How do you know that your business owns or has the relevant rights to the intellectual property in its software, particularly where the rights are not registrable? What can your business do to manage the risk of its developed software infringing third party intellectual property rights? This briefing looks at key strategies to help manage intellectual property risks in software development.
There are various intellectual property rights that are relevant to software development, principally patents (protecting the functionality of the software rather than the specific code), copyright, database rights and trade secrets. Trade marks and domain names are also relevant to marketing software products, but are beyond the scope of this briefing.
Do you have a clear chain of title for all your key software products?
- Ideally you would possess a documented audit trail showing a
clear and unbroken chain of title to your software products.
Patents are subject to national and/or international registration,
whereas copyrights are not subject to registration outside the US.
If a patent has been granted in respect of your software invention,
evidencing title is more straightforward. In relation to copyright
in the software, you should be able to account for how, when and by
whom each software product was developed. You should have a record
of who wrote that software and, in particular, whether they are
external consultants or employees (current or former).
- Check IPR assignment provisions in consultancy agreements
because the position (under English law at least) is that external
consultants will own the IP they create unless there are relevant
provisions in a consultancy agreement assigning the rights to the
customer who commissioned the development of the software.
- Although copyright created in the course of employment will
belong to an employer under English law, this is not necessarily
the case in other jurisdictions and so it is good practice to
include assignment provisions in employment contracts, along with
robust confidentiality obligations and disclosure requirements in
relation to any ideas, inventions and discoveries the employee
generates relevant to your business.
- For proprietary software that your business acquires, it is important to conduct thorough due diligence and receive contractual protection in the form of a full set of intellectual property warranties and indemnities in respect of those assets from the relevant seller. See our next article in the series for further details on due diligence issues in an M&A context.
To what extent are key products reliant on licensed-in rights?
- Open-source software (OSS).
Incorporation of OSS into your software products is one of the key
areas in which unauthorised IP usage could arise. This is because
certain OSS licences include terms under which the licensee is
required to make the source code to derived works (e.g. works that
incorporate, or are based on, modified or unmodified copies of the
particular OSS) freely available under the terms of the OSS licence
(aka "copyleft" terms). Whether or not copyleft terms
present a possible problem may depend in part on whether the
software is distributed under a traditional "on-premise"
basis or whether it is made available on a SaaS basis. Either way,
you should have robust policies and procedures in place that govern
the identification and use of OSS and compliance with OSS licence
terms. Consider undertaking an OSS audit as it is not always
apparent what OSS is being used or the extent of its use. Companies
such as Black Duck also offer tools that can search through source
code to highlight whether it incorporates OSS. OSS risks are
considered in more depth in this earlier briefing in the series.
- Licence terms. You need to track and keep a record of any other third party IPRs incorporated in your products, together with relevant licence terms and indemnities to establish that you have the necessary rights to exploit your products in your markets e.g. by reference to territory, business sector, specific products, number of users and sublicensing to customers.
Do you have a clear strategy and policies around the use of generative AI for software development?
The surge in the use of generative AI products, such as GitHub Copilot, to perform common developer tasks brings substantial benefits (increasing productivity, saving time and costs, and encouraging innovation) but also presents additional intellectual property challenges:
- There is more uncertainty around ownership of copyright in
computer-generated works than for works created by a human. In the
UK, the Copyright, Designs and Patents Act 1988 expressly provides
for computer generated works. It provides that, where a work is
generated by a computer in circumstances where there is no human
author, the author is "the person by whom arrangements
necessary for the creation of the work are undertaken"
(although there is then some uncertainty around whether that person
is the developer of the AI tool or the person providing the
prompts). Other jurisdictions, however, do not have an equivalent
provision, and do not recognise works which have been solely
created by a computer as qualifying for copyright protection
– there needs to be human authorship in some form. For
further information, please see this article. Record-keeping and policies will
be important to enable you to demonstrate how code was created and
the necessary human involvement in this regard.
- You should have a generative AI policy (reinforced by staff training – see section 4 below) stipulating which generative AI tools are permitted in your business and how they can be used e.g. banning consumer versions of AI models. This is crucial to guard against the leaking of proprietary information and code.
- The terms and conditions under which GenAI tools are provided
should be checked thoroughly to ensure that your organisation owns
outputs, that the AI provider maintains confidentiality and does
not overreach in respect of the access that it has to your inputs
(to protect your trade secrets and prevent your inputs from
benefitting competitors).
- There is a copyright infringement risk if the code suggested by an AI-assisted coding tool amounts to a substantial copy of third party code on which the AI model has been trained. In practice, the principal concern relates to breach of OSS licences where AI models have been trained on open-source software. Even "permissive" open-source licences generally require identification and attribution of the original work (whereas some AI tools strip the code of its licences) and the risk is even more acute if the original open-source software is subject to a "copyleft" open-source licence. These issues are currently being considered by the courts, including a class action in the US brought against GitHub, OpenAI, and Microsoft. As described in section 2 above, where possible, ask vendors whether their models are trained on OSS and consider scanning software to audit it for OSS.
Software developer training and awareness
Software development inherently lends itself to the reuse and adaptation of existing materials and there are a vast number of opportunities for sharing code. Your contracts, policies and a regular training programme for your developers must all underscore the importance of not using confidential information or proprietary information or code of a third party in an unauthorised manner. This applies not only to software code but also to all text, graphics etc.
Take particular care when hiring new employees from competitors that they do not reuse material from their previous employment.
Patent clearance searches and defensive patent applications
For key products, particularly where you've identified a competitor with a similar product or working in the same technological space, consider undertaking "freedom to operate" assessments. These tend to be expensive and can be an imperfect tool because (i) patent registers are not always reliable for identifying up-to-date prior art because of the time lag between filing and publication of a patent and (ii) computer-implemented inventions can be presented in patent claims in many different ways, which also makes identifying similar inventions difficult.
It is also worth bearing in mind that, as a very general rule, software is far less likely to be patentable in the UK and Europe than it is in the US, such that patent clearance searches in the UK and Europe are of less value than they are in the US due to the importance of copyright as the most relevant IPR.
Another strategy could be to create a defensive patent portfolio serving as an important bargaining chip if you are threatened with patent infringement. Filing a large number of poorly drafted patents is unlikely to be helpful, however.
Conduct IP audits on a regular basis
An IP audit is a systematic review of the IP that your business owns and uses and involves identifying IP assets and assessing their nature and scope to evaluate potential risks (and opportunities). In many ways, it is similar to an IP-specific due diligence review for an M&A deal (for further information on which, please look out for our next briefing in the series). It can help identify potential gaps and systemic issues and provide an impetus to adopt best practices.
Be prepared to take local law advice
This briefing is written from a UK perspective but it is important to remember that intellectual property is territorial and different rules apply in different jurisdictions. If your organisation is international you are likely to need local law advice.
Get in touch
The Technology & Commercial Transactions team at Travers Smith has considerable expertise and experience in helping businesses from many sectors with the complex legal problems faced in the creation and development of software. We also have a network of high calibre international law firms who we call upon to assist with global transactions and multijurisdictional advice and disputes.