Data Privacy Due Diligence in M&A Transactions:
A Make-or-Break Issue

by Stephen Toland, Head of Austin Office, CIPP certified and Ekaterina Lyapustina, Data Privacy Specialist, CIPM certified

One key issue has become a “make-or-break” for businesses during the current boom in mergers and acquisitions: Inadequate privacy and data security practices.

Privacy and information security due diligence used to be a “nice-to-have.” Now that personal data collection is subject to a complex and inconsistent mix of state, federal and global data privacy regulations, due diligence is at the core of why many deals happen, don’t happen, or happen and lose money.

Deals are centered on trust. During M&A negotiations and due diligence discussions, buyers and sellers seek a clear understanding of how the other “does business.” With multi-state and global data privacy regulations and compliance pressures looming, buyers are looking to mitigate risk and potential liabilities. Instilling confidence in buyers requires full transparency into how the seller manages and protects personal information, its data collection processes, its privacy compliance, and how any past breaches were handled and resolved.

Doing Your Due Diligence: Ten Points to Consider

Data Privacy

  1. Understanding data flow is critical. Design specific due diligence questions around data, identifying what personal data is collected during the course of business, where that data originates (which states or countries), where it’s stored, and how it’s processed. Obtain a clear understanding of the types of data that flow through the company, including how the data is secured and used after it is collected.
  2. Evaluate any data governance and management policies. Once you understand the data flow, obtain written copies of all present and past policies & procedures covering data governance and management. Are there realistic accountability mechanisms in place? Does the company have a solid track record of following its stated data access controls and retention policies?
  3. Gap analysis is a must. As you inspect the seller’s policies and disclosures related to how they collect and process data, ask yourself: Are they violating any existing policies and law? The best way to answer this question is to insist on a gap analysis, assessing any weak points or gaps in their data privacy framework.
  4. Are there previous regulatory compliance issues? Unlike civil or criminal cases filed in open court, complaints or regulatory inquiries into violations of data privacy are rarely public. Discovering compliance issues requires skilled research to determine whether any underlying issues or breaches exist. If there is a history of data breaches or privacy violations, it is critical to get an understanding of the cost to cure. In other words, “What are you signing up for here?”
  5. Identify third parties and vendors in a data exchange. It’s important to identify third-party vendors, service providers, and data processors, especially with access to sensitive data. After identification, rigorously assess third-party security practices, contractual obligations, and compliance with data privacy requirements.
  6. When negotiating the purchase, include representations and warranties covering the seller’s data security and privacy practices, and assess the seller’s contractual obligations, indemnification clauses, and liability exposure in the event of data breaches or privacy incidents.
  7. Ensure the buyer is indemnified for third-party claims that could arise from the seller’s failure to comply with applicable data privacy and security regulations, including its disclosure obligations.

Cybersecurity

  8. Cybersecurity due diligence should always include: assessment of security measures, infrastructure, and incident response readiness; evaluation of cybersecurity controls such as network security, endpoint security, and access controls; and review of encryption mechanisms, data masking techniques, and data loss prevention solutions.
  9. Don’t overlook incident response procedures and detection capabilities in initial M&A diligence. Confirm the seller is prepared for potential security breaches, and complement that review with a look at its IT infrastructure, cybersecurity technologies, and the cloud services it uses for data storage and processing. Companies with data privacy and security awareness training programs foster a culture of cybersecurity awareness and compliance among their employees; ask whether such a program exists and how consistently it is run.
  10. Vulnerability management processes play a crucial role. It’s key to identify and address potential vulnerabilities in software applications, systems, and network infrastructure. This involves a thorough review of the seller’s vulnerability scanning, patch management, and remediation procedures, including how quickly known vulnerabilities are actually fixed.


Due diligence takes time. It is important to allow your data privacy team adequate time to take on the due diligence required for a strong sale in which the liabilities are known and priced. By way of example, consider Verizon’s acquisition of Yahoo. Verizon had agreed to pay roughly $4.8 billion for Yahoo’s core business until it was discovered that Yahoo had not disclosed two significant data breaches, which together affected billions of user accounts. As a result, the purchase price was cut by $350 million, and Yahoo’s successor entity paid a $35 million SEC penalty for failing to disclose the breaches to investors, on top of a $117.5 million settlement of the class action lawsuits stemming from the breaches.

Data isn’t always a liability; it can be a real competitive advantage.

By engaging a data privacy and security lawyer with specialized expertise, buyers and sellers can effectively mitigate risks and optimize the value of their investments. A data privacy and security lawyer brings invaluable insights into complex data privacy laws and regulations, enabling thorough assessments of target companies’ privacy practices and potential liabilities.