
Business Software Alliance (BSA) Audits: Top Ten Things to do if You Receive a BSA Letter


A software audit firm, working with your counsel, can help you manage a more favorable outcome when responding to a BSA letter.

The Business Software Alliance (BSA) is an industry trade group made up of software giants. It exists to help leading software firms combat software copyright law violations, sometimes referred to as software piracy.  Well-funded and aggressive, the BSA pays hefty rewards to whistleblowers and levies large fines on violators.  Companies that fail to respond to BSA inquiries face potential litigation or even prosecution for violation of federal copyright infringement laws.

 

What to do if you receive a “Letter” from the BSA indicating they believe you are in violation of software license agreements:

  1. Don’t panic!  But don’t ignore the letter.  The problem will not go away, and the BSA can file a federal copyright infringement lawsuit against your company without notice if they believe you are ignoring them.
  2. Notify internal stakeholders, senior management, and your board.
  3. Hire a law firm with BSA audit experience.  Lawyers who have navigated these tricky BSA waters can help you protect the findings of your internal software audit under attorney-client privilege, can sometimes negotiate confidentiality language into your settlement agreement with the BSA, and can help you get court relief if you are unable to successfully negotiate the scope of your audit with the BSA.
  4. Partner with an experienced software audit firm.  Avoid the temptation to do the software compliance audit yourself.  Experienced firms will have more sophisticated audit software capabilities, and are seasoned at avoiding errors like incorrectly identifying a free software download as unlicensed.  Software audit firms will have all of the latest software surveillance scanning tools, each of which has its own strengths and weaknesses.  In addition, a professionally conducted audit will be more likely to satisfy the BSA’s requirements.  Besides, responding to a BSA audit request can consume a great deal of your IT department’s time.  Don’t they have better things to do?
  5. Create a plan.  Have an internal project lead.
  6. Don’t remediate yet.  The BSA will not give you “credit” for software licenses purchased after the date of your letter.  In addition, they may accuse you of “spoliation” if you tamper with computers or try to fix the problem prior to an audit.  Beyond that, even the best IT professionals can inadvertently tamper with computer evidence that may create the appearance that your company had something to hide.
  7. Begin collecting your entitlement records.  This takes time.  Start your process of compiling your proofs of purchases and software receipts.  Use technology to run scans on your software and hardware to reconcile your hardware purchases (product I.D.’s) and asset tag numbers with hardware purchases to compile a list of licensed software.  Your software audit firm will load this data into their report / findings spreadsheet for reconciliation of compliance gaps.  For best results, run a composite of scans with leading scanning tools from companies like “Spiceworks,” “Lansweeper” and “Recover Keys” to collect a comprehensive list of purchase records.
  8. Run your audit.  Working with your lawyers, the software audit firm will run network scanning software across your network, often without needing to be physically present.  Again, it is recommended that you do not allow the BSA to have one of their own software firms conduct this audit.  The mere thought of a large software publisher running a script across your network to perform a deployment audit would keep even the most confident IT Director up at night.
  9. Don’t be bullied.  Yes, the BSA can be a formidable adversary, but you have rights.  Push back (through your attorneys) on unreasonable scope requests or ridiculous deadlines.  Experienced counsel can help you calibrate when the BSA has crossed the line.
  10. Document everything.  This will help you demonstrate good faith if your discussions with the BSA go sideways.

 

 

Want More Info?

Call Jeffrey Hartman at 312-282-4140, or jeff@4Discovery.com

www.4Discovery.com


About Jeff Hartman

Jeff is a 30-year veteran of the corporate security, computer forensics, and eDiscovery community and a co-founder and partner at 4Discovery. 4Discovery is a leading provider of computer incident response and computer forensics services to attorneys, corporate security executives, and the information protection community.