In the past, acquiring companies engaged in M&A activity paid little attention to a target company’s data security & privacy (DSP) posture during due diligence. The acquiring companies learned that their failure to fully evaluate the target company’s DSP posture led to the target company inheriting more work than ever anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and poor cybersecurity and privacy infrastructure (which would delay integration).
These negatives are well documented. A 2019 Forescout report found that, “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example was Verizon’s $350 million purchase price reduction of Yahoo!’s to cover costs of ongoing government investigations and private litigation for historic cybersecurity incidents that were not fully disclosed or evaluated in the due diligence phase.
Things have changed. Gartner reported that by 2022 sixty percent of organizations will consider a target company’s cybersecurity posture as a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risks of inheriting a target company’s DSP liabilities.
Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, delay the closing date, or at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.
This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.
Understand Data Privacy and Cybersecurity Obligations
The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.
Context Matters. Cyber and privacy due diligence are heavily dependent on the target company’s profit model and industry because those factors heavily drive the evaluation of the transaction’s risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lower obligations than a company that handles personal health information (PHI), does significant business in California, or has international operations. A seller should focus on the following core area and consider whether it is in compliance with all standards-based on its position in that core area:
- Profit-Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have higher privacy obligations than those with an exclusively B2B model. Additionally, companies who collect or trade consumer information will have higher privacy obligations, particularly when that information includes financial or health information.
- Location. Understand the obligations imposed on the target company based on where it conducts business. Businesses in Europe or California may subject the business to specific obligations under the General Data Privacy Regulation (GRPR) or California Consumer Privacy Act (CCPA). Each has a specific requirement and harsh penalties for non-compliance. It is equally important to know if the target company is not subject to the CCPA and GRPR so that the target company does not unnecessarily expend resources to comply with those laws, and to adequately respond to misdirected diligence inquiries about GRPR and CCPA compliance.
Cybersecurity incident notification laws also vary by state, so the company should understand could create obligations for historic cybersecurity incidents.
- Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, a company that operates in: (a) financial services, (b) healthcare, (c) government contracting, (c) consumer data collection, and (d) consumer credit card transactions. State laws may also impose industry-specific obligations.
Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incidents will very likely be the subject of the acquiring company’s diligence inquiry. The target company should consider the root cause of the incident (i.e. system vulnerabilities or policy gaps).
Strategies to Maximize Price and Avoid Concerns During Diligence
Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).
Implement Privacy Policies. Implement compliance privacy policies to the extent necessary based on the target business’ profit model, location, and industry (as discussed above). If the target company determines its business does not require implementation of a specific policy, demand the rationale for that decision, and maintain a policy that requires a review of the target company’s privacy compliance requirements: (a) periodically, (b) based on material changes in the company’s business, and (c) based on material changes in the law.
Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to the company, many acquiring companies will require that the target company understands the data it collects. Understanding the collected data allows the target company to show that: (a) it has analyzed potential risks of a cybersecurity incident, and (b) is well-positioned to comply with future privacy requirements following the acquisition (or based on future changes in the laws).
Implement Cybersecurity Policies. Maintain a cybersecurity and compliance infrastructure that require conducting penetration testing, vulnerability assessments, and corrective follow-up. An acquiring company is likely to be skeptical about a target company’s representations about a lack of prior incidents because a company that does not conduct regular testing and assessments may not even be aware of prior intrusions.
Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents. As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.
Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.
Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel. Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company. Beckage retains privacy attorneys and security professionals with a deep understanding of the technology in the law.
For more information on this topic, contact Beckage attorney Chirag H. Patel.
*Attorney Advertising. Prior results do not guarantee future outcomes.