Private members-only forum

Got a software license audit letter from BSA - am I screwed?

Started by julia.w_6 · Feb 20, 2026 · 26 replies
For informational purposes only. Not legal advice.
JW
julia.w_6 OP

Our company (manufacturing, 45 employees) just received a letter from the Business Software Alliance demanding a full software license audit within 21 days. They claim they have "credible evidence" of unlicensed software use.

Honestly - yeah, we probably have some compliance issues. When I started as IT manager 8 months ago, software licensing was a mess. Previous IT guy just installed whatever was needed without tracking licenses. I've been trying to clean it up but haven't finished.

I'm pretty sure we have:

  • 3-4 unlicensed copies of Adobe Creative Cloud
  • Maybe 5-6 extra Windows Pro installs beyond our volume license
  • Some AutoCAD installations that might not be properly licensed (our engineers share logins)

The letter says we have to provide a complete inventory of all software, license documentation, and proof of purchase within 21 days or they'll pursue legal action.

What should I do? Ignore it? Respond and hope for the best? Hire a lawyer immediately? How bad can this get?

EM
employeerights_6 Attorney

IP attorney here. DO NOT IGNORE THIS. BSA letters are serious and they absolutely will sue if you don't respond.

Here's what happens next:

1. If you ignore it: They file a copyright infringement lawsuit. Statutory damages can be $750-$150,000 PER SOFTWARE TITLE, plus attorney fees. For even a modest case, you're looking at $100K+ in damages.

2. If you respond and cooperate: You'll likely settle for 2-5x the retail cost of the unlicensed software plus back maintenance/subscription fees. Much cheaper than litigation.

What to do RIGHT NOW:

  • Hire an attorney who specializes in software licensing disputes (don't use your general business lawyer)
  • Conduct internal audit ASAP to know your actual exposure
  • Do NOT delete or uninstall anything - that's destruction of evidence
  • Have your attorney respond to BSA requesting extension to gather information
  • Start settlement negotiations through counsel

Budget for this: $10K-$30K in legal fees, plus settlement amount which could be $20K-$100K depending on violations. It sucks but it's way less than litigation.

JW
julia.w_6 OP

@employeerights_6 $100K+ settlement?? Our CEO is going to lose his mind. We're a $3M/year revenue company, that's huge for us ngl.

Two questions:

2. If I run the audit myself and find we're missing like $15K worth of licenses, can I just go buy them now and then say we're compliant?

JF
Joe_from_TX_13

Went through BSA audit in 2023. To answer your questions:

1. They usually find out from disgruntled employees who report companies to their hotline. Sometimes IT vendors tip them off. Occasionally it's just industry targeting.

2. NO - don't just buy licenses and pretend you were always compliant. They want proof of WHEN you purchased licenses vs when you installed software. If you try to backdate compliance it looks like you're covering up, which makes settlement harder.

Our situation: We had about $25K in unlicensed Microsoft and Adobe products. Settled for $62K total ($25K for licenses, $18K in back maintenance, $19K penalty). Painful but could've been way worse if we fought it.

The key is cooperating fully and showing good faith. We got credit for immediately buying the proper licenses as part of settlement.

EM
employeerights_6 Attorney

@julia.w_6 - Don't panic about the $100K number. That was worst-case litigation scenario. If you cooperate and settle, it'll likely be much less.

Typical settlement formula:

  • Cost of missing licenses (retail price)
  • Back maintenance/subscription fees (usually 2-3 years)
  • Penalty multiplier (1.5x - 3x depending on severity and cooperation)
  • Your legal fees to negotiate

So if you have $15K in unlicensed software:

$15K (licenses) + $9K (3 years maintenance at ~20%) + penalty multiplier of 2x = ~$48K settlement, plus your legal fees (~$8-12K).

The multiplier goes DOWN if you:

  • Respond quickly and cooperatively
  • Conduct thorough self-audit
  • Immediately purchase compliance licenses
  • Implement compliance procedures going forward

The multiplier goes UP if you:

  • Delay or obstruct
  • Destroy evidence
  • Underreport violations
  • Were previously audited and still non-compliant

GB
gavel_banger_2

Former software asset manager here. For your internal audit, use tools like:

  • Microsoft: MAP Toolkit (free) or License Advisor
  • Adobe: Adobe License Decoder or manual Creative Cloud admin console review
  • General: Lansweeper, Spiceworks, or PDQ Inventory to scan all endpoints

Document EVERYTHING:

  • Every installation found
  • All license certificates/purchase orders you have
  • Email trails showing purchase approvals
  • Credit card/invoice records from software vendors

The better documented your audit, the more credibility you have in negotiations. If you show up with a professional inventory and honest accounting, BSA is more likely to be reasonable 🤷.

JW
julia.w_6 OP

Update: Talked to CEO and CFO. They're freaking out but agreed to hire an attorney. Got a referral to someone who handles these cases.

Started running inventory scans. It's looking worse than I thought:

  • 7 unlicensed Adobe CC seats (we only bought 3, have 10 active)
  • 12 extra Windows Pro beyond our volume agreement
  • 6 AutoCAD seats vs 4 licenses
  • 2 copies of some random engineering software I didn't even know we had

Rough math is like $35K in retail software cost. Based on @employeerights_6's formula I'm looking at $70-100K total exposure. CEO is talking about firing the previous IT guy but he left 2 years ago so probably can't do anything.

DE
deskjockey_1

CFO perspective: This is why we budget for software compliance audits. Set up recurring calendar reminders to audit your software annually. It's way cheaper to stay compliant than to settle violations.

For going forward after you settle this:

  • Implement software request/approval workflow
  • Quarterly license reconciliation
  • Offboarding checklist that includes returning software licenses
  • Employee training on not sharing logins or installing unauthorized software

Most importantly: Document that you've implemented these controls as part of settlement. Shows good faith and reduces penalty multiplier.

EM
employeerights_6 Attorney

@julia.w_6 - $35K in unlicensed software is significant but not catastrophic. You're solidly in settlement territory, not "make an example of them" litigation territory.

Your attorney will likely:

1. Request extension of response deadline (usually granted)

2. Conduct privileged internal audit (protects you from having to disclose everything)

3. Initiate settlement discussions before submitting full response

4. Negotiate payment terms (many settlements allow 12-24 month payment plans)

The fact that you're a small manufacturer, the violations appear negligent rather than intentional, and you're cooperating will all help. Don't be surprised if you settle for $60-80K total including legal fees.

Budget for it, learn from it, implement controls, move on.

JW
julia.w_6 OP

Quick update: Attorney sent letter to BSA requesting 45-day extension to compile records. They granted 30 days.

We're finishing the full audit and attorney is already having preliminary settlement discussions. BSA's initial demand was $145K (!!!) but attorney says that's standard - they always start high and expect to negotiate down.

He thinks we'll settle around $65-75K based on our cooperation and the nature of violations. We're also immediately purchasing all the proper licenses we need (~$38K) which will count toward settlement no cap.

Still expensive and painful, but at least there's a path through this that doesn't destroy the company.

WW
weekend_warrior_8

For anyone else reading this thread in similar situation: Take software licensing seriously. The BSA is aggressive and they have the resources to pursue companies of any size.

They represent Microsoft, Adobe, Autodesk, Oracle, and dozens of other major vendors. When you see their demand letters, they're not bluffing sadly.

JW
julia.w_6 OP

Final resolution: We settled for $68,500 total. Breakdown was:

  • $38,000 for proper licenses (we had to buy them)
  • $22,000 in back maintenance fees
  • $8,500 penalty (they waived most of it due to cooperation)

Plus $11,200 in legal fees. All in, about $80K to resolve.

Payment plan over 18 months. We have to submit quarterly compliance reports for 2 years.

Expensive lesson but could have been way worse. Implementing all the compliance procedures recommended here. Never want to go through this again.

Thanks everyone for the advice, especially @employeerights_6. Hiring the right attorney made a huge difference in the settlement amount.

OF
omar_fha_15

For DMCA takedowns: the platform has to remove the content "expeditiously" but there's no specific timeline. In practice, most platforms respond within 24-72 hours. If they don't, they lose their safe harbor protection.

SO
sam_ops_402

Reading this six months late but thank you for posting the full breakdown. We just got our own BSA letter last week (logistics company, ~30 employees) and I felt sick to my stomach until I found this thread.

The $68.5K resolution is sobering but at least it gives me a realistic number to bring to ownership instead of just panicking. Going to start the internal inventory tomorrow and call a few attorneys.

DR
DanielR_IT

One thing I'd add from going through this last year: the letter you get is usually a self-audit demand, not an actual on-site audit (at least at first). A lot of people read "audit" and assume people are showing up at the door. They're asking YOU to inventory and report.

That distinction matters because it means you have more control over the process than it feels like in the moment. Get counsel, slow it down, and present an organized picture rather than a chaotic data dump.

QU
questions_4u

Question for anyone who's been through this: does the BSA only go after the software they have "evidence" about, or do they want a complete inventory of everything across all vendors?

Our letter specifically mentions Autodesk but the demand language asks for "all software." Trying to figure out how wide we actually have to open the door.

MF
mike.flynn

@questions_4u in our case the demand was broad ("all software") even though the tip was about one vendor. Our attorney's view was that the scope of what you're contractually obligated to produce comes from the actual license agreements, not from the demand letter's wording.

So whether you really have to inventory everything depends on which EULAs/volume agreements you've accepted and what audit rights they contain. That's exactly the kind of thing worth paying a lawyer to read before you send anything back. Not legal advice, just what worked for us.

RB
RJ_Brooklyn

Update from my earlier lurking: we got a similar letter in March and just wrapped it up. Started at a $96K demand, settled at $41K plus our legal fees (~$9K).

Biggest factor in getting it down was that we could prove the unlicensed installs happened under prior management and we'd already started a cleanup project before the letter arrived. Document your good-faith remediation efforts. It genuinely moved the number.

IC
ip_counsel_mw Attorney

Attorney here (IP/licensing). A few general points for people landing on this thread; none of this is legal advice, and software audit practice varies by vendor and jurisdiction.

First, the reason counsel runs the internal audit rather than IT doing it solo is the attorney-client privilege and work-product protection. An inventory you generate yourself can be discoverable; one prepared at the direction of counsel for the purpose of legal advice generally has more protection. Second, the statutory damages range people keep quoting ($750 to $150,000 per work) comes from federal copyright law, but those are litigation maximums a court could award, not what settlements actually look like. Real-world software settlements are usually built from license cost plus back maintenance plus a multiplier, as others described.

And critically: do not uninstall, wipe, or reimage machines after you receive a preservation or audit demand. Spoliation of evidence can hurt you far more than the underlying shortfall.

GS
gigworker_sf

Does anyone know if having open-source or freeware alternatives installed alongside the paid stuff helps or hurts? We swapped a bunch of paid tools for free ones during cleanup but the old installs are technically still on some machines.

Worried that having both makes it look like we knew we were over-deployed.

DJ
deskjockey_1

@gigworker_sf I'd loop your attorney in before you touch those old installs, for the spoliation reason the lawyer above mentioned. Having a free alternative installed isn't itself a violation, but uninstalling the paid copy after a demand letter is the part that can look bad.

Document the swap with dates and approvals so there's a clean paper trail showing it was a planned migration, not a panic cover-up.

PC
Priya_controller

From the finance side: when we settled ours, the settlement agreement included a release. Make sure your attorney confirms exactly what's being released and for what time period. You want the release to cover the audited products and the pre-settlement period so the same vendors can't come back next year for the same installs.

Also negotiate the compliance-reporting obligations down if you can. We initially got handed a 3-year quarterly reporting requirement and got it trimmed to 1 year. That ongoing burden is a real cost people forget to factor in.

KM
KellyMartinez_Mod Moderator

Great thread, lots of genuinely useful firsthand experience here. Quick reminder to keep specifics like company names and BSA case numbers out of public posts, both for your own protection and because settlement agreements often have confidentiality terms.

Keeping this one open since people are clearly still finding it helpful. Reminder that everything here is members sharing experience, not legal advice for your specific matter.

TM
tonyk_manufacturing

The login-sharing detail in the original post is the one that got us too. Our engineers passed around a couple of AutoCAD logins for years thinking a "seat" meant a person actively using it at that moment.

Turns out most of these licenses are per-named-user or per-device, not per-concurrent-user, unless you specifically bought a concurrent/network license. Worth checking your actual license type before you assume how many you're short. We thought we were 4 over and were actually 7 over once we understood the model.

SK
SaraK_LA

Update on mine: they released the funds on our payment plan question, we got 24 months at no interest after pushing back on the initial 12. If cash flow is tight, ask. The first offer is rarely the final structure.

Also second whoever said to budget for the legal fees separately. Our settlement was $52K but the all-in with counsel was closer to $63K. The fees are not a rounding error.

CQ
contract_questions

For the people just getting their letters now: the single best thing we did was build a clean license-to-install reconciliation spreadsheet before talking numbers. Vendor, product, version, licenses owned (with PO numbers and dates), installs found, gap.

When your attorney walks into settlement talks with that, you control the narrative instead of letting BSA's auditors define your exposure. It also surfaces the spots where YOU were actually compliant and they over-counted, which happens more than you'd think.
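As an added example (not code from this thread or from anyone posting in it): a small Python reconciliation that fills in the "gap" column of the spreadsheet layout above, counting usage by licence model the way tonyk_manufacturing's post above describes (named-user, per-device, concurrent) rather than by raw install count. The vendors, PO references and scan rows are constructed sample data.

```python
from collections import defaultdict

# Constructed entitlements: what can be proven with a PO and date, keyed by (vendor, product).
ENTITLEMENTS = {
    ("Autodesk", "AutoCAD"):      {"model": "named_user", "seats": 4, "po": "PO-EX-1", "date": "2024-03-01"},
    ("Microsoft", "Windows Pro"): {"model": "per_device", "seats": 1, "po": "PO-EX-2", "date": "2023-11-15"},
    ("ExampleCorp", "SimTool"):   {"model": "concurrent", "seats": 2, "po": "PO-EX-3", "date": "2024-06-30"},
}
# Constructed scan rows: (vendor, product, host, person, session_start, session_end).
# Session hours only matter for concurrent licences; None otherwise.
INSTALLS = [
    ("Autodesk", "AutoCAD", "eng-01", "alice", None, None),
    ("Autodesk", "AutoCAD", "eng-02", "bob", None, None),
    ("Autodesk", "AutoCAD", "eng-03", "carol", None, None),
    ("Autodesk", "AutoCAD", "eng-03", "dave", None, None),  # shared workstation, second person
    ("Autodesk", "AutoCAD", "eng-04", "erin", None, None),
    ("Microsoft", "Windows Pro", "eng-01", "alice", None, None),
    ("Microsoft", "Windows Pro", "eng-02", "bob", None, None),
    ("ExampleCorp", "SimTool", "eng-01", "alice", 9, 12),
    ("ExampleCorp", "SimTool", "eng-02", "bob", 10, 14),
    ("ExampleCorp", "SimTool", "eng-03", "carol", 11, 13),
    ("UnknownVendor", "MysteryTool", "eng-05", "frank", None, None),  # no entitlement on file
]

def peak_concurrent(rows):
    """Peak number of overlapping sessions, via a sweep over start/end events."""
    events = sorted([(r[4], 1) for r in rows] + [(r[5], -1) for r in rows])
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

# Usage is counted per licence model: distinct people, distinct hosts, or simultaneous sessions.
USAGE = {
    "named_user": lambda rows: len({r[3] for r in rows}),
    "per_device": lambda rows: len({r[2] for r in rows}),
    "concurrent": peak_concurrent,
}

def reconcile(entitlements, installs):
    """Return {(vendor, product): {model, seats, po, date, owned, used, gap}}."""
    by_product = defaultdict(list)
    for row in installs:
        by_product[(row[0], row[1])].append(row)
    report = {}
    for key in set(by_product) | set(entitlements):
        ent = entitlements.get(key, {"model": "unknown", "seats": 0, "po": None, "date": None})
        rows = by_product.get(key, [])
        used = USAGE.get(ent["model"], len)(rows)  # unknown model: count installs (conservative)
        report[key] = {**ent, "owned": ent["seats"], "used": used, "gap": max(0, used - ent["seats"])}
    return report
```

Note that AutoCAD shows four hosts but five people, so a per-device count would say "compliant" while the named-user count says one seat short.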

NB
northstar_biz

Coming back to close the loop on my situation since this thread helped me so much. Letter in April, settled this month. Started at $110K demand, landed at $47K plus about $10K in fees.

Three things that mattered most, in case it helps the next person: hire counsel who has actually handled software audits specifically, do the internal inventory under that counsel's direction, and show real remediation (we bought the proper licenses and adopted an approval workflow before the final number was set). Cooperation genuinely is rewarded here. Good luck to everyone still in the middle of it.