How Companies Can Safely Use Open Source Software – The National Law Review
Used properly, Open Source Software (OSS) is an excellent tool. It saves your business time and money, enables interoperability of product platforms, and developers love it. But used improperly, it can be financially and operationally devastating. For example, the statutory damages for failure to properly adhere to the OSS copyright notice can be up to $150,000 per act of infringement. Those damages can quickly add up to serious consequences, whether preventing a sale or merger of your company or the destruction of the value of the affected products. Another serious risk is that once OSS is used in your code base and deployed in distributed products, if your tech teams are not monitoring and applying bug fixes, known vulnerabilities become Trojan horses of opportunity for bad actors. The good news is that protecting your company from these types of risks is rather simple. We have outlined below key steps and processes in-house counsel should take to work with your business stakeholders to mitigate these risks.
Establish a documented policy that is vetted and agreed upon by your legal, technical, and compliance teams. Such a policy creates ground rules for the company and its developers regarding usage of OSS across its products and services. More importantly, creating and deploying a policy forces productive discussions and deliberations between different functional groups to align on concerns, goals, and best practices for the company.
You should always know where and how the company is using OSS. This can be done by providing proactive guidance prior to OSS use and periodically conducting audits as part of proper IT hygiene in advance of a need for the results.
Shortly before an impending transaction (M&A or commercial with a customer/partner) is not the time when you want to learn of non-compliance issues. Performing such reviews strictly reactively can present several challenges: (i) this typically leaves little or no time to remediate any identified issues; and (ii) when dealing with third parties, reactive behavior and problematic results can suggest a sense of lack of sophistication/readiness, which may undermine confidence in the company or product and lead to reduction in transaction revenue.
In many cases, it will be easier to stay ahead of OSS issues by treating OSS compliance like other legal or compliance approvals and incorporate it in whatever product development gate reviews/checks are used by your company for other discipline approvals, such as intellectual property (IP) product clearance, safety, quality, etc. This is helpful to force discussions early in the product development process and keeps your product management and engineering teams accountable for proper OSS usage and compliance.
In-house counsel should also look upstream in the product development cycle to identify OSS used in hardware or software components being considered for incorporation into your company’s products. Particularly in the case of procuring software or components that will be material to a product, it is critical to understand OSS exposure well in advance of integration and commercialization of that product. And when vetting competing technologies or providers, consider the extent to which they rely on OSS and how that may impact your use of that OSS, such as imposing copyleft requirements on your own proprietary code, which can require you to publish and similarly grant free licenses to your own code. These licensing consequences should factor into your assessment of the cost and value of such technologies and providers. You should also consider formalizing these commercial understandings and expectations in commercial agreements with third parties, such as contractor, consulting, joint development, and software license agreements.
Finally, a primary challenge in-house counsel may face in deploying an effective OSS program is the sheer administrative effort that the program may impose on the company’s engineering teams to keep up with tracking use of OSS and compliance with the relevant licenses, including avoiding problematic license, creating and publishing license acknowledgement reports, etc. There are a few ways to increase the likelihood that your business stakeholders will prioritize, and your technical/product teams will cooperate with the legal team in, adopting a robust OSS program.
First, partner with your IT and InfoSec organizations. Rather than focusing solely on the intellectual property based risks, in some cases, the potential InfoSec risks of non-compliance, such as the consequences of using out of date OSS components with known vulnerabilities, may be more compelling to your business stakeholders. As such, your InfoSec team may be a strong co-advocate of a proactive OSS program as a means to keep up to date with known vulnerabilities and available patches.
Second, as much as possible, reduce the burden on the engineers and software developers that will be most directly impacted by OSS policies and scans and can often be overlooked by legal teams imposing policies. The reality is that limiting the software available to your developers (i.e., due to licensing restrictions) and demanding extensive scans and resulting remediation after a build can create a lot of work and distract teams from their ongoing product development efforts. This can create friction with engineering/developer groups and lead to resistance or delay in aligning on a policy and adoption of a program. Where possible, incorporate automated OSS checks into software development cycle (e.g., at build time) to raise flags and force conversations among decision makers as the work is being done. Several software packages are commercially available to integrate with your developers’ build tools, manage your established policy decisions on product-by-product bases (after a policy has been developed), and raise any concerns in your engineering project management ticketing systems to drive compliance and remediative action.
The vast majority of commercially available software today includes or is based upon some amount of open source software, which can help developers and engineers more quickly and efficiently create new products. But in-house counsel and compliance organizations should be cautious and measured to monitor and maintain their company’s use of such OSS to avoid significant risks and undesirable consequences of doing so.
About this Author
Marguerite is a seasoned litigator and intellectual property transactional attorney who counsels clients in maximizing the value of their intellectual property and technology assets, including trade secrets, patents, copyrights, and trademarks. She has an emphasis on representing technology companies, particularly in the hardware, software, internet, semiconductor, biotechnology, and medical device industries. Representative matters include: licensing transactions, acquisitions and divestitures, collaborations, joint ventures, strategic alliances and arrangements in…
Greg Penoyer is as Associate at Mintz’ Boston office. He is a seasoned intellectual property counselor whose practice spans nearly all areas of intellectual property and is focused primarily on guiding clients through IP transactions, monetization, diligence, and litigation. In serving his clients, Greg leverages more than a decade of vast experience in all aspects of strategic development, management, and enforcement of intellectual property rights. In addition to working in private practice at other leading law firms, he has served as in-house counsel and trusted…
You are responsible for reading, understanding and agreeing to the National Law Review’s (NLR’s) and the National Law Forum LLC’s Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.
Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com intended to be a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional. NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us.
Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.
The National Law Review – National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521 Telephone (708) 357-3317 or toll free (877) 357-3317. If you would ike to contact us via email please click here.
