The online service Ashley Madison is reeling from a catastrophic data breach that resulted in the public exposure of its customers’ sensitive private information. Ironically, the Ashley Madison hack was a very conspicuous and public affair. However, not all cyber security breaches are publicly broadcast. Most hacks are done surreptitiously such that the hacked company would not know (at least not right away) that it has been attacked. Such “private” hacks can go undetected for months or even years after the initial cyber security breach, and the consequences and damages resulting from the breach are therefore very difficult to predict, both in terms of scope (e.g., the company might not know how much of its information has been compromised or what reputational effect this will have) and the quantum, in dollars, of total liability.
How are M&A lawyers supposed to deal with the nebulous phenomenon of cyber security risk in the context of a proposed acquisition of a company? Boilerplate representations in a purchase agreement regarding confidentiality, privacy and intellectual property may not sufficiently cover and allocate the risk as between the purchaser and seller, especially where the target company is in a more information-sensitive sector (such as technology) or runs a customer-facing business. In those cases, the risk is heightened and all parties need to pay particular attention to how the purchase agreement deals with the risk and allocates it.
Here are some tips on how to manage cyber security risks during the negotiation and due-diligence stages of an M&A transaction, especially where the target is in a more information-sensitive business:
- Dig into the representations. Buyers should carefully understand what it means for a seller to represent that the cyber security systems and protocols the target uses are within “industry standards”. The Ashley Madison hack certainly makes the case that industry standards may not be robust enough to prevent a serious attack. Buyers should therefore think twice before taking too much comfort in such representations in purchase agreements and sellers might be able to take a bit more comfort in offering them up. It would instead be more appropriate for the buyer to ask the seller to give a representation that it has not been made aware of any (material) security breaches and has no reason to think that any such breaches have occurred.
- Re-calibrate the indemnity provisions. Indemnity provisions in the purchase agreement should bear a meaningful relationship to the magnitude of the risk that the buyer is taking on (and that the seller is trying to get rid of). The parties should think about when it would be appropriate to uncap, raise the cap or extend the time-frame of indemnity provisions that are triggered upon the breach of security of information representations. If the issue of security of information is particularly important in the context of the deal, then the representations relating to it should be “fundamental” and should be associated with the appropriate indemnity baskets. Where the risk is highest, buyers should ask for a separate indemnity (outside of that resulting from any breach of representation) and sellers should be very careful before agreeing to give this.
- Define the exposure. In order to allocate the risk of cyber breaches, the purchase agreement needs to provide the parties with a clear way to identify when a breach has occurred so that damages can be allocated contractually as between the parties (rather than decided by a court). If the purchase agreement cannot tell the parties exactly when a hack has occurred or when the damages have arisen, the parties will be left to litigate how the agreement should be interpreted rather than just being able to enforce the indemnity contractually. The formulation depends on the type of breach that is of concern. If the parties are worried about the leaking of trade secrets integral to the business, they could agree to retain a forensic expert to identify when the trade secret was stolen, and apportion liability based on that date relative to the signing or closing of the deal (when risk generally shifts as between the parties). If the parties are worried about the theft of sensitive customer data such as stolen credit card numbers, consider whether the relevant date would be the date of the fraudulent use of the stolen information, as there would be a transaction record to evidence the date of misuse. In that case, consider allocating the risk to the seller if the fraudulent use occurs within a certain period following closing, after which period the risk would go to the buyer.
- Do the right diligence. During the due diligence process, buyers should make a serious and thorough inquiry into the security of the target company’s data. Analyze the quality of its security systems and investigate any attempted data breaches. If the target stores its data in a cloud computing database, consider the contractual arrangements it has with its service provider.
- Consult a tech expert. The parties involved in M&A transactions often fail to consult with cyber security and technology experts. Instead, they rely on boilerplate “industry standard” language as adequate assurances against potential data breaches. Buyers should consider engaging a technology or forensic specialist to assess the data security of a target company to gain meaningful comfort before signing the deal.