Data security is moving centre-stage for law firms - with VDR outsourcing set to grow, says Howard Revens.
In the last few months the issue of data security has dramatically jumped up law firms’ agendas. This is due to a confluence of longer-term trends around efficiency and cost control, and short-term developments in relation to security and in particular the Safe Harbour issue.For some years, law firms in London and across Europe have been increasingly realising the benefits of high speed virtual data rooms (VDRs) in streamlining operational efficiency and delivering increased data protection for clients. VDR’s keep highly sensitive due diligence documents secure in areas such as M&A, real estate, intellectual property, corporate finance and litigation.We have always seen some law firms taking the data room process in-house, in order to seek to reduce cost. But current market dynamics look likely to give a boost to outsourcing the VDR function, as law firms perceive some key advantages from this route.
Fixed client transaction budgets, with capped or fixed legal fees, are placing greater pressure on legal costs. High-speed external VDR’s with sophisticated tools have thus become vital in driving law firm operational efficiency. Worldwide data access 24/7 and centralized document provision ensure compliant distribution of documents throughout due diligence.
Managing regulatory change
We all know that corporates are absorbing a huge amount of financial regulation at present. VDR’s can help law firms manage regulatory change, helping organise the huge scale of documents required in any given situation to meet regulatory requirements. A recent example of this is the EU Alternative Investment Fund Managers Directive (AIFMD), which requires lawyers and real estate fund managers to handle up to 2,000 documents from 200 data points throughout a fund’s lifecycle.
The efficiency of a data room in streamlining processes of course depends entirely on high quality technology. Law firms have strong project management skills, but not surprisingly find it difficult to deliver high quality home-made VDR’s. These require technical support available 24/7, with regular platform backups, daily verification and file histories. Given the global nature of transactions, even the largest in-house IT team can struggle to keep up. Unique VDR technology, for example, would include the indexing and OCR tools ,so that parties can use text recognition inside documents to read both the right documents and the right parts of documents more thoroughly, to optimise the risk/efficiency trade off.
Vast amounts of highly sensitive information can change hands in due diligence, with anything from 5-20 parties involved in medium-sized deals, and up to 100 parties in the largest transactions. External VDR’s use highly sophisticated tracking to control and determine access rights to confidential information to a range of competitors throughout the transaction lifecycle. Through supplying documents on a “view only” basis, information cannot be copied and used later by unsuccessful bidders.
A security breach to client documentation is a constant nightmare for any law firm. EU data protection laws mean that personal data from EU countries may not be transferred to non-compliant countries such as the US. The “Safe Harbour” principles in theory protect European data, but recent events and the Safe Harbour review the European Commission is now undertaking clearly question whether this is an adequate solution.
Under the US FISA Act, all documents uploaded onto cloud-based systems or servers within US jurisdiction can currently be accessed without a warrant by American security agencies. Therefore, without rigorous control of data in a fully European data room, transaction data appearing on US servers clearly may pose data security issues.
VDRs have most frequently been managed through Software as a service (SaaS) instead of cloud based solutions, but to deliver full governance, compliance and risk management, VDR documents really have to be protected through server locations that are compliant with EU data protection laws.
Efficiency will continue to be the main driver for time poor lawyers in outsourcing their VDRs to specialist external VDR partners. But there is no doubt that in addition to this long term trend, the current Safe Harbour review is putting a spotlight on the benefits of using an external VDR whose servers are in the EU, and can thus deliver both best-in-class, high speed technology and absolute data security.