With the looming costs of any sort of data breach, data loss, or exfiltration, cybersecurity has become a key focus of due diligence in recent mergers and acquisitions. Specific representations and warranties about data security are now routine in M&A Purchase Agreements. Only a few years ago, there were almost no provisions in a Purchase Agreement related to cybersecurity. However, costs have become enormous. The Australian government just initiated litigation against Facebook for sharing the personal data of Australians as part of the Cambridge Analytica controversy back in 2016. That case could cost Facebook millions of dollars in fines and legal expenses. Facebook already agreed to pay $5 billion as a settlement of an administrative action filed by the US Federal Trade Commission for failing to adequately protect user data. Other countries have also imposed fines, albeit in much smaller amounts. Brazil fined Facebook $1.6 million for the same offense and the UK government imposed a $645,000 fine in 2019.
Without question, the value of a target business is greatly diminished if there has been any sort of breach. The potential costs include government fines, judgments and/or settlements of civil lawsuits, legal expenses and attorneys' fees associated with defending against investigations and lawsuits, the cost of employee time and materials, and more.
To minimize the risks, good representations and warranties are needed and a thorough investigation is required during the due diligence phase. Representations and warranties should include these, at minimum:
- Target Company has written and implemented commercially reasonable data security safeguards to protect its computer systems and information
- The computer and information technology system now in use by Target Company is fit for the purposes of securing data and information contained therein and the software and other security protocols are state of the art
- Target Company has commercially reasonable administrative, technical and physical safeguards for its information systems and data
- Target Company has not experienced any loss, unauthorized access, disclosure, or breach of data — sometimes the focus is on personally identifiable consumer data; other times the focus is on ANY sort of breach
- Target Company has not received any notice or threat of notice, and has no reason to believe that it will receive a notice, from any person or governmental agency relating to any data loss, breach and/or non-compliance with any statute regarding proper use, collection or protection of data
- Target Company has not been the target of any ransomware attack and has not paid, at any time, ransom or other compensation related to hacked or lost data
- Target Company is in compliance with various statutory requirements with respect to data security including the European Union’s General Data Protection Regulation, the California Consumer Privacy Act, the New York Data Security and Breach Notification Act, the Illinois Biometric Information Protection Act, etc.
- Target Company has disposed of computer equipment in a manner that has ensured that no data can be retrieved from said equipment
- When deleting or destroying data or information, Target Company has used state of the art and commercially reasonable standards to ensure complete and irreversible destruction
- And more
Aside from researching these representations and warranties, the buyer will want to gather as much information as possible about how the target company's IT systems function and the status of its cybersecurity. These questions are distinct from issues of cataloging and mapping the data, including locating consents and notices with respect to collection of consumer personally identifiable data. In terms of cybersecurity, the buyer will want to know:
- who has and has had access (including vendors)
- what hardware and software has been used
- what the physical security measures are
- what the authentication and password protocols are
- what contractual security measures have been used (such as confidentiality agreements)
- how mobile devices are linked to and configured with the main system
- what the patching and updating procedures are
- what the procedures for data destruction are and have been
- and more
As can be seen, data security is no easy or quickly-resolved matter. The foregoing are general and non-exhaustive parameters. With any specific target business, there may be unique and particular data security issues that must be investigated and resolved. If you have questions, contact the deal-proven business lawyers at Revision Legal at 231-714-0100.