Attorneys-at-Law TRUST. CIOs Guide to Survive and Exit from Problematic IT Audits by Jan Lindberg

Jan Lindberg, attorney LLM Helsinki, M.Jur (Oxford) tel. +358 40 823 6031 Attorneys-at-Law TRUST. Jan.Lindberg@theTRUST.fi

Bulevardi 12B 00100 Helsinki Finland

Jan Lindberg is one of the leading Finn-ish experts in IT and technology law, mergers & acquisitions and private equity. He works closely with patent-intensive business sectors in particular, such as tel-ecom, high-tech, cleantech and pharma-ceutics, advising clients on different transactions and their financing, joint ventures, EPC and construction con-

tracts, licensing, co-operation arrange-ments and outsourcing, as well as on con-tentious and non-contentious IP and technology law assignments, IT disputes in particular. In addition, Mr. Lindberg acts in corporate advisory roles in several start-ups, boards and management teams. Jan Lindberg has negotiated numerous international technology arrangements and transactions with top industry players in various fields of technology and in var-ious locations from the U.S. to Japan. Jan Lindberg is listed as one of Finland’s leading professionals in his field in sever-al rankings and publications, including Best Lawyer, IAM 250 World’s best Pa-tent and Technology Lawyers and Cham-bers Europe and Chambers Global and is currently the Vice President of the Finn-ish Industrial Property Association (STY).

Recent reference cases:

• advised management in several listed and private Finnish companies in their IT au-dit disputes against all leading IT software vendors from Oracle to Microsoft;

• advised in the divestment of Suunto Bene-lux to its current management;

• advised in the IT infra outsourcing of a Nasdaq OMX listed Finnish company;

• represented a Nordic consumer brand in an unfair competition litigation in the Markets Court.

Attorneys-at-Law TRUST.

Scope Planning the right strategy to survive third-party licence audits is essential to minimizing your expenses that arise out of third-party audits. In this article, we aim to provide experiences from recent IT disputes from the customer’s or target company’s perspective, as well as tools for handling different technology licensing related breach of contract and copyright infringement claims after licence audits. We also look at these issues from the per-spective of a listed company and provide guidance when an IT dispute could “ma-terially affect” the value of the company’s securities and try to provide assistance when an IT dispute would have Securities Law consequences. At the end of the day, while many of these cases seem to interest also the top management due to typically high financial requirements, for us IT law experts these constitute business as usual, though taking into account that corporate governance and notification requirements may occasionally need to be considered. In summary, we claim that it is possible to save significant amounts of money in IT disputes with proper preparation and pre-liminary measures put in effect in the drafting phase and, at the end, we provide a list of key recommendations for IT au-dit-specific cases to help you navigate through the main risks. Moreover, an NDA with the auditor plays a crucial role in many respects and is very important to negotiate properly due to the fact that it also determines what may be reviewed and how much information may be disclosed to the IT vendor that is about to review your environment. Here, the customer approach should typically be a three-party agreement with the audi-

tor, IT vendor and your company. We have a more detailed checklist on these NDA issues available, so please send an e-mail if you are interested. Industry Trends affecting Technology Licensing There are several reasons why IT vendors have recently been more aggressive in en-forcing their licensing policies. The eco-nomic situation is naturally one of the most significant factors. We have also seen at TRUST in Finland that this au-tumn the number of requests from certain IT vendors to perform audits has signifi-cantly increased. It should also be noted that a general in-dustry trend seems to be that there is less room for negotiating standard software licences, and it is more or less a question for a customer whether to choose a spe-cific software component for a project or not. In this new paradigm, the role of li-cence terms is just that of one factor af-fecting the final decision rather than a standard starting point for negotiations. This development seems to increase li-censing deficit risks. Also organizational restructurings, mer-gers and acquisitions, as well as mere trends regarding usage of private clouds or centralization of IT assets and person-nel to separate legal entities, e.g., for the purposes of providing group-wide IT ser-vices on a SaaS basis (Software as a Ser-vice) have meant that old licence agree-ments may not have followed the actual organizational developments contributing to the increased risk of disputes.

Attorneys-at-Law TRUST.

A Typical Story after a Licence Audit One hypothetical case could be that after an audit an IT vendor claims that the back-up environment of Customer Ltd, a publicly listed Finnish company, that was used in connection with environment transition, was not properly licensed and due to such licence deficit, the IT vendor requires customer to pay, e.g. €Xk for the lack of appropriate licences and €Yk for the unpaid maintenance. We can also safely assume that at least in the first pro-posal, these payment obligations are cal-culated retrospectively making the total sum exceptionally high. If this case does not sound familiar, we can easily adapt these facts to a case where additional software components were found from the servers of the Cus-tomer Ltd which were not originally pur-chased (or even wanted) by the customer, or there might be a situation that Cus-tomer Ltd’s own SaaS supplier does not seem to have valid third party licences for its operations. If we return to our hypothetical case, the other facts of this case could be, for ex-ample, the following:

• During 2008, both the IT vendor and Customer Ltd were engaged in negotiations concerning licences that the customer needs to acquire for its IT environment.

• Based on these negotiations, Cus-tomer Ltd acquired the licences af-ter having received a licence rec-ommendation from the IT vendor’s Sales Manager.

• We can establish that there have been discussions in 2008 on the back-up environment, but we are not able to show evidence as to

how long such back-up environ-ment would be operational or as to whether it has been the intention that no separate payment should accrue. However, this transition work or failover was known by the IT vendor at the time when the IT vendor gave its licence recommen-dations.

• The agreement contains an express provision on a failover environ-ment (back-up environment) stat-ing that any use of failover envi-ronment exceeding twenty (20) days must be separately licensed.

• We can assume that disputes will be finally resolved in the District Court of Helsinki and the govern-ing law is Finnish law and that the agreement contains a limitation of indirect damages for the benefit of customer.

Specific Issues in Transitional Work One important issue that seems to be missing from many even large-scale IT procurement agreements is a clause that makes it possible for the customer to temporarily exceed the agreed licence amount for the purposes of performing transitional work, for example, regarding changes in the IT environment. This can be solved partly by choosing a licensing matrix based on user numbers as the number of effective users still natu-rally remains at the same level despite such transitional work. It should also be noted that even in this case there might be so-called “fail-over clauses” addressing or limiting the customer’s possibilities to use back-up environments which may cover transitional periods requiring, e.g., payment of additional licence fees.

Attorneys-at-Law TRUST.

When does an IT Dispute Have Securi-ties Law Consequences? An IT dispute can have Securities Law consequences either (i) as a litigation that has to be disclosed or (ii) another matter that has a material impact on the compa-ny, its cash flow or prospects. As a gen-eral rule, all circumstances and decisions that may have a material impact on the value of the company’s securities need to be disclosed without undue delay. Breach of the disclosure rules may lead to dam-ages liability, official warning or fine or imprisonment in the worst case scenario. The evaluation on the significance of the matter is always done beforehand. There-fore, the company needs to have a strate-gy or a disclosure policy for administering disclosure, e.g., in relation to IT disputes and claims. As Securities Law questions need to be resolved on a case-by-case ba-sis, only some rules of thumb can be giv-en to facilitate the decision-making. First, the company’s disclosure policy needs to be consistent; if you have dis-closed similar matters earlier on, you must also disclose them now. Second, if the IT system is critical to the company’s operations, the monetary value of a dis-pute may not be the real concern; the real issue is rather the disruption to the com-pany’s ongoing operations. Third, you should not disclose too early on. A poten-tial dispute does not normally have to be disclosed prior to the actual filing of the case. In uncertain situations disclosure may create more confusion than clarity regarding issues. Fourth, the company should note how the investors have react-ed to earlier disclosed information and how they will likely react, considering the business that the company is in. Fifth, if payment liability is likely, it may affect the

company’s profits and cash flow. This may require issuance of a revised profit forecast. However, this route is not often advisable, as it might be construed as ad-mittance of the potential liability. If the potential impact is material, and the issues are being negotiated prior to the settlement or filing of the case, the parties should ensure the confidentiality of the matter and the negotiations. This should preferably be structured as a “transaction-specific insider register”. However, it should be noted that the disclosure should be made at the latest when the of-ficial procedure is commenced. Customer Toolbox for Solving Audit-related IT Disputes In our hypothetical case, the IT vendor who has performed the audit could have two possible avenues for remedies but be-fore that one issue should be ensured. Namely, if there is an audit or IT dispute (like in any other dispute), you must en-sure that your company speaks with “one voice”. So instruct all your team that only specific persons have the right to discuss the matter with the vendor. This is very critical point. The IT vendor could argue that Customer Ltd has committed a breach of contract and is therefore liable for damages, or it could argue that there is merely an in-fringement of the IT vendor’s copyrights as the additional use was unlicensed and therefore the the IT vendor would be en-titled to compensation under the relevant sections of the Copyright Act. We look at these two cases separately.

Attorneys-at-Law TRUST.

Breach of Contract If you face with breach of contract claim from your IT vendor, then, for example, the following arguments could be used to support Customer Ltd’s case:

• Interpretation of the agreement under Finnish law is also subject to general contractual principles and in one form these are illustrated in the Finnish Sale of Goods Act, which is not, however, directly ap-plicable to licensing. Despite the exact wording of the agreement, the intention of the parties is the most relevant factor.

• It could be conceivable to argue that it was the intention of the par-ties that the agreed price already included the transitional period and utilization of a back-up envi-ronment during such time as this transition work or failover was known by IT vendor as outlined above and the Sales Manager gave its license recommendations ac-cordingly.

• In the Sale of Goods Act, the seller (in this case the IT vendor) has no-tification obligation to the buyer (in this case Customer Ltd) on any is-sues that may affect the sale, and this obligation is actually legally “stronger” than Customer Ltd’s ob-ligation to investigate whether this situation is properly covered by a license or not. Therefore, we could also argue that if any separate pay-ments concern such transition or failover, such terms should have been brought expressly to the at-tention of customer, especially if the Customer Ltd put an emphasis on that in the negotiation phase.

• Under Finnish law, it is widely held that the parties can create an “implied agreement” by their con-duct and business practice (e.g., clarifying the content of the origi-nal agreement). Therefore, there might be such a term implied into a contract that there is no pay-ments arising out of transition work.

• The actual sizes and negotiation position of the companies are not specified. In some cases it could be possible to argue that if these sums are exceptionally high, these addi-tional payment terms for fail-over are onerous and strict provisions in standard terms. In such case Finn-ish law requires that such terms be separately communicated to the contracting party in order to incor-porate such terms as part of the agreement. It could also be argued that the additional payment terms are unreasonable under the Con-tracts Act S.36.

• Under Finnish law, all claims must be made within a “reasonable time” and, therefore, even if this claim would be valid, the IT vendor itself should have notified Customer Ltd on any payments regarding transi-tion work or failover. The IT ven-dor has not done so within a rea-sonable time, and therefore it has lost its right to claim compensation as outlined in the report.

• However, when lost profits are ex-cluded from liability, the IT vendor has to limit its damages claim to di-rect damages and, naturally, this is something significantly less than “list fees” for missing licenses.

In a real-life situation, we also need to take into account the arguments that

Attorneys-at-Law TRUST.

weaken our case, such as express wording of the agreement and the fact that both parties may be in equal position in this case as to size and legal competence, re-sulting in that the courts are hesitant to apply the reasonableness argumentation in a business-to-business environment. Copyright Infringement: If you are faced with a copyright in-fringement claim from your IT vendor, then, for example, the following argu-ments could be used to support Customer Ltd’s case:

• If this case would go to the court, it may be difficult to say in advance whether an issue is classified as a contractual matter or as copyright infringement. This is relevant as it determines also the available rem-edies that an IT vendor can actual-ly claim form the Customer Ltd.

• While this is an open legal issue, our standpoint is that this case should most probably be classified as a contractual matter, and there-fore there is an increased litigation cost risk for the IT vendor (this is also reflected in Swedish case law, see for example, T-21342-02).

• On the basis of copyright in-fringement, the IT vendor could be entitled to “reasonable compensa-tion” and other damages if it can proof negligence or intention.

• The amount of reasonable com-pensation could be significantly lower than the amount of payments required by the IT vendor (exclud-ing maintenance as there is not breach of copyright).

Some Conclusive Remarks

• Negotiate your NDA well as it will determine part of the audit’s scope and make sure that all disclosure between you, the auditor and the vendor is covered.

• Communication with “one voice” to avoid any risks that your em-ployees might give useful (or, from your perspective, potentially harm-ful) information for the auditor.

• It is possible to argue that the risk that the IT vendor will raise an of-ficial claim against the customer in Finland is in practice relatively low (as generally IT vendors have not been very aggressive in the imple-mentation of their licensing poli-cies on the Finnish market in the past). Of course, this is not to say that this could not happen.

• However, if such a claim is raised and the IT vendor is able to pre-sent convincing a calculation of damages, then the customer should reconsider its position. According to our experience, in many cases these “post-audit notifications” are merely presented to gain additional revenues without actual legal justi-fication.

• If there is a real claim, Customer Ltd should naturally pay as it is a reputable company but, at this stage, we would be inclined to rec-ommend that Customer Ltd con-tinue to contest both the grounds and amounts presented by the IT vendor to be paid for the back-up environment of customer.

• Even if additional payment re-quirements are not fully waived by the IT vendor, arguments support-ing the reduction of fees are out-lined above, which at least hopeful-

Attorneys-at-Law TRUST.

ly enable you to reach a reasonable compromise.

Checklist for Avoiding Pitfalls in Advance Ensure the IT vendor’s knowledge and understanding of the IT architecture keeping in mind that the sales person may not have sufficient technical background. Try to get express a contract clause that the vendor has reviewed your IT envi-ronment and allocated the licences ac-cordingly. Even an e-mail confirmation that vendor’s licensing model corre-sponds to your IT architecture may prove to be very valuable as, under Finnish law, it is the intention of the parties that is rel-evant in case of interpretation of the agreements. Ensure that information flow from the li-cence purchase to installation is uninter-rupted in particular if different companies provide these. Ensure free allocation of licences within the group if this can be done with reason-able cost as licences tend to be forgotten in corporate restructurings. Save all e-mails and file these so that, de-spite employee changes, such documents can be easily retrieved. If you must pay, ensure that a written set-tlement agreement for all these cases is in place before making any payments or oth-erwise you may soon be faced with the same case again. While settlement agreements are in these cases typically pro-competitive, limita-tions imposed by competition law should, as always, be taken into account.

**** JL

The views expressed in this market update are of a general nature and should not be considered legal advice or relied upon in a specific situation. Any actual situations should be evaluated legally on a case-by-case basis.