Online Privacy Concerns in M&A Transactions

Online privacy concerns are real and impact everyone. You leave a digital footprint every time you use the Internet, mobile apps, or even social media.

This information is collected and shared without your knowledge by many services, companies, and organizations. While this is legal, it poses a risk to your privacy.

Privacy and Cyber Risks in M&A Transactions

Achieving successful M&A transactions requires a thoughtful and proactive approach to privacy and cyber risks and issues. Counsel for both parties must consider them at each stage, from due diligence to contract drafting and negotiation, to closing the deal and post-closing integration.

In particular, any target company that processes sensitive information or data should focus on performing a thorough due diligence review of its cybersecurity practices and policies, including its compliance with applicable privacy laws. In addition, any buyer should verify that the target is in material compliance with applicable privacy laws pre-closing and be prepared to remediate essential cybersecurity deficiencies and build a more robust cyber regime for the acquired business after close.

Failure to address privacy and cybersecurity risk in an M&A transaction could expose target companies and buyers to significant governmental sanctions and fines, lawsuits, audits, loss of goodwill, and other damages. Effective privacy/cyber risk due diligence combines the expertise of business, technical, and legal advisors to help transacting parties make informed decisions and avoid serious risks.

Privacy and Cyber Risks in M&A Due Diligence

Cyber due diligence is a crucial element of any merger or acquisition transaction. A well-executed cyber evaluation allows organizations to identify and evaluate potential risks and vulnerabilities, including previous data breaches that the target company may not have disclosed publicly.

Failure to adequately address privacy and cyber risks in connection with an M&A transaction can expose the transacting parties, their directors and officers and their advisors to significant legal compliance costs and liabilities after closing. These may include costs associated with complying with privacy laws, industry-specific cybersecurity laws, continuous disclosure obligations for reporting issuers and corporate risk management in general.

The recent spate of high-profile data breaches has demonstrated that privacy and cyber due diligence is no longer optional in M&A transactions. Even if the acquired entity’s historical data is not considered sensitive, lax cybersecurity and breach response practices can result in massive financial fines and reduction in deal value that could have been avoided with appropriate cyber due diligence.

Privacy and Cyber Risks in M&A Integration

Inadequately addressing privacy and cyber risks in an M&A transaction can expose the transacting parties, their directors and officers and in some circumstances their insurance coverage to significant legal compliance costs and liabilities after the completion of the M&A transaction. This is because legal compliance concerns may include obligations under privacy laws, industry-specific cybersecurity laws and reporting issuers’ continuous disclosure obligations.

More often than not, M&A deal teams overlook or fail to understand that cyber risk is a key M&A due diligence concern and can have serious financial consequences for both buyers and sellers. For example, Verizon’s discovery of a previously undisclosed data breach at Yahoo! post-acquisition resulted in a significant reduction in the purchase price and substantial liability for Verizon.

In addition to evaluating the privacy and security risks of target companies, acquirers must also consider how those risks will impact their M&A integration of the target company’s networks and systems. Failure to do so can put the target’s new owners at risk of legal and regulatory enforcement actions, reputational damage and lost business.

Privacy and Cyber Risks in M&A Closing

In the case of M&A transactions, privacy and cyber risks remain important considerations throughout the deal-making process, from the initial due diligence phase through contract drafting and negotiations, closing and post-closing issues. Serious cybersecurity breaches can significantly reduce the value of a deal or even cause it to collapse.

Buyers should consider the status of a seller’s cybersecurity practices in two contexts: (1) as part of their initial valuation of the target entity and (2) in connection with negotiating representations, warranties and indemnities in the purchase agreement. Where a seller’s due diligence review reveals gaps in compliance, the buyer might choose to negotiate a compliance “clean-up” commitment or a stand-alone cyber risk indemnity in the purchase agreement.

Legal compliance concerns in M&A include obligations under privacy laws and industry-specific data security and protection requirements, directors’ duties of care, corporate reporting and disclosure requirements and quasi-contractual assurances in a company’s various published policies, notices and communications. Failure to address these requirements can expose the transacting parties, their officers and directors and their insurance carriers to significant costs and liabilities.