When entering into any merger or acquisition (whether a stock deal or an asset deal), there are numerous privacy and data security issues that must be evaluated and addressed from the beginning. Most companies in today's online world collect and store data that is sometimes highly sensitive, or held in such volumes that a breach would be highly damaging. This means it is more important than ever for buyers to conduct a thorough evaluation of the data privacy and security measures a target has, and has had, in place, as well as to determine whether there are any related concerns or issues that could prove problematic down the line.
In order to mitigate risk and liability, buyers need to investigate the kinds of data a target collects, especially if this is personal or highly sensitive information, which is subject to additional regulations. What policies and practices has the target maintained to protect this data? Has that data been shared, and if so, how is it shared with others? Is the target company in full compliance, and has it been in full compliance, with all applicable state, federal and international rules and regulations?
To fully address all of these concerns, there are several steps buyers need to take early on in an M&A transaction.
Conduct an evaluation of the kind of information the target collects and how that data is handled
This is critical to understand from the outset, as buyers need a complete grasp of the scope of data collected, the level of sensitivity of that data, and what happens to that data once it is collected.
There are several points to make sure to address in this initial evaluation:
- First, what kind of data are they or have they been collecting? How sensitive is the information? Is the data subject to any specific privacy laws or regulations (e.g. HIPAA)?
- Are there particular categories of customers from whom data are collected (e.g. minors)?
- In what jurisdictions does the target operate?
- How is the data stored and managed?
- What kinds of cybersecurity protections are in place to secure the data?
- Who is in charge of managing the data, and who has access to it?
- Is the data shared or sold outside the company?
- What privacy policies and data retention policies are in place?
- Are they in compliance with privacy and cybersecurity regulations? Who ensures such compliance?
Form a due diligence team that includes representatives from both the buyer and target (and their lawyers)
This is an important step, as it allows for sharing of information and can help catch potential problems early, such as issues that might result from merging or transferring data between the target and the buyer. The due diligence team should include a variety of representatives from both sides, including internal and external legal counsel, IT, security, CSOs and, where needed, outside consultants. There should be a process in place for sharing and evaluating information.
Collect information, conduct an assessment, and classify the data
Buyers will need to start by submitting an initial request for all relevant information and documentation, followed by collecting the information provided by the target and requesting further information or documentation as appropriate. They should also conduct interviews with those responsible for privacy and data security at the target, and it may often be wise to bring in an outside specialist to conduct an assessment. In our experience, interviews are often a great way to quickly resolve diligence issues.
Once the information is collected, a complete assessment of the target's data and IT assets must be conducted so that the buyer knows and can confirm what information and protections the target has and how they are maintained. The data should also be classified in terms of what kind of data there is, how much of it there is, and how it is stored.
Carefully examine target’s data policies and practices
Based on the classification and assessment of the target's data, the buyer's diligence team should then seek to understand which regulations need to be accounted for, what data and security policies the target has in place, whether the target has been subject to any prior data breaches or compliance failures, the target's reliance on third-party providers, whether any litigation is outstanding or has been threatened, and other potential vulnerabilities.
Knowing how a target is sharing data outside the company is critical. If they are sharing or selling data externally, what kind of security measures are in place? What kinds of opt in or out policies do they have? Is data being transferred internationally? Does the target require its vendors to follow certain privacy procedures?
Buyers must also know what kinds of data retention policies the target has employed, as well as how they dispose of data – for example, whether any backup copies are saved after disposal.
This is certainly not an exhaustive list, and M&A privacy considerations will vary based on the target's industry and the level of data collection. But the importance of conducting privacy due diligence in M&A transactions cannot be overstated. Forgoing this step can have catastrophic results down the line if problems are unearthed once it is too late. Taking the time to conduct a thorough evaluation and investigation might take longer at the start, but it can avoid costly issues later on.