Virtual data rooms (VDRs) have in some respects replaced the traditional “brick and mortar” data rooms traditionally used by businesses to share large volumes of confidential information with third parties. While VDRs are most commonly used to allow potential buyers or investors to perform “due diligence” reviews of assets in the context of debt or equity financing, mergers and acquisitions (M&A), or in bankruptcy sales and/or liquidation, VDRs are also increasingly utilized to store and manage discovery materials in document-intensive litigation. There are important issues that the hosting party should consider prior to a VDR going “live,” such as the sensitivity of documents that will be available, whether access to certain information will be limited or restricted based on the stage of the sale or other process necessitating the review, clearly communicating the VDR “rules” to reviewers, and drafting and having executed appropriate confidentiality or disclosure agreements, to name a few.
In the litigation context, VDRs typically come into play in one of two scenarios—either as a tool for assembling and/or producing electronic evidence or as a substantive source of evidence in the dispute. When hosts employ a VDR provider that cannot provide auditing features, or choose not to employ the preventative, defensive-minded measures that are available in current VDR technology, such neglect can complicate future litigation, including efforts to hold reviewers accountable for their misuse of the information disclosed in the VDR. Furthermore, not employing these measures can expose the host to litigation stemming from the information that was or was not provided in the VDR. In re Topps Co. Shareholders Litigation, 926 A.2d 58, 81 (Del. Ch., 2007).
The Governing Documents Define the Rules of Play
By the time a lawsuit actually ensues, the governing documents are usually already in place, leaving the litigator to deal with the advantages or disadvantages of the underlying contract language previously negotiated by the parties. Key provisions for litigators to consider and evaluate in transactions involving VDRs include the terms and scope of the confidentiality and/or nondisclosure agreement, the terms and scope of the noncompete provisions, and warranty and representation provisions.
When Was the Confidentiality Agreement in Effect?
Most confidentiality agreements limit the time period during which information must remain confidential. While there is no “usual” term for a confidentiality agreement, it is rare for the term to be less than one year. Normally, the term is a function of the nature of the business and the specific assets that are part of the potential deal. If information related to the transaction is particularly time-sensitive—meaning that the significance of data has a short life span—then it would not be unlikely to encounter a one- to three-year term. If the information could reveal significant technical or business advantages to endure for an extended period of time, then a longer time frame was probably negotiated and agreed to by the parties. In either event, to be actionable, any alleged breach of the confidentiality agreement must occur within the span of time prescribed under the confidentiality agreement.
What Is the Scope of the Confidentiality Agreement?
Assuming the confidentiality agreement was in effect at the time of the alleged wrongdoing, the litigator must next determine what information disclosed in the VDR, and possibly during the underlying transaction, is considered confidential. Defining what is and what is not confidential is often the most important part of the confidentiality agreement, and the most litigated. An initial determination should be made as to how the confidentiality agreement defines that which is confidential—that is, whether it is limited to that information disclosed by the seller to the reviewer or whether it is defined by the nature of the information, rather than the means by which it was communicated. In other words, does the definition focus on the manner in which the information is conveyed (i.e., provided by the seller or host in the VDR or otherwise) or the inherent confidential character (due to particular sensitivity) of the information, without regard to how or by whom such information is communicated. This latter approach is arguably better from the seller’s standpoint, as it “follows” the information, rather than the means by which the information is communicated.
For example, suppose a host wants to file breach of contract or trademark infringement claims against a VDR reviewer who has used information disclosed during the review in a manner the host believes to be outside the scope of that intended by the parties. It will be important to determine whether the confidentiality agreement covers only information that was disclosed in the VDR or if it is broad enough to cover information that was provided in the course of the transaction by employees or third-party agents of the host, or even outside the transaction by rogue employees or third parties acting outside the scope of any agency relationship. This could be a critical determination in the context of litigation based on the actions of a reviewer given access to the host’s confidential data but with whom a deal ultimately was not finalized. It is not uncommon for potential purchasers or other reviewers to feign interest in the underlying transaction solely to gain access to the information uploaded into the VDR and to which it would otherwise not have access. It is important to determine whether the “veil” of confidentiality remains in place under these circumstances.
Do the Governing Documents Include “Noncompete” Clauses?
After determining the scope of the confidentiality clause, the next determination is whether or not a noncompete provision or other restrictive covenant was included in the governing documents. From the host’s perspective, these clauses help to further safeguard against third parties wrongly using information obtained through a VDR or otherwise exchanged during a sale or other due-diligence process. Several of the considerations described earlier should again be evaluated in the context of restrictive covenants included in the governing documents—i.e., was it still in effect at the time of the alleged breach, who is bound and under what circumstances are those persons bound by the restrictive covenant.
Other considerations include whether a “noncompete” penalty clause was included in the governing documents. Instead of an outright prohibition on competition, such a clause typically provides that in the event of a competitive use of the information, the reviewer will be obligated to pay a specified amount of damages to the host of the VDR providing the confidential information that served as a basis for the transaction. For example, in the context of an oil and gas transaction, some exploration and production (E&P) companies trying to sell assets will require a potential purchaser that views confidential data during the sales process and who later purchases assets from a different entity in the same geographical region to pay the E&P company a specified percentage interest in the assets purchased. Other restrictive covenants often encountered and of which a litigator should be aware are non-solicitation provisions restricting a party from soliciting employees, vendors, or customers and, if the disclosing party is publicly traded, “standstill” provisions that prohibit a reviewer from acquiring any stock of the disclosing party (to prevent a possible hostile takeover) and clauses reminding the reviewer of its duties under applicable insider-trading laws.
What Warranties and Representations Were Made in the Governing Documents?
Breach of warranty and/or misrepresentation claims can arise under circumstances when the invitee alleges that the host failed to provide or misrepresented certain vital information in the VDR prior to his or her purchase of an asset. In analyzing the viability of the claims, the litigator needs to evaluate the warranty and representation section contained in the governing documents to determine what representations and warranties were made relating to the host’s responsibility to disclose material information in the VDR for the reviewers to review. Specifically, the litigator should determine, under the terms of the governing documents and possibly as required by law, what material information must be disclosed, whether the representations or warranties were “clean” or “qualified,” and whether the governing documents provided a disclosure schedule of when and under what circumstances the host would provide material information to the reviewers.
If a “knowledge” qualifier has been used (e.g., “To the seller’s knowledge, no claims are asserted against it or the assets. . . .”), VDRs can be especially important because defining who knew what, when, and how is the essence of a knowledge qualifier. Furthermore, a potential purchaser having viewed a document (this can be traced through the use of a VDR) and therefore having knowledge of a certain key piece of information can prove critical for defending a lawsuit based on the breach of a representation or warranty. Likewise, if a potential purchaser did not have access to certain information (either by being blocked in that section of the VDR or otherwise) and can show such, then this information could prove useful in prosecuting a breach of representation or warranty claim. See In re Topps, 926 A.2d 58, 81.
A VDR’s Security Features
Any claim based on information contained in a VDR will generally involve at least two questions. First, what documents were uploaded to the VDR (and which ones were not), and second, what documents were actually reviewed? The first question is easily answered, regardless of the VDR provider; however, proof of the second question is dependent upon the inherent capabilities of the VDR service provider. Nicholas Renter, a regional sales director for the Greater Texas Region for Merrill DataSite, a VDR provider, believes that when initially analyzing the potential of future litigation, a litigator should request the following information to determine how helpful the auditing features of the particular VDR site purchased will be in developing evidence to either support or defend against future litigation.
It is important to determine whether the VDR provider allows an invitee to search all page-based file types included in the VDR on a page level. This will enable users to realistically review tens of thousands of pages. Alternatively, it will allow the host to analyze what information his invitees have searched based on each invitee’s specific search criteria. In addition, it is important to determine whether your VDR provider can provide a report on which documents were reviewed and printed down to the individual page level. Further, it may be important to determine when, down to 1/100 of a minute, a document page was reviewed by an invitee. When initially setting up the VDR, some consider these features unnecessary. However, should litigation arise, they are absolutely critical.
Track Documents Reviewed
Viewer tracking is a must-have security feature that can diffuse potential “failure to disclose” litigation or substantiate your client’s claims that the not-so-well-intentioned third party used confidential information provided in the VDR in a manner not contemplated by the host. For example, in a trade secrets case, a first line of defense often raised is that the alleged misappropriator did not use the “trade secrets,” but instead based its business decisions on information legitimately obtained from other sources. A VDR can help in this case by easily showing not only thatthe alleged misappropriator viewed confidential information, but also when, for how long, and whether such information was flagged or printed and removed off-site. This could prove crucial for proving that the reviewer accessed the information in the VDR, when it was accessed, and the extent to which it was printed or otherwise downloaded. This evidence, when combined with other evidence or what was publicly or otherwise available, can be compelling in proving the trade secret claim.
Track a Viewer’s Activity in the VDR
Another line of defense is to have your VDR service provider supply reports on a viewer’s activity while inside the VDR. Activity reporting can provide up-to-the-minute information regarding how long a viewer was in the system, what documents were reviewed, how many times they were viewed, how much time was spent reviewing those documents, and whether the documents were printed. In the alternative, activity reporting may show that a reviewer had a practice of logging into the VDR but not actually viewing documents.
One risk that is inherent in any sales process and especially in an auction scenario is “data mining.” This is the practice of a potential purchaser presenting itself under the guise of being interested in pursuing a transaction when it is actually interested only in learning its competitor’s business information, much of which is likely sensitive and confidential, for its own competitive advantage. A VDR feature allowing a host to track the type of information being viewed arms a seller with knowledge that may send signals as to a potential purchaser’s true intent. For example, assume a potential purchaser and the seller are rivals in highly competitive oil and gas play. If the potential purchaser spends the bulk of its time reviewing well data, without reviewing other information that would give a broader picture of the company as a whole, this could be one indicator that the potential purchaser has no intention of making an offer and, instead, is focused on data mining for improper purposes.
Roll Out Information on a Need-to-Know Basis
One way to protect your client’s confidential information from not-so-well-intentioned viewers is to roll out the confidential materials on a staggered or need-to-know basis. This is particularly helpful in an auction context, where bidders are narrowed down from a large pool of initial bidders. The idea is that basic company information on general corporate matters, organization information, capital stock, basic financial information, and tax matters will be initially available to all users. As the pool of serious bidders is narrowed, access can then be given to more sensitive information regarding the assets, contracts, employees, etc. Users should be made aware at each stage of the “unveiling” what type of information will be available.
Require the User to Reaffirm the Confidentiality Agreement
A final security measure to consider, in addition to requiring a VDR user to reaffirm the confidentiality agreement upon log-in, is to require a user to reaffirm the agreement at various stages of review. To do so upon each page may be overly cumbersome, but a periodic reaffirmation upon moving into a new category of information (e.g., general corporate matters and contracts) will reinforce that the material contained therein is subject to a confidentiality agreement and helps overcome a potential argument that a user did not understand what material was and was not covered by the confidentiality provisions.
VDRs are changing the landscape of how corporate transactions are structured and, in turn, are changing the game for deal-related litigation. They can be a powerful tool for managing data and tracking the review of information. With careful thought and planning at the outset, VDR technology can be a powerful tool to protect your client’s interest not only in the underlying transaction for which it is employed, but also in any litigation that may arise out of that transaction.
Keywords: litigation, business torts, technology, virtual data rooms
Copyright © 2011, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).