The following is part one of a two-part series presenting steps for addressing privacy considerations for mergers and acquisitions.
With the global economy showing signs of recovery, 2015 was a strong year for mergers and acquisitions across an array of industries. Activity exceeded $4 trillion, representing also show this accelerated pace to continue. However, another, less positive trend has been commonplace fodder for headlines across the world —
Stage 1: Developing an M&A strategy
Mergers and acquisitions can be extremely effective mechanisms for companies to achieve important business objectives. However, whether the goal is penetrating new markets, enhancing or expanding a product line, or achieving greater economies of scale, during the initial phase of an M&A transaction, a prospective buyer or seller will want to develop a strategy that takes into account privacy and security issues that may arise in the context of key elements of an existing business plan. Such elements might include:
- expansion into new industries or geographic regions;
- whether any new products or technologies are a necessary part of certain business goals;
- any changes in how certain categories of information might be used to achieve objectives; and
- how the risk profile of the buyer or seller might change.
Data privacy and security considerations play a critical role as you develop your M&A strategy because they can impact a company’s business objectives, regulatory profile and valuation model, as well as the list of acquisition candidates or potential buyers. When converting a business plan into a list of acquisition targets, as well as a plan to evaluate those targets, some key items to consider include:
- What new markets and market segments will be entered as a result of a merger or acquisition? Does the strategic plan involve expansion into any highly regulated sectors (e.g., healthcare, financial services, businesses targeting children as consumers)? Will the strategic plan change the geographic profile of the business, and thus the organization’s compliance obligations, both domestically and internationally?
- What new products, services and technologies will be offered or required when entering new markets? What external and internal marketing and tracking efforts will be required to ensure the success of any new products, services or technologies? What privacy policies, notices and other compliance efforts will be required to support new products, services or technologies?
- Will any new consumer demographics be added? What laws and regulations, both domestic and international, apply to any disclosures about the collection of consumer information? How will personal information, both from consumers and employees, be collected, used, stored, disclosed, managed and discarded in accordance with the strategic direction of the company?
Stage 2: Evaluating and engaging targets
When identifying and evaluating targets on either the buy or sell side, determining a target that will ultimately be a successful fit and create the desired value involves an evaluation of a number of financial, logistical, legal, cultural and other factors. While much of this information will be developed further during the due diligence phase when a list of targets has been sufficiently narrowed, understanding the security and privacy profile of a potential target is also important at this early stage.
In order to adequately assess and address the risks involved with a deal, both parties need a comprehensive understanding of the data privacy and security profile of the target. Key pieces of information that should be a part of any due diligence effort include the following:
Privacy policies and notices: As part of a comprehensive effort to understand a target’s Information and Records Management ecosystem, regardless of whether the buyer assumes all liabilities via a stock purchase or merger, or limits general liabilities through an asset purchase agreement, special attention must be given to the adequacy of privacy policies and enforcement efforts in light of the applicable regulatory environment.
How a company collects, uses, discloses, transmits, stores, shares and destroys personal information and other protected categories of data is a key element of its risk profile. For example, the statements made to consumers in a privacy notice are considered legally enforceable promises. The failure of a target to comply with stated privacy policies could lead to a Federal Trade Commission (FTC) enforcement action for violations under Section 5 of the FTC Act or other laws, as well as private class actions and prosecution under state laws. On April 10, 2014, the director of the FTC sent what could be considered a warning letter to the chief privacy officer of Facebook in light of Facebook’s proposed acquisition of WhatsApp, stating, “WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties – promises that exceed the protections currently promised to Facebook users. We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.” It is clear that regulators, like the FTC, are putting customer privacy and the protection of customer personal information at the forefront when looking at M&A deals.
If a buyer’s data privacy policies, notices, or goals for using personal data differ from privacy statements made to consumers by the target, the buyer should consider ways to reconcile such differences to comply with the statements of the target. This can either be achieved through the buyer acting consistently with the target’s policies, or, if the buyer intends to use data in a manner inconsistent with the target’s stated policy, then the buyer should consider gaining affirmative consent prior to using any data from the target’s customers.
On the seller side, consideration should be given to restrictions on disclosure during the deal process. Sellers want to ensure that no disclosures are made that could trigger sector-specific laws or data breach notification requirements. Where a transaction has an international element, sellers also want to ensure that any personal data is lawfully processed and disclosed to the buyer. International deals raise a number of other considerations, including data transfer restrictions based on blocking statutes and privacy regulations, as well as European Union (EU) merger controls.
Security controls: Privacy policies, notices and other administrative controls paint only part of the information security picture that an acquiring company needs to fully evaluate the risk profile of a target. A purchaser must have a comprehensive understanding of the target’s information security controls and how those controls fit in the context of the industry or industries in which they do business. The following is a list of some of the important considerations for evaluating the security controls of an acquisition target:
- Does the target have a comprehensive information security program that contains all policies and procedures?
- Does the target have a plan for disaster recovery and business continuity?
- How does the target manage all internal and external vendors, including any cloud service providers (CSPs)?
- Does the target perform penetration tests and other vulnerability assessments?
- Does the target certify or audit its information security management system against any industry standards (e.g., ISO/IEC 27001 and COBIT)? How has the target addressed remediation efforts?
- Does the target have a documented incident response plan? Has the target recorded any security incidents or data breaches?
Data privacy and security also play an important role when you actually engage potential acquirers or acquisition targets. This is especially true for sellers that often have to present very confidential information to entice buyers. A seller will want to limit the specific detail that is included in any initial outreach, secure non-disclosure agreements from all prospective buyers, and then utilize a secure online deal room (typically referred to as a “virtual data room”) to help control access to any proprietary information. The specific features of various online deal rooms differ based on provider, but core security-related functions include restricted access to certain documents, restricted functionality (e.g., an administrator can disable a user’s ability to print, share or download), watermarking documents with usernames and the ability to audit user behavior so that an administrator can track what documents are viewed, downloaded or printed.
Stage 3: Negotiating the initial agreement
In a typical M&A initial agreement negotiation, buyers seek to broaden the scope of representations and warranties while targets seek to limit them. When it comes to data privacy and data security provisions, the process is no different.
Both sides should carefully consider how the transaction agreement allocates risks, representations and warranties related to the target’s data privacy policies and protocols, data security protocols, cross-jurisdictional data transfers, and compliance with the laws and regulations of each relevant jurisdiction, as well as how disputes will be handled. For the protection of both sides, data privacy and security-related issues should always be addressed in an initial agreement.
Any potential buyer should make sure it has a good understanding of the following when drafting an initial agreement, even before diligence is performed:
- How important is customer or personal data to the transaction or valuation of the transaction? Is the data a primary asset to acquire?
- What is the volume of personal data, both customer and employee data, of the target?
- How does the target currently use customer data and what is their current privacy policy?
- Does the target store particularly sensitive or regulated data related to health care records (e.g., HIPAA-related records), educational data (e.g., FERPA data), or children under the age of 13 (e.g., COPPA materials), all of which involve an added level of risk?
Stage 4: Due diligence
Traditional due diligence is the process of investigating a merger or acquisition target and getting a close look at that target’s financials, policies, contracts, assets, and liabilities. The primary goal of traditional due diligence is to collect, examine, and analyze information about a target to ensure the acquirer has a full understanding of the target and its business, assets and liabilities. After examining this information, the buyer will obtain a fuller and more accurate picture of the target’s business, allowing the buyer to make an informed decision on whether the target is a strategic fit and whether to proceed with the potential transaction.
With the rise of “big data” and massive amounts of personal and customer information kept by many companies, a new type of diligence is now required. In addition to traditional due diligence, it is now essential that companies perform “cyber” or “e-due diligence” and fully examine any target’s IT and data security policies — including but not limited to: how the company gathers data and personal information, how it uses that data, stores that data, encrypts (or protects) that data, and destroys that data. Attention should also be paid to a target’s general information governance policies and procedures — i.e., where data are physically stored, on what systems the data are stored (e.g., hardware or software), and what sort of cyber or data related insurance policies the target maintains.
The following list includes some potential questions to ask as well as some information that should be gathered during cyber due diligence:
- A “data map” outlining where and how the company stores data and the related security controls and protocols. A data map is best described as an employee organization chart, but for data: the goal is to understand where the company’s data is stored, how it is governed, who has access to it, and how secure it is.
- Company privacy policies and guidelines for using customer data.
- Copies of documentation and policies related to information governance and how companies retain, encrypt, and destroy data.
- Documentation on security audits and data/electronic risk assessments.
- Documentation on physical security guidelines and access guidelines to offices, data centers, computer rooms, and servers.
- Security checks and controls related to hiring employees including what background information is collected and what specific checks are run.
- Any risk profile including previous data breaches or attempted breaches.
The consequences for acquirers that fail to perform thorough cyber due diligence can be severe. In 2014, the online travel site TripAdvisor acquired tour booking company Viator for $200 million. The transaction closed in mid-August 2014 and, approximately two weeks later, Viator announced that it was the victim of a data breach and that the personal details and credit card information of up to 1.4 million customers were likely compromised. TripAdvisor’s stock fell five percent after the news broke.
One of the primary goals of cyber due diligence should be to avoid taking on any potential data privacy-related liability and to ensure the buyer is not assuming any potential liability for a past data breach. However, parties should be sensitive to the fact that providing other parties (such as an acquirer in an M&A transaction) with the personal information of employees or clients can itself be a breach of privacy policies or laws. Questions should be asked before the diligence process begins to ensure that performing the diligence does not itself cause a violation.
In addition to identifying potential risks and liabilities during cyber due diligence, parties should also understand that data security and privacy breach risks arise from the mere performance of due diligence itself. It is during the diligence process that large amounts of sensitive and confidential information will be shared with bankers, attorneys, consultants, third-party vendors and other parties. No matter how secure a company is and how many internal steps it takes to secure its data, it is at the mercy of the other parties that host, access, save and store that data. Parties would be wise to carefully vet any third party that will be hosting their data during the diligence process, paying special attention to any vendors that host large sets of information in their online data rooms.