Audits

Another Quest audit ends up in court

A Quest Software audit is in court (again).

Here I am, back with another story of a software vendor treating one of their customers in such a way that the whole thing ends up in a court of law. This case first appeared back in September 2023. This article is based on publicly available court documents detailing a case between HealthEquity Inc v Quest Software.

There are 4 main points in contention:

• Which agreement governs
• How to determine the number of required licenses
• What remedies are available to Quest
• What charges are permissible in the event of over-deployment

What is the situation?

In 2019, WageWorks went through a Quest Audit and it was found they did not have proper control over their Quest Toad software. The court documents state that:

“In an effort to eliminate the possibility of being in the same position at a later date, WageWorks discussed with Quest how to go about ensuring license compliance going forward”

and the Quest License Compliance Specialist “provided direction and instructions to WageWorks regarding the tracking of its Quest-licensed software products going forward”. WageWorks, and subsequently Health Equity, based their license compliance system on this advice – using assigned serial keys for each license which were assigned out to individual users to access the Toad software. Without the key, users can see the application but not access or use it; HealthEquity state this was the process recommended by Quest.

When Quest returned in 2023, they told the customer that in fact they needed a license for every employee:

“who could potentially access any server or individual device on which the software products were installed, regardless of whether those individuals could, or did, actually access and utilize the Toad software itself”

And so Quest are claiming liability of just over $1.2 million from HealthEquity.

Purchase Orders

The purchasing relationship with Quest spans 21 years, from 2001 to 2022 – during which dozens of transactions have taken place. Here we see a common issue which we’ve heard from conference attendees all around the world – which terms govern your licenses? As we all know, software vendors change their terms over the years– so newer licenses will refer to newer, often  more restrictive – terms. This is exactly the situation in which HealthEquity found themselves where “licenses purchased in multiple separate transactions over a period of years, as HealthEquity’s licenses were, may be subject to a  number of different, and sometimes conflicting, terms and conditions.”

Quest have stated that the 2018 terms apply to all licenses involved, even though some licenses were purchased before that agreement was created and also that other licenses were purchased when subsequent versions of the agreement were in effect. The court documents give a great example of how the terms change over time:

Are changes allowed?

HealthEquity’s purchase orders stated that no terms could be changed or added except in writing by both parties. Furthermore, Quest’s own terms state that “no other act, document, usage or custom shall be deemed to amend or modify this Agreement”. These two facts together suggest that the terms in place when the orders were made are what must be used to govern the usage of those specific licenses.

The complaint

The complaint also asserts a claim for breach of the implied covenant of good faith and fair dealing, alleging that Quest acted in bad faith and unfairly harmed HealthEquity’s right to receive the benefits of its license purchases. Some key portions of the court documents include:

“HealthEquity soon discovered that Quest’s audit processes were intentionally designed to include numerous individuals in its audit numbers who should not have been included as requiring licenses under the terms of the parties’ agreement”

“Upon information and belief, Quest’s audit practices and interpretation of contract terms to its customers have been intentionally designed for the bad faith purpose of over-estimating the extent of the customer’s deployment and license requirements”

The customer also states they believe that Quest have tools that enable them to see the actual access and use of their software but they choose “not to rely on those tools”.

Key takeaways

This isn’t the first time I’ve seen this and I doubt it will be the last – it’s so important to define the terms used in software licensing agreements. In this scenario, there is a lack of clarity as to what both “use” and “access” actually mean…yet it is precisely these terms on which (much of) the claim rests.

Perhaps spending the time to define all these specific terms with every vendor you work with isn’t feasible (in terms of time and bandwidth) but it is definitely something that should be done with certain key vendors – such as Quest.

Each time your organisation makes a purchase, look to see if the vendor will try and apply a new agreement or modified terms – and nip it in the bud there and then, rather than in several years time.

Audit resources from the ITAM Review

If you’re facing an audit situation like HealthEquity faced – from any vendor – the following resources should help.

• Audit Defence LISA course: Understand the various stages of an audit, what’s involved along the way, and what you can do to keep control and manage the process effectively
• Audit Circle LISA course – a quick practical guide to handling audits
• Ask the auditors webinar – Join Rich Gibbons from ITAM Review, along with Synyega’s team of ex-Vendor & Top4 Auditors as they answer your most pressing audit questions

Can’t find what you’re looking for?