More Privacy and Cybersecurity Issues in M&A
Privacy Plus+
Privacy, Technology and Perspective
More Privacy and Cybersecurity Issues in M&A. Today let’s take a further look at privacy and cyber security issues in M&A. You can read our previous post by clicking on the following link:
The Trend:
Deal-Mania Continues. The first half of 2021 was the most active M&A half ever, with approximately $3T in M&A volume. Anecdotally, we believe deal momentum and volume continued in Q3 and are now continuing in Q4. Unlike previous peak-times when M&A volume was driven by mega-deals, current M&A volume is largely focused on the middle-market with private equity firms increasingly willing to pay high-teen multiples for quality assets. It looks like this will continue at least for a little while, as there still seems to be plenty of “dry powder” (liquidity) available to invest.
There may be many reasons for this trend – plenty of cheap capital around, low interest rates, a record stock market, pension funds’ ever-increasing interest in investing in private equity, and we suspect more-than-a-little “Fear of Missing Out.” Many of the underlying strategies seem to be “Growth for its Own Sake,” which we do question, in part, because of antitrust concerns. Regardless…
…Deal pace is torrid. We sense that the speed of deals from first contact to closing is also accelerating, remarkably. There may be plenty of reasons for this, too. But “Why” doesn’t really matter. What matters is that faster deals mean more demands from anxious clients, higher pressure on their lawyers, and a sore need for M&A lawyers (young and old) to find better ways to handling these transactions.
Impact of that Trend:
Haste leads to Impatience with Complex Issues. Faster deals require faster due diligence. Anecdotally, we believe that the aggressive pace of these deals has often not allowed for meaningful privacy and cyber security review. Many M&A lawyers, in their effort to get the deal done, have not comprehensively counselled their clients regarding reps and warranties around privacy and cyber security and the potential impact of any disclosures, and those who have still often meet resistance from their clients, who are themselves impatient to get the deals done.
Privacy and Cyber Problems are often Magnified in Middle-Market Companies. With the current M&A environment focused on the middle-market, privacy and cyber should have greater attention because often middle-market companies are thinly resourced in privacy and cybersecurity matters. They may not have a Chief Privacy Officer or Chief Information Security Officer; they may not have formal written privacy and information security programs; they may offer regular training to their workforces, incorporate privacy and data security into their procurement processes, maintain data maps, accurately represent their privacy practices to consumers or their employees, know and keep control over their vendors’ privacy and cyber security practices, conduct regular third-party assessments and remediate issues that are found, or have boards that monitor privacy and cyber issues affecting the company. Yet, under various legal standards and regulations, particularly concerning data protection and privacy, all of this and more is required. Further, companies may have privacy and cyber obligations and risks stemming contracts, and restrictions on data transfer and use stemming from privacy notices. Regrettably, we have even seen deals close where the target company has no privacy notice at all. We have also seen deals where target companies rely on third parties to manage functions that have material privacy and cyber-security risks, but those companies have not addressed the risks by contractually requiring their subcontractors to adequately safeguard the information or undergo third-party security assessments.
Tips:
Focus on Privacy and Cyber Security, Quantify the Risks, and Mitigate Them. Privacy and cyber risks are real, especially where a target’s data is one of its great attractions. (Skeptical? Ask Yahoo, which lost $350 million off its valuation when its buyer Verizon discovered a series of data breaches affecting more than a million customers, or Marriott, which was fined $123 million in connection with its acquisition of Starwood when a major data breach was found.) Much value could have been saved for the sellers, had they discovered and addressed these issues before selling.
Thorough, prior preparation remains our first and best suggestion. In our previous post, referenced above, we particularly encouraged pre-sale assessments as means of identifying and fixing critical gaps in a company’s privacy and cyber posture. In addition, a company should identify contracts with privacy and cyber obligations, and review and update its privacy notices, if needed, to ensure that they are completely accurate, and allow for the transfer of that information in connection with a sale of all or a portion of the business or assets.
Where you must “start from where you are,” however, we suggest the following:
Do not include a rep unless you positively know that it is true; do not warrant unless you are confident that it won’t become an issue. Broad reps and warranties about compliance with “all Laws and contractual and fiduciary obligations as to protection and security of Personal Information to which the Company is subject” are minefields for sellers, and they should raise a flag for buyers if a seller is willing to agree without qualification. Company counsel should ask deal counsel for comprehensive explanations and assistance; and deal counsel should work with a privacy specialist to identify the applicable laws and obligations, and explain the issues thoroughly. Whereas risk is sometimes reduced by using knowledge qualifiers, along with language like “comply…to the extent applicable,” arguably such language isn’t helpful in the privacy and cyber context because the overarching standard is the “reasonableness” of the company’s privacy and cyber posture—meaning that it’s immaterial what company knows—what it should have known is the issue. Similarly, rep and warranty and warranty insurance as a risk-reducing mechanism is often ineffective in this context because it generally excludes privacy and cyber, and where it doesn’t, it will absolutely exclude issues that are identified during the underwriting process.
Identify the risks and quantify them as best you can. The target company may not have fully appreciated its privacy and cyber security obligations; may not be materially compliant with some or all of them; may be unaware whether it is materially compliant or not; or some combination of the three. Walk down the obligations and get a read on where the target actually is, including the ranges of possible loss and relative likelihoods in that industry – in effect, exactly as if you were an insurance underwriter. Realize that any actual or perceived failure to comply with such obligations will harm the business.
Mitigate the risks as best you can. Some issues may be easy to mitigate. Here, we’re not referring to mitigation in the context of drafting deal documents, but in the real world. Posting a privacy notice, taking down legacy websites, installing automated back-up processes are operational items that can drastically reduce risk. For operational issues that are harder and more expensive to mitigate, at least identify them (usually through an assessment) and put in place a corrective action plan that will put your company in a position to start mitigating them, thereby demonstrating a degree of reasonableness in the company’s approach to improving its privacy and cyber posture. A work-in-progress is usually less problematic than a risk that hasn’t been addressed at all.
Where liabilities remain, consider their allocation. The apportionment of liabilities presents unique complexity where privacy and cyber issues are concerned. As between the parties, quantifying the risks by disclosing them in the deal documents, and in particular, in the disclosure schedules may avoid outright fraud by the seller, but perhaps at the risk of harmful admissions that ultimately will impact the buyer (“We haven’t complied with the GDPR or CCPA;” “we don’t know whether our data was collected lawfully, is being used lawfully now, or can be lawfully transferred to a buyer”). These may be material issues that affect the target company’s valuation as well as the buyer’s ultimate ability to utilize the target’s data, and its exposure to claims by regulators and others whose personal information is part of the transaction. While there aren’t perfect solutions, there are ones that can be reasoned through, and defended, if needed.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠