====== 2-501 ======
Sue Gomez, SanDisk Corporation

If you find this article helpful, you can learn more about the subject by going to www.pli.edu to view the on demand program or segment for which it was written.

Introduction
Compliance with privacy laws and cybersecurity regulations is an essential consideration in merger and acquisition (M&A) transactions. Wise dealmakers consider data privacy and security when establishing the appropriate valuation of the M&A target, particularly when large databases containing consumer, health and financial data are involved. Failure of the target to meet its privacy and data security obligations (under law or under its own policies and representations) can present a significant risk to the acquirer. Penetration incidents, such as point-of-sale attacks, phishing and ransomware, may require significant resources to investigate, defend, mitigate and remediate. Boards and deal teams need to be aware of the risk of derivative actions, successor private rights of action, regulatory scrutiny and fines. This article sets forth some considerations for counsel in the pre-acquisition due diligence and post-deal phases of the M&A transaction.
Checklist Summary: Top 10 Privacy and Cyber Security Issues in M&A

1. Due diligence will be grueling.
2. Privacy may be just as important as the IP.
3. Cybersecurity permeates all aspects of the deal.
4. Convergence of privacy and competition law may trip you up.
5. What the target hasn't done can be just as damaging as what it has.
6. The target's third-party diligence program will prove important.
7. Governance is a differentiator: board minutes, training records and audits are golden.
8. When it comes to personal information, the acquiring company's intentions matter.
9. Reputation and trust form the basis for all things privacy.
10. Bad things can and do happen to good companies: be upfront about what happened and what was learned.
Checklist

Unfortunately, cybercrime, cyber-ransom and data breaches are all too commonplace. When personal data is collected and stored by the target, the acquirer will absorb the liability and obligations post-close.

Privacy depends on security: security without privacy is possible, but privacy without security is not. Consider the following:
Data is the "lingua franca" and a currency of sorts in many business deals. The hunger for more "eyeballs," consumer intelligence, data mining, data analytics and predictive coding means soaring valuations for web properties that collect, analyze and sell data. It also means that, for the buyer, data integrity and data pedigree are as important as traditional intellectual property. As a result, privacy should be on every due diligence checklist for review in the data room. Without proper consent, a documented history and a reasonable expectation that the data was lawfully acquired, the data so highly coveted may be worthless. Here are some considerations.

During Early M&A Discussions:
During Due Diligence
Post-Merger
Privacy may be considered a form of non-price competition, like quality or innovation. Consequently, privacy issues may form the basis for an M&A challenge by the US Federal Trade Commission or the Department of Justice if the deal is believed to result in a substantial lessening of competition through higher prices, lower quality or reduced innovation.

In fulfilling its mission to promote competition and protect consumers, the FTC's Section 5 (FTC Act) analysis can extend to merger-related conduct that could lessen privacy-related competition. FTC statements in the Google/DoubleClick matter and others have laid the framework for reviewing whether a merger adversely affects non-price attributes of competition among data-rich companies.

Companies in merger and acquisition talks should expect privacy considerations in the antitrust review, particularly if large databases of consumer information are involved. Expect inquiries into how the data will be used post-merger, how the merger will affect consumer privacy protections, and how data will be maintained, protected and used.
The focus is on whether the transaction could result in decreased privacy protections for consumers, such as with lower quality of
International investigations tend to focus on whether there is a decrease in privacy competition, whether the combination of companies would result in a dominant company with less privacy, or whether there is a concern of consumer backlash. In its publication Privacy and Competitiveness in the Age of Big Data (2014), the European Data Protection Supervisor set forth a goal for agencies to assess gaps between EU competition law, consumer protection and data protection policies.
Be prepared to provide:
If the target deploys public cloud for data collection, processing and storage, the key issues may be whether the due diligence, data location, service commitments, right of access and chain of control are robust enough to give the acquiring company comfort that data breach or misappropriation has not occurred and will not occur. With so many providers saying "take it" or "leave it" with their cloud contracts, many companies will "take it" and hope for the best. With respect to third-party contracts, the acquiring company should assess:
The use of third-party service providers is ubiquitous and inevitable. Most likely the target has some functional data stored with a service provider, and chances are it contains personal information or worker or financial data. The FTC generally, and EU data protection law specifically, expect adequate protections including breach notification, and 47 US states have specific laws that prescribe what must be done upon notice or suspicion of a breach. The EU General Data Protection Regulation (GDPR), which applies from 2018, gives companies 72 hours to notify the supervisory authority of a personal data breach, and requires notice to affected data subjects without undue delay where the breach is likely to result in a high risk to them. Privacy officers, in conjunction with IT Security and Audit departments, can make a significant difference in the due diligence process by having documented records of security checks, analyses and periodic audit/vendor verifications. Among the key issues in cloud and service provider contracts are whether the customer will have control and visibility over subcontracting, the provider's ability to change the nature of the services provided, the privacy and data security commitments, and whether the provider will be able to suspend services under commercial circumstances such as non-payment or violation of a terms of use policy. Other key terms are the rights to termination assistance and migration to an in-house or replacement solution, and whether force majeure provisions are one-sided, capturing all changes including changes of law. General questions to ask:
Governance, in the form of a general risk and controls plan and privacy and data governance programs, is often segregated by type of data or risk. For example, privacy governance may exist as part of the worker (HR) function, which is different from marketing and different again from IT and Information Security. M&A privacy due diligence often touches on all of these areas, requiring the chief human resources, privacy and information security officers to work together to respond. Targets should be able to produce documents that illustrate the governance models for the data they collect, store and maintain. Minutes of executive and board meetings, training records and risk assessments can help explain what has been done. Here are some questions to ask:
Understanding what the acquiring company intends to do with the target's data is critical to assessing gaps and determining what to make available in the data room. Unfair and deceptive practices (Section 5 of the FTC Act) can result when a company promises one thing in its privacy statement or consent notifications but actually practices something very different. Hidden cookies, tracking tools or third-party networks may be deployed by the company or its service providers without full disclosure to consumers, agencies or employees. Overly broad representations and warranties in the stock purchase agreement or due diligence documentation may give false promises about the integrity and robustness of the target's privacy

Privacy Promises
Web Properties and Social Media
Products Support
Employment Context
This applies to employees, consumers and regulators alike. Merited or not, allegations can destroy a program and the value of the acquisition. Senior management has to be responsible for caring about, and trickling down, a culture of compliance and respect for privacy, data integrity and security. With the fines and penalties set forth in the General Data Protection Regulation reaching the greater of €20 million or 4% of annual worldwide turnover, the stakes couldn't be higher. Just as boards that fail to take cybersecurity into their fold do so at their own "peril" (Luis Aguilar, SEC Commissioner, in a June 10, 2014 speech to boards of directors), regulators will likely not consider exempting or reducing fines for companies unless they can demonstrate adequate procedures and internal controls to avoid data breaches and meet privacy commitments. Here's what wise dealmakers can do:
Information about the target's deficiencies can be found during due diligence, but the fact that a breach occurred is not in and of itself a deal killer. Instead, how the company handled the actual or suspected breach, the lessons it learned, and the respect it shows for personal and sensitive information rights can give the acquirer much-needed information about the steps to ask for prior to close. Ask the target company to:
Conclusion
In summary, there are numerous reasons and competitive incentives behind mergers and acquisitions, corporate transactions and spin-offs. Including privacy rights and reasonable data security program assessments in the transaction due diligence before, during and after the deal helps companies properly handle data assets. Broadly reviewing the target's practices against the acquirer's intended uses can help prevent surprises on Day 1 and possible successor liability.
Disclaimer: This segment on Top 10 Privacy and Cyber Security Issues in M&A was prepared for and is intended as general guidance for use in the 2016 PLI Institute on Privacy and Data Security Law Conference, San Francisco, CA. The statements and errors are my own and not those of my company and should not be construed as legal advice or serve to establish an attorney-client relationship.