A curious notion about being secure about your software has recently taken root. The idea is to buy insurance so you'll be covered if anything nasty happens to your company or customers on account of some software-related intellectual property, copyright, or licensing entanglement.
What, me worry about code legality? the insurers seem to be suggesting.
You had better worry about your code. The best and the only solution to software-related risks for the largest software users, sellers, and creators is self-insurance, backed up by an iron-clad ability to audit and manage any code (and associated licenses and use provisions) that touches your business or systems. The ticking time bomb of software-related liability is especially acute in the current age of frequently downloaded code -- anything from a tiny XML snippet to an entire enterprise datacenter stack.
This should be pretty obvious, but let's run through some of the logic of software self-insurance via an example near and dear to many of us homeowners. I happen to live in a place, northern New England, where it snows a lot in the winter, and we have lightning storms sometimes in the summer. So do I have snow insurance? Would I rest easy by spending a lot of money to insure myself against snow, let the stuff fall as it may, tally up the lost work and productivity, and get a payment (minus deductible!) from my insurer in June based on how many feet of snow fell the previous season?
Nope, of course not. I have a snow-blower, a set of shovels, a pile of salted sand, a strong back, and a dependable lad with a big plow truck that I pay to move the drifts from my long driveway. (And you do a helluva job, Dan; thanks.) I take care of my own snow. For snow, I am self-insured, at least until global warming makes New Hampshire climatologically akin to present-day Georgia.
However, for far rarer lightning strikes I have insurance to cover me in the extremely dim possibility that the house will burn down from a bolt from the blue ... err, gray. And the homeowner's policy insists that I have a well-grounded electrical system that meets building codes. So my premiums are pretty low. Works out pretty well for me, the insurer, and the mortgage holder.
So apply this same logic to the notion of insurance and software. Chances are that software happens to you in your business more than snow happens to me at 44 degrees latitude. For a rapidly increasing portion of many businesses, software is, in effect, the business. And as we well know, more open-sourced, mixed-sourced, munged, mingled, mashed-up, and services-enabled (via loosely coupled interoperability) types of code are in vogue. Find me a software vendor that sells only purely in-house developed code and I'll show you a mom and pop shop. Almost all software products are compendiums of software sources. Same for in-house customized development at enterprises.
As a software-intense organization, then, who you gonna call if your software gets you in legal hot water? You shouldn't call anyone; you should do the equivalent of shoveling your own. You should know what's in your own products and additionally protect those downstream from you by telling them what's in the code you provide. Insurers can't help you do a better job at managing code than you could and should do yourself.
If, therefore, you are a low-level software user such as a small business owner, SOHO, or individual, then you don't need software insurance either, because you use shrink-wrapped commercial software or online services. Your legal problems from software should be rare, so rare that you can also self-insure by making sure that your vendor indemnifies you from any risk or liability. You expect that your vendor has its act together, more than you expect anything from some insurance policy.
So who is really going to need significant software insurance? Would having insurance help or hinder your ability as a vendor or VAR to best manage software risk? Would those holding your mortgage (i.e., your investors and stockholders) feel protected by an 85-page insurance policy, or by your internal core competency at knowing what you have for code, what it demands legally for proper use, and how to manage the process across a lifecycle? Can you extend indemnification to your users at low risk to your own business?
I think that procuring software insurance may even increase your risk as a sophisticated user or provider/distributor of code. By buying insurance you may think that you are protected, and become or remain lackadaisical about managing your code's origins and use provisions. That would be a huge mistake, and no insurance would save you.
Meanwhile, the insurance company that has provided someone with software coverage has two options to stay in business: 1) build in lots of loopholes so that your actual coverage is like Swiss cheese, or 2) enforce upon the policy holder (at their cost) the tenets of good software hygiene, in effect defining what amounts to proper code conduct and then making sure it's done. In this more likely scenario, you are really paying the insurance company to define best software practices for you, but if you don't follow the strictures your coverage is void. Gee, thanks.
Do we really want insurance companies to define software use best practices? These are not steam boilers. Frankly, I don't trust an insurance company to figure out how to manage the fast-moving world of mixed-source code and overlapping license legalities. If you have dealt with an insurance company over an automobile involved in any accident, you know where I am coming from.
My advice to enterprises: Do software risk management yourself, hire internal counsel, and begin to avail yourself of the burgeoning new market for tools and services to manage code and software-related risks. This is simply a needed maturity move for the risk-managed use of software in all its permutations. Think of it as Sarbanes-Oxley, or general governance, for a key resource and asset: software.
But don't wait for a law; get started on self-insurance yourself, and -- as a start -- insist as a consumer that those providing you code under any license be competent at self-insurance, too, and expose what they have under the hood so you can manage your own proper use and customizations.
One of the best ideas I've seen on this needed drive to self-enable management of the core and essential asset of software is the methodology and logic of IPIngredients.org. The notion -- far better than software insurance -- is simply to strongly encourage providers and distributors of software to list definitively what code and licenses exist in a distribution. If you are buying it or downloading it, shouldn't you know what you are ingesting into your own systems?
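To make the "ingredients list" idea concrete, here is an added example (not from this post, and not IPIngredients.org's or Palamida's own tooling) of the kind of audit a self-insured distributor would run over its own manifest: every component must have a recorded license, that license must be one the business has decided it may ship, and the resulting listing is what you hand to those downstream. The manifest layout, the policy table and the sample components are all constructed for illustration.

```python
# Added example: a minimal code-ingredients audit. The manifest format,
# the POLICY table and the SAMPLE components are constructed here for
# illustration; they are not any real project's format or data.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ingredient:
    name: str
    version: str
    license: Optional[str]  # None means the origin/license was never recorded
    source: str             # where the code came from, kept for later audit

# Constructed policy: licenses the business has decided it may ship, and
# which of those carry a notice/use provision that must travel downstream.
POLICY = {
    "permitted": {"MIT", "BSD-3-Clause", "Apache-2.0", "LGPL-2.1-only"},
    "notice_required": {"Apache-2.0", "LGPL-2.1-only"},
}

def audit(manifest, policy=POLICY):
    """Return (name, reason) for every ingredient that blocks self-insurance."""
    findings = []
    for ing in manifest:
        if ing.license is None:
            findings.append((ing.name, "license unknown; origin not recorded"))
        elif ing.license not in policy["permitted"]:
            findings.append((ing.name, f"license {ing.license} not permitted"))
    return findings

def downstream_listing(manifest, policy=POLICY):
    """Lines a distributor hands to its own customers: name, version, license."""
    lines = []
    for ing in sorted(manifest, key=lambda i: i.name):
        lic = ing.license or "UNKNOWN"
        flag = " [notice required]" if lic in policy["notice_required"] else ""
        lines.append(f"{ing.name} {ing.version} {lic}{flag}")
    return lines

# Constructed sample distribution: one clean vendor drop, one snippet of
# unknown origin, one copyleft tarball outside policy, one distro package.
SAMPLE = [
    Ingredient("xmlsnip", "1.2", "MIT", "vendor drop"),
    Ingredient("logkit", "0.9", None, "copied from a forum post"),
    Ingredient("dbpool", "3.1", "GPL-3.0-only", "downloaded tarball"),
    Ingredient("httpd-lib", "2.4", "Apache-2.0", "distro package"),
]
```

Running `audit(SAMPLE)` flags `logkit` (no recorded license) and `dbpool` (license outside policy), while `downstream_listing(SAMPLE)` produces the ingredient list you would ship alongside the code, with the Apache-2.0 notice obligation marked.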
Palamida Inc. is the driving force behind IPIngredients.org, and they also have a commercial rationale for promoting good software hygiene. Their products help assess and manage code intellectual property. I'd frankly rather see an IP risk solution come from a company that enables software self-insurance than have lawyers hired by an insurance company define best practices, and charge me to enforce it myself.
Let's have some entity like IPIngredients.org define software IP best practices and help band together the consumers and providers of software to determine the natural evolution of the industry for the best. Perhaps IPIngredients.org could evolve further into the equivalent of an Underwriters Lab for software use. Does anyone worry when they buy a toaster that it will burn the house down? Not since some standards and best practices enforcement was developed. I'd just like to see the whole phase of having an insurance industry further involved in software be sidestepped altogether.
Indeed, it seems to me that the software insurance companies would be the first to line up and demand that all the ingredients in software be identified in the way advocated by IPIngredients.org anyway. Let's adopt, by mutual assured protection, full visibility into software ingredients now, and cut the insurance companies out before they get in with some sort of unneeded tax (which is what a lot of insurance ends up as) on what you should do as a responsible user and seller of code anyway.
Once code ingredients are clearly labeled and tracked, the empowerment of self-insurance and indemnification will become a self-regulating and mutually reinforcing necessity. The day should not be far off when the only code any responsible business or supplier uses is that which is properly identified and managed.