


by Ron Exler

Uniform Computer Information Transactions Act (UCITA) Shakes up Software Licensing and E-Commerce

Apr 10, 2000

RFG believes the Uniform Computer Information Transactions Act (UCITA) is raising the visibility of ongoing conflicts between vendors and buyers of software and other offerings based on digital information. UCITA is the Uniform Commercial Code (UCC), which has long governed other forms of commerce, applied to digital information. Its recent introduction into several state legislatures creates a sense of urgency for CIOs and their teams to understand the potential ramifications of the act. CIOs should make sure that legislators hear their voices and that their companies understand the legal implications of UCITA.

On March 14 of this year, the Commonwealth of Virginia became the first state to sign into law the controversial Uniform Computer Information Transactions Act (UCITA). In a move widely believed to gratify Virginia’s burgeoning technology economy, Virginia started what may become a chain reaction amongst states vying for prodigious technology jobs. Certainly, few if any of the legislators, or Virginia’s Governor Gilmore, pored over the 114-page, 28,000-word act (plus 70 pages of amendments and official comments) to gain sufficient understanding of its content and potential impacts. Instead, UCITA is now a hot political issue pitting business IT proponents and consumer advocates versus vendors and attorneys.

There is much at stake for IT in the outcomes of UCITA adaptation in the states. If, as its opponents contend, UCITA shifts economic risks from vendors to users, then user businesses will incur higher costs, at times when many are facing flat or shrinking budgets. In any case, IT organizations need to be much more aware of the contracts into which they enter.

The pendulum appears to be swinging toward favoring vendors in contract language such as UCITA. Furthermore, according to the Society of Information Managers (SIM), large vendors are moving toward a standard licensing vehicle that is not negotiable. CIOs should fight such standardization efforts, as they would potentially make each transaction lopsided in the vendor’s favor, while ignoring the unique requirements of each user company.

UCITA originated more than 10 years ago as Article 2B of the Uniform Commercial Code (UCC). The group that drafted the act is The National Conference of Commissioners on Uniform State Laws (NCCUSL), chartered with drafting laws that states can uniformly adopt to simplify conflicting state laws across the US. NCCUSL approved UCITA at its annual meeting in July 1999. The conference is composed of people from each state and drafts commercial code law that goes to each state for adoption. Each state has the option to sign the bills into law.

Businesses purchase software, both shrink-wrapped and not shrink-wrapped, in large quantities. Both types of software purchases require diligent purchasing guidelines and tight control to avoid a management mess of monumental proportions. While companies typically negotiate contract terms for enterprise technologies, shrink-wrapped solutions often sneak in under the radarscope. As vendors begin to use UCITA as the foundation for all of their contracts, companies should exert care in allowing shrink-wrapped purchases. Purchasers often cannot view the license governing a shrink-wrapped package until after the package is open. CIOs considering enterprise software licenses should insist upon retaining the right to modify contracts during the negotiation process, regardless of UCITA.

States trying to woo high-tech companies are using UCITA as a way to show the technology community they are attractive sites for their companies. Without much apparent analysis, these legislatures are considering signing UCITA into law.

UCITA includes a provision for electronic repossession of software. This “self-help” remedy allows software providers to disable their programs electronically using “time bombs” or remote access through “backdoors” programmed into the software by its developers. While notice is required under UCITA before execution of such actions, CIOs should be concerned about the existence of such openings in their software systems as potential security breaches.

However, some large software vendors use what amounts to an honor system for license compliance. Measurement tools are often not available to track usage and many vendors avoid controversy with looser policies. However, this often leaves customers without a way to know if they comply with licenses. (See the RFG Research Note “Complying with Oracle Database Licenses” Aug. 9, 1999.)

Negotiating a software license involves significant due diligence. IT managers must be sure the contract protects the company in the event something goes wrong. Contracts must clearly delineate service levels and escalation procedures as well as costs for additional upgrades, maintenance, training and services. CIOs should have staff in IT or the legal department that understands software contracts in particular, as they are different from other contracts.

RFG believes UCITA represents a potential threat to IT departments and others purchasing large software licenses. However, there is also much hype on both sides of the issue. CIOs should gain a firsthand understanding of the act and be sure legal departments are familiar with UCITA to evaluate the potential impacts on their companies.

© 1999 Robert Frances Group. All rights reserved.

Ron Exler is a Principal Analyst at the Robert Frances Group. He can be reached at 203-291-6900 or