Data and privacy breaches have attracted considerable media attention of late, and the list of companies that have experienced a breach keeps growing. The potential costs of a large-scale privacy breach are difficult to quantify in advance. In addition to the costs of the resulting litigation (often in the form of privacy breach class actions), a publicized breach brings reputational harm.

As a result, companies and organizations considering M&A must be alive to privacy issues and privacy laws. While appropriate due diligence can help guard against liability for privacy breaches, companies should also be aware that the due diligence procedure itself carries privacy risks.

Due diligence in cyber space

Where a company is being acquired in a stock purchase, or where a transaction is structured as a merger, the acquirer takes on the target's historical liabilities along with the entity itself. The parties to such a transaction should therefore be concerned about each other's past privacy practices, and must make inquiries during the due diligence process to ensure that they are not assuming liability for a past breach of privacy as a result of the transaction.

Additionally, by conducting "cyber due diligence", a party to a transaction can guard against assuming imminent or future liabilities related to data and privacy breaches. Cyber due diligence involves fully understanding the data security of the other parties to the transaction. It requires reviewing all materials that relate to the other company's data security, including its policies and procedures for the collection, encryption, storage, use and destruction of private information.

Effective due diligence allows companies to identify and evaluate the data security risks of a proposed M&A transaction. The parties then have the opportunity to walk away from a high-risk investment or to take appropriate measures, such as pricing adjustments or contractual protections, to protect themselves from the privacy risks identified.

The risks of due diligence in the age of data

While thorough due diligence can provide assurance to a company seeking to avoid privacy liability in an M&A transaction, companies must also be alive to the risk that the due diligence process itself gives rise to a privacy breach.

A company may breach privacy laws or its own privacy policies by passing data containing personally identifiable information about employees or clients to a prospective purchaser or merger partner. In addition, the due diligence process itself makes companies more susceptible to intentional and malicious data breaches by attackers. During due diligence, materials containing confidential information leave the corporation at a much higher rate and in much greater volume than usual, and under strict time pressure. As a result, cyber-criminals can more easily obtain and misappropriate confidential information.
Companies engaging in an M&A transaction must be concerned with privacy risks throughout the due diligence process. A difficult balance must be struck, given that thorough due diligence is required to ward off privacy risks but can itself be the source of a privacy breach. M&A lawyers with knowledge of privacy laws can help the parties find the appropriate balance: by choosing the best transaction form, by controlling and limiting what information is shared, how it is qualified and how it is received, and by securing comprehensive warranties.

The author would like to thank Julia Bassett, articling student, for her assistance in preparing this legal update.