Open Source Risk Management Inc. (OSRM), a New York-based software license compliance analysis vendor, Monday announced the availability of the first risk insurance policy for enterprises that wish to protect themselves from intellectual property lawsuits when they acquire a software company or produce software with open source components.
Open Source Compliance Insurance is the first insurance policy to cover the specialized risks faced by enterprises that rely upon Linux and other open source software in their commercial products or internal IT infrastructure. It will be underwritten by UK-based Kiln PLC and sold by Lloyds of London insurance broker Miller Insurance Services Ltd.
The new insurance initially will offer coverage of up to $10 million for direct loss suffered by the insured following a finding of non-compliance with specific license agreements under which open source code is obtainable, OSRM said.
The insurance also will indemnify the insured for the loss of profits associated with the withdrawal or alteration of a product incorporating non-compliant code, OSRM said.
Cost of the coverage will depend on what each company wants to protect. “It depends upon what each company is doing,” OSRM CEO Daniel Egger told Ziff Davis Internet, “but it generally will amount to about 2 percent per $1 million ($20,000) per year of coverage.”
Not every company using open source is exposed to risks associated with license infringement, Egger said. “But as adoption rapidly increases, it is critical that companies take licenses seriously and fully understand what constitutes violation and therefore exposure,” he added. “I believe it will help eliminate one of the last reasons for corporate resistance to full acceptance of Linux and other open source software.”
More than 30 legal claims involving infringement of open source licenses have been brought worldwide against corporations in the last two years. In each case, plaintiffs have prevailed in enforcing their rights to restrict the use of their code.
One of the more active companies in software IP litigation has been The SCO Group of Lindon, Utah (formerly Caldera Systems), which owns the patent on Unix System V code and has lawsuits in process against IBM, Daimler Chrysler Corp., AutoZone Inc. and others.
Open source compliance is excluded from standard Errors and Omissions insurance and is of particular concern for privately-held technology companies seeking to be acquired in merger and acquisition transactions, obtaining equity financing or going public. It is also a potential material risk for public companies under the Sarbanes-Oxley Act of 2002.
A common risk scenario includes development of proprietary software, such as trading tools or inventory management applications, using one or more open source software components. Simple actions like making these tools available on an extranet, or sending them to external partners or suppliers, constitute “distribution” under a GPL license and require a company to open source that proprietary application, making it freely available to competitors, OSRM said.
“The Linksys case is a good example,” Egger said. “When Cisco (Systems) acquired Linksys for $500 million (in 2003), they acquired a toolkit that included a large number of open source GNU ‘C’ libraries. Some of those were sold to customers as a proprietary product. It was simply a mistake at the time. Cisco then rectified the issue by re-distributing the tools (free of charge) to its customers, which is an acceptable form of distribution.
“Now, all deals must have that Linksys clause included, as I call it,” Egger said.
Forrester analyst Michael Goulde told Ziff Davis Internet that the new insurance is too narrowly focused to attract a large number of customers, at least at the start.
“The specific type of coverage that is being offered by Kiln is limited in scope and will appeal mostly to companies that are primarily in the business of distributing software, either directly or embedded in other products,” Goulde wrote in an e-mail.
“They are offering compliance insurance that covers the cost of remediating non-compliant software. Having license compliance measures in place is more important for these companies than for companies using open source internally in business applications. For the latter, the risks are more uncertain, and they are likely to be less interested in the license compliance policies Kiln is selling.”
Does this safeguard open source software enough for old-school enterprises using antiquated systems to consider switching over to it?
“It’s a step in the right direction,” Goulde said, “but let’s face it: Open source isn’t for everyone. You’ll probably see those old-timers become more willing to use open source tools fairly soon, but using it in mission-critical applications would be akin to giving up their mainframe addiction.”
Goulde said that Forrester’s customer surveys indicate that risk around open source licenses and intellectual property is one of the barriers to open source adoption, but not a major one.
“Companies realize that there haven’t been any major litigations yet, so although the theoretical risk may be there, the actual risk is still fairly low,” Goulde said. “By putting policies into place around open source use and educating developers on how to properly use open source licenses, companies can eliminate many of the potential risks.
“The risks that cannot be controlled are the potential for copyright or patent infringement that exist for any software product. And the danger of a customer getting sued (aka the SCO Group risk) rather than the infringing distributor is really pretty remote.”