Due diligence

Typical areas

What are the typical areas of due diligence undertaken in your jurisdiction with respect to technology and intellectual property assets in technology M&A transactions? How is due diligence different for mergers or share acquisitions as compared to carveouts or asset purchases?

Typical areas of intellectual property and technology due diligence undertaken in the United States with respect to technology M&A transactions include:

  • identifying all registrations, issuances and applications for IP assets owned by the target and confirming the status, lien status, chain-of-title, expiration date (if applicable), scope of protection, and ownership thereof;
  • identifying all other IP assets owned or used by the target and confirming the ownership thereof, any restrictions thereon, and the target’s scope of rights therein;
  • reviewing and analysing the target’s agreements with past and present employees, contractors and consultants with respect to the creation and ownership of IP assets and the use and disclosure of trade secrets and other confidential information;
  • identifying and determining the scope of inbound and outbound grants of IP rights granted by or to the target;
  • reviewing and analysing all other IP-related agreements (or IP provisions in agreements), including research and development agreements, consulting agreement, manufacturing, supply, and distribution agreements, settlement agreements, and IP licensing and assignment agreements;
  • determining and analysing the target’s process for IP clearance, protection, and enforcement and for protecting trade secrets and confidential information;
  • determining and analysing any past, present, or threatened IP-related claims or disputes involving the target company, such as infringement actions, cease-and-desist letters, requests for IP-related indemnification, disputes with past and present employees or contractors, and claims for remuneration for the creation of intellectual property;
  • reviewing and analysing the target’s processes and procedures for developing software code, including identifying open source or copyleft code, reviewing source code scans and identifying third-party access to code;
  • requesting and analysing agreements and rights with respect to information technology (IT) rights, assets and equipment;
  • reviewing the target’s implementation of commercially reasonable IT programs for known material gaps and vulnerabilities to assess alignment with industry standards;
  • reviewing the target’s compliance with privacy and data protection laws, contractual obligations and company policies;
  • vetting the extent and ramifications of any data privacy breaches or security incidents; and
  • determining whether and what rights to use personal data will transfer to the buyer.

Although the due diligence process for mergers and share acquisitions and carveouts and asset purchases are similar, there are several key differences. Because carveouts and asset purchase transactions require the assignment and transfer of IP rights from the seller to the buyer, the buyer should confirm that all desired IP assets may be transferred (and are properly transferred) under applicable law. For example, intent-to-use trademark applications may only be assigned under certain circumstances and assignments of trade secrets should be coupled with covenants of the seller not to use or disclose such trade secrets post-closing. Moreover, the buyer should ensure that any shared rights in intellectual property are properly allocated or cross-licensed between the parties post-closing.

If source code or data is being transferred, the right of seller to transfer any third-party code (including open source) or third-party data (including personally identifiable information) should be properly vetted, as well as whether the data was rightfully collected by the seller.

The buyer should review material IP and IT contracts to determine whether they include change of control provisions or anti-assignment provisions triggered by the contemplated transaction. In the United States, the rules governing transferability of IP licences where a contract is silent on transferability varies by applicable state law.

If a carve-out or asset purchase transaction does not include all employees or IP assets relevant to the purchased business, the buyer should perform sufficient diligence to confirm that there is no ‘key man’ risk, whether the seller will need to give or receive any transition services, whether any IT systems and/or data will need to be migrated or separated, and whether the buyer will be able to use, maintain and exploit the purchased IP assets post-closing.

Customary searches

What types of public searches are customarily performed when conducting technology M&A due diligence? What other types of publicly available information can be collected or reviewed in the conduct of technology M&A due diligence?

Counsel for the buyer typically conducts:

  • searches of publicly available databases (including the USPTO, the US Copyright Office, any relevant state trademark office databases and domain name registries) to identify and confirm the status, chain-of-title, expiration date (if applicable), scope of protection and ownership of the registered intellectual property purportedly owned by the seller;
  • trademark clearance and availability searches may be performed to identify potential third-party trademark rights and ‘freedom to operate’ searches may be performed to identify potentially problematic patents;
  • Uniform Commercial Code (UCC) lien searches and searches of the USPTO and the US Copyright Office assignment databases to determine if there are any active and unreleased liens or security interests recorded against the seller’s IP assets;
  • searches of public US court dockets to determine whether the seller has been involved in any IP-related litigation or any litigation related to its IP assets;
  • searches of websites owned by the target to analyse privacy policies, terms of service and other publicly available information regarding the target; and
  • if the target is a public company, searches for public filings of material contracts and other public disclosures, such as annual reports and filings with the Securities and Exchange Commission (eg, 10Ks, 10Qs, etc).
Registrable intellectual property

What types of intellectual property are registrable, what types of intellectual property are not, and what due diligence is typically undertaken with respect to each?

In the United States:

  • patents are registrable with the USPTO and issuance of a patent is required for patent protection;
  • copyrights are registrable with the US Copyright Office but registration of a copyright is not required;
  • trademarks are registrable with the USPTO and with state or local trademark offices but registration of a trademark is not required;
  • trade secrets are not registrable;
  • mask works are registrable with the US Copyright Office and registration is required within two years after the date on which the mask work is first commercially exploited; and
  • domain names are registrable with domain name registrars and registration is required.

With respect to registerable intellectual property, the buyer should conduct the searches described in question 5. With respect to trade secrets, know-how and other unregistered intellectual property, the buyers should confirm ownership thereof by the seller and with respect to trade secrets, that the seller has taken reasonable steps necessary to maintain the confidentiality thereof.

Liens

Can liens or security interests be granted on intellectual property or technology assets, and if so, how do acquirers conduct due diligence on them?

Liens and security interests can be granted on IP and technology assets in the US under article 9 of the UCC (as enacted by each state and the District of Columbia), which governs security interests in ‘general intangibles’ (including intellectual property) unless article 9 is pre-empted by US statute, regulation or treaty.

Because the Patent Act and Lanham (Trademark) Act do not expressly pre-empt article 9 of the UCC, US courts have generally held that security interests in US patents and patent applications and federal trademark registrations and applications (as well as other unregistered intellectual property) are perfected by the filing a UCC-1 financing statement with the applicable state where the owner of the IP asset is located and any release or termination of such security interest would be filed with such state. It is also prudent and considered a matter of good practice to file the security agreement (and any release or termination thereof) with the USPTO to ensure notice to subsequent good faith purchasers and mortgagees. In contrast, the Copyright Act pre-empts article 9 of the UCC. Accordingly, security interests in registered US copyrights (and applications therefor) are perfected by filing security agreements with the US Copyright Office. Any release or termination thereof should similarly be filed with the US Copyright Office. Turnaround time for UCC filings can vary by state and type of submission but can be instantaneous (for electronic filings) or may take up to 30 days (for paper forms). Turnaround time for the USPTO and US Copyright Office depends on processing lag time but a filing receipt is typically provided within a day for electronic filings.

Buyers typically conduct due diligence on liens or security interests by performing UCC lien searches as well as searches of the USPTO and the US Copyright Office databases to determine whether there are any active and unreleased liens or security interests recorded against the target’s IP assets. If a financing is being paid off in connection with the contemplated transaction, the parties typically agree that any security interests securing such financing would be released at closing.

Employee IP due diligence

What due diligence is typically undertaken with respect to employee-created and contractor-created intellectual property and technology?

The due diligence typically undertaken with respect to employee-created and contractor-created intellectual property and technology in the context of US technology M&A transactions involves analysing employment or contractor-related agreements under applicable governing law to determine whether the target company or employee or contractor owns the employee or contractor-created intellectual property and whether such intellectual property is material to the target company. The buyer should ensure that the agreements include:

  • a provision stating that all copyrightable work created by the employee or contractor is a ‘work made for hire’ under the Copyright Act (and in the case of a contractor, specially ordered or commissioned for use) and an assignment or waiver of all moral rights and similar rights of attribution;
  • a present assignment of (and future agreement to assign) all work product and intellectual property that does not qualify as a work made for hire;
  • a provision obligating the employee or contractor to cooperate to perform all acts and execute and deliver all documents necessary to effect and perfect all work product and IP ownership;
  • confidentiality provisions governing the use and disclosure of trade secrets and other confidential information;
  • if any trade secrets are disclosed to the employee or contractor, the whistle-blower notice required under the Defend Trade Secrets Act for agreements executed on or after 12 May 2016;
  • sufficient licences under any background intellectual property owned by the employee or contractor that is used or embodied in the work product or intellectual property created by such employee or contractor; and
  • representations and warranties that all work product and intellectual property is original and does not infringe, misappropriate or otherwise violate any third-party IP rights.

In addition, the laws of several states (including California) restrict the scope of employee inventions that may be subject to assignment and require that certain statutory notices be included in agreements purporting to assign employee inventions.

Transferring licensed intellectual property

Are there any requirements to enable the transfer or assignment of licensed intellectual property and technology? Are exclusive and non-exclusive licences treated differently?

Under US law, the express language of the applicable IP licence agreement generally governs whether the licence is assignable. If the agreement is silent or ambiguous with respect to assignability, the analysis depends on governing law, the nature of the licensed intellectual property, whether the licence is exclusive or non-exclusive, whether the contemplated transaction constitutes an assignment under applicable law, and other considerations.

Typically, if an IP licence is silent or ambiguous with respect to assignability, then US courts have generally found that, absent countervailing circumstances that would result in material adverse consequences to the licensee (eg, the licence grant is coupled with various obligations of the licensor to provide assistance or other services or where the assignee is a competitor of the licensee), the licensor has the right to assign without the licensee’s consent; and the licensee does not have the right to assign without the licensor’s consent.

Non-exclusive licences that are silent regarding assignability have generally been found by US courts to be non-assignable by the licensee without the licensor’s consent. However, courts are split on whether exclusive licences should be treated similarly. Although several courts have treated exclusive licences in the same manner as non-exclusive licences with respect to assignability, some courts have held that exclusive licensees should have rights commensurate to the owner of the intellectual property and therefore the right to assign without consent of the licensor because exclusive licences may be considered to be transfers of all rights (particularly with respect to copyrights).

Software due diligence

What types of software due diligence is typically undertaken in your jurisdiction? Do targets customarily provide code scans for third-party or open source code?

Software due diligence typically involves:

  • identifying who created the source code (ie, employees or contractors) and reviewing any agreements governing the development of such source code;
  • determining whether and how the software is used, accessed, stored, licensed or distributed to third parties (including whether it is subject to any source code escrow agreements), including reviewing any agreements governing the foregoing;
  • confirming the confidentiality measures undertaken to protect any proprietary code and unauthorised access thereto or disclosure thereof; and
  • reviewing or vetting any open source code policies and procedures (including reviewing source code scans).

Depending on the materiality of the software code at issue, nature of the transaction, and target industry, targets may provide code scans in the course of due diligence for technology M&A transactions in the United States.

Other due diligence

What are the additional areas of due diligence undertaken or unique legal considerations in your jurisdiction with respect to special or emerging technologies?

Artificial intelligence

Artificial intelligence (AI) algorithms typically ‘learn’ from broad and high-quality data sets, which may be subject to copyright protection. It is important to assess whether an AI system has the right to use, access or reproduce the copyrighted works within an input data set and whether any resulting technology could, therefore, be deemed to be an unauthorised ‘derivative work’.

Because AI systems may be capable of producing more complex and innovative products and services, on the one hand, it is important to consider how inventorship and authorship will be determined where intellectual property results from an AI system. For example, US courts may decline to grant patent or copyright protection to inventions or works created by AI systems (rather than by humans). On the other hand, if a target uses an AI system that makes decisions resulting in damage or harm, it is unclear how liability would be allocated.

Additionally, with respect to privacy and data security, due diligence undertaken with respect to AI typically includes a review of the secure development lifecycle of hardware and software, including analysing implementation of privacy and security by design and by default, as well as legal considerations that may apply when AI drives automated individual decisionmaking, the tracking and profiling of individuals, or the re-identification of previously anonymised personal data.

Internet of things

Internet of things (IoT) relates to connected devices, which are capable of collecting and analysing massive amounts of data and inherently gives rise to legal concerns around consent, privacy, security and discrimination. It is important to consider whether the data collected by an IoT device is personal data and, if so, whether the persons about whom such data is collected have given sufficient consent to the collection, analysis and uses thereof, and whether any of the data or systems are subject to data privacy or cybersecurity regulatory requirements (as often is the case with healthcare or financial information).

Autonomous driving or advanced driver-assisted systems

Autonomous driving or advanced driver-assisted systems (ADAS) may incorporate and rely upon AI and connected devices (ie, IoT) technology; therefore, such systems may be subject to the same unique legal considerations discussed above with respect to IoT and AI. Moreover, such systems incorporate numerous other types of technologies, such as global positioning systems (GPS), light detecting and ranging (LIDAR), telecommunications, data analytics and image processing. Accordingly, purchasers should conduct thorough due diligence to ensure that ADAS technology being acquired is not infringing or misappropriating third-party IP rights.