We saw a few weeks ago that Quest Software have taken Nike to court over their refusal to settle up for license non-compliance discovered during an audit (article here).
Nike have submitted a counterclaim and it is full of very interesting details, many of which can apply to the wider ITAM community. In particular, it helps highlight the difference that an audit defence strategy, and managing the audit process, can make to the amount of money on the table for a non-compliance settlement.
Nike reveal that the bill presented to them by Quest was $15,646,191.55 – that’s 68,210 pairs of Jordan XXX2 “All Star MVP” trainers.
Nike have countered and said that in fact they owe Quest just $348,664.74 – a 98% reduction.
Quest stated their final total included:
Nike rejected the claim because:
Nike offered to pay the lower amount in September 2017, but Quest rejected the offer.
The shoe giant goes on to say that they “continued in good faith to attempt to resolve this dispute over the subsequent months and responded promptly to Quest’s additional requests for information” but Quest refused to withdraw their initial claim.
The size of the bill centres, in part, on the definition of unauthorised users in Nike’s SLSA (Software License and Service Agreement) with Quest. A large part of the cost is for licenses to cover users who “could” access Quest software, regardless of whether they did or not; a concept familiar to anyone who has looked to license Microsoft desktop applications in a Citrix environment.
Nike state they have:
“…not agreed, under the SLSA or otherwise, to pay for licenses for Quest Software for persons or systems who could theoretically access the Quest Software, but who do not actually use the software”
And go on to point out that:
“People legitimately need to access these servers, but have no need to run Quest software – for example ‘NIKE’s cyber security and forensics professionals’”
A situation that will be common to many organisations worldwide.
Looking at section 12 of the SLSA, the audit clause between Nike & Quest states:
“In the event that an audit conducted as set forth herein discloses that Licensee has caused or permitted access to or use of the System by persons or entities that are not authorized under the terms of this Agreement to such use or access, Licensee shall pay Quest the underpayment, in the amount of the negotiated fee applicable to the particular Software Product or Product to which unauthorized access was permitted, for all such unauthorized users”
It seems Quest are relying on the language that states:
“permitted access to…the System by person…not authorized…to such use or access”
to make their claim that Nike are liable for all potential users based on system access.
Nike, however, are arguing that the clause simply states they must pay for:
“All unauthorized users”
And that the “ordinary meaning of user” is a person or machine that has actually:
“caused a Quest Software program to be executed so as to perform its intended function”
This would mean they are liable only for direct users – not those who accessed the servers for other purposes.
Quest’s original suit claims that “Nike…used pirated keys to circumvent the Quest License Key System.”
Nike deny this outright.
It is clear that Nike are not going to take this lying down and they certainly seem to be up for a fight. They completely refute many of the allegations, such as that they used pirated keys, and they have included a list of reasons in contradiction of Quest’s claims, including:
Additionally, Nike have put forward arguments based on the agreements of other Quest customers and on precedent set in previous Quest audit lawsuits.
Nike entered into an SLSA with Quest in 2001 – which appears to be a non-standard agreement.
Nike say it “does not restrict NIKE’s ability to download and use evaluation, trialware, or freeware versions of Quest Software, whether in production or non-production environments”, nor does it “restrict NIKE from using license keys or other license access devices not obtained from Quest to access and use Quest Software”.
This is based on the absence of clauses to the contrary – if Quest didn’t want them to do it, they would have specified this in the agreement. Nike point out that agreements between Quest and other customers DO expressly prohibit these activities, which they claim lends weight to their position that omission is permission.
For example, Nike submit a copy of a 2012 “Master Product Agreement” between Quest and World Fuel Services Corporation which states that evaluation software may only be used in non-production environments and has a time limit of 30 days use. The World Fuel Master Agreement also specifies that:
“Customer may not use any license keys or other license access devices not provided by Quest, including but not limited to ‘pirated keys,’ to install or access the products”
Again, this clause is missing from the agreement between Quest and Nike.
Nike also present judgements from the 2011 lawsuit “Quest Software Inc. v. DirecTV Operations, LLC”, in which Quest sued DirecTV in a similar manner, and use them to show that license over-deployment does not warrant a copyright infringement claim. Even if the contract breach claims go ahead, Nike are seeking to remove the copyright infringement element and the extra potential damages that it makes available.
It appears Nike made at least 2 mistakes when it came to the audit process itself:
Nike’s court documents show they:
“provid[ed] Deloitte with access to NIKE’s systems and databases” and “permitted Deloitte and Quest to run (their) scripts on NIKE’s systems and databases and to receive the corresponding inventories of users.”
And, once they received the reports from Quest – with the large non-compliance figures – “NIKE realized…the scripts…were not designed to inventory users of Quest Software on NIKE systems…(but were)…intentionally designed to inventory all persons or machines which had the right to access servers on which Quest Software programs were stored, without regard to whether such persons or machines ever actually used a Quest Software program”.
At this point, Nike performed its own inventory to determine “the number of users who had actually run a Quest Software program but for whom a license had not been purchased”.
This all helps illustrate the importance of having a pre-defined audit defence playbook and making sure it is followed. Performing internal “mock” audits is key to understanding your licensing position with a specific vendor, and it is vitally important that you know this before entering audit negotiations.
Ideally, Nike should have verified the scripts first and confirmed they would only produce required data. Even then, they should have run the scripts themselves and checked the data produced before handing it over to Quest/Deloitte.
Another interesting point in this case is the importance of support and maintenance, and how it is being used as a bargaining chip by vendors.
On December 28, 2017, Quest informed Nike they would not renew any of their maintenance as they were “in the middle of an active compliance…process”.
Quest’s support and maintenance:
Nike point out that “Quest is aware of the importance of its maintenance and support services to its…licensees” and in fact Quest’s marketing positions these services as a “vital aspect of its software and a reason for choosing Quest over its competitors”.
It is reasonable to assume that Nike’s databases are extremely important to Nike, that Nike is a high-profile organisation attractive to hackers and malware creators, and that the Quest software forms a key element of their database infrastructure – and thus that the stability and security of the Quest products is integral to the stability and security of the overall database environment. Therefore, by refusing to offer support and maintenance until the $15 million bill was settled, it could be said that Quest were trying to force their client’s hand to pay an inflated bill.
Nike offered to pay the $348,664.74 they felt they owed for being under-licensed – as per section 12 of their SLSA – and so believe Quest were not entitled to refuse maintenance. Nike claim that being denied support means they are “injured” due to lack of access to product updates and lack of protection against hacking, malware, etc., and so Quest must make remedy for that.
Nike contend that Quest’s refusal to renew support and maintenance was done in bad faith to force Nike to pay amounts “not due” to Quest – the software equivalent of a loan shark threatening to break someone’s legs if they don’t pay up.
The clean-hands doctrine states that someone who violates “equitable norms” cannot then make a claim based on the law of equity. For example, in “Morton Salt Co. v G. S. Suppiger”, the patent holder had used their patent to unfairly restrict competition and thus was denied “equitable relief” in a subsequent case. Basically, if your claim comes about because you did something unfair – such as overstating the amount of non-compliance to increase fees – you can’t complain when someone does something unfair to you on a related matter, such as refusing to pay that inflated amount.
Acting in bad faith is seen as violating these equitable norms and Nike posit that Quest have performed such bad faith acts by:
Nike also state they believe that the new owners of Quest are using audits, and bad faith tactics, to quickly increase value and profitability of the company. It is interesting to note that the venture capital firm who now own Quest were former owners of Attachmate – another organisation known for its aggressive audit tactics.
The Court should therefore issue an order “declaring, determining and adjudging” that under the SLSA:
Nike say they haven’t breached contract, but Quest have by refusing support.
This is a very interesting case which, if taken all the way to judgement, could have an impact far outside this individual case. Having a court rule on points such as:
Could have far-reaching effects across the industry, with other vendors’ practices being brought into question too.
I would expect Quest will make an out-of-court settlement offer, to prevent such a ruling taking place; that way they can continue these practices with other organisations in the future.
Nike have been very firm in their response, so perhaps an out-of-court settlement is unlikely. That said, with such a large potential bill on the cards, a reduced settlement may be attractive to Nike to draw a line under the episode.
I will certainly be keeping an eye on this case and writing up further developments. If you’ve got any thoughts on this and/or experience with Quest – get in touch.