1. What types of transactions implicate cybersecurity and data privacy concerns?
Cybersecurity and data privacy concerns arise in many different types of M&A transactions, but greater focus on potential cybersecurity and data privacy issues should be directed toward transactions involving (a) a target company that operates in certain highly regulated industries, (b) the acquisition of sensitive information and data, and/or (c) the transfer of sensitive information and data across national borders. Target companies that operate in the financial services and healthcare industries, for example, are subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, respectively. Companies in other industries are subject to the jurisdiction of other federal agencies, such as the Federal Trade Commission and the Securities Exchange Commission.
Transactions in which a buyer will acquire personally identifiable information or protected health information from the target company naturally implicate cybersecurity and data privacy concerns because not only will the buyer want to confirm that the target company is in material compliance with applicable cybersecurity and data privacy laws pre-closing, but the buyer will also need to ensure continued compliance during the integration period post-closing. Finally, the parties to a cross-border transaction involving the transfer of sensitive information and data from one country to another must abide by sometimes widely differing cybersecurity and data privacy regulatory regimes.
2. What are the risks involved in failing to address cybersecurity and data privacy concerns in an M&A transaction?
Failing to properly address cybersecurity and data privacy concerns could expose target companies and buyers to lawsuits, significant governmental sanctions and/or fines, audits, and loss of goodwill and reputational harm. Moreover, it is not simply target companies and buyers that may suffer these consequences; the directors and officers of both companies are at risk as well.
3. What should a buyer look for in terms of cybersecurity and data privacy during the due diligence period in an M&A transaction?
A buyer should request and inspect all of the target company’s materials that relate to cybersecurity and data privacy. Such materials include the target company’s policies, procedures, and systems relating to the collection, storage, processing, and destruction of personally identifiable information, protected health information and other sensitive information and data; a list of the target company’s websites and social media platforms and description of how the target company uses such sites and platforms; the target company’s employee manuals, handbooks and policies; and the security and privacy provisions of the target company’s vendor contracts.
A buyer should also request documentation and explanation relating to any past instances of non-compliance with applicable cybersecurity and data privacy laws or cybersecurity attacks on the target company or any of its affiliates. If there have been past instances of cybersecurity breaches or attacks, a buyer should seek information regarding how the incident occurred, the types of information exposed by the breach, the total number of individuals affected, the states of residence of each of the individuals affected, whether the individuals were properly notified of the breach, whether the requisite state agencies were properly notified of the breach, the remedial steps taken to prevent similar incidents in the future, and whether any litigation or governmental investigation resulted from the incident. A buyer should also inspect the target company’s insurance policies, including in particular its cyber insurance policy, to determine if the incident was covered and whether the target company took the requisite steps in order to secure coverage. Additionally, a buyer should consider whether additional coverages specific to cybersecurity and data privacy matters should be purchased.
4. How should a buyer account for cybersecurity and data privacy risks in drafting the purchase agreement in an M&A transaction?
If the due diligence review of a target company has revealed a known cybersecurity and data privacy threat, a buyer may integrate this threat into its valuation of the target company and/or include a specific indemnity in the purchase agreement to cover the risk. Inclusion of a specific indemnity in the purchase agreement will lead to a negotiation over the length of the indemnity and whether the indemnity will be subject to a cap or a basket.
Even if no specific cybersecurity and data privacy issues have been uncovered, a buyer should still request specific representations and warranties from the target company concerning the target company’s compliance with applicable cybersecurity and data privacy laws and regulations and with its own internal privacy and data protection policies. If the target company breaches such a representation and warranty, such a breach can form the basis for a fraud claim or an indemnity claim against the target company by the buyer.
Finally, if a buyer is still conducting its due diligence review at the time of signing, a buyer may want to include a diligence “out” provision allowing the buyer to terminate the agreement due to the unsatisfactory completion of its cybersecurity related due diligence before closing.