Regardless of industry or which side you represent in an M&A transaction, significant privacy and cybersecurity concerns can arise at all stages of a proposed deal.
Privacy law reforms in Canada and the U.S., not to mention globally, are steadily rolling out, with new and varied requirements to consider. At the same time, the accelerated digitization of businesses and their supply chains has meant that organizations are increasingly at risk of cyberattacks. Buyers and sellers need to account for all of it: ensuring regulatory compliance and deterring privacy breaches, facilitating and conducting adequate due diligence of privacy and data governance-related matters, including understanding reputational, enforcement and litigation risks related to privacy and data governance—and drafting deal documents thoughtfully to properly allocate risk.
The due diligence process of an M&A transaction requires the seller to disclose certain information to bidders and, ultimately, a buyer. Prior to populating the data room, the seller should consider whether there are any privacy considerations they need to address arising from the buyer’s disclosure requests. For some types of documents or information, privacy concerns are more obvious. Employees’ social security numbers and customers’ credit card information, for example, clearly constitute sensitive personal information that should not be disclosed by the seller to the buyer unless some form of consent has been previously obtained or there is another legal basis to share this information.
Although an absence of breaches or complaints may initially seem like a good indicator of good privacy and cybersecurity management, their absence may be a result of poor testing and detection—and could raise concerns about the cybersecurity and privacy fitness of the seller.
The seller will want determine whether it is even necessary to disclose such personal information to bidders for the purposes related to the transaction. Besides selecting the personal information that’s disclosed to the buyer, the seller may further mitigate risks of breaching privacy obligations to its employees and customers by entering into confidentiality agreements with the buyer, redacting personal information or adding extra password protection to particularly sensitive information. The Canadian PIPEDA prospective business transaction exemption requires that the parties enter an agreement limiting the use and disclosure of personal information, and ensuring safeguards around it, before the information can be disclosed—this is usually documented in an NDA.
Before embarking on a sale process, a seller should be aware of—and ensure it can reasonably demonstrate compliance with—its obligations pursuant to internal privacy policies, if any; relevant privacy and cybersecurity contractual commitments; and applicable privacy laws and industry standards. A seller may have policies specific to information obtained from its employees, customers and vendors, among others. A seller will want to confirm compliance with its own policies, update the policies as appropriate, and prepare to explain any lapses or gaps.
A crucial aspect of the buyer’s due diligence will be understanding the seller’s history of compliance with applicable privacy laws and general “hygiene” when it comes to the security of the seller’s information technology management and data governance systems. Sellers should be ready to answer questions and disclose information about past cybersecurity incidents, complaints received from employees, customers or other stakeholders, and risk assessments done internally or externally.
Buyers should be aware that privacy laws in Canada are dictated at the federal and provincial levels, with certain industries or types of personal information further regulated, such as organizations that handle health information. The privacy law regime in the United States is more fragmented, with some states, such as California and Virginia, adopting stringent privacy laws, while others impose little guidance. Many factors influence the applicability of federal, provincial, state or other local laws, including the location of the target’s operations and its customers, locations of servers and electronic storage facilities and the extent to which the target transmits sensitive data, such as health and financial information. Similarly, businesses operating in areas such as health care or insurance are subject to additional sectoral privacy laws, and sellers and buyers alike should be cognizant of compliance with industry-specific obligations as part of the due diligence process.
Indemnification for regulatory penalties will soon become a more significant issue in Canada given proposed legislative changes that will add financial penalties to privacy enforcement, whereas many U.S. states leave enforcement to the state attorney general.
Now more than ever, it is critical for a buyer to confirm a target’s past and current compliance with applicable privacy laws and obligations. A buyer should calibrate its review for type of acquisition: for share acquisitions, for example, the buyer will assume the target’s liabilities for regulatory violations and data breaches. Buyers should also consider engaging experienced third-party cybersecurity specialists to supplement the due diligence process. Specialists can assess the seller’s policies and procedures, and evaluate the security of the actual software and equipment used by the seller to store, process, and protect personal information.
How should buyers assess their findings from due diligence? To start, a history of privacy breaches, security incidents, customer or employee complaints, or fines from regulators could indicate serious systemic deficiencies in the seller’s internal controls with respect to its privacy and cybersecurity obligations. Understanding the target business’ history of such incidents can inform the buyer of the types of improvements that may need to be implemented pre- and post-closing, as well as potential exposure to any liabilities after the transaction is complete. Such disclosure also allows buyers to determine whether the target company is actively tracking and detecting privacy or cybersecurity problems as they arise. Although an absence of breaches or complaints may initially seem like a good indicator of good privacy and cybersecurity management, an absence of such events as a result of poor testing and detection processes is not helpful for the buyer’s due diligence review and could raise concerns relating to the target’s cybersecurity and privacy fitness.
The buyer should also inquire about any cyber-insurance maintained by the seller, to cover any potential liability arising from breaches or cybersecurity incidents and consider whether it would be prudent to obtain a cyber-insurance policy after the transaction if there is no existing coverage. If the seller has previously tested or audited its cybersecurity measures, the buyer should review the results and note any outstanding issues that have not been addressed.
Concurrent with the due diligence process, the buyer and seller will be drafting and negotiating several deal documents, the central focus of which is the purchase agreement. The buyer’s review of the seller’s privacy and cybersecurity management will inform the types of representations, warranties, covenants, and other rights or obligations that will need to be included in the purchase agreement.
Sellers will typically include knowledge qualifiers in their representations relating to the absence of data breaches in order to reduce the scope of their liability. This may significantly weaken the buyer’s ability to recover losses post-closing for an undiscovered breach. Including look-back periods instead of knowledge qualifiers can help both parties find a balance of managing their liabilities. Conversely, a knowledge qualifier may be appropriate for representations relating to the absence of privacy regulatory complaints, as a seller would not typically be expected to indemnify a buyer for complaints that have not been raised as of closing. The difference here is whether the representation points to an internal failure that may give rise to liability versus an external claim.
If the seller is covered under a pre-existing cyber-insurance policy, claims made during the pre-closing period may be covered, which can be useful if the seller will have few or no assets post-closing to satisfy an indemnity claim by a buyer. In this case, the buyer will want to understand the scope of the cyber-insurance policy’s coverage and ensure it is not eliminated or reduced by the transaction itself.
Canadian privacy legislation PIPEDA requires that a party notify individuals whose information was transferred as part of an asset purchase without their advance consent. This will typically fall on the buyer, as such notice can be provided when re-papering agreements or otherwise announcing new ownership, and should be documented in the purchase agreement.
In the context of M&A transactions, buyers and sellers have differing and occasionally competing priorities when it comes to privacy and cybersecurity considerations. Both parties have the ultimate goal of completing the transaction, and privacy and cybersecurity obligations are an increasingly important aspect of the due diligence process in the face of ongoing global privacy reform, the commercial value of personal information, and relentless cybersecurity threats. The considerations we have outlined here apply not only to the scope and content of the final written agreement, but also any post-closing integration or remediation work that may be required to ensure valuable data can continue to be used and protected by the purchaser.