Alessandra (Ali) Harkness
Privacy law compliance and data security are increasingly material considerations in M&A transactions. Purchasers and sellers alike have an interest in mitigating risk and ensuring compliance with applicable laws and standards. Sellers enhance the value of the target business and minimize their indemnification risks when they prioritize privacy and data security and engage in a transparent sales process. Through effective due diligence, purchasers can uncover deficiencies and create a plan to resolve concerns, avoid violations of law, reduce liability, and prevent reputational harm.
In this article, we review the basics of privacy and data security due diligence and common issues that arise in M&A transactions. Finally, we analyze the importance of remedying deficiencies after closing a transaction.
In today’s environment, a business’s attention to the privacy and security of its data and personal information is paramount. The risks and consequences of a data breach or ransomware attack are well-documented. Attention to these issues, therefore, is pivotal when it comes time to sell a business.
Most businesses are subject to a web of laws and regulations enacted by state, federal and international authorities, not to mention generally accepted industry standards and, in many cases, contractual obligations with vendors and customers. In Canada and Europe, comprehensive requirements are imposed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and General Data Protection Regulation (GDPR). In the United States, privacy issues traditionally have been addressed by industry-specific legislation, such as the Health Insurance Portability and Accountability Act (HIPAA), but states are increasingly adopting their own regimes, led by California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA).
Accordingly, due diligence of a target’s privacy and data security is critical and includes:
Getting to the bottom of a business’s privacy and data security practices, risks, and exposure requires careful attention to detail and persistence.
The most common issue uncovered during due diligence is that a target business does not have written policies governing the protection of personal information in its possession. Closely related is the absence of a chief privacy officer or other personnel responsible for the company’s privacy and data security. Although less common, a more material concern is learning that a business has incurred one or more data breaches or ransomware incidents. Equally, if not more concerning, is when the target has failed to comply—or worse, is currently out of compliance—with applicable law.
In many instances, a target is seemingly in compliance with law and has not suffered a data incident to its knowledge, but its lack of appropriate policies, systems and procedures make it difficult to rely on the target’s assessment of its risks and exposure. For example, a target may be confident that it has not suffered a breach but does not have sufficient monitoring tools in place to reliably detect breaches.
Additional issues arise for businesses that operate in multiple jurisdictions, store data in those various locations, and share or transfer information internally and with third parties.
The lack of a cyber-insurance policy is a red flag in terms of the financial impact on a target following a breach. However, changes in the cyber insurance market may prevent targets from obtaining comprehensive coverage at a reasonable cost.
While a prospective seller may be able to address some of these issues before a transaction is consummated (for example, requiring the company to adequately password-protect access to its systems where it previously has not done so) it will usually fall to the purchaser to implement changes post-closing.
When a purchaser discovers risks and concerns during due diligence, it should have a plan to address them promptly after closing the transaction.
Higher-risk issues, such as gaps in data security infrastructure or any noted violations of applicable privacy laws, should be prioritized and resolved as soon as possible. Purchasers should consider hiring third-party specialists to assess data management systems and establish a plan to ensure compliance with applicable laws and regulations. Penetration and vulnerability testing typically is recommended when, as often is the case, the target has not done so.
In remote work environments, where information may be stored on personal computers, it is even more important to perform a full inventory of data housed on employees’ computers and to develop a framework to centralize the housing of any client or company data post-closing.
Decisions typically have to be made about how the acquired company will use, disclose and protect personal information going forward. The purchaser should adopt written policies (or revise existing ones) that are consistent with its own standards and that account appropriately for the scope and location of the newly acquired business.
Obtaining a cyber-insurance policy, or adding the target to the purchaser’s existing policy, is an important risk mitigation consideration, although system and governance enhancements may be required before the acquired company is eligible for appropriate coverage.
Companies must be conscientious in remediating deficiencies identified during due diligence to limit potential exposure to liability for violations of law and data breaches.
Companies need a thorough due diligence process to determine the risks of a breach, whether there is an ongoing breach—and how the company’s systems would hold up in the event of a breach. However, the knowledge gained during the due diligence process must be implemented at all appropriate stages, including post-closing. Efficiently and effectively implementing post-closing recommendations can shield businesses from legal, regulatory and financial risks to the business and its reputation.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2023 by Torys LLP.
All rights reserved.