This was one of the questions asked as part of the 2012 NJ IT Survey discussed in a previous blog post. With the potential for risk to intellectual property ownership, contract breaches and other liability, the responses were quite surprising. Fewer than half of the respondents said that they either prohibited the use of copyleft open source or monitored it closely, with almost 40% of respondents acknowledging that they do not monitor use of copyleft open source closely.
For those unfamiliar with the phrase, “copyleft” is a coined term, used satirically, that describes the practice of using copyright law to license copies of a work (and the right to modify it) while requiring that all modified versions of the work be made publicly available. See Wikipedia regarding the origin and meaning of “copyleft.” While the term can be applied to any copyrightable work, it is most often used in reference to open source computer code, which is widely available on the Internet. Open source code is attractive to programmers because it provides pre-developed, readily available and functional code to automate any number of computer functions. For a software developer, this offers the ability to lower development cost and increase the speed at which a final product can be brought into production.
Sounds great, right? Not so fast.
Because of the “copyleft” terms of the licenses for such open source code, unsuspecting users of the code may be surprised to find that their intellectual property ownership and distribution rights in their software product are not what they expected. For software developers who write software for their customers and are frequently contractually required to deliver intellectual property ownership of the final work product, this creates a breach of contract risk that may not be covered by insurance.
According to Richard Bartlett, President of Bartlett & Company, Inc. (an insurance broker in Philadelphia), many carriers may not cover infringement of software code. Moreover, many carriers also exclude breach of contract claims from their standard form policy. Bartlett has also found that “many companies take a false sense of comfort in purchasing high limits, which are sometimes not necessary.” “I have seen cases where a company has two functions, e.g., software development and IT consulting/staffing, where their policy did not cover the consulting or staffing”, Bartlett says.
I frequently encounter situations in which companies negotiate contractual limitation of liability provisions by referencing their insurance limits. Clearly, companies relying on their insurance policies to cover breach of contract claims in this way should carefully review their policies to determine whether such claims are even covered.
If you think you’ll never get caught, think again. It is my understanding that software such as Black Duck and Protecode can (among other things) detect the use of open source in various computer programs. In a posting on his own blog, Savio Rodrigues writes, “clearly there’s a risk of contaminating a custom enterprise application by misusing open source code.”
With so many companies openly acknowledging a failure to closely monitor their use of open source, I doubt we’ve heard the last of this issue.