Five Critical Tools for M&A Cybersecurity Due Diligence
April 17, 2020 at 06:22 PM
Cybersecurity due diligence has become a bedrock component of mergers and acquisitions. Recent surveys have revealed that as many as 73% of buyers conducting due diligence have uncovered evidence of undisclosed data breaches. Buyers—and sellers—have ample reasons to be concerned about cybersecurity risks given recent disastrous examples. For instance, Verizon's acquisition of Yahoo! was significantly disrupted when Yahoo! belatedly disclosed a major data breach that had been ongoing for more than two years. Yahoo! was forced to reduce its sales price by a whopping $350 million, and the Securities and Exchange Commission slapped the internet giant with a $35 million fine for failing to properly disclose the breach.
While not every deal is a multibillion-dollar acquisition that can support the deployment of a cybersecurity due diligence team, there are five tools in the cybersecurity playbook that every buyer-side lawyer can use.
First, ask for a data inventory. A fundamental component of any data privacy or cybersecurity program, the inventory should include every piece of information stored or processed by the target company and provide an understanding of what sort of data is collected, where and how it is stored, what it is used for, whether it is shared with another organization or group, and how long it is kept before being disposed of. This inventory will, in turn, provide a buyer with a good, basic understanding of the potential laws and regulations that could apply.
Second, ask for a copy of any internal or external cybersecurity assessments or audits. Several of these assessments are employed now, from a full-blown cybersecurity audit, to penetration testing, to Payment Card Industry, or PCI, audits. These reports, or the lack of them, may reveal critical weaknesses in the target's cybersecurity system.
Third, obtain and scour any outward-facing privacy statements. If any component of the target's value is based on consumer data, then a review of its privacy commitments is critical. Consumers' personally identifiable information (PII) may include names, addresses, emails, biometric information, IP addresses and much more. Surprisingly, many businesses still post privacy policies that do not give them appropriate permission to use PII in the ways they need and frequently represent that the business will not sell consumer PII to any third party. Businesses also often make contradictory privacy commitments through conflicting statements on sprawling websites, shopping carts and in live stores. Poorly worded or contradictory privacy statements can have a significant adverse impact on the value of any data assets being sold.
Fourth, ask for and review all third-party and vendor contracts. The privacy and cybersecurity world has been virtually transformed by the passage of major legislation, like the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In turn, these privacy laws have driven changes in vendor agreements that impose significant cyber and privacy compliance requirements. As part of due diligence, buyer-side counsel should be analyzing both whether the acquisition target has met its obligations under those laws and what obligations it has agreed to undertake. These undertakings may add increased costs to company operations, or seriously limit the usability of the data acquired.
Finally, think outside the due diligence space. If the acquirer has room in their budget, there are many nontraditional techniques buyers can employ to truly confirm a seller's representations about its cybersecurity. Dark web and threat intelligence searches can determine whether company data, including its intellectual property, is already "in the wild" and for sale to criminals everywhere. That could negatively impact a business's value.
Certainly, a successful cybersecurity due diligence effort should embrace these five tools and much more. And, of course, this due diligence must be backed up with thorough representations and warranties and well-thought-out cyber insurance coverage. Arguably, there is an even more fundamental element needed: make sure a data privacy and cybersecurity lawyer leads the due diligence effort.
Luis Salazar is managing partner of Salazar Law and The Biometric Law Firm. A certified information privacy professional, he advises clients on data privacy and cybersecurity issues relating to acquisitions around the globe. He can be reached at [email protected].