Don’t Let Privacy Issues Tank Your Data-driven M&A Deal – a blog post by Michael Whitener
More and more M&A transactions are “data driven” – meaning data is central to the deal’s value. But if acquirers are not careful, they could find themselves saddled with serious privacy and data security issues post-acquisition. The once-coveted target company could turn out to be an albatross.
Increasingly, however, privacy issues are at the core of the value of data-driven businesses. The goodwill – and ultimately the value – of these businesses is integrally tied to how fairly and transparently they handle the personal data of their customers and partners. In this scenario, any questionable privacy practices of a target company may be a deal breaker.
Examination of a target company’s privacy-related policies and practices should be considered “pre-diligence” in data-driven deals. Even before beginning to negotiate a stock or asset purchase agreement, see if there are any red flags from a privacy or security perspective. If the red flags are significant, the deal could be dead on arrival.
Imagine a scenario in which a prime asset of the target company is its customer list. The acquirer bids high for the target company, anticipating the profits to be gleaned from marketing to the target company’s customers.
In addition, if the target company has been out of compliance with the GDPR, the CCPA, HIPAA, COPPA, GLBA, and the rest of the alphabet soup of privacy laws, the acquiring company will simply inherit the headache of bringing the target into compliance – and dealing with any liability that may have arisen pre-acquisition.
The acquiring company might argue: “Well, we’ll deal with these issues in the representations and warranties and indemnification sections of the acquisition agreement.” While this approach might provide a financial safety net, it doesn’t resolve the underlying issues. As an acquirer, don’t you want to know the reality of what privacy/security time bombs you may be taking on?
Here’s a more common-sense approach. First, conduct thorough “pre-diligence.” Get the answers from the target company to such questions as:
1. What personal data do you collect, from what sources, and how is such personal data stored, processed, transferred and retained?
3. Have you carefully considered what privacy/data protection laws apply to your processing of personal data? Are you confident you’re in full compliance?
4. What are your data security practices and protocols? Do you have both a written information security plan and a security incident response plan?
5. Do you conduct periodic privacy and/or data security assessments or audits? Please provide results.
6. Have you ever experienced a data security breach? If so, provide details.
7. Have you ever received a complaint or a governmental inquiry regarding your data security or privacy practices?
8. Do you provide employee training with regard to privacy and security compliance?
Inevitably, privacy issues will increase in prominence in M&A transactions. The best practice is to get a handle on them at the outset of a proposed acquisition so they don’t haunt the parties down the road.
The VLP Speaks blog is made available for educational purposes only, to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site, you understand and acknowledge that no attorney-client relationship is formed between you and VLP Law Group LLP, nor should any such relationship be implied. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.