Privacy and data security issues related to mergers and acquisitions


When entering into a merger or acquisition (whether a stock transaction or an asset transaction), there are many privacy and data security issues that need to be assessed and resolved early on. Most businesses in today’s online world collect and store data that is sometimes very sensitive, or held in such large volumes that a breach would be very damaging. This means it is more important than ever for buyers to conduct a thorough assessment of the privacy and data security measures a target has in place, and to determine whether there are any concerns or related issues that may prove problematic down the line.

To mitigate risk and liability, buyers should investigate the types of data a target collects, especially personal or highly sensitive information, which is subject to additional regulation. What policies and practices does the target have in place to protect this data? Has this data been shared, and if so, how and with whom? Is the target business currently, and has it historically been, in full compliance with all applicable state, federal, and international rules and regulations?

To fully address all of these concerns, buyers must follow several steps at the start of an M&A transaction.

Conduct an assessment of the type of information the target collects and how that data is processed

It is essential to understand this from the outset: buyers need a full picture of the scope of the data collected, the sensitivity of that data, and what happens to it once it is collected.

There are several points to be sure to address in this initial assessment:

  • First, what type of data do they collect or have they collected? How sensitive is the information? Is the data subject to specific privacy laws or regulations (e.g. HIPAA)?

  • Does the target collect data from any special categories of individuals (e.g. minors)?

  • In which jurisdictions does the target operate?

  • How is the data stored and managed?

  • What kinds of cybersecurity protections are in place to secure data?

  • Who is in charge of data management, and who has access to the data?

  • Is the data shared or sold outside the company?

  • What privacy policies and data retention policies are in place?

  • Are they compliant with privacy and cybersecurity regulations? Who ensures this compliance?

Form a due diligence team that includes buyer and target representatives (and their attorneys)

This is an important step because it enables information sharing and helps catch potential issues early, such as issues that may arise from merging or transferring target and buyer data. The due diligence team should include a variety of representatives from both sides, including internal and external legal counsel, IT, security, CSOs, and, where appropriate, outside consultants. There should be a defined process for sharing and evaluating information.

Gather information, perform an assessment and classify data

Buyers will need to start by submitting an initial request for all relevant information and documents, then collect the information provided by the target and request additional information or documents, if necessary. They should also conduct interviews with the privacy and data security managers at the target, and it can often be a good idea to bring in an outside specialist to do an assessment. In our experience, interviews are often a great way to resolve due diligence issues quickly.

Once the information is collected, a full assessment of the target’s data and IT assets should be performed so that the buyer knows and can confirm what information and protections the target has and how they are maintained. Data should also be classified by type, volume, and how it is stored.
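One way to put numbers behind that classification step is to run a data-inventory scan over a sample export from the target's systems: detect the kinds of identifiers each field actually contains, assign each field a sensitivity tier, and note which regulated categories show up. The script below is an added example, not code from the original article. The sample records, the detector patterns, the tier names, and the mapping of labels to regulations (health data to HIPAA, card numbers to PCI DSS) are all illustrative assumptions; a real engagement would calibrate them to the target's data and the jurisdictions involved.

```python
import re
from collections import Counter

# Constructed sample export from a hypothetical target system (assumption: fabricated test data;
# 4111 1111 1111 1111 is the standard Visa test number, the other card value fails Luhn on purpose).
SAMPLE_RECORDS = [
    {"id": "1", "email": "alice@example.com", "ssn": "123-45-6789",
     "card": "4111 1111 1111 1111", "notes": "prefers phone contact"},
    {"id": "2", "email": "bob@example.org", "ssn": "",
     "card": "", "notes": "DOB 1990-04-12"},
    {"id": "3", "email": "not-an-email", "ssn": "987-65-4321",
     "card": "4111 1111 1111 1112", "notes": "patient diagnosed with asthma"},
]

# Detectors: label -> regex. The card detector is backed by a Luhn check to drop random digit runs.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}
HEALTH_TERMS = ("patient", "diagnos", "prescri")  # crude free-text indicator of health data

# Sensitivity tiers and regulation mapping (illustrative assumptions, not from the article).
TIER_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
LABEL_TIER = {"email": "internal", "dob": "confidential",
              "ssn": "restricted", "card": "restricted", "health": "restricted"}
REGULATED = {"health": "HIPAA", "card": "PCI DSS"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> set:
    """Return the set of data-type labels detected in one field value."""
    labels = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(value):
            if label == "card" and not luhn_ok(m.group(0)):
                continue        # digit run that is not a valid card number
            labels.add(label)
    lowered = value.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        labels.add("health")
    return labels


def classify_records(records):
    """Per-field inventory: label counts, highest sensitivity tier, regulations implicated."""
    report = {}
    for rec in records:
        for field, value in rec.items():
            entry = report.setdefault(
                field, {"labels": Counter(), "tier": "public", "regulations": set()})
            for label in classify_value(str(value)):
                entry["labels"][label] += 1
                tier = LABEL_TIER[label]
                if TIER_RANK[tier] > TIER_RANK[entry["tier"]]:
                    entry["tier"] = tier      # a field takes the tier of its most sensitive content
                if label in REGULATED:
                    entry["regulations"].add(REGULATED[label])
    return report


def summarize(records):
    """Fields that carry anything above 'public', as (tier, label counts, regulations)."""
    report = classify_records(records)
    return {field: (info["tier"], dict(info["labels"]), sorted(info["regulations"]))
            for field, info in report.items() if info["tier"] != "public"}


if __name__ == "__main__":
    for field, (tier, labels, regs) in summarize(SAMPLE_RECORDS).items():
        print(f"{field:6s} tier={tier:12s} labels={labels} regulations={regs}")
```

The point for due diligence is the "notes" field: a free-text column the target may describe as harmless turns out to hold a date of birth and a health reference, which moves that whole column into the restricted tier and pulls HIPAA into scope. Running a scan like this on real exports (under the NDA and data-handling terms of the deal) is how the buyer confirms the target's own data inventory rather than taking it on faith.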

Carefully review the target’s data policies and practices

Based on the classification and assessment of the target’s data, the buyer’s due diligence team should then seek to understand which regulations need to be considered, what data and security policies the target has in place, whether the target has ever suffered a data breach or been found non-compliant, the target’s dependence on third-party providers, whether litigation is pending or has been threatened, and any other potential vulnerabilities.

Knowing how a target shares data outside the company is essential. If it shares or sells data externally, what security measures are in place? What opt-in or opt-out policies does it have? Is the data transferred internationally? Does the target require its suppliers to follow specific confidentiality procedures?

Buyers should also be aware of what types of data retention policies the target has employed, as well as how they dispose of data – for example, whether backup copies are saved after disposal.

This is certainly not an exhaustive list, and M&A privacy considerations will vary with the target’s industry and the extent of its data collection. But the importance of conducting privacy due diligence in M&A transactions cannot be overstated. Skipping this step can have catastrophic results down the line if problems are discovered once it is too late. A thorough assessment and investigation takes longer up front, but it avoids far costlier problems later.
