2020 Data Privacy Trends to Watch in M&A
The right question is not whether the company suffered a breach in the past, but whether the company's systems, policies and procedures have the backbone and the flexibility to withstand the trends and respond to the data profile risk.
May 07, 2020 at 07:00 AM
Data privacy is squarely in the spotlight of not only consumers and government regulators, but also of senior management, boards of directors, and shareholders, in particular in light of the impacts of COVID-19. There has been an increase in cybercrime and hackers wanting access to the surplus of online information generated from the world economy now "working from home."
Data privacy in M&A is complex, with increased security incidents reported on disclosure schedules and elaborate data security representations and warranties in the transaction agreements. Now companies will need to be even more sensitive to the uptick of cybercrime and its impact on valuations and latent issues post-close. As the economy moves forward and M&A activity picks back up, companies need to be highly sensitive to the potential for post-closing issues, which should be weighed when considering price and post-close integration.
Regulatory Landscape
Companies should be aware of both the current regulations in place and the states whose data privacy laws will come up for legislative vote in 2020 and 2021. States are increasingly focused on regulating biometric information and companies are increasingly implementing the same technology, usually through third party service providers. Understanding the trends helps companies stay ahead of future legislation and carefully draft disclosure language in M&A and otherwise.
Since 2018, when the European Union's General Data Protection Regulation (GDPR) went into effect, we have seen the data landscape take a significant shift towards governmental regulation in the United States. Starting with the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, other states and local municipalities, including New York and San Francisco, have put forth their own regulations regarding data handling.
Nevada codified an opt-out right similar to the CCPA that took effect on October 1, 2019. Utah's Electronic Information or Data Privacy Act (EIDPA) took effect in 2019. Oregon and Texas enacted laws that joined the CCPA's effective date of January 1, 2020. New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) took effect in March 2020, and Maine's enhanced regulation of data handled by internet service providers will take effect on July 1, 2020. Virginia, Florida, New Hampshire and Washington have taken varying levels of legislative action to address data privacy concerns, with Virginia recently advancing a bill that would create consumer rights similar to the CCPA and would additionally require controllers to perform a privacy risk assessment of any data processing activities—a provision that is widely gaining traction.
Due Diligence & Disclosure
As a result of the ever-increasing regulatory landscape, it is imperative that acquiring companies in M&A transactions fully investigate the privacy and security risks of their targets. Similarly, targets must be able to plainly and clearly disclose the results of their own internal diligence. A target company may not be fully aware of a current risk or liability, which makes the due diligence investigation and engagement of competent and experienced counsel for the acquirer even more important. Do the target's systems, policies and procedures line up with a company that has the backbone and the flexibility to understand and respond to its data profile risk?
On top of the U.S.'s local data privacy regulations, given the GDPR's extraterritorial scope and increased fines for noncompliance, even businesses without a strong nexus to the EU should consider the GDPR during the M&A process. A comprehensive due diligence plan is necessary to assess any holes in data privacy compliance with an eye on the full scope of international regulation. The plan that you used last year is probably already obsolete. Keep your due diligence questions up to date and relevant to the changing environment. Use due diligence to dissect how the company collects, uses, and stores data. Investigate any contractual obligations around processing of data and the service providers themselves.
Pay attention to recent acquisitions and integrations: a company's data security is only as strong as its latest acquisition. Recent high-profile data breaches have come to light during or after very expensive acquisitions. In another case, a data breach occurred when hackers accessed the acquiring company through the computer systems of its recently acquired target. Financial exposure increases with each new law that goes into effect, especially as many have look-backs and strict liability. This can create significant risk exposure in M&A and highlights the need for proper due diligence, process and execution.
Key questions to consider:
- Target reporting: Who is the target's internal manager for the data and its security? To whom does that person report? What are the company's policies with respect to data retention?
- Data controller: Is the company the controller of any client or collaborator data? Does the company process data directly, or does it outsource the processing to a third party?
- Data processor: Is the company the data processor of client or collaborator data for any third parties that have given it a mandate?
- Special categories of data: Does the company process any categories of data that merit a higher level of protection, like biometric or health data? Has the company integrated any processes that could be considered biometric data?
- Digital channels, working from home and BYOD: What does the company offer in connection with products or services? Does it have a social media presence? What are its policies and devices for working from home? What is the company policy with respect to bring your own device?
These examples provide a starting point for factors to examine, but the overarching issue is to thoroughly understand the company's data profile and the specific data privacy regulations that apply.
COVID-19 Health Data
Companies are taking extraordinary and unprecedented measures to ensure the health and wellness of employees, customers, clients and others as a result of COVID-19. Information around symptoms and diagnoses, much of which likely falls within categories of heightened protections as personal data, is being gathered in significant volumes. As a result, even targets for which health-related data privacy may not have historically been a concern may warrant a heavier due diligence review. The more sensitive the data being processed, the more robust security measures must be to ensure its protection.
An acquirer should obtain information regarding the types of health data the target company has been collecting from employees, customers, clients or other visitors during the pandemic. In addition, it is critical to understand how the target has collected, used or shared such information.
Data Privacy and Rep & Warranty Insurance
Data privacy has always been an area of heightened scrutiny for providers of representation and warranty insurance (RWI) as a result of the potential liabilities and the governmental focus. For RWI policies being underwritten in the COVID-19 environment, insurers are even more focused on areas that could potentially be impacted by the disease, including data privacy given the increased risks of security breaches discussed above. As has always been the case, insurers will want to see adequate due diligence on the target's business, but the bar for what constitutes adequacy is being raised commensurate with the heightened risks.
As a result of the increased concern on the part of insurers resulting from the effects of COVID-19, a state-of-the-art and thoughtful diligence investigation is necessary in order to avoid RWI policy exclusions. You can be sure that insurers and their counsel will be asking whether you have covered the requisite ground in your review.
Conclusion
The importance of data security is the new normal, with new data breaches being announced daily and the FBI issuing cautions regarding cybercrime. Companies are adapting quickly as regulations go into effect, but most have been caught off guard by the increased pressure on work-from-home strategies and devices resulting from COVID-19.
Acquiring companies need to have astute data privacy counsel who understand the connections between the myriad laws and how to properly examine a target's data posture. A simple representation regarding past security incidents is no longer the gold standard, and due diligence checklists should be continually reviewed and updated to accommodate new data security pressure points. Data security standards are changing rapidly, and the wealth of personal information online has made cybercrime even more lucrative, with COVID-19 only exacerbating the issue.
Proper diligence avoids post-closing surprises or surprises in the disclosure schedules at the 11th hour before signing a deal. Representation and warranty insurance may not provide the coverage you need as underwriters seek to specifically exclude coverage for risks arising out of data privacy, particularly GDPR and as a result of the impacts of COVID-19. From risk assessment to valuation, data privacy must factor into the M&A analysis in 2020 and beyond.
Cynthia J. Cole is currently Special Counsel at Baker Botts in Palo Alto, California and formerly CEO and General Counsel in public and private companies, particularly related to technology, corporate transactional and data privacy issues such as the California Consumer Privacy Act of 2018 (CCPA) and the EU's General Data Protection Regulation (GDPR).
Baker Botts' Partner John Kaercher provides ongoing representation to corporate clients on complex transactions, including domestic and cross-border mergers and acquisitions, divestitures, private equity and public and private securities offerings, with a particular focus on the technology/media/telecommunications and energy sectors.
Katherine Burgess, an associate in the San Francisco office of Baker Botts, focuses on patent prosecution, patent litigation, and post-grant review proceedings. She has experience drafting and prosecuting patent applications relating to a wide range of technologies, including software, machine learning, virtual/augmented reality and telecommunications.