Picture this scenario: Suppose Company A acquires Company B, a hardware vendor that incorporates the Linux kernel into its products. After the acquisition is complete, however, an unfortunate thing happens. Linux developers bring suit against Company B, alleging violations of the Gnu GPL (General Public License). As part of the settlement, Company A agrees to open source all of Company B's code, even the previously proprietary parts.
We could call these companies Cisco and Linksys, but let's keep it hypothetical. With the stroke of a pen, Company A has lost some of the business value of its purchase of Company B. Wouldn't it be neat if Company A could have bought insurance to protect itself against that unforeseen loss?
Almost two years ago, CEO of open source license compliance consultancy Open Source Risk Management (OSRM), Daniel Egger, began going door to door to Global 2000 companies, asking this very question. He garnered a lot of interest, but there was one piece missing. At that time, no such insurance existed.
Today it does. During the past 18 months, Egger has partnered with Kiln, a Lloyd's of London insurance underwriter, and Miller Insurance Services, a Lloyd's broker, to develop a unique insurance product designed specifically for commercial IT vendors that incorporate open source into their products. You may know the Lloyd's name from some of the more gossip-worthy assets it has insured in the past: Betty Grable's legs, for example, or Keith Richards' fingers. But such policies are more than mere publicity stunts. The unique Lloyd's business model - Lloyd's is a kind of marketplace, rather than a single company - allows it to take on such unusual risks. Risks, for example, such as open source software.
"Nobody's ever done anything even close to it before, but it fits naturally into a suite of business that I look at," Kiln underwriter, Matthew Hogg, said. "In the modern knowledge economy, why are companies still buying their property insurance, or whatever, when their risks are actually held in intangible assets?"
The policy OSRM and Kiln have developed takes advantage of the fact that cases like these go to court. "It doesn't pay your legal bills, so there's no incentive to feed the litigation monster," OSRM's Egger said.
Instead, the policy covers the terms of the inevitable settlement. It will either reimburse a company for loss of business value associated with open sourcing proprietary code, as mentioned earlier, or else it will underwrite the cost of re-engineering a product to bring it into full compliance. The policy covers liability of as much as $US10 million, at a cost of about $US20,000 per $US1 million of coverage per year.
Critics say the insurance will only encourage companies to infringe on open source licenses more often, but that's not how it works. Just as an appraiser must judge that a new factory building is sound before it can be insured, OSRM acts as Kiln's appraiser in evaluating potential clients' software environments and practices for good open source citizenship.
"We do a good job for Kiln if we advise the clients on how to be so compliant that they never have any claims," Egger said. "Our approach is to look at what they're doing, and if it's not already completely safe, make recommendations of what they could do."
By eliminating the last element of doubt companies have about using open source, Hogg said, Kiln's insurance makes open source code more freely accessible. And after all, isn't that what open source is all about?