Google’s top searches of 2018 included the World Cup, unicorn cakes and 1980s fashion. While that’s all very exciting, the world of software license compliance had its moments too this year. Here’s a look at our top picks for software license compliance-related stories in 2018.
Our favorite GDPR joke of the year (Editor: Really? GDPR jokes are a thing?) highlights the challenges of ensuring compliance with the regulation, which went into effect on May 25, 2018.
Can you recommend a GDPR expert?
Great, can you give me their email address so I can contact them?
— John 🌈 (@wardrox) April 23, 2018
Despite the blizzard of emails you likely received in the days leading up to that date, each seeking your OK to keep emailing you, studies show most organizations are still struggling to achieve full compliance. More than half of the respondents subject to GDPR (both US-based and European companies) in the IAPP-EY Annual Governance Report 2018, published by EY and the International Association of Privacy Professionals (IAPP), said that they are far from compliant or will never comply. Those numbers jibe with a report from IT Governance, which found that only 29 percent of EU-based organizations have fully implemented GDPR, according to coverage in TechRepublic. In the EY and IAPP survey, respondents named the right to be forgotten, fulfilling data subject access requests, and getting explicit consent from users as some of the hardest aspects of compliance, with US companies reporting higher difficulty scores, according to coverage in Corporate Counsel.
As evidence that data breaches will keep finding (and making) cracks in the armor, 2018 saw a lot of major data breaches and questions over data privacy. The spring 2018 breach of 150 million accounts of Under Armour’s “MyFitnessPal” app ranked fourth on Business Insider’s list of the “21 Biggest Data Breaches of 2018.” But how Under Armour dealt with that breach set it apart from many on that list: it used in-application messaging as a risk management strategy. Instead of simply notifying users by email, it pushed in-app messages about the breach and told users the application had been compromised through that very application itself. What’s more, its communication not only identified the problem, it presented users with actions to take. It required that users change the password for the application, and recommended that users change their passwords for other “accounts or services that may be the same or similar to that used for the MyFitnessPal app.” (Related Reading: Under Armour Offers Lessons on Leveraging In-App Messaging for Risk Management)
“Any Way You Want It” was a Journey tune SAP decided did not apply to its software licensing terms in its 2017 win against Diageo, in what has become known as the indirect access ruling. According to the ruling, third-party applications (in this case, Salesforce.com) that were integrated with an SAP backend, but used by more people than the company held named-user SAP licenses for, needed licenses too. “Only named users are authorised to use or access the mySAP ERP software directly or indirectly. Named user pricing is the only basis on which the mySAP ERP software was and is licensed to Diageo,” the ruling of the High Court in London states. That same year, SAP settled a similar lawsuit against InBev.
But in the spring of 2018, “driven by unprecedented collaboration with user groups, customers, partners and industry analysts,” SAP announced new sales, audit and pricing models to cover indirect access. In addition to its traditional named user licenses, SAP now offers an option to license software based on transactions/documents processed by “indirect” systems (in which it includes third-party applications like Salesforce.com, along with IoT devices, bots, and more).
Perhaps most interesting in all of this is that SAP said it will put organizational changes in place that separate sales and auditing. What’s more, it plans to roll out features that will enable customers to measure their own usage and license consumption in a self-service manner, according to its blog.
In 2018, growth topped the list of priorities for CIOs, according to Gartner. But growth in malware certainly wasn’t what they had in mind. The BSA’s Global Software Survey showed that piracy rates dropped a bit, from 39 percent in 2015 to 37 percent in 2017, and the commercial value of pirated software dropped by 8 percent globally. While those numbers decreased, the trade group also pointed to the increased threat presented by any unlicensed software as a foothold for malware: “organizations now face a one-in-three chance of encountering malware when they obtain or install an unlicensed software package.”
The BSA noted that “improving software compliance is now an economic enabler and security imperative.” For CIOs, protecting their businesses from malware is the main reason they want software to be licensed, and why customers may increasingly take a friendlier look at software licensing audits and requests to remedy contracts that aren’t in line with entitlements.
Telling customers they “sit on a throne of lies,” in the style of Buddy the Elf from the movie “Elf” was increasingly not in vogue in 2018.
While the software vendors conducting the most licensing audits haven’t changed much, according to the most recent survey by the International Business Software Managers Association (IBSMA), with Microsoft, Adobe and IBM still topping that list, they have softened their approach. In fact, two things were of note in this year’s survey: who’s conducting the audits, and how they’re approaching them. Salesforce.com, Google and LinkedIn were all reported as vendors that had conducted “something like an audit” in the past year, Steven Russman, executive director at IBSMA, wrote on his blog.
“We expect software publishers, Oracle for example, to audit in the cloud more often in the coming years,” he wrote. “This is part of the disruption that we see coming in software asset management and compliance.”
“Something like an audit,” is a key phrase to focus on, as more and more, auditing itself is not being conducted in its traditional way. Tier 1 vendors are “softening…their approach to compliance and audits,” Russman wrote. “There’s a shift toward working with customers with existing compliance programs to help them fine tune their software asset management processes—certainly not in all cases but we’re seeing it more frequently.”
Adobe – which has said it ended traditional audits – is one example, as its strategy is underpinned by the belief that pirates are often victims who thought they legitimately paid for the software. “The majority of people are shocked that what they have is not genuine,” Adobe’s Richard Atkinson said on a Revulytics webinar, “How Adobe Protects Customers from Software Piracy.” To push these customers back into the pipeline, Adobe uses a powerful combination of compliance and usage intelligence, plus in-application messaging to drive online conversions.
Did we miss your top license compliance story of 2018? Let us know and add a link to the story in the comments below.
Vice President, Products & Strategy at Revulytics
Victor DeMarines brings extensive security product management and marketing experience to Revulytics, where he is responsible for product strategy and direction. He is a frequent speaker and author on topics including piracy, reverse engineering and the protection of intellectual property.