It is a well-known fact that mergers tend to exhaust all the parties involved. Once the transaction agreements have at last been executed after lengthy negotiations, the management often fails to give first priority to IT issues in particular, even though highly complex and urgent tasks have to be dealt with there. How can post-merger IT restructuring be implemented successfully and in a legally safe manner?

In order to actually achieve the synergy and savings potential envisaged through the merger, post-merger integration (PMI) should also involve fundamental IT restructuring. The legal aspects of this procedure, however, are as manifold as they are difficult to oversee. In fact, identifying the different problem areas and taking a step-by-step approach can considerably help the implementation of such a project.

First Step: Gain an Overview of Existing Structures

Without diligent preparation, each restructuring will be threatened with IT failures and system breakdowns. In the worst case, inadequate planning may even lead to a severe loss of data and liability claims. Most importantly, therefore, the first thing to do is to gain as comprehensive and detailed an overview as possible of the new company's existing IT structure. In cases where information on existing software, hardware and networks is already available (e.g. as a result of a pre-merger due diligence), such information may serve as the point of departure.

More often than not, however, it will be necessary to add additional details to the data obtained. Graphic illustrations of the network structures are helpful. Besides, all ongoing IT projects and their current status and all external service provider relationships as well as the relevant service level agreements should be identified. Lastly, it will be necessary to analyse and harmonise existing IT safety and compliance policies of the companies involved in the merger.

Second Step: Take Basic Strategic Decisions

On the basis of such information, the management must take the basic strategic decisions. The primary question is how the new company's IT should be structured technically and organisationally, and possibly even integrated into the overall group's IT. This requires, for one thing, a decision as to specifically what software and hardware are needed, and secondly also as to what IT processes will be required in the future, which of those tasks can be performed by own staff and which should be outsourced to external service providers. Where new technologies such as service-oriented architectures (SOA) are to be established, this is the ideal time to chart the course and help implement a future change to such systems.

In regards to ongoing IT projects, such as software developments or migration projects, the management will have to decide which of those projects are of importance to the new company and should be pursued further, and which should be abandoned.

The new company must also establish its future corporate IT governance. Issues like IT security and data protection, but also the specific requirements of national and international compliance rules, must be observed.

Given the difficulty of reaching decisions on some of these issues, it is advisable to obtain timely assistance from expert technical advisors and company lawyers specialising in IT law who are in a position to contribute the necessary know-how when needed.

Third Step: Create Synergies through Efficient Contract Management

From the legal perspective, the first problem usually arises from the fact that the merged entity is a new contracting party for service providers, suppliers and licensors. Under German law, however, a contract made by one of the pre-merger entities might prove difficult to be continued by the new company. The relevant clauses must be checked very carefully. Especially change-of-control clauses may involve unpleasant surprises.

Where entire outsourcing, service or servicing contracts, or merely certain service levels in such contracts are no longer needed, the question is whether, on what conditions and with what consequences such contracts can be terminated. If the contracts are to be continued, however, change management processes might have to be triggered or escalation management and benchmarking regulations adjusted. In this connection it would also be advisable to examine which reporting and monitoring rights have been agreed and whether any improvements are called for.

Other IT projects, such as software developments or migration projects, also deserve particular scrutiny within the context of the restructuring. Where an IT project is to be ended based on the strategic decisions reached before, one will have to look at how the related contract can be terminated. While the pitfalls of German contract law must be carefully heeded, an expert's assessment of possible damages or compensation payments will be required, too. If a contract is continued, it is possible that the contact persons or the competent project groups will have to be newly appointed and notice of such changes provided to the contracting parties so as to enable uninterrupted communication with them.

If a contract can be continued on changed conditions only (because, for instance, certain software now needs additional functionalities), the change management processes as agreed by contract must be triggered. If a project is about to be completed, the agreed test and acceptance procedures and the related time limits should be checked so as to ensure successful completion. In cases of doubt, it will be advisable to agree with the contracting partner to put the project on hold until final clarification of any existing problems.

Forth Step: Examine Options Available to the IT Asset Management

A well-structured IT asset management offers further savings potential. Concerning software, what is most important is proper license management, which also covers the acquired entity. Savings may be achieved by establishing a central office in charge of managing the software licenses; this would also ensure that important license proofs are easily available. If stocktaking reveals that the pre-merger entities licensed redundant software, it must be examined whether any such licenses may be returned or resold. This requires a review of the relevant terms in the license contracts concerned. However, the resale of licenses in particular involves a few legal catches, the circumvention of which necessitates expert legal advice.

If the continued use of software is planned, a sufficient number of valid licenses or a suitable license model must be available. Where necessary, additional licenses must be obtained or renegotiated at short notice. In this context, the scope of the licenses must be taken into consideration. If software is provided via a terminal server, for instance, stand-alone workstation licenses might not be sufficient. Similarly, the backup policies must be in line with the license regulations and requirements of German copyright law. Such measures are all the more important where the licensor has a contractual audit right which allows it to check the licensee's compliance with its license terms. Where an external provider manages software licenses, it must be noted that outsourcing does not preclude liability. Effective indemnification clauses in the relevant contracts may reduce the licensee's liability risk, however. The present situation in the new entity must be examined also with respect to hardware and networks. One important decision is whether the hardware should be financed through acquisition of ownership or leasing.

Fifth Step: Ensure Compliance and Establish IT Risk Management

IT risk management basically means avoidance of liability by way of reasonable means. Under German law, the company's management, i.e. managing board or managing director(s), is personally liable for all damage caused through poor IT security and is therefore, fully responsible for a functioning IT risk management. It is, therefore, obvious that IT risk management must span the entire group, i.e. particularly also the newly acquired entity. Given the broad range of legal requirements to be observed in connection with the use of information technology, it has meanwhile become very difficult to keep an overview of the legal framework conditions governing corporate IT.

The list of the legal requirements set by German lawmakers has grown rather long. For example, when electronically archiving company data, the company must make sure that the "Principles of Proper IT-Based Accounting Systems" (Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme (GOBS)) and the "Principles Regarding Data Access and Susceptibility to Verification of Digital Documents" (Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GdPDU)) are fulfilled and that the archiving periods as prescribed in the German Commercial Code (HGB) and in the Fiscal Code are met.

Furthermore, the "Act to Ensure Corporate Control and Transparency" (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG)) and the "Transparency and Disclosure Act" (Transparenz- und Publizitätsgesetz (TransPuG)) provide for more requirements of safety and transparency of corporate processes. If the German company has a U.S. parent, then even the standards of the U.S. Sarbanes Oxley Act (SOX) must be satisfied. In view of this complexity and diversity of the issues, in many cases it will make sense for companies to establish a group-wide IT steering body or equivalent organisation structures for IT governance and IT compliance within the group.

Since the issue of IT security is another important aspect within the IT risk management, the revision of all safety-relevant fields should be very high on the to-do-lists of those corporate officials who are in charge of the restructuring. It is important to analyse the new potential risk faced by corporate IT and on that basis, to introduce new group-wide IT security policies or extend existing policies to the acquired entity. It is essential that such policies already apply during the transition phase, in order to ensure the availability, but also the integrity and authenticity of all sensitive data, especially during such a tricky and risky phase. Adjusted or supplemented disaster recovery plans serve to secure business continuity in case of a breakdown.

In order to effectively implement the new IT safety policies, they should also be immediately communicated to the external service providers. Furthermore, to avoid any misuse, particular attention should be paid to the user accounts. This especially holds true if any staff was laid off during the course of the restructuring.

Conclusion

In the context of an IT restructuring, the management must master not only technical, but also serious legal difficulties. While some of the difficulties have to do with specific regulations of German law, others may arise from contractual arrangements. If such problems are solved and the legal requirements examined diligently, this will contribute considerably to the successful finalization of the merger also in terms of IT. This requires both comprehensive preparation and planning and the resolute implementation of the measures identified. Yet, the legal aspects should be regarded not only as a problem, but also as a chance that may be used to the benefit of the company within the context of the restructuring.