IP Law Essentials

Best Practices: Protecting Your Trade Secrets in the M&A Virtual Data Room


  1. Introduction

Every day, businesses large and small are seeking to be acquired, in whole or in part. (While such efforts are often described broadly as "M&A activity" they are much more commonly aimed at "Acquisitions" than "Mergers"). Naturally, potential buyers of a business will be keenly interested in the nature and value of the seller's assets, including its IP assets, chiefly patents[1] and trade secrets. While there are any number of checklists available online, there is no "one size fits all" resource every potential deal demands close attention to the particular circumstances of both the seller and potential buyers. Does the target company plan to seek multiple bids, or is there a particular buyer who the seller seeks to attract? Will one or more competitor companies be accessing the data room? Will the purchaser be able to self-finance the transaction, or will third-party funding be necessary? Are the seller and buyer public companies? Every scenario comes with its own considerations.

  1. Non-Disclosure Agreements (NDAs) and the M&A Process

The NDA is a well-known tool widely employed by businesses seeking to protect their confidential information, including trade secrets. Here are some points for the parties to bear in mind when crafting NDAs for the M&A process:

  • The seller of a business will always want to have potential buyers execute a carefully drafted NDA before gaining access to any of the selling company's confidential information, but sometimes when two companies are exploring the sale/purchase of a business the parties will want to enter a mutual or "two-way" NDA to protect the security of the information they exchange during the course of negotiations.
    • The seller may be especially interested in gaining access to the buyer's confidential information where the buyer proposes to offer shares of its own stock as part of the consideration, or where the buyer must qualify for third-party financing to make the deal work. In either event, the seller will be keenly interested in assessing the buyer's financial condition.
  • If the seller intends to proceed with a unilateral NDA, consider:
    • A seller that has especially sensitive trade secrets may wish to withhold disclosure of its most important trade secret information until a later stage of negotiations, especially where there are multiple bidders, or when there remains some doubt about whether a single suitor is willing (and able) to pay an acceptable price to acquire the seller's business. Sometimes a second, more targeted NDA may be called for.
    • The seller may wish to specify which individual representatives of the prospective buyer have a "need to know" the seller's trade secret information for the specific purpose (e.g., evaluation of the proposed business transaction) and thus will be granted access to especially sensitive trade secret information. Such a provision may also impose limitations on whether, how and with whom the specified individuals are permitted to communicate regarding that information.
    • The seller should consider whether to include a provision in the NDA that prohibits the prospective purchaser from: (1) reverse engineering the seller's product design or decompiling the seller's source code; and/or (2) using the seller's confidential information as a basis for protection of the prospective buyer's intellectual property (e.g., in a patent application).
    • Any NDA will almost surely have an expiration date, but the selling company should provide an exception so that there will be no expiration of the potential suitor's obligation to maintain the confidentiality of (or to destroy/return and not use) any of the seller's trade secrets for so long as they continue to constitute trade secrets under applicable law.[2] Any obligation to destroy documents containing trade secret information should be accompanied by a requirement that a written and signed certificate of destruction (and perhaps of non-use/non-disclosure) be delivered to the seller.
    • The NDA should specifically cover the seller's remedies in the event of a breach, including the right to injunctive relief and the ability to recover attorneys' fees.
    • Pay close attention to "boilerplate" provisions that are all too often given short shrift. What jurisdiction's law controls? In what forum may any suit for breach of the NDA be filed? What is the availability of equitable relief? Must a bond be posted? Are attorneys' fees in any dispute allocated by contract? These can prove to be of pivotal importance, especially in cross-border agreements in which the seller and a prospective buyer are based in different countries.
  1. The M&A Virtual Data Room

The process by which a business entity seeking to be acquired would make its most confidential business documents and data available to potential purchasers for their due diligence review "used to involve a locked room replete with sensitive documents and guarded 24/7."[3] Nowadays, of course, the "locked room" is still "guarded," but the security is incorporated into an online site's scrupulously designed and maintained safeguards that both provide ready access to the potential purchaser's approved personnel (which may in some cases be limited to "outside counsel's eyes only" respecting especially sensitive confidential information) as they review those and only those materials to which they're permitted access, while insuring that no one can view (let alone download) any information that is meant to be off-limits.

The virtual data room ("VDR") may be hosted by the selling company, a third party (such as an investment banker), or by a VDR service provider. Regardless of which hosting option is chosen, the protection of the selling company's trade secrets during the due diligence process requires that the VDR be organized and equipped with appropriate security measures in place. These include, at minimum:

  • Whatever level of security is required for less sensitive documents/data, access to trade secrets and other highly confidential information should not only be password protected (with access limited to specified individuals consistent with the parties' NDA) and should clearly label each document containing trade secrets as "TRADE SECRET" in filenames and/or watermarked notices on each document.
  • Trade secret information should not be downloadable.
  • Access to trade secret information should be continually monitored and logged, recording for each document when it was viewed, by whom, and for how long.
  • Particularly when the potential buyer is a competitor of the target company, access to trade secret information may be sequenced so that it may only be viewed during the late stages of the due diligence process.
  • The VDR should also feature industry-standard cybersecurity protection all parties to the transaction have a vested interest in preventing cyber-breaches.
  1. Conclusion

Trade secrets are in a class by themselves in the IP universe their value depends entirely on their at all times remaining . . . well, secret. For the business organization that seeks to be acquired, it is imperative that the due diligence process, from beginning to end, be carefully conducted in a way that ensures that the security of its valuable trade secrets is never compromised.


More questions? Contact the authors or visitFish's Intellectual Property Law Essentials.

[1] The focus of this article is on trade secrets. For a discussion of data room security for companies seeking to sell all or part of their patent portfolio, see Chad Shear and Teresa A. Lavoie, The Data Room in Patent Due Diligence: Perspectives from Two Doors, reprinted at https://www.law.com/therecorder/2020/05/29/the-data-room-in-patent-due-diligence-perspectives-from-two-doors/

[2] While some "perpetual" restrictive covenants in a non-disclosure agreement have been found to be unenforceable as an unreasonable restraint on trade, see, e.g., Duo-Fast Carolinas,, Inc. v. Scott's Hill Hardware & Supply Co., 2018 NCBC 2 (N.C. Super. Ct. Jan. 2, 2018) , non-disclosure agreements that pertain specifically to trade secrets have been upheld. See, e.g., Ashland Mgt.,Inc. v.Altair Invs. NA, LLC, 2008 NY Slip Op. 10061 (59 AD3d 97, Dec. 23, 2008), available online at http://www.nycourts.gov/reporter/3dseries/2008/2008_10061.htm (perpetual confidentiality provision in employment agreement was enforceable where "the parties entered into a confidentiality agreement and the proprietary information at issue constitutes a trade secret").

[3] The Evolution of Virtual Data Rooms in M&A, Financier Worldwide (Sept. 2014), available online at https://www.financierworldwide.com/the-evolution-of-virtual-data-rooms-in-ma#.XukbX0VKg2w

Authors: Tommy Jacks, David Morris