1

1

Don't Let Open Source be the Deal Breaker in Your M&A Deal

2

A. Background: Casting the Net B. Why Should You Care About This? C. Impact on Due Diligence and Schedules D. Impact on Deal Terms and Definitive Agreement E. What Should You Be Doing Now? F. Final Thoughts

Overview

3

A.  Background: Casting the Net

•  Software+ •  Transactions •  Business Models •  Inadvertent Software Companies

4

•  More than just open source software •  Typically any third party in-licensed software •  Commercial, freeware and open source •  In any form: Object code, binary code, source code, firmware,

microcode, drivers, libraries, routines and subroutines •  Extends to: APIs, SDKs, protocols, specifications and interface

definitions •  Not just embedded, but also for development and internal use •  Covers inbound SaaS offerings •  Sometimes applies to:

•  Hardware •  Data •  Inbound content

Background - Casting the Net: Software+

Really any in-licensed software/service (or more) for developing, maintaining, supporting and offering your

products and services

5

•  Applies to all sorts of transactions •  Mergers & Acquisitions

•  Divestitures

•  Financings, including VC/PE investments

•  Loans

•  IPOs

•  Customer agreements

Background - Casting the Net: Transactions

6

•  Applies to all sorts of business models

•  Traditional distributed

•  Hosting •  SaaS •  PaaS •  IaaS

•  Internal use •  In support of professional services

Background - Casting the Net: Business Models

7

EVERYONE

Automotive

Retail

Healthcare

Software

Infrastructure

Banking & Financial Services

Internet of Things

Mobile

Background - Casting the Net: Software is Everywhere…

8

Background - Casting the Net: Even Where You Don’t Expect It…Inadvertent Software Companies

Agriculture Banks and Financial Services

Automotive

Design/Custom Products - 3D printing

- DNA sequences

Hardware - Medical Devices

- Lab and Diagnostics Equipment

- POS terminal/bar code reader

Content Provider

- Media Companies

- Publishing Companies

- Universities

Consumer Products

- TVs - Internet of Things

- Wearables - Toys

- Greeting Cards - Locks

Mobile Apps; SaaS Platforms; Code on the devices Distributing and/or Hosting Code

9

B. Why Should You Care About This?

•  The Underlying Risks •  Licensing and Compliance Risk •  Security Risk •  Business and Operational Risk •  Remediation Risk

•  Overall Impacts on the Deal •  It’s Not Theoretical Anymore: Recent Litigation

10

Why Should You Care About This?: The Underlying Risks - Licensing and Compliance Risk •  Use beyond scope of license

•  Breach of licenses; automatic termination since no materiality

•  Copyright infringement

•  ‘Viral’ infection of proprietary code

•  Automatic grant of licenses to certain of your patents

•  Defensive patent termination rights

•  Transfer/assignment/change-of-control issues

•  Under licensing; not enough seats/licenses

•  Combinations of components under incompatible licenses

•  Notice and attribution non-compliance

•  Failure to comply with licenses for “fourth party” components

11

Why Should You Care About This?: The Underlying Risks - Security Risk •  Avoid unknowingly using third party software with known security

vulnerabilities •  Any vulnerabilities associated with the components?

•  Which components? •  What are the vulnerabilities? •  Any patches available?

•  May have more vulnerabilities since the source code is available or

fewer vulnerabilities since more people are looking

12

Why Should You Care About This?: The Underlying Risks - Business and Operational Risk •  Dependence on code from competitor/hostile party

•  Think ahead to integration and running the business or things can become very difficult

•  Changing the offering model •  Standardizing on certain components

•  May be expensive or impossible to collect the key information later

13

Why Should You Care About This?: The Underlying Risks - Remediation Risk

Code Remediation

•  Removing, rewriting or replacing code

•  Costs: Engineering, time

Legal Remediation

•  Amending/terminating agreements, seeking clarifications, seeking waivers of past liability, re-licensing components and obtaining new licenses

•  Often hard to remedy past non-compliance

•  Costs: Legal, time, fees to licensors

Risk Mitigation/Allocation

•  Additional representations and warranties

•  Remediation-focused closing conditions and best efforts covenants

•  Specific indemnities •  Additional escrows

14

Why Should You Care About This?: Overall Impacts on the Deal

Macro Impacts:

•  Delay •  Signing •  Closing

•  Reduce Price •  By expected cost of remediation

•  By estimate of past non-compliance

•  Plus a premium for the unknown

•  Deal certainty •  Due to conditions •  Dependence on third parties

•  Kill the deal •  Upset the build vs. buy decision

Diligence/Scheduling Impacts:

•  Inability to provide basic materials requested in diligence and for schedules •  List of in-licensed

software with license and usage for each item

•  Open source policy •  Surprises discovered

during diligence •  Inability to cleanly

make reps

Lead to Additional:

•  Diligence, such as a code scan

•  Reps and warranties •  Remediation

covenants and closing conditions

•  Specific indemnities •  Escrows

15

•  Shifting landscape of open source license enforcement •  No longer brought for ideological reasons; now commercial

software companies on both sides with hundreds of millions at risk

•  Recent cases with much in common:

Why Should You Care About This?: It’s Not Theoretical Anymore: Recent Litigation

Continuent v. Tekelec XimpleWare v. Versata Software Filed July 2013 November 2013

Likely Settled February 2014 February 2015

Licensing Model Dual Commercial & GPL Dual Commercial & GPL

Claims GPL violations, copyright infringement, etc.

GPL violations, copyright infringement, etc.

Alleged Damages "All profits" In excess of $150MM for the copyright suit

Remediation Appeared trivial Patch released in 2 weeks

Transaction Oracle bought Tekelec prior to suit Trilogy bought Versata prior to suit

16

C. Impact on Due Diligence and Schedules

•  Diligence Requests •  Requests for Policies and Procedures •  Typical Scheduling Requirements

17

•  Conduct a review of third party in-licensed software •  Initial step is to request list of in-licensed software, with license and

usage for each component •  Time to provide the list is important

Impact on Due Diligence and Schedules: Diligence Requests

18

•  Request third Party in-Licensed software policy (or lack thereof)

•  Quickly learn a great deal about a company’s business, legal and engineering practices

•  Date implemented •  Written •  Approval process •  Documentation function •  Mechanism for on-going compliance

Impact on Due Diligence and Schedules: Requests for Policies and Procedures

19

Identify All In-Licensed Software Components •  Incorporated, embedded or integrated •  Used to offer any Company product/technology •  Sold with any Company product/technology •  Otherwise distributed by Company •  Used or held for use by Company, including use for

development, maintenance, support and testing

Impact on Due Diligence and Schedules: Typical Scheduling Requirements

20

Impact on Due Diligence and Schedules: Typical Scheduling Requirements

Information for Each Component:

•  Applicable versions •  Applicable license agreement •  How incorporated, embedded or integrated •  How used internally •  How distributed or bundled; distinguish source and binary •  Linking •  How modified •  How hosted; allow others to host •  Relevant Company products/technologies •  Payment obligations •  Audit rights

21

List of Contracts Pursuant to Which:

•  Company has agreed to create or maintain interoperability or compatibility with any third party software/technology

•  Company has the right to access any software as a service, platform as a service, infrastructure as a service, cloud service or similar service

•  Company has the right to access, link to or otherwise use data or content

Impact on Due Diligence and Schedules: Typical Scheduling Requirements

22

Exceptions:

•  Generally available commercial off-the-shelf software with value of less than $1000-$5000

•  Fourth party code; without knowledge •  Internal use only, non-development related software (e.g.

CRM, HR and accounting software); may be covered elsewhere

•  In-licensed software incorporated into office equipment or other equipment/products purchased or leased

Impact on Due Diligence and Schedules: Typical Scheduling Requirements

23

D. Impact on Deal Terms and Definitive Agreement

•  Reps and Warranties •  Covenants and Closing Conditions •  Specific Indemnities •  Additional Escrows

24

Except as scheduled, Company has not:

•  Incorporated third party software into, or combined third party software with, any Company product/technology

•  Distributed or modified any third party software in conjunction with or for use with any Company product/technology

Impact on Deal Terms and Definitive Agreement: Reps and Warranties

25

Impact on Deal Terms and Definitive Agreement: Reps and Warranties

Company has not accessed, used, distributed, hosted or modified any third party software in such

a manner as to: •  Require disclosure or distribution of any Company product/technology in

source code form •  Require the licensing of any Company product/technology for the purpose of

making derivative works/modifications •  Grant the right to decompile, reverse engineer or otherwise derive the source

of any Company product/technology •  Require distribution of any Company product/technology at no charge or

with limited usage restrictions •  Limit in any manner the ability to charge fees or seek compensation in

respect of any Company product/technology •  Place any limitation on the right of the Company to use, host or distribute any

Company product/technology

26

The Company:

•  Has no plans to do any of the foregoing •  Is in compliance [in all material respects] with

the licenses •  Has not been subjected to an audit, nor

received any notice of intent to conduct any such audit

•  Has no payment obligations, except as scheduled

Impact on Deal Terms and Definitive Agreement: Reps and Warranties

27

•  Commercially reasonable or best efforts covenant •  Actual closing condition •  Typically remediation focused:

•  Code remediation •  Legal remediation

Impact on Deal Terms and Definitive Agreement: Covenants and Closing Conditions

28

•  Specific indemnities •  At a minimum for errors/omissions and breaches/non-

compliance with in-licensed software related reps •  In respect of certain agreements, licensors and components •  Often included in IP indemnity and pushes amount higher

•  Additional escrows •  Set aside for specific issues and to back-stop specific

indemnities •  Often included in general transaction escrow and pushes

amount higher

Impact on Deal Terms and Definitive Agreement: Specific Indemnities and Escrows

29

E. What Should You Be Doing Now?

•  Best Practices •  Sell-Side: Seller/Investee •  Buy-Side: Buyer/Investor

30

What Should You Be Doing Now?: Best Practices •  Have a plan to identify, quantify and mitigate third party software-

related risks •  Conduct periodic in-licensed software audits and code scans •  Develop written polices and procedures for using and releasing

open source •  Implement for both internal code and transactions •  Include appropriate protections in contracts:

•  Reps and warranties •  Indemnification •  Schedules of in-licensed software •  Rights to complete code scans

31

•  Conduct an in-licensed software audit/code scan now •  Identify •  Analyze •  Plan/Remediate

•  Put in place a written in-licensed/third party software policy •  Review compliance

•  Prepare for diligence •  Consider industry practices •  Know your likely buyer/investor •  Address the red and yellow flags

What Should You Be Doing Now?: Sell-Side: Seller/Investee

32

•  Develop a game plan •  Timing is critical •  Kick-off diligence process early •  Prioritization is key

•  Update due diligence request lists •  Update reps and warranties •  Develop policies regarding acceptable third party

software usage

What Should You Be Doing Now?: Buy-Side: Buyer/Investor

33

F. Final Thoughts

34

Your Software

Application

Internally Developed

Proprietary Code

OSS Community

3rd Party Commercial Code

Outsourced Code Development

Final Thoughts: Protecting and Assessing the Code Base

35

Final Thoughts:

Use of open source software is unavoidable and can have a major impact on a transaction

Often insufficient to rely on reps

alone

The more you look the more

you find

Almost impossible to

undo the impact of poor

practices

A little can go a long way

36

Anthony Decicco Member

GTC Law Group 617.314.7892

adecicco@gtclawgroup.com www.gtclawgroup.com

Thank You