This article has been written by Saptarshi Deb and has been edited by Shashwat Kaushik.
It has been published by Rachit Garg.
Table of Contents
It hasn’t been long since data privacy was a second thought for a lot of companies, be it in India, the U.S., or any other developing/ developed nation in this world. In a lot of cases, it is still an afterthought. While entering into any merger or acquisition, there are a lot of data security and privacy issues that have to be evaluated and addressed from the beginning. In today’s online world, a lot of companies store and collect data/valuable personal and private information about private individuals or even companies, the breach of which may be potentially problematic or highly damaging. Meaning that it has now become a primary concern for buyers to conduct a thorough evaluation of the security and data privacy measures a target has in place, as well as determine if there are any related issues or concerns that could be potentially troublesome eventually.
Recent developments in EU and Northern America
Data privacy continues to be one of the most important topics of 2021 and will be for the foreseeable future. In the USA, Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR) for the E.U., the California Consumer Privacy Act (CCPA)—amended by the California Privacy Rights Act—and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah—the Strengthening American Cyber-Security Act of 2002, and state data breach notification laws. More state laws are on the way. Countries like India, Australia, the U.K., Canada, Russia, etc. are also bringing in their own set of rules and regulations to counter the privacy-related threats that hover over cyberspace and pose a threat to privacy and data security.
Importance in M&A and due-diligence
Aspects that have to be looked into
Some important aspects that have to be looked into are:
- Policies and practices have been maintained to protect this data.
- Whether the data has been shared with a third party or not.
- If it has been shared, how has it been shared with the party?
- Lastly, an investor has to look into whether the target company has been in full compliance with all applicable state, federal, and international rules and regulations.
Areas to consider before M&A
When an organization is considering mergers and acquisitions, the due diligence process must take into consideration the following areas when researching a target:
Privacy laws and their applicability
An understanding has to be achieved of which laws are applicable/affect the target company and how they apply. Whether a particular policy applies to a potential target depends on the specifics of the company. As companies have to consider future markets and shifting trends, tendencies, and needs, they have to make sure that the target has the flexibility to align with future data privacy laws. Companies that see the big picture follow a “data privacy by design and default” approach that not only satisfies current requirements but also makes it easy for them to adapt to a rapidly changing data privacy environment.
Data policy and procedures
Assessing a target’s procedures and blueprints may be one of the easier aspects of data privacy due diligence in that these areas usually involve documented information. When reviewing is under process, an investor has to make sure that the target’s processes have all been documented to accommodate data subject rights under applicable laws, like the right to erase and the right to access one’s private data. The investor also has to make sure that all appropriate personnel have been trained in these procedures.
Data systems, flow, and architecture
Writing a data privacy procedure is one thing, but having a data architecture that allows one to execute it is a separate matter most of the time.
Data and due-diligence (Considerations in the process)-
- Whether the target company knows what kind of data they have.
- Do they know the location of the data?
- Does the company know who has access to all the data?
- What do they do with the data?
- In case a data subject requests access to the erasure of her data, how can they fulfill her request promptly?
- Whether the target has “black box” data stores that may go unreviewed for years at a time.
- In what fashion is the document consent/refusal to allow processing of personal data, and how is consent tracking used to ensure the data subject’s request is honoured?
- The life cycles of data proliferation, both inside and outside of the company.
- Are there any target customers from whom data is collected?
- In what jurisdictions does the target operate?
- What are the cyber security protections that are initiated to secure the data?
- Who is in charge of managing the data?
- Whether the data is shared or sold outside the company?
- What are the data retention and privacy policies in place?
- Are they in compliance with cybersecurity and privacy regulations? Who ensured such compliance?
Along with the above precautions, a due diligence team has to be set up that includes representatives from both the target and the buyers.
Owing to the changing landscape of data security and privacy, there has been an expanded focus by regulators, representation and warranties insurance providers, and acquirers
The areas where the regulators focus mostly on:
- Sensitive personal information (i.e., Social security numbers, driver’s license numbers, financial information, and medical information).
- Credit card information and the requirements under the Payment Card Industry Data Security Standard (PCI-DSS) (for the USA).
- Self-insured plans, protected health information, and the requirements under the Health Insurance Portability and Accountability Act of 1996 (USA).
- Data governance programs and other programs are included in it.
- Written data security policies and procedures, including compliance with the GDPR, CCPA, and state-specific data privacy laws (for EU and Iceland, Liechtenstein, and Norway).
- Data breaches and security incidents, ransomware attacks, and vulnerabilities to each.
Taking the time to conduct a thorough evaluation and investigation might take longer at the start, but it can help avoid costly issues later on. If proper due diligence is not conducted by an acquirer on a target’s data practices and procedures, it could face a lawsuit, third-party audits, civil penalties, regulatory scrutiny, or other liabilities. Let’s say, for example, in the case of:
- The GDPR gives the supervisory authorities the power to impose limits and bans on data processing, withdraw certifications, and impose monetary fines of 2% of worldwide annual revenue or up to 10 million euros, or 4% of worldwide annual revenue or up to 20 million Euros for more serious offences.
- The CCPA gives the California Attorney General the power to seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation.
- For a company that collects credit card information on its systems and is not PCI-DSS compliant, fines can be up to $500,000 per incident, plus penalties established by the company’s merchant agreements.
- If a company is unable to properly identify a prior security breach on its information systems, fails to provide notices required by applicable law, or fails to take necessary remedial action, it may have civil liabilities from state attorneys general, private rights of action, and state unfair and deceptive trade practice laws.
In the above lines, I have covered just a few of the areas to consider in evaluating the data privacy risks of a potential target as part of a company’s M&A due diligence. As some might call the GDPR or the CCPA the finish line, it definitely won’t be wrong to call it somewhat of a milestone in the long list of such data privacy laws that are going to impact almost every organization. This, however, is not an exhaustive list, and M&A privacy considerations will vary based on the industry of the target and the level of data collection.
The business world is in a constant state of change, and with it, the data privacy environment. If a target company was considered a “complaint” when the laws first took effect and there is a lack of adequate governance, even the most industrious effort may turn out to be folly in due time. Along with the increasing importance of data privacy and security regulation, potential targets and acquirers must integrate security due diligence and data privacy into the M&A process, along with other legal necessities. In a proper merger and acquisition exercise, considering a target’s data privacy practices is no longer optional. When data privacy considerations are incorporated—especially those concerning data management—as a part of one’s M&A due diligence, it is possible to paint a more accurate picture of the target company and improve one’s chances for a successful deal.
Just in case policies, procedures, and documented plans do not exist, requiring the target to implement such plans, policies, and procedures must be considered a pre-closing condition. Also, the acquirer must ensure the definitive agreements include proper warranties and representations concerning data privacy matters to better protect itself post-closing. Finally, from the perspective of a seller, an intended target should take the enterprising role of reviewing the information collected, its written data policies and procedures, and its data governance plans to address any material issues before they can be raised by an insurance provider or a potential acquirer.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: