The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires. Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed. For example, although it is relatively easy to read a potential target’s privacy policies it is far more difficult to verify that the policy is accurate or complete. The following provides a snapshot of information concerning privacy violation penalties.
$ 3 million
Civil penalty imposed by the Federal Trade Commission upon acquirer for data privacy violation of acquisition that occurred prior to closing.1
Due diligence questions to consider in a M&A transaction in order to evaluate data privacy related rsisk:
- Has the target received a regulatory inquiry concerning its data privacy practices?
- Has the target received litigation claims concerning its data privacy practices?
- Has the target tracked data privacy complaints submitted to it by consumers?
- Has the target tracked data privacy complaints submitted by consumers to government agencies, including the quantity and nature of data privacy complaints lodged with the Federal Trade Commission?
- Is the target subject to a sector specific data privacy law?
- Do the target’s internal privacy policies and procedures comply with legal standards?
- Do the target’s external privacy policies and procedures comply with legal standards?
- Has the target conducted a data map or a data inventory?
- What are the target’s data retention policies?
- With whom does the target share data?
- Does the target have a vendor management program in place?
- Have the vendors used by the target provided appropriate contractual protections?
- Did the target have an employee, such as a Chief Privacy Officer, who was focused on data privacy issues?
- If the target conducted operations internationally did it have a strategy in-place for handling the cross-border transfers of information?