Role of Risk Management

Recently, a company named Open Source Risk Management (OSRM, located at http://www.osriskmanagement.com) conducted an extensive review of the Linux 2.4 and 2.6 kernels and concluded that the kernels contain no copyrighted code. With their review complete, the company is now offering indemnification for legal costs associated with open source software, at a rate of $30,000 for $1 million of coverage.

Recently, a company named Open Source Risk Management (OSRM, located at http://www.osriskmanagement.com) conducted an extensive review of the Linux 2.4 and 2.6 kernels and concluded that the kernels contain no copyrighted code. With their review complete, the company is now offering indemnification for legal costs associated with open source software, at a rate of $30,000 for $1 million of coverage.

While some have accused OSRM of building on fears generated by SCO to sell a product that no one really needs — in effect soiling the purity of Linux with excess commercial baggage — OSRM’s insurance is a product that’s needed and its arrival is a sign of the maturity of Linux. Headed by Yale-educated attorney Daniel Egger, a venture capitalist, OSRM is working with open source leaders, as well as Global 500 CIOs, to remove a serious, but less-discussed obstacle to the adoption of Linux and other open source technologies: risk management.

Previously, if a far-thinking (or paranoid) CIO had questioned his or her IT staff about legal liabilities surrounding the use of Linux, the responses would likely have been a shrug and a convinced (albeit erroneous) “that can’t happen.” Now, whatever the outcome of SCO v. IBM, the case has caused users to set aside Pollyanna views about Linux, sparking concerns about trade secrets, security hazards, errors and omissions, infringement of copyrights, trademarks, and patents.

To be sure, these concerns aren’t limited solely to Linux. A business must limit its risk and liability in all aspects of its operation. Indeed, risk management (and its government corollary, regulations) is a part of every industry.

For example, the auto industry spends a lot of time measuring accident rates per highway mile and talking with product liability attorneys to mitigate the risks and liabilities incumbent with manufacturing and marketing automobiles. At the same time, you mitigate your own risk and liability as the owner and operator of an automobile by purchasing auto insurance (and asking legislators to require auto insurance of every driver).

While companies such as Red Hat and Novell manufacture and market a very different product, many of the incumbent risks and liabilities are the same as, say, a General Motors or Ford. So we can hardly expect Linux to emerge as a full-fledged “industry” without adopting the same types of risk management infrastructures that businesses in other industries use to plan their cash flow and protect their assets.

The software industry already has good models for managing technical risks: many Linux vendors provide comprehensive technical support contracts, 24/7 phone support, one hour response time, on-site replacement, and other “insurance” measures. And businesses already manage risks related to legal liabilities. But up until now, they’ve been unable to include their open source products in the picture. That was a glaring omission: with patent infringement suits running into the millions of dollars and the ownership of open source code in question — after all, who owns an open source project, and who are the likely defendants? — no CIO could predict what kinds of lawsuits to expect.

The indemnification programs discussed in May 2004's "On the Docket" are another form of risk management. Indemnification is one assurance vendors can offer to reduce fears and prevent potential users from fleeing Linux because of liability concerns. But those programs are necessarily limited, either to one company's products, to one type of legal liability, or in other ways.

With their analysis of the Linux kernel completed, OSRM will soon be able to insure a broad range of open source developers and end-users. They hope to interest re-insurers (specialists that insure the insurance companies) in the near future and create a new insurance market based on the expertise they’re developing in this niche. OSRM covers all sorts of legal liability related to open source products, including trade secrets, copyright, security breaches, unfair competition, and errors & omissions, as well as defense of patent infringement suits. And OSRM provides coverage without regard to whose open source products you purchased.

To provide its policies, OSRM employs its own team of open source legal experts, who can evaluate claims and defend clients as suits arise. OSRM is also working with CIOs to develop best business practices so that employees are less likely to take actions that expose their companies to liability.

Providing insurance changes the dynamics of lawsuits: it makes settling a case more likely in many situations; it levels the playing field between businesses of different sizes; it discourages nuisance suits by defining the legal landscape in an unsettled field of law. In the end, OSRM’s Egger hopes that it will lead to more rapid adoption of open source technologies by a broader range of organizations.

Some may bemoan the advent of open source insurance as a sign of rampant pending litigation and cynicism, but it also means more of the necessary business infrastructure will surround Linux.

Like your father’s quip about you paying for your own auto insurance, it’s all a part of growing up.


Nicholas Wells has written numerous books on Linux, Apache, network security, and related topics. You can reach Nick at nwells@law.gwu.edu.