This article is the third in a series of articles that discuss the importance of privacy and data security considerations in the transactional context.
In any transaction in which an entity invests in or acquires another business or its assets, the investing or acquiring entity (the “Acquiror”) should fully evaluate its counterparty (the “Company”), the Company’s assets, and the Company’s liabilities and risks prior to the consummation of the transaction. A spate of significant data security incidents and exposés in the past few years has raised awareness across industries of the need to adequately contemplate privacy concerns and appropriately secure data systems. Businesses, acquirors, and investors increasingly understand that expensive data security incidents, lawsuits, and government investigations can result from basic failures to comply with applicable privacy laws or data processing contracts or, with regard to information security, well-established industry best practices.
Because of the high costs of responding to and managing investigations, litigation, and data security breaches—and the potential disruptions to business and the brand damage that follows—businesses have become increasingly attuned to the need for minimizing risks before an incident occurs. Thus, when an Acquiror is evaluating an acquisition, proper risk management requires the Acquiror to take the time and to expend the resources necessary to conduct targeted due diligence, and to mitigate and manage data privacy and security-related risks. When a Company fails to appropriately handle privacy or data security matters, and those matters are not identified and addressed prior to consummating a transaction, undesirable or even disastrous results could follow. For instance, if an Acquiror has not appropriately allocated risks for privacy or data security compliance to the Company, the Acquiror could end up losing a significant portion of the deal value.
Failure to appropriately evaluate privacy or data security considerations in a merger or acquisition could result in an Acquiror: (a) purchasing data or data systems that cannot be appropriately or meaningfully used or exploited; (b) acquiring compromised electronic assets or data systems; (c) inheriting class actions or governmental investigations or fines; or (d) experiencing losses in value or brand equity following a deal. If a Company fails to adequately manage its privacy or data security risks, the Acquiror may also face significant market risk with respect to the acquired business. In one well-publicized example, Target Corporation suffered a significant data breach that it announced on December 19, 2013. In the ensuing two months, Target’s stock lost more than ten percent of its value.1 Fixing these privacy and data security problems can become very costly—for instance, Home Depot announced in September 2014 that it anticipated spending about $62 million to handle the investigation, credit monitoring services, call center staffing, and other remediation-oriented steps to respond to the breach of 56 million payment cards compromised in a massive cyber attack.2 These financial repercussions have lasting effects on a company’s financials and, perhaps more importantly, on a company’s brand, with many consumers choosing to avoid conducting business with brands that they consider to have exposed consumers’ personal information.3
In certain cases, a failure to appropriately evaluate these risks could lead to an Acquiror’s unwillingness to consummate an agreed-upon transaction because of the potential costs and risks, or because of the difficulties in integrating a business or its assets.4 Indemnification may be available in certain circumstances, but difficulties may arise in obtaining indemnification, and indemnification may be subject to caps or other limitations that prevent an Acquiror from being made whole for its losses. When one adds to this the potential risks of data security incidents occurring during the process of negotiating or consummating a transaction—i.e., the potential that one or more parties to a potential strategic transaction is targeted by hackers or others who use information transfers and sharing in connection with the proposed transaction in order to advance an agenda, such as espionage or gaining a competitive advantage—the importance of considering the potential privacy and data security risks to Acquirors in the course of effectuating a transaction becomes paramount.5
Acquirors must consider myriad privacy and data security matters in mergers, acquisitions, and other strategic transactions. Through conducting due diligence, Acquirors may discover risks related to inadequate privacy or data security programs and procedures, litigation risks, undisclosed data breaches, government investigations, non-compliance with legal or industry obligations, or other similar matters related to the Company’s management of personal data and assets. Lawyers focused on privacy and data security issues can ensure that these risks are evaluated, disclosed, and remediated appropriately. The Acquiror’s counsel should work with the Acquiror’s business and technical subject matter experts to determine whether steps need to be taken by the Acquiror or the Company to enable the Acquiror to use any personal data and other information assets that are transferred in a transaction. Acquirors should also attempt to ensure that representations and warranties addressing privacy and data security are drafted, structured, and negotiated effectively to cause risk (and costs) to be allocated to the Company and its owners.6 Further, in order to effectuate a contemplated transaction, Acquirors must consider how to address data transfer issues. In some cases, an Acquiror may need to ensure that clauses regarding data transfer rights, user or employee consents, the security of transferred data and assets, and other critical matters are tailored appropriately, and to make sure that appropriate steps are taken by the Company to transfer such data and assets and to permit their contemplated use by the Acquiror.
In mergers and acquisitions, parties conduct due diligence to understand the nature of the facts that relate to, and the risks that may arise from, the proposed transaction and the acquired entity and business. In these transactions, due diligence is typically performed so that an Acquiror can learn more about the Company or the Company’s assets that are being acquired and how the Company or its assets may be integrated into the Acquiror’s business. In these circumstances, conducting due diligence may include discussing the Company’s business with key employees; reviewing relevant policies, procedures, documentation, and contracts; reviewing litigation and pre-litigation activity; and identifying other commitments. The findings from due diligence may shape the structure of a transaction, may necessitate additional representations, warranties, or covenants of the Company, and may materially affect the consideration received by the Company and its owners in connection with a transaction.
More specifically, privacy and data security due diligence provides an opportunity for the relevant parties in a transaction to learn about and evaluate the Company’s data privacy, data security and information governance policies and practices. There are many avenues that produce relevant information in the course of privacy and data security due diligence. To begin with, a Company’s public statements—in the Company’s website privacy policies, public securities filings, press releases, product claims, employee quotes, and other public-facing documents—can be remarkably useful in understanding how the Company views or characterizes itself and presents itself to consumers, investors, and the general public. These public statements should not, however, be taken at face value, and this review is only the first component of privacy and data security due diligence.
The information that an Acquiror should attempt to gather through due diligence in an acquisition or financing can vary dramatically across companies and industries and should be based on the probable risks associated with a Company. Companies that operate in regulated sectors—such as financial services, healthcare, critical infrastructure, and transportation—can present more significant risks to an Acquiror, and thus Acquirors should ask more probing and target-appropriate questions when conducting due diligence upon such Companies. Similarly, larger or more complex Companies may pose additional due diligence hurdles based upon the sheer volume of materials that must be reviewed in the short window of time prior to entering into the transaction documents. In any such transaction, the Acquiror should ensure that it allocates the appropriate time and resources to diligence matters in order to fully understand the more complex risk patterns endemic in transactions involving large Companies.
The findings in privacy and data security due diligence can have a significant effect on a transaction: by better knowing a Company and its data practices, an Acquiror can more easily evaluate the company’s potential risks. Due diligence may reveal non-compliance with laws or with contractual requirements, or might uncover that a Company has experienced significant data security vulnerabilities, including data breaches, or that a Company is restricted from transferring data to the Acquiror and permitting its use by the Acquiror.<7 An Acquiror can then use its due diligence findings to more appropriately allocate risk for privacy or data security matters to the Company. For example, the Acquiror could use due diligence findings to ensure that indemnification provisions and other remedies that may be available to the Acquiror, and attendant limitations upon them, are adequate in light of potential risks. Likewise, an Acquiror can determine whether certain privacy and data security risks need remediation prior to signing or closing, or whether the risks can be handled by the Acquiror post-closing. If risks are particularly significant, an Acquiror may find it prudent to seek additional assurances from the Company or may modify the pricing for a particular transaction or, in some cases, may elect not to proceed with the transaction. Without conducting appropriate due diligence, however, addressing the Company’s privacy or data security practices may be difficult.
1 Andria Cheng, “Two Months After Damaging Data Breach, Target Stock Has Its Best Day in Five Years,” MarketWatch, February 26, 2014,http://blogs.marketwatch.com/behindthestorefront/2014/02/26/two-months-after-damaging-data-breach-target-stock-has-its-best-day-in-5-years/. See also “Home Depot: Could the Impact of the Data Breach Be Significant?” Forbes Great Speculations Blog, September 24, 2014, http://www.forbes.com/sites/greatspeculations/2014/09/24/home-depot-could-the-impact-of-the-data-breach-be-significant/.
2 See id.
3 Mark Bribish, “A Data Breach Will Damage Your Business, Brand, and Profits—Are You Prepared?” The Arizona Republic, July 17, 2014,http://www.azcentral.com/story/money/business/2014/07/17/data-breach-will-damage-business-brand-profits-prepared/12805227/.
4 See Dale S. Bergman, “Notable Factors and Trends in Recent M&A Deals,” M&A Deal Strategies, September 2012, at 7 (“Ultimately, when an M&A deal fails, it is often because the buyer did not do its diligence. An acquirer needs to know exactly what it is buying, what liabilities it is assuming, and how the acquisition is going to affect the acquirer from a financial and operational point of view.”).
5 This is far from an academic concern: in the past decade, numerous deals have been targeted by hackers affiliated with interested parties or competitors. See, e.g., Michael A. Riley and Sophia Pearson, “China-Based Hackers Target Law Firms to Get Secret Deal Data,” Bloomberg, January 31, 2012, http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html.
6 The structure of a strategic transaction may affect the data rights of the Acquiror, and may result in additional risks being borne by the Acquiror, too. For instance, in mergers or stock purchases, an Acquiror may be assuming the Company’s past liabilities for privacy and data security compliance issues, including regulatory investigations and litigation. At the same time, certain concerns regarding whether data may be “transferred” in a strategic transaction are not as relevant in mergers or stock purchases in which the Company continues operations. In conducting due diligence upon a Company, Acquiror’s counsel should keep in mind the structure of the strategic transaction to appropriately evaluate the Company’s risks.
7 The FTC and state authorities have intervened to preclude the transfer of certain personal data in mergers, acquisitions, and bankruptcies where the privacy policy of the company attempting to transfer personal data did not permit the transfer of personal data in such transactions. See, e.g., FTC v. Toysmart.com, LLC, and Toysmart.com, Inc., No. 00-11341-RGS (Stipulated Consent Agreement and Final Order) (D. Mass. July 21, 2000); Letter from David C. Vladeck, Director, Bureau of Consumer Protection, Federal Trade Commission to XY Magazine and XY.com Regarding the Use, Sale, or Transfer of Personal Information Obtained During Bankruptcy Proceeding, July 1, 2010,http://www.ftc.gov/system/files/documents/closing_letters/letter-xy-magazine-xy.com-regarding-use-sale-or-transfer-personal-information-obtained-during-bankruptcy-proceeding/100712xy.pdf; Letter From Jessica L. Rich, Director of the Federal Trade Commission Bureau of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, and to Anne Hoge, General Counsel, WhatsApp Inc., April 10, 2014,http://www.ftc.gov/system/files
/documents/public_statements/297701/140410facebookwhatappltr.pdf; In the Matter of State of Texas and True Beginnings d/b/a True.com, No. 12-42061, Assurance of Voluntary Compliance (Tex. Dist. Ct. of Travis County, November 14. 2013).