Don’t Forget Privacy in M&A Due Diligence

Privacy Plus+

Privacy, Technology and Perspective

This week, a reminder: don’t forget privacy when planning due diligence for mergers or acquisitions. And don’t conflate privacy with cybersecurity, especially these days, when a target’s data can be a major source of value in the transaction.

You’ll find plenty of due-diligence checklists for M&A transactions. But most checklists focus on the cyber risk presented to digital data, both personal and impersonal, and to systems such as cloud and network infrastructure, operational technology, IoT and traditional IT assets. You’ll recognize those checklists because they usually include a spectrum of questions on cybersecurity, such as the results of technical audits and penetration tests, the histories and details of any data breaches, and so forth. While some checklists also address operational and administrative controls, as well as data use and governance, they usually focus on policies and procedures (like business continuity and disaster recovery) and on vendor and third-party management, all in connection with the evaluation of cybersecurity risks.

All too often, there is a meaningful gap. 

The gap concerns the evaluation of privacy risk: the risk presented by the acquisition of personal information collected by the target, wherever and in whatever forms it resides. To discover and address that risk, you’ll need to understand the target’s privacy practices and controls.

If the target and its vendors do not collect, maintain, and use their customers’ and others’ personal information in accordance with applicable privacy and data-protection laws, the transaction itself may be devalued. For instance, the FTC has long required businesses to provide notice to consumers and others about their privacy practices, and it is well established that failing to act in accordance with those notices can constitute a misleading and deceptive practice. So questions should be asked about the privacy notice: Is there a privacy notice? Dated when? Has all the personal information been collected, used, and otherwise handled according to the same terms as in the notice? Have things shifted over time, perhaps incrementally, as the target has added new software or other technologies?

Anecdotally, we’ve seen a number of transactions where there is no privacy notice, or where the privacy notice is silent about what happens to the personal information in the event of a merger. Another common issue is that the personal information in a target’s databases has been collected over time from many sources, some of which can’t be tracked to corresponding privacy notices or are simply lost to memory. Some of it may have come from first-party, direct contact between the target and the customer, while other pieces may have come from mailing lists, website visits, third parties, or, as far as the records show, out of thin air. The degree to which this may be a present problem depends on the specifics of the personal information (sensitive personal information is more problematic), the business (is it regulated?), the jurisdiction, and many other factors.

However, the regulatory trend leans toward requiring more and closer analyses of the circumstances under which all kinds of personal information have been sourced, collected, stored, and used. Certainly, where privacy liability is not discovered and addressed during due diligence, it may be further compounded later, since such “tainted” data can contaminate the whole “data lake” when combined with the buyer’s own data.

We suggest that the first step is being clear that cyber risk is only part of the inquiry. Privacy risk should also be considered during due diligence. This means more than merely confirming “compliance.” It means understanding what personal information is involved in the transaction, how it was collected, where it is stored, what it is used for, and what its permitted uses are. Only with answers to these questions can the power of data be fully leveraged, so that the target can command a higher price and the buyer can be assured of the value of the transaction, along with its ultimate ability to empower business analytics or otherwise find new ways to leverage the target’s databases.

Studying the privacy issue in depth, at the due-diligence stage, will benefit both sides of the table.

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.
