In a previous blog about SAM processes I mentioned the Human Resources department (HR) as a major participant. Last week I met an HR Manager of a midsize company. Among other topics we talked about my statements regarding the role of HR in SAM processes. She appears to have a good relationship with the IT department (IT). They communicate regularly and, thanks to her input, the software licenses are managed well. In terms of legislation and training, however, there are gaps: risks that they did not expect.
First, the processes: they are running smoothly. She reports new employees, ‘joiners’, to IT two weeks before they start. IT prepares a desktop or laptop with all the applications that are standard for the joiner’s function. Employees can request additional software from IT. Their manager approves the request. HR is informed.
For employees who leave the company, ‘leavers’, the procedure is similar. No later than the day after the leaver has handed over his stuff, his accounts and email are blocked. Attention is paid to disabling Salesforce accounts. If this is not done, the employee, who is already working for another firm, still has access to company-critical data.
The licenses of the returned software are released for reuse, in compliance with the rules of the supplier (e.g. 90 days at Microsoft).
This company apparently ensures that all employees have the software they need. But what if an employee installs pirated software on his laptop anyway? Is he able to do that in the first place, does he have the credentials? Are laptops checked regularly? Is the company aware of the risks in this area? The response from our HR manager is clear: users have administrator rights, we hardly check and personally I never realized that this would be a risk.
In August 2016, the court ruled in a lawsuit brought by Siemens against a customer.* The employer had provided a laptop to an external employee. The employee installed and used Siemens software illegally. The employer was not aware of this and believed that he could not have prevented it. The court ruled otherwise. The employer had to pay more than € 13,000 to Siemens for missed license and maintenance fees and, on top of that, the full costs of the proceedings, more than € 9,000.
This is a recent example, and there are many more. The company of our HR Manager admittedly does not use Siemens software, but the risk is not any less. A pirated version of an Adobe product is simply downloaded and installed. And they do use Adobe software!
The employer is liable, but what can he do? It starts with a clear statement in the employment or assignment contract that installing and using illegal software is strictly prohibited. Compliance with this prohibition should then be monitored, and violations must be sanctioned. Training regarding ethics, compliance, and the like can be used to re-emphasize the impact of this issue.
Fortunately, the HR manager has a good relationship with IT. They will solve this together, with – in this case – HR in the lead!
Hans van der Zanden
Co-founder and CFO of In2SAM BV, The Netherlands
Process guru for 25 years
Expert added to ISO Workgroup 21, co-editor of additions to ISO 19770
* For a detailed explanation, see the column by Maarten Menger (in Dutch), http://www.mkbservicedesk.nl/10676/ben-aansprakelijk-voor-illegale-software.htm#
The verdict can be found at https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBROT:2016:6240