Software comes in all shapes and sizes, serving a diversity of customers broadened by the internet and strengthened by the onset of generations for whom its application is second nature. Whilst selling a software business will meet unique challenges, there are a number of common threads when considering the legal side. This blog covers a range of topics that, if the seller takes on board, could ensure a buyer’s trust and cooperation when negotiating an agreement.
Intellectual Property Rights
A likely first thing on the mind of a buyer will be to understand and secure all intellectual property rights in the target software. This will mean carrying out due diligence and if necessary obtaining an assignment from the owners of such rights. The business and its licensors should own all the relevant rights but if things haven’t been done properly the owners could, for example, be consultants to the business. Difficulties arise when dealing with previous consultants who take such rights with them after leaving the developers or business which originally created such software. A seller should therefore do all it can to review intellectual property rights when creating software that it may one day wish to sell. If all else fails, indemnities may be the only way to ensure a buyer is comfortable with the purchase.
Software often uses licenced-in intellectual property rights from third parties. Having a strong understanding of exactly what these are and whether it is possible to grant sub-licences under them should be considered. This will mean reviewing the software’s process of production to ensure that no such rights are missed.
Open source software (OSS) is software code that is usually made available to developers for free and can be licenced in a variety of ways. It would be an incorrect to assume that OSS is licensed in an unrestricted manner at all times, even though in recent years it has generally become less restrictive. BlackDuck is a tool which offers companies the opportunity to search the source code of products for any OSS. Any unclear licences can then be satisfied and again it is likely that a buyer will want indemnities or warranties to ensure that all the OSS has been dealt with. At the very least OSS usually requires an acknowledgement of the original author.
When selling a software business, a buyer is going to want to assess the revenues of your business, the reliability of such revenue and risks involved with providing services to each customer. Issues likely to arise in customer contracts include:
- Limits and exclusions of liability.
- Post-contract services such as maintenance and support obligations.
- Termination rights – whether through an explicit change of control clause or termination periods, or by unclear drafting in the contract. Much can rest upon whether or not a buyer can rely upon long-term customers to continue to use the software after purchase.
- Non-compete, exclusivity and similar restrictions. As well as affecting the software’s freedom to operate under such restrictions, they may give rise to competition law issues.
Employees can in some cases be as valuable as the software itself, especially if the buyer is looking to develop the software. Employees often have a breadth of knowledge and experience with a piece of software that is difficult to put onto paper. If key employees are lost then as much information as possible should be put down in the software documentation. Employee retention or at least a point of contact with former employees of a software business may well be the pre-requisite of such an acquisition.
The issue of technological infrastructure is changing. Before the existence of such readily available online platforms with which companies can access and build their own software, technological infrastructure was, for the most part, hardware. This meant that infrastructure was often difficult to integrate into a buyer’s system.
A seller needs to consider whether the technological infrastructure is shared with anyone (say a subsidiary or other company in the seller’s group), whether they plan to integrate the software into the buyer’s technological infrastructure and whether the software is in any way being provided by a third party:
- Infrastructure shared with other members of the seller’s group – a number of solutions exist to this issue, the most common being licensing or transitional services arrangement within the group that is often limited in time and to particular services.
- Integration in to buyer’s infrastructure – as well as technical issues of integration and compatibility, if the infrastructure is duplicated, the target should undertake an assessment of whether these duplications can be eliminated and if the seller can terminate relevant supplier contracts.
- Third parties – it used to be the case that companies using software would share a server with other companies and such hardware would have to be maintained to reach the requirements of each company. With the trend towards virtualisation of the computing environment, seller’s will often be beholden to a variety of third-party platforms to provide cloud space and hosting capabilities. Sellers should therefore review their position in relation to all such third parties to ensure they have the necessary rights to transfer ownership of any such agreements.
Data protection is an increasingly important issue for any software business. In assessing your business, and its IT systems, it is important to understand what personal data is handled, the protections and policies surrounding this, including any instances of breach of these policies, and the applicable laws such as the UK GDPR (for information on how Brexit has affected data protection law read our blog). It is attractive for a buyer to know that the seller takes data protection seriously and has built-in mechanisms to support it.
Developments in software supply have accounted for an increased risk in data protection. Subscription based services which often store customer data on the sellers platform (for instance, if it supplies software under a software as a service (SaaS) model) run into such issues as an obligation is created to secure and lawfully process the personal data being stored by the seller. Software often used to be sold anonymously, and without updates, external content, or other means to identify the user, and the seller was not storing personal data for its customers (because there were usually no logins or other data collections linked to a cloud-based platform). Data protection law is forever morphing in response to the rapidly developing technological landscape and so it could be wise to review your position at multiple points along the timeline of implementing the acquisition of a software business.
Cybersecurity is set to become an increasingly important issue for sellers in any software acquisition. On 10 May 2018, the Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) came into force. They place minimum cybersecurity and incident notification obligations on relevant digital service providers. If the software qualifies as an in-scope digital service provider under the relevant legislation, then it will be important for the seller to understand:
- What network and information systems it relies upon to provide its services.
- What measures it takes to manage the risks posed to the security of those systems (including with a view to ensuring continuity of its digital services).
- What means it has of monitoring and assessing any incidents that have a substantial impact on the provision of its digital service.
- How it reports such incidents to the Information Commissioner’s Office (ICO), the UK regulator in this area, and in what timescales.
- Failure to abide by the minimum cybersecurity standards and incident notification requirements set out in the NIS Regulations, can attract substantial regulatory fines in the UK of up to £17 million. Relevant digital service providers are also under an obligation to ensure that they have adequate documentation available to enable the ICO to verify compliance with the relevant security obligations, meaning that in practice the ICO may request to see (and buyers will want to diligence) various policies including those relating to system security, incident handling, security monitoring, business continuity management, and compliance with international standards.
Here to help
Selling a software business comes with a range of challenges, whether or not it involves software. Software does, however, introduce some specific issues. The greatest change in recent times has been from software sold for on-premises installation, to software being available to sell via, in most instances, a SaaS platform. This means that, as a software business owner, you are more likely to rely upon third parties to deliver your services. Making sure that your relationship with these third parties is transferrable to a buyer is important. Equally significant is the likelihood of intellectual property rights being scrutinised by a potential buyer. Knowing that you own all aspects of the business you intend to sell will always be high on a buyer’s list of assurances. Software has a uniquely high chance of infringing IPR’s without being aware of it. For more information on this read our blogs Open Source Software and Legal Protection of Software.