How not to engage in a Microsoft Audit

03 May 2018
8 minute read
Best practice


Microsoft are suing Community Health Systems (CHS), a Fortune 500 company based in Franklin, Tennessee, USA, for alleged copyright infringement and breach of contract.

What’s the issue?

The court docket from the Central Court of Tennessee Middle District Court says:

“on or about 2016, CHS began divesting entities that were previously CHS subsidiaries or affiliates…despite having no right to do so, CHS intentionally facilitated the continued use of Microsoft software by these divested entities”

Microsoft go on to say that, after 16 months and “repeated requests from the independent auditor and Microsoft”, CHS have produced only a small part of the required information and in fact have been “not responsive to, if not obstructionist of, Microsoft’s contractual right to an independent verification”.

What are the details?

Microsoft claim that CHS “and/or at least one of its affiliates” are using a range of Microsoft software “without sufficient payment”. The programs in question include, but are not limited to:

  • SQL Server 2000/2005/2008/2012/2014/2016 Enterprise Edition
  • Windows Server 2003/2008 Enterprise
  • Windows Server 2016 Datacenter
  • Office Professional 2003/2010/2013
  • Office Professional Plus 2010
  • Office 365 Pro Plus

It’s interesting to see Office 365 included here, as it is often assumed that an organisation can’t become non-compliant when using SaaS (Software as a Service) applications.

Part of this lawsuit is that CHS are accused of hosting software and making it available to unlicensed organisations. Microsoft state “CHS cannot host Microsoft software on its servers for use by entities not covered by the License Agreements” and the issue at hand is that, when divesting hospitals and other parts of their business, CHS haven’t been removing the software access afforded to their former affiliates. This puts them in the position of hosting software being accessed by organisations that are not licensed to use it.

Failure to respond is bad practice

The court document contains a long list of actions to which Microsoft have taken umbrage; most of them relate to stalling and delaying the process for no apparent reason.

For example, CHS demanded that the auditor (Deloitte) sign a separate NDA – even though the terms of the MBSA (Microsoft Business and Service Agreement) already stipulate that the 3rd party auditor is subject to such an agreement. This was agreed to, but CHS then caused the signing of the agreement to take 7 months.

There are numerous examples of the customer agreeing to provide data by a certain date, failing to do so and then ignoring multiple phone calls and emails. When they did submit data, it was incomplete. However, even this incomplete data indicated that the CHS organisation was 500% larger than had been stated to Microsoft.

Microsoft have taken the actions of CHS to indicate that they were aware they were infringing copyright and also were acting in bad faith to conceal the infringements, all with no intention of fulfilling their contractual obligations. Microsoft also state that “CHS’s activities and the resulting damage to Microsoft is continuing” meaning that the customer hasn’t been seen to make any changes to the infringing scenario during the 12+ months of the audit engagement.

Microsoft’s legal next steps

Intentionally delaying the audit, demanding additional NDAs, only disclosing partial data, misrepresenting the size of the organisation and more – all reasons Microsoft are suing CHS for copyright infringement and breach of contract. Microsoft are asking for:

  1. An order forcing CHS, and related parties, to cease infringing Microsoft’s copyright, and prohibiting CHS from using Microsoft software until they pay compensation.
  2. Damages, in an amount to be decided at trial as per 17 U.S.C. § 504(b) or, if decided before trial, statutory damages pursuant to 17 U.S.C. § 504(c) – which allows for up to $30,000 per work.

Microsoft have also asked that the infringement be found to be wilful, which increases the statutory damages up to a maximum of $150,000 per work. There are 23 Microsoft programs listed in the court document – meaning CHS’s liability could reach $3,450,000.

  3. An order that CHS comply with their obligations under the MBSA to provide the requested data and to allow an independent auditor to complete an on-site inspection to verify the data.
  4. All allowable costs and reasonable attorney fees as per 17 U.S.C. § 505 – I’d imagine that Microsoft’s attorney costs won’t be an insignificant amount!

Point 1 is particularly interesting – “prohibiting CHS from using Microsoft software until they pay compensation”. If granted, an order like this would effectively shut the organisation down until payment is made – most likely an attempt to guard against delays in settling.

Points to note

Microsoft refer to the fact that if an organisation is under-licensed by more than 5%, they must:

  1. Reimburse Microsoft for the cost of the “independent verification process”
  2. Purchase all required licenses at 125% of the list price

This is stated in the MBSA – the Microsoft Business & Service Agreement – but isn’t as widely known as it should be amongst partners and customers.

What is the MBSA?

The MBSA isn’t a publicly available document, but it governs all volume licensing contracts and covers topics such as termination and the rights & processes around verifying compliance among others. Find the copy associated with your organisation’s agreement and have a read through – familiarity with the MBSA, alongside the program specific contracts, is an important part of managing a Microsoft estate. Also, whenever an agreement is signed (including a renewal), check whether the MBSA version has changed.

How fast?!

Also interesting is Microsoft’s claim that, on average, it takes 4-6 weeks for a customer to collect all the required data.

This is quite a short turnaround. Does it indicate that organisations have a high level of SAM maturity and are able to quickly and dynamically access current, correct information, or does it indicate that many organisations are simply running a scan and handing the data over without any additional checks and verification?

Conclusion

This case gives an interesting insight into what a vendor will consider poor conduct… “including missing numerous mutually agreed upon deadlines and providing incomplete data, demonstrates its unwillingness to comply with its contractual obligation.” …and shows there is certainly an art to engaging in audit defence tactics. It is often said that communication is key, and this is a clear example of how poor communication made a situation much worse.

It seems CHS was completely unprepared for an audit – with none of the requisite people and processes in place to gather the needed data and probably no SAM tool either. Perhaps they were panicking and trying to buy themselves more time, but ignoring and obstructing Microsoft and Deloitte wasn’t going to do them any favours – antagonising a vendor is rarely a good idea during an audit!

On the other hand, maybe they thought if they dragged it out and made it difficult, Microsoft would give up and move on to other, easy to deal with organisations.

While $3,450,000 for statutory damages is not an insignificant sum of money, it’s relatively small change to an organisation with revenue of over $18 billion and operating income of $860 million. I imagine the amount spent on licenses to rectify the shortfall will be higher; there are 6 different variants of SQL Server Enterprise listed and, for an organisation with over 100,000 users and 158 sites across 22 states, there’s a fair chance the number of unlicensed installs is high. SQL Server 2017 can be up to $19,000 per 2-core license pack and, at that price, just 90 CPUs would be equivalent to the maximum statutory damages available. It certainly looks like rectifying the shortfall + the statutory damages is going to be expensive.

This case really shows the potential for mergers, acquisitions and divestitures to cause significant problems for organisations if not handled correctly, and that audit defence tactics must be used correctly and carefully to be successful.

It will be interesting to see how this progresses and, if it goes to court, what it may mean for future cases. The initial case management conference has been set for June 15, 2018.
