Source: securityboulevard.com – Author: John Gary Maynard III
Many commercial disputes are launched with a demand letter. The form of those letters is familiar: The author describes the circumstances of the parties, identifies a breach of contract or other injury allegedly caused by the letter recipient, demands an amount to settle the dispute and threatens court action otherwise. If a breach of contract is alleged, the demand letter typically describes the contract damages to which the aggrieved party is purportedly entitled. Those damages will be calculated in ways familiar to lawyers everywhere. They may consist of (1) a claim for rescission of the contract and restitution of amounts paid, (2) a demand for the aggrieved party’s lost profits or perhaps (3) a demand for payment of “liquidated damages” specified in the contract. If the aggrieved party complains of a statutory violation—e.g., of a trade secret law or the Copyright Act—the letter will similarly describe and claim the kinds of damages specified by those statutes. In many cases, the party serving the demand letter also will cite relevant cases purportedly establishing its right to the relief it requests. The goal of such a discussion is to show the recipient the principles that will guide a court (and ensure the recipient’s defeat) if there is no settlement.
Obviously, a software user who has “failed” an audit is embroiled in a type of commercial dispute. The alleged noncompliance identified by the software vendor allegedly constitutes a breach of the relevant license agreement(s). Often the alleged noncompliance also will amount to a violation of the Copyright Act as well.
Yet in almost all cases, the software user on the wrong end of an audit will not receive a traditional demand letter from the vendor. Generally, there will be no description of the amount of or basis for contract damages, nor any mention of the Copyright Act and statutory remedies. No relevant cases are likely to be cited and, usually, no court action will be threatened. Demand letters, and the familiar “settlement paradigm” they represent, will be ignored entirely.
Instead, the vendor—acting pursuant to license terms like those we discussed in our first article—will simply invoice the user for the amount the vendor claims is due. That amount may well have been calculated using a formula (created by the vendor) which may or may not appear in the relevant license agreement(s). From the vendor’s perspective, this is all a simple sales transaction, so an invoice is appropriate—the software audit has identified products or services that were used, but that the user never paid for. There is no need to discuss any dispute or any settlement, much less the relevant law; it is instead simply time for the “buyer” to pay up.
The “Sales Transaction Paradigm”
It’s easy to see why this “sales transaction paradigm” is preferred by software vendors seeking compensation in the wake of audits. The vendor, like any seller, lays claim to the unilateral right to declare the price of the “sale.” Even more importantly, the price calculated and declared by the vendor need not be tethered to any real economic impact, i.e., to any wrongful gains by the user or to any lost profits of the vendor. Put more simply, the vendor can potentially recover a windfall.
If the vendor had sent a conventional demand letter, by contrast, the vendor would have been expected to justify the amount of the settlement demand through some reference to relevant law and the likely result in court. And broadly speaking, courts applying relevant damages law will focus on remedying only actual economic harm (if any) and will avoid granting windfalls to litigants.
As an example to show how the choice of paradigm matters, suppose that a year ago a user paid for a 10-seat subscription for software and related maintenance services. Unfortunately, the user inadvertently installed the software on a server where 30 people could access the product, in clear violation of the terms of the license—and an audit has now revealed this fact. Suppose further that the additional 20 persons with access to the software not only never used it, they actually had job functions completely unrelated to the use of the software, and thus never would have used it.
Under the sales transaction paradigm, the vendor will present the user with an invoice charging the user for the additional 20 seats, plus the additional maintenance fees associated with them, along with whatever other fees and charges the vendor’s policies dictate. Yet under the traditional settlement paradigm, it would be very difficult indeed for the vendor to write a convincing demand letter on these facts, because this would be what litigators call a “no damages” case. True, the user violated the terms of the license, so liability for breach of the agreement (and perhaps violation of the Copyright Act) probably exists. But the user certainly gained nothing from the server error, and the vendor arguably lost no potential profits. A court applying the relevant law will not be particularly interested in compensating the vendor in this scenario.
It is true that, if the vendor were forced to state its claim using the settlement paradigm, the vendor could argue that the invoiced amount was calculated according to the terms of the license agreement(s), and therefore constitutes “liquidated damages.” Generally, liquidated damages are pre-estimated damages, spelled out in a contract, that are awarded in case of breach. Contract law does indeed allow parties to agree on liquidated damages, and courts will award them—but there are limits. Courts generally refuse to award liquidated damages that amount to a “penalty,” and in practice, a windfall unrelated to actual harm may well be determined to be a penalty.
In sum, every software audit is different, but in our experience, resolving most of them will involve an interplay of the three factors we have identified in these articles.
The terms of the license agreement(s) must be understood and applied; the parties’ business relationship and circumstances (and the resulting economic leverage) will likely “drive the bus” with respect to any resolution; and the battle of paradigms will play a critical role in generating expectations, framing the issues and resolving any disputes.
Douglas M. Garrou, partner in the Energy Litigation group of Hunton Andrews Kurth, co-wrote this article.
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2023/07/adventures-in-software-audits-part-three-the-paradigm-battle/
Category & Tags: CISO Suite,CISO Talk,Cybersecurity,Security Awareness,Security Boulevard (Original),audit disputes,audit resolution,commercial dispute,Licensing agreements,sales transaction paradigm,Software audits – CISO Suite,CISO Talk,Cybersecurity,Security Awareness,Security Boulevard (Original),audit disputes,audit resolution,commercial dispute,Licensing agreements,sales transaction paradigm,Software audits
Views: 0