Quest Software Ramping Up Audits And Suing Customers

In the last few years software developer Quest Software, Inc. (“Quest”) has ramped up the number of audits it is conducting against its licensees.  In fact, not only is Quest increasingly auditing its customers, but it is suing them for copyright infringement and breach of contract arising out of the audit.  Within the last year or so at least 4 lawsuits have been filed by Quest against its customers, including suits against Nike, HCL America, Electric Reliability Council of Texas and World Fuel Services Corporation.  We know first-hand that Quest has gotten increasingly aggressive, as we are currently defending software audits brought by Quest against other customers.  

Originally founded in Newport Beach in 1987, Quest is a software company with over 100,000 customers worldwide, which develops and supports software used by database professionals for cloud management, security, workforce mobility and data-driven insights. In 2016 Francisco Partners and Elliott Management acquired the company from Dell. Industry insiders know that Francisco Partners  has a reputation of owning companies that aggressively audit their software customers.   

Although several of the cases brought by Quest settled quickly, the one against Nike appears to have some legs and Nike is fighting back.  Quest filed its complaint on April 24, 2018 asserting claims for copyright infringement, breach of contract and violations of the Digital Millennium Copyright Act and seeking licensing fees of $15,646,191.55 for alleged overdeployment.  In part to support this big number, Quest has taken the position that an “authorized” user under the contract, is anyone that can access the software even if the user has never actually done so.  This is an issue that we often see in audits conducted by Oracle Corporation as well.  In fact, a similar issue was raised by Mars in its motion for preliminary injunction in the Mars vs. Oracle case.

Nike fired back with its own counterclaim for declaratory relief, breach of contract and breach of the implied covenant of good faith and fair dealing on May 31, 2018.  In its counterclaim, Nike accused Quest of predatory audit practices setting forth a number of questionable actions by Quest.  For example, according to Nike, although the license agreement only requires a payment to Quest if the software is used, Quest’s auditors ran scripts that “were not designed to inventory users of Quest Software on NIKE systems – that is, persons who had actually run a Quest Software program. Instead, they were intentionally designed to inventory all persons or machines which had the right to access servers on which Quest Software programs were stored, without regard to whether such persons or machines ever actually used a Quest Software program.”  Nike Counterclaim at ¶ 33.  The counterclaim alleges that “Quest intentionally designed its audit “scripts” for NIKE for the bad faith purposes of creating an improper estimation of overdeployment, in order to support an inflated demand for payment, contrary to the requirements of Section 12 of the SLSA.”  Nike Counterclaim at ¶ 34.  Counting the actual number of users who actually used the software and taking into account other issues, Nike came up with an overdeployment calculation of $348,664.74, which they offered to pay to Quest to resolve the audit.  Counterclaim at ¶ 39.  Quest rejected this offer.  Counterclaim ¶ 40.

In addition, Nike contends that Quest engages in a laundry list of bad faith and predatory audit practices against its licensees including: (a) substantially increasing the number of audits of licensees; (b) in conducting audits, disregarding the contractual terms of its license agreements regarding calculation of amounts due for overdeployment, and demanding grossly exaggerated and unjustified payments from licensees for overdeployment; (c) refusing to accept payment or tender of payment by licensees for overdeployment that has been calculated by the licensees in accordance with contractual terms; (d) demanding payment from licensees for uses of freeware and trialware versions of Quest software, even where such payments are not required under agreements between Quest and the licensees or the terms under which such versions are made available to the public; (e) demanding overdeployment payments in excess of Quest’s published licensing prices where licensees are alleged to have used license keys or other access devices not provided by Quest to access licensed Quest software, even where such use is not prohibited by Quest’s agreement with the licensee; (f) threatening and/or commencing claims against licensees that assert damage claims under the Copyright Act or the Digital Millennium Copyright Act for alleged licensee overdeployment, with knowledge that such claims are not permitted and that Quest’s sole and exclusive remedy for overdeployment is payment by the licensee of amounts due under the licensees’ agreements with Quest; and (g) in order to exert coercive pressure on licensees to accede to Quest’s predatory demands for payment, refusing to provide or renew Maintenance Services to those licensees, even though Quest is aware that such refusals are breaches of the license agreement between Quest and its licensee, and that such refusals damage the licensee by denying it necessary security and software upgrades.”  Nike Counterclaim at ¶ 59.

Many of the arguments made by Quest are similar to ones we have seen in Oracle software audits.  As discussed above, a similar “authorized user” issue was raised in the Mars filing and we have seen it raised with other Oracle customers.  We have also seen Oracle use an expansive interpretation of what it means to be “installed” in the context of its own software audits, especially where licensees are using VMware in a virtualized environment.  Similar issues are apparent in the Quest vs. Nike lawsuit.  For example, Nike contends that “Quest Software, like all operational software, contains executable files. When these files are accessed and executed, the relevant program(s) will run and perform the tasks for which the program(s) are designed and for which NIKE has licensed that software. “Use” of a Quest software program means to run that program and a person who directs the program to run is a ‘user’”.  Counterclaim ¶ 17.  Nike further contends that “the Microsoft Windows operating system, on which Quest Software was installed, creates logs that can be used to identify each occasion on which a Quest Software program was executed, that is, used, on that particular system. Using these logs in correlation with other forensic artefacts on the system permits identification of the users of Quest Software.”  Counterclaim ¶ 18. Nike concludes that it “has not agreed, under the SLSA or otherwise, to pay for licenses for Quest Software for persons or systems who could theoretically access the Quest Software, but who do not actually use the software.” Citing internal data security personnel as one example, Nike contends that one “important reason for this is that although many people and machines within the NIKE system are authorized to access servers on which a copy of a Quest Software program is stored, they have no need to run any Quest Software program and do not use that software.”  Counterclaim ¶ 19.

As pointed out in an earlier July 6, 2017 Tactical Law blog post, Oracle’s Chad Russell, Senior Counsel in Oracle’s Legal Department, took a similar position with its licensee Mars as to what it means to use the software.  Instead of focusing on actual usage, Oracle instead twists the meaning and claims a licensing event where the software “is available for use”. According to Mr. Russell. “Oracle programs are installed on any processors where the programs are available for use.  Third party VMware technology specifically is designed for the purpose of allowing live migration of programs to all processors across the entire environment.  Thus, Oracle Enterprise Edition is installed and available for use on all processors in a V-Center.”  Exhibit 11 to Declaration of Eloise Backer, Mars v. Oracle, San Francisco Superior Court, Case No. CGC-15 -548606.  Essentially, Oracle took the position that the mere fact that Oracle software might possibly be installed and run on one of these processors at some indeterminate time in the future, constituted a present use of Oracle software and a licensing event for which Mars would need to pay a royalty at the time of the audit.

One key take away from both these cases, is that licensees need to carefully control the information that licensors are receiving during software audits and ensure that they are actually entitled to the information under the terms of the license agreement.  Before blindly running scripts, get the auditors to set forth in writing what information the scripts are collecting, and the basis in the contract allowing the licensor access to such data. Licensors conducting software audits may overreach if they can and gather much more information concerning the customer’s IT system than they are entitled to.  This ends up resulting in inflated claims of overdeployment and large dollar expenditures for licensees. If you get a Quest audit notice, consider retaining experienced outside counsel to assist you with successfully navigating the audit.    

We will be monitoring the Quest vs. Nike case for any interesting filings such as motions for summary judgment.  Recently the Judge in the matter, the Honorable Judge Anna Brown, issued a scheduling order setting the fact discovery cut-off on May 16, 2019.  Dispositive motions are due at the end of August 2019.  The parties appear to be engaged in a great deal of discovery, but no formal discovery motions have yet been filed.  The case is Quest Software, Inc. vs. Nike Inc., Case No. 3:18cv721 pending in the U.S. District Court for the District of Oregon.