A Legal Gun in the Open-Source Corral

With users of this software vulnerable to lawsuits, venture capitalist Daniel Egger sees a profit by offering protection

Who says litigation is always bad for business? SCO Group's (SCOX) lawsuit against sellers or users of the Linux open-source operating system created a market opportunity for venture capitalist Daniel Egger. In the summer of 2003, the Yale University Law School grad funded the Open Source Risk Management group (OSRM). The 10-employee company is building a business around helping companies that use open-source software products get insurance protection against patent-infringement and copyright lawsuits.

BusinessWeek Online Technology Editor Alex Salkever talked to Egger on Nov. 11 about his new company. Edited excerpts of the conversation follow:

Q: So what exactly does your company do?


People have known for a long time about the risk that patents pose to open-source software. There's no one company that owns the code and has a financial interest in defending everyone who is using it. You have hundreds of contributors. There's a gap in the way the licenses work. There's no warranty coverage. So open-source software remains vulnerable to patent lawsuits.

Looking at that, we thought we could create a company that fills that gap. We could provide a warranty for Linux and other open-source software, and we will do exactly what the owner would do if they were going to offer a warranty. We will do due diligence of the code. We will offer a so-called clearance. And we will go out and find people in the insurance industry to take on this risk. We'll make a market on this risk.

Q: That sounds tricky. How does it work?


It might sound tricky, but what we have found is that these are risks that are similar in scope to other risks that the insurance industry covers. They're not radically different, and they're not radically more expensive. It's not cheap, but it's doable.

A company that would want a $5 million maximum loss would pay a $150,000 annual premium and less if they're willing to have a big deductible. We estimate the cost of indemnification built into proprietary software runs around 2% or 3%. You don't see it because it's hidden, but you pay for it.

For example, Microsoft (MSFT) carries $2 billion worth of reinsurance capacity for this purpose. It's not something people see broken out on their invoice. We would offer this service to large and midsize companies using open-source software that want to minimize their risk.

Q: What has the response been?


For now, we're only offering consulting services, and we're in the process of setting up coverage products with the help of insurance companies. But we've gotten a very positive response not only from potential customers but also from the insurance industry. They know this is a large market.

One insurance executive told me he thought the business could bring in $600 million to $900 million in annual premiums. But [open-source software] is so unfamiliar to the insurance industry that they need technical assistance. A lot of what we have been doing until now is strategic consulting and education to the insurance industry to bring them up to speed.

Q: It's one thing to indemnify against a risk but entirely another thing to make that risk a negligible thing. For example, if you get sued over this stuff, it can cost a company precious brain power as it tries to find the right lawyers and put its IT strategies on hold as it figures out what's going to happen. How can you guard against these additional issues?


That's the key question. Is it possible to construct a solution that not only provides financial protection but also minimizes the hassle? And that is what OSRM is building today.

If you get a demand letter notifying you of a lawsuit, we provide a standardized response to that letter [that is] crafted by experienced attorneys. If you get sued, we recommend counsel who knows how to defend these cases. We can help provide witnesses. The goal is to take the risk of running open source off the table so it just doesn't matter.

Q: But you aren't running a charity. What's in it for you?


We don't actually underwrite the insurance, but we get paid a fee for providing underwriting and loss-control services and to manage the accounts. We're paid to help minimize losses. Loss-control services are typically receiving 7% to 10% of the premium.

Q: So best-case scenario, you are talking about a $90 million-a-year business? That's not exactly eBay (EBAY).


Most VCs would tell you that if they could get a company to $90 million in revenues in four years they would be pretty happy. It would be a good return on equity. Equally important, we are also motivated to solve a problem that's holding back the high-tech world as a whole. We've been able to attract brilliant people because they see this as an important problem, and they gravitate to that.