And the latest is ...
As a postscript to the May blog regarding the SAP-Diageo lawsuit, which found in favour of SAP, a further action has been lodged against Anheuser-Busch Companies in the courts of New York. This time it is a staggering claim of US$600M (which must be a very confronting scenario for a company running a $150M annual IT budget), alleging license deficiency and misuse, as summed up in the Anheuser-Busch Form-20 below:
On 21 February 2017, SAP America, Inc. (“SAP”) commenced an arbitration in New York against Anheuser-Busch Companies, LLC pursuant to the Commercial Arbitration Rules of the American Arbitration Association. The statement of claim asserts multiple breaches of a 30 September 2010 Software License Agreement (together with related amendments and ancillary documents, the “SLA”) based on allegations that company employees used SAP systems and data—directly and indirectly—without appropriate licenses, and that the company underpaid fees due under the SLA. The statement of claim seeks both reformation of the SLA in certain respects and also damages potentially in excess of USD 600 million. We intend to defend against SAP’s asserted claims vigorously.
Given SAP's 65,000 customers globally, there would appear to be a potential minefield of non-compliance that presents an unenviable opportunity – remedy via lawsuit (with resultant consequences), or go some way to addressing customer issues. SAP have now at least started to clarify and evolve their licensing to accommodate the inherent issue of how broader access by external parties and devices should be authorised, in their words embarking:
“on a journey to move away from user-based licensing to a more transparent and predictable licensing model focused on outcomes related to our customers’ use of the SAP ERP system”.
The fundamental principle though – changes or otherwise – remains that you cannot ignore the simple premise that accessing a system, or the data generated by the system, undoubtedly has a cost attached to it in the form of licensing.
Consider SAP's own definition of ‘Use’, which is the central tenet of the misuse claims:
Use means “to activate the processing capabilities of the Software, load, execute, access, employ the Software, or display information resulting from such capabilities.” Additionally, “Use may occur by way of an interface delivered with or as a part of the Software, a Licensee or third-party interface, or another intermediary system.” Use is defined broadly to cover both direct and indirect access scenarios and any use of the SAP Software requires an appropriate license.
In response, SAP identified the three most common indirect access scenarios, for which they have defined a new “transparent and predictable” policy: (1) order-to-cash (meaning the number of sales & service orders processed by the Software annually), (2) procure-to-pay (meaning the number of purchase orders processed by the Software annually), and (3) indirect static read, as represented below:
While it is encouraging to see a major vendor respond to their customers in a progressive way, there is no silver bullet – with any installation and any metric there is the potential (or more often the likelihood) that changes in your environment over time will generate further exposure.
So whether your organisation runs a $5M or a $150M IT budget, any sizeable investment in software – and the reputation of your company – surely warrants a robust and regular compliance and review program.