With the looming costs of any sort of data breach, data loss, or exfiltration, cybersecurity has become a key focus of due diligence in recent mergers and acquisitions. Specific representations and warranties about data security are now routine in M&A Purchase Agreements. Only a few years ago, a Purchase Agreement contained almost no provisions related to cybersecurity. The costs, however, have become enormous. The Australian government recently initiated litigation against Facebook for sharing the personal data of Australians as part of the Cambridge Analytica controversy, which came to light in 2018. That case could cost Facebook millions of dollars in fines and legal expenses. Facebook has already agreed to pay $5 billion to settle an administrative action brought by the US Federal Trade Commission for failing to adequately protect user data. Other countries have also imposed fines, albeit in much smaller amounts: Brazil fined Facebook $1.6 million over the same conduct, and the UK Information Commissioner's Office imposed a £500,000 (about $645,000) fine, which Facebook agreed to pay in 2019.
Without question, the value of a target business is materially diminished if it has suffered a breach. The potential costs include government fines, judgments and settlements of civil lawsuits, legal expenses and attorneys' fees for defending against investigations and lawsuits, the cost of forensic investigation, remediation and breach notification, the cost of employee time and materials, and more.
To minimize the risks, good representations and warranties are needed and a thorough investigation is required during the due diligence phase. Representations and warranties should include these, at a minimum:
- Target Company has written and implemented commercially reasonable data security safeguards to protect its computer systems and information
- The computer and information technology systems now in use by Target Company are fit for the purpose of securing the data and information they contain, and the software and other security controls are state of the art (a "state of the art" standard is frequently negotiated down to "industry standard"; whichever standard is used, it should be one the buyer can actually verify during diligence)
- Target Company has commercially reasonable administrative, technical and physical safeguards for its information systems and data
- Target Company has not experienced any loss, unauthorized access, disclosure, or breach of data. Sometimes the focus is on personally identifiable consumer data; other times the focus is on ANY sort of breach
- Target Company has not received any notice or threat of notice, and has no reason to believe that it will receive a notice, from any person or Governmental agency relating to any data loss, breach or non-compliance with any statute regarding the proper use, collection or protection of data
- Target Company has not been the target of any ransomware attack and has not at any time paid ransom or other compensation related to hacked or lost data
- Target Company is in compliance with applicable statutory requirements with respect to data security, including the European Union's General Data Protection Regulation, the California Consumer Privacy Act, New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the Illinois Biometric Information Privacy Act, etc.
- Target Company has disposed of computer equipment in a manner that ensures no data can be retrieved from that equipment
- When deleting or destroying data or information, Target Company has used state of the art and commercially reasonable standards (for example, media sanitization consistent with NIST Special Publication 800-88) to ensure complete and irreversible destruction
- And more
Aside from researching these representations and warranties, the buyer will want to gather as much information as possible about how the target company's IT systems function and the current state of its cybersecurity. These questions are distinct from the issues of cataloging and mapping the data, including locating the consents and notices given with respect to the collection of consumer personally identifiable data. In terms of cybersecurity, the buyer will want to know who has and has had access (including vendors and other third parties), what hardware and software has been used, what the physical security measures are, what the authentication and password controls are (including whether multi-factor authentication is required), what contractual security measures have been used (such as confidentiality agreements), how mobile devices are linked to and configured with the main system, what the patching and updating procedures are, whether the target keeps the logs and has the incident response plan that would reveal and contain a past or future intrusion, what the procedures for data destruction are and have been, and more.
As can be seen, data security is no easy or quickly resolved matter. The foregoing are general and non-exhaustive parameters. With any specific target business, there may be unique data security issues that must be investigated and resolved. If you have questions, contact the deal-proven business lawyers at Revision Legal at 231-714-0100.