Law firms are increasingly deploying their own Internet-based virtual data rooms (VDRs), as part of their basic document management solution. This is a good idea in theory because it keeps confidential documentation in-house, leading to a sense of greater control. It also expands the use of the VDRs beyond the relatively small number of service providers that operate facilities. Often, the firms use white-label VDR technology supplied by a vendor.

Interestingly, some of the most active law firms with internal data rooms are still contracting data room services.

We took a look at the three main reasons for this phenomenon:

Reason #1: Service

Creating an internal VDR takes knowledge, project management and human resources. Law firms may have all three at their disposal, but it’s challenging to duplicate the services offered by an experienced Virtual Data Room Provider, including:

  • Project management for each transaction including a dedicated deal co-ordinator if required
  • Scanning and indexing assistance from experienced personnel
  • Technical support available 24/7 that isn’t reliant on the law firm’s business hours or IT department
  • Platform uptime supported by load balancing and failover systems, hardware redundancy and AlwaysOn technology
  • High availability, with regular backups, daily verification and file histories.

To enjoy the same level of competency in-house as that supplied by a qualified vendor, law firms would need to employ staff with specialised knowledge and experience. Unless the workload is sufficient to keep the staff occupied full-time, you’re likely to end up with expensive redundancy that outweighs the cost savings gained with DIY data rooms.

Reason #2: Accountability

Most law firms work mainly with client documentation, particularly when involved in a merger or acquisition for which the company provides legal counsel. The need to retain accountability over sensitive data in-house frequently drives firms to consider implementing their own VDRs. It’s a misconception, however, that a data room is more secure because it is managed internally. In fact, the opposite could apply, if you consider the risks posed by the ‘human factor’ to VDR managers who are less than expert at their work.

These risks include social engineering, which is divided into technology-based and human-based deception, and covers behavioural issues such as:

  • Hacking and other electronic risks, which are difficult to overcome without having several appropriate measures in place
  • Access by unauthorised people, such as junior staff or an unvetted janitorial crew
  • Password sharing among ‘trusted’ colleagues
  • Shoulder ‘surfing’ in open-plan office environments, which once again relies on trusting that co-workers aren’t snooping.

The legal team involved in a client’s transaction is responsible for the safekeeping of the data, and if it is leaked or compromised in any way it can cost the client—and the law firm—a significant amount of money, not to mention the harm to their reputations.

Reason #3: Security

Few private companies have the ability to provide the level of security needed to protect the information in virtual data rooms. A professional VDR provider has an obligation (and a service level agreement) to ensure client information is safe in all respects, including:

  • Having secure premises for the servers, where they are protected from fire, theft and other physical hazards
  • Strong firewalls and intrusion defence mechanisms to protect sensitive data against hacking
  • Employees trained in the security requirements of a VDR
  • Good access controls and data segmentation to enable only authorised personnel to view sensitive material
  • A sound document management policy with active version control

Unless your law firm is able to guarantee all the operational benefits of using an external data room, it’s best to leave this critical task to the experts and focus on the legal aspects of your clients’ activities.