Intellectual Property and Sarbanes-Oxley?

What does the Sarbanes-Oxley Act of 2002 (or “SOX”) have to do with intellectual property you ask? While these two topics have historically made for strange bedfellows, the importance of managing intellectual property assets and issues surrounding those assets under Sarbanes-Oxley is increasingly becoming a potential trap for the unwary.

Passed into law in 2001 largely in response to the then-recent corporate corruption and fraud scandals involving the likes of Enron, WorldCom, HealthSouth, Tyco, Adelphia and others, Sarbanes-Oxley represents one of the most sweeping changes in U.S. securities laws in the past 70 years. In the wake of these scandals, SOX attempted to bolster investor confidence by increasing transparency and accountability in financial accounting involving public companies here in the U.S. SOX has proven, however, to be much more than a law addressing financial accounting. SOX is written broadly to trigger obligations with respect to any and all assets that have a material impact on the financial condition of a public company — including IP assets. As intellectual property assets have come to comprise an increasingly material part of the value of almost all companies (not just “technology” companies, but all companies that rely on technology to conduct their day-to-day operations), intellectual property has come to play an ever more material role in the financial condition of those companies. As a result, intellectual property assets, the management of those assets and the issues relating to those assets have come (and will continue) to pose an increasingly important issue with respect to SOX compliance (notably, even as to companies for which it has not posed an issue in the past). While the issue of SOX and IP will be front and center for public companies, even private companies that plan in the future to become publicly traded, or that are planning an exit by merger or acquisition with a public company, should be wary of the potential risks posed by IP under SOX.

Earlier this week I covered this topic and discussed the growing importance of the management of intellectual property assets under Sarbanes-Oxley in a presentation at the 2008 Intellectual Property Institute in Denver. I had the pleasure of sharing the stage for the presentation with Dean Salter, one of my partners at Holme Roberts & Owen and truly the “dean” of the Denver securities law community. As usual when presenting with someone of Dean’s stature, I probably ended up taking away from the presentation just about as much as I contributed. The materials from the presentation are available online if you would like to read more about this topic. We will also be giving the presentation as a webinar later this year. Stay tuned for details.

BusyBox Settlement #2

The Software Freedom Law Center (SFLC) has announced that it has reached an agreement to settle and dismiss the lawsuit filed by Erik Andersen and Rob Landley, two of the principal developers of the popular BusyBox set of open source utilities, against Xterasys Corporation (a manufacturer of wireless routers and other networking products) alleging a violation of version 2 of the GNU General Public License (GPL). This leaves two pending suits by Andersen and Landley, against High-Gain Antennas, LLC (a manufacturer of antennas and other products for use in wireless networking applications) and telecommunications giant Verizon Communications.

As was the case with the settlement with Monsoon Multimedia, Inc., the terms of the Xterasys settlement were not released. However, based on the SFLC press release regarding the settlement, the terms appear to be nearly identical to those in the Monsoon case. While this is yet another case in which we will not see the establishment of binding legal precedent regarding the enforceability and legal interpretation of the GPL here in the U.S. (as has already taken place in Germany), it does appear that we are starting to see the establishment by the SFLC of a de facto precedent for settling cases alleging violations of the GPL. In each of its settlements to date, the SFLC has consistently imposed the following requirements on the defendant:

— The appointment of an “Open Source Compliance Officer” to monitor and ensure GPL compliance;

— Publishing of the source code for the version of BusyBox previously distributed in violation of the GPL;

— Undertaking “substantial” efforts to notify previous recipients of BusyBox of their rights to the software under the GPL; and

— The payment of an “undisclosed amount” of financial consideration to the plaintiffs.

Of course, these settlement terms do not carry with them the same legal precedent as would a decision of a court of law. As a practical matter, however, by imposing a consistent set of settlement terms over time, the SFLC has begun to create a sort of standard for resolving future lawsuits alleging violations of the GPL. Defendants in future GPL violation lawsuits (and we are likely to see future suits) will not be legally bound to accept these terms and certainly will be free to attempt to forge their own paths to settlement. However, over time, the terms imposed by the SFLC are likely to represent an increasingly strong lure to those defendants to relatively quickly and cleanly resolve the GPL violation lawsuits against them through an accepted path of least resistance. Not legal precedent, but a strong practical guide for certain.

Stay tuned. The BusyBox cases are driving changes in the open source license enforcement landscape and open source compliance will need to evolve right along with those changes.

OSS Discovery Goes Open Source

Stormy Peters over on the OpenLogic Blog has just officially announced the release of OpenLogic’s OSS Discovery tool as open source software under v3 of the GNU Affero General Public License (AGPL). I know that the folks at OpenLogic have been hard at work on this project for some time and are quite excited about the release. OSS Discovery is a very useful piece of software (now fully open source) that can be used to find installed instances of open source software — either on a single computer or across an entire enterprise network. Having this functionality now available to everyone under an open source license makes OSS Discovery that much more useful (and powerful).

Given the current open source software license enforcement environment, the timing of this move could not have been better. While OSS Discovery may or may not have helped the defendants in the current BusyBox lawsuits — as the allegations in those cases relate to the distribution of BusyBox on consumer electronic devices, not use on an enterprise network — OSS Discovery can help enterprises determine if they are currently using BusyBox or any other open source software on their networks and enable them to take steps to ensure that they are in compliance with the open source software licenses applicable to that software. Knowledge of open source software usage is a crucial first step in any open source software license compliance process and the availability of a tool like OSS Discovery under the AGPL will be a great help to many enterprises in acquiring this knowledge. I encourage you to check it out.

BusyBox Back For More

The Software Freedom Law Center (SFLC) has announced that it has filed two additional lawsuits on behalf of its clients Erik Andersen and Rob Landley (the two principal developers of the BusyBox open source utility) alleging copyright infringement based on a violation of version 2 of the GNU General Public License (GPL). The defendants in these new lawsuits are Xterasys Corporation (a manufacturer of wireless routers and other networking products) and High-Gain Antennas, LLC (a manufacturer of antennas and other products for use in wireless networking applications). The lawsuits are the second and third GPL enforcement lawsuits respectively ever filed here in the U.S. The first such lawsuit, filed against Monsoon Multimedia in September of this year, was quickly settled out of court on October 30. Both of the current lawsuits were filed November 19 in the United States District Court for the Southern District of New York.

The complaints in the current lawsuits are available online — “Erik Andersen and Rob Landley v. High Gain Antennas, LLC,” (case number 07-CV-10456) and “Erik Andersen and Rob Landley v. Xterasys Corporation” (case number 07-CV-10455). In substance, the current complaints read very similarly to the complaint filed in the Monsoon Multimedia suit. Each of the current complaints alleges that the defendant continued to distribute BusyBox in violation of the GPL (and applicable copyright law) without also distributing the source code for BusyBox, despite having been contacted by SFLC. Each complaint likewise seeks an injunction against the defendant and requests that damages and litigation costs be awarded to the plaintiffs.

These cases are significant in that if either is ever heard before a judge, it will be the first time that a lawsuit alleging a violation of the GPL has gone to trial in the U.S. While these cases may take the route of the Monsoon Multimedia suit — which settled out of court with Monsoon agreeing to remedy its violation of the GPL, ensure future compliance, and financially compensate the plaintiffs — these cases remain highly significant for a number of reasons, not the least of which include:

— It is widely suspected that the list of BusyBox users in violation of the GPL is quite long and that the BusyBox developers have already quietly settled out of court with a number of the companies on this list. With these two new lawsuits, it is clear that the earlier suit against Monsoon Multimedia is not a mere anomaly and that the BusyBox development community is not content to sit quietly as these alleged violations continue. Users of BusyBox are now on notice that they should take care to ensure that they are in compliance with the terms of the GPL as it applies to BusyBox.

— Ensuring compliance with the GPL (and other open source licenses) starts with knowing when and where software subject to the GPL and other open source licenses is in use in your organization. Implementing and maintaining an open source software license compliance program is key to gaining this knowledge. Cases such as these brought by the BusyBox developers underscore the growing importance of implementing and maintaining such a compliance program (and the growing risks posed by not doing so).

— The timeline in each of the BusyBox cases has evolved from initial contact by the plaintiffs regarding the alleged violation through to the filing of a lawsuit at a very rapid pace. Unlike many of the “private” open source compliance actions brought in the past by the Free Software Foundation (FSF), it would appear that the SFLC is willing to act quite aggressively in pushing its grievances. Organizations need to respond quickly and decisively to any complaints about violations of open source software licenses, by the SFLC or any other organization.

Now more than ever, if your organization is not taking steps to identify and correct violations of open source software licenses on its own terms, others like the SFLC appear increasingly willing to do so for you on theirs. Remaining ignorant of existing open source software usage and potential open source software license violations, it would seem, is no longer bliss.

And Just Like That, The Games End — First Ever GPL Lawsuit Dismissed

Just as quickly as it began, the Software Freedom Law Center (SFLC) has announced today that an agreement has been reached to dismiss the lawsuit filed by Erik Andersen and Rob Landley, two of the principal developers of the popular BusyBox set of open source utilities, against Monsoon Multimedia, Inc. alleging a violation of version 2 of the GNU General Public License (GPL). In the agreement to dismiss the lawsuit, the SFLC is reporting that Monsoon Multimedia has agreed to appoint an “Open Source Compliance Officer” within its organization “to monitor and ensure GPL compliance, to publish the source code for the version of BusyBox it previously distributed on its web site, and to undertake substantial efforts to notify previous recipients of BusyBox from Monsoon Multimedia of their rights to the software under the GPL.” The SFLC reports that the settlement also includes an “undisclosed amount” of financial consideration paid by Monsoon Multimedia to the plaintiffs.

The settlement is certainly a benefit for the parties involved in that it helps them move forward from what could have been a costly and prolonged litigation. However, while the BusyBox lawsuit will remain significant as the first lawsuit ever filed in the U.S. based directly on a violation of the GPL, the settlement itself appears to have done little to advance the law surrounding the enforceability and interpretation of the GPL and open source licenses in general. Indeed, based on the research I did for my presentation on “Open Source License Enforcement Actions” at the Open Source Business Conference (OSBC) earlier this year, the terms of the settlement appear to be very standard and to closely track those sought by the Free Software Foundation (FSF) and other enforcers of the GPL in past out-of-court settlements. As a result, those of us in the open source legal community who had hoped that the BusyBox lawsuit might begin the process of establishing the type of binding legal precedent regarding the enforceability and legal interpretation of the GPL here in the U.S. that has begun to occur in Germany and other countries are once again left empty-handed. Stay tuned, however, as this is likely not the last lawsuit we will see here in the U.S. to enforce the terms of the GPL.

Open Source Policies

For those of you who have not yet seen it, Stormy Peters has a very informative post (as always) on the OpenLogic blog on some of the resources available to help companies in the preparation of open source policies. I particularly like Stormy’s comment about sharing “real, live” open source policies between companies. I often get the same question from clients and potential clients looking for a starting point for their own policies. In addition to not having many clients who are comfortable sharing their open source policies with others (even in a generic form), I have not found it to be very productive — and in some cases have even found it to be counterproductive.

An open source policy, like any company policy, should be tailored to the company. Certainly this means that the policy should be designed to work within and leverage the existing organization and structure of the company. It also means taking into account the business, competitive and regulatory environments in which the company operates. Perhaps more importantly, any open source policy should also be drafted to fit the unique culture of the company. If the company is one heavily oriented around policies and procedures, then the open source policy can follow suit and include greater levels of detail. However, if the corporate culture is not one to adopt and follow rigorous policies in other areas, the open source policy should not try to break this mold. The idea is to prepare a policy that fits the corporate culture in which it will be implemented — and this idea is often the key to the successful adoption of the policy.

Perhaps surprisingly, preparing a policy that fits the culture of your company is not inconsistent with the goal of having a complete and thorough policy. The resources Stormy points to in her post are very helpful in that they really work to help enable the creation of a thorough policy that is also a fit for your company. As an aside, not many know that Stormy and I met when she audited the Copyright Law course I taught at the University of Colorado School of Law. While I cannot take credit for all of her copyright knowledge (let’s just say I ended up learning a thing or two from her that semester as well), I can certainly vouch for it. I encourage you to take advantage of the resources she highlights in her post.