Data Security Compliance in Mergers and Acquisitions
The costs of hacking, malicious data breaches, and accidental data leaks can be extensive and potentially fatal to a business enterprise. For example, Equifax had a massive data breach in 2017. Since then, Equifax has spent — or is projected to spend — $439 million through the end of 2018. Only $125 million of that cost is covered by insurance. See Reuters news report here. Equifax shares have lost more than a quarter of their value since the breach was disclosed.
Because of potentially massive costs, online, computer and data security has become one of the key issues with respect to mergers and acquisitions. Potential litigation, government investigations, remediation costs, and judgments can significantly reduce the value of a target acquisition. When Verizon was considering acquiring Yahoo, Inc., Verizon cut the proposed purchase price by about 8% — from $4.83 billion to $4.40 billion — when it was discovered that Yahoo had suffered large-scale data breaches. That was a cut of $350 million (and that seems low given the costs that Equifax is now incurring). See report here.
For these reasons, when considering merging with or acquiring an existing company, pre-offer and pre-closing due diligence must evaluate data breach risks. The issues can be broken down into categories including:
- What data is collected? — different types of data require different protections and might implicate different regulatory regimes; as an example, health-related data requires a higher level of protection than other types of data; biometric data requires specific and careful attention
- What data is retained and what is the current data inventory? — collection and retention are separate matters raising distinct legal issues
- About whom is the data collected? — customers, employees, or other
- Who has access to the data both internally and externally?
- What are the internal procedures to protect the data? — are the procedures state of the art and up-to-date?
- What contractual protections are in place when data is shared or processed by others?
- Does the target company have personnel dedicated to data security? Is there, for example, a Chief Data Security Officer?
- What consents (if any) have been obtained? Are the “consents” browsewrap or clickwrap? What does the browsewrap or clickwrap agreement say about privacy and data sharing?
- What data is deleted and how? — what are the policies and procedures for deleting data and how effective is/was the destruction of the data?
- Have there been governmental or regulatory agency inquiries about a breach or other data privacy issue?
- Have there been complaints and litigation? — complaints to the target, complaints to governmental agencies, litigation and threatened litigation — and what is the quantity and frequency of such complaints?
Acquisition targets should be fully aware of the potential liabilities with respect to data collection, storage, and unauthorized access/disclosure. Thus, targets should expect to provide copies of consents, contracts, policy and procedure documents, data collection and retention inventories, breach or threatened breach incident reports, governmental inquiries and/or filings, and a host of other information so that the buyer can evaluate data breach liability risks. Any reluctance or obstruction by the target in providing this type of information should be considered a “red flag” for the buyer.
It is advisable to do some of this investigation before the Purchase/Sales Agreement is signed. Then, of course, the agreement must have appropriate representations and warranties and also various pre-closing conditions, indemnities, and hold-backs. The final negotiated purchase price should reflect a realistic projection of liability from any pre-closing data breach or loss.
Contact San Diego Corporate Law Today
If you would like more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. If you are buying or selling a business in San Diego or considering a merger, there is a long list of items that must be considered and explored during the due diligence phase. Data security is now one of the most important items on the list. Mr. Leonard has the experience to ensure risks are minimized. Mr. Leonard can be reached at (858) 483-9200 or via email.