By Dan Ingouf, IAITAM
ITAK V4 I4
A realization recently occurred to me that I thought was relevant, kind of ironic and definitely worth sharing. Spring in Ohio has finally started to take hold after a very long and what I rate as a rather brutal winter. With the much anticipated spring-like weather abounding, I started preparing planter areas using bags of composted animal manure that I had purchased at a major home improvement retail store. Oddly, when I was opening the bags, I noticed a prominent bar code and the words “Proof of Purchase” printed above the bar code.
I thought about it, and smiled. How important, and yet commonplace, has proof of purchase become to most industries? This article will focus on just how important proof of purchase is when proving that software possessed was actually purchased through legal means. This could save hundreds of thousands of dollars in legal fees and fines during a compliance audit; or, as I found, proof of purchase can also be referenced to prove that a bag of manure was purchased. I find this wide spectrum of bar code use kind of ironic, yet very much indicative of the immense importance and widespread use of proof of purchase, commonly known as PoP. Let’s look at some examples:
If you have ever returned or exchanged an item in the place of the original purchase of that item, what was the first thing requested from you? Proof of Purchase.
If you purchased electronic equipment, or most anything else for that matter, and part of that purchase transaction involved a savings in the form of a rebate, what is one of the main items that will be requested of you to allow the completion of that rebate? Proof of Purchase.
If you are the Software Asset Manager for an organization that has recently been contacted by a software compliance agency such as the Business Software Alliance (BSA) in reference to claims that your organization is utilizing unlicensed software, what do you think will be one of the most important documents that can be used to refute this claim? Proof of Purchase for all software in question.
While it is true that some retail stores will give credit for lower cost items that are regularly stocked and are being returned without proof of purchase, this is an exception to the rule. Proof of Purchase is just what it sounds like; verification that the item in question has in fact been legally procured. Sensibilities, common business practices, and all software compliance audits demand that proof of purchase must be obtained and maintained for later use as necessary.
Proof of purchase has been in use and deemed necessary since the beginning of the sales industry itself. Normal business practices have for some time entailed the tendering of purchase recognition to the consumer of goods or services; specific proof from the seller or provider that the goods and/or services were in fact paid for.
Armed with knowledge concerning Proof of Purchase necessity, we can now move from the past into the present and future where the need of purchase proof seems to increase exponentially. We will now enter into the age of desktop computing.
Just after the introduction of personal computers and the software programs used to run those computers, software piracy was born, though not all of it takes the form of mass-production copying efforts. Software pirates are the insidious entities that chose to illegally use, copy and/or sell software by other than legitimate means.
Sadly, there are individuals and organizations that also fall into the category of software pirates and don’t even know it. Did you buy your software from a “discount” source on the internet? Did your organization purchase any of their assets from an unscrupulous vendor who practiced hard disk loading or bundle breaking to satisfy your software needs? Were all necessary documents to prove ownership and compliance supplied with the software from your vendor? These are tough questions that must be answered with complete accuracy and truthfulness before you accept delivery on the assets.
Regardless of how a state of non-compliance was reached, the fact remains that a compliance audit can be just a phone call away. With the heightened rewards offered by compliance enforcement agencies, more and more people use this as a reason to call these hotlines.
While the compliance agencies focus their efforts on reports that contain credible evidence, the fact remains that it just takes one phone call to focus the eyes of an enforcement agency on your organization, and if there is reasonable justification, your organization will be pursued by legally authorized authorities who will demand proof of compliance with relentless zeal in their efforts and the law on their side.
In a best case scenario, the organization in question will be forced to respond with the results of a self-audit to satisfy the agency’s request, and hopefully the audit will reveal that the organization is in fact compliant.
No organization wants to find out that they are non-compliant by means of an enforcement agency audit, so the big question arises: how can any organization know that they are compliant before the threat of an audit becomes imminent? That is indeed the unanswered million dollar question, because sadly, there is no universal compliance standard and most organizations fail to negotiate the definition of compliance in their purchase contracts.
The good news is that the answer lies partly in the effectiveness of your Software Asset Management Program. Close attention to detail and following best practice methods for the management of software will mitigate most compliance risks, yet there is still one important factor left to be resolved and that is how to know without a doubt what is necessary to prove compliance. Exactly what does the creator of the software require as proof of compliance?
There is no Clear Standard
Since the inception of computer software as we know it, there have been no clearly defined or universal standards as to exactly what was needed to prove compliance. The bad news is that not too much has changed to date concerning the universal standardization of compliance factors. It is still up to each organization to decipher what documentation is necessary to prove legal and valid ownership, and that all software is being used in accordance with the software publisher’s End User License Agreement (EULA) or contract T&Cs.
Since the software producers have not been forced by law, and have not yet taken the pro-consumer initiative to list the specific documents necessary to maintain compliance for each specified piece of software, the purchaser must rely on the EULA for the software purchased, negotiated contract agreements, and try to effectively retain all documentation associated with the purchased software. These are the compliance efforts normally seen within an organization’s environment.
Legal Resources Exist to Help You
Beyond the in-house efforts, look for information outside the confines of your organization. Since the question at hand is in fact a legal question, look for information from reputable legal sources as well.
According to legal resources as displayed on www.zimbio.com (http://www.zimbio.com/Software+Audits/articles/4/Proof+License+SIIA+Software+Audits) the Software and Information Industry Association (SIIA), a major software compliance enforcement agency in the U.S., has one main purpose in its existence and that is to verify that the subject organization can prove that they legally own the software in question.
The website shown focuses on SIIA compliance information posted by Robert J. Scott, an attorney who specializes in software audits concerning what is or is not considered as proof of purchase during an SIIA software audit. The information may surprise and possibly even anger you.
According to Attorney Scott, the following 7 items ARE NOT Considered as Valid Proof for a SIIA audit:
- Copies of Checks to Software Vendors
- Dated Purchase Orders
- Undated Software Licenses
- Credit Card Statements Evidencing Software Purchases
- Certificates of Authenticity
- Media, Manuals, or Key-Codes
- Invoices Bearing an Entity Name Other than the Entity Named in the SIIA’s Initial Letter
As per SIIA, the following 5 items WILL BE considered as valid Proof of Purchase and ownership for the purposes of an SIIA audit:
- Dated Invoices in the Name of the Audited Entity
- Soft Records (online account statements) from Recognized Resellers
- Signed and Dated License Agreements
- Soft Records from SIIA Members such as Microsoft Licensing statements
- Cash Register Receipts for Retail Sales where Product, Version, Quantity and Price Paid are Included
Additionally, Attorney Scott states: “Understanding how the SIIA analyzes software audit materials is critically important to achieving the most favorable outcome. In our experience, it is the most time consuming and difficult part of the process for clients to handle on their own.”
It is abundantly clear that a strong understanding of what is required as proof of purchase will in many cases prove to be the difference between victory and defeat during software audits. The real problem though, rests on the fact that the end user is not always made aware of what is needed to prove legal possession of software. As previously noted, we saw that the SIIA has indicated what is and what is not acceptable as proofs of purchase. If contacted by the Business Software Alliance (BSA) concerning a software audit, the rules of the game could be quite different than those for the SIIA or the software vendor themselves.
Find and Utilize Resources
There are many legal resources whose focal business function is technology and matters of compliance, and they can be utilized before, during and after a compliance audit. Clearly, the best time to utilize legal resources concerning a compliance audit is when the first contact is received. If your organization has legal counsel on staff or on retainer, use them before any other action. If there is no legal entity within your organization that is equipped to deal with audit processes, then seek outside counsel. There are many legal firms available that specialize in matters of compliance audits. Understand and accept the fact that they are the experts and are normally well worth the expense of their services. Do not take a compliance audit lightly.
A brand new one-of-a-kind resource that is available for matters of software compliance is the protection afforded by the IAITAM Information Technology Asset Insurance Program. The product that addresses audit events is the Software Protection insurance agreement. The umbrella of this policy covers comprehensive copyright, trademark, database rights, and infringement coverage for members faced with infringement claims based on their internal use of software – the sort of claims routinely brought by software publishers or their representatives such as the BSA and SIIA.
Ultimately, a Best Practice Program of software compliance readiness is the best proactive stance that any organization can take. Enforcement agencies are out there, and they exist to locate and fine non-compliant organizations. The organization’s mission is to be well armed with information about the resources available and how to best use them. Of equal importance is building a strong IT Asset Management program that uses proper Documentation Management as part of the foundation for achieving software compliance.