Imagine you are the CEO of company sitting across from an interviewer. The interviewer asks you the age old question, “So tell me about your company’s strengths and weaknesses?” You start thinking about your competitive advantages that distinguish you from competitors. You decide to talk about how you know your customers better than the competition, including who they are, what they need, and how your products and services fit their needs and desires. The interviewer, being somewhat cynical, asks “Aren’t you worried about the liabilities involved with collecting all that data?”
In honor of National Cyber Security Awareness Month, we at Mintz Levin wanted to take the chance to remind our readers of data’s value as an asset and the associated liabilities that stem from its collection and use, as well as provide guidelines for maximizing its value and minimizing its liabilities.
Data’s Value as an Asset
More than ever before, data is now recognized as an asset in corporate transactions. This year, Unilever PLC was widely reported to have paid $1 billion in cash for Dollar Shave Club, a mail-order service that ships customers disposable razors. While four year old Dollar Shave Club is not profitable, Kees Kruythoff, president of Unilever North America, credit the purchase with providing Unilever “unique consumer and data insights.” According to some, the transaction “would represent the largest multiple for a e-commerce startup in history.”
However, don’t think that data is only a value driver for stratospheric M&A valuations. It can also form a significant portion of the remaining value of a company during the bankruptcy process. During its bankruptcy proceeding, RadioShack sold its brand name and customer data for about $26 million, with the winning bidder receiving names and addresses for 67 million former customers. Similarly, in the Sports Authority bankruptcy proceeding, Dick’s Sporting Goods paid $15 million for “intellectual property, including the Sports Authority name, its e-commerce site and about 114 million customers’ files and 25 million email addresses.”
Data Collection and Use Can Create Avoidable Liabilities
Unfortunately, the collection, storage, and use of data will in most cases create liabilities as well. Consider the flip side of the M&A context, where we have just seen data can be a key driver of value. Verizon had agreed to buy Yahoo for $4.8 billion; however after a serious data breach affecting at least 500 million uses was disclosed by Yahoo, it is now reportedly seeking a $1 billion reduction in the purchase price.
Numerous other potential liabilities exist as well. For example, California requires that businesses that “own or license” personal information concerning a California resident are required to “implement and maintain reasonable security procedures and practices . . . to protect the personal information from unauthorized access, destruction, use modification, or disclosure.” Massachusetts has its own data security requirements for those who “who own or license personal information about a resident of the Commonwealth of Massachusetts.” There are numerous other contract issues, as well state and federal regulations, that can come into play based on the specific situation.
Three Guidelines to Maximize the Value of your Data
While every company’s situation is different, this section provides three basic guidelines companies can use to maximize the value of the data collected by the company. It’s useful to keep in mind that companies should approach maximizing the value of their data by both taking steps to increase its value as an asset as well as reduce the liabilities that its collection, use, and transfer may create. Implementation of these strategies will often require complicated legal analysis, so companies may find it helpful to contact a qualified professional.
- Understand what data is coming into the company and from where
Companies should perform a dataflow analysis to understand what data is being collected, and where that data is being stored and transferred. Having a holistic view of the data coming into the company will assist with the use of that data in furthering corporate objectives, and in many cases, will identify sources of data that were previously not recognized at the senior decision making level, exposing additional opportunities to integrate data sets and unlock additional value.
- Discuss with senior stakeholders the intended purpose(s) of the data and ensure that the purpose(s) are supported by appropriate legal agreements and permissible under applicable laws
In many cases, companies may realize that there is additional value to the organization of certain data beyond the purpose originally conceived when the data was collected. This can occur through an evolving business model, but is also often the result of another part of the organization becoming aware that certain data is available. The most common issue present in these circumstances is that the data cannot be used for the desired purpose either because either adequate consent was not objected from the collection source, or the data based on its current form cannot be legally used for the desired purpose. Meeting with appropriate stakeholders on a regular basis to discuss the desired purposes of data (both now and in the future) to be collected can often reveal these issues before they become significant areas of business risk or lost opportunity.
- Ensure that appropriate security measures are in place based on business risk to the organization taking into account applicable legal requirements
Based on the identification of the data coming into the company, including its type, companies will need to decide from a risk management perspective what level of protection, including security controls, is appropriate. In many cases, where there are multiple sources of incoming data with different sensitivity levels and access requirements, the data protection architecture may provide different levels of protection for different data sets. In all cases, legal requirements, such as the California and Massachusetts laws mentioned above, will provide a minimum baseline for companies to adhere to. While maintaining an effective security architecture cannot completely mitigate the risk of data loss, it can certainly reduce to a more acceptable level. Furthermore, having such an architecture in place will be of great assistance should the company ever decide to market itself as an acquisition target.