Secure sensitive financial information from disclosure: data privacy & security in M&A transactions

Key requirements for protection of M&A documents and due-diligence information
Mergers & Acquisitions (M&A) revolve around the controlled disclosure of documents from a ‘seller’ to potential ‘purchasers’. Or more accurately between those and also their authorized agents (commonly law firms and bankers and venture capitalists).
They are an interesting balancing act between having to make what can be fairly onerous disclosures, or you may later be held to have misled the parties, and yet not have the details leak out into the market or become available to competitors of the organizations involved.
To satisfy other controls you may need to demonstrate which parties had looked at which documents, and that their access to and use of the documents stopped on specified dates – bidding rounds – and may be extended to more serious players or where takeover rules require it.
And most importantly, you need to ensure access to sensitive information ceases automatically after a certain timeframe and that documents can be revoked at any time regardless of where they are located.
Why not document encryption or secure deal rooms for secure document exchange?
Traditionally encryption has been used to protect M&A data by preventing unauthorized access to documents. But that is as far as it goes. Once a document has been decrypted a user has full control of the document including the ability to pass it on to others.
Secure data rooms (also called secure deal rooms or virtual data rooms) are often advertised as the best solution to secure M&A due-diligence information. However they are not as secure as they might first seem.
Secure deal room security issues include:
- they rely on password authentication – users can share login information with others and therefore access to your protected documents
- content is unprotected on the server, secured only during transfer (SSL), and then cached locally on user’s computers in temporary files where it could be recovered
- you have to upload unprotected documents to a cloud server where they could be compromized
- they do not prevent printing to file drivers (i.e. users can create a PDF file by printing to a PDF printer) or stop screen grabbing applications
In addition, users must be online to view documents which may not always be convenient.
Using document DRM to protect M&A documents: secure mergers information & stop disclosure
Locklizard document security provides the controls you need in order to realise the sometimes conflicting requirements of protecting sensitive M&A documents and information.
- Specific machines are licensed, rather than anonymous people logging into a web or cloud based system, so the control is greater, and covers PCs, Macs and BYOD devices as well.
- Access to documents can be stopped and started at any time, even though the documents are downloaded onto machines for performance reasons. So if a new version of a document is produced, access to the old one can be stopped immediately and the new one made available without having to alter customer records.
- Logs of document use are available that link to individual licenses/machines, and they can be downloaded in csv format for your own analysis and backup.
- Documents may be grouped into families (publications) and access to them granted at the publication level as well as the document level. So administering authorised user access is made much simpler.
Naturally, the overall control of such systems is very important, and you can install the whole system on your own server and under your own control so that you are always in charge of the systems and the data.