Mergers & Acquisitions Privacy Risks
I recently had a chance to sit down with Brian Rosenbaum, National Director of Aon’s Legal and Research Practice, and Jacinta Davies, Senior Vice President, Private Equity Group to discuss privacy liability issues in an M&A context.
Data breaches involving personal or corporate information have become a worldwide epidemic. Regardless of size, location, sector or structure, all organizations face a degree of risk involving the personal, customer or corporate information they collect, use and store. Cyber breaches, once the purview of cyber vandals and ‘computer geeks’, have gone mainstream with organized crime, state entities and hacktivist groups getting in on the action. In the world of mergers and acquisitions, where data is a valuable asset, often traded in abundance, there is a tendency to sideline privacy and cyber liability issues as peripheral to the due-diligence process. What are the risks and consequences to private equity firms that fail to adequately address these issues? I recently had a chance to sit down with Brian Rosenbaum, National Director of Aon’s Legal and Research Practice, and Jacinta Davies, Senior Vice President with Aon’s Private Equity Group, to find out.
Mark Borkowski: What does a cyber due-diligence review typically entail?
Jacinta Davies: I’d hesitate to say there is a ‘typical’ cyber due diligence review, as standards for this sort of thing are generally set on a ‘deal-by-deal’ basis.
Any review is going to be affected by both the laws of the jurisdiction governing the process, and the industry of the target company. With that said, a cyber review would generally look at the robustness of the privacy and network security culture, things like the health of the IT systems, encryption and firewalls, the policies and procedures of the target organization. It’s also important to look at any 3rd party contracts as these vendor contracts may contain indemnity provisions that can impact a deal.
Brian Rosenbaum: We’d also ask questions about past breaches, security audits, lost devices and whether or not there is a history of unauthorized accesses. Any past breach, or problems with the security infrastructure, can create problems down the line, post-merger, that may affect the value of the deal. The scope of the review, too, needs to be taken into consideration as the nature of the information being shared, and the obligations attached to it, can also pose a risk.
MB: You mean the due diligence process itself can pose a risk?
BR: Yes, definitely. There seems to be a widespread belief that privacy laws don’t impact the M&A process in a meaningful way, and yet nothing could be further from the truth. Beyond any obligations in the non-disclosure agreement (NDA) to protect information, any personally identifiable information (PII) will be governed by different statutes in different jurisdictions. This means that simply possessing employee or client data that qualifies as PII will impose obligations on the company that has it. It is really important to be cognizant of the various statutory regimes that may come into play when dealing with data. In the US there is HIPAA (Health Information Portability and Accountability Act) and PIPA (Personal Information Privacy Act). In Canada we have PIPEDA (Personal Information Protection and Electronic Documents Act) in addition to various provincial statutes. Generally these statutes would compel an organization collecting personal information to get consent to do so, including consent for how that information will be used, and they create an obligation to safeguard that data. A target company may be in breach of privacy laws for simply turning over data to a prospective purchaser if they do so without consent. Beyond that, possession of the data imposes a duty on the acquiring company to safeguard it, and in the event of a data breach, mandatory notification laws may come into play depending on the jurisdiction.
BR: Some jurisdictions even impose statutory limits on the types of information that can be shared in an M&A process. In Quebec, for example, the names of employees would have to be stripped from any documentation. In Europe, there are very strict rules governing the collection and protection of both employee and client data that may prevent a target firm from sharing certain information. While it is common practice for an acquiring firm to request, for example, copies of all employment contracts, the target firm may be prohibited from sharing this information in some jurisdictions, while express consent might be required in others.
MB: What about intellectual property (IP)?
BR: The NDA should outline what kind of intellectual property is going to be shared and how it will need to be protected. Beyond that, while there aren’t any privacy statutory protections for non-personal corporate information the way there may be for personally identifiable information, this doesn’t mean intellectual property is unprotected. Any clients of the target firm would still have an expectation that their IP will be protected, and would have recourse at common law in the event it was shared, leaked or otherwise compromised. It’s important to recognize that clients don’t cede their rights just because a firm is an M&A target. If you request IP from a target firm, and fail to protect it, both you and the target firm could become embroiled in litigation.
MB: How can you mitigate against this risk?
JD: The acquiring company should be careful to only request information that they actually need to assess the value of the deal. There is a tendency for acquiring companies to request everything under the sun, and then share this information widely not only with the due diligence team, but also with 3rd parties such as legal counsel and accounting firms. It’s also important to be mindful of any limits on information sharing that may exist in the jurisdiction whose laws will govern the deal.
BR: Acquiring companies should also get warranties from the target firm before any information is shared. The acquiring company would want representations that the target is authorized to share any information, not just data that would qualify as PII under statute, but also for any intellectual property or other proprietary information. To avoid taking on any additional liability, the acquiring firm might also want to consider requesting aggregations of data rather than specific information, where possible, particularly when it comes to things like employee data.
MB: Beyond restricting the scope of the information being requested, and securing warranties, what else can you recommend?
BR: The prevalence of peripheral devices also poses a problem from a cyber liability perspective. And it’s not just about the controls and security at the acquiring company. You also have lawyers, and accountants and outside consultants that may be brought into the process. That’s a lot of BlackBerrys, tablets, laptops, email accounts, and even photocopiers, any of which can result in ghosted information that may run afoul of the NDA, common law rights to intellectual property and proprietary information, and privacy statutes.
BR: Those peripheral devices and third parties are an appealing target for hackers. It’s not an accident that target companies, law firms and accounting firms are at their highest risk of a cyber-attack during the M&A process.
JD: In the same way that it makes sense to confine the information request only to information that is necessary to assess the deal, it also makes sense to restrict that information to only those people who require it to perform their due diligence. Simply uploading everything to a share site, and letting everyone involved in the assessment review it can result in massive amounts of information being accessed at multiple locations, on multiple devices, across multiple companies, raising the risk that information might be compromised.
BR: It’s not just malicious hacking that acquiring firms and their partners need to be aware of. Most privacy breaches are accidental, the result of human error; documents that should have been shredded, drives that should have been wiped but weren’t. Protecting yourself against ‘old fashioned paper risk’ is just as important as protecting yourself against hacking attacks or cyber espionage.
MB: What kind of risk transfer options exist for Private Equity firms looking to limit their liability during the M&A process?
BR: While it’s generally well known that cyber/privacy policies will cover the risk of collecting and storing PII data, it’s less well known that coverage is also available for intellectual property and other proprietary information. A portfolio company undertaking a series of acquisitions for a private equity firm could purchase a policy that would cover both the statutory risk associated with PII data, as well as any common law risk with respect to the loss of, or unauthorized access to, the intellectual property of others.
JD: A privacy/cyber policy at the portfolio company level also makes sense when you consider the post-acquisition integration risks, which we haven’t touched on yet. A successful acquisition by a portfolio company is, from a privacy liability perspective, really a massive acquisition of data. During the integration process a company is particularly vulnerable to a cyber breach. A good insurance policy at the portfolio company level can transfer some of the risks associated with the M&A process, from due diligence through to post-acquisition integrations. A post-acquisition breach during the integration period can negatively impact the value of the acquired company.
BR: Portfolio companies will also want to take steps to ensure that their risk doesn’t outlive a deal. Just because a deal tanked doesn’t mean their potential privacy liabilities die with it. Beyond insurance solutions, acquiring companies should have in place a thorough post-review data protocol. This isn’t just a matter of complying with the terms of the NDA, but also securing and destroying any data that would qualify as PII under statute, any IP, shredding documents and wiping drives and peripherals. As long as a prospective purchaser retains data, they retain the risk of a breach.
By Mark Borkowski
Mark Borkowski is president of Mercantile Mergers & Acquisitions Corporation. Mercantile specializes in the sale of mid-market companies. He can be contacted at email@example.com or www.mercantilemergersacquisitions.com.