Privacy and cybersecurity practices of target companies are increasingly scrutinized throughout the due diligence process in M&A transactions. In particular, buyers want to understand the risk and value inherent in sellers’ data assets, and sellers want to manage transactional and post-closing risks.
In the course of their privacy and cybersecurity due diligence, buyers should consider the following when assessing the risks associated with purchasing a company:
- First, how robust are the company’s data security and information technology (IT) practices? This is especially important where the company is heavily reliant on, or derives significant value from, data or IT assets. Where the company does not have up-to-date policies and related training in place, or does not conduct regular third-party testing (e.g. vulnerability assessments and penetration testing), a buyer may not be comfortable with the company’s cybersecurity risk exposure. Sellers can expect buyers to seek to allocate this risk through the representations and warranties and related indemnification obligations in the deal documentation.
- Second, how seriously does the company take privacy compliance? While sellers recognize the value and complexity of their digital assets (which often include personal information), the evolving nature and increasing complexity of privacy laws worldwide pose risks to even the most prudent sellers. Buyers should prioritize understanding how the company collects personal information, where that information resides, with whom it is shared, and whether these practices actually comply with the company’s own privacy policies and applicable laws. A buyer can then assess the extent to which any compliance issues reduce the value of the data to the buyer going forward, or require more careful risk allocation in the deal documentation.
To facilitate the buyer’s privacy and cybersecurity due diligence, sellers will want to consider the following:
- First, how can sellers mitigate risks arising from poor privacy or cybersecurity practices, or from security events beyond the company’s control? In many cases, privacy and cybersecurity due diligence reveals gaps in a company’s compliance. Where these gaps are considered immaterial, compliance “clean-up” can become a post-closing concern for the buyer, and the buyer may or may not seek a specific indemnity from the sellers in the purchase agreement, depending on the buyer’s assessment of the level of risk. In some cases, however, companies have experienced data breaches or have failed to comply with privacy laws, leading to more material risks. It is important for the parties to address these issues head on and early, as some buyers may be unwilling to proceed with the transaction, may seek to renegotiate the purchase price, or may require substantial indemnification obligations from the sellers as a result. To limit their exposure on these matters, sellers may seek to include lookback periods, or knowledge or materiality qualifiers, in the representations and warranties regarding privacy and security.
- Second, from a process perspective, how can sellers best protect the information they disclose to a prospective buyer in the course of due diligence? Typically, non-disclosure agreements are put in place to protect the data that sellers share with prospective buyers and to comply with applicable privacy laws. Sellers should also think about how and when information is presented in data rooms and seek to minimize unnecessary disclosures. For example, personal information of a company’s customers or employees should be redacted, or only the samples that are actually needed should be shared. Additional measures may be required depending on the context; for example, it may be advisable to put clean-team agreements in place to establish specific procedures for the sharing of highly sensitive information.
Given the pervasiveness of digitization and the value of data across virtually all industries, privacy and cybersecurity issues are increasingly important in transactional due diligence. Parties should consult with their counsel and make sure they approach this complex area with a view to managing their respective risks.