As directors and executives at U.S. public companies, we’ve all got plenty of items to worry about—risk assessment, internal controls, stock option expensing, and the litany of other governance and compliance issues.

Unfortunately, I’ve just discovered another.

Fortune Magazine recently ran a cover story that discussed SCO Group’s lawsuit against IBM, claiming ownership of portions of the Linux operating system that IBM resells.

Most directors and executives probably assume that the suit is IBM’s problem, right? Nope. Turns out, it’s everyone’s problem.

And it’s a board issue that you shouldn't neglect.

A Quick Briefing

Open Source Software is growing by leaps and bounds, and is finding itself embedded almost everywhere.

And for good reason. Software developers are under tremendous pressure to be productive. And Open Source Software, which is made generally available via the Internet in source code form, is a practical way to reuse high-quality source code rather than start each project from scratch. And because there is no charge for downloading the code, developers can easily avoid the internal controls that would normally be triggered by procurement processes.

But it turns out that "without charge" does not mean "free from restriction."

Each "project," as open source modules are called, comes with a license that governs its use. The licenses are basically designed to ensure that development efforts that incorporate Open Source Software are—upon distribution—contributed back to the community in source code form and made available without charge.

However, due to the reality of rapid software development projects, many developers ignore the license terms for the Open Source Software that they use.

And since their managers probably do not know that the Open Source Software has been integrated into the code base, they too remain blissfully unaware of the exposure.

Ask your CEO in your next board meeting about the level of compliance with Open Source Software licenses, and he or she will give you a blank stare.

So, is this an issue? In short: Yes. And it's an issue even if your company doesn't have a staff of developers cranking out code.

Putting IP At Risk

Open Source Software discovered in a due diligence review can put the value of an organization's intellectual property at risk.

Information about Open Source compliance issues, if made public by an unhappy employee or discovered by an Open Source advocate, could have a material impact on the value of a public company's stock.

Forrester Research has even suggested that it “borders on criminal neglect” not to deploy resources to manage this risk.

And, by the way, you’re not safe just because your company doesn’t develop software.

How do you know that the software applications you buy do not incorporate Open Source Software? SCO recently extended its lawsuit to companies that are using Linux, because users are just as liable as the distributors for copyright infringement.

Four First Steps

The battle lines are being drawn. So what can you do about it? Here are four quick steps:

Increase Awareness

Seek advice from knowledgeable legal counsel to understand the issue and to establish a plan of action for your company that includes both internal development and procurement processes.

Testa, Hurwitz & Thibeault, for example, a law firm based in Boston, Mass., happens to have a group of technically and legally savvy attorneys that specializes in this area.

Other law firms and consulting companies are also developing expertise in this area.

Establish Processes

Software developers and their managers need training on proper use and documentation of Open Source Software. And “code reviews” should be used to verify compliance.

If, like most companies, you're not ahead of the issue, you can still conduct "after-the-fact" searches for copyright and license notices in software code. Several companies, including Black Duck Software in Waltham, Mass., offer services that provide identification and documentation capabilities that automate portions of the compliance process in real time.
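To make the "after-the-fact search" concrete, here is a small scanner added as an illustration; it is not code from this column nor from any of the vendors mentioned. It walks a source tree, looks at the header of each source file for copyright lines and for the wording of common license notices, tallies which licenses are present, and lists files that carry a copyright notice but no license the scanner recognises, which are the ones a review committee has to chase down by hand. The license patterns, file extensions and the sample source tree it builds in a temporary directory are all constructed for the example; a real audit relies on a much larger signature set and a manual follow-up.

```python
"""Toy after-the-fact license-notice scanner (added illustration, not a product)."""
import json
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic patterns for the wording of common notices. Constructed for
# illustration; commercial scanners use far larger signature sets.
# Note the GPL pattern deliberately does not match "GNU Lesser General Public
# License" or "LGPL", so LGPL code is not miscounted as GPL.
LICENSE_PATTERNS = {
    "GPL": re.compile(r"GNU General Public License|\bGPL\b", re.I),
    "LGPL": re.compile(r"GNU Lesser General Public License|\bLGPL\b", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
    "MIT": re.compile(r"\bMIT License\b|Permission is hereby granted, free of charge", re.I),
    "BSD": re.compile(r"Redistribution and use in source and binary forms", re.I),
}
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*[0-9]{4}[^\n]*", re.I)
SOURCE_EXTS = {".c", ".h", ".cpp", ".py", ".java", ".js", ".go", ".rs"}
HEADER_CHARS = 4096  # notices almost always sit at the top of a file


def scan_file(path: Path) -> dict:
    """Return the licenses and copyright lines found in one file's header."""
    text = path.read_text(encoding="utf-8", errors="replace")[:HEADER_CHARS]
    licenses = sorted(name for name, rx in LICENSE_PATTERNS.items() if rx.search(text))
    copyrights = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)]
    return {"path": str(path), "licenses": licenses, "copyrights": copyrights}


def scan_tree(root: Path) -> list:
    """Scan every source file below root; one finding per file."""
    return [scan_file(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in SOURCE_EXTS]


def summarize(findings: list) -> dict:
    """Count licenses seen and list files with a copyright notice but no
    recognised license; those need a human reviewer to establish the terms."""
    license_counts = Counter()
    unresolved = []
    for f in findings:
        license_counts.update(f["licenses"])
        if f["copyrights"] and not f["licenses"]:
            unresolved.append(f["path"])
    return {"files_scanned": len(findings),
            "licenses": dict(license_counts),
            "unresolved": unresolved}


# Constructed sample tree: a mix of notices a developer might have pulled in.
SAMPLE_FILES = {
    "src/util.c": ("/* Copyright (c) 2003 Example Project Authors\n"
                   " * Released under the GNU General Public License v2. */\n"
                   "int add(int a, int b) { return a + b; }\n"),
    "src/lgpl_helper.h": ("/* Copyright (c) 2001 Another Project\n"
                          " * Licensed under the GNU Lesser General Public License. */\n"),
    "src/parse.py": ("# Copyright 2002 Someone Else\n"
                     "# MIT License: Permission is hereby granted, free of charge, ...\n"
                     "def parse(s):\n    return s.split()\n"),
    "src/internal.c": ("/* Copyright 2004 Acme Corp. All rights reserved. */\n"
                       "int main(void) { return 0; }\n"),
    "vendor/http.js": ("// Licensed under the Apache License, Version 2.0 (the \"License\");\n"
                       "function get() {}\n"),
    "README.txt": "Build notes. Not scanned: not a source extension.\n",
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files below root."""
    for rel, body in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body, encoding="utf-8")


def run_demo() -> dict:
    """Build the sample tree in a temp directory, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On the sample tree the scanner reports one GPL, one LGPL, one MIT and one Apache-2.0 file, and flags `src/internal.c` as unresolved because it carries a copyright line with no license notice. The unresolved list is the useful output for an OSRC: a notice-less file is either the company's own work, which should be recorded as such, or third-party code whose terms nobody has established.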

Your software compliance and risk management processes should be documented as part of your SOX 404 compliance.

Run Reviews

Make sure your company creates and maintains an Open Source Review Committee, known as an “OSRC,” to establish policies and processes to police the use of Open Source Software.

Policies should cover not only internal applications and system development projects, but also software acquired from third parties.

Reduce The Risk

Several insurance companies have digital rights and errors and omissions products to insure against certain IP and Open Source Software exposure.

A thorough review should be conducted of your existing insurance policies to verify coverage.

The use of Open Source Software is not something to be avoided—after all, it’s quickly becoming an invaluable part of corporate infrastructures. It's not a surprise, therefore, that the Open Source movement has been embraced by most IT vendors, including IBM, Hewlett Packard, NEC, Intel, Computer Associates, Fujitsu and Hitachi.

The challenge, however, is to manage its use so that you can enjoy its many benefits while minimizing risks.

And making sure your management team is getting ahead of the issues will be critical to the success of those efforts.

This column should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.