We all talk about the importance of data as business assets, but when it comes to buying and selling the companies that own them, we seem not to pay much attention. My anecdotal survey reveals that colleagues who focus on mergers and acquisitions confess to a lack of focus on trade secrets.
This may seem odd, even crazy, given the increasing percentage of industrial property represented by intangible assets—up from 17% in 1975 to 84% in 2015. The problem appears to start with the fact that secret information, no matter how central to the success of the business, is mysterious. Unlike the “registered rights” of patent, copyright and trademark, there are no government certificates defining secrets; and valuing them is hard. Add to that the imperative to get deals done faster and cheaper, and it’s easy to see how secrecy may have become the blind spot of transactional IP.
And there are plenty of opportunities to miss things. The statistics for 2018 reflect 49,000 M&A deals worldwide, accounting for $3.8 trillion (yes, trillion) in cumulative value. Given what we know about the extent to which industrial assets are intangible, and given the well-known preference for using secrecy to protect innovations, we would expect that the “due diligence” review for most transactions would include an intense examination of the target company’s trade secret assets and liabilities.
But that’s not what’s happening. I have spoken to quite a few lawyers who participate in this work, and have also reviewed dozens of due diligence “checklists” they typically use to guide their investigations. In many cases I was surprised to learn that trade secrets are not even on the list, crowded out by the “registered” IP rights—patents, trademarks and copyrights—that can be counted and (presumably) more easily valued. And where trade secrets are included, it tends to be a cameo appearance, usually just a note to ask the company how it protects its proprietary information from disclosure. Sometimes, I was told, the “momentum” of a deal leads to a reduction of even these minimal inquiries.
Inattention can have serious consequences. For the target of an acquisition, there is the almost existential risk of exposing core secrets to a suitor who ultimately walks away from the deal and goes into direct competition. But the potential buyer also faces a broad array of hazards, including exposure to information that could compromise its own internal development, failure to uncover liabilities from access to third-party data, and ultimately a lack of preparation for the post-closing integration of different confidentiality cultures and processes.
Let’s first consider the target company. It may seem strange, but the target’s first priority should be the risk of success: if the deal goes through, it will have to provide very extensive “reps and warranties”—essentially, guarantees about the security of its information assets and freedom from third-party claims. The target needs to start preparing for this moment early in the process, by revisiting its trade secret protection program as well as its compliance with outstanding nondisclosure agreements (NDAs).
And then there is the more classical risk of the acquirer abandoning the deal after having had a close look at the target’s secret technology, strategies and other data. The best way to address this risk is through what I call progressive incremental disclosure: starting with a non-confidential exchange, and then working gradually through increasingly sensitive information as trust and confidence build. Ultimately, the target needs an NDA with maximum protections, including a broad definition of confidential information and protection for verbal disclosures. Beware of time limits and exceptions like the “residuals clause” (see below).
For the potential acquirer, the primary objectives are to keep options open and avoid unnecessary contamination by the target’s data. That risk is particularly fraught when the company already has an internal development program in place and is going to the market to consider alternatives. The biggest mistake is to include in the deal team people who are also involved in the internal project. Some situations are so sensitive that the potential acquirer may hire a third party to do the due diligence and provide only recommendations, without revealing any of the target’s technology.
The ideal NDA for the suitor is different from the one for the target, and that initial contract should be very carefully considered and negotiated. To limit administrative burden, obligations of confidentiality should expire after a set time. Verbal disclosures of the target’s secrets, if not forbidden, should be subject to a strict documentation requirement. And where the company has enough leverage, it should insist on a “residuals clause” that allows any use of the target’s information that is “retained in the unaided memory” of the individual participants after all the documents have been returned.
Once confidentiality obligations have been settled, due diligence can begin in earnest. And at least as to trade secrets, this needs to be more than a box-checking exercise. What are the target’s most valuable data assets, how vulnerable are they, and what has the company been doing about that vulnerability? Deploying cybersecurity controls is good but only addresses a fraction of the problem, since the vast majority of losses occur through employees or contractors, or through trusted external relationships. Systems and procedures for managing information risk need to be thoroughly examined.
All of this learning informs not just the decision whether or not to acquire the target company, but also the inevitable challenges that will confront the acquirer after closing the deal, as it attempts to integrate a new group of colleagues who may have been operating under a very different confidentiality regime, or perhaps none at all. The transition plan should account for the policy and process gaps discovered during diligence together with a robust training program to reinforce the new access and security regime.
Participants in the M&A mating dance should not let their enthusiasm for the deal get in the way of a clear understanding of the assets being acquired. There are more than enough business risks to go around, and secrecy management can always be improved. But you have to pay attention to it.