Data privacy regulations, high-profile data security breaches, and fines and other regulatory enforcement have significantly affected mergers and acquisitions (M&A) transactions in recent years.1 Buyers, sellers and M&A practitioners have elevated data privacy to one of the critical issues to address at various stages of an M&A transaction, from due diligence to drafting and negotiating representations, warranties and related indemnities to post-closing integration.
The data privacy legal environment remains one of the most dynamic and fast-developing areas of law, and will continue to affect M&A transactions for the foreseeable future.
M&A participants are well-advised to focus on data privacy early and throughout an M&A transaction given the potential adverse consequences of a security breach, including reputational damage, fines and other regulatory enforcement, loss of business, class action lawsuits, and resulting damages.
Data privacy is implicated under a number of regulations, some of a more general nature and others specifically tailored to address particular data privacy issues. The Federal Trade Commission, for example, uses its general regulatory and enforcement authority to pursue actions in data security breaches.2 Specifically tailored data privacy regulations, such as the EU General Data Protection Regulation (GDPR)3 4 and the most recently enacted significant data privacy regulation, the California Consumer Privacy Act (CCPA), are directed at data privacy generally, and impose, or will impose, extensive obligations on virtually all businesses within their geographic scope, most particularly in the context of consumer personal information. Industry-specific data privacy regulations such as the Gramm-Leach-Bliley Act (GLBA), which applies to financial institutions, and the Health Insurance Portability and Accountability Act (HIPAA), which applies to the healthcare industry, also impose extensive obligations on businesses that fall within the scope of the industries covered.
The CCPA becomes effective January 1, 2020, and will affect any business of even moderate size that handles the personal or household information of California residents. Businesses that handle this information with respect to as few as 50,000 devices, individuals or households annually will be subject to the CCPA. Businesses with revenues of at least $25 million will also have CCPA compliance obligations, regardless of the number of devices, individuals or households with respect to which information is handled. In addition, businesses that derive more than half their revenue from selling the personal information of California residents will be subject to the CCPA.
The CCPA includes, for the benefit of California residents, virtually all of the basic rights afforded EU residents under the GDPR, such as the right to be informed of the nature of the personal information a business collects, obtains, sells or discloses about them; the reasons for these activities; and the nature of the third parties to whom the information is divulged. Other rights include the ability of California residents to prohibit the sale of their personal information, and the so-called right to be forgotten, which entails an individual’s right to require deletion of the individual’s personal information.
Governmental enforcement of the CCPA may result in civil penalties of $2,500 for each violation and up to $7,500 for each intentional violation. In addition, the CCPA includes a private right of action and statutory damages that are likely to incent consumer class action litigation.
The overall trend in the data privacy legal environment is decidedly toward greater and more complex compliance obligations, higher compliance costs, more frequent enforcement, and greater consequences for noncompliance. All of these factors result in higher risks associated with M&A transactions involving the acquisition and integration of businesses that handle personal information.
In addition to complying with applicable data privacy regulations, businesses must comply with the terms of their commercial contracts pertaining to data privacy, which dictate how data that flows between contracting parties may be used, handled and stored. Parties to commercial contracts continue to react to the data privacy regulatory landscape by including in their contracts extensive data privacy considerations. These commercial terms increasingly extend beyond customary nondisclosure obligations, and often include a litany of data privacy-related obligations, such as requiring specific data security processes, reporting and audit obligations, data security breach procedures and notification requirements, and special indemnities.
Buyers, sellers and M&A practitioners should approach data privacy diligence as they approach similar critical M&A issues. This approach should include identifying the seller’s key risks that flow from its industry, its geography, the types of data collected or obtained, and how that data is used, handled and stored. M&A participants also should ensure that the seller has the right to make available to the buyer and its representatives information of a sensitive nature, the disclosure of which may trigger violations of data privacy regulations or a breach of contract. Importantly, both the buyer and seller should endeavor to avoid or carefully restrict the transfer of personal information at the diligence stage, including through redaction or otherwise limiting names and other personally identifiable information.
The nature of personal information in the seller’s possession, which will directly or indirectly transfer to the buyer at closing, may also affect the transaction structure. For example, some M&A transactions, if structured as an asset purchase as compared to a stock purchase or certain mergers, may present additional risks and challenges if personal information will be conveyed to the buyer as part of the seller’s assets transferred at closing. These factors may determine or influence whether an M&A transaction is structured as a stock sale, an asset sale or a merger.
Due diligence should include examination of the seller’s privacy policies, data security programs and processes, both qualitatively and from an information technology (IT) perspective, to ensure that appropriate processes and sufficiently robust IT assets are in place to protect data. A buyer should also evaluate the seller’s breach history and response times. Buyers should engage a dedicated team of data privacy and IT experts to assist with this diligence.
Overall, the buyer’s due diligence review should enable the buyer to assess data privacy risks associated with the seller’s business and identify any outstanding or potential liabilities that may impact valuation or require a special indemnity.
Representations and Warranties, and Indemnities
Most M&A transactions of significant size, and virtually all M&A transactions where data privacy is of particular concern, now employ carefully drafted data privacy representations and warranties. These representations and warranties extend well beyond the generic noviolations-of-law scope and typically will focus on specific regulations, including industryspecific regulations, security breach history and commercial contract compliance, and they may also extend further back historically than a more generic no-violations-of-law representation and warranty.
In addition to legal and commercial compliance, savvy buyers will use data privacy representations and warranties as a risk allocation tool to fix liability for failures of IT system design, poor information handling processes and even certain post-signing data privacy security breaches. In our view, well-drafted, comprehensive data privacy representations and warranties address at least the following areas, where applicable:
- General legal compliance (e.g., GDPR and, after January 1, 2020, CCPA compliance);
- Industry-specific data privacy regulatory compliance (e.g., GLBA or HIPAA compliance);
- Disclosure of arrangements under which data is shared with third parties;
- Data privacy security breach history;
- Regulatory notices, and both external and internal data privacy investigations;
- Suitability of data privacy processes and related IT infrastructure;
- Employee data privacy training;
- Description of the types of personal information collected and maintained; and
- Security assessment reports and related remediation of data security gaps.
In private-target transactions, buyers may seek special line-item indemnities and longer survival periods for data privacy security breaches, whether known or unknown at the time of signing or closing. Data privacy issues in many M&A transactions are best handled on a customized basis depending on a variety of factors, including those discussed above. To date, we have not seen clear M&A market trends in indemnification terms such as survival periods, line-item indemnities or basket/cap carve-outs as they relate to data privacy issues.
Post-closing integration may involve the mass transfer of data from the seller to the buyer, implicating numerous data privacy considerations. Even if personal information is not formally transferred, as in an asset sale, a buyer will have access to and may seek to obtain, handle and use the personal information held by the target company post-closing. A buyer should be mindful of the need to maintain strict controls on its access to, and handling and use of, personal information held by the target company. A post-closing integration plan developed concurrently with the due diligence phase of the M&A transaction is essential in situations in which data privacy is of particular concern. A buyer should charge its team of data privacy and IT experts engaged in the diligence process to work with the buyer’s integration team to ensure regulatory compliance, appropriate regulatory and consumer notices, and other proper steps are taken to limit postclosing integration risks.
The data privacy legal environment is developing rapidly, and the attendant risks and potential adverse consequences will impact M&A transactions for years to come. Data privacy should be among the critical M&A issues addressed early in and throughout an M&A transaction’s life cycle, from structuring the deal to due diligence and documentation, and to post-closing integration. Buyers should engage a dedicated team of data privacy and IT experts to assist from the commencement of an acquisition transaction, and should keep them involved throughout the transaction and through post-closing integration.