Key Privacy and Cybersecurity Issues for Sellers in M&A Transactions
February 25, 2022
Reprinted with permission from the February 22, 2022 edition of The Legal Intelligencer © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
With the volume of M&A transactions surpassing record levels in 2021, many small- and medium-sized businesses (SMBs) have attracted interest from private equity firms or other motivated buyers. At the outset of a transaction, those potential buyers (often with the assistance of sophisticated advisers) will deliver well-developed due diligence request lists addressing myriad topics. Those topics will include an examination of the cybersecurity and privacy compliance posture of the target company, all part of evaluating possible transactional hurdles and liabilities associated with the target.
SMBs that are garnering interest from M&A partners (or actively seeking out such a partner) need to invest time and resources to ensure that their information technology and privacy practices are sufficient not only to satisfy the representations and warranties that these buyers will expect to receive as part of the contemplated transaction, but also to ensure a smooth transition of operations from the target SMB to the buyer.
With many SMBs focused on business growth and performance benchmarks, the looming potential for an M&A transaction may require a new or renewed reckoning with cybersecurity and privacy issues. Such a transaction certainly will require business leaders and owners to grapple with IT issues that may have been outsourced to vendors or delegated to employees.
This article will examine common cybersecurity and privacy due diligence requests as well as the ultimate representations and warranties that are expected from a seller in a purchase agreement during M&A transactions, and how sellers can prepare to address these issues when such a transaction may be on the horizon.
- What privacy and data protection laws are applicable to the seller?
At the outset, let’s pause at the opening “definitions” section of a proposed sale or merger agreement. Before even getting to the substance of the representations and warranties, the agreement usually will define “applicable laws,” or, more specifically, define “privacy/cybersecurity laws” along the following lines:
All applicable laws governing the receipt, collection, use, storage, handling, processing, sharing, security, use, disclosure, or transfer of personal information or the security of seller’s business systems or business data.
Determining what laws are applicable to the seller will require an examination of the seller’s line of business, the legal jurisdictions in which the seller has a physical presence, as well as the jurisdictions to which the seller entity markets its goods or services.
First, the scope of applicable laws will depend on the nature of the seller’s business. At the federal level, privacy laws in the United States are mostly industry-sectoral, including HIPAA (health care entities and health insurers) and the Gramm-Leach-Bliley Act (financial institutions). The applicability of other, more generally applicable federal laws (such as the CAN-SPAM Act, the Telephone Consumer Protection Act, and the Children’s Online Privacy Protection Act) also will depend on the nature of the seller’s business and the types of personal information the seller collects from consumers. Notably, however, even businesses that are not directly regulated may be subject to these laws as third-party service providers to customers in those regulated industries (for example, vendors that are business associates of HIPAA-covered entities).
Determining the applicability of U.S. state privacy laws and international privacy laws will depend on a quasi-jurisdictional analysis to determine, for example, whether the seller entity “does business” in California, and therefore is subject to the state’s Consumer Privacy Act. Looking at international laws, we must examine, by way of example, whether the entity is “established” in the European Union, and therefore subject to the EU’s General Data Protection Regulation. Both tests may be satisfied regardless of physical presence if a business collects personal information from individuals in these jurisdictions and/or offers goods or services for delivery (physically or virtually) in these jurisdictions.
While California’s CCPA and the EU’s GDPR have been primary drivers for privacy compliance in the U.S. and worldwide, the seller entity may also do business in some of the many other international jurisdictions that have enacted privacy laws, such as Brazil or China.
And, in the United States, more state privacy laws are pending, with privacy laws in Colorado and Virginia scheduled to take effect on Jan. 1, 2023.
That same date will mark another key change: the extension of California’s privacy law beyond consumer information to all personal information of California residents, regardless of the context of collection. To date, B2B companies that do not sell goods or services directly to consumers largely have been able to sidestep application of CCPA. But on Jan. 1, the California Privacy Rights Act takes effect. The CPRA amends the CCPA to bring all personal information of California residents under the protections of the law, regardless of whether that information was collected through a consumer-facing website, or on a job application, or through business relationships. And so personal information covered by the act will include B2B contact information as well as personal information of employees residing in California. Accordingly, the CPRA amendments will substantially expand the scope of businesses that are subject to “applicable privacy/cybersecurity laws” to any business with employment, contracting, or other business relationships with any California residents.
In addition to these privacy laws, many U.S. states have proactive cybersecurity laws. Businesses that collect personal information of residents of these states for any purpose are required to have a “written information security program” in place and to employ reasonable administrative, technical, and physical safeguards to protect their information.
Finally, each U.S. state and territory has a data breach notification law. These reactive requirements set forth standards for the form of notification that must be sent to residents of those jurisdictions following a data security breach.
- Has the seller been complying with these applicable privacy laws?
Once it is determined what domestic and international laws are “applicable” to the seller, the next step is determining whether the seller has been complying with all of those laws.
When it comes to collection and processing of personal information, the CCPA, GDPR, and other privacy laws require businesses to disclose what personal information is being collected, and the purposes of such collection, at the point of collection (e.g., when a website visitor makes a purchase or signs up for a mailing list). These laws may also require that the business receive and retain affirmative consent from these individuals before collecting or using their personal information. If an SMB has collected personal information from individuals without making these disclosures or obtaining the requisite consent, then the seller may be unable to satisfy representations and warranties regarding compliance with these applicable laws.
Often these disclosures are provided through a website privacy policy. Laws requiring website privacy policies date back to 2003, but a surprising number of SMBs (especially organizations offering goods or services solely B2B) operate websites without such privacy notices.
An SMB proactively preparing for a potential M&A transaction therefore will want to examine its privacy practices and reconcile those practices with all applicable U.S. state and federal and international legal requirements. Having appropriate privacy policies and disclosures in place, and complying with these requirements in advance, will facilitate the transaction.
- Has the seller ever suffered a data security incident?
Due diligence questionnaires and accompanying contractual representations and warranties will examine whether the seller business has ever suffered a data security incident.
“Incident” is a broader term than “data security breach.” A “breach” generally means an incident that gave rise to a legal obligation to notify affected individuals or government regulators. Affected individuals include customers or employees whose personally identifiable information was compromised, to whom notification is required under U.S. state breach notification laws. Notice to government regulators also is required by some of those state laws, which require notice to state attorneys general. Federal laws like HIPAA also require notice to regulators, such as the U.S. Department of Health & Human Services. International laws may require notice to data protection authorities in their jurisdictions.
A prospective buyer certainly will want to know whether the seller entity has ever had to report a data breach. If so, the seller will need to be able to explain what happened to cause the breach, the number of persons affected, the form of notices and to whom they were issued, whether the breach was covered by cyber insurance, and whether the seller was sued or might still face potential legal liability for the breach.
But potential buyers will want to know about more than just publicly reported data breaches. Sellers will be required to disclose any material incidents that resulted in any intrusion into the seller’s computer systems or network, or compromised in any way the seller’s business. Common examples include distributed denial-of-service (DDoS) attacks and ransomware, but also incidents such as a lost hard drive, failure to control access to systems by former employees, or the inadvertent disclosure or theft of the seller’s trade secrets or other confidential business information. Potential buyers may also inquire whether the seller’s systems were affected by specific variants of malware or widespread compromises such as the Log4j vulnerability or the SolarWinds hack.
Preparing to address these questions requires the ownership or leadership of the SMB to proactively engage with their internal IT team and/or third-party IT vendor (if IT functions have been outsourced). In an ideal world, any such incidents would have been documented in a vulnerability or risk assessment and records retained regarding the business’s response to the incident. SMBs may not always comply with those best practices, however, and so the seller SMB may need to conduct its own internal and retrospective due diligence inquiries to determine whether it has been affected by any of these types of incidents or compromises and will need to disclose them to a potential buyer.
- Does the seller have adequate IT systems and cybersecurity measures?
A seller will be required to warrant that it has commercially reasonable physical, technical, organizational, and administrative security measures and policies in place to protect all personal information collected or possessed by it or on its behalf from and against unauthorized access, use or disclosure.
Here again, a dialogue between business leaders and IT staff may be necessary to confirm that adequate externally facing IT security measures are in place, including firewalls, antivirus software, logging and scanning of systems, administrative access controls, and disaster recovery and back-up measures.
Additionally, a potential seller should undertake a review of its vendors to determine which vendors have access to its computer systems or physical offices. Any such vendor relationship should begin with an assessment of the vendor’s capabilities and include contractual language requiring the vendor to keep the seller’s business information confidential, to employ its own adequate security safeguards, and not to transfer or use the seller’s information for any unauthorized purpose.
SMBs also should consider retaining a third-party IT security vendor to conduct a vulnerability assessment and penetration test of the seller’s systems, and do so well in advance of any potential transaction. A qualified IT security vendor will be able to assist the seller by identifying any gaps or flaws in the seller’s security posture. Based on this report, the seller can remediate those gaps in advance of the transaction by implementing technical measures such as multi-factor authentication, network monitoring, or other technological solutions. IT security vendors should be engaged by counsel on behalf of the seller entity in order to attempt to wrap any such gap report in the attorney-client privilege. A final written report from that vendor establishing that the seller has remediated and maintains sound IT security may be useful to exchange during due diligence and will allow the seller business to confidently document its compliance with various IT security representations and warranties.
But many of these required measures and policies may fall outside the bailiwick of IT. Businesses should have a written information security program in place, and this program must include not only technical measures but also organizational and administrative security policies. Such employee-facing policies will include an overall information security policy and adjunct bring-your-own-device (BYOD), acceptable use, remote access, and other internal policies. Administration of these policies may rest with the Human Resources department or management rather than within the IT department. Ownership and management also should be responsible for creating, maintaining, and testing an incident response plan.
Working with experienced counsel in advance of a potential M&A transaction will allow an SMB to develop this entire suite of written information security policies in advance of engaging in due diligence with a prospective buyer.
Devin J. Chwastyk is a member of McNees Wallace & Nurick and the chair of the firm’s privacy & data security group.