A few years ago, I was listening to the radio on my way to work.

I wasn’t really paying much attention to what was going on, until, during one of the commercial breaks, I heard an ominous voice ask:

“Does your company steal software? Do you want to do something about it?

Call 1-800-XXX-XXXX to report your employer and qualify to receive a GAZILLION dollars if your information helps us stop this illegal behaviour. Your anonymity is guaranteed.”

OK, so I may have slightly exaggerated the amount of bounty being offered.

But the point is that there was a bounty being offered, and not just by some obscure ad running on AM radio.

Soon after hearing this commercial, I started to see billboards popping up on the highway and spam email hitting my inbox with the same message.


As far back as 2008, the Business Software Alliance (BSA) was offering up to $1M to software compliance whistleblowers. And it could easily afford to, because the resulting lawsuits were garnering compliance payments between $11M and $13M USD (which is roughly a gazillion $CAD at today’s exchange rate).

Yet the optimists still put on their rose coloured glasses and quoted statistics like:

“Only 20% of whistleblowers disclose their concerns to someone outside the company.”


“92% of reporters turn to somebody inside the company when they first report misconduct, only one in five ever tell someone outside the company, and only 9% of employees report to the government.”

So the odds are small(ish), but that’s just an employee blowing the whistle on an organization.

The software companies are also very active in monitoring compliance. In fact, for some suppliers, compliance fees are a revenue line in their annual projections.

They expect customers to over-deploy and underpay for licenses; the only question is how much the customer will pay to get back on-side.

I know this all sounds very ominous (like the voice on the radio).

But by understanding some basic points about compliance, as they relate to the protections you should have in your contract with the supplier, you’ll see how this doesn’t always have to end in doom and gloom.


Believe me, suppliers have ways of finding out when you are out of compliance. Here are the big three:

  1. Internal whistleblowers. To dissuade people on the inside from talking to people on the outside, foster a speak-up culture and provide middle management with the support and guidance they need to handle reports of misconduct.
  2. Code embedded in the software that sends usage reports back to the supplier. Make sure your contract has a clause stating that the software will not contain any malicious code, defined as anything that sends customer data back to the supplier without the customer’s express written permission.
  3. Supplier audits. Make sure your contract has a clause that limits the number of times a supplier can conduct an audit (no more than once a year is a good rule of thumb). The supplier should also be required to give at least 90 to 180 days’ advance written notice if it chooses to conduct an audit.


For starters, being found out of compliance happens to everyone. And somewhere along the way, it’ll happen to you.

Here’s how to minimize the damage:


Most of the time, it’s the software Sales Execs who bring up compliance, but rarely to say that you’re definitely out of compliance and an audit is imminent.

Instead, they’ll make a vague allusion to the fact that you may be out of compliance when your contract comes up for renewal, so wouldn’t it be better to top up your licenses now and avoid the hassle at renewal time?

Here’s an interesting fact: Sales Execs typically aren’t compensated on compliance payments, so they often use this ploy to generate net new sales opportunities.


We were once brought in to an organization that was at DEFCON 1 because the Sales Exec for their big ERP system said he had usage reports showing over 200 login IDs for a software module that was licensed for only 20 users.

The Sales Exec said the fees to get compliant would be north of $5M but he would give the client a deal and let them migrate to an unlimited enterprise version of that module for a mere $1.5M.

My team reviewed the contracts and asked the Sales Exec where he got the usage report (which he never told us). Then we told him that the 20-user license was for concurrent use, so it didn’t matter how many login IDs had been created as long as only 20 were using the system at any given time.

We also told him that the contract required a 90-day notification period for an audit. We then advised the client that they had 90 days to scrub the 200 IDs, determine which ones were actually using the software, and write a small piece of code that would limit logins to 20 users at any given time.
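The two pieces of work in that story, limiting logins to the licensed number of concurrent users and finding out which IDs ever used the module, are both small. Below is an added example of how they can be done; it is not the code my team wrote for that client. It assumes the license counts concurrent sessions (as the 20-user license did), that the application’s own authentication layer can call `login()` and `logout()`, and that sessions can be reaped after an idle timeout. The session records and provisioned IDs are constructed sample data, and it goes slightly beyond the story by also computing the peak number of overlapping sessions from login/logout times, which is the number you would want in hand before answering a usage report.

```python
"""Concurrent-use licence gate plus a usage audit.

Added example, not code from the original post or the client engagement it
describes. Assumes the licence is counted per *concurrent* session and that
the application's auth layer can call login()/logout()/touch(). All session
records and provisioned IDs below are constructed sample data.
"""
from datetime import datetime, timedelta
import threading


class LicenseExceeded(Exception):
    """A login would push active sessions past the licensed limit."""


class FakeClock:
    """Injectable clock so the idle-timeout behaviour can be exercised offline."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, minutes):
        self.now += timedelta(minutes=minutes)


class ConcurrentUseGate:
    """Admits at most `limit` simultaneous sessions.

    Sessions idle for longer than `idle_timeout` are reaped on the next login,
    so abandoned browser tabs cannot lock out licensed seats indefinitely.
    """

    def __init__(self, limit, idle_timeout=timedelta(minutes=30), clock=datetime.now):
        self.limit = limit
        self.idle_timeout = idle_timeout
        self.clock = clock                     # any callable returning a datetime
        self._lock = threading.Lock()          # logins arrive from many threads
        self._active = {}                      # session_id -> last activity time

    def _reap(self, now):
        # Drop sessions whose last activity is older than the idle timeout.
        for sid in [s for s, last in self._active.items() if now - last > self.idle_timeout]:
            del self._active[sid]

    def login(self, session_id):
        now = self.clock()
        with self._lock:
            self._reap(now)
            if session_id not in self._active and len(self._active) >= self.limit:
                raise LicenseExceeded(
                    f"{self.limit} concurrent sessions already active; try again later")
            self._active[session_id] = now     # admit, or refresh an existing session

    def touch(self, session_id):
        """Record activity so a live session is not reaped as idle."""
        with self._lock:
            if session_id in self._active:
                self._active[session_id] = self.clock()

    def logout(self, session_id):
        with self._lock:
            self._active.pop(session_id, None)

    def active_count(self):
        with self._lock:
            return len(self._active)


def peak_concurrency(sessions):
    """Highest number of overlapping sessions; each session is (user, start, end).

    Sweep line: +1 at every start, -1 at every end. Tuples sort by time first,
    then by delta, so at equal timestamps the -1 (logout) is processed before
    the +1 (login): a seat freed at 09:00 may be reused at 09:00.
    """
    events = [(start, 1) for _, start, _ in sessions] + [(end, -1) for _, _, end in sessions]
    events.sort()
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def users_who_logged_in(sessions):
    return {user for user, _, _ in sessions}


def unused_ids(provisioned, sessions):
    """Provisioned IDs with no session in the sample: candidates for removal."""
    return sorted(set(provisioned) - users_who_logged_in(sessions))


# Constructed sample: 200 provisioned IDs, but only 25 ever log in, each for an
# hour starting five minutes apart, so no more than 12 sessions ever overlap.
T0 = datetime(2024, 1, 15, 8, 0)
PROVISIONED_IDS = [f"user{i:03d}" for i in range(200)]
SAMPLE_SESSIONS = [
    (f"user{i:03d}", T0 + timedelta(minutes=5 * i), T0 + timedelta(minutes=5 * i + 60))
    for i in range(25)
]

if __name__ == "__main__":
    print("peak concurrent sessions:", peak_concurrency(SAMPLE_SESSIONS))
    print("IDs that never logged in:", len(unused_ids(PROVISIONED_IDS, SAMPLE_SESSIONS)))
    gate = ConcurrentUseGate(limit=20)
    for i in range(20):
        gate.login(f"sess-{i}")
    try:
        gate.login("sess-20")
    except LicenseExceeded as exc:
        print("refused:", exc)
```

The gate counts sessions, not named IDs, which is exactly the distinction the contract turned on: 200 provisioned logins are fine under a 20-user concurrent license as long as the 21st simultaneous session is refused. Run `peak_concurrency()` over real login/logout records before a renewal conversation; if the peak is under the licensed number, a usage report that only counts IDs proves nothing.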


Sometimes your organization will actually be out of compliance.

When that happens, it’s better to negotiate with the Sales Exec than to deal with a compliance audit, because if your organization didn’t know it was out of compliance, then chances are it doesn’t know how deep the problem is.

Working with the Sales Exec to come up with a resolution is much better than opening yourself up to the unknown in a compliance audit.

At the end of the day, an organization should know exactly what it has bought and what it has deployed within its environment.

A simple way to do that is by implementing a process that allows you to quickly and easily find your contracts and review the terms that define what you’ve bought and what you can do with it.

The best way to avoid shelling out millions in compliance fees is by building a very simple contract management process. When you know exactly what’s in your contracts, that pesky Sales Exec will think twice before making wild claims.