"Today, nearly every company is or wants to be a business capable of leveraging information and advances in technology. At the same time privacy and cybersecurity laws are changing, becoming more complex and requiring more resources to comply with. Some of the biggest challenges in the M&A market are identifying, prioritizing, evaluating, and quantifying the key privacy and cybersecurity risks in a changing environment. In response, privacy and cybersecurity due diligence has become more sophisticated and is no longer an afterthought at the end of IP due diligence. Deal teams need to ensure that all of the stakeholders (IT, legal, compliance, marketing) are aligned, transparent and communicating. Having a coordinated privacy and cybersecurity strategy before, during and after the due diligence is also essential. Post-closing, the buyer needs to leverage the privacy and cybersecurity experts and the information that it learned during due diligence to ensure that it puts in place an action plan to mitigate risks, such as any identified cybersecurity vulnerabilities or privacy compliance gaps."

Ryan Blaney, Head of the Firm's global Privacy & Cybersecurity Group; partner in the Firm's Health Care Group

"EU and UK privacy and cybersecurity regulators are increasingly focused on bringing enforcement action under the General Data Protection Regulation (GDPR) against parent companies and PE sponsors for GDPR breaches committed by their affiliates and portfolio companies. Specifically, parent companies and PE sponsors may now be subject to direct enforcement action with respect to GDPR infringements committed by (even minority-held) affiliates or portfolio companies (even if the parent was not “personally” implicated in the infringement). This “parental liability” principle could impact transactions even (for example) where neither the buyer nor the target has any physical operations in the EU or the UK, but sells goods or services into these countries. Overall, corporate groups, PE sponsors and portfolio companies may need to, where appropriate, consider their liability exposure and implement risk mitigation measures, including during and post any M&A or PE transaction."

Vishnu Shankar, Member of the Firm's TMT, Sports, and Privacy & Cybersecurity groups

"Really understanding the systems of the acquired entity (both on and off premises), and how to integrate those into the acquirer in a way that supports needed business functionalities but does not adversely impact the cyber risk profile of the combined organization. This has been a real source of headaches as companies grow and simply bolt on new systems to their network architecture or do not look deeply enough for unexpected consequences. Done without enough due diligence and analysis can lead to security vulnerabilities that impact the greater enterprise or might inadvertently weaken the effectiveness of current controls. Conducting meaningful due diligence through the use of dedicated professionals and pressure-testing the architecture design in a holistic way are critical steps to mitigate that risk."

Margaret Dale, Vice Chair of the Litigation Department; Co-head of Data Privacy and Cybersecurity Litigation

"For sellers, particularly those in sectors that collect or have access to a significant amount of personally identifiable information, one of the biggest developments has been the increased focus by potential buyers on the areas of data privacy and cybersecurity. The existence and effectiveness of a seller’s data privacy and cybersecurity policies, procedures and insurance coverage have become increasingly subject to examination during the due diligence phase. For a buyer, weaknesses in these areas can impact valuation, post-closing recourse they intend to seek or even their interest in pursuing the deal altogether. Sellers should consider proactively shoring up these areas before engaging in a sale process."

Joshua Apfelroth, Member of the Firm's Mergers & Acquisitions Group

"Regulators sometimes use purported security-related concerns as grounds to oppose a merger or acquisition or to extract security-related concessions in exchange for approval. Organizations should be prepared to demonstrate the current security-posture of each organization as well as the existence of a well-considered plan to merge the organizations at every level of security (culture, policy, controls, systems, etc.). It is often useful to structure such a plan as a “road map,” as, while there may be some level of connectivity between merged systems on day 1, it may be some time before the organizations can truly be unified at a security level with a single set of security policies applied uniformly to the newly merged entity. Accordingly, it would be desirable for such a plan to include an assessment of the various risks at each stage of the merging process, including the intermediate stages, where various parts of the organization may still be governed by the individual policies and controls of each merging entity. "

Nolan Goldberg, Co-head of Data Privacy and Cybersecurity Litigation