Software Resellers and Information Security Risks

Many organizations are turning to resellers to buy “off-the-shelf” software. These resellers can frequently offer better pricing than could be obtained by purchasing directly from the software developer. In addition, in some cases, the reseller may be the only source for purchasing the software (i.e., the developer will not sell directly to the end user). The primary risk presented by these types of purchases is that the governing terms and conditions for use of the software are frequently presented on a take-it-or-leave-it basis. The reseller generally has no authority to change or negotiate the software license agreement and the original developer takes the position that the contract must be accepted as-is.

Accepting a software license, even one for relatively low-cost, off-the-shelf software, can present material risks, including inadequate warranties, lack of protection in the event of an intellectual property infringement claim, and threats to information security. It is this last point that I want to emphasize.

As I have written before, most off-the-shelf software license agreements contain little in the way of protection for the licensee’s confidential information and frequently include very broad rights for the licensor and third parties to enter the facilities and access the systems of the licensee to conduct audits. The software may even contain “phone home” functionality that periodically sends undefined data back to the licensor. In short, the license agreement may place the licensee’s data at risk, yet offer no real protection in the form of strong confidentiality and information security obligations.

Based on the foregoing, businesses should look closely at the agreements they are being asked to accept in connection with these types of transactions. In most instances, the business case for the software will outweigh the risks presented by the license agreement. However, in making that assessment, the relevant contracts should be reviewed closely for risks to the business’s data and other confidential information.

Copyright © 2011 IDG Communications, Inc.
