By Adrian Palmer, Managing Partner at Proven Legal Technologies (the corporate forensic investigation and e-disclosure firm) and e-disclosure firm, part of Consilio
2015 saw a record-breaking level of deal making, with $4.2 trillion worth of transactions pending or completed. With a staggering 37,212 mergers and acquisitions (M&As) taking place throughout the year, the activity looks set to continue as 2016 begins. There were more “mega-deals”— those valued at $20 billion or above—than ever before, and although this year is likely to see deals of a lower value, the number of transactions is still escalating.
While the prospect of M&A activity is exciting and the objectives positive, high-profile organisations embarking in major reshuffles or overhauls face a number of risks. As deals take place, banks are at high risk of jeopardies to confidential information, crucial data and valuable intellectual property.
Uncertainties can never be explicitly predicted or planned for, but it is crucial for companies of all sizes to understand where the dangers lie when taking part in mergers, acquisitions or reshuffles.
Libraries and liabilities
Recent regulatory crackdowns have seen banks increase data security, both in physical and electronic forms, leading to vast amounts of data being stored. The intention is that this will bring reassurance that data is accessible for internal use or, if necessary, for investigative procedures. However, many organisations aren’t aware that this behaviour could cause severe complications and huge cost implications during M&A activity.
Large data logs are not only costly and cumbersome to store but are a serious liability to any business should it become embroiled in commercial litigation, employment law issues or regulatory document requests. Upon completion of a merger or acquisition, all data liabilities are transferred to the new company, so large trails of data can bring weighty responsibilities and place businesses in difficult positions should investigations arise further down the line. With such high-risk liabilities, the attraction of a company to an investor is dramatically diminished, affecting the overall valuation or deterring companies from merging altogether. For this reason, acquirers should ensure that due-diligence processes include a thorough check of all IT (information technology) processes and stored or archived data to avoid taking on heavy baggage and unwanted responsibilities.
Even when restructurings are internal, data histories can muddy the waters and prove a procedural nightmare if enquiries prove necessary. To avoid these difficulties and the potential threat to the organisation’s value, data should not be stored when it is no longer needed nor has a legitimate purpose. Unnecessary data retention can be diminished by reasonable document deletion in accordance with standard business practices. If information is granted necessary-to-store status, it can be transferred to a live document-management system, which makes retrieval and examination more viable and cost-effective.
Although there is a general fear about discarding archived data, there is also less information to be stored, and therefore less to protect against breaches, putting companies in a much stronger position.
Protecting private information
M&A or restructuring can see a number of employees join or leave the organisation, posing another concern around company-owned data. Individuals who have previously had access to sensitive material will move on to positions elsewhere—potentially competitors. This is a common problem during any restructuring, so it is crucial that attention is paid to protecting confidential data.
Whether employees have been let go or poached by rival firms, they may attempt to make use of previous client relationships, inside knowledge and confidential information. Intellectual property is also under threat, as individuals may attempt to utilise their knowledge of new products or business-development strategies in their new employment.
Furthermore, with technology allowing for flexible BYOD (bring your own device) policies and cloud-based computing, employees can both accidentally and purposefully take and share sensitive information. When data is transferred to cloud systems or removable devices, it can become extremely hard to trace and keep track of.
When staff depart, electronic devices must be managed closely. Mobile phones, laptops and tablets must be monitored carefully and company-owned devices seized from individuals leaving the company. In the run-up to their departure, rigorous communication monitoring is essential to ensure employees are not sending sensitive documents to personal email accounts or downloading them onto external hard drives.
Carefully considering remote working policies and controlling which employees have access to certain files can minimise the likelihood of sensitive data being stored or moved elsewhere. IT teams must be given plenty of warning as to when employees are due to leave, so they can ensure the correct records of which devices are assigned to which employees and the necessary preparations are in place. Whether it’s a small number of employees moving on or several hundred redundancies being made, data should be managed effectively so sensitive material is never left untraceable.
Doable data management
In today’s world, banks are responsible for more data and confidential information than ever before. Although this is a sign of innovation and prosperity, it also increases threats and obligations to protect the data. Public-security breaches and subsequent fines have ensured that banks are more aware than ever of the consequences of data breaches, but they must take an informed approach to managing all forms of private information effectively during restructurings.
With M&A activity showing no signs of slowing, financial organisations should embrace the opportunities for development but ensure they have clear procedures for data storage and management. All necessary protective measures must be implemented to ensure confidential information is always traceable and secure, and does not become accessible to unauthorised third parties at any point.
A full understanding of the risks and thorough preparation is essential for a successful and smooth merger and acquisition, whatever the size of the deal. Although security and storage best practices should be adhered to at all times, it is particularly crucial when M&A activity takes place. Management and all necessary teams should be informed in advance to ensure device monitoring is comprehensive and data storage is reviewed ahead of any significant changes.
Organisations being acquired should keep in mind that a backlog of unnecessary data history can decrease their valuation, and those doing the acquiring should understand the implications of taking on excess data baggage and ensure due-diligence processes are extensive.