A sense of security

Loose lips sink ships, they say. Likewise, loose security can sink a deal. We ask the experts what to watch out for-and find that to err is human.

According to those on private equity's front lines, a top priority for any private equity manager can be summed up in a word: security. Sounds easy, even simplistic – but the concept of security affects every single step of the acquisition process, and should be at the forefront of every manager's agenda when crafting a deal.

Some of the more basic security issues affect nearly everyone in the business world: the ins and outs of document retention policies, for example. But there is a subset of security concerns which has much more resonance to those in the private equity world. What precautions can a company take in setting up electronic data rooms, which have become more and more the norm during the bidding phase of a merger or acquisition? How can a confidentiality agreement executed at the wrong time hinder or kill a potential deal? What's the wrong way to deal with limited partner communications? A private equity manager needs to drill down for the answers to these and other questions in order to run a truly secure operation.

A room of one's own
Perhaps nothing causes a bigger security headache than the piles of sensitive paperwork that must be made accessible to prospective bidders during the due diligence phase of the acquisition process. The traditional data room is just that: a physical room containing some thousands of pages of records, with a security guard or company associate looking over prospective bidders' shoulders as they spend hours sitting and reading, but not photocopying, the voluminous papers – all the while furiously taking notes during an allotted time period. More recently, that method is being supplanted by the electronic data room – a secure server set up so that a bidder can read the critical material online from their own headquarters.

Sarah Fitts, a partner at the law firm Debevoise & Plimpton and a member of the firm's mergers and acquisitions group, believes that electronic data rooms offer several advantages to the old brick-and-mortar versions. For one thing, documents can be shared with multiple bidders as soon as the information becomes available. ?You can set it up on a streaming basis, because as you locate documents, you post them, and everybody who has access can get a notification e-mail,? she says, ?whereas with a paper data room, it's often like show time: curtain goes up, you arrive for three days, and then you make them leave.?

In a restricted electronic environment, one can also monitor which documents a particular bidder has viewed, and for how long – making it easy to anticipate a bidder's future concerns and keep an eye on potential trouble spots. ?I have heard anecdotally that if there's a particular issue that sellers are aware of, they'll monitor to see if they think the buyer groups have picked up on it,? says Fitts.

Despite these advantages, one can't ignore the threat of determined hackers who are adept at breaking into ostensibly secure computer systems. What can a firm do to guard against them? ?The better ones will hire ?good-guy? hackers to try to break into the systems, and do security audits,? says Fitts. But she cautions that the convenience of electronic data rooms may entail sacrificing a security guarantee: ?I think anyone who's being honest will tell you they can't guarantee that a determined hacker won't get in.?

That said, Fitts cautions that hackers, despite their doomladen reputation, are not the greatest security threat facing electronic data rooms. Sometimes it's simply human error. ?There was a company that forgot to take me off the access list for their data room,? says Fitts. ?So for a year-and-a-half after the transaction closed, I could have peeked. I could have gone and hunted around.?

And ?hunting around? by less-than-serious bidders – that is, subtle corporate espionage – is another potential pitfall, warns Fitts. ?It doesn't cost a lot to say that you're going to bid, and get your access to the data room-as your corporate people sit at their desk and spend the day going through documents and seeing what [they] can learn about competitors,? she says. One way to guard against such underhanded behavior is simply to limit what you put in the data room. ?If there's really things that you think, ?If this got out, that could really be very bad,? don't post it,? says Fitts. ?There's ways, when you're in a serious negotiation, to get the information to the people who need to see it, without going through the data room.?

It may sound a bit Luddite, but simply handing over documents in person – ?Yeah, we still do that,? laughs Fitts – is one sure way to heighten document safety during the bidding phase.

There's even an interesting psychological factor that comes into play, when electronic data rooms are involved, that many managers don't often foresee, says Fitts. ?Sometimes, when the data room is done very well and it's set up and it's easy to use, people forget that that's only the first step in the process,? says Fitts.

People do actually have to absorb and analyze the information, just like in a paper data room, after all. ?Psychologically, it feels like it's so nice and organized and easily accessible,? says Fitts, and that can lead bidders to think that their work is somehow already done for them. ?They still have to read it, and understand it, and put it in context.? It's one of the factors that one must take into account while weighing issues of security, because the convenience and relative security of the electronic data rooms could be a tradeoff – and could, in effect, cause delays in getting to the next leg of the acquisition journey.

Confidentially speaking
When a later stage in the process is reached, the specter of the confidentiality agreement rears its head. The reason for such agreements is clear and straightforward: to safeguard sensitive company knowledge and keep it from getting out for public consumption. ?Obviously, in order to do a transaction of any number of kinds, the company has to talk about its internal machinations,? says Joseph Bartlett, a counsel at the law firm Fish & Richardson. ?It might be going for a loan, it might be going for a private equity investment; it might be talking to a merger partner or to a buyout fund. And the answer to that is a confidentiality agreement – an NDA, or non-disclosure agreement.?

Keeping company information secure is key to a deal's integrity, says Bartlett. ?They're critical to the process, because otherwise you're not going to see anything but public information from the target company, and that's not enough, generally, for a buyout fund to make a decision to take the company private.? But besides the information safeguards, of course, the NDAs perform another key function, says Bartlett. ?A buyout fund or an acquiring company says, 'Look, I'm going to spend a lot of money doing due diligence, and I don't want you taking my bid and simply using that as a chip ?to get more money out of a competing bidder.?

?Nobody will bid unless there's some way of controlling that process,? says Bartlett. The safety of a confidentiality agreement, simply enough, builds a bidder's confidence – needless to say, an absolutely essential factor in any deal.

Managers should also be aware that confidentiality agreements are sometimes used for purposes outside the bounds of mere security. As one expert from a major law firm notes, confidentiality agreements are occasionally crafted in order to make sure that all the private equity players in a deal won't talk to each other – and potentially join together in one massive consortium. And sometimes such agreements are engineered to create bidding consortiums that the target company finds desirable – thus creating, in effect, ?arranged marriages? between potential bidders.

Knowing your limits
Security concerns surrounding legalistic aspects of private equity go beyond the realm of just NDAs. The word ?limited? in the phrase ?limited partner,? for example, can describe more than merely an LP's potential liability. It also should describe the communications he or she has with the general partners. ?If an LP was actively involved in the investment, and something went wildly wrong and some aggrieved third party sued, the LP may have put their limited status at risk? by becoming too involved, says private equity investor Craig Nickles, partner and cofounder of Austin, Texas-based Alignment Capital Group. ?So there's a no-kidding Chinese wall between the GP and LP.?

Limited partner status is so fragile, it can be shattered by a simple phrase uttered between a GP and LP. ?Let's say you're the GP, and you're going to buy Joe's Bubblegum Company,? illustrates Nickles. The GP allowed the LP to get details of this investment strategy, and the LP comes back with strong opinions about the safety of Joe's Bubblegum's products. ?And we get into a big argument, and I [as the LP] say, ?You can't use my money to do that,?? says Nickles. ?I have just now given up my LP [status]. That compromises my limited status within the partnership.?

The best way to avoid compromising an LP's status? Keep the communications simple, advises Nickles. In an ideal situation, the interplay between the two parties should almost be boring. ?The communications are very banal. They might as well be tapioca pudding or something – just very bland,? says Nickles. This is one of the few situations where bland is the best thing for all concerned.

The retaining wall
While more private-equity-centered activities may draw the lion's share of scrutiny from security-conscious readers, it pays to keep in mind some of the basics. Though less exotic than some of the issues already discussed, some of the more mundane concerns can cause unnecessary pain if mishandled.

Document retention, in particular is a case in point. Making sure that every important document, every e-mail, every memo is properly and safely stored can easily become a security nightmare if you don't have a solid system and well understood policy in place. Those bits of information have to be protected from destruction – whether willful or accidental. Paul French, partner at IT consulting firm New Technologies (NTI), has been helping law firms with electronic document discovery since the mid-1990s, and he's seen the critical mistakes that the human factor can introduce. ?The more you can get it out of the users' hands, the more robust your document management's going to be and the more concise, which is obviously the biggest factor,? he says. ?The two biggest things are keeping the data set clean, so you can manage it and you don't have to spend that kind of money on storage and backups; and the other issue is to try and automate as much of it as possible so that you don't just have to send a policy saying, ?Everybody, do it this way.??

Once documents get into the hands of outsiders, anything can happen, warns French. ?At one point or another, you're going to miss documents, or people just simply aren't going to do it, or new people are going to come on and they're not going to know the correct policy.? And though no one likes to think about it, there's always the possibility that documents could be deleted on purpose. ?Of course, there's always going to be the malicious element, where somebody will go in on their last day on the job and try to delete as much as possible,? says French. ?Or they try to delete memos, or something comes up later and they try to change them.?

If a firm ends up in court, automated and secure document access can save the day. French recalls a case where a plaintiff charged that a large investment firm had altered a key sentence in a memo after the fact. But the firm had planned ahead for just this sort of eventuality. ?Fortunately, that data was on a server, and those server tapes were backed up, and those backup tapes were in a secure location where the company did not have access to the tapes,? he says. ?So we were able to show that the document that was produced was the original from three years ago.

?The whole key to that is to get final copies of documents that you want to save,? stresses French, ?to a location where users don't have access.? Removing oneself from the equation can be the greatest security step of all – and that's true in realms outside of the fastidiously ordered world of document retention. It's a lesson that managers can apply to nearly all matters of security.

Whether it's creating a virtual data room and thus taking matters out of the ?real? world, contractually controlling communication between different players, or simply devising a smooth process to wrangle myriad memos, it seems that the key to security may, after all, be deceptively simple. The secret seems to be to take out as much of the human factor as possible – even if it sometimes means a counterintuitive step like taking yourself out of the loop.

Security, perhaps, could be broadly defined as wresting order from the jaws of chaos. Oddly enough, that task rarely appears in any private equity manager's job description – but it seems clear that a successful private equity manager does it every single day.