Another software audit case has gone to court – February 2019 saw the start of a case between Micro Focus v Express Scripts Inc. The document I have access to is a report of the initial summary judgment findings which gives a great insight into the content of the issue but, as this is pre-trial, it doesn’t give any indication to the eventual outcome. Even so, it gives a good idea of what can cause problems with software contracts and also an insight into some of the legal aspects that can come out of software audits.
Express licensed 2 pieces of software from Micro Focus– “Rumba” and “OnWeb Web-to-Host”. In fact, they’d first purchased the software in 2001 from NetManage, who Micro Focus acquired in 2008. Rumba enables users to connect to the mainframe where they must then login to access any data stored on the mainframe.
Express use Resource Access Control Facility (RACF) software to control mainframe access – only a subset of employees received RACF credentials that allow them to actually access the mainframe. Without these RACF credentials, users can launch Rumba but not access the mainframe.
In 2006, Express moved to a centralised environment using Citrix and Windows Terminal Server (now Remote Desktop Services) and purchased licenses for both “thick” and “thin” client deployments. Express had purchased perpetual licenses for:
2009 saw Micro Focus introduce a “site license” for Rumba where customers would no longer need to count individual installations – this was priced at $205,000 for the license + $45,000 annual maintenance and aimed primarily at winning new business.
Early the next year Rocket, a Micro Focus competitor, offered their product to Express as an enterprise license with no limitation on user count. To keep the customer, a counter offer from Micro Focus was made for:
“up to but not to exceed 10,000 Rumba and/or Onweb Web to Host site license for the benefit of Express Scripts users”
at the aforementioned pricing. This was accepted by Express and an official offer (Product Order) from Micro Focus for:
“RUMBA Enterprise v. 8.3.0 for x86 running Win XP, Vista, Windows 7, Server 2003, Server 2008 for 10000 Authorized User License”
was accepted by Express by way of a Purchase Order. The Product Order also stated that:
“[e]xcept as otherwise specified above or agreed in writing by [Express and Micro], Micro Focus End User License Agreement . . . terms shall apply to this Product Order.”
Following this, Micro Focus emailed the installation files to the customer, along with a click-through EULA (End User License Agreement).
This EULA detailed several different licensing metrics but did not include the “authorized user” metric mentioned in the Product Order. Two metrics it did outline were:
Workstation license – This allowed the “install and use one copy of the licensed Software on a standalone workstation” and prohibited installation on a server that allowed use to more than one individual.
Concurrent User license – This restricted use to the maximum number of users paid for – which in Express’ case was 10,000.
Here is an order for $250,000+ where no-one is clear on what has actually been purchased!
Micro Focus began an audit of Express in 2015 and Express reported that all 35,236 users were able to access Rumba via Citrix – but only 4,932 had the RACF credentials needed to access the mainframe. Micro Focus countered that a user was anyone who “could” access the software and so they were well above their limit of 10,000 licenses.
On April 1, 2016, Micro Focus filed suit against Express for:
The Product Order and EULA together are unclear as to what kind of license was sold in this transaction. The former clearly states “authorized user” yet the latter doesn’t include this among the seven metrics outlined – leaving an ambiguous situation. To help resolve contract ambiguity other evidence, such as a party’s own interpretations and conduct, can be considered to help shed light.
The various internal emails from Express that referred to:
Were all on the table in this case.
Typically, this extrinsic evidence is used to clarify intentions of the parties at the time of contract execution and so Express argued it was inadmissible but the court took the view that, as the agreement was a 3 year term with an option to renew:
“the words and acts of Express and Micro’s staff, tasked with implementing or complying with the contract, is probative of each party’s understanding of the contract terms”
This means the way that Micro Focus and Express had acted during the contract, and the contents of the customer’s internal emails – that appeared to show Express believed the licenses to be workstation licenses and also that they were aware they’d “need to change some of the Rumba licenses to include Citrix” – could be used as an indication of what they believed the licensing rules to be.
To the claim that all of Express’ 35,236 users needed licensing, Express claimed that this interpretation was “commercially unreasonable” and “absurd” because “[n]o rational customer would purchase a software license so its users could see a login screen”.
A sentence that I’m sure many who’ve been through an audit involving a Citrix environment can relate to!
Express also asked the court to apply the doctrine of contra preferentem, this is the idea that any ambiguities in a contract must be interpreted against the party that wrote them – in this scenario, Micro Focus. They further stated it was a case of “adhesion” where the contract was drafted unilaterally by the stronger of the two parties (Micro Focus) and offered on a “take-it-or-leave-it” basis however, it was noted in the hearing, that Express are a multi-million-dollar company that “outpaces Micro [Focus] in size and sophistication” so this may not be the case. Additionally, Micro Focus contended that the customer had the opportunity to reject/negotiate terms before accepting the EULA and so had “meaningful choice”, meaning their relative bargaining power didn’t need to be examined.
Ultimately, it was determined that contra preferentem didn’t apply as there was a “genuine issue of material fact” i.e. the meaning of “authorized user”.
Express were able to get summary judgment in their favour for Micro Focus’ claim of copyright infringement – in quite an interesting way. They argued that Micro Focus was not the owner of the copyright but rather it was “Micro Focus IP Development Ltd”, a separate company – meaning Micro Focus couldn’t bring a claim. This was found to be true by the court and, as Micro Focus had missed their opportunity to join Micro Focus ID into the suit, the copyright infringement claim was removed.
The Micro Focus EULA stated that where usage exceeded the agreed terms, Express must pay:
“the then current license and maintenance fees for the use of the additional licenses”
Express asked that this be based on the actual number of simultaneous Rumba users. Micro Focus agreed the damages will be based on:
“the total number of users who may access and use the Licensed Software at any given time”
The two parties had a “robust discussion” about the meaning of “access” and “use” but the decision on those terms was left to be decided at trial.
This was also part of the Nike v Quest suit that I covered here – it aims to prevent someone who has acted unethically from receiving an equitable remedy such as an injunction or specific performance.
Weirton Medical Center Inc v Micro Focus (US), INC – April 2018
In this case, the customer took the vendor to court, seeking judgment that the license agreement was unenforceable and so audit penalties were not required.
Weirton Medical starting using Attachmate software in 2004 and continued to do so following Micro Focus’ acquisition in 2014. During one of the “periodic true-up occasions”, Micro Focus sent the customer a “new, never before seen” Software License Agreement which the customer claims contained “overly burdensome and unconscionable terms” including imposing the laws of Washington State (we’ll see why this is the case shortly!). Following this, Micro Focus determined that Weirton Medical owed $530,530.56 for over-deployment of software.
The total was a combination of:
Interestingly, Micro Focus agreed to forgo the back maintenance due to the fact that the customer wasn’t using the licenses…but still insisted they pay for the over-deployed but not used licenses.
As a side note, Weirton Medical also noted that their IT had been outsourced for at least the past 20 years and so claimed any over-deployment was the result of the 3rd parties’ actions, not their own. While I don’t see this making a difference to the case with Micro Focus, there’s possibly potential for the customer to launch a separate suit against the outsourcing providers.
These examples show that Micro Focus are actively auditing and gives an idea of their tactics – such as adding agreements that impose more favourable (for them) state laws – and areas that you should verify:
It also shows you should always pay double attention when Citrix/RDS is involved, no matter the vendor in question!
Unfortunately, as is so often the case, I don’t know the final outcome of these software audit cases. I’d imagine they have been settled out of court but it would be very interesting to see the final terms.