GPL 3 Good For SOX?
The GPL open source license does not increase legal risk to companies that are governed by the Sarbanes-Oxley Act of 2002 (SOX), according to the Software Freedom Law Center (SFLC).
In fact, the GPL may become better suited to SOX compliance, thanks to proposed additions in the draft of the GPL version 3 license.
Embedded software maker Wasabi Systems has alleged in a pair of whitepapers that violations of Linux's GPL license are, for public companies, violations of U.S. securities law, whether or not the executives of the violating company are aware of them.
The SFLC argues in a whitepaper called "Sarbanes-Oxley and the GPL: No Special Risk" that there is in fact no additional risk to SOX-regulated companies and that arguments to the contrary are "pure anti-GPL FUD" (Fear, Uncertainty, Doubt).
Eben Moglen, chair of the SFLC and one of the authors of the GPL, wrote in a statement that there is no new need for concern for users of GPL-licensed software.
"The fact remains that no criminal charges on the basis of violating the SOX Act have ever been brought against a GPL user," Moglen stated.
The SFLC paper contends that an enterprise that files Securities and Exchange Commission (SEC) reports does not necessarily have to disclose particulars of license usage in a filing if the usage of the license is deemed to be immaterial to the business.
The paper also notes that SOX-mandated companies bear the cost of compliance with SOX no matter what software licenses they use.
Potential violations of the GPL may well pose less financial risk than violations of proprietary software licenses.
"Historically, GPL violations have not triggered massive lawsuits for damages the way that violations of proprietary license agreements have," the SFLC's paper states.
"The primary enforcer of the GPL is the Free Software Foundation (FSF), who has never used a GPL violation as the basis to go to court to seek a large damage award or enjoin software distribution."
"The FSF's stated policy is to ensure compliance, not to prevent software distribution or to seek damages."
The SFLC's paper also notes that "the dangers of accidental criminal liability under SOX are no greater for GPL'd software than for non-GPL'd software."
"While GPLv3 isn't final, we anticipate that it will include a 60-day cure provision, which would make the possibility of getting caught up in an accidental SOX violation even more remote," SFLC attorney Karen Sandler told internetnews.com.
A Wasabi Systems spokesperson was not immediately available for comment. It should be noted that Wasabi's Certified BSD product competes against embedded Linux.
The stakes for embedded Linux players are high, as the market, according to one analyst group, is worth at least $100 million a year and is still growing.