I used a library licensed under GPL v3 in a client’s closed-source SaaS product. The client was audited during an acquisition, and the buyer’s lawyers found the GPL code. They are demanding the client open-source their entire codebase or rewrite the software. The client is suing me for the $200,000 rewrite cost and the “diminished value” of their IP.
Key Takeaways
- IP Infringement: Misusing a license is a form of copyright infringement.
- Professional Negligence: Failing to check the license compatibility is a professional error.
- “Viral” Licenses: GPL’s copyleft terms extend to the combined work, so the client’s proprietary code built on the library becomes subject to the same source-disclosure obligations. The damages are massive because the client’s proprietary code is now technically “free.”
- Mitigation: Insurance pays for the “rectification” (the rewrite) to avoid the larger lawsuit of losing the IP.
The “Why”: The Intellectual Property Extension
The Trap: Some E&O policies exclude “Copyright Infringement” unless it’s specifically endorsed.
You need a policy that covers “Intellectual Property Liability” arising from your software development services.
Note: Some policies exclude “Open Source violations” specifically. You must check the fine print for “OSS Exclusion.”
The Investigation: I Quoted 3 Major Carriers
1. CNA (Tech Choice)
- My Analysis: They are sophisticated. They understand open source. Their “Information Risk” policy usually covers the liability from “unintentional violation of software license agreements.”
2. The Hartford
- My Analysis: They have a specific endorsement for “Software Copyright.” As long as you didn’t do it maliciously (knowing it was GPL and hiding it), they cover the negligence.
3. Embroker
- My Analysis: Tech-focused startup policies here usually include this. They know modern coding is 90% libraries.
[IMAGE: Diagram showing “Copyleft” viral effect on proprietary code]
Comparison Table: License Violation Liability
| Carrier | Covers OSS Violations? | Exclusion Check | Cost | Best For… |
|---|---|---|---|---|
| CNA | Yes | Check “OSS Exclusion” | $ | Enterprise Devs |
| Hartford | Yes | Standard IP | | Agencies |
| Generic | No | IP Exclusion | $ | Avoid |
Step-by-Step Action Plan
- Isolate the Library: Identify exactly which dependency is GPL.
- Estimate Rewrite: How many hours to swap it for an MIT/Apache alternative?
- Notify Carrier: Report “Copyright / License Breach Claim.”
- Do Not Open Source It: Don’t let the client release their code yet. Fix the library first.
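A practical way to carry out the “Isolate the Library” step across the whole dependency tree (the tree you are answerable for, as the FAQ below notes for npm) is to classify every package’s declared license before the buyer’s lawyers do. The script below is an added example, not code from the original post or from any carrier. It runs over a constructed in-memory tree whose package names are made up for illustration, and the license patterns it matches are a starting set of SPDX identifiers, not a complete legal classification.

```javascript
// Added example (not from the original post): flag copyleft packages in a dependency tree.
// SAMPLE_TREE is constructed for illustration; its package names are not real npm packages.

const SEVERITY = { permissive: 0, 'weak-copyleft': 1, unknown: 2, 'strong-copyleft': 3 };

const STRONG_COPYLEFT = /^A?GPL(-|$)/i;              // GPL-2.0, GPL-3.0-only, AGPL-3.0, ...
const WEAK_COPYLEFT = /^(LGPL|MPL|EPL|CDDL)(-|$)/i;   // file- or library-level copyleft
const PERMISSIVE = /^(MIT|ISC|0BSD|BSD-\d-Clause|Apache-2\.0|Unlicense|CC0-1\.0|Zlib)$/i;

// Classify one SPDX licence identifier. Anything unrecognised (UNLICENSED, "SEE LICENSE IN
// ...", custom text, typos) is reported as unknown so a human reads the licence file.
function classifyId(id) {
  if (STRONG_COPYLEFT.test(id)) return 'strong-copyleft';
  if (WEAK_COPYLEFT.test(id)) return 'weak-copyleft';
  if (PERMISSIVE.test(id)) return 'permissive';
  return 'unknown';
}

// Classify an SPDX expression. "A OR B" lets the user pick the friendlier option; "A AND B"
// binds them to the stricter one. Nested parentheses are not parsed and come back as unknown.
function classifyExpression(expr) {
  if (typeof expr !== 'string' || expr.trim() === '') return { category: 'unknown', chosen: null };
  const text = expr.trim().replace(/^\((.*)\)$/, '$1');
  if (/[()]/.test(text)) return { category: 'unknown', chosen: text };
  let best = null;
  for (const alternative of text.split(/\s+OR\s+/i)) {
    const parts = alternative.split(/\s+AND\s+/i).map((s) => s.trim());
    const worst = parts.map(classifyId).reduce((a, b) => (SEVERITY[a] >= SEVERITY[b] ? a : b));
    if (best === null || SEVERITY[worst] < SEVERITY[best.category]) {
      best = { category: worst, chosen: alternative.trim() };
    }
  }
  return best;
}

// package.json has had several shapes: "license": "MIT", "license": { "type": "MIT" },
// and a legacy "licenses" array (any-of semantics, so it is joined with OR).
function licenseField(pkg) {
  if (typeof pkg.license === 'string') return pkg.license;
  if (pkg.license && typeof pkg.license.type === 'string') return pkg.license.type;
  if (Array.isArray(pkg.licenses)) return pkg.licenses.map((l) => l.type || l).join(' OR ');
  return '';
}

// Depth-first walk over { name, version, license, dependencies: [...] } objects. The root is
// the project itself and is not audited. Each name@version is reported once, with the first
// dependency path that reached it; permissive packages are left out of the report.
function auditTree(root) {
  const seen = new Set();
  const findings = [];
  const visit = (pkg, path) => {
    const key = `${pkg.name}@${pkg.version}`;
    if (seen.has(key)) return;
    seen.add(key);
    const here = [...path, pkg.name];
    const declared = licenseField(pkg);
    const { category, chosen } = classifyExpression(declared);
    if (category !== 'permissive') {
      findings.push({ name: pkg.name, version: pkg.version, license: declared || '(none)',
        chosen, category, path: here.join(' > ') });
    }
    for (const dep of pkg.dependencies || []) visit(dep, here);
  };
  for (const dep of root.dependencies || []) visit(dep, [root.name]);
  // Stable sort: worst category first, traversal order preserved within a category.
  return findings.sort((a, b) => SEVERITY[b.category] - SEVERITY[a.category]);
}

// True when the tree contains something that would put the proprietary code under copyleft.
function hasBlockingFindings(findings) {
  return findings.some((f) => f.category === 'strong-copyleft');
}

// Constructed sample: a closed-source project with one clean, one dual-licensed, one
// weak-copyleft, one legacy-format GPL and one undeclared dependency.
const SAMPLE_TREE = {
  name: 'client-saas', version: '1.0.0', license: 'UNLICENSED', dependencies: [
    { name: 'web-framework', version: '4.18.2', license: 'MIT', dependencies: [
      { name: 'debug-log', version: '2.6.9', license: 'MIT', dependencies: [] }] },
    { name: 'pdf-render', version: '2.1.0', license: 'AGPL-3.0-only', dependencies: [] },
    { name: 'dual-lib', version: '1.4.0', license: '(MIT OR GPL-3.0)', dependencies: [] },
    { name: 'linker-lib', version: '0.9.0', license: 'LGPL-2.1-or-later', dependencies: [
      { name: 'old-style', version: '0.1.0', license: { type: 'GPL-2.0' }, dependencies: [] }] },
    { name: 'mystery', version: '3.0.0', dependencies: [] },
  ],
};

const report = auditTree(SAMPLE_TREE);
for (const f of report) {
  console.log(`[${f.category}] ${f.name}@${f.version} (${f.license}) via ${f.path}`);
}
console.log(hasBlockingFindings(report) ? 'BLOCKING: rewrite before any release' : 'no strong copyleft found');
```

To run this against a real project, build the tree from the package.json files under node_modules (name, version, license, dependencies) and pass it to auditTree. Treat every 'unknown' as a prompt to read the license text by hand, and treat an OR expression as a choice you must make and record in the project, not as automatically safe; the script only reports which alternative would be the friendlier one.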
FAQ
Is this a crime?
No, it’s a civil breach of copyright license.
I used a package manager (npm). Am I liable?
Yes. You are responsible for the dependency tree you import.
Will insurance pay for the rewrite?
Yes, if it mitigates the larger claim of “Your IP is worthless.”