M&A Tips for Buyers to Reduce Cyber Security Risks

A “Red/Yellow/Green Light” Analysis Approach for Potential Privacy Risks

by Brian Hengesbaugh, Principal, Baker & McKenzie and Harry A. Valetk, Of Counsel, Baker & McKenzie

Nearly half (46 percent) of global financial services professionals named cyber risk as their number-one concern, a record-high level of concern, according to the Depository Trust & Clearing Corporation’s (DTCC) most recent Systemic Risk Barometer Survey.  Eighty percent of respondents cited cyber risk as one of their top five risks, along with geopolitical risk and regulatory risk, and overall, cybersecurity concerns have nearly doubled in only one year, according to DTCC.

Every dealmaker should, therefore, be looking at data privacy and security with an eye on establishing an appropriate valuation of the target, particularly if customer list acquisition or employee data is important to the transaction.  The following checklist offers guidance in the pre-acquisition valuation stage concerning the data privacy risks associated with a potential target.  Separate, but related, issues arise during other aspects of M&A transactions (e.g., post-acquisition integration) and other types of corporate transactions, such as pre-transaction restructuring in connection with spin-offs of business lines or divisions.

When conducting these privacy due diligence activities, moreover, a good approach is to develop a “red/yellow/green light” analysis for potential privacy risks. 

Red light refers to significant or material privacy concerns that may affect valuation of the target or should otherwise be considered by decision-makers (e.g., if planned data uses or cross-border transfers are incompatible with the target's privacy framework, or would otherwise require compliance steps that may be difficult to achieve, like consumer or corporate customer consent). 

Yellow light refers to privacy risks associated with the target's existing privacy framework or the planned integration of that framework into the acquiring company's business operations, where those risks appear to be manageable with appropriate privacy compliance steps. 

Green light refers to elements of the target's privacy program that seem appropriately aligned, designed, and operated to fit within the overall plans to integrate the target into the acquirer's business operations.

The broad questions below offer a framework to help identify key data privacy risks with the target company’s existing privacy program in its current state, and help flag potential concerns with the acquirer's planned uses of the target’s personal information. 
 

Privacy Policies matter more today than ever before.  Regulators and plaintiff class action counsel continue to rely on them as a basis to file lawsuits against companies that fail to live up to stated promises.  Before closing, an investor should be confident that all representations about that target company’s data collection practices, its affiliates and subsidiaries are accurately described.  It is also important to compare those practices against the investor’s own privacy promises to help identify what steps may be necessary to consolidate acquired information systems and databases.

1. Does the target’s privacy policy(ies) accurately represent its information collection, use, and disclosure practices online?
2. Does target comply with CalOPPA, Children’s Online Privacy Protection Act, or other laws outside the US that may apply to disclosures about online data collection practices?

Marketing and Tracking Technologies.  This is the age of socialized marketing, crowd-everything, and mobile technologies.  And too many companies are embarking on social media and digital marketing campaigns with a limited understanding of the personal information collection and sharing activities, as well as laws that may apply to those activities in the U.S. or abroad.  Most rely on ad agencies to hire and deploy social media and digital marketing activities.  Understanding the data privacy risks associated with any acquisition includes knowledge about the types of campaigns, sharing activities, and tools deployed by a target company.

1. Does Target engage in Online Behavioral Advertising, search engine marketing, or social media marketing activities to (i) consumers; (ii) customer contacts; or (iii) business contacts?  Describe in detail.
2. Does Target share any personal information with affiliated or unaffiliated companies for marketing purposes?  If yes, describe in detail.
3. Does Target’s website(s) or mobile apps use cookies or other web-based files stored on user devices.

Cross Border Data Transfers in this Age of Information are no longer optional; they’re essential.  Almost every company implements business operations, engages in compliance activities, or otherwise leverages technology or services that requires personal information to cross country borders.  And even if the personal information remains local, if others outside of that host country can even access it, many data privacy and security laws outside the U.S. consider this foreign accessibility to personal information the same as a transfer.

1. Does Target maintain any global or regional databases or applications that store personal data?  If so, identify each and describe functions (e.g., enterprise resource planning systems, software-as-a-service or other cloud solutions, e-mail, collaboration tools, Customer Relationship Management ("CRM")  databases, or the like.).
2. Does Target have an established approach to address cross-border data transfer restrictions under non-US data protection laws (e.g., individual consent, Safe Harbor, standard contractual clauses, binding corporate rules)? Explain in detail.
3. Has Target completed registrations with any non-US data protection authorities, or taken other steps to comply with non-US data protection laws?

Employee Data is often overlooked during the diligence process.  Depending on the size of the organization, and whether it has employees outside the U.S., a host of compliance issues may arise.

1. Does Target have policies governing the collection, use, and disclosure of personal information about its employees?
2. Has Target obtained consent from or provided notice to employees whose personal information has been transferred outside of host country?  Explain, and provide copies of any forms.
3. Have all employees successfully completed background investigations to the extent permitted by applicable law?  (Performing employee background checks outside the U.S. is not always permitted by law.)

Special Concerns for Highly-Regulated Entities: Gramm-Leach-Bliley Act, Regulation S-P, Red Flag Rules, Children’s Online Privacy Protection Act, HIPAA/ HITECH, Insurance laws.  Beyond this basic level of diligence applicable to any company doing business today, an entirely separate layer of inquiry should be performed on regulated entities to ensure compliance with specific rules that may apply to that business.  For example, banks, broker-dealers, and financial services firms have numerous obligations under federal and state law separate from those applicable to most companies.  Most states have laws governing the use of Social Security numbers.  Website operators that collect personal information about children under 13 are subject to COPPA.  Health services firms also need to carefully assess operational controls and subcontractor compliance with HIPAA and various other state laws regulating the collection, use, and disclosure of protected health information.

1. Does Target collect, host, or use protected health information subject to the Health Insurance Portability and Accountability Act of 1996? If so, explain in detail.
2. Is Target a financial institution subject to the requirements of Gramm Leach Bliley?
3. Does Target offer customers an account designed to allow multiple payments or transactions, such as credit card account, mortgage loan, automobile loan, margin account, mobile phone account, utility account, checking account, or savings account?  If so, describe those accounts and how Target complies with the Red Flag Rules.

Record Retention and Disposal Policies.  So much personal information is collected and stored today by organizations of every size.  Suitable information retention and disposal policies are essential approaches to comply with data privacy and security laws (e.g., limits on retention of personal information when such data is longer required for legitimate purposes) but also for controlling the potential risks associated with data security incidents (e.g., avoiding situations where the scope of personal data affected by a data security breach is excessively broad because the Target retained personal information well beyond its useful life).

1. Does Target have a policy requiring secure disposal of data on electronic media?  If so, provide.
2. Does Target have a policy requiring secure disposal of hard copy records (e.g., shredding vendor) when no longer needed for legal or business reasons?  If so, provide.
3. Does Target maintain a records retention policy?  If so, provide.

Information Security is much more than just a Yes-or-No inquiry.  Every investor should understand the maturity and sophistication levels of any Target’s information security program.  How many technical and human resources are charged with protecting the target company’s infrastructure?

1. Does Target maintain an Information Security Program that includes physical, technical, and administrative controls to protect the security, integrity, and confidentiality of personal information about individuals, including consumers, customer contacts, and employees? Provide a copy of the written information security policies, evidence of the due diligence procedures undertaken to identify and establish appropriate controls, evidence of any security audits and results (whether internal or external) and other evidence that support the program.
2. What specific tools have been deployed?  For example, did Target deploy Data Loss Prevention or encryption?
3. How many exceptions to Target’s policies have been made throughout its operations, and how are such exceptions evaluated and documented?
4. Does the Target have a Bring-Your-Own-Device program in place?  If so, describe administrative and technical controls to prevent unauthorized access to corporate systems and loss of personal information on employee-owned devices.  Also, describe the steps that the Target takes to address employee privacy issues with such controls.
5. Does the Target allow personal information about consumers, customer contacts, and employees to be stored on portable devices (laptops or other mobile devices)?  If yes, are all those devices encrypted? Explain level of encryption and other controls.

Data Security Incident Response.  Every company of every size has data security incidents, some more than others, and some with fewer incidents but those that may have impacted a larger population, suffered harmful media coverage, and materially damaged the Target’s reputation and net worth.  Understanding the root cause of any incidents, and the steps taken to remediate them, allows a savvy buyer to more accurately assess the privacy risk to the deal.

1.  Does Target maintain a Data Security Incident Response and Breach Notification Plan?  If so, provide the plan.  Have all employees been trained appropriately in their role(s) on how to follow the plan in the event of a known or suspected breach?

2.  Has the Target experienced one or more data security incidents?

3.  Has Target had any data security incidents other than the one identified above?  If so, describe and provide responses to items 2(a) thru 2(c) for each such incident.

Authorized Third Party Subcontractors.  Every company uses subcontractors.  Some have more subcontractors than others.  And some depend more on them to carry out core business activities.  Those subcontractors also often rely on their own service providers to perform services, and must, likewise, access a Target’s personal information.

1. Does Target give any authorized third party subcontractors access to personal information about its customers or employees?  If so:
   1. identify the vendor(s);
   2. the type of information provided to each; and
   3. the nature of the services each provides.
2. Does Target perform data privacy and security risk assessments on all authorized third party subcontractors with access to personal information?  If yes, provide the risk assessment questions used to assess each vendor.
3. Does Target require all third party subcontractors with access to personal information to agree to specific data privacy and security terms and conditions?
   1. If yes, do those provisions include security incident notice obligations?  Provide copies of all such agreements.
4. Are all authorized subcontractors with access to personal information located locally within host country?
5. Does Target use cloud computing services to support any of its operations.  Describe the nature of those services, including:
   1. whether the cloud services used are multitenant;
   2. whether Target has prior notice and authorization rights (or at least the opportunity to object) to the location and identity of any of vendor’s service providers;
   3. whether the Target data resides within regional servers (e.g., in Europe) and other details of the services.
   4. Also provide a copy of the terms Target has in place with its cloud computing service provider.

Audits, Claims, and Other Known Issues.  Information about a target’s known deficiencies are often available to those who know where to look.  Many issues are outlined in internal or external audits, especially if Target is a regulated entity.  A trend in the use of Risk and Compliance platforms also serves as a source of information about known deficiencies.  These tools have become increasingly common among many global or regulated entities with a need to document all internal legal and operational risks, implemented controls, and any known deficiencies.

1. Has Target’s Information Security Program ever been audited (internally or externally)?  If yes, provide findings and remedial steps taken.
2. Does Target use risk and compliance management software to coordinate and control compliance activities?  If yes, provide all findings related to privacy and data security.
3. Identify any data protection claims brought (or anticipated) against Target by consumers, customer contacts, employees or employee representative bodies, state attorneys general, data protection authorities, the Federal Trade Commission, or any other authorities.  For each, give ample detail about the claim and remedial steps taken.

_____________________________

Baker & McKenzie advises multinational companies on mergers and acquisitions, restructurings, legal issues impacting global business strategy and various other legal issues. Brian Hengesbaugh is one of our partners heading up our multidisciplinary, multicultural and multilingual team that helps clients structure global supply chains, commercial transactions, data transfers and cross-border operations to optimize opportunities in the global business landscape. As trusted advisors on international trade, foreign investments, data privacy, information governance, sourcing and business transformations, we provide practical and comprehensive legal solutions aligned with clients’ strategy and risk profile. Baker & McKenzie is one of the partners of the M&A Leadership Council regularly presenting at the Art of M&A Integration workshops. For more information or comments on this article, please contact Brian Hengesbaugh (mailto:[email protected]) or Harry Valetk (mailto:[email protected]) of Baker & McKenzie.  For inquiries relating to mergers and acquisitions, post-acquisition integrations and other restructurings and other areas of interest, please contact Regine Corrado ([email protected]).

Brian Hengesbaugh is a Principal in the Chicago office of Baker & McKenzie and a member of the Firm's Global Privacy Steering Committee.  He focuses on global data privacy and data security issues in business transformations, compliance activities, and incident response/ regulatory inquiries.  Brian can be reached at [email protected].

Harry A. Valetk is Of Counsel in the New York office of Baker & McKenzie, where he focuses on advising highly-regulated clients on global privacy risk and data security practices.  He can be reached at [email protected].