Tactical Law has defended companies being audited by Quest Software, Inc. ("Quest") and has thus far resolved the audits without the necessity of filing litigation. However, we read with interest a recent lawsuit filed by a long time Quest customer alleging that Quest acted in bad faith and engaged in predatory audit tactics during the course of the audit.

​Fairview Health Services ("Fairview"), a Minnesota non-profit academic health system hit Quest this week with a declaratory judgment action in federal district court in Minnesota. Sadly, the tale told by Fairview in the Complaint is a familiar one. At the end of 2019 Fairview notified Quest that it was terminating its annual maintenance and support. Almost immediately Quest issued a notice seeking to audit Fairview's use of Quest's Active Roles software. Only two months after Fairview gave notice that it was canceling maintenance and support, Quest produced a "Reconciliation Summary", which purported to find an over deployment of 69,064 licenses above the more than 38,000 license Fairview had purchased from Quest." Quest "claimed Fairview owed a total of $4,183,178.85 in license and "over-deployment fees".

Quest Accused of Bad Faith and Predatory Audit Tactics

Fairview makes some interesting observations on information and belief about Quest's motives, which Quest customers would do well to keep in mind when dealing with Quest. This is not the same company that licensees may have contracted with in the early 2000s, but instead the company has undergone multiple changes in ownership. According to the Complaint:

954604a.jpg

With almost every change in ownership the governing law of the Quest license agreement seemed to change. We have seen public filings with Quest agreements designating California, Washington and Texas as the governing law. Also, with every new iteration of the license agreement, the terms became more favorable for Quest and less favorable for the licensee. Rather than call these changes out specifically to the customer and request a modification to the contract, Quest appears to have embarked on a sneaky strategy of incorporating major changes in clickwrap agreements, which accompanied their software updates. A big question for the court will be whether these clickwrap agreements somehow superceded or amended the original license agreement, and constituted fair notice to the licensee of major changes to the agreement and a writing signed by duly authorized representatives of both parties. Quest will claim yes, and Fairview will fight that interpretation. Tactical Law has similarly pushed back against such assertions by Quest on behalf of Quest audit customers.

Fairview disputes Quest's contentions about what constitutes the governing contract and how it can be modified. Fairview points out that the governing agreement is the one it purchased the subject perpetual licenses under, which contains a provision requiring any amendment to be in a writing signed by both parties. This will be a hotly contested issue in the ensuing litigation. Cases involving courts interpreting consent to arbitration agreements may prove instructive.

954604b.jpg

Fairview asserts that the provisions of the 2004 SLA define software as including "corrections, enhancements, and upgrades to the Software" made pursuant to the Maintenance & Other Services Clause.

954604c.jpg

954604g.jpg

Yet Quest has taken the position that when Fairview clicked on the clickwrap agreement accompanying the software updates that somehow changed the governing agreement. In other words, Quest appears to be claiming that it could make major changes to the governing agreement without reasonable notice and without providing the licensee with additional consideration. And Quest is contending that the clickwrap agreement is a writing signed by authorized representatives of both parties.

Allegations of Invasive Audit Tools

Fairview accuses Quest of deploying tools during the audit that impermissibly seek information about Fairview's IT system, which go beyond Fairview's use of the Quest software. According to the Complaint:

954604d.jpg

​This should sound very familiar to Oracle customers who have been targeted with Oracle's prospective licensing assertions involving VMware and the "installed and/or running" language of the processor definition. According to Fairview, Quest's tools sought information about potential interactions with the software but declined to collect data that would show whether those accounts had actually used or interacted with the software. Although we have been informed by technical experts that Quest like Oracle could use tooling capable of detecting where the software has actually been used, Quest and Oracle appear to have no interest in doing so. The reason is apparent. Taking the position that they are entitled to licensing fees for all servers or accounts that might access the software results in the vastly inflated over-deployment numbers about which Fairview complains. These inflated findings are then used as "shock numbers" to create FUD ("fear, uncertainty and doubt") in the heart of the licensee, which can then be used to sell more software and perhaps used as leverage to keep the customer from canceling support. According to the Complaint:

954604e.jpg

We are of the same opinion about the motivations of software vendors who may use such invasive tools while ignoring data that shows non-use. And it is important that Quest customers realize these overreaches and protect themselves from them during the course of an audit. Licensees should resist turning over confidential information unless it relates to the use of that vendor's software, and the licensor has provided a satisfactory explanation of why they require the information to conduct the audit. Assertions that the vendor always asks for it are irrelevant and do not pass muster. Do not be afraid to probe and question the software company or their auditors as to the relevance of the requested information. And don't let the auditors provide their answers orally. Make them commit in writing, so you have a strong record in the event a dispute arises and you end up in court. A strong record will also help you with negotiating a favorable settlement directly with the licensor. Demand that the auditor specifically identify what provision in the contract entitles them to the requested information. And whatever you do, don't fall for Oracle or Quest relying on policy documents that are not part of the contract as justifications for the request.

The Audit Clause

The language of the 2004 SLA contains an audit clause, which provides that Quest may ask that Fairview verify no more frequently than annually its usage of the software by furnishing a document signed by the Licensee's authorized representative verifying software usage. In addition to demanding the verification, Quest has the right to review Fairview's deployment and use of the software for compliance. The entire clause is focused on current usage and not what may be used in the future. According to the Complaint:

954604f.jpg

​During the course of the Fairview audit, Quest did not request the written verification but instead went right to using its tools to scope out Fairview's IT system. Tools that Fairview contends do not measure actual usage, but instead collect data on how many accounts could potentially access the software in the future. Use of such tools by software auditors should be red flags for the licensee. Ask the auditors exactly what information the tools are collecting and seek to pin the auditors down on what they are seeking and why they are entitled to the information. Misrepresentations about what information the auditor is collecting may be used against the licensor in the event a dispute arises. Again, insist that the auditors provide their answers in writing. Finally, we recommend retaining qualified outside counsel who have the technical experts in place to review the data output prior to sending to the auditors.

Fairview complains that Quest also seeks to take advantage of a phrase "managed by" the software, which is ambiguous and not defined in the contract. Fairview argues that to manage the software at least means that the account must interact with the software in some manner. Fairview should take the position that any ambiguity should be interpreted against Quest the drafter.

When going up against software companies such as Quest and Oracle, it is highly advisable to retain qualified outside counsel familiar with software audits to push back aggressively on any attempted overreaches. Licensees who believe that providing all the information requested by software companies will result in lower over-deployment numbers are in for a rude awakening. Be smart and do not be afraid to stand on your contractual rights.

The case is Fairview Health Services v. Quest Software Inc., Case Number 0:20-CV-01326, venued in the District of Minnesota. Tactical Law will continue to monitor the litigation. Please check back for periodic updates.

Originally published 11 June, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.