Data Security and Privacy Must Play a Part in M&A Due Diligence

In the past, companies engaged in M&A activity paid little attention to a target company’s data security and privacy (DSP) posture during due diligence. Acquirers learned the hard way that failing to fully evaluate the target company’s DSP posture left them inheriting far more work than anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and weak cybersecurity and privacy infrastructure (which delayed integration).

These negatives are well documented. A 2019 Forescout report found that “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example is the $350 million reduction in Verizon’s purchase price for Yahoo!, negotiated to cover the costs of ongoing government investigations and private litigation over historic cybersecurity incidents that were not fully disclosed or evaluated during due diligence.

Things have changed. Gartner predicted that by 2022, sixty percent of organizations would consider a target company’s cybersecurity posture a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risk of inheriting a target company’s DSP liabilities.

Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, a delayed closing date, or, at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.

This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.


Understand Data Privacy and Cybersecurity Obligations

The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.

Context Matters. Cyber and privacy due diligence depend heavily on the target company’s profit model, location and industry, because those factors drive the acquirer’s evaluation of the transaction risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lighter obligations than a company that handles protected health information (PHI), does significant business in California, or has international operations. A seller should assess each of the following core areas and consider whether it complies with the standards that apply to its position in that area:

  • Profit Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have greater privacy obligations than those with an exclusively B2B model. Companies that collect or trade consumer information will have greater obligations still, particularly when that information includes financial or health data.
  • Location. Understand the obligations imposed on the target company based on where it conducts business. Doing business in Europe or California may subject the company to specific obligations under the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Each imposes specific requirements and harsh penalties for non-compliance. It is equally important to know when the target company is not subject to the CCPA or GDPR, so that it does not expend resources complying with laws that do not apply to it and can respond accurately to misdirected diligence inquiries about GDPR and CCPA compliance.
    Cybersecurity incident notification laws also vary by state, so the company should understand which states’ laws could create obligations for historic cybersecurity incidents.
  • Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, companies that operate in (a) financial services, (b) healthcare, (c) government contracting, (d) consumer data collection, or (e) consumer credit card transactions face sector-specific regimes. State laws may also impose industry-specific obligations.

Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incident will very likely be the subject of the acquiring company’s diligence inquiry. The target company should be prepared to explain the root cause of each incident (e.g., a system vulnerability or a policy gap) and the steps taken to remediate it.


Strategies to Maximize Price and Avoid Concerns During Diligence

Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).

Implement Privacy Policies. Implement privacy policies to the extent required by the target business’s profit model, location, and industry (as discussed above). If the target company determines that its business does not require a specific policy, document the rationale for that decision, and maintain a policy requiring a review of the company’s privacy compliance requirements (a) periodically, (b) upon material changes in the company’s business, and (c) upon material changes in the law.

Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to it, many acquiring companies will expect the target company to understand what data it collects and where that data is held. Understanding the collected data allows the target company to show that (a) it has analyzed the potential impact of a cybersecurity incident, and (b) it is well positioned to comply with future privacy requirements following the acquisition (or arising from future changes in the law).

Implement Cybersecurity Policies. Maintain a cybersecurity and compliance program that requires regular penetration testing, vulnerability assessments, and documented corrective follow-up. An acquiring company is likely to be skeptical of a target company’s representation that it has had no prior incidents, because a company that does not conduct regular testing and assessments may simply be unaware of prior intrusions.

Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents.  As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.

Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.

Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel. Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company. Beckage retains privacy attorneys and security professionals with a deep understanding of both the technology and the law.

For more information on this topic, contact Beckage attorney Chirag H. Patel.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

California Privacy Protection Agency: Updates on Rulemaking Timeline, Agency Staffing, and What Privacy Practitioners Can Expect in the Months to Come

On Tuesday, October 5th, Jennifer M. Urban, Board Chair of the newly formed California Privacy Protection Agency (CPPA), joined the Privacy Law Section of the California Lawyers Association for a fireside chat about CPRA rulemaking, agency staffing, and what privacy practitioners can expect in the months to come.


Approved through ballot proposition back in November 2020, the California Privacy Rights Act (CPRA) created the CPPA, which is the first state-level agency dedicated to consumer privacy regulation. With the CPPA having full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA, privacy practitioners and businesses are keeping a close eye on the new agency’s rulemaking timeline as the July 1st deadline to adopt final regulations quickly approaches.


The CPPA had its first public board meeting on June 14th (agenda and meeting materials available here). The agency then followed up with a two-day, public virtual meeting on September 7th and September 8th (agenda and meeting materials available here) as well as a closed session regarding hiring matters on September 24th (agenda available here).


Some of the topics discussed by the CPPA Board during its September 7th and 8th public meetings include: (1) the Bagley-Keene Open Meeting Act; (2) the Administrative Procedures Act; (3) other administrative updates; (4) initial hiring strategy, timelines, and duties; (5) delegations of authority for limited administrative functions; (6) the agency’s conflict of interest code; (7) member handbook drafts; (8) subcommittee assignments; (9) board office location; (10) notice to the Attorney General to assume rulemaking authority; (11) future meeting schedule; and (12) public comments.


In continuing with some of the above-mentioned topics, the fireside chat primarily covered the agency’s proposed rulemaking timeline, agency staffing needs, and subcommittee assignments.


With preliminary public comments on proposed rulemaking due by November 8th, the CPPA is looking to publish notice of proposed rulemaking, an initial statement of reasons, and text of regulations sometime in Winter 2021-2022 (aiming potentially for January 2022). In Winter/Spring 2021-2022, the CPPA is planning to hold public hearings. Furthermore, the CPPA is planning to submit draft regulations to the Office of Administrative Law by May 2022.


The CPPA proposes to form three new subcommittees to divide up the work: (1) New CPRA Rules Subcommittee; (2) Update of CCPA Rules Subcommittee, and (3) Rulemaking Process Subcommittee.


The New CPRA Rules Subcommittee will cover topics such as cybersecurity audits, risk assessments, automated decision-making, and agency audit authority. The suggested members for this subcommittee are Vinhcent Le and Lydia de la Torre.


The Update CCPA Rules Subcommittee will cover opt-out requests (including preference signals), accessibility, the rights to erase/correct/know (look-back period, definition of “specific pieces of information obtained from the consumer,” etc.), and use of PI by contractors/service providers. The suggested members for this subcommittee are Jennifer Urban and Angela Sierra.


The Rulemaking Process Subcommittee will coordinate pre-rulemaking and rulemaking activities (e.g., informational hearings, collection of comments, etc.), make recommendations as to whether rules are needed for certain topics, coordinate reports on the scope of privacy rules that currently apply to insurance corporations, and suggest additional topics for rulemaking and secure resources. The suggested members for this subcommittee are John Christopher Thompson and Lydia de la Torre.


Please see additional information regarding the agency’s proposed course of action here.


Economic considerations regarding the operational cost of compliance are also likely to be considered during the rulemaking process.


What’s next? The deadline for the adoption of final regulations is July 1, 2022. The CPRA becomes effective on January 1, 2023. The CPPA will also continue to hold meetings as the rulemaking process continues.


Beckage’s California Privacy Team continues to actively monitor updates to the privacy landscape as well as the impacts that new CPRA regulations will have on businesses. To learn more about the impact the CCPA and the CPRA may have on your business, reach out to our team of highly skilled attorneys.


*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.


Cybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

October is Cybersecurity Awareness Month – a month-long event with the goal of raising awareness of good cybersecurity practices.

As a law firm focused only on technology, data security, and privacy, Beckage is dedicated to helping organizations create robust cybersecurity programs that help prevent or lessen the impact of potential cyber attacks. This starts with helping organizations, and their employees understand the important role they play in protecting their systems and safeguarding data.

In recognition of this important educational opportunity, we have compiled some of our top cybersecurity tips to help your organization improve your cyber hygiene. Do your part, #BeCyberSmart!

1. Use Multi-Factor Authentication

Add multi-factor authentication (MFA) to your accounts. MFA requires a second proof of identity, such as a code from an authenticator app or a hardware security key, in addition to your password, so a stolen password alone is not enough to log in. Where you have the choice, app- or hardware-based factors are stronger than codes sent by SMS.


2. Update your Systems  

Updates may be a pain, but they are important. Updates often include patches for recently identified security issues. Neglecting updates may leave you vulnerable to threat actors exploiting these vulnerabilities.  


3. Emphasize Employee Education  

Human error is one of the most commonly cited causes of cyber incidents. Conduct regular cybersecurity trainings, including tabletop exercises testing your incident response plan, to help employees understand their role in incident response and prevention.  


4. Use Strong Passwords  

Choose unique passphrases as an alternative to short passwords (e.g., Myd0g1sth3b3st! rather than Fido123). Use a different passphrase for each account so that one leaked credential cannot be replayed against the others. To help keep your credentials straight, consider using a password manager.


5. Examine Emails Carefully  

Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Pay attention to email and website addresses and independently verify links and attachments before clicking. Know where/how to report any suspect emails because you may not be the only one who received it.  Sharing is caring! 


6. Avoid Public or Unsecure Wi-Fi Networks  

Do not connect to a public or unsecured Wi-Fi network, such as at a coffee shop or hotel. Traffic on these networks can be intercepted by other users unless it is protected end to end (for example by HTTPS or your organization’s VPN). When a trusted network is not available, use your mobile hotspot instead.


7. Create Email Forwarding Alerts  

Set up alerts for when forwarding rules are added to an e-mail account, and routinely review existing forwarding rules. Threat actors who gain access to a mailbox commonly create rules that forward copies of mail to an external address, or that delete or move messages to obscure folders, in order to hide their activity from the account owner.

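The routine review described in this tip, as an added example that is not part of the original article: an Exchange Online PowerShell script that lists mailbox-level forwarding and every inbox rule that forwards, redirects or hides mail, flagging forwards to addresses outside the tenant. It assumes the ExchangeOnlineManagement module is installed, that the caller holds an Exchange administrator role, and that `$internalDomains` is replaced with your own accepted domains (the value shown is a placeholder).

```powershell
# Added example, not from the original article. Reviews an Exchange Online tenant
# for (1) forwarding configured on the mailbox itself and (2) inbox rules that
# forward, redirect or hide mail. Assumes the ExchangeOnlineManagement module and
# an Exchange administrator role; $internalDomains is an assumption to replace.
Connect-ExchangeOnline

$internalDomains = @('example.com')   # assumption: your tenant's accepted domains

function Test-ExternalRecipient {
    # Recipient values render as "Display Name" [SMTP:user@domain] or as a bare
    # address; return $true if any address falls outside the internal domain list.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match '([\w.+-]+@[\w.-]+)') {
            $domain = $Matches[1].Split('@')[1].ToLower()
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # (1) Forwarding set on the mailbox object, which no inbox-rule review would show
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = 'MailboxForwarding'
            Rule    = '-'
            Target  = (($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) -join ';'
        }
    }
    # (2) Inbox rules: forwards/redirects, plus delete or move-to-obscure-folder rules
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @((@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ })
        $hides   = $rule.DeleteMessage -or $rule.SoftDeleteMessage -or ($rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk')
        if (-not $targets -and -not $hides) { continue }

        if ($targets -and (Test-ExternalRecipient $targets)) { $type = 'ExternalForwardRule' }
        elseif ($targets)                                    { $type = 'InternalForwardRule' }
        else                                                 { $type = 'HidingRule' }

        if ($targets) { $target = $targets -join ';' } else { $target = $rule.MoveToFolder }

        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = $type
            Rule    = $rule.Name
            Target  = $target
        }
    }
}

# External forwards first; keep the CSV as the evidence trail for the review
$findings | Sort-Object Type, Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-rule-review.csv -NoTypeInformation
```

Run it on a schedule and compare each CSV with the previous one; a new `ExternalForwardRule` or `HidingRule` row on a mailbox is the kind of change that warrants a call to the user. This covers the periodic-review half of the tip; for the alerting half, Microsoft 365 ships a default alert policy for the creation of forwarding/redirect rules, and `Set-RemoteDomain Default -AutoForwardEnabled $false` blocks automatic forwarding to external domains tenant-wide.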

8. Do Not Use Personal Devices to Access Sensitive Data  

Personal devices, such as your phone or personal computer, are often not as secure as devices in the workplace. Downloading or accessing sensitive information on those devices could lead to the information being compromised. Unless your Security Officer says otherwise, never access sensitive information from personal devices.    


9. Keep Track of your Backups  

Make sure backups of important data are in place and stored separately from your normal environment (offline, or somewhere the production network cannot modify), so that an attacker who compromises the network cannot encrypt or delete the backups as well. Check the integrity of your backups regularly, and confirm that they can actually be restored.

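One way to make the integrity check in this tip concrete, as an added example that is not part of the original article: a PowerShell script that records a SHA-256 manifest of a backup set and later verifies the set against it, reporting files that are missing, modified or not in the manifest. The paths are assumptions; point `-BackupRoot` at the backup copy and keep the manifest on storage the backup host can read but not write.

```powershell
# Added example, not from the original article. Builds a SHA-256 manifest for a
# backup set (Create) and verifies the set against it later (Verify). Paths are
# assumptions: $BackupRoot is the backup copy, $Manifest lives on storage that is
# read-only to the backup host so a compromised host cannot rewrite both.
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Verify')][string]$Mode,
    [string]$BackupRoot = 'D:\Backups\nightly',            # assumption
    [string]$Manifest   = '\\vault\manifests\nightly.csv'  # assumption
)

function Get-RelativePath([string]$Root, [string]$FullName) {
    # Store paths relative to the root so the manifest is portable between hosts
    return $FullName.Substring($Root.TrimEnd('\').Length).TrimStart('\')
}

function New-BackupManifest([string]$Root, [string]$Path) {
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = Get-RelativePath $Root $_.FullName
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $Path -NoTypeInformation
}

function Test-BackupManifest([string]$Root, [string]$Path) {
    $expected = @(Import-Csv -LiteralPath $Path)
    $problems = [System.Collections.Generic.List[string]]::new()

    foreach ($entry in $expected) {
        $full = Join-Path $Root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $problems.Add("MISSING  $($entry.RelativePath)")
            continue
        }
        # Size first (cheap), then the hash, which catches silent corruption and tampering
        $item = Get-Item -LiteralPath $full
        if ($item.Length -ne [long]$entry.Length -or
            (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $problems.Add("MODIFIED $($entry.RelativePath)")
        }
    }

    # A file the manifest never saw is a finding too: planted content is as bad as changed content
    $known = @($expected.RelativePath)
    foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse) {
        $rel = Get-RelativePath $Root $file.FullName
        if ($known -notcontains $rel) { $problems.Add("UNLISTED $rel") }
    }
    return $problems
}

switch ($Mode) {
    'Create' {
        New-BackupManifest -Root $BackupRoot -Path $Manifest
        Write-Host "Manifest written to $Manifest"
    }
    'Verify' {
        $problems = Test-BackupManifest -Root $BackupRoot -Path $Manifest
        if ($problems.Count -eq 0) { Write-Host 'Backup set matches manifest'; exit 0 }
        $problems | ForEach-Object { Write-Warning $_ }
        exit 1   # non-zero so a scheduled task or monitoring job can alert on it
    }
}
```

Run the script with `-Mode Create` right after each backup job finishes and with `-Mode Verify` on a separate schedule (and from a separate account, if possible). A hash match proves the files are unchanged, not that they restore cleanly, so pair this with a periodic restore test.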

10. Find A Data Security Team  

Creating data security policies, procedures, and plans can be daunting. Partnering with a team that understands the legal and threat landscape surrounding data security is a great first step towards improving your cyber preparedness.


*Attorney advertising – prior results do not guarantee future outcomes.

Subscribe to our newsletter.