Buyer Beware: Privacy and Cybersecurity in M&A Transactions
January 24, 2022
The mergers and acquisitions market is hot. But with the increasing number of data breach incidents and the ever-growing list of new privacy laws, it is crucial for a buyer to do its homework to identify the privacy and cybersecurity vulnerabilities of its target.
Due diligence is critical. There may be a host of data implications for all types of companies – including manufacturers, service providers and distributors – that may not be entirely obvious from the outset. As a baseline, a buyer should request from the seller information such as: a description of the data security infrastructure; the categories of personally identifiable information (PII) collected and descriptions of the practices regarding the use, collection, transfer, storage and sharing of PII; and all policies related to the collection of data in jurisdictions that have data privacy laws.
Once the buyer understands the scope of the target’s data collection and use, that understanding may affect the transaction structure. If due diligence identifies privacy and cybersecurity vulnerabilities of the target, a buyer may shy away from acquiring the target’s shares or membership interests, because doing so means acquiring all of the target’s liabilities. An acquisition of the target’s assets will likely be preferable in that instance, because the transaction can be structured to limit the target liabilities assumed by the buyer. For example, a buyer could acquire only relevant technology and not acquire any data or customer contracts that may implicate data security and privacy liabilities. A buyer also may negotiate terms and conditions in the definitive agreement to provide adequate protection, such as an escrow or holdback. Finally, good due diligence enables a buyer to determine the terms of sale and use, and privacy and other policies, that it should adopt post-closing.
In sum, while data security and privacy may not always be at the forefront of a deal, buyers should be aware of the potential risks to avoid any future liabilities attributable to the misuse of their predecessor’s data.