Privacy and Data Security Considerations in M&A Transactions

25 January 2022 Foley Ignite Blog
Author(s): Eric Chow

When entering into any merger or acquisition (whether a stock deal or an asset deal), there are numerous privacy and data security issues that must be evaluated and addressed from the beginning. Most companies in today’s online world collect and store data that is sometimes highly sensitive, or held in such large volumes that a breach would potentially be highly damaging. This means it is more important than ever for buyers to conduct a thorough evaluation of the data privacy and security measures a target has, and has had, in place, and to determine whether there are any related concerns or issues that could prove problematic down the line.

In order to mitigate risk and liability, buyers need to investigate the kinds of data a target collects, especially where this is personal or highly sensitive information, which is subject to additional regulations. What policies and practices has the target maintained to protect this data? Has that data been shared, and if so, how is it shared with others? Is the target company, and has it been, in full compliance with all applicable state, federal and international rules and regulations?

To fully address all of these concerns, there are several steps buyers need to take early on in an M&A transaction.

Conduct an evaluation of the kind of information the target collects and how that data is handled

This is critical to understand from the outset as buyers need to have a complete grasp on the scope of data collected, the level of sensitivity of that data and then what happens to that data once it’s collected.

There are several points to make sure to address in this initial evaluation:

  • First, what kind of data are they or have they been collecting? How sensitive is the information? Is the data subject to any specific privacy laws or regulations (e.g. HIPAA)?
  • Does the target collect data from any particular categories of customers (e.g. minors)?
  • In what jurisdictions does the target operate?
  • How is the data stored and managed?
  • What kinds of cybersecurity protections are in place to secure the data?
  • Who is in charge of managing the data, and who all has access?
  • Is the data shared or sold outside the company?
  • What privacy policies and data retention policies are in place?
  • Are they in compliance with privacy and cybersecurity regulations? Who ensures such compliance?

Form a due diligence team that includes representatives from both the buyer and target (and their lawyers)

This is an important step as it allows for sharing of information and can help to catch potential problems early, such as issues that might result from merging or transferring data between the target and the buyer. The due diligence team should include a variety of representatives from both sides, including internal and external legal counsel, IT, security, CSOs and, where appropriate, other outside consultants. There should be a defined process for sharing and evaluating information.

Collect information, conduct an assessment, and classify the data

Buyers will need to start by submitting an initial request for all relevant information and documentation, then collect the information provided by the target and request further information or documentation as appropriate. They should also conduct interviews with those responsible for privacy and data security at the target, and it may often be wise to bring in an outside specialist to conduct an assessment. From our experience, interviews are often a great way to quickly resolve diligence issues.

Once the information is collected, a complete assessment of the target’s data and IT assets must be conducted so that the buyer knows, and can confirm, what information and protections the target has and how they are maintained. The data should also be classified in terms of what kinds of data there are, how much there is, and how it is stored.

Carefully examine target’s data policies and practices

Based on the classification and assessment of the target’s data, the buyer’s diligence team should then seek to understand what regulations need to be accounted for, what data and security policies the target has in place, whether the target has been subject to any prior data breaches or instances of non-compliance, the target’s reliance on third-party providers, whether any litigation is outstanding or has been threatened, and other potential vulnerabilities.

Knowing how a target is sharing data outside the company is critical. If it is sharing or selling data externally, what kind of security measures are in place? What kinds of opt-in or opt-out policies does it have? Is data being transferred internationally? Does the target require its vendors to follow certain privacy procedures?

Buyers must also know what kinds of data retention policies the target has employed, as well as how it disposes of data, for example whether any backup copies are retained after disposal.

This is certainly not an exhaustive list, and M&A privacy considerations will vary based on the industry of the target and the extent of its data collection. But the importance of conducting privacy due diligence in M&A transactions cannot be overstated. Forgoing this step can have catastrophic results down the line if problems are unearthed once it is too late. Taking the time to conduct a thorough evaluation and investigation might take longer at the start, but it can avoid costly issues later on.
