
Software Resellers and Information Security Risks

Mar 17, 2011 | 2 mins
Data and Information Security

Many organizations are turning to resellers to buy “off-the-shelf” software. These resellers can frequently offer better pricing than could be obtained by purchasing directly from the software developer. In addition, in some cases, the reseller may be the only source for purchasing the software (i.e., the developer will not sell directly to the end user). The primary risk presented by these types of purchases is that the governing terms and conditions for use of the software are frequently presented on a take-it-or-leave-it basis. The reseller generally has no authority to change or negotiate the software license agreement and the original developer takes the position that the contract must be accepted as-is.

Accepting a software license, even one for relatively low-cost, off-the-shelf software, can present material risks, including inadequate warranties, lack of protection in the event of an intellectual property infringement claim, and threats to information security. It is this last point that I want to emphasize.

As I have written before, most off-the-shelf software license agreements contain little in the way of protection for the licensee’s confidential information and frequently include very broad rights for the licensor and third parties to enter the facilities and access the systems of the licensee to conduct audits. The software may even contain “phone home” functionality that periodically sends undefined data back to the licensor. In short, the license agreement may place the licensee’s data at risk, yet offer no real protection in the form of strong confidentiality and information security obligations.

Based on the foregoing, businesses should look closely at the agreements they are being asked to accept in connection with these types of transactions. In most instances, the business case for the software will outweigh the risks presented by the license agreement. However, in making that assessment, the relevant contracts should be reviewed closely for risks to the business’s data and other confidential information.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP, where he focuses on drafting and negotiating technology-related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.