A common question asked by potential virtual data room users is “Can you block the print and save functions, preventing 3rd party visitors from keeping a copy of documents?”
Essential Element of Online Data Rooms?
Preventing 3rd party visitors from copying documents is not an essential element for online datarooms. Many are led to believe it is by vendors, using this as their top promotion for elements in their data rooms. VDRs are developed for collaboration.
Within the world of mergers and acquisitions (M & A), and divestitures, the new Internet medium of data rooms has substantially dismissed the need for paper memorandums, CDs, and as of recently DVDs. More efficient ways of sharing critical confidential data are available. Sharing thousands of documents online securely is obviously important, but is adding more and more levels of security just because technology allows it, really necessary?
Oftentimes, it may hinder the business process. Driving an automobile with a helmet is definitely safer, but is it practical, is it necessary?
Online Data Room Security Practices
Before we look at online data room security practices, consider how secure confidential data is, when shared on physical media which is still done quite often. What control is there on a confidential printed document lying on an office worker’s desk in an office that is frequented by co-workers, visitors, administrative staff, and even cleaning staff in the after work hours? How does the owner of that CD or DVD know that it is not shared or misused by the receiving party?
The answer is they don’t. Yet the custodians of that data, historically and still today, accept that form of data sharing as an acceptable risk. Admittedly, a VDR that disables the “print and save” function makes retaining a secure document more difficult, but that is a bit of a misconception and is it really necessary?
If a document can be viewed on a computer screen, it can be captured, saved, and redistributed. There are many ways this can be done, even if a digital camera is not available, including:
- Cell phone cameras
- Screen captures
- Manual remake
- 3rd party screen monitoring services
Handling DataRoom Information Securely
How should a custodian of secure, confidential data handle that information? The answer is that it should be handled in the same manner that all confidential data is handled.
First of all, one attempts to control those third parties that have visual access to the data. Second, one requires those invited third parties to execute a confidentiality agreement or a non-disclosure statement or agreement (often referred to as a “CA” or NDA”) that contains basic terms regarding the usage of the information provided to the third party.
Typical terms often include the following:
- Definition of what is confidential
- Obligations of the third party regarding confidentiality
- Exceptions to confidentiality required
- Description of who has rights to ownership of the data
- Time restrictions or terms
If someone violates the signed confidentiality agreement, he or she is subject to remedies available to the owner of the confidential data. However, enforcing a CA or NDA is often difficult, time consuming and expensive. Damages can be difficult to establish and prove.
Therefore, the practical advice is again, to be careful and selective about whom you share confidential data with.
What is one to do if a document is so sensitive that one cannot assume the risk of its contents getting copied or saved? It should not be distributed by physical media or be put online. This would be the highest approach to document protection. However, this is not really practical when a business process like a divestiture or M & A requires the sharing of thousands of confidential data and documents with many parties during a short time period.
Electronic Data Room Best Practices for Confidentiality
The best practice is still the same as it was when paper bound memorandums were distributed. Be careful who you share your data with and get those parties to sign a confidentiality agreement or non-disclosure agreement.
Make accessing the data as easy as possible for your potential investors by using a VDR that includes user login, SSL encryption, and a secure site but allows downloading and saving to facilitate and make it easier to review the documents by those third parties that have executed confidentiality agreements.