Top Ten Key Privacy and Security Due Diligence Requests for Mergers and Acquisitions

BY DAVID F. KATZ, NELSON MULLINS RILEY & SCARBOROUGH --

 Due diligence in the context of mergers and acquisitions can easily be compared to a Sherlock Holmes–style exercise where deductive powers of reasoning are applied to the careful and often painstaking collection of a specific set of facts relative to the transaction. Through careful analysis and the gathering of fractured pieces and bits of information, one is able to form a colorful mosaic that ultimately reveals the landscape that will define where core issues that need to be resolved exist in the transaction. The birth of big data and how companies are monetizing data places privacy and security toward the top of the due diligence list. The reasons for this are transparent and simple. The ability to understand the data environment is essential from a risk standpoint, but also from a valuation standpoint. Data is the new cash. It has to be protected. It can’t be left unsecured. Data is a valuable corporate asset whether it is consumer data, employee data or a company’s intellectual property. Whether a company has taken steps to properly protect its data and the ability to understand the data environment is as an important a part of the M&A process as identifying ownership of the entities. The due diligence process in the context of privacy and data security has steadily increased in its importance and has taken its rightful place among the flood of paper traditionally exchanged between the parties during the diligence phase of M&A transactions.

Why it matters:

 The way in which these corporate assets in the form of data are collected, processed, transferred, stored and deleted must be fully understood as part of the due diligence process. This is important to understand for several reasons. First, it is essential to understand what vulnerabilities and weaknesses may exist within the data environment prior to acquisition. Second, it is the responsibility of the lawyers on the deal to explain these vulnerabilities to the client well in advance of close. Third, it is important to understand the vulnerabilities and complexities of the data environment so that the appropriate provisions can be drafted in the agreement in order to protect the client. Finally, understanding the data environment is crucial to the post acquisition process during which the absorption and integration of separate data environments occurs. This exercise requires knowledge sufficient to mitigate and remediate any previously identified risks.

  Top Ten Key Privacy and Security Diligence Requests: 

 1.  Request descriptions of the security controls in place for each of the Company’s data collection platforms. 

 Understanding the existing security framework for how data is collected can quickly identify the target company’s maturity with respect to its security program. To the extent no controls exist, this could be a red flag in the early stages of the deal. 

 2.  Request copies of all documented information governance guidelines and standards, including information governance categories, retention and destruction requirements for each classification.

A key element in the early stages of the deal is to understand where data resides and how data is governed within the organization. A well-developed information governance program can make the location and life cycle of key documents necessary for the transaction simple and easy to identify. Conversely, no data governance program can add valuable time, cost and effort in due diligence by the parties and potentially delay closing.    

3.   Ask for summaries of the Company’s risk assessment and risk management programs, including copies of any reports issued in connection therewith, for the last five years.

 Risk assessment documents are due diligence gold. A good risk assessment can provide detailed locations for “land mines and buried bodies.”

4.  Request copies of all security guidelines in connection with hiring personnel (if guidelines not available, request a summary of such controls), including whether credit checks, background checks, drug   tests and/or other screening procedures are performed.

 Understanding that people can often be a company’s greatest strength or weakness, it is important to understand what types of controls or guidelines are in place from a data security perspective when it comes to access to critical data systems and data repositories by employees. To the extent no controls are in place, this might be a warning regarding the security of existing data systems and data repositories.

 5.   Request copies (or if not available, a summary) of the Company’s Privacy Policies. Indicate whether such policies: have been endorsed by management, include consequences for violations of such policy, undergo an annual risk assessment process, etc.

To the extent that the acquiring company or new entity wishes to use consumer data in a way that is materially different than previously communicated to consumers, M&A counsel will need to consult with qualified privacy counsel to make certain that specific advice regarding any material change in use of the consumer data is obtained.

 6.   Ask for a description of the Company’s IT Business Continuity Plan, including a description of any testing in connection therewith.

This may be the single, most consolidated source for use as a road map in understanding key systems and requirements of the entity subject to acquisition or being assumed in a merger. Understanding this document and recognizing its ability to communicate existing risks and details regarding critical systems, will save considerable time and energy post acquisition, and will provide a jump start for IT and Business teams seeking to quickly integrate these systems.

7.  Request copies of any documented physical security guidelines (or, if not available, a summary of such controls) to ensure security of any buildings, data centers, computer rooms, critical computer infrastructure, etc.

Physical security is an important factor and key indicator of how an organization manages data risk. From a cost perspective, it is important to understand what the physical security requirements may be post acquisition and how these continuing costs should be apportioned or considered for the purposes of valuation.

8.  Ask for details (including insurer, insured party, agent, policy holder, certificates, expiration dates, exclusions and limits) of each insurance policy relating to an Entity.

 A close examination of existing coverages, exclusions and limitations, and an even closer examination of what types of additional coverages may be necessary from a data security perspective, is paramount. To the extent that risks are not properly identified or understood, all parties could be at risk.

9.  Request descriptions of any known event(s) which could give rise to an insurance claim as a result of a privacy or information security incident or data breach.

 This one is fairly obvious. This is the time for complete transparency.

10.  Request information on claims history involving privacy, information security or data breaches, for the past five years.

See response to number nine.

 Understanding the Due Diligence:

          The information produced in response to these requests will provide M&A counsel with a diagnostic picture of the overall data health of the entities subject to acquisition or merger. By collecting the information requested in the Top Ten Key Requests, the M&A team responsible for the deal will have a baseline understanding of the potential vulnerabilities present in the data environment, will be able to communicate the risks to the client and will be able to develop a potential plan for remediation of the data environment post acquisition.