Reverse-engineering and disassembly of IBM mainframe software in breach of software licence (IBM v LzLabs) – Part 2

For the background to this claim see our first article that focuses on whether any of the acts alleged to be in breach of the licence agreement (the ICA) fell within the rights conferred by the Software Directive; and whether Winsopia was in breach of the ICA.

This second article explores the validity of IBM's audit request and subsequent termination of the ICA.

Relevant contractual provisions

The ICA contained the following relevant audit provisions:

• Clause 4.4.1 provided IBM with "the right to verify [Winsopia’s] compliance with … terms of this Agreement (… relating to [Winsopia's] use of ICA Programs at all sites and for all environments in which [Winsopia] installs or uses ICA Programs for any purpose." It also noted that IBM may use an independent auditor to assist with the audit, provided IBM had a written confidentiality agreement in place with the auditor.
• Clause 4.4.2 stipulated that Winsopia “agrees to create, retain, and provide to IBM and its auditors written records, system tools outputs, and other system information sufficient to provide auditable verification that [Winsopia's] installation and use of ICA Programs complies with the Agreement terms, including IBM's applicable licensing and pricing terms.”
• Clause 1.11.5 provided for the exchange of any confidential information to be made under a separate, signed confidentiality agreement.

Accordingly, IBM had the right to request information, but there was no stipulated minimum period of notice required to be given in respect of an audit request (nor a minimum period for compliance).

The ICA contained the following termination provisions:

• Clause 1.11.4 provided that each party would allow the other a reasonable opportunity to comply before claiming that the other had not met its obligations under the ICA; further, that the parties would attempt in good faith to resolve all disputes, disagreements, or claims between the parties relating to the ICA.
• Clause 1.12.2 provided that either party could terminate the ICA if the other did not comply with any of its terms, provided the one who was not complying was given written notice and reasonable time to comply.
• Clause 4.5.3 provided that IBM could terminate Winsopia’s software licence under the ICA if Winsopia failed to comply with the licence terms.

Audit request

After IBM became suspicious that Winsopia had breached the terms of the ICA, IBM's owner (IBM Corp) sent a notice to Winsopia confirming that it would be carrying out an audit and asking for detailed preliminary information to be provided within 30 days, including:

• A list of all ICA and other IBM programs used by Winsopia;
• Details of all machines storing or executing IBM software, and third-party software used in the preceding 36 months;
• A network diagram showing interconnections of the identified machines;
• The names, locations, and employers of all individuals or entities accessing IBM;
• Various assurances, including that LzLabs employees or agents had not used IBM software or information derived from it, that IBM was not used to develop SDM, and that no reverse engineering had occurred.

Winsopia first refused to supply the information requested on the basis that, among other things, Winsopia’s contractual relationship was with IBM and not IBM corp. As such, only IBM had a right to information pursuant to the ICA.

IBM itself then repeated the audit request, as well as giving notice that Winsopia was in material breach of the ICA and that it would terminate the ICA if the requested information was not provided within 30 days.

Winsopia responded again refusing to comply with the audit request on the basis that, in summary:

• The 30-day time frame for compliance was not reasonable and would cause disruption to Winsopia’s business, especially in the context of the pandemic;
• The audit request did not give sufficient details of the provisions in the ICA in respect of which IBM sought information and materials to verify Winsopia's compliance;
• A separate signed confidential agreement between Winsopia and IBM would be required before any confidential information would be exchanged; and
• The verification provisions of the ICA were being used in a wide-ranging way, not merely to verify compliance, but also for IBM’s commercial advantage.

Winsopia's response noted that it was not refusing to provide information or materials to which IBM was contractually entitled, but that it required further details as to the purpose for which the information was sought and the contractual provisions to which the questions related. 

With regard to termination, Winsopia argued that (a) no valid notice of IBM's intent to terminate had been given, since Winsopia was not in breach and (b) the ICA required IBM to allow Winsopia a reasonable opportunity to comply before alleging breach, and to attempt in good faith to resolve all disputes etc, and that this had not been done.

Court's decision

On the validity of the audit request, the court confirmed that IBM (not IBM Corp) had a contractual right to verify Winsopia’s compliance with the ICA through an audit. As such, the second audit request by IBM itself was valid, reasonable and made in accordance with the ICA. While the judgment is silent on the validity of the first audit request, it can be assumed that this was not a valid request given it was made by IBM corp.

The court held that the requests for information and the period allowed for compliance were reasonable.  While a substantial amount of information had been requested, it should be readily available through remote searches. Winsopia had notably failed to provide any requested information, or explain why particular categories of information may be difficult to provide.

The judge found that most of the requested information was not confidential, and a separate confidentiality agreement was only needed if an independent third party conducted the audit.

In addition, the court held that based on the contractual provisions:

• IBM was not required to explain or justify the purpose for which the information was required;
• It was sufficient that IBM had identified the contractual provisions pursuant to which it was entitled to carry out the audit and receive the information requested; and
• The ICA did not contain any express or implied obligations of good faith in respect of the contractual audit right.
• The contractual good faith obligation on both parties to attempt to resolve all disputes did not override IBM's express right to audit.

Accordingly, Winsopia’s refusal to comply with the second audit request constituted a breach of the ICA.

As to termination, the court held that IBM validly terminated the ICA on each/all of the following bases:

1. Clause 1.12.2 allowed either party to terminate the agreement if the other failed to comply with its terms, provided written notice and a reasonable opportunity to rectify the breach were given. Winsopia breached the ICA by failing to comply with IBM’s audit request (in circumstances where IBM had given a reasonable period of compliance).

    

2. Irrespective of the validity of the audit request, clause 4.5.3 permitted IBM to terminate Winsopia’s licence if it failed to adhere to the licence terms under the ICA.The court had found systematic technical breaches occurred over a number of years, including reverse engineering (as analysed in our first article). Since Winsopia did not provide the confirmations sought in the audit notice, IBM was not obliged to allow any further period for Winsopia to remedy its breaches, and the technical breaches were not capable of rectification in any event.

    

3. Alternatively, IBM was entitled to treat Winsopia’s technical breaches as repudiatory and terminate at common law.

Key takeaways

The case is a timely reminder of the importance of incorporating contractual audit rights into contracts involving on-going relationships (such as software licence agreement and IT outsourcing agreements), as well as the benefits of utilising them if you believe that the other party is in breach.  In particular:

(a) audit rights can provide invaluable information regarding a breach of contract without the need for costly court proceedings; and

(b) failure to comply with audit rights can helpfully trigger termination rights in circumstances where other breaches have not yet been proven. 

Here, the audit provisions were broad and did not include a specific minimum period for compliance, which opened the door for arguments regarding the reasonableness of the request.  However, the court took a pragmatic approach and held that 30 days was a reasonable period given the nature and source of the information requested.

This judgment makes it difficult for a licensee to refuse a validly made audit request if the licence agreement provides an absolute right for the software owner to verify compliance, given that the owners subjective reasons for making the request are irrelevant. 

It is important that the party making the request ensures that it is made in accordance with the terms of the agreement. In practice, when making audit requests software owners should:

• Ensure that the correct contracting entity makes the audit request;
• Identify the contractual provisions pursuant to which the audit is made;
• Justify the purpose of the audit, but only if required under the terms of the agreement; and
• Clearly set out the information sought;
• Stipulate the period for compliance, ensuring that this is reasonable or tallies with any minimum periods set out in the agreement); and
• Comply with any notification obligations.

When responding to audit requests, real care should be taken if refusing or delaying compliance with the request, particularly where non-compliance would entitle the innocent party to exercise a contractual right of termination. The basis for any dispute or failure to comply should be set out in the fullest terms possible and appropriate. Consideration should also be given as to whether a blanket refusal is warranted, or whether available information is provided with information that is more difficult to assimilate following at a later date.

In order to avoid disputes regarding the scope of audit rights, considerable care should be taken when negotiating contractual audit rights to ensure that the scope, timing and procedural requirements of any audit are certain. Parties liable to comply with an audit request should also ensue that such rights are properly constrained and deliverable, and parties with the benefit of a right of audit should seek to ensure that the contract expressly identifies their entitlement to access any specific information, documentation and systems that are likely to be critical to the effective conduct of the audit.