Intellectual Property and Sarbanes-Oxley?

What does the Sarbanes-Oxley Act of 2002 (or “SOX”) have to do with intellectual property you ask? While these two topics have historically made for strange bedfellows, the importance of managing intellectual property assets and issues surrounding those assets under Sarbanes-Oxley is increasingly becoming a potential trap for the unwary.

Passed into law in 2001 in large response to the then-recent corporate corruption and fraud scandals involving the likes of Enron, WorldCom, HealthSouth, Tyco, Adelphia and others, Sarbanes-Oxley represents one of the most sweeping changes in U.S. securities laws in the past 70 years. In the wake of these scandals, SOX attempted to bolster investor confidence by increasing transparency and accountability in financial accounting involving public companies here in the U.S. SOX has proven, however, to be much more than a law addressing financial accounting. SOX is written broadly to trigger obligations with respect to any and all assets that have a material impact on the financial condition of a public company — including IP assets.  As intellectual property assets have come to comprise an increasingly more material part of the value of most all companies (not just “technology” companies, but all companies that rely on technology to conduct their day-to-day operations), intellectual property has come to play an ever more material role in the financial condition of those companies. As a result, intellectual property assets and the management of those assets and issues relating to those assets has (and will continue) to pose an increasingly more important issue with respect to SOX compliance (notably, even as to companies for which it has not posed an issue in the past). While the issue of SOX and IP will be front and center for public companies, even private companies that plan in the future to become publicly traded or that are planning an exit by merger or acquisition with a public company, should be wary of the potential risks posed by IP under SOX.

Earlier this week I covered this topic and discussed the growing importance of the management of intellectual property assets under Sarbanes-Oxley in a presentation at the 2008 Intellectual Property Institute in Denver. I had the pleasure of sharing the stage for the presentation with Dean Salter, one of my partners at Holme Roberts & Owen and truly the “dean” of the Denver securities law community. As usual when presenting with someone of Dean’s stature, I probably ended up taking away from the presentation just about as much as I contributed. The materials from the presentation are available online if you would like to read more about this topic. We will also be giving the presentation as a webinar later this year. Stay tuned for details.


McAfee Issues Risk Factor Over Open Source Licenses

Computer security firm McAfee has included a risk factor in its most recent annual report filed last month with the Securities and Exchange Commission (SEC) warning investors of potential risks posed to the company by “ambiguous” license terms governing open source software used in McAfee products. The report notes that “despite having conducted the appropriate due diligence,” these ambiguities “may result in unanticipated [licensing] obligations regarding our products. ” As the report puts it, “to the extent that we use ‘open source’ software, we face risks.” These are interesting comments indeed from a company more accustomed to issuing warnings about the dangers posed by software viruses and bugs to other companies.

McAfee appears to be particularly concerned with the terms of version 2 of the GNU General Public License (GPL), by most measures the most prevalent open source license in the world today. McAfee acknowledges use of open source software under the GPL in its annual report and notes that it perceives that there are risks posed by the fact that “the scope and requirements of the [. . . ] GPL have not been interpreted in a court of law.” They also, however, appear to acknowledge a broader scope of open source usage, indicating that “other forms” of open source software licensing present license compliance risks to McAfee which “could result in litigation or loss of the right to use this software.”

While not noted specifically in the annual report, the reference to “litigation” appears to have been prompted by the recent spate of lawsuits filed by the Software Freedom Law Center (SFLC) on behalf of its clients Erik Andersen and Rob Landley (the two principal developers of the BusyBox open source utility) alleging violations of the GPL. These suits, brought against Monsoon Multimedia, Xterasys Corporation, High-Gain Antennas, and Verizon Communications, represent the first lawsuits brought in the US to enforce the GPL (click here and here for more information about these cases). As a user of software licensed under the GPL, it appears from its annual report that McAfee considers the potential for additional suits by the BusyBox developers (or suits by the owners of other open source software used by McAfee in its products) to pose a potentially material risk to the company. Note that McAfee has also at times been an outspoken critic of open source software and the role they claim it plays in assisting hackers in the development of bots and other malware. Whether McAfee has come to perceive itself as a larger target for such suits as a result of these statements is not mentioned in their annual report.

Of course, McAfee is not the first company to include a cautionary statement regarding open source software or open source licensing in their SEC filings. For example, as InformationWeek notes in an article about McAfee, DVR-maker Tivo warned investors in its 2007 annual report that it may have to discontinue using open source software in its products due to concerns about the GPL. Likewise, many proprietary software companies have made references in their SEC filings to the risks posed by competition created by open source software. In particular, Microsoft created a stir when it noted in a prospectus filed in 2003 that, “the popularization of the open source model continues to pose a significant challenge to our business model.” McAfee itself has also included competition-related open source risk factors in previous filings, and includes one again in another section of its current annual report, warning of increasing “competition from numerous smaller companies, shareware and freeware authors and open source projects” that are developing competing products to those of McAfee.

While not unprecedented, the current filing by McAfee underscores the fact that the BusyBox cases (and the potential for other lawsuits like them) represent a series of changes ongoing in the open source software license enforcement landscape. The fact that McAfee has seen fit to include a risk factor in its annual report regarding the potential risks posed by cases such as these is a good example of how open source compliance practices are beginning to evolve to address these changes. As I have mentioned in the past, now more than ever, companies that do not take note and move to evolve their open source compliance practices to address these changes on their own terms will increasingly find themselves being required to do so on terms imposed by others. McAfee, it would appear, is not content to wait for this to happen.