IT security: M&A transactions are a different matter

Opinion by Jan Hoffmeister

A rather astonishing example of carelessness over data privacy was displayed recently at Bloomberg, escalating the discussion around data security.

Bloomberg customers were shocked to find that employees were able to see what terminal users were viewing and the actions that they were taking.

With the combination of a confidential service, such as Bloomberg's financial information service, and a publishing service, one would assume strict ‘Chinese walls’ were used. However, a lack of Chinese walls has been a sensitive issue in the past.

A few years ago, a similar issue around investment and research also caused contention. The issue is not one that lies solely with the corporation, but instead is representative of a broader issue around the cultural differences that the US and the EU have with respect to data protection and privacy.

Recent events such as this highlight a significant difference in national data protection laws and in the perception of what data ‘protection’ should be. This is becoming a prominent concern amongst businesses, particularly those engaged in a financial transaction or merger.

In Europe, regulations are harmonised by the European Union, and information can be securely stored on servers within the EU without risk of access by third parties. Yet when using US-based servers to store information, the legalities become more complex.

The EU criticism is that the US government has, through the Patriot Act, low-barrier access rights to digital information stored by US companies. Such rules are unmatched in the EU. Storing data with a US company exposes every European firm to the risk of sharing this information with US authorities.

This was a criticism by German officials and the Fraunhofer Report, which stated that it was not adequate for the protection of European companies' data. As corporations – especially in relation to M&A transactions – become increasingly concerned about the location and security of their sensitive data, we are seeing a significant upsurge in enquiries from firms about how best to protect their information.

Our advice is to take the following into consideration when selecting a secure server:

  • Does your provider utilise the cloud to store your data? If so, then what guarantees of security are provided?
  • Is your provider a US-based company or the subsidiary of one? If yes, then be aware that any data stored is potentially accessible to US governmental agencies through the Patriot Act.
  • Does your provider rely on security-challenged third-party applications such as Flash and Java? Be aware that these are currently the subject of a number of security concerns.
  • Are you fully cognisant of EU data protection laws and how they protect you? Any breach is potentially a breach of EU regulations punishable by heavy fines. (New EU rules could soon empower authorities to impose fines of up to two per cent of global turnover.)

In the context of financial transactions, the risk of a privacy breach can be severe. Damages or a failure of the transaction can easily cost the participating parties tens of millions of Euros.

The IT security considerations on these transactions are structured around potential attacks by strangers and, more significantly, by people who are entitled to receive the information. Considering the following should reduce the risks of a security breach:

  • To avoid risks caused by third-party products (e.g. browser plug-ins, Java, PDF viewers), a standalone data room has obvious advantages.
  • Remote communication via the internet must be secured by an HTTPS connection.
  • Files on storage must be encrypted with algorithms such as the Advanced Encryption Standard (AES).
  • Activate full compliance tracking of activities, including a complete audit trail of all changes and viewings.
  • A dynamic watermark on all viewed pages and printouts with username and timestamp makes it possible to track activity to specific individuals.
  • Enable a view-only solution to avoid users being able to print/copy/save files.
  • Server infrastructure should be hosted in certified data centres (ISO 27001).
  • Access to any documents must be granted by a granular setting of permissions.
  • Depending on the requirements of the sellers, the level of security should be increased, e.g. by IP filter, two-factor authentication or customised password policies.
Data security and privacy will remain a contentious issue. Currently there is a strong American lobby in Brussels to prevent EU data protection laws from increasing in strength, which would have a significant impact on corporations with limited data protection, such as Google and Facebook.
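
As an added illustration (not part of the original article and not any vendor's code), the Python example below combines several of the data room controls from the checklist above: an IP filter, a second-factor gate, granular per-document permissions, an audit trail of every attempt, and a watermark carrying username and timestamp. All user names, networks and file names are constructed, `second_factor_ok` stands in for the result of a real two-factor check, and the hash chaining of audit entries is an added assumption rather than something the article prescribes.

```python
import hashlib, ipaddress, json
from datetime import datetime, timezone

# Constructed sample policy: users, networks and documents are hypothetical.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
PERMISSIONS = {  # user -> document -> set of granted actions
    "bidder_a": {"spa_draft.pdf": {"view"}},
    "seller_counsel": {"spa_draft.pdf": {"view", "print"}},
}

class AuditTrail:
    """Append-only log; each entry stores the hash of the previous entry."""
    def __init__(self):
        self.entries = []

    def append(self, **event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})

    def verify(self):
        """Recompute the chain; an edited entry no longer matches its hash."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            digest = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True

def request_document(trail, user, ip, doc, action, second_factor_ok, now=None):
    """Return the watermark text if access is granted, else None.
    Every attempt, granted or denied, is written to the audit trail."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%d %H:%M:%S UTC")
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in ALLOWED_NETS):
        reason = "ip_not_allowed"            # IP filter
    elif not second_factor_ok:
        reason = "second_factor_missing"     # two-factor gate
    elif action not in PERMISSIONS.get(user, {}).get(doc, set()):
        reason = "permission_denied"         # granular permission check
    else:
        reason = None
    trail.append(user=user, ip=ip, doc=doc, action=action,
                 time=ts, result=reason or "granted")
    return None if reason else f"{user} | {ts} | {doc}"
```

Denied requests are logged alongside granted ones, so the trail records attempted access by entitled users as well as outsiders.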

Data privacy news such as that of Bloomberg is unlikely to be the last, so while the debate continues, it is down to individual businesses to educate themselves on data protection and ensure that they are fully aware of where data is stored and the protection laws that it falls under.

Jan Hoffmeister is co-founder of Drooms

