A few years ago, buyers in mergers and acquisitions (M&A) conducted limited privacy1 or cybersecurity diligence, and purchase agreements and their ancillary documents rarely explicitly addressed privacy and cybersecurity risks. Today, substantive diligence in these areas is often imperative, and most transaction agreements now contain robust provisions (and sometimes stand-alone data transfer agreements) relating to these risks. These significant changes have resulted not only from the dramatic increase in devastating cyberattacks and the increased sophistication of hackers,2 but also from the growing number of U.S. and foreign legislative measures addressing privacy and cybersecurity and the focus of regulators on these issues, including in their review of M&A deals.
This article will be featured in our upcoming webinar on Tuesday, August 21, 2018. Register now.
This article discusses the changes in the cybersecurity and privacy3 landscape for M&A transactions and offers best practices practitioners should consider for identifying, managing, and mitigating related risks.
The New Privacy/Cybersecurity Landscape for Target Companies
The privacy and cyber risks associated with an M&A target company’s operations fall within two general categories. First, the company may become (or may already have been) the victim of a cyberattack. Second, the company may not be (or may not have been or may not be in the future) in compliance with privacy and cybersecurity laws, which could expose it to investigations, fines, and behavioral sanctions. These risks may overlap, but should be considered independently; a company may suffer a cyberattack even if it fully complies with privacy and cybersecurity laws, and a company that fails to comply with such laws may never suffer an attack.
Increased Risk Related to Cyberattacks
Cyberattacks can be incredibly costly. First, there is an operational cost, as the company’s data may be temporarily unavailable, destroyed, or even stolen or misused. Second, breached companies face a variety of costs, including those associated with investigations; forensics; complying with breach notification requirements; satisfying reporting obligations for listed companies, if applicable; and managing the public relations fallout. Third, breached companies may face investigations, claims, or fines by the Federal Trade Commission (FTC) or other state or federal regulatory agencies. Fourth, breached companies may face civil litigation, including: (1) class actions on behalf of persons whose data was compromised; (2) claims on behalf of credit card companies and financial institutions, which often cover the losses suffered by consumers; (3) contract disputes (particularly if vendors or other third parties are involved); (4) shareholder class actions (following a drop in stock price after a breach); and (5) shareholder derivative suits against management and boards of directors. Finally, the breached company may suffer a loss of consumer confidence and other reputational damage, which may affect profits.
A buyer in an M&A transaction must consider three potential breach-related risks, both as part of its valuation of the target company and in the drafting of the transaction documents: first, that the target company may already have been breached; second, that it will be breached during the acquisition process (e.g., after signing a transaction but before closing it); and third, that the target company suffers from cybersecurity vulnerabilities that expose it to serious breaches in the future. The first type of risk is the one that has received the most attention so far. According to a 2016 survey of North America–based senior M&A practitioners conducted by West Monroe Partners and Mergermarket, 40 percent of those surveyed had discovered a data security problem after an acquisition closed.4 While in some cases the target company may have been aware of a breach and failed to disclose it, in many cases the target company itself did not know. It can take months, and in some cases years, for a company to detect a breach, and companies commonly learn about breaches not from their own personnel, but from outside sources, such as law enforcement or the media.
Increased Complexity of an Evolving Regulatory Landscape
Separate from cyber risks, a buyer would also want to consider if it can avoid taking on the target company’s liabilities in respect of noncompliance with privacy and data security laws, which could include lengthy and costly investigations, fines, consent orders, and litigation. The regulatory landscape has become increasingly challenging, and companies are often subject to a complex web of requirements, with overlapping and at times conflicting privacy and cybersecurity regimes. A recent survey by the Financial Stability Board (FSB) found that in the 25 international jurisdictions surveyed, there were 56 schemes of regulation and guidance targeted to cybersecurity in the financial sector, with some jurisdictions reporting as many as 10 schemes.5
In the United States, while no comprehensive federal privacy or cybersecurity legislation has been enacted, the FTC has been filing more complaints and entering more consent orders with companies that engage in “unfair or deceptive acts or practices in or affecting commerce,” which is prohibited under section 5 of the FTC Act.6 The FTC’s enforcement activity targets acts and practices related to both privacy (e.g., failure to comply with posted privacy policies) and cybersecurity (e.g., failure to safeguard personal data). In addition, companies in certain industries or who process particular categories of personal data are subject to more specific federal laws and regulations, such as the Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act.
At the state level, U.S. companies are also subject to breach notification laws in every state and other state laws, including laws in Massachusetts and California that apply to companies located outside the state who collect data from the state’s residents.
Outside of the United States, the European Union (EU) and China, among others, have enacted comprehensive regulations in the areas of privacy and/or cybersecurity. The EU General Data Protection Regulation (GDPR) became fully applicable on May 25, 2018, and imposes strict obligations with respect to data security and specific breach notification guidelines on companies subject to the regulation. Furthermore, in case of breach of certain GDPR provisions, data protection regulators in the EU are empowered to levy fines of up to 4 percent of a company’s annual worldwide turnover for the preceding fiscal year.7 China’s comprehensive cybersecurity law came into effect on June 1, 2017, and appears to apply its stringent data protection and security requirements to any company that uses networks to provide services in China.
Companies should expect additional regulations in the near future. In the United States, a coalition of bank, insurance, and retail associations is urging Congress to pass national legislation establishing uniform data protection and breach notification standards, and the U.S. Securities and Exchange Commission (SEC) has signaled a desire to regulate cybersecurity disclosures.8 The aforementioned FSB survey found that 18 of the 25 jurisdictions surveyed plan to issue new cybersecurity regulations, guidance, or supervisory practices within the next year.9
Buyer’s Strategies for Addressing Privacy and Cybersecurity Risks of a Target Company
While target companies themselves face challenges understanding and managing the new cybersecurity and privacy landscape, the task is even greater for potential buyers of such companies. Buyers have limited access to the relevant personnel and information and face the inevitable time, confidentiality, and financial constraints of a deal scenario. While a large diligence exercise may be the only way to get a full understanding of all of the risks, such an exercise will in most cases not be practical or affordable. As a result, a buyer should consider proceeding in three steps: first, develop a risk profile of the target; second, scope the diligence plan based on the risk profile; and third, use the diligence results to craft contractual protections.
Step 1: Develop a Risk Profile of the Target
A risk profile enables a buyer to refine its approach through: (1) data mapping and critical system identification, (2) assessment of the company’s cybersecurity posture, (3) identification of applicable laws, and (4) review of industry standards.
A buyer will of course want to take a different approach with respect to a target that processes large amounts of third-party personal data (e.g., of customers) or possesses commercially valuable data (e.g., trade secrets or customer lists) than it would take with a company whose personal data is limited to that of its employees and which holds little valuable nonpublic data other than its financial data. Therefore, as a first step, depending on the significance of such data, a potential buyer should consider the value of engaging in a data mapping exercise, which involves identifying the type, sensitivity, and volume of personal data (e.g., of customers, clients, employees, contractors, vendors, investors, and others) collected by or on behalf of the target, and could extend to include its sources and manner of collection (including applicable consents), where it is stored, how it is stored, the purpose of its processing, who has access (including vendors), and whether it is transferred across borders. Again, depending on the nature of the target’s business, the data mapping exercise could also identify the type and value of other data assets (e.g., trade secrets) held by the target and who has access to them and how they are protected. Similarly, the buyer could identify the critical systems and applications for which a loss of integrity or availability would pose a risk to the company.
The buyer should probe the target’s history of breaches (actual or, if significant, attempted) and ascertain its level of sophistication and engagement on cybersecurity issues, ideally through a discussion with information security personnel. The inquiry should cover any interaction with regulators regarding any cyberattacks, any known security vulnerabilities, and the target’s plan to address such vulnerabilities, as well as the target’s cybersecurity structure (e.g., whether a chief information security officer has been designated, the mechanisms in place to ensure the target can meet applicable regulatory reporting obligations, and the level of management involvement).
Depending on the importance of these issues to the deal, the buyer should consider identifying all material privacy and cybersecurity laws and regulations applicable to the target. This will necessitate looking beyond the jurisdictions in which the target and its subsidiaries are incorporated to where they operate, collect personal data, process such data, offer products or services, and monitor individuals. As noted above, within each jurisdiction, more than one set of privacy-related laws may apply.
In 2018, it will be especially important to assess the potential applicability of the GDPR. Non-EU companies will be subject to the GDPR to the extent that they (1) process personal data in the context of the activities of an establishment (e.g., a subsidiary or branch) located in the EU, even if such processing occurs outside the EU; (2) offer goods or services (including for free) to individuals in the EU (e.g., by operating an e-commerce website that is available in a language spoken in the EU, enables the delivery of goods to EU addresses, and/or accepts payments in a currency used in the EU); or (3) monitor the behavior of individuals (including through tracking via the Internet) in the EU. Thus, considering the GDPR will be increasingly important even for companies without a physical presence in the EU.
Finally, the buyer should consider identifying any standards in the target’s industry for cybersecurity procedures, such as the Payment Card Industry Data Security Standard (PCI DSS), if applicable. Such standards, while not legally enforceable, may be a benchmark for proper cybersecurity and privacy practices.10
Step 2: Scope the Diligence Plan Based on the Risk Profile
Once a risk profile has been developed, potential buyers should use it to tailor the scope of diligence. This should factor in the buyer’s risk tolerance as well as cost and time constraints. The diligence will require careful coordination among the legal, operational, and IT teams, and should be adjusted as applicable, based on the facts and circumstances of the deal.
General Legal Diligence
In addition to reviewing standard documentation about pending disputes (e.g., existing claims, litigation, and investigations), the buyer should consider including the following in its legal compliance diligence:
- Published Privacy Policies and Statements. Review all current and, under certain circumstances, historic privacy policies, statements, and promises made to third parties for their adequacy and compliance with law, including whether they contain any potentially deceptive statements.
- Internal Policies and Practices. Assess the adequacy of internal policies and practices related to information security and personal data, such as information security policies; incident response plans; and policies related to data retention, data disposal, and customer requests for changes or deletions of data.
- Security Measures. Review whether the target’s technical, administrative, and physical security measures comply with applicable legal requirements and industry standards, including, depending on the target’s business and applicable law, review of the target’s response to known past incidents and the target’s usage of standard protection (such as encryption and multifactor authentication) and information security training for its employees (though the foregoing scope of review can be more limited if a third-party expert is used for operational diligence, as discussed in the next section).
- Contractual Obligations. Understand material contractual obligations with respect to privacy or cybersecurity.
As will be discussed below, it may also be important to identify the particular privacy policies (current and historic) applicable to different data sets. For example, if the personal data itself is one of the valuable assets in the deal, diligence should include the extent of transferability of such data and the buyer’s ability to subsequently use such data as desired.
Diligence of Technical, Administrative, and Physical Security Measures
Depending on the target’s industry, nature of its operations, or risk profile, a buyer’s operational diligence may include hiring a reputable third party to assess the target’s cybersecurity infrastructure. This type of diligence focuses on the target’s technical, administrative, and physical security measures designed to protect the confidentiality, integrity, and availability of its data and information systems and enable cyberattack detection, response, and recovery. Such third party may review the target’s internal risk assessments; review external audits and tests commissioned by the target; review the target’s policies, procedures, and training materials; conduct independent examinations through vulnerability assessments, penetration tests, and audits; execute noninvasive investigations through dark web and network activity research; and review incident response plans and incident reports.
Given that cyber technology may evolve over the course of a deal, a buyer may want to repeat any of the above vulnerability assessments or penetration testing of the target’s cybersecurity infrastructure at later stages of the deal.
Additional Diligence: Vendors; GDPR-Related Diligence
Certain additional diligence may be advisable, depending on the target company’s specific circumstances.
Vendors. When the target uses vendors or service providers, it may be exposed to liabilities resulting from inadequate practices of the vendor. Particular attention should be paid to vendor relationships where the target provides data to the vendor, uses software or equipment received from the vendor, or gives the vendor access to its network.11 A buyer’s review of vendor contracts may include, depending on the importance of the issue, assessing: (1) compliance with legal requirements (certain U.S. laws and the GDPR impose specific due diligence and contractual requirements on the use of vendors); (2) the target’s protections under covenants, indemnities, and representations related to cybersecurity and privacy matters; (3) the vendor’s information security standards, including business continuity standards; and (4) the target’s audit rights. Diligence may also go beyond the contracts themselves to determine whether the target has, in fact, exercised its oversight rights and whether the target has identified any issues with the vendor.12
GDPR. If applicable, the buyer should consider assessing whether the target is in compliance with the GDPR as of May 25, 2018, including by: (1) determining whether current consents obtained from data subjects to the processing of their personal data are sufficient under the enhanced requirements of the GDPR; (2) considering whether consumer- and employee-facing privacy policies require updates; (3) assessing whether existing agreements with vendors that are processing personal data as part of their services need to be amended to comply with the GDPR; (4) reviewing documentation of the target company’s GDPR preparedness activities, including its process for handling requests from data subjects; (5) reviewing the target company’s systems design to ensure the target company will be able to comply with data retention, data minimization, and data breach notification requirements; and (6) confirming the target company has a data protection officer, if it is required to under the GDPR, and, for target companies located outside the EU, an EU-based representative.
Step 3: Use the Diligence Results to Obtain Specific Contractual Protections
In extreme cases, results from diligence could lead a buyer to walk away from the transaction before signing. However, in most instances, buyers should use the results of their diligence investigation to obtain contractual protections or risk allocations (or even a price reduction) for privacy and cybersecurity issues.13 Known issues and vulnerabilities can be addressed through interim operating covenants mandating corrective actions, such as obtaining necessary consents or addressing security vulnerabilities (e.g., software patches), as well as through specific indemnities. Unknown privacy and cybersecurity risks often can be mitigated by well-tailored representations (which may also induce disclosure of critical information) and indemnities crafted to address hidden or undisclosed issues that may arise after closing. For example, the buyer may require the target company (or its seller) to represent that there have been no breaches of security in, or loss of data from, the target company’s information technology systems during a certain look-back period, and may insist that this representation be carved out of any limits on the indemnity coverage. It will be important to consider the appropriate survival period for such representations, given the common time lag, which may be months, for discovery of such issues. In the case of a breach discovered after signing but prior to closing, the contract may include a right to elect not to consummate the transaction, depending on the severity and materiality of the breach.
Strategies to Reduce Privacy and Cybersecurity Risks Related to the Transaction Itself
Separate from the risks associated with the target company’s pre-closing operations, a buyer should consider risks arising from the transaction itself. Such risks tend to relate to noncompliance with privacy laws (i.e., ensuring no privacy laws are violated when the target company’s personal data is transferred to, and subsequently used by, the buyer), though it is worth pointing out that news of a transaction may also make the combining companies more ripe for a cyberattack.
Risks Arising from the Transaction
Transfers of personal data as part of any M&A transaction, whether before or after signing, and even at or after closing, must be carefully considered.
First, before signing, buyers often request large amounts of information as part of diligence. This information can include personal data (of employees in particular). However, in many cases, disclosure of personal data should not be necessary prior to signing (since diligence purposes often do not require such disclosure, in contrast to integration planning, which may necessitate disclosure between signing and closing). Parties to M&A transactions should consider any sharing of information very carefully, as such sharing may lead to violation of privacy laws. If personal data has to be disclosed (e.g., where evaluation of the transaction requires such disclosure), the parties should consult local counsel in the relevant jurisdictions. Even where sharing is permitted, entering into data transfer agreements that protect the shared information, as discussed below, may be advisable.
Second, the transfer of data in preparation for the closing of a transaction is common, and personal data often is included in the transfer (e.g., to facilitate the payroll transition). However, before disclosing any personal data between signing and closing, both parties to an M&A transaction should consider seeking counsel to ensure compliance with all applicable laws, contractual restrictions, and privacy policies.
Finally, whether the transfer occurs before signing, between signing and closing, or at or after closing, cross-border transfers (e.g., from a EU target company to a U.S. buyer) may be prohibited, as more and more countries (including the EU and China) have laws restricting transfers of data out of the country or requiring that certain conditions be met for such transfers.
Risks Associated with Post-Closing Integration
Post-closing integration is another critical step in an M&A transaction that is associated with both data privacy and cybersecurity risks.
With respect to cybersecurity, to the extent the IT system and data protection practices of the target company are less secure and rigorous than the buyer’s, integration (i.e., the sharing of data with the target) could expose the buyer’s own data to a security breach. Thus, any issues discovered during diligence should ideally be remediated prior to closing or, in any case, before integration with the buyer’s data or systems.
With respect to data privacy, problems arise when the target company and buyer have different privacy policies and practices. The buyer’s use of any transferred personal data (even in a merger or stock purchase) may be subject to scrutiny by the FTC as to whether such use complies with promises made by the target at the time of collection.16 A buyer does not have the right to repurpose, or make more expanded use of, data collected by the target company prior to the acquisition. Instead, the buyer should obtain opt-in consent from each data subject if it wishes to expand the use of his or her data beyond that which was permitted before.17 And if the buyer wishes to change how it uses personal data collected by the acquired company in the future, it should provide existing consumers with notice of the change and a choice to agree to it or not.18 Finally, the buyer will also need to consider any commitments made by the target company in its contracts (e.g., to delete data of customers when they leave).
The privacy and cybersecurity landscape for M&A transactions will continue to become more complex as cyber technology evolves and regulators gain more expertise in the areas of privacy and cybersecurity. M&A practitioners should carefully consider the potential risks and challenges at each stage of a transaction so that they can plan for and effectively address them before, during, and after signing and closing.
1. Throughout this article, we use the terms “data privacy” and “privacy” broadly to refer to the protection of personal data.
2. According to Kaspersky Lab, the number of new malicious files processed by their detection technologies reached 360,000 a day in 2017, up 11.5 percent over the previous year. Kaspersky Lab Detects 360,000 New Malicious Files Daily—Up 11.5% from 2016, Kaspersky Lab (Dec. 14, 2017), https://www.kaspersky.com/about/press-releases/2017_kaspersky-lab-detects-360000-new-malicious-files-daily.
3. Privacy and cybersecurity overlap, but are distinct. Privacy centers around how a company’s insiders (employees and authorized personnel, including vendors) use personal data. Cybersecurity is the defense of a company’s networks and infrastructure from outsiders’ unauthorized digital access, attack, or damage. Cybersecurity protects not only the company’s personal data, but also its other data, such as trade secrets.
4. Sean Curran et al., Testing the Defenses: Cybersecurity Due Diligence in Mergers and Acquisitions, West Monroe Partners (July 12, 2016), https://www.westmonroepartners.com/Insights/Newsletters/Best-of-the-West-July-2016/MA-Security-Survey.
5. Fin. Stability Bd., Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices (2017) [hereinafter FSB Cybersecurity Report], http://www.fsb.org/2017/10/summary-report-on-financial-sector-cybersecurity-regulations-guidance-and-supervisory-practices/.
6. A similar prohibition is found in the Dodd-Frank Wall Street Reform and Consumer Protection Act, and various regulators have declared their ability to enforce such prohibitions.
7. Emmanuel Ronco et al., Administrative Fines under the GDPR, Cleary Cybersecurity & Privacy Watch (Dec. 19, 2017), https://www.clearycyberwatch.com/2017/12/administrative-fines-gdpr/.
8. SEC Chairman Says Agency Is Focused on Cybersecurity, Cleary Cybersecurity & Privacy Watch (Sept. 6, 2017), https://www.clearycyberwatch.com/2017/09/sec-chairman-says-agency-focused-cybersecurity/.
9. FSB Cybersecurity Report, supra note 5.
10. For example, in its settlement with LifeLock, the FTC indicated that the existence of a PCI DSS certification is “an important consideration in” (but not the end of) the FTC’s analysis of “reasonable security.” Statement of the Federal Trade Commission: FTC v. LifeLock, FTC (Dec. 17, 2015), https://www.ftc.gov/system/files/documents/public_statements/896143/151217lifelockcommstmt.pdf.
11. In both the Target breach of 2013 and the Home Depot breach of 2014, the hackers reportedly used third-party vendor credentials to initially enter the network.
12. When the target company is itself a vendor, there are risks related to liabilities resulting from inadequate practices of the target that affect the target’s customers. Buyers may evaluate exposure by conducting an assessment of the target’s compliance with cybersecurity-related contractual obligations and by reviewing the target’s indemnification obligations, liability caps, and data breach notification obligations.
13. A separate protection may be available through third-party cyber insurance.
14. Letter from Jessica L. Rich, Dir., FTC Bureau of Consumer Prot., to Elise Frejka (May 16, 2015) (expressing concerns about the possible sale by RadioShack of certain consumer personal information as part of bankruptcy proceeding), https://www.ftc.gov/public-statements/2015/05/letter-jessica-rich-director-bureau-consumer-protection-bankruptcy-court.
15. Id.; see also Press Release, FTC, FTC Requests Bankruptcy Court Take Steps to Protect RadioShack Consumers’ Personal Information (May 18, 2015), https://www.ftc.gov/news-events/press-releases/2015/05/ftc-requests-bankruptcy-court-take-steps-protect-radioshack.
17. See Hine, supra note 16.
18. Id. (“[Such] notice and choice must be sufficiently prominent and robust to ensure that existing customers can see the notice and easily exercise their choices.”).