Document Rights Management

A common question asked by potential virtual data room users is “Can you block the print and save functions, preventing 3rd party visitors from keeping a copy of documents?”

Online Data Room Security Practices

Essential Element of Online Data Rooms?

Preventing 3rd party visitors from copying documents is not an essential element for online datarooms. Many are led to believe it is by vendors, using this as their top promotion for elements in their data rooms. VDRs are developed for collaboration.

Within the world of mergers and acquisitions (M & A), and divestitures, the new Internet medium of data rooms has substantially dismissed the need for paper memorandums, CDs, and as of recently DVDs. More efficient ways of sharing critical confidential data are available. Sharing thousands of documents online securely is obviously important, but is adding more and more levels of security just because technology allows it, really necessary?

Oftentimes, it may hinder the business process. Driving an automobile with a helmet is definitely safer, but is it practical, is it necessary?

Online Data Room Security Practices

Before we look at online data room security practices, consider how secure confidential data is, when shared on physical media which is still done quite often. What control is there on a confidential printed document lying on an office worker’s desk in an office that is frequented by co-workers, visitors, administrative staff, and even cleaning staff in the after work hours? How does the owner of that CD or DVD know that it is not shared or misused by the receiving party?

The answer is they don’t. Yet the custodians of that data, historically and still today, accept that form of data sharing as an acceptable risk. Admittedly, a VDR that disables the “print and save” function makes retaining a secure document more difficult, but that is a bit of a misconception and is it really necessary?

If a document can be viewed on a computer screen, it can be captured, saved, and redistributed. There are many ways this can be done, even if a digital camera is not available, including:

  • Cell phone cameras
  • Screen captures
  • Manual remake
  • 3rd party screen monitoring services

Handling DataRoom Information Securely

How should a custodian of secure, confidential data handle that information? The answer is  Handling Online Data room Information Securely, Secure Data Transferthat it should be handled in the same manner that all confidential data is handled.

First of all, one attempts to control those third parties that have visual access to the data. Second, one requires those invited third parties to execute a confidentiality agreement or a non-disclosure statement or agreement (often referred to as a “CA” or NDA”) that contains basic terms regarding the usage of the information provided to the third party.

Typical terms often include the following:

  • Definition of what is confidential
  • Obligations of the third party regarding confidentiality
  • Exceptions to confidentiality required
  • Description of who has rights to ownership of the data
  • Time restrictions or terms

If someone violates the signed confidentiality agreement, he or she is subject to remedies available to the owner of the confidential data. However, enforcing a CA or NDA is often difficult, time consuming and expensive. Damages can be difficult to establish and prove.

Therefore, the practical advice is again, to be careful and selective about whom you share confidential data with.

What is one to do if a document is so sensitive that one cannot assume the risk of its contents getting copied or saved? It should not be distributed by physical media or be put online. This would be the highest approach to document protection. However, this is not really practical when a business process like a divestiture or M & A requires the sharing of thousands of confidential data and documents with many parties during a short time period.

Electronic Data Room Best Practices for Confidentiality

The best practice is still the same as it was when paper bound memorandums were distributed. Be careful who you share your data with and get those parties to sign a confidentiality agreement or non-disclosure agreement.

Make accessing the data as easy as possible for your potential investors by using a VDR that includes user login, SSL encryption, and a secure site but allows downloading and saving to facilitate and make it easier to review the documents by those third parties that have executed confidentiality agreements.

Comments

  1. Mickey,

    Using the existing insecurity of physical and other means of collaboration to reduce the importance of information security in online data rooms is not a valid argument. In fact, this should encourage people to ensure even more security which does not reduce the risks of collaboration.

    The other thing is that there are remedies available for most of the situations that you have enumerated above i.e.

    Cell phone camera captures – Can be negated by having “Spotlight” technology available with IRM systems as well as some data room service providers like Confidela.

    Screen grabbing including third party tools can be negated again by IRM systems like Seclore FileSecure.

    Manual remake is not controlled and some of the other more process and legal controls can help over there but then one really has to look at not the vulnerability alone but the risk associated with the vulnerability !

    • Mickey Henry says:

      Thank you for your response, and don’t get me wrong, I love technology solutions. However, I think that you missed the main points that I was attempting to make in this article.
      The first point that I intended to make is that all data for all online projects does not require the same level of security. Just because you can add additional layers of document rights technology doesn’t mean that you always need to do so. In fact, adding further layers of security can sometimes hinder a business process and add additional costs to an online data room when it is not necessary to do so. One has to use judgment as to when such more restrictive document security approaches are appropriate.
      My second point was that even though one can “raise the bar” on security by providing additional barriers like the examples that you suggest, that one can never truly protect the confidentiality of a document that is displayed on the screen. If you put a map online with the location of the treasure marked by an “x”, it doesn’t matter what level of document right protection technology that you deploy because that information can be viewed accidentally or unintentionally and then misused.
      Mickey

  2. I agree that the rules for protection cannot be the same for every piece of data.

    The article however is questioning if Rights Management is always necessary for data rooms and my view is that it is always so. If rights management and security are not necessary then why not use email lists instead of data rooms. Much more convenient also !

    Online data rooms are required in situations where secruity and collaboration both have to be implemented at the same time without any being compromised. The “basic” requirement in such a case is a collaboration system and a security system.

Speak Your Mind

*