The following is part two of a two-part series. In this article, we will briefly discuss the facets of data privacy and security that various stakeholders to M&A transactions must consider throughout the various stages of the M&A Process. Miss part one? Find it here.
In the first installment of this series we covered the following steps.
Stage 1: Developing an M&A strategy
Stage 2: Evaluating and engaging targets
Stage 3: Negotiate the initial agreement
Stage 4: Due diligence
In this installment, we'll discuss Stage 5: Closing and regulatory clearances and approvals, and Stage 6: Post closing and integration.
While many M&A closings are fairly straightforward, some transactions are subject to various regulatory clearances before they can officially close. Some of these regulatory approvals and related investigations can involve the review of terabytes of sensitive company and client information. Both buyers and sellers should go to great lengths to ensure any data used in connection with regulatory reviews is safeguarded and that proper precautions are taken with client and customer information, especially during data transmissions and transfers. Many different parties may be involved in these reviews and may have access to company and customer information. Both the buyer and the seller should take the lead to ensure compliance and that all the different parties follow established protocols to keep all data secure.
The most common types of regulatory approvals and clearances required for M&A deals are a) competition-related and b) industry-specific. In some cases, especially in high profile M&A transactions between close competitors, or in highly regulated industries, regulatory agencies can demand large volumes of detailed company data, company documents, and customer information. The collection, transmission, storage, review, and production of this information to, from, and between various parties, including multiple law firms, consultants, economists, state attorneys general, and regulatory agencies greatly increases the risk of a data privacy violation or important information falling into the wrong hands.
Competition clearances and approvals
In the U.S., most private M&A transactions larger than $76.3 million require antitrust clearance. The Hart-Scott-Rodino Antitrust Improvements Act of 1976, as amended, requires that an “HSR filing” be made with the Pre-Merger Notification Office of the FTC and U.S. Department of Justice and allows the FTC and DoJ to review potential mergers and file lawsuits seeking to enjoin them if the agency believes the deal will “substantially lessen competition.” State attorneys general frequently conduct parallel investigations in cooperation with these federal agencies and obtain highly sensitive information from the agencies and the merging parties. Most international jurisdictions also have similar competition authorities responsible for merger reviews, including the EU and its member states, and non-European countries such as China, Brazil, India, and Russia, as well as many other countries around the world.
Certain industries (e.g., telecommunications, education, banking/finance, pharma, defense, energy, and health care) are highly regulated and can require special regulatory approval from governmental entities such as the Food and Drug Administration, the Federal Reserve Board, and the Federal Communications Commission. Certain M&A transactions involving foreign companies acquiring U.S. businesses might also be reviewable by the Committee on Foreign Investment in the U.S.
Regulators often request large amounts of company and client information in connection with their investigations and the regulatory approval process. In the U.S., regulators issue Requests for Additional Information and Documentary Materials if they have reason to believe a merger may impede competition. Second Requests are especially data and document intensive, and the level of detail and amount of information requested can be staggering. The FTC routinely asks for copies of customer databases, contract/pricing terms, and other detailed customer information. Reviewing and producing millions of documents in connection with a FTC or DoJ Second Request for a transaction is the norm.
Because of the volumes involved in these regulatory reviews and the myriad of parties needing access to data, specialized third-party vendors (eDiscovery vendors) often collect and host the data in a central repository review database. In some cases, these repositories can contain all or most of a company’s data or email servers. Similar to third-party vendors hosting due diligence data room, parties should fully vet eDiscovery vendors hosting their data in connection with regulatory reviews. Parties should closely examine the security profile and protocols of any potential eDiscovery vendor and, like pricing, security should be a primary concern.
While eDiscovery vendors help collect and host data for regulatory review, in almost all cases certain data and documents will need to be “produced” and turned over to regulatory agencies and state attorneys general so they can conduct their investigations. More often than not the information produced to regulators contains highly sensitive and confidential business secrets and strategy plans as well as customer information and even documents with personally identifiable information.
There are various steps parties can take to limit data privacy issues and ensure company and client data is secure throughout the regulatory review:
- Any information handed to regulatory agencies must be reviewed for PII before production. Customer data should be redacted or anonymized whenever possible and allowed by regulators. PII redactions have become increasingly difficult with the rise of Technology Assisted Review (TAR), where not all documents are manually reviewed. When TAR is used or when not all documents being handed over to a regulatory agency are manually reviewed, a separate workflow should be devised to flag documents potentially containing PII.
- Encrypt data at every step in the review process, especially any time data is transmitted. Starting from collection, when data is sent from a company to its eDiscovery vendor, encrypt all data, including physical media, and electronic transmissions.
- Utilize an eDiscovery vendor that has encryption features, such as “Encryption at Rest” on their servers. Encrypt all physical media that is produced and submitted to regulatory agencies.
- Have a full and complete understanding of when and which documents and data sent to regulatory agencies are potentially exempt from any Freedom of Information Act Request.
- Use confidential “bates” stamping and document footer language and always request that data/document submissions be kept confidential when submitting the data to regulators.
- Understand and ask regulatory agencies how long any submissions are kept on their servers and when/how they are destroyed.
Stage 6: Post closing and integration
While a buyer should always consider and familiarize themselves (hopefully during the due diligence process) with the target’s data privacy and security policies and protocols, in many cases, actively dealing with certain new data privacy and security issues head on in a real world setting does not become a major concern until a deal is closed and integration commences.
However, this should not be used as an excuse to not perform a complete cyber due diligence process or to cut corners on cyber diligence. All too often, parties wait and try and work out all or most data privacy or data security issues post-closing or ignore potential data and privacy issues during diligence, dismissing concerns simply as IT issues that can be resolved during integration. Leaving everything related to data privacy until integration is dangerous and can lead to potential data privacy violations and serious risks.
As more and more data breaches are reported, and as companies collect and store larger volumes of personal data, concerns relating to privacy, data security, and IT will become an increasingly larger part of the M&A post-closing integration process. However, the integration process can be complicated by the fact that certain types of information and IT databases cannot be shared between the buyer and the seller while a deal is pending. Merging parties that compete with one another must be aware of potential “gun jumping” antitrust violations and understand that certain types of information and databases cannot be shared between the buyer and seller until a deal has been cleared by regulators. For example, materials containing customer lists, including customer personal information databases, customer contract terms, pricing data, cost data, or other competitively sensitive information generally should not be shared until after closing. Until then, parties should be careful when discussing related integration topics, even in a purely IT context. While merging parties should discuss how to collect, store, encrypt, use, and delete customer and sensitive data, until the deal has been cleared by regulators, they should refrain from actually sharing sensitive data without appropriate safeguards in place to protect the dissemination of the information.
Parties should also realize the costs related to integrating data privacy, data security, and IT systems can be extremely expensive. In one recent merger, Sysco’s proposed acquisition of U.S. Foods, it was reported that Sysco spent $53 million just on data-related integration and “allowing the two companies’ computer systems to talk to each other.”
Special consideration should be paid to M&A transactions with a U.S.-based buyer of a foreign (especially European) target. These deals will have a number of new and unique data privacy and security-related requirements depending on the jurisdiction. It is no secret that data privacy and protection laws are typically much more stringent on one side of the Atlantic than the other. Unless a buyer is experienced in foreign integration and has gone through the process in a past M&A transaction, it is highly recommended that data privacy experts or firms specializing in foreign integration and data privacy be retained to lead integration efforts as many new privacy issues await U.S.-based buyers of European targets.
While there are many questions parties should address during integration planning., some of the more basic ones include:
- Will customer or employee personal information on the target’s system be transferred and integrated into the buyer’s system, or, will parallel systems be maintained?
- Which party’s personal and employee data privacy and general data security policies are broader? How can the parties reconcile differences in the policies?
- Are there any new jurisdictions in which data is stored or transferred in/out of as a result of the M&A transaction?
Regardless of how costly, long, or complicated integration is, and no matter the new policies or requirements of any new jurisdictions, parties should frequently review and assess progress, set milestones, and be sure to run compliance checks and audits.
 See Instruction 3 of the model second request – available at
If you want to comment on this post, you need to login.