We’ve received a tip-off that the software publisher Attachmate is suing Mobistar, a Belgian telecommunications company.
It is alleged that Attachmate is claiming 4.5 million Euros (around $6.12M USD or £3.57M GBP) for alleged illegal use of a product called ‘ReflectionX’. The dispute is said to have originated from an onsite audit by Deloitte and has now been escalated to the Belgian courts.
As a result, Attachmate is said to be auditing all companies worldwide that are connected to Mobistar via the parent company, Orange/France Télécom.
ReflectionX is a terminal emulator, allowing users to connect to legacy mainframe operating systems such as IBM, UNIX, OpenVMS, and HP from a Windows machine.
Attachmate have a reputation in the licensing market as hostile and litigious. One ITAM Review reader, an experienced SAM practitioner, stated:
“They are the nastiest vendor out there. One of the top four auditing firms actually stopped doing business with Attachmate because their behaviour was damaging their customer relationships” (i.e. even the audit alligators don’t want to work with Attachmate).
“Attachmate is a dying brand with license revenue heavily dependent on audits. They are aggressive and quickly jump to legal action; no holds are barred with Attachmate”.
“For example, if an Attachmate customer has mislaid old license records they will make them pay for them again. Back payments start at the first release date of the application even though Attachmate have patchy records prior to 2003. Furthermore, interest is charged on back payments at a rate between 12% and 18% depending on local jurisdictions.”
A point reiterated by Daniel Renall, a Software Audit Specialist from New Zealand in an ITAM Review LinkedIn discussion thread:
“A major gotcha was the legacy installs of the reflection products. Watch out for non-compliance penalties and back maintenance charges.”
Attachmate may be a ‘nasty vendor’ and take an aggressive approach with their customers, but if this lawsuit is verified, Mobistar must also face the fact that nobody forced them to install the software. Any fines, and any time and resources wasted, are due to a lack of basic management controls for managing software as an asset.
In particular, be careful when building Attachmate products into a standard deployment build or providing access with Citrix Terminal Services or other streaming technologies – if one published desktop has access to Attachmate and no access controls are in place, then even if no one has accessed it, you face the risk of being charged for everyone in the organization. With interest rates applied over a decade, a $1M fine can quickly become a $5M fine.
Like most large software publishers Attachmate have a license compliance program and periodically review customers. One ITAM Review reader shared their Attachmate license review / audit letter which stated a focus on completeness and accuracy:
“Verifiable level of comfort that both accuracy and completeness were accomplished”
Attachmate auditors will be looking for an exhaustive inventory of your estate to prove installations of their software, as well as a level of verification to show that the inventory is accurate.
Rory’s process of the month on scope verification compares anti-virus records against inventory data to verify the inventory. I would also recommend using Active Directory and / or SCCM. If you compare and contrast three data sources you’ll benefit from a stronger inventory and stronger AD and SCCM records.
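One way to run the three-way comparison recommended above, as an added example that is not from the original article. The hostnames, the export contents and the source names (`ad`, `sccm`, `antivirus`) are constructed assumptions.

```python
# Constructed sample exports; a real estate would load these from AD, SCCM and AV reports.
SOURCES = {
    "ad": ["WS-001$", "WS-002$", "WS-003$", "SRV-CTX01$", "WS-OLD9$"],
    "sccm": ["ws-001.corp.example", "ws-002.corp.example", "srv-ctx01.corp.example", "LAB-07"],
    "antivirus": ["WS-001", "WS-003", "SRV-CTX01", "LAB-07", ""],
}

def normalize(name):
    """Fold case, drop AD's trailing '$' and any DNS suffix so names compare equal."""
    return name.strip().lower().rstrip("$").split(".")[0]

def reconcile(sources):
    """Map each normalized host to the set of sources that report it."""
    coverage = {}
    for source, hosts in sources.items():
        for raw in hosts:
            host = normalize(raw)
            if host:  # skip blank rows in an export
                coverage.setdefault(host, set()).add(source)
    return coverage

def gaps(coverage, all_sources):
    """Hosts missing from at least one source, with the sources that lack them."""
    wanted = set(all_sources)
    return {h: sorted(wanted - seen) for h, seen in coverage.items() if seen != wanted}

def completeness(coverage, source):
    """Fraction of all known hosts that the given source reports."""
    return sum(source in seen for seen in coverage.values()) / len(coverage)

def not_in(coverage, source):
    """Hosts the given source never saw: installs there cannot be proven either way."""
    return sorted(h for h, seen in coverage.items() if source not in seen)

if __name__ == "__main__":
    cov = reconcile(SOURCES)
    for host, missing in sorted(gaps(cov, SOURCES).items()):
        print(f"{host:10} missing from: {', '.join(missing)}")
    print(f"SCCM completeness: {completeness(cov, 'sccm'):.0%}")
    print("No software inventory for:", not_in(cov, "sccm"))
```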
It is also interesting to note how Attachmate approach the compliance assessment:
“Upon receipt of the [inventory] data, we’ll work to prepare a preliminary deployment table showing installations by product and version. We normally give your organization 1 week to review the report’s accuracy and ask follow-up questions. After that time, I will ask for the numbers to be approved by your organization at which point the compliance table summary will be labelled final and work will begin with the Attachmate business team on next steps.”
So once your inventory is complete and verified as accurate you’ll need to move quickly to assess your position. The data is then sent away to the business team to generate a bill / compliance position.
All of this points towards a basic need to have good inventory and license records to defend against such audits. As Tier 1 of the ISO/IEC 19770-1 standard suggests, we need “Trustworthy Data”.
Finally, if all else fails and things start to get nasty, invite the account reps from Attachmate’s sister brands (Novell, NetIQ and SUSE Linux) along to contract negotiations and suggest that if it gets bad for Attachmate it will get bad for everyone.
Attachmate and Mobistar declined to comment.
I was sent this link for a cheaper, easier to manage alternative. Let me know if you can recommend any others.