A decision that must be made early in the transaction process is how to apply information security practices to transaction communications. There is a range of options, and in perception (and often in reality) there is a continuum of trade-offs between convenience and security.
It is critical that security protocols are openly addressed and consistently applied by all parties to govern how information (like due diligence information and question responses) and documents (like agreement versions) will be exchanged and how other transaction-related communications will occur. While everyone should feel some discomfort using unencrypted email, in almost every transaction unencrypted email will be used to exchange at least some information. And surprisingly, a large number of transactions still rely solely on unencrypted email communications!
Secure dataroom and file sharing platforms are available, but use of these platforms is sometimes met with resistance. The two most common concerns are inconvenience and control being in the hands of just one transaction party. We discuss the one-sided control issue in our article “One-Sided Solutions Don’t Make Transactions More Efficient.” But what about convenience?
There is no question that email is the most pervasive form of communication. Its accessibility on a range of devices is instantaneous and convenient. For this reason, it has a place in every transaction. The challenge is defining when email should be used in the transaction process and how those acceptable email communications should be paired with more secure dataroom and file sharing services.
One thing is clear – unencrypted email should not be used to share confidential or sensitive information. An email containing a link to a document stored on a file sharing platform (that can be accessed by simply clicking that link) should not be acceptable. The simple forwarding of that email would afford another party access to that document. This situation was addressed by a US Federal District Court in Virginia in 2017. In that case (involving Harleysville Insurance Company) the court ruled that documents uploaded to a file sharing platform (which was accessible to anyone who had access to the link) were not protected by “attorney-client privilege.” The rationale for attorney-client privilege – that confidential communications between an attorney and client should be protected – is not that different from the rationale for legal protection of confidential information and trade secrets where diligent steps have been taken to maintain confidentiality. So providing access to a document via a link in an email is not a proper way to handle confidential information.
An element missing in the Virginia case was a password requirement to access the document (or ideally, the file sharing platform itself). While a password or login requirement adds minor inconvenience, it is important for a platform that will store confidential information. It is necessary for legal protection, and more broadly it is essential to reduce the risk of sharing information with unintended parties, which could lead to long-term business damage. Ideally, password protection for a platform containing highly confidential information would be supplemented with two-factor authentication – which unfortunately further increases the risk that users will be frustrated by perceived inconvenience “slowing down the deal.” The result of an inconvenient approach to file sharing or document encryption is ultimately, and sadly, reversion to traditional unencrypted email.
Apart from legal protection of confidential information, the ultimate goal is the effective and efficient completion of the transaction. The key to achieving this goal while maintaining the security of the information and documents is to define the proper set of transaction participants and make documents and information available to them in a secure and controlled way. Email does not achieve that goal.
What is the solution? Here is what we suggest as the best approach to the security/convenience trade-off:
- Plan from the outset to use a combination of a secure information and document sharing platform and traditional email. We suggest that you look at Transaction Commons as the best solution for a transaction information and document sharing platform.
- Assess the overall confidentiality of the information that will be shared. If it is highly confidential, require two-factor authentication for file sharing platform access.
- If only a few documents are highly sensitive, password-encrypt those documents (using the native document application) before posting them to a platform without two-factor authentication. Share the document password separately, but not by email.
- Utilize email for notifications, schedule coordination, isolated (and non-confidential) issue discussion, and planning. Do not use email for sensitive substantive discussions or the exchange of transaction documents.
- Carefully define the transaction participants. We recommend uniform access to any file sharing platform for all transaction participants whenever practical. Any other approach creates the risk of incomplete access for some or unintended access for others.
- Develop a standard approach to email communication among the transaction participants. All transaction participants should have notice of the availability of new information or documents (ideally generated by the file sharing platform). Other communications by email should conform to the agreed-upon approach. Recognize that unless all transaction participants are included in all email communications, not everyone will be fully informed.
This combined approach of using email and a secure transaction platform takes advantage of the best of each element – the immediacy and convenience of email, paired with the improved security and organization of the file sharing platform. It is also consistent with the level of attention required for different transaction functions. Coordination and notification should be quick and easy. Transaction information and document review and negotiation warrant more careful attention – and the exercise of logging on to a secure platform (with or without two-factor authentication) should be viewed as a cautionary reminder, and not as an “inconvenience.”
At Transaction Commons we are focused on overall transaction efficiency. And we would say that convenience does not equal efficiency. Efficiency must be evaluated at the overall transaction level. With a platform like Transaction Commons, what might appear to be an inconvenience (logging on to access documents and information) leads to efficiency in the broader scope of the transaction process through improved organization and consistent communication among the transaction participants. With Transaction Commons, efficiency and convenience can be improved at the same time that better security is implemented – and the perceived trade-off between convenience and security disappears!