Seven strategies for managing intellectual property risks in software development

Overview

How do you know that your business owns or has the relevant rights to the intellectual property in its software, particularly where the rights are not registrable?  What can your business do to manage the risk of its developed software infringing third party intellectual property rights? This briefing looks at key strategies to help manage intellectual property risks in software development.

There are various intellectual property rights that are relevant to software development, principally patents (protecting the functionality of the software rather than the specific code), copyright, database rights and trade secrets.  Trade marks and domain names are also relevant to marketing software products, but are beyond the scope of this briefing.   

Do you have a clear chain of title for all your key software products?

  • Ideally you would possess a documented audit trail showing a clear and unbroken chain of title to your software products.  Patents are subject to national and/or international registration, whereas copyrights are not subject to registration outside the US.  If a patent has been granted in respect of your software invention, evidencing title is more straightforward.  In relation to copyright in the software, you should be able to account for how, when and by whom each software product was developed.  You should have a record of who wrote that software and, in particular, whether they are external consultants or employees (current or former).

  • Check IPR assignment provisions in consultancy agreements because the position (under English law at least) is that external consultants will own the IP they create unless there are relevant provisions in a consultancy agreement assigning the rights to the customer who commissioned the development of the software.

  • Although copyright created in the course of employment will belong to an employer under English law, this is not necessarily the case in other jurisdictions and so it is good practice to include assignment provisions in employment contracts, along with robust confidentiality obligations and disclosure requirements in relation to any ideas, inventions and discoveries the employee generates relevant to your business.

  • For proprietary software that your business acquires, it is important to conduct thorough due diligence and receive contractual protection in the form of a full set of intellectual property warranties and indemnities in respect of those assets from the relevant seller.  See our next article in the series for further details on due diligence issues in an M&A context.

To what extent are key products reliant on licensed-in rights?

  • Open source software (OSS).  Incorporation of OSS into your software products is one of the key areas in which unauthorised IP usage could arise.  This is because certain OSS licences include terms under which the licensee is required to make the source code to derived works (e.g. works that incorporate, or are based on, modified or unmodified copies of the particular OSS) freely available under the terms of the OSS licence (aka "copyleft" terms).  Whether or not copyleft terms present a possible problem may depend in part on whether the software is distributed on a traditional "on-premise" basis or whether it is made available on a SaaS basis. Either way, you should have robust policies and procedures in place that govern the identification and use of OSS and compliance with OSS licence terms.  Consider undertaking an OSS audit as it is not always apparent what OSS is being used or the extent of its use.  Companies such as BlackDuck also offer tools that can search through source code to highlight whether it incorporates OSS.  OSS risks are considered in more depth in this earlier briefing in the series.

  • Licence terms.  You need to track and keep a record of any other third party IPRs incorporated in your products, together with relevant licence terms and indemnities to establish that you have the necessary rights to exploit your products in your markets e.g. by reference to territory, business sector, specific products, number of users and sublicensing to customers.  

Do you have a clear strategy and policies around the use of generative AI for software development?

The surge in the use of generative AI products, such as GitHub Copilot, to perform common developer tasks brings substantial benefits (increasing productivity, saving time and costs, and encouraging innovation) but also presents additional intellectual property challenges:

  • There is more uncertainty around ownership of copyright in computer-generated works than for works created by a human.  In the UK, the Copyright, Designs and Patents Act 1988 expressly provides for computer-generated works. It provides that, where a work is generated by a computer in circumstances where there is no human author, the author is "the person by whom arrangements necessary for the creation of the work are undertaken" (although there is then some uncertainty around whether that person is the developer of the AI tool or the person providing the prompts).  Other jurisdictions, however, do not have an equivalent provision, and do not recognise works which have been solely created by a computer as qualifying for copyright protection – there needs to be human authorship in some form. For further information, please see this article.  Record-keeping and policies will be important to enable you to demonstrate how code was created and the necessary human involvement in this regard.

  • You should have a generative AI policy (reinforced by staff training – see section 4 below) stipulating which generative AI tools are permitted in your business and how they can be used e.g. banning consumer versions of AI models.  This is crucial to guard against the leaking of proprietary information and code.

  • The terms and conditions under which GenAI tools are provided should be checked thoroughly to ensure that your organisation owns outputs, that the AI provider maintains confidentiality and does not overreach in respect of the access that it has to your inputs (to protect your trade secrets and prevent your inputs from benefitting competitors).

  • There is a copyright infringement risk if the code suggested by an AI-assisted coding tool amounts to a substantial copy of third party code on which the AI model has been trained. In practice, the principal concern relates to breach of OSS licences where AI models have been trained on open source software.  Even "permissive" open source licences generally require identification and attribution of the original work (whereas some AI tools strip the code of its licences) and the risk is even more acute if the original open source software is subject to a "copyleft" open source licence. These issues are currently being considered by the courts, including a class action in the US brought against GitHub, OpenAI, and Microsoft.  As described in section 2 above, where possible, ask vendors whether their models are trained on OSS and consider scanning software to audit it for OSS. 

Software developer training and awareness

Software development inherently lends itself to the reuse and adaptation of existing materials and there are a vast number of opportunities for sharing code.  Your contracts, policies and a regular training programme for your developers must all underscore the importance of not using confidential information or proprietary information or code of a third party in an unauthorised manner.  This applies not only in relation to software code but also to all text, graphics etc as well.  

Take particular care when hiring new employees from competitors that they do not reuse material from their previous employment.

Patent clearance searches and defensive patent applications

For key products, particularly where you've identified a competitor with a similar product or working in the same technological space, consider undertaking "freedom to operate" assessments.  These tend to be expensive and can be an imperfect tool because (i) patent registers are not always reliable for identifying up-to-date prior art because of the time lag between filing and publication of a patent and (ii) computer-implemented inventions can be presented in patent claims in many different ways, which also makes identifying similar inventions difficult.

It is also worth bearing in mind that, as a very general rule, software is far less likely to be patentable in the UK and Europe than it is in the US, such that patent clearance searches in the UK and Europe are of less value than they are in the US due to the importance of copyright as the most relevant IPR.

Another strategy could be to create a defensive patent portfolio serving as an important bargaining chip if you are threatened with patent infringement.  Filing a large number of poorly drafted patents is unlikely to be helpful, however.

Conduct IP audits on a regular basis

An IP audit is a systematic review of the IP that your business owns and uses and involves identifying IP assets and assessing their nature and scope to evaluate potential risks (and opportunities). In many ways, it is similar to an IP-specific due diligence review for an M&A deal (for further information on which, please look out for our next briefing in the series).  It can help identify potential gaps and systemic issues, and provide an impetus to adopt best practices.

Be prepared to take local law advice

This briefing is written from a UK perspective but it is important to remember that intellectual property is territorial and different rules apply in different jurisdictions.  If your organisation is international you are likely to need local law advice.

 

Get in touch

The Technology & Commercial Transactions team at Travers Smith has considerable expertise and experience in helping businesses from many sectors with the complex legal problems faced in the creation and development of software. We also have a network of high calibre international law firms who we call upon to assist with global transactions and multijurisdictional advice and disputes.

Louisa Chambers
Helen Reddish