.” The Complaint claims that during the 2016 election the Trump campaign, “built a 220 million–person database of voter information named “Project Alamo” using Datalogix, a data collection platform owned by Oracle.” Plaintiffs allege that Project Alamo facilitated the Trump campaign’s voter suppression initiatives including highly targeted political advertising to African Americans, white women, and young white liberals in 16 swing states, several of which were narrowly won by Trump” and that through “Project Alamo’s voter suppression efforts, it is estimated that 2 million black voters who voted in 2012 did not vote in 2016.” Complaint ¶70. The Complaint likewise alleges that “in the wake of Dobbs v. Jackson Women’s Health Organization, No. 19-1392, 142 S. Ct. 2228 (2022), the threat data brokers like Oracle pose to the privacy of individuals seeking information about abortions is significantly magnified” and that Oracle’s “trackers on the websites of nonprofits providing abortion resources and services, including Planned Parenthood… may have had their personal information tracked and compiled by Oracle, which Oracle may then make available to law enforcement officials.” Complaint ¶ 81. 
The Complaint also raises the alarm regarding Oracle’s “$28.3 billion acquisition of electronic health record company Cerner” finding the acquisition “[c]onsistent with Oracle’s plan of engaging in wide-ranging surveillance of the intimate health details of all Americans.” In that regard, “Oracle’s Larry Ellison has announced Oracle’s plan to build “a unified national health records database,” which it is effectuating through its software. According to Oracle’s Ellison, the company is “building a system where the health records [of] all American citizens[] . . . not only exist at the hospital level but also are in a unified national health records database,” apparently to be maintained and controlled by Oracle. Complaint ¶ 82. Finally, the Complaint alleges that: “Oracle sits atop a complex data collection and processing apparatus feeding its labyrinthine multinational data marketplace, making it impossible for ordinary persons to reasonably understand the true purpose and extent of Oracle’s data collection, compiling of digital dossiers, and other data exploitation practices, which are opaque, if not invisible, to ordinary data subjects. Given the complexity and disguised nature of Oracle’s collection and use of personal information, and the lack of any direct relationship between Oracle and the Plaintiffs and Class members, there is no reasonable basis for Plaintiffs and the Class members to know the extent to which Oracle is obtaining their data, tracking them, and selling their data or services derived from their data. Complaint ¶ 86. Our prediction is that Big Red is going to be busy fighting this one for a while. Tactical Law will continue to monitor the case, which is Michael Katz-Lacabe, Dr. Jennifer Golbeck and Dr. Johnny Ryan v. Oracle America, Inc., Northern District of California, Case Number 3:22-cv-04792. Check back for updates.
By Pam Fulmer
We have been following a very interesting licensing dispute filed in the Eastern District of New York by Tibco Software Inc. (“TIBCO”) against OptumRx Administrative Services, LLC (“OptumRx”). According to TIBCO’s Second Amended Complaint (“SAC”) its “software facilitates the analysis of data and/or the transfer of data, particularly between software platforms that would otherwise not be able to communicate with one another”. TIBCO is no stranger to litigation arising out of software audits and has filed several lawsuits over the years against its customers for breach of license agreement and copyright infringement related to a software audit. TIBCO alleges that the agreement at the center of the licensing dispute is an Enterprise Agreement. TIBCO’s Enterprise Agreement is similar in certain respects to Oracle’s Unlimited License Agreement (“ULA”). Under each agreement a licensee may sign up for a certain fixed period of time and deploy as many copies as it wants of the licensed software within its IT environment. At the end of the fixed period, here three years, the licensee certifies the number of copies of the software it is using in its environment and that amount becomes its fixed perpetual license entitlement. The parties agreed to additional payment and other terms in the event that an “Extraordinary Corporate Event” occurred during the period of the Enterprise Agreement. 
An “Extraordinary Corporate Event” was defined as “a corporate transaction which results in Customer acquiring, being acquired by, merged, or otherwise combined with another entity or into another entity's legal or corporate structure (including an acquisition of all or substantially all of the assets of another entity) which, prior to the corporate transaction, was not part of the Customer or its legal or corporate structure.” According to the contract: “During the Enterprise Term, Customer’s right to deploy shall not extend to any Extraordinary Corporate Event unless the process in Section 3 of this Order is followed. For clarity, the process stated in Section 3 will only be applicable if Customer experiences an Extraordinary Corporate Event as defined below and if the new corporate entity (which is not part of the legacy Customer entity) wants to deploy Software pursuant to this Order Form.” (emphasis added) If an Extraordinary Corporate Event occurred during the term, then OptumRx would need to execute a new Order Form and under certain circumstances pay additional licensing fees to TIBCO based on the amount of annual revenues of the acquired companies, which would be deploying the software. 
“In the event Customer enters into an Extraordinary Corporate Event during the Enterprise Term, it can accommodate additional usage of the Software licensed under this Order Form by executing a subsequent Order Form with Licensor in accordance with pricing schedule stated below (a “Future Order”) provided: (i) the Future Order must represent a binding non-cancelable commitment on the part of Customer with no additional terms and conditions, (ii) Customer must deliver the signed Order Form for the Future Order (substantially in the form set forth herein) to Licensor on or before three (3) years from the Order Form Effective Date, (iii) the Software is still generally available as of the date of the Future Order, and (iv) Customer agrees to purchase the first year annual Silver level Maintenance relating to the Future Order. For the avoidance of doubt, no Future Order form and no reporting is required by Customer in the event Customer enters into an Extraordinary Corporate Event where the new corporate entity wants to license Software under this Order Form and the annual revenue of the new corporate entity (excluding the value of the legacy Customer entity) is less than one billion dollars (as stated in the new corporate entity’s most recent audited statement prior to the Extraordinary Corporate Event).” (emphasis added) TIBCO contends that during the unlimited deployment period, OptumRx acquired 3 companies whose annual revenues exceeded the $1 billion revenue threshold and were using the software and that therefore additional license fees were owed to TIBCO. Although TIBCO does not have concrete evidence that the newly acquired companies were actually using the software, the SAC alleges that “57. On July 20, 2020, pursuant to Section 1 of the Enterprise Agreement, OptumRx provided TIBCO its Deployment Report, which gave notice of the Number of Units of the Licensed Software it had deployed during the Enterprise Term. 
The numbers OptumRx reported were consistent with a doubling of OptumRx’s production capacity. 58. On information and belief, the large increase in OptumRx’s deployment of the Licensed Software to process additional data reflects OptumRx’s usage of the Licensed Software to process data associated with the Acquired Companies.” In short, TIBCO is alleging that since OptumRx’s production capacity had doubled, it must be using the software to process the data of the newly acquired companies, and therefore owes additional licensing fees to TIBCO for the usage. For its part, OptumRx argues that an Extraordinary Corporate Event only occurs when a new company is acquired with revenues that exceed the thresholds, and that company wants to deploy the TIBCO software. According to OptumRx, none of the acquired companies is deploying the software. Counsel for OptumRx argues this in a related letter brief: “There is no dispute that ORx [OptumRx] acquired three companies with annual revenues above the contractually-specified threshold during the contract term – called Genoa Healthcare, Avella Specialty Pharmacy and Diplomat Pharmacy (the “Acquired Entities”) – but ORx denies that any of those companies wanted to license TIBCO’s Software and further denies that such Software was ever deployed to those companies. Perhaps because it knows these denials are well-founded, TIBCO has advanced an alternative, insupportable interpretation of the Order Form, namely that TIBCO would be owed additional fees if ORx itself used TIBCO Software to process data “from” or “used by” the Acquired Entities, even if ORx never allowed those Entities access to the Software or deployed it to their servers. That rewriting of the language of the Order Form appears to be TIBCO’s primary theory of liability. . .” We are not able to review a copy of the license agreement as it has not been attached to the SAC, although it may be included in those letter briefs filed under seal. 
However, it appears that TIBCO may not have included any restriction making clear that the software could not be used for the benefit of another company, without paying an additional licensing fee. TIBCO is the master of its own license agreement. It chose to define an Extraordinary Corporate Event as the acquisition of a company that exceeded a certain threshold in revenues and where the acquired company wanted to deploy the software. Had it wanted to do so it could also have included a clause that additional licensing fees would need to be paid if OptumRx used its software to process data for the benefit of these newly acquired companies. However, it does not appear to have done so. TIBCO should be stuck with the contract that it drafted. Readers of our blog may remember that Mars accused Oracle of overreaching in the Mars v. Oracle lawsuit when Oracle tried to take the position during the audit that users who accessed output data manipulated by Agile, should be counted as users requiring a license. Mars pushed back hard on this assertion pointing out the ridiculousness of the Oracle argument that “an employee who lacks an Agile user account, who is not trained on Agile, who never logs into Agile, and who never even touches a machine that uses the software fictitiously becomes a “user of the program” by reading data exported from Agile.” TIBCO is making a similar argument here, by essentially claiming that the companies acquired by OptumRx deploy and use the software even though TIBCO has no evidence that they directly accessed the software or that it was deployed on their servers. In short, enterprise software companies continue to seek to expand the definition of what it means to use their software. 
We see this all of the time with Oracle’s prospective licensing argument involving VMware and its assertion that Oracle is owed a licensing fee for every server where the Oracle software may be used in the future even if the software is not currently installed and/or running. We predict that enterprise software customers will continue to see software publishers trying to take an expansive view of what it means to use or deploy enterprise software. So be on the lookout for these types of issues, and take steps to protect yourself in the event of an audit. The case is TIBCO Software Inc. v. OptumRx Administrative Services, LLC, Case No. 1:21cv5723 (E.D.N.Y.). Check back periodically for updates.
By Tactical Law Attorneys and From Time to Time Their Guests