This article is the first in a series of articles that will discuss the importance of privacy and data security considerations in the transactional context.
Data privacy and data security continued to capture headlines and boardroom attention in 2014, as the EU “right to be forgotten” ruling, the Sony cyberattack,1 new laws and lawsuits, and investor pressure on executives and boards regarding cybersecurity issues 2 provided continued worries for legal departments, executives, and directors.3 The ongoing coverage of these incidents has caused many legal departments, executive teams, and boards of directors to become more familiar with data privacy and security risks. Many businesses are taking steps to reduce their risk exposure by reviewing and enhancing their privacy and data security programs, ensuring that they maintain appropriate cyber insurance, and working with service providers, vendors, customers, and employees to minimize the likelihood of becoming the next target of a cyberattack or class action litigation.
A critical but sometimes overlooked component of improving a company’s privacy and data security risk profile is the appropriate handling of privacy and data security in the context of corporate transactions. A failure to appropriately contemplate and address privacy and data security risks in a merger, acquisition, divestiture, investment, securities offering, joint venture, strategic alliance, or other similar transaction can dramatically increase enterprise-level risk.
In the past, parties to corporate transactions often viewed privacy or data security as of only minor importance. In today’s environment, however, acquirors, investors, and underwriters must conduct due diligence and engage in risk management with regard to data privacy and security issues in corporate transactions in order to avoid significant risks, to price the transaction appropriately, and to account for key practical issues (e.g., legal compliance measures, such as obtaining the consent of consumers or business counterparties to use and exploit data, that may be difficult to achieve). When a potential joint venture partner or acquisition or investment target has failed to appropriately handle data privacy or security matters, or where an acquiror, investor, or underwriter does not invest sufficiently in conducting due diligence or mitigating identified risks appropriately, undesirable or even disastrous results could follow.
Failure to appropriately evaluate data privacy and security issues in a merger or acquisition could, for instance, result in an acquiror: (i) obtaining data that cannot be used or exploited in anticipated manners post-acquisition; (ii) acquiring compromised electronic assets or data systems; (iii) inheriting, or creating a basis for, privacy- or data security-related class actions or regulatory investigations or fines;4 (iv) experiencing significant damage to reputation or losses in enterprise value or brand equity—not only with regard to the acquisition or investment target, but in many cases, also its own—following the transaction; or (v) determining not to consummate an agreed-upon transaction due to potential costs or risks, or integration difficulties, identified late in the diligence process. Investors and underwriters in financings and securities offerings, respectively, could find the company in which they are investing, or whose securities they are underwriting, suffering many of these consequences. Indemnification or other remedies may be available for certain of these circumstances, but difficulties may arise in obtaining indemnification, and indemnification may be subject to caps or other limitations that prevent the claimant from being made whole for its losses.
Through conducting due diligence, parties may discover risks relating to inadequate data security programs and procedures, undisclosed data breaches, government investigations, non-compliance with data protection legal obligations, privacy-related litigation, or other similar matters relating to data processing or transfer. Attorneys focused on privacy and data security matters can take steps to ensure that these risks are evaluated, disclosed, remediated, and addressed appropriately, such as by: (i) reviewing the target company’s or issuer’s policies, practices, and obligations arising under applicable law or by contract; (ii) assessing potential liabilities that may result from deficient privacy or data security practices; (iii) drafting and negotiating appropriate representations, warranties, and covenants;5 and (iv) working with business and technical subject-matter experts on integration matters.
Parties to a proposed transaction must also ensure that relevant privacy and data security representations and warranties, risk factors, and similar disclosures are drafted, structured, and negotiated to allocate risk and costs appropriately. In the mergers and acquisitions context, and in many investment scenarios, acquirors or buyers should in most instances draft strong privacy and data security representations regarding the business at issue; conversely, sellers should seek to minimize their representations and warranties regarding their data practices, and should describe any failures of those representations and warranties to be accurate in the disclosure schedules to the acquisition agreement. In public securities offerings, issuers and underwriters should attempt to minimize their respective risks in the underwriting agreement but work cooperatively to cause the registration statement to convey appropriate disclosures to the public.
Data privacy- and security-related integration concerns in many corporate transactions merit specific mention. In many cases, privacy policies must be revised or harmonized, registrations (such as with the Department of Commerce regarding the EU/U.S. and Swiss/U.S. Safe Harbors, or with data protection authorities in European states) must be updated, and privacy and data security must be accounted for in transferring employee and user data. With many transactions structured with simultaneous execution and closing, and many others contemplating abbreviated pre-closing periods, companies often must not only plan but also begin to execute post-signing, pre-closing matters (including closing conditions and other pre-closing covenants) before transaction documents are even executed. Where these covenants or closing conditions involve data privacy or security matters, they may require an acquired entity to amend certain agreements, modify privacy policies, obtain consumer or user consents to data transfers, and make other significant undertakings.
For companies that seek investment or that may be acquired or pursue a public securities offering in the future, paying attention to privacy and data security is critical, particularly when a company is involved in a regulated sector (such as health care or payments), has international operations, or engages in significant uses of consumer data. For these companies, incorporating privacy-by-design into product development and contractual arrangements may reduce the burden on the company in a corporate transaction, result in fewer obligations and risks in connection with the transaction, and contribute to obtaining its desired consideration and other commercial terms in the transaction. If a company develops an understandable, appropriate approach to data privacy and security before entering into (or negotiating) a corporate transaction, the company can: (i) be more confident that its representations, warranties, and disclosures are accurate, thereby decreasing the likelihood of post-closing indemnification claims; (ii) avoid needing to take significant operational and technical remediation measures in the context of the transaction or during pre-transaction planning, which can place significant stress on a company’s management and technical personnel; and (iii) permit a prospective acquiror or investor to have greater confidence in the company’s compliance approach.
Public companies must evaluate the level of disclosure they provide surrounding their data privacy and security practices in various contexts, including: (i) in connection with a material acquisition, determining whether an acquired business or acquired assets will require additional disclosures in the company’s securities filings; (ii) ensuring that risk factors in its annual and quarterly filings reflect the company’s privacy- and data security-related risks, particularly where user or consumer data is a critical source of value to the company; and (iii) in connection with an initial public offering, considering how to disclose data privacy- and security-related risks, and related policies and procedures, in risk factors and other applicable portions of the initial registration statement. Conducting these evaluations and preparing appropriate disclosures can reduce the risk of SEC inquiry into data privacy- and security-related practices and reduce the risk of liability for misstatements and omissions in securities filings.
1 Case C-131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (E.C.R. May 13, 2014), available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir&cid=437838.
2 For example, Institutional Shareholder Services, a prominent proxy advisor, suggested the removal in early 2014 of seven of Target Corporation’s board members in light of the data breach suffered by the company in late 2013. See Paul Ziobro and Joann S. Lublin, “ISS’s View on Target Directors is a Signal on Cybersecurity,” Wall Street Journal, available at http://www.wsj.com/articles/iss-calls-for-an-overhaul-of-target-board-after-data-breach-1401285278 (updated May 28, 2014).
3 According to a Grant Thornton 2014 Corporate General Counsel Survey, nearly 60 percent of in-house counsel consider privacy risks to be one of their top three concerns.
4 Regulatory authorities are monitoring merger and acquisition activity and seeking to ensure that parties to corporate transactions appropriately safeguard the privacy of consumers. For example, following the announcement of Facebook, Inc.’s acquisition of WhatsApp Inc., the Director of the Bureau of Consumer Protection at the Federal Trade Commission sent both Facebook and WhatsApp a letter reminding them of their privacy obligations to consumers. See Letter from Jessica L. Rich, Director of the Federal Trade Commission Bureau of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, and to Anne Hoge, General Counsel, WhatsApp Inc., available at http://www.ftc.gov/system/files/documents/public_statements/297701/140410facebookwhatappltr.pdf.
5 The structure of a corporate transaction may affect the rights of the acquiror with regard to data, and may result in additional risks being borne by the acquiror. For instance, in mergers or stock purchases, an acquiror may be assuming the target company’s past liabilities for data privacy and security compliance issues, including regulatory investigations and litigation. At the same time, certain concerns regarding whether data may be “transferred” are less relevant in reverse triangular mergers or stock purchases in which the target company continues operations than in other transaction structures such as asset purchases and forward mergers. In conducting due diligence into a target entity, acquiror’s counsel should keep in mind the structure of the corporate transaction to appropriately evaluate the target company’s risks and to consider restrictions upon data transfer appropriately.