Denver Admits Software Licensing Violations
By Brian Maass
DENVER (CBS4) - Denver taxpayers will be paying millions of dollars more this year for city use of Oracle software after the city admitted it violated its licensing agreements with Oracle and was threatened with a potential $10 million penalty for overuse.
"We are going to look at existing processes and make sure they get better and better," said Scott Cardenas, Chief Information Officer for Denver Technology Services.
Despite repeated requests from CBS4, Cardenas declined to say precisely how the City of Denver got out of compliance with its software licensing and how far out of compliance the city had been.
Denver had contracted with Oracle for years and most recently paid the company about $1 million per year for software and other services. But last summer Oracle informed the city it wanted to audit Denver's use of Oracle software.
Hundreds of pages of emails between the city and Oracle representatives suggest that audit was well underway when Oracle's Richard Luby sent Denver an email in December 2016 saying Oracle had concluded "the current over-deployment would require in excess of $10m (million) to license."
The company went on to say, however, that it was willing to settle for $3 million "if Denver is in agreement on this number."
Within a short period of time, Denver Technology Services put together a new five-year contract bumping up Oracle's compensation for 2017 to nearly $4 million, quadrupling the previous year's compensation, although city technology administrators insisted the increased contract amount was not a fine or penalty for their overuse of Oracle software.
Appearing before Denver city council's finance and governance committee in February, Cardenas told councilmembers the quadrupling of payments to Oracle this year was a "true-up of our licensing going forward."
However, in meeting with council members, Cardenas also acknowledged, "We were non-compliant with our licensing. We were using licensing that we had not updated our licensing model for."
Asked by councilman Kevin Flynn if the increased payment amounted to a fine being paid to Oracle, Cardenas said, "It is not a fine … it's a true up … to get to the right licensing count."
Jenny Schiavone, a spokesperson for the city, told CBS4, "The old one was an outdated licensing model for the city and the new one right-sized our agreement and modernized the service structure for our current and future needs … this was all part of a normal business model true-up for a technology department."
Craig Guarente, a former Oracle vice president of contracts and business practices, who now runs a consulting firm for government agencies and companies that run afoul of Oracle licensing requirements, said what Oracle did to Denver could have easily been prevented.
"Denver paid a price -- a penalty -- for being out of compliance, and it was millions of dollars," said Guarente.
He made the comments after reviewing contracts between Denver and Oracle and the hundreds of pages of emails obtained by CBS under an open records request.
"And the city thought, 'We've been caught, so we need to pay up,'" said Guarente.
He went on to say that Oracle makes it difficult for their customers to remain compliant with their licenses. He says the company then audits software usage, usually finding massive violations, leading to fat new contracts.
"If they (City of Denver) were on top of this and more proactive they might not have needed to do another deal with Oracle. If you are out of compliance and they find that, they use that to pressure you to do things like give them millions of dollars," said Guarente.
Katie Barron, a spokesperson for Oracle, told CBS4 the company would "decline comment at this time."
Guarente said what Denver went through is commonplace for Oracle clients.
"They put a lot of fear and doubt in their client and the client caves. It's like shock and awe," he said.
He said Denver "dropped the ball and got what they got because they weren't keeping their eye on the ball. If they had done what they should have done they wouldn't be paying this money to Oracle."
How did it happen? CBS4 repeatedly asked that question of Cardenas but he would not directly address the question.
"How did you guys get so far out of compliance?" he was asked.
"This was an exercise to get back into compliance," Cardenas responded.
Amber Miller, a spokesperson for Mayor Michael Hancock, in January portrayed what happened between Oracle and Denver as a simple renegotiation with no connection to Denver's mismanagement of software.
"Oracle offered the city the opportunity to renegotiate its bundle of services, and the city is in the process of negotiating with Oracle to right-size its licenses," said Miller.
Cardenas said going forward the city will monitor its software usage more closely, likely reviewing usage on a quarterly basis instead of an annual basis.
"The controls were not as tight as they needed to be," said Cardenas.
Guarente says other municipalities should pay close attention to what just happened to Denver and learn from the experience.
CBS4 has learned that Oracle has now contacted Denver International Airport asking to audit the airport's use of Oracle software.
CBS4 Investigator Brian Maass has been with the station more than 30 years uncovering waste, fraud and corruption. Follow him on Twitter @Briancbs4.