Look Before You Leap: Privacy and Security in M&A Transactions

For those of us in the privacy and security area, the European Union’s General Data Protection Regulation (“GDPR”) has dramatically changed the landscape and the prominence that privacy and security enjoy, both domestically and abroad. The GDPR is driving much of the conversation around privacy and security, but we have also seen a renaissance in privacy regulations in other countries, Australia, Japan, and China to name just a few. Even domestically, we are noticing that the states are getting into the privacy game, with the California Consumer Privacy Act (“CCPA”) leading the way, but with privacy laws in Massachusetts and North Carolina, and a significant change in the law of Pennsylvania with the Dittman v. UPMC, __ A.3d __, No. 43 WAP 2017, 2018 WL 6072199 (Pa. 2018) decision, also changing the privacy landscape.

And what does this mean for businesses? Well, it means that business as usual cannot be business as usual, particularly in the area of mergers and acquisitions (“M&A”).

No matter what industry you are in, M&A was a huge part of 2018. The life sciences industry alone, which includes the biopharma and medical technology segments, was predicted to have over $200 billion in annual M&A deal volume. And let’s not forget the Amazon purchase of Whole Foods or Verizon’s acquisition of Yahoo. M&A is a huge area and it is growing each year. With the large number of M&A deals, and the growing concerns over consumer data privacy, you have a recipe for the perfect storm of problems and revenue losses if an acquirer does not take the appropriate and necessary actions to do privacy and security due diligence on a target.

It is critical that an acquirer perform extensive due diligence on the target’s data and data collection practices. Having a granular understanding is a necessary first step in order to protect and safeguard the acquirer’s business assets. Each due diligence team needs to be missile-locked on the target’s digital assets, their vulnerabilities, the infrastructure, the target’s business operations, and its key critical vendors. And all of this must be done before the pen hits the paper to finalize the deal. Long gone are the days when security and privacy were a last-minute, check-the-box sign-off. Security and privacy should be at the forefront of the due diligence and considered at every stage of the process.

Due diligence provides a key window into the target’s most important practices. The acquirer cannot and should not move forward with the deal unless and until all of the target’s “warts” are discovered. Yahoo did not disclose its data breach until it was required to as part of cyber due diligence in the Verizon acquisition — resulting in a significantly devalued acquisition price. It is not that this type of invasive due diligence is easy. Far from it. And it is no surprise, since organizations do not want to see their value plummet. However, deals simply should not be done unless and until privacy and security due diligence is completed, because it is not just about the value of the target, but the future liability of the acquirer.

Depending on the scope of the deal, an acquisition can create significant liability on the part of the acquirer, particularly in the realm of privacy regulations. The acquirer can get “stuck” with the target’s good (or bad) data collection practices, data storage/protection practices, and any regulatory compliance gap. If, for example, the target is a controller under the GDPR, the acquirer may be assuming liability not just for the target’s data collection practices, but for each and every processor with whom the target shares data. So what do we really need to consider when addressing privacy in an M&A transaction?

First, we need a fully transparent view of the target organization’s data flows. What is the target collecting, storing, and encrypting? Does the target have a data destruction policy? Is it followed? If data is stored, what are the parameters of its storage? Does the target have a data categorization or data map? Does the target share data with another organization? What type of contractual agreements are in place to deal with the sharing of data? Are we dealing with international data? If so, has the target been appropriately and legally moving data across borders? What type of data is moving? Has the target ever suffered a data breach, reported one to a regulatory authority, or been fined or sanctioned?

And really, these questions are just the tip of the due diligence iceberg. Aggressively addressing privacy and security issues in M&A transactions is a key part of the deal. Failure to do so is not just an oopsy; it is negligence bordering on recklessness. No matter how fast an organization wants to move, taking the time to perform thorough and extensive privacy and cyber due diligence can make an enormous difference in the outcome of the deal and the longevity of an organization. Because when you are dealing with M&A transactions, luck favors the prepared (and the well informed).

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.