0
Data Security and Privacy Due DiligenceData Security and Privacy Must Play a Part in M&A Due Diligence

Data Security and Privacy Must Play a Part in M&A Due Diligence

In the past, acquiring companies engaged in M&A activity paid little attention to a target company’s data security & privacy (DSP) posture during due diligence. The acquiring companies learned that their failure to fully evaluate the target company’s DSP posture led to the target company inheriting more work than ever anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and poor cybersecurity and privacy infrastructure (which would delay integration).

These negatives are well documented. A 2019 Forescout report found that, “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example was Verizon’s $350 million purchase price reduction of Yahoo!’s to cover costs of ongoing government investigations and private litigation for historic cybersecurity incidents that were not fully disclosed or evaluated in the due diligence phase.

Things have changed. Gartner reported that by 2022 sixty percent of organizations will consider a target company’s cybersecurity posture as a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risks of inheriting a target company’s DSP liabilities.

Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, delay the closing date, or at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.

This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.

 

Understand Data Privacy and Cybersecurity Obligations

The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.

Context Matters. Cyber and privacy due diligence are heavily dependent on the target company’s profit model and industry because those factors heavily drive the evaluation of the transaction’s risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lower obligations than a company that handles personal health information (PHI), does significant business in California, or has international operations. A seller should focus on the following core area and consider whether it is in compliance with all standards-based on its position in that core area:

  • Profit-Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have higher privacy obligations than those with an exclusively B2B model.  Additionally, companies who collect or trade consumer information will have higher privacy obligations, particularly when that information includes financial or health information.
  • Location. Understand the obligations imposed on the target company based on where it conducts business. Businesses in Europe or California may subject the business to specific obligations under the General Data Privacy Regulation (GRPR) or California Consumer Privacy Act (CCPA). Each has a specific requirement and harsh penalties for non-compliance. It is equally important to know if the target company is not subject to the CCPA and GRPR so that the target company does not unnecessarily expend resources to comply with those laws, and to adequately respond to misdirected diligence inquiries about GRPR and CCPA compliance.
    Cybersecurity incident notification laws also vary by state, so the company should understand could create obligations for historic cybersecurity incidents.
  • Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, a company that operates in: (a) financial services, (b) healthcare, (c) government contracting, (c) consumer data collection, and (d) consumer credit card transactions. State laws may also impose industry-specific obligations.

Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incidents will very likely be the subject of the acquiring company’s diligence inquiry. The target company should consider the root cause of the incident (i.e. system vulnerabilities or policy gaps).

 

Strategies to Maximize Price and Avoid Concerns During Diligence

Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).

Implement Privacy Policies. Implement compliance privacy policies to the extent necessary based on the target business’ profit model, location, and industry (as discussed above). If the target company determines its business does not require implementation of a specific policy, demand the rationale for that decision, and maintain a policy that requires a review of the target company’s privacy compliance requirements: (a) periodically, (b) based on material changes in the company’s business, and (c) based on material changes in the law.

Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to the company, many acquiring companies will require that the target company understands the data it collects. Understanding the collected data allows the target company to show that: (a) it has analyzed potential risks of a cybersecurity incident, and (b) is well-positioned to comply with future privacy requirements following the acquisition (or based on future changes in the laws).

Implement Cybersecurity Policies. Maintain a cybersecurity and compliance infrastructure that require conducting penetration testing, vulnerability assessments, and corrective follow-up. An acquiring company is likely to be skeptical about a target company’s representations about a lack of prior incidents because a company that does not conduct regular testing and assessments may not even be aware of prior intrusions.

Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents.  As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.

Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.

Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel.  Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company.  Beckage retains privacy attorneys and security professionals with a deep understanding of the technology in the law.

For more information on this topic, contact Beckage attorney Chirag H. Patel.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

BiometricsIllinois Appellate Court Finds that Statute of Limitations for BIPA Claims Could be as Much as Five Years, Adding to Already Considerable Class Action Exposure

Illinois Appellate Court Finds that Statute of Limitations for BIPA Claims Could be as Much as Five Years, Adding to Already Considerable Class Action Exposure

On September 17, 2021, the First District of the Illinois Appellate Court issued the first appellate opinion regarding the applicable statute of limitations for claims arising under Illinois’ Biometric Information Privacy Act (“BIPA”).  In a mixed decision, the First District found that the limitations period could range from 1 year to as much as 5 years depending on the nature of the alleged violation at issue.

 

The implications of the First District’s decision are momentous, because many BIPA lawsuits are class actions.  In addition to expanding the pool of potential plaintiffs, a five-year limitations period greatly increases the potential class size and, consequently, defendants’ potential damages exposure.

 

Background

By way of background, Illinois enacted BIPA in 2008 after a company called Pay-by-Touch started a pilot program at Chicago-area retail stores to enable customers to pay for purchases using fingerprint scans linked to their credit cards. When Pay-by-Touch subsequently filed for bankruptcy after collecting customers’ biometric and financial account information, the bankruptcy trustee listed the customers’ biometric information as an asset and sought to sell it to pay off creditors.  This motivated the Illinois legislature to enact BIPA.

 

BIPA’s Requirements

BIPA contains five different subsections regulating the use of biometric information.  The differences between the following five subsections were critical to the First District’s decision:

  • First, anyone in possession of biometric information must develop a publicly-available retention policy.

 

  • Second, prior to collecting any biometric information, the collecting party must disclose the purpose and length of time for which the information will be used, and obtain a release from the subject of the information.

 

  • Third, biometric information cannot be disclosed without the authorization of the subject.

 

  • Fourth, a party cannot profit from the sale of biometric information under any circumstances.

 

  • Finally, a party must protect biometric information using the standard of care in the industry, and at least the same protection measures that the party uses for other personal and confidential information.

 

Debate Over Limitations Period

BIPA itself does not specify the applicable statute of limitations, and the plaintiff and defense bars have disagreed on the applicable limitations period.  Prior to the First District’s decision, the litigation in the trial courts has centered around three potential limitations periods, including the following:

  • One-year period for actions based on “publication of matter violating the right of privacy.” 735 ILCS 5/13-201;

 

  • Two-year period for personal injuries or “statutory penalties.” 735 ILCS 5/13-202; or

 

  • Five-year period for “all civil actions not otherwise provided for.” 735 ILCS 5/13-205.

 

The Subject Lawsuit

An employee sued his former employer alleging that his employer required him to clock-in for work using a biometric time clock, and that his employer violated BIPA by failing to obtain his informed consent, failing to have a retention policy, and disclosing his information to third parties such as the time clock vendor.

 

The plaintiff stopped working for the defendant in January 2018, and he filed suit in March 2019.  The employer moved to dismiss the lawsuit, arguing that the suit was time-barred because the one-year limitations period for “publication of matter violating the right of privacy” applied.  The plaintiff of course disagreed and argued that the five-year period for “civil actions not otherwise provided for” applied.  The trial court agreed with the plaintiff but certified the question for interlocutory appeal.

 

The Appellate Court’s Decision

On appeal, the First District found that the applicable limitations period depends on which of the five BIPA subsections is at issue.  More specifically, the First District found that the one-year limitations period is limited to matters involving “publication.”  Using this framework, the First District found that only two of BIPA’s subsections involve publication: the prohibition of unauthorized disclosure and the prohibition of the sale of biometric information.  On the other hand, the First District found that the other three requirements (the retention policy requirement, informed consent requirement, and standard of care requirement) can be violated without any publication, and therefore are subject to the five-year limitations period.

 

For the case at hand then, applying the First District’s decision means that the plaintiff’s allegations regarding his employer’s failure to obtain his informed consent and failure to have a retention policy were subject to the five-year limitations period and therefore timely.  In contrast, the plaintiff’s allegations of unauthorized disclosure were subject to the one-year limitations period and therefore barred.

 

Not the Last Word

The First District’s decision likely will not be the last word on the limitations period for BIPA claims.  A separate appeal regarding the limitations period for BIPA claims – Marion v. Ring Container Technologies – is pending in Illinois’ Third District. (The First District covers Chicago, and the Third District covers North-Central Illinois and Chicago’s southern suburbs). The parties to both cases are likely to seek further appeal to the Illinois Supreme Court, and the Supreme Court will have a good reason to weigh in on the novel issue, especially if the Third District reaches a contradictory decision.

 

It is also noteworthy that the First District’s decision did not address the potentially applicable two-year limitations period for “statutory penalties.”

 

Potential Legislative Reform

In addition to these appellate decisions, the Illinois legislature could also take action.  In its spring term, the legislature advanced a bill out of committee that would dramatically reform BIPA.  The legislature did not hold a final vote on that bill before the conclusion of its spring term, but new appellate decisions could motivate the legislature to renew the reform effort.

 

Beckage will continue to monitor any developments regarding BIPA and will update its guidance accordingly.  Our team of experienced attorneys, who are also devoted technologists, are especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also handle any resulting litigation.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

CPRAFirst Year of CCPA Enforcement and New Consumer Notice Tool: Insights Into CCPA Compliance

First Year of CCPA Enforcement and New Consumer Notice Tool: Insights Into CCPA Compliance

July marks the one-year anniversary of the California Consumer Protection Act (CCPA) and CCPA enforcement.  Just in time for this anniversary, the California Attorney General (“CA AG”) recently summarized its curative actions (i.e., notices of alleged noncompliance) and released a new consumer tool to assist consumers in notifying business of alleged CCPA violations.  The CA AG’s recent actions demonstrate the breadth of the CCPA’s application across a variety of industries as well as the AG’s commitment to enforcing the CCPA while equipping consumers with mechanisms to assist with enforcement efforts.  

Cure Notices as Effective Enforcement Mechanism  

Under the CA AG’s regulations, businesses found to be in violation of the CCPA receive a “notice to cure” that provides a 30-day window of time to remedy the alleged non-compliance. Rob Bonta, the CA AG, reports that 75% of the companies in receipt of a cure notice responded with amended practices within the 30-day cure period provided under the law. Bonta noted the remaining 25% of alleged violators were either in the middle of their 30-day cure period or under ongoing investigation. 

Following the press release, the CA AG’s Office published examples of the types of notices they have issued against businesses.  Some of the most frequent alleged violations include the following:  

  • There was no “Do Not Sell My Personal Information” Link on the businesses website; 
  • The Notice to Consumers was lacking or inaccurate, lacked the required notice of sale of personal information and notice regarding the minor’s personal information; 
  • The business maintained a non-Compliant Opt-Out process;  
  • The Privacy Policy failed to provide the required request methods for exercising rights; charging fees for the CCPA, and lacked a toll-free number;  
  • The business had defective methods for consumers to submit data subject access requests, provided untimely responses to requests, or charged fees for processing the requests;
  • The business failed to obtain the proper verification information when processing data subject requests or required the creation of a customer account as a means to verify identification;  

The enforcement examples show that the CA AG is looking for a wide range of CCPA violations across the various methods that businesses collect personal information from consumers, from online websites and platforms to mobile applications, and even in-person data collection.  

New Consumer Privacy Interactive Tool


The CA AG also launched a new interactive tool to help consumers notify businesses of alleged non-compliance with the CPPA for a lack of a clear and conspicuous “Do Not Sell My Personal Information” (DNSPI) link on its website.  While consumers cannot sue organizations directly yet, this new consumer tool provides a direct mechanism for consumers to issue a notice of noncompliance to a business, triggering the 30-day period to cure, which in turn triggers the Attorney General’s right to sue if a CCPA violation is not remedied. 

Although the new consumer tool for issuing notices only applies to the lack of a DNSPI link, this tool will likely be expanded for other CCPA rights.  

Overall Takeaways:  

  • Lack of a “Do Not Sell My Personal Information” Link Is An Easy Target – Not having an DNSPI link is an easy red flag for non-compliance that could likely trigger a notice to cure from the AG directly, or now from a consumer via the new tool   
  • Watch Out for AG Notice – The Attorney General’s Office is and will continue to use the notice to cure as effective way of CCPA enforcement. Organizations should clarify their CCPA obligations, take steps to be CCPA compliant to avoid triggering a notice to cure, and be prepared to respond and address promptly should you receive a notice.  
  • Watch Out for Consumer Notice – The new Consumer Privacy Interactive Tool streamlines the DNSPI link noncompliance notice process and will likely expand to other CCPA violations. Organizations should clarify their obligations to include a DNSPI link on their websites and implement where required.   
  • All Business Subject to Enforcement – All businesses across a variety of industries are ripe for enforcement actions under the CCPA.  
  • External and Internal Policies Matter – Organizations should review their external facing notices and internal processes in light of enforcement actions and update accordingly to meet compliance obligations. Be sure your Privacy Notice is up to date and accurate, including the notice of required CCPA rights, instructions on how to exercise those rights, and methods to exercise rights.  
  • Don’t Forget About Service Providers – Review agreements with service providers to be sure they adequately address data security and privacy by including provisions that impose restrictions on the use of personal information and other CCPA-specific provisions/addendums.  

In sum, companies subject to the CCPA should take initial steps to evaluate compliance obligations and implement proactive measures to minimize a potential enforcement action.  The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA enforcement risk.  From reviewing your external policies and data collection practices to reviewing your data mapping and data subject access right procedures, this last year of enforcement underscores the importance of operationalizing robust data security and privacy practice that can stand the test of time and adapt to the evolving consumer privacy landscape.   

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

Subscribe to our Newsletter.

0
Colorado Privacy ActThe Colorado Privacy Act: Explained

The Colorado Privacy Act: Explained

On July 8th, Colorado Governor Jared Polis signed Senate Bill 190, the Colorado Privacy Act (CPA), into law. The Act is the third comprehensive state privacy law in the United States, following California’s Consumer Privacy Act and Virginia’s Consumer Data Protection Act.

The CPA is applicable to businesses that collect and store data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers. The bill also includes various data subject rights, a broad opt-out consent model with a universal opt-out mechanism, a right to cure, and attorney general rulemaking and enforcement. It is set to go into effect on July 1, 2023.

The CPA carries specific rights for the consumer including:

  • Opt-out of processing of personal data.
  • Authorization of another person to act on behalf of the consumer to opt-out of the processing of personal data for purposes of targeted advertising or the sale of consumer data.
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format.
  • Correct inaccurate personal data.
  • Delete personal data.
  • Obtain consent before collection of certain sensitive personal data (data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation or sex life, citizenship or citizenship status, or genetic or biometric data).

The right to opt-out model gives consumers a user-selected universal opt-out mechanism for executing their opt-out right, however, it applies to targeted advertising and the sale of information. Consumers cannot opt out of unnecessary and irrelevant collection of information.  Controllers must comply with the universal opt-out. Consumer requests must be verifiable, and a controller may deny the request if the request cannot be authenticated.

All consumers are provided the opportunity to appeal any denials of request. Under the act, all controllers are required to respond to a consumer’s request to exercise their rights within 45 days of receiving the request. The time period may be extended an additional 45 days with a notice of delay and reasons for the delay.

The controllers must receive a consumer’s consent before processing a consumer’s sensitive information. Consent must be a clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous consent. Consent cannot be obtained by way of acceptance of general or broad terms of use. While the CPA requires consent to process “sensitive” personal data, the bill exempts protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the Gramm-Leach Bliley Act, information regulated by the Fair Credit Reporting Act, Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act, and information regulated by the Driver’s Privacy Protection Act of 1994. The CPA also exempts information maintained for employment records purposes.

Under the CPA, controllers are also required to conduct and document data protection assessments of each of its processing activities that involves personal data acquired when conducting processing that presents a heightened risk of harm to a consumer.

Controllers must provide a privacy notice to the consumer including:

  • Categories of personal data collected, processed, and/or shared with third parties,
  • Purposes for processing such data,
  • Categories of third parties with whom the controller shares personal data,
  • How and where consumers may exercise their rights, and
  • Whether the controller sells personal data or processes personal data for targeted advertising.

Data security practices must be appropriate to the volume, scope, and nature of the personal data processes and nature of the business. While the CPA carries these consumer rights and provides for several controller obligations, it does not offer a private right of action.

The Attorney General has the capability to address outstanding compliance concerns and ambiguities ahead of the law’s effective date. The Attorney General and state district attorneys will enforce the CPA. Under the bill, there is a 60-day cure period to rectify non-compliance provided before the Attorney General or district attorney may take enforcement action. The cure period is only provided until January 1, 2025, and noncompliance can result in civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. Again, consumers are not given the private right of action under the bill.

We anticipate more states will begin to enact legislation that will encourage the regulation of sensitive data processing and enhance consumer privacy rights. Beckage will continue to monitor any developments regarding the bill. Our team of highly skilled attorneys are especially equipped to help your business implement a proactive plan to help mitigate risk and remain compliant with emerging laws.

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

Subscribe to our Newsletter.

GDPRThe EU Commission Releases the Long-Awaited Updated SCCs for Continued Cross-Border Data Transfers

The EU Commission Releases the Long-Awaited Updated SCCs for Continued Cross-Border Data Transfers

One of the most highly contentious areas under the European Union’s General Data Protection Regulation (“GDPR”) is the cross-border data transfer of Personal Data out of the EU and into other regions, especially the US. Last year, the Court of Justice released its highly anticipated decision, Schrems II, where it invalidated the EU-US Privacy Shield as a lawful mechanism to transfer Personal Data into the US but upheld the continued use of the Standard Contractual Clauses (“SCCs”). However, the Court signaled a heightened tension around the transfer of data, even using the SCCs, from the EU to the US, directing companies to consider whether those transfers would require “supplemental measures” prior to utilizing the SCCs to transfer Personal Data from the EU to the US.

In the wake of that decision, the EU Commission, charged with adopting the SCCs, announced its plans to update the SCCs to align with the Schrems II decision, to generally update the document. To date, the current form SCCs used for cross-border data transfers were adopted under the GDPR’s predecessor, the EU Directive on Data Protection, in 2001.

For the last two decades, companies across the globe leveraged the SCCs to validate the on-going transfers of personal data across many borders. However, with the increasing complexities of technology and multi-party data transactions, the limited form and nature of the SCCs continued to create challenges in leveraging the standard documents to fit varying types of cross-border data transfers. On Friday, June 4, 2021, the EU Commission released its long anticipated updated form of the Standard Contractual Clauses, available here.

The New Form Standard Contractual Clauses

The new SCCs include robust obligations on both importers and exporters of personal data under the GDPR and the Schrems II decision. Further, the new SCCs are intended to provide more flexibility and options for companies to better address the complex nature of data transfers.

The new SCCs also include modules for entities to leverage depending on the relationship between the parties involved in the transfer, i.e., controller to processer; processor to processor; etc.  These changes are intended to further align with modern data transfers and to promote the free flow of data. In the EU Commission Press-Release, Vice-President for Values and Transparency, Vera Jourová emphasized that the SCCs provide a useful tool for the free-flow of data:

“In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernized Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”

The Impact of the New SCCs

The new SCCs are expected to impact and streamline the process of adopting the appropriate contractual language to allow for the cross-border exchange of personal data. Further, the clauses are intended to align closer to the GDPR requirements, which went into effect in 2018, and the recent Schrems II guidance. Commissioner for Justice, Didier Reynders, emphasized that:

“In our modern digital world, it is important that data can be shared with the necessary protection – inside and outside the EU. With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers. After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”

The updated SCCs focus on the following key updates:

  • Align with the GDPR and Schrems II decision;
  • Provide simple and flexible model clauses for international transfers;
  • Include more robust data protection obligations (e.g., requiring importers to allow regular audits upon exporter request); and
  • Allow for third parties to acceded to existing SCCS as data exporter or importer (under the Docking Clause).

Transition to New SCCs

The new SCCs go into effect in approximately 20 days. Businesses leveraging previous versions of the SCCs have 18 months to transition to the new SCCs.

Overall, these new SCCs will allow companies to use contractual agreements in the cross-border transfer of personal data that better align to the increasingly complex nature of these transactions. Further, the new versions come at a critical juncture, when companies are struggling to implement the guidance of Schrems II and continue to leverage data processing in multiple regions around the world.  In the wake of the invalidation of the EU-US Privacy Shield, and heightened challenges with cross-border data transfers, the SCCs demonstrate the EU’s commitment to addressing data protection while continuing to allow the continued data flows out of the EU.

In light of this critical development, Beckage recommends that clients taken immediate steps to evaluate all existing agreements that will need to be updated with the new SCCs.  As stated above, companies will have up to 180 days to amend previously executed DPAs to include the new form SCCs. As such, companies will need to discuss a process to review its previously executed contracts and develop a plan to roll out amendments. Additionally, moving forward, companies will need to leverage the updated form SCCs in all new Data Processing Agreements.

At Beckage, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge that can help your company work towards compliance and data protection in both Europe and the United States.  Beckage works with clients to review current policies and assess data security practices.  Our team can help implement a plan to address the new SCCs.  

*Attorney Advertising. Prior results do not guarantee future outcomes. 

Subscribe to ourNewsletter

1 2 3 9