Since the target’s technology and intellectual property are the most valuable assets to an acquiring tech company, a thorough and comprehensive due diligence of such assets is essential to ensure future revenue streams and restrict legal actions in the post-merger phase. Such due diligence usually focuses on owned intellectual property, third-party intellectual property, IP disputes and IT assets.
An important feature of the review is analysing the ownership of the intellectual property. Under Belgian copyright law, software is protected for up to 70 years after the death of the author. However, only the form and expression of the idea are protected.
Anyone is allowed to write a program with the exact same functionality, provided that it is based on self-developed source code. The fact that the target company owns the intellectual property in certain software does not mean that it is protected against the copying of the idea. A solution could be found in patenting the software, but in the European context that method is no guarantee, since there is great disagreement about the patentability of software.
The due diligence should not only focus on the ownership and value of the IP rights, but also - and foremost - on their transferability.
The objective of any intellectual property due diligence audit would be to answer one or more of the following questions about the target’s technology assets:
- What was the origin of the technology asset?
- When was the technology asset first conceived and when was the development completed?
- Who are the people who could claim to be an inventor or author?
- What types of IP rights might be available to protect the technology asset and have those rights been protected?
- Has any employee, consultant or other third party used any trade secrets or proprietary technology of others in the development, support, maintenance or enhancement of the technology asset?
- Does any third party have IP rights that could be violated by past or future uses of the technology asset?
- Have any offers of licences or assertions of proprietary rights infringement claims been received and is there any litigation pending or threatened?
- Where consultants or independent contractors have been used to develop the technology asset, have adequate measures and agreements been taken to protect the proprietary interests of the hiring party and to ensure that the hiring party owns the rights to the technology asset?
- If any portions of the technology asset were purchased or licensed from third parties, what rights were acquired by the technology company? Are there any obligations that, if breached, could result in a reversion of rights back to the third party?
- Have necessary registrations been made and transfers recorded with the appropriate agency?
- Has the technology asset been used to secure performance of any obligations or are they encumbered by any security interests or liens?
- Do third parties hold any licence rights, joint ownership rights or other rights in the technology asset?
- Is the technology asset substantially similar in function, appearance or coding to the technology asset of others?
- If proprietary materials and documentation of the company are held in escrow, what are the terms of the escrow arrangement (eg, conditions for release)?
- Are the technology assets sufficient to operate the licences?
- Are there any restrictions on the company’s technology assets (eg, exclusive rights of first refusal or negotiation, non-competition, pricing restrictions, no-assignment or change-of-control provisions)?
The answers to these questions may affect the value of the technology asset to be acquired and may determine whether to acquire the target company or the technology asset at all.
Another specific area of due diligence that is typically conducted in a technology M&A transaction is privacy and cybersecurity due diligence.
If a target’s data processing activities are not in line with applicable data protection laws, this entails major risks for the buyers. Violations of data protection laws within the European Union are, since the adoption of the GDPR, subject to fines of up to €20 million or up to 4 per cent of the total worldwide annual turnover.
Recent high-profile data breaches at companies like Yahoo!, Equifax, Target, Anthem, Uber, Facebook and British Airways have highlighted the risks associated with data security. Data breaches subject companies to significant liability arising from shareholder lawsuits, government investigations, remediation costs and reputational damage. According to Juniper Research, the global cost of data breaches will rise to US$2.1 trillion (€1.8 million) by 2019.
Without sufficiently evaluating whether a target is data protection compliant, buyers risk acquiring a non-compliant business and thus buying into the hazard of serious fines or lawsuits from data subjects.
The only way to understand and mitigate these data protection risks is a comprehensive evaluation of the target. At best, identified non-compliance can be cured prior to closing (eg, by immediate actions of the target curing non-compliant behaviour itself). Where this is not possible or feasible, the identified non-compliance can at least be factored into the risk assessment and valuation in the course of the purchase decision.
For assessing the target’s data protection compliance status, the following documents should be requested by purchasers (or be provided by the seller, respectively) in the due diligence process:
- a record of processing activities (to verify that all of the target’s processing activities were for lawful purposes and whether the data can be processed for other purposes);
- relevant data protection documents (eg, privacy notices, guidelines, works council agreements, consent forms, data processing agreements, joint controller agreements and data sharing agreements);
- IT, data protection and security concept, documentation of technical and organisational measures;
- an expert session with data protection officers or other informed experts, and possibly the contract, description of tasks and place in the target’s organisational chart of the data protection officer;
- documentation of data protection-related self-assessment (eg, on a balance-of-interests test);
- a presentation of data protection organisation and data protection processes (in particular, relating to handling data subjects’ requests or the deletion of personal data);
- documentation of all personal data breaches and evidence of related communications with the data protection authorities and the data subjects;
- any data protection impact assessments carried out;
- proof that IT programs used by the target are GDPR-compliant (human resources, payroll software, monitoring equipment and geolocation equipment);
- cybersecurity policies and response policies;
- information on all regulatory or criminal proceedings in relation to data protection issues (eg, correspondence with data protection authorities);
- information on all other disputes with data subjects (eg, civil claims);
- supporting documents showing that the target secured all essential rights to commercially use personal data, and whether only for current or also for new purposes (eg, provisions in general terms and conditions, individual contracts, in the supply chain); and
- data privacy or cybersecurity insurance coverage.
A third area of specific due diligence that may be more relevant in technology M&A transactions involves the IT systems (eg, encryption, restriction of access, passwords, safeguarding of sensitive data). IT systems will include hardware and software. With respect to hardware, relevant due diligence information could include:
- diagrams of the hardware infrastructure;
- an inventory of the relevant hardware assets;
- relevant third-party agreements (eg, vendor maintenance agreements); and
- possible disaster recovery and business continuity protocols.
With respect to software assets, relevant due diligence could include:
- an inventory of software used by the target, including information on ownership and licences;
- agreements related to software assets such as licences, support, maintenance, development, assignment and escrow agreements;
- documentation, including policies, manuals and information on user access protocols; and
- active or planned development programmes.
With respect to the IT systems, buyers should check that:
- they are bug free;
- they have not had any material security breaches;
- they have not had any material outages affecting business;
- they are in fair condition and sufficient for the normal functioning of the business;
- all necessary licences are in place;
- the maintenance and support agreements are still running; and
- adequate IT investments are budgeted to meet the business plan and be compliant.
This due diligence is usually undertaken by the chief information officer of the buyer and his or her team, who should be involved from the beginning of a technology M&A transaction.
A final area of due diligence that may be more relevant in technology M&A transactions relates to websites, webshops and social media assets. Privacy policies, disclaimers, general terms and conditions, supply and logistics agreements, compliance with applicable laws (eg, information obligations, advertising), investigations, complaints and disputes may need to be reviewed.
The focus of the legal due diligence will vary slightly depending on whether the ultimate transaction is an asset or a share purchase. In an asset purchase the buyer will, of course, only focus on the assets it will purchase. Although due diligence in an asset purchase transaction is generally not as demanding as in a share purchase transaction, in a technology M&A transaction special attention will have to be given to the transferability of the intellectual property vested in the sellers’ technology assets (eg, formalities required to transfer intellectual property or no-assignment clauses in licensing agreements) or the transferability of certain data assets that qualify as personal data (eg, legal consent of the data subject to the transfer).