June 8, 2023
An unaccustomed acquirer may encounter a number of potential pitfalls for technology acquisitions. Failure to promptly identify, assess and potentially mitigate specific issues during diligence can undermine the initial rationale for or valuation of the transaction. Moreover, acquirors need to be careful in any assessment to have a pragmatic and accurate understanding of the issues – such that risks are accurately understood with precision and that an acquirer does not either casually dismiss risk on one hand, or conversely, potentially over-react to a hypothetical worst-case scenario that has a very low probability of coming to fruition.
We detail below a non-exhaustive list of top technology sector-specific legal diligence concerns in acquisitions.
1. Ownership of IP
A primary concern in diligence is confirming the target owns, or otherwise has the right to use, the intellectual property it purports to own. Issues can surface in a variety of contexts throughout the chain of ownership—from creation to subsequent transfers to encumbrances via commercial arrangements. While this article does not delve into every potential issue, as a general matter in technology deals, it is critical to understand what intellectual property the target actually owns, or has the right to use, the rights and obligations attached thereto, the extent and scope of any encumbrances, and the transferability of the intellectual property. Below are a few examples of issues acquirors should consider when completing this analysis.
a. The Proprietary Information and Invention Assignment Agreement (PIIAs) and Consulting Agreements
To ensure employees involved in the development of a target company’s technology no longer own rights in the developments, and that the target has the full rights to exploit its technology, an acquiror will want to review PIIAs executed by each current and former employee of the target, or at least from each employee involved in the development of, or exposed to, the target company’s technology. Each PIIA should include an express, current, and future assignment of all rights, title and interest in inventions developed during employment. PIIAs should also include confidentiality restrictions whereby the employees agree not to disclose proprietary information of their employer. An acquiror must also confirm that founders and officers of the target have effectively assigned their intellectual property rights to the target company and that none of the PIIAs or other inventions assignment agreements exclude intellectual property used in the target company’s business as prior inventions. If any such individuals have left the target company since its inception, to the extent that they were involved in material research and development efforts related to the target company’s business, an acquiror will need to weigh the pros and cons of insisting that the target company seek to intellectual property assignment agreements prior to the signing or closing of the transaction.
Similarly, an acquiror should to evaluate whether all contractors and consultants providing research and development or design services to the target company effectively assigned to the target their intellectual property rights in the results or work product of the services. Often, such consulting services are provided by engineering resources outside of the United States. In such circumstances, an acquiror should consult with local counsel in the relevant jurisdictions to ensure that the operative inventions assignment provisions are enforceable under applicable law and that the obligations of the target are consistent with such local law.
b. Licenses; Encumbrances
Technology companies frequently enter into commercial arrangements with third parties under which the company’s intellectual property is licensed, transferred, or encumbered in some way. An acquiror should pay special attention to agreements that cover research and development, joint ventures, joint development, collaborations, cross-licenses and other arrangements that license intellectual property, where parties covenant not to sue each other, or that may otherwise encumber the target company’s intellectual property. Key considerations include whether the license is transferable or sublicensable; exclusive or nonexclusive; limited geographically or worldwide; limited in duration, irrevocable or perpetual; and royalty-bearing or royalty-free. License terms may include a “springing” license, whereby a counterparty is granted certain licensing rights upon a named event, such as a change in control or assignment. If this springing license is triggered by the contemplated transaction, the acquiror may not receive all of the rights to the intellectual property that it was anticipating, and instead, may have licensing or royalty obligations to a third party or even a competitor. Similarly, the intellectual property may be jointly owned through a joint venture or similar collaboration agreement or subject to development milestones that trigger ongoing obligations or royalties to the counterparty even after the acquiror takes control. The target company’s intellectual property may also be subject to other distinct limitations, such as a covenant not to sue whereby the target agrees not to assert intellectual property rights against the counterparty for particular uses or products.
c. The Upward-Reaching Affiliate Issue
The issue of how “affiliates” is drafted in a target company’s intellectual property license agreements should be carefully considered in the transactional due diligence context. The issue is that the parties often fail to properly define the term “affiliate” or they define this term in a manner that is perhaps unintentionally overly-broad (e.g., includes any entity which controls, is controlled by or is under common control with licensor or licensee), such that, post-closing of the transaction, the license agreement could be deemed to apply to the acquiror’s patent portfolio. Consider, for example, the following scenario:
An acquiror generally would not expect to grant a patent license to third parties as a result of the consummation of an acquisition—in particular if such entity has a valuable patent monetization program or the beneficiary of the upward affiliate issue in a patent license agreement is a direct competitor of or is in litigation with such acquiror.
d. Transfer/Change in Control Restrictions
An acquiror will want to confirm early in the diligence process whether there are any “change in control” or anti-assignment provisions in the target company’s intellectual property agreements that would prohibit or limit the ability to transfer the intellectual property in the manner contemplated by the parties. Even if not expressly prohibited by a change in control clause, the parties should confirm that the transaction will not trigger any anti-assignment prohibitions in the target company’s intellectual property contracts. In general, intellectual property license agreements are deemed to convey rights that are personal to the licensor and non-transferable to a third party absent the consent of the licensor. Thus, the question of whether or not a transfer occurs by virtue of a given transaction or is permitted under the agreement without the consent of the licensor may be important to consider in the context of a material inbound IP license agreement. Some courts have held that a transfer of contractual intellectual property rights in a forward merger constitutes an impermissible transfer that violates anti-assignment prohibitions. While courts in most jurisdictions have generally found that a reverse triangular merger does not trigger an assignment by operation of law, the effect of a reverse triangular merger on anti-assignment provisions should be evaluated, especially if a contract is material. This is particularly true in light of cases such as SQL Solutions Inc. v. Oracle Corporation, where a California court held that a reverse triangular merger could potentially trigger prohibitions on assignments by operation of law in certain circumstances. Provided key issues can be identified early in the process, counsel can implement the necessary structure, and require the necessary consents, to ensure the acquiror achieves its desired result. If a consent cannot be obtained or likely cannot be obtained, understanding the effect on the target company’s business of losing the IP rights (or license fees or royalties associated with the procurement of a new license) will be important to assessing the deal’s valuation.
e. Government or University Funding
Funding from government or university sources such as grants, or even the use of university facilities, can often come with strings attached, including ownership or license rights in favor of the funding source. Applicable statutes, grant terms, faculty employment agreements and university policies should be carefully reviewed to confirm whether a university or government funding source has any consent or intellectual property rights in, or with respect to, the transfer or use of any of the target company’s intellectual property. Further, while during recent years, universities have become more supportive of their professors launching companies, not all universities have updated their policies regarding the same. As a result, an acquiror may need to require a target to obtain certain consents or releases from a government or university funding source as a closing condition to a transaction. Outside the U.S., government funding can create tail liabilities that need to be allocated between the acquiror and seller – for example, in Israel, exporting IP developed using in part funds from the Israeli Ministry of Innovation, Science and Technology for development outside of Israel could likely trigger a non-trivial payment.
2. Open Source Software
Commonly used by software engineers in writing code, certain open source software kernels in a target company’s codebase may come with license terms that can present material issues for a Company looking to incorporate and monetize a target company’s software. The most prominent example is “copyleft” or “viral” open source licenses that, per their terms, require in certain circumstances all modifications to or code incorporated with such code to be released to third parties in source code form. This could cause significant issues if compliance with these terms would result in the disclosure of otherwise proprietary code or, alternatively, require the acquiror to invest significant time and resources in re-engineering the codebase to exclude the copyleft code. If software is a material asset of the target, acquirors should carefully consider engaging an open source vendor to perform a code scan that can flag portions of code in the target company’s software that are subject to potentially problematic open source licenses. Consider having outside counsel engage the consultant to preserve privilege over any findings.
3. Cybersecurity; Data Breach
In today’s environment, all companies are vulnerable to cybersecurity incidents. Even when not consumer facing, a company may house significant and sensitive data regarding its employees, proprietary technology, including source code, customers, suppliers and other counterparties. What may seem at the outset to be a ‘small’ cybersecurity issue often balloons into a problem that requires extensive remediation efforts and can be subject to state-by-state notification and country-by-country reporting and remediation requirements. Further, cybersecurity vulnerabilities that are exploited following the closing of an acquisition can be damaging to the brand and public trust of the acquiror. An acquiror should require a target company to provide a detailed description of its cybersecurity protocols, policies, procedures, audit results and all recent penetration (“pen”) tests and should verify with the target how any issues flagged were remediated. If a recent pen test is not available, an acquiror should strongly consider engaging a consultant to perform one as part of the diligence process.
4. Cyber Insurance
Given the increase in cyber incidents over the years, reviewing a target company’s insurance policies for any coverage from cyber breaches or other incidents has become an important part of any transaction. However, these policies often include large exclusions for issues such as ransomware attacks or nation-state attacks. As such, even with coverage in place, a policy may not provide the expected level of protection. An acquiror, together with counsel, should give careful consideration to how representations and indemnification protections concerning cybersecurity matters, such as pre-closing breaches, are constructed in the definitive agreement. Further, the acquiror must evaluate both the target company’s and its own policies to understand if coverage will exist for historical cyber breaches that are not discovered until after the deal is consummated.
5. Adequate Protection of Trade Secrets
For many technology companies, their most valuable intellectual property asset is source code, which is typically maintained as a trade secret (if not patented or patentable subject matter). Thus, it is important to confirm that the target company engages in industry-standard practices and has implemented adequate controls to protect its trade secrets and has not licensed or disclosed its code in a manner that could enable third parties to gain access to the source code. The target company, may, for example, have agreed to place its source code into an escrow account for the benefit of a third party. Such agreements frequently include provisions that permit the release of source code to the third-party beneficiary in the event of a change of control of the target company. The implications of such agreements should be considered with respect to the extent that the release of such code could impair the value of the trade secrets or would be inconsistent with the acquiror’s intended exploitation of the source code.
6. Data Privacy; Data Use
A target company’s data can be a valuable asset to an acquiror, but this value can be easily diminished if the target company did not secure the appropriate scope of use for such data. An acquiror should pay special attention to the target company’s data privacy policies, sources and methods of procuring data, procedures and compliance, as well as applicable contractual provisions to ensure any planned use of the data by the acquiror is permitted. The diligence exercise also needs to include the identification of, and review for compliance with, all applicable privacy laws such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and the ever expanding patchwork of other similar state, national and international laws and regulations. The acquiror should confirm that the data can be transferred in the manner contemplated by the transaction by ensuring that the transfer of data upon consummation of the transaction is compliant with the target company’s privacy policy and any applicable laws and regulations. For example, a target company’s privacy policy may require prior consent from the user to transfer its data in a merger or sale. Some policies may also require erasure of data from non-consenting users, which may preclude the acquiror’s use of such data. Consent may also be required for the transfer of certain types of “sensitive data” (e.g., PHI (protected health information)).
7. Employee Stock Options and 409A Valuations
Technology companies routinely grant employees stock options as part of their compensation packages. To ensure the options are issued with an exercise price no less than fair market value, a target company should be able to provide yearly 409A valuations by a third party consultant setting forth the value of the common stock of the target at the time of evaluation. Note, if the target company experiences a material event, such as a fundraise or execution of a term sheet, the target may no longer be able to reasonably rely on a prior 409A valuation. It is not unusual to discover during diligence that a target company has issued unallocated stock options after receiving and/or executing a term sheet with an acquiror based on a prior 409A valuation that does not incorporate this material, new valuation information. Failure to identity and remedy this issue can result in adverse and unexpected tax consequences for both the target company and the employees that were issued these mispriced options – and create dissatisfaction with such employees in the period after an acquisition’s closing, precisely when an acquiror will be aiming to retain key technical personnel.
8. Trade Compliance/Anti-Corruption
Technology companies frequently are global in their sales, and subject both to export control regimes and anti-corruptions laws, such as the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act and France’s Sapin II. These areas often can be afterthoughts in a long list of diligence issues to tackle – however, if not discovered before closing a transaction, the post-closing penalty can include self-disclosure or, worse yet, a whistleblower-triggered investigation by a regulator, each of which can imperil the acquiror’s overall brand and business, not to mention financial liability. Acquirors, in partnership with legal counsel, should evaluate a seller’s products and relevant export controls (EAR/ITAR in the US) as well as compliance with country and individual sanctions. It is not unheard to discover seemingly ‘immaterial’ transactions to prohibited states that create significant consequences from regulators. Likewise, counsel should review a company’s corruption compliance program, including specifically, training and any prior whistleblower complaints particularly surrounding high risk indicia such as “gift” programs or sponsored travel.
Gibson Dunn has significant experience counseling clients in acquisitions in the technology sector, and our lawyers are available to assist in addressing any questions you may have regarding these issues. Please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Mergers and Acquisitions, Private Equity, or Media, Entertainment and Technology practice groups, or the following authors of this article:
Ed Batts – Mergers & Acquisitions, Palo Alto (+1 650-849-5392, [email protected])
Carrie LeRoy – Technology Transactions, Palo Alto (+1 650-849-5337, [email protected])
Charles V. Walker – Mergers & Acquisitions, Houston (+1 346-718-6671, [email protected])
Jessica Howard – Mergers & Acquisitions, Orange County (+1 949-451-4007, [email protected])
© 2023 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.